CWS 315 2I en StudentManual 1 3 Days v04

The document outlines the course CWS-315-2I: Citrix Virtual Apps and Desktops 7 Advanced Administration, detailing its modules focused on redundancy, scalability, disaster recovery, advanced authentication, and security. It includes a course overview, prerequisites, and a structured outline for each day of the training. The course aims to equip participants with the skills to manage and troubleshoot Citrix environments effectively.


CWS-315-2I: Citrix Virtual Apps and Desktops 7 Advanced Administration (1-3 Days)
Table Of Contents

Module 0 - Course Overview ..... 2
Module 1 - Introduction to Citrix Virtual Apps and Desktops 7 Advanced Configuration ..... 33
  Citrix Virtual Apps and Desktops Deployments - Advanced Configuration ..... 35
Module 2 - Planning: Redundancy and Scalability ..... 42
  Citrix Virtual Apps and Desktops Redundancy and Scalability ..... 44
  StoreFront and Citrix Gateway Redundancy and Scalability ..... 53
  Site Infrastructure Redundancy and Scalability ..... 67
  Machines Running the Virtual Delivery Agent ..... 82
Module 3 - Planning: Virtual Apps and Desktops Environment with Multiple Locations ..... 93
  Zones ..... 95
  VDA Registration in a Multi-Zone Environment ..... 110
  Zone Preference ..... 122
  Optimal Gateway Routing and Zones ..... 131
  StoreFront Resource Aggregation ..... 138
  Managing StoreFront Store Subscriptions in a Multi-Location Environment ..... 145
Module 4 - Planning: Backups and Disaster Recovery ..... 157
  Backups ..... 159
  Disaster Recovery Considerations ..... 177
  Disaster Recovery Process ..... 184
Module 5 - Planning: Advanced Authentication Methods ..... 193
  Multi-factor Authentication - RADIUS and One Time Passwords (OTP) ..... 195
  Multi-factor Authentication - Smart Card Authentication ..... 205
  Federated Authentication - Federated Identity Concepts ..... 217
Module 6 - Planning: App and Data Security ..... 237
  Introduction to Application Security ..... 239
  Preventing Jailbreak Attacks ..... 245
  Minimizing the Impact of Attacks ..... 263
Module 7 - Planning: Virtual Delivery Agent Security ..... 282
  Transport Layer Security (TLS) Virtual Delivery Agent (VDA) Encryption ..... 284
  Microsoft Group Policy Objects (GPOs) and Citrix Policies ..... 292
  Image Management ..... 310
Module 8 - Introduction to Troubleshooting ..... 320
  Resource Tools and Utilities ..... 326
  Introduction to PowerShell ..... 341
Module 9 - Troubleshoot Access Issues ..... 360
  Troubleshooting StoreFront ..... 362
  Workflow and Troubleshooting Overview ..... 370
  Troubleshooting Access and Authentication ..... 380
  Troubleshooting App/Desktop Launch ..... 393
Module 10 - Troubleshoot Delivery Controller Issues ..... 399
  Validating FlexCast Management Architecture (FMA) Services ..... 401
Module 11 - Troubleshoot Virtual Delivery Agent (VDA) Registration Issues ..... 423
  Troubleshooting Virtual Delivery Agent (VDA) Registration ..... 425
Module 12 - Troubleshoot HDX Connection Issues ..... 442
  Troubleshooting HDX Connections ..... 444
Citrix Virtual Apps and Desktops 7
Advanced Administration

Course Overview

CWS-315-2I: September 27, 2021
Lab Manual: v1.19, v2.1
Module 0

2 © 2020 Citrix Authorized Content


Course Overview (1/4)

• Explain how to implement redundancy for core Citrix Virtual Apps and Desktops infrastructure components.
• Manage Citrix Virtual Apps and Desktops deployment with multiple locations.
• Implement backups and disaster recovery for Citrix Virtual Apps and Desktops deployment.
• Determine the advanced authentication methods appropriate for access to a Citrix Virtual Apps and Desktops environment.
• Explain how the app and data security can be improved in a virtualized environment.
• Secure the machines running the Virtual Delivery Agent.


Course Overview (2/4)

• Introduce core troubleshooting methodology for a virtual environment.
• Troubleshoot common access issues.
• Troubleshoot common Delivery Controller and database issues.
• Troubleshoot common VDA registration issues.
• Troubleshoot common HDX connection issues.


Course Overview (3/4)

• Introduce App Layering.
• Create OS, Platform, App, Elastic, and User Layers.
• Deploy a layered image using Citrix Virtual Apps and Desktops.
• Explore Layer priority and maintain an App Layering environment.


Course Overview (4/4)

• Introduce Citrix Workspace Environment Management (WEM).
• Install WEM on-premises and WEM Service.
• Run the WEM Consoles and perform initial setup.
• Use WEM for VM performance optimization.
• Use WEM to secure virtualization environments.
• Examine the WEM Agent operations.
• Migrate to WEM, and upgrade existing WEM environments.


Citrix Workspace

Drive digital transformation with an intelligent workspace platform.


App Delivery and Security

Formerly Networking


Student Introduction

• Introduce yourself to the class.
• Include the following information:
  • Name and company
  • Job title
  • Job responsibility
  • Networking and virtualization experience
  • Citrix product experience
  • Class expectations


Facilities

• Parking and transportation information
• Class Policies
• Break and lunch schedules
• Emergency contact information


Course Prerequisites

• Basic knowledge of:
  • Active Directory
  • Windows Operating Systems
  • Storage
  • Networking
• Some previous administrative experience with Citrix Virtual Apps and Desktops 7 (Deploy and Administer)

Key Notes:
• Citrix recommends completing the free Citrix Virtual Apps and Desktops 7 introduction bundle at elearning.citrix.com prior to attending this course.


Course Outline – Day 1

• Module 0: Course Overview
• Module 1: Implement Redundancy and Scalability
• Module 2: Manage Virtual Apps and Desktops Environment with Multiple Locations
• Module 3: Implement Backups and Disaster Recovery


Course Outline – Day 2

• Module 4: Implement Advanced Authentication Methods
• Module 5: Improve App and Data Security
• Module 6: Secure Machines Running the Virtual Delivery Agent
• Module 7: Introduction to Troubleshooting


Course Outline – Day 3

• Module 8: Troubleshoot Access Issues
• Module 9: Troubleshoot Delivery Controller Issues
• Module 10: Troubleshoot VDA Registration Issues
• Module 11: Troubleshoot HDX Connection Issues


Course Outline – Day 4

• Module 12: Introduction to App Layering
• Module 13: Create an OS Layer
• Module 14: Create a Platform Layer
• Module 15: Create App Layers
• Module 16: Create Elastic App and User Layers
• Module 17: Deploy a Layered Image using Citrix Virtual Apps and Desktops
• Module 18: Explore Layer Priority and Maintain an App Layering Environment


Course Outline – Day 5

• Module 19: Introduction to Workspace Environment Management (WEM)
• Module 20: Installing Workspace Environment Management (WEM)
• Module 21: WEM Consoles and Initial Setup
• Module 22: WEM Centralized Management Features: System and Log On Optimization
• Module 23: WEM Centralized Management Features: Security & Lockdown
• Module 24: The WEM Agent
• Module 25: Upgrading Workspace Environment Management (WEM) and Migration to WEM Service


Course Materials

• This course has the following material:
  • Student Manual
  • Lab Manual
  • Lab Environment
• Watch the Instructor demonstrate how to access the course materials and connect to the lab environment.


Lab Exercises

All lab exercises are grouped and performed together per module.


Lab Exercise Access

Use the following link to access the labs: https://training.citrix.com/learning/landing-315

1. Login with your MyCitrix Credentials, specifically those used to enroll in the course.
2. When instructed to provision your labs, click the module you want to complete.

Additional Resources:
• Lab Access URL: <Insert link here>


Lab Exercise Access (Continued)

3. After clicking on a specific module, verify the requirements and click READY TO START.
4. On the next page, click START LAB.


Lab Exercise Access (Continued)

Take notice of the Lab Time counter; this will show you how much time you have left to complete the exercise.

5. Verify the 5-minute countdown timer starts and wait for the timer to go to zero.
6. If you have not done so already, ensure you have the Citrix Workspace app or Citrix Receiver installed.
7. Click OPEN LAB IN CITRIX RECEIVER to connect to the lab.


Lab Exercise Access (Continued)

8. Once the lab exercises are complete, click END LAB to decommission the lab.


Lab Introduction
New York City (NYC) WW Labs Initial Proof of Concept (POC) Design

• This diagram represents the lab environment for this course.
• Check connectivity to the lab environment and report any issues to the Instructor.
• All lab environment details are also provided in the lab manual.

[Diagram: lab VMs arranged by User, Access, Control and Resource Layer: Endpoint NYC-WRK-001; StoreFront NYC-STF-001; Citrix ADC NYC-ADC-001; Citrix ADM NYC-ADM-001; Firewalls; Delivery Controller NYC-VDC-001; Domain Controller NYC-ADS-001; SQL NYC-SQL-001; File Server NYC-FSR-001; Server OS Master NYC-SRV-MST; Desktop OS Master NYC-DTP-MST; Server OS NYC-SRV-001; Desktop OS NYC-DTP-001. Hardware Layer: Network, Wifi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• The course lab environment is not a production environment.
• Each VM is given enough resources to perform the lab exercises.
• There are enough lab exercises to gain valuable hands-on experience to match the lecture part of this course.
• These lab VMs are tuned to the lab manual tasks; do not deviate unless instructed to by the Instructor.
• Any deviation may result in destabilizing the lab, causing intermittent or long-term failure.
• If a lab fails, it can be reset to the beginning, but it is time consuming and requires a classroom support ticket.


Student Desktop

• Remote Desktop Connection Manager for general management
• Hyper-V Manager for virtual machine management and power operations
• System Center Virtual Machine Manager for Hypervisor management


Remote Desktop Connection Manager

• Use the Remote Desktop Connection Manager to connect to the lab virtual machines (VM).
• The connections are pre-configured.


Hyper-V Manager

• Manage virtual machines
• Power operations
• Install Operating System


System Center Virtual Machine Manager

• Manage Hyper-V clusters
• Add Networking features


Classroom Support

1. Navigate to training.citrix.com
2. Click on the “Contact Us” dropdown.
3. Select “Classroom Support”.


Printing

• You can download, save, and print electronic courseware.
• To print, click Student Resources > Courseware > Student Manual > Launch.


Looking Ahead: End of Course Survey

Your opinion matters!
Help shape the next course.
Tell us what you liked!
What can we do better?


Citrix Measures your Feedback with NPS
How is Net Promoter Score Calculated?

How likely is it you would recommend Citrix Courses to a friend? (0 = Not at all Likely, 10 = Extremely Likely)
0 1 2 3 4 5 6 7 8 9 10
Detractor / Passive / Promoter


Connect with Citrix Education

• Facebook: Become a fan of Citrix Services
• Twitter: Follow @citrixservices
• LinkedIn: Join the Citrix Education Group

Visit http://training.citrix.com to find more information on training, certifications, and exams.


Citrix Virtual Apps and Desktops 7
Advanced Configuration

Introduction to Citrix Virtual Apps and Desktops 7 Advanced Configuration

Module 1


Learning Objectives

• Identify on-premises Citrix Virtual Apps and Desktops deployment options.
• Introduce the advanced configuration topics covered in this course.


Citrix Virtual Apps and Desktops Deployments - Advanced Configuration


On-Premises Site in Customer Data Center

• The Citrix administrator team manages every aspect of the deployment:
  • Infrastructure
  • Rights assignments
  • Resources and hardware

[Diagram: On-Premises Site. User Layer: Internal Users, External Users. Access Layer: StoreFront, NetScaler Gateway, Firewalls. Control Layer: Delivery Controller, Domain Controller, SQL, License Server. Resource Layer: Multi-session OS, Single-session OS (Assigned Desktop), Single-session OS (Random Desktop), Remote PC. Hardware Layer: Network, Wifi, Storage, Processor, Memory, Graphics, Hypervisor.]

Key Notes:
• This model offers complete control over every aspect of the deployment, including choice of the hardware manufacturer. It also comes with complete responsibility for designing and operating security, climate control, backup, maintenance and updates.
• A typical on-premises configuration consists of one or more Delivery Controllers. For customers looking to use Citrix Cloud and have Citrix host the Delivery Controller, consider the following needs:
  • All current Delivery Controllers that are on premises need to use the “ListOfDDCs” option for those VDAs to remain on-premises.


On-Premises Site with Public Cloud Workloads

• Access and Control Layers hosted in customer’s data center.
• Resource Layer hosted in customer’s public cloud environment:
  • Microsoft Azure
  • Amazon Web Services
  • Google Cloud
• Requires Hybrid Rights licenses.

[Diagram: same layers as the on-premises site (User, Access, Control, Hardware), with the Resource Layer (Multi-session OS, Single-session OS Assigned/Random Desktop, Remote PC) hosted in a Public Cloud.]

Key Notes:
• Citrix announced support for public cloud with Current Releases (CR) and Long-Term Service Releases (LTSR) starting with 2203 for customers with Hybrid Rights.
• Hybrid Rights are term-based subscription licenses that are provided in addition to the cloud service subscription when the customer transitions or trades up from a perpetual license to a cloud service subscription.
• Citrix offers support for Microsoft Azure, Amazon Web Services, and Google Cloud Platform for hosting resources in a public cloud.


Fully Public Cloud Hosted

• The Citrix administrator team allows a third party to manage the hardware. Example:
  • Microsoft Azure or Google Cloud.
• Requires Hybrid Rights licenses.

[Diagram: all layers (User, Access, Control, Resource, Hardware) hosted in a Public Cloud.]

Key Notes:
• Simplify cloud adoption:
  • Ensure a smooth and secure transition when migrating environments to the public cloud.
  • Expand capacity quickly and with less capital cost.
• Manage hybrid and multi-cloud environments:
  • Leverage a common management plane across all Citrix environments.
  • Use multiple disaster recovery locations or manage multiple sites and/or clouds.
• Speed time-to-value:
  • Quickly establish new sites and offices.
  • Rapidly set up test environments and proof-of-concepts.
• Starting with version 7.11, Azure ARM is now supported.
• Hybrid Rights are term-based subscription licenses that are provided in addition to the cloud service subscription when the customer transitions or trades up from a perpetual license to a cloud service subscription.

Additional Resources:
• Citrix Cloud Overview: https://www.citrix.com/products/citrix-cloud/


Advanced Deployment Topics Overview

IMPLEMENT
• Redundancy and scalability.
• Deploy resources in multiple datacenter locations.
• Advanced authentication.

BACKUP
• Backup key components and perform disaster recovery activities.

SECURE
• Enhance application and data security.
• Secure Virtual Delivery Agent.

TROUBLESHOOT
• Leading practice to troubleshooting Citrix environment.
• Troubleshooting access, Delivery Controller, Virtual Delivery Agent, and HDX issues.

Key Notes:
• The first part of this course will examine some important topics to help keep a Citrix Virtual Apps and Desktops infrastructure healthy, with the main themes being resilience and security.
• Each module will look at a different aspect with practical labs to reinforce learning.
• The second part of this course will examine some important areas to help troubleshoot a Citrix Virtual Apps and Desktops infrastructure, with the main themes being tools and procedures.
• Each module will look at a different troubleshooting aspect with practical labs to reinforce learning.


Key Takeaways

• Citrix Virtual Apps and Desktops supports several deployment options depending on location, hardware ownership requirements, and responsibilities for configuration. Hosting platform types: On-Premises, customer managed Cloud-based, or Full Public Cloud.
• Ensure implementation of redundancy, backing up key components, securing application and data, and follow leading troubleshooting practices to have a resilient and secure Citrix Virtual Apps and Desktops site.


Citrix Virtual Apps and Desktops 7
Advanced Configuration

Planning: Redundancy and Scalability

Module 2


Learning Objectives

• Describe why redundancy and scalability considerations are critical.
• Identify components when adopting redundancy and scalability leading practice.
• Recognize the importance of implementing redundancy and scalability to Citrix infrastructure components.
• Describe how to implement Redundancy and Scalability to Citrix infrastructure components.
• Identify tools and indicators used to assess VDA performance.
• Determine redundancy requirements for VDA machines.


Citrix Virtual Apps and Desktops Redundancy and Scalability

Key Notes:
• In this lesson, we will describe why redundancy and scalability considerations are critical for the stability and optimization of Citrix Virtual Apps and Desktops environments. Also, we will identify the components in Citrix Virtual Apps and Desktops deployments that should be included when adopting redundancy and scalability leading practices. This will help you build a Citrix Virtual Apps and Desktops environment that meets your organization’s growth and availability requirements.


Redundancy

• Redundancy: The elimination of single points of failure.
• Active-Passive: Typically, a failure will result in a delay while the backup (or passive) site is brought online.
• Active-Active: Typically, a failure will create no loss of availability.

[Diagram: Active – Passive Configuration (Failover) and Active – Active Configuration. In both, Endpoints with Citrix Workspace app connect through a Citrix ADC Load Balancer to StoreFront-A and StoreFront-B.]

Key Notes:
• Redundancy is the ability of any system to experience a failure in one or more components, yet still be able to provide the service(s) for which it was designed.
• Single points of failure may include your license server, SQL database, Delivery Controllers, or file systems.
• In most cases, redundancy is achieved by having duplicate systems. These may be designed to be failed over to in the event of the primary service failing, known as Active-Passive. Alternatively, they may be designed to be running at all times, known as Active-Active, ensuring little or no disruption in the event the primary system fails.
• Duplication to facilitate redundancy can be in the form of virtual servers or physical hardware. When virtual redundancy is used, it is important to ensure that the hardware does not have its own single point of failure. For example, two redundant Delivery Controllers on the same hypervisor host may be redundant from an OS failure, but they will not be redundant from hardware failure.
• Thinking about the Citrix Virtual Apps and Desktops Control Plane, we would need fault tolerance with at least a minimum of:
  • 2x StoreFront Server
  • 2x Controller Server
  • HA Database Server
  • 2x License Server (if grace period is not acceptable)
  • 2x Citrix Gateway (recommended)
• Load balancing systems, like Citrix ADC, are key in providing redundancy; they offer many different load balancing mechanisms and can provide performance gains.
• Although adding redundant systems can offer even more resources, bottlenecks can often limit the gains provided.
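A check for the minimum control-plane counts and the hypervisor-host single point of failure described in the Key Notes above, as an added example that is not part of the course material; the inventory, host names and the Test-ControlPlaneRedundancy function are constructed for illustration.

```powershell
# Added example (not from the Citrix course): audit a control-plane inventory
# against the minimum fault-tolerance counts from the Key Notes and flag roles
# whose redundant VMs all sit on one hypervisor host (redundant from an OS
# failure, but not from a hardware failure).
# The inventory, VM names and host names below are constructed sample data.

$Inventory = @(
    [pscustomobject]@{ Name = 'NYC-STF-001'; Role = 'StoreFront'; Host = 'HV-01' },
    [pscustomobject]@{ Name = 'NYC-STF-002'; Role = 'StoreFront'; Host = 'HV-02' },
    [pscustomobject]@{ Name = 'NYC-VDC-001'; Role = 'Controller'; Host = 'HV-01' },
    [pscustomobject]@{ Name = 'NYC-VDC-002'; Role = 'Controller'; Host = 'HV-01' }, # same host as VDC-001
    [pscustomobject]@{ Name = 'NYC-SQL-001'; Role = 'Database';   Host = 'HV-02'; HighAvailability = $false },
    [pscustomobject]@{ Name = 'NYC-LIC-001'; Role = 'License';    Host = 'HV-01' },
    [pscustomobject]@{ Name = 'NYC-ADC-001'; Role = 'Gateway';    Host = 'HV-02' }
)

# Minimum instance counts from the slide. License Server is conditional:
# only 2x when the licensing grace period is not acceptable.
$Minimums = [ordered]@{
    StoreFront = 2
    Controller = 2
    License    = 2
    Gateway    = 2
}

function Test-ControlPlaneRedundancy {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [switch] $GracePeriodAcceptable
    )
    $findings = @()
    $byRole = $Inventory | Group-Object -Property Role

    foreach ($role in $Minimums.Keys) {
        $members  = @($byRole | Where-Object Name -eq $role | ForEach-Object Group)
        $required = $Minimums[$role]
        if ($role -eq 'License' -and $GracePeriodAcceptable) { $required = 1 }

        # Count check: fewer instances than the slide's minimum.
        if ($members.Count -lt $required) {
            $findings += [pscustomobject]@{
                Role = $role; Severity = 'High'
                Finding = "Only $($members.Count) $role instance(s); minimum is $required."
            }
        }

        # Hardware single point of failure: every instance on the same hypervisor host.
        $hosts = @($members | Select-Object -ExpandProperty Host -Unique)
        if ($members.Count -ge 2 -and $hosts.Count -eq 1) {
            $findings += [pscustomobject]@{
                Role = $role; Severity = 'Medium'
                Finding = "All $role instances run on host $($hosts[0]); not redundant from hardware failure."
            }
        }
    }

    # Site database: the slide asks for an HA database server rather than a count.
    $db = @($byRole | Where-Object Name -eq 'Database' | ForEach-Object Group)
    if (-not ($db | Where-Object { $_.HighAvailability })) {
        $findings += [pscustomobject]@{
            Role = 'Database'; Severity = 'High'
            Finding = 'No highly available site database configured.'
        }
    }
    return $findings
}

# With the sample inventory this reports: Controllers co-located on HV-01,
# a single License Server, a single Gateway, and a non-HA database.
Test-ControlPlaneRedundancy -Inventory $Inventory | Format-Table -AutoSize
```

Run with -GracePeriodAcceptable to relax the License Server requirement to a single instance, as the slide allows.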


Scalability

• Scalability: Adding Components to provide the expected level of performance for "Business as Usual" activity.

[Diagram: Endpoints with Citrix Workspace app connect through two Citrix ADC Load Balancers to a StoreFront Server Group (StoreFront-A and StoreFront-B).]

Key Notes:
• An architect will need to design a system to be able to support the expected load that allows "Business as usual" (or BAU) activities to be conducted.
• BAU will mean different things to different organizations. An accountancy firm, for example, may have a greater demand for resources one week per quarter, which means their system needs to be scaled to meet that demand.
• It can take a significant amount of time to scale up resources. So, it is important to ensure that a Citrix Virtual Apps and Desktops environment can meet the near-term needs of the user community.
• In this example, we see a StoreFront Server Group load balanced using two Citrix ADC components.


Components Covered in this Course

• Access, Control and Resource Layer components are essential to the operation of a Citrix Virtual Apps and Desktops environment.
• Management and Cloud components (where appropriate).

[Slide diagram: User Layer (Internal Users, External Users); Access Layer (StoreFront, Firewall, Citrix ADC/Gateway); Control Layer (Delivery Controller, Domain Controller, SQL, License Server); Resource Layer (Multi-session OS, Single-session OS (Assigned Desktop), Single-session OS (Random Desktop), Remote PC); Hardware Layer (Network, Wi-Fi, Storage, Processor, Memory, Graphics, Hypervisor)]

Key Notes:
• Citrix infrastructures can be categorized into several layers, from hardware layers hosting CPU, memory, storage, and networks through to operational layers such as control, access, user, and resource.
• We will be looking at the redundancy and scalability of the access, control, and resource layers throughout this course. Where appropriate, this will include Cloud components.


On-Premises and Cloud Environments – The Difference

[Slide diagram: User Layer (Internal Users, External Users); Access Layer, optional on-premises (StoreFront, Firewall, Citrix Gateway); Citrix Cloud (Workspace, Delivery Controller, Site Database, Citrix Gateway Service, License Server); Cloud Connectors linking the on-premises Resource Layer to Citrix Cloud; Resource Layer (Multi-session OS, Single-session OS (Assigned Desktop), Single-session OS (Random Desktop), Remote PC, Domain Controller); Hardware Layer, both on-premises and in Citrix Cloud (Network, Storage, Processor, Memory, Graphics)]

Key Notes:
• While many components require an architect to design them in a redundant and scalable manner, with a Citrix Cloud environment this is not necessary. The default setup is to use Workspace to provide authentication and Store services, and the Citrix Gateway Service for HDX connections, both of which are redundant.
• Where you need to retain on-prem resources, you will still need to ensure that redundancy and scalability considerations are met for non-Cloud components such as Cloud Connectors, Gateways, and on-premises StoreFront servers.
• In the diagram, components not managed by Citrix Cloud must continue to be managed by the organization, and so redundancy and/or scalability considerations still apply. These include components in the Resource Layer and optional on-premises components in the Access Layer.


Lesson Objective Review

Which components required for Citrix Virtual Apps and Desktops on-premises deployments would normally have their scalability and redundancy considerations managed by other teams?

• Active Directory
• SQL


StoreFront and Citrix Gateway Redundancy and Scalability

Key Notes:
• The first point of contact that a user has with the Citrix Virtual Apps and Desktops infrastructure is at the access layer. Whether access is direct to a StoreFront server or via a Citrix ADC, it is crucial that this system will continue to be available should any single part fail.
• This section will focus on ensuring redundancy and scalability at the access layer.


StoreFront Server Redundancy

• Server Groups
  • A synchronized group containing multiple StoreFront servers.
  • Creates redundancy and reduces the chances of inconsistent configurations.
  • Provide a fault tolerant, synchronized login experience to users.
  • Hosted using IIS and load balancers.

[Slide diagram: the User/Access/Control/Resource/Hardware layer diagram, with StoreFront in the Access Layer]

Key Notes:
• Used for both internal and external access requirements, StoreFront is hosted on standalone web servers, most often running Microsoft IIS.
• When load balancers are placed in front of multiple StoreFront servers, you can achieve both redundancy and scalability; however, each server has its own independent configuration. This results in the potential for an inconsistent client experience when connecting to different StoreFront servers through a load balancer.
• The use of server groups with StoreFront allows a common configuration to be shared across multiple StoreFront servers. This allows a truly redundant and scalable StoreFront architecture to be presented to users.
• To achieve this, you will need to have a load balancer (leading practice would be to use Citrix ADC) in front of the StoreFront servers, which must share a common base URL. Initial configuration and any changes must be manually propagated from the primary StoreFront server in the group. To facilitate this replication, port 808 must be used.
• During the replication process, custom scripts and layout customizations are replicated as a background process.

Additional Resources:
• StoreFront high availability and multi-site configuration: StoreFront current version documentation
  StoreFront 2203 Long Term Service Release | StoreFront 2203 (citrix.com)
• High Availability
  https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html
• Configure server groups: Current Release
  https://docs.citrix.com/en-us/storefront/current-release/configure-server-group.html
• Load balancing with ADC: Current Release
  https://docs.citrix.com/en-us/storefront/current-release/integrate-with-netscaler-and-netscaler-gateway/load-balancing-with-netscaler.html


StoreFront Server Scalability

Scale Up
• Single-server scalability is primarily based on the CPUs assigned to the server.
• Scalability is measured by the maximum number of user connections per hour.
• Access via Citrix Receiver/Workspace for Web adds CPU and RAM overhead.
• Scale up first, then scale out.

Scale Out
• There is no hard limit to the number of servers in a server group.
• However, there will be diminishing returns when adding 6+ StoreFront servers to a server group.
• 2-3 StoreFront servers with 4 vCPUs and 8 GB RAM should support 150k connections per hour (at a logon rate of 50 requests per second).

Key Notes:
• The StoreFront server, sitting in the access layer, is used to authenticate and broker connections only. Its load will be highest during peak login periods, such as the start of the working day. The number of Citrix Receiver and/or Citrix Workspace users supported by a StoreFront server group depends on the hardware in use.
• Based on simulated activity where users log on, enumerate 100 published applications, and start one resource, expect a single StoreFront server with the minimum recommended specification of two virtual CPUs running on an underlying dual Intel Xeon 2.27 GHz processor server to enable up to 30,000 user connections per hour.
• As more StoreFront servers are added to the server group (scale out), this will scale linearly for the first few servers, but additional scalability will begin to decline at 6+ servers. It is recommended to increase the CPUs allocated to the initial StoreFront servers (scale up) before adding more.
• The minimum recommended memory allocation for each StoreFront server is 4 GB. When using Citrix Receiver for Web, assign an additional 700 bytes per resource, per user, in addition to the base memory allocation. As with Receiver for Web, when using Citrix Receiver, allow an extra 700 bytes per resource per user on top of the base 4 GB memory requirement for this version of StoreFront.
• To determine whether an existing production deployment of StoreFront is sized adequately, use Citrix Director Trends to determine the maximum number of connections that are initiated over the course of an hour. If multiple Sites are aggregated by a single StoreFront server group, the connections initiated to each Site should be added to arrive at the total number. Combined with resource utilization data from the StoreFront servers, this can be used to support a request to allocate more resources to the existing StoreFront servers, or to add another server to the group.

Additional Resources:
• StoreFront High availability and multi-site configuration: StoreFront current version documentation
  https://docs.citrix.com/en-us/storefront/current-release/plan/high-availability-and-multi-site-configuration.html

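The capacity check described in the notes above, worked through in code. This is an added example written for this page, not Citrix code or tooling: it sums the launches from every Site a server group aggregates into one count per clock hour (the figure Director Trends would give you), then grows the group until capacity covers the peak, scaling the existing servers up before adding servers. The per-server figures (30,000 connections/hour for a 2 vCPU server, 4 GB base RAM plus 700 bytes per resource per user, diminishing returns at 6+ servers) are those quoted in the lesson; the linear scaling with vCPU count, the 4 vCPU scale-up ceiling, the 20% headroom and the sample launch records are assumptions made for this example.

```python
"""Peak-hour StoreFront load from launch records, then scale up before out.

Added example, not Citrix code. Course figures: 30,000 connections/hour per
2 vCPU server, 4 GB base RAM + 700 bytes per resource per user, returns decline
at 6+ servers. Assumptions: capacity grows linearly with vCPUs, scale-up stops
at 4 vCPUs, 20% headroom, and the sample launch records below are constructed.
"""
from collections import Counter
from datetime import datetime

BASE_VCPU = 2
BASE_CONNECTIONS_PER_HOUR = 30_000   # course figure for a 2 vCPU StoreFront server
MAX_VCPU = 4                         # assumption: scale up stops here, then scale out
DIMINISHING_RETURNS_SERVERS = 6      # course: returns decline at 6+ servers in a group
BASE_RAM_BYTES = 4 * 1024 ** 3       # course: 4 GB minimum per StoreFront server
BYTES_PER_RESOURCE_PER_USER = 700    # course: extra RAM for Receiver/Workspace for Web

# Constructed sample of launch records, as could be exported from Director
# Trends: (Site name, ISO 8601 launch time). Two Sites share one server group.
SAMPLE_LAUNCHES = [
    ("SiteA", "2023-03-06T08:05:00"), ("SiteA", "2023-03-06T08:17:00"),
    ("SiteB", "2023-03-06T08:42:00"), ("SiteA", "2023-03-06T08:59:00"),
    ("SiteB", "2023-03-06T09:03:00"), ("SiteA", "2023-03-06T09:10:00"),
    ("SiteA", "2023-03-06T13:30:00"), ("SiteB", "2023-03-06T13:31:00"),
]


def peak_connections_per_hour(launches):
    """Add every Site's launches into one count per clock hour and return
    (hour_iso, connections) for the busiest hour (earliest wins a tie)."""
    per_hour = Counter()
    for _site, stamp in launches:
        hour = datetime.fromisoformat(stamp).replace(minute=0, second=0, microsecond=0)
        per_hour[hour] += 1
    hour, count = max(sorted(per_hour.items()), key=lambda item: item[1])
    return hour.isoformat(), count


def group_capacity_per_hour(servers, vcpu_per_server):
    """Connections/hour the group absorbs, assuming capacity grows with vCPUs."""
    return servers * (BASE_CONNECTIONS_PER_HOUR * vcpu_per_server // BASE_VCPU)


def required_ram_bytes(users, resources_per_user):
    """Minimum RAM for one StoreFront server serving Receiver/Workspace for Web."""
    return BASE_RAM_BYTES + users * resources_per_user * BYTES_PER_RESOURCE_PER_USER


def plan_storefront_group(peak_per_hour, servers, vcpu_per_server, headroom=1.2):
    """Grow the group until capacity covers peak * headroom: vCPUs first
    (up to MAX_VCPU), then servers. Flags the 6+ server diminishing-returns zone."""
    target = peak_per_hour * headroom
    vcpu = vcpu_per_server
    while group_capacity_per_hour(servers, vcpu) < target and vcpu < MAX_VCPU:
        vcpu += 1                      # scale up
    while group_capacity_per_hour(servers, vcpu) < target:
        servers += 1                   # then scale out
    return {
        "servers": servers,
        "vcpu_per_server": vcpu,
        "capacity_per_hour": group_capacity_per_hour(servers, vcpu),
        "diminishing_returns": servers >= DIMINISHING_RETURNS_SERVERS,
    }


if __name__ == "__main__":
    hour, peak = peak_connections_per_hour(SAMPLE_LAUNCHES)
    print(f"busiest hour {hour}: {peak} connections")
    # Scenario from the lesson review: two 2 vCPU / 4 GB servers at their limit.
    print(plan_storefront_group(peak_per_hour=60_000, servers=2, vcpu_per_server=2))
    print(plan_storefront_group(peak_per_hour=150_000, servers=2, vcpu_per_server=2))
```

With a real export, replace SAMPLE_LAUNCHES with one record per initiated connection from each aggregated Site; the planner reproduces the lesson's own figure, arriving at three 4 vCPU servers for 150,000 connections per hour, and raises the diminishing-returns flag once it would need six or more servers, which is the point to revisit the per-server specification instead.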

Citrix ADC Redundancy Options
HA Pair

HA Pair (Active/Passive)
• Single Access Route
• Secondary Backup Route
• Automatic, Instant Switchover

[Slide diagram: Users connect to a pair of Citrix ADC appliances in front of two Servers]

Key Notes:
• StoreFront servers are primarily used to connect to resources. In most public network situations or some high security deployments, you need to control access and provide secure session communications using a gateway. Citrix Gateway is part of the Citrix ADC product, which can provide a secure gateway through which to access Citrix Virtual Apps and Desktops infrastructure.
• To ensure redundancy, customers historically deployed HA Pairs or GSLB (Global Server Load Balancing) when integrating with Citrix Virtual Apps and Desktops products.
• With release 10.1 and later, most of the important features in a Citrix ADC are available in Cluster mode, which is another viable option that improves scalability.
• When deploying any type of High Availability, scale the individual Citrix ADC appliances so that they can handle the user load, even in the event that one appliance is down.
• In its simplest form, a Citrix ADC High Availability pair should be able to support 100% of expected login and session load on each of two appliances operating in active-passive mode.
• Both units in an HA pair "speak" to each other to verify that the primary unit is operational. If these communications are not responded to, the secondary will "activate" and serve connections.
• It is crucial that the "hello" messages between the primary and secondary units are not delayed, to avoid triggering an incorrect failover.

Additional Resources:
• High Availability
  https://docs.citrix.com/en-us/citrix-adc/current-release/system/high-availability-introduction.html
• Clustering
  https://docs.citrix.com/en-us/citrix-adc/current-release/clustering.html
• Azure Load Balancer overview
  https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview


Citrix ADC Redundancy Options
Cluster/GSLB

Cluster (Active/Active)
• Multi Site or Load parameters may require more than one Citrix ADC to be active at a time.
• Clusters require additional network setups and configurations.
• GSLB requires no additional network setup.

[Slide diagram: Users connect to two active Citrix ADC appliances in front of two Servers]

Key Notes:
• A cluster or GSLB configuration exists when multiple Citrix ADC units are working effectively as a single entity, sharing the load out to a number of units servicing user requests. This allows load sharing, redundancy, and sizing to be accommodated in a single solution.
• A GSLB deployment uses DNS to identify the least busy service at the point of user request. Additional units can be added as required.
• A Citrix ADC cluster is a group of appliances working together as a single system image. Each appliance in a cluster is called a node, and you can have as many as 32 Citrix ADC appliances in each cluster. It is worth verifying that the features you need are available in a cluster and that all nodes are of the same model, platform, type, version, and release.

Additional Resources:
• High Availability
  https://docs.citrix.com/en-us/citrix-adc/current-release/system/high-availability-introduction.html
• Clustering
  https://docs.citrix.com/en-us/citrix-adc/current-release/clustering.html
• Azure Load Balancer overview
  https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview


Citrix ADC Redundancy Options
Cloud - Azure

Azure (Active/Active)
• Third-party infrastructure which services load balancing requests.
• ADC infrastructure can be standalone without GSLB or Clustering.
• It is important to understand how third-party load balancing methods work to avoid issues integrating with Citrix features.

[Slide diagram: Users connect through Azure Load Balancing to two Citrix ADC VPX instances in front of two Servers]

Key Notes:
• With cloud solutions growing, there are several options available to facilitate load balancing and redundancy. These are normally provided and supported by the cloud provider, and they can simplify deployments.
• In a Microsoft Azure deployment, for example, a high availability configuration of two Citrix ADC virtual machines is achieved by using the Azure Load Balancer. This distributes the client traffic across the virtual servers configured on both of the Citrix ADC instances.
• It is important that we understand how third-party load balancing operates to ensure we do not have issues with features such as persistence and auto-reconnect.

Additional Resources:
• High Availability
  https://docs.citrix.com/en-us/citrix-adc/current-release/system/high-availability-introduction.html
• Clustering
  https://docs.citrix.com/en-us/citrix-adc/current-release/clustering.html
• Azure Load Balancer overview
  https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview


Citrix ADC Scalability

• TLS (encryption) throughput is the most significant factor in scalability and sizing.
• Each Citrix ADC platform has multiple models with increasing throughput capabilities.

Citrix ADC VPX
• Virtual appliance that is supported on most major hypervisor and cloud-hosting platforms.
• Depending on model, TLS throughput can range from 10 Mbps to 30 Gbps.

Citrix ADC MPX
• Physical network appliance that is installed in an on-premises or service provider's datacenter.
• Depending on model, TLS throughput can range from 1 Gbps to 120 Gbps.
• Includes dedicated CPUs for encryption/decryption.

Citrix ADC SDX
• Physical network appliance that uses the MPX architecture combined with Citrix Hypervisor to host multiple Citrix ADC virtual instances simultaneously.
• TLS throughput must be compared to the maximum throughput for the virtual VPX instance where the Gateway vServer is located.

Key Notes:
• To identify which Citrix ADC platform can meet the environment's requirements, the key resource constraints must be identified. Since all remote access traffic will be secured using Transport Layer Security (TLS), transported by Hypertext Transfer Protocol (HTTP) in the form of HTTPS, there are two resource metrics that should be targeted:
  • TLS throughput – The TLS throughput is the maximum gigabits of TLS traffic that may be processed per second (Gbps).
  • TLS transactions per second (TPS) – The TPS metric identifies how many times per second an Application Delivery Controller (ADC) may execute a TLS transaction. The capacity varies primarily by the key length (security strength) required. While TPS is an important metric to monitor, field experience has shown that TLS throughput is the most significant factor in identifying the appropriate Citrix ADC model.
• To determine the TLS throughput required for a Citrix ADC platform, multiply the maximum concurrent bandwidth for a datacenter by 1.02:
  • TLS Throughput = Maximum Concurrent Bandwidth * 1.02
• We are adding 2% to the max concurrent bandwidth as a rule of thumb to account for TLS bandwidth overhead. This is often considered negligible relative to the volume of HDX traffic, and it is not typically accounted for as part of required TLS throughput. However, making provisions for TLS bandwidth will help ensure the total throughput estimated is sufficient.
• Ideally, the overhead should be measured during a proof of concept or pilot.
• Once the concurrent bandwidth and TLS throughput requirements are known, compare those to the Citrix ADC model that has been deployed. Citrix publishes datasheets that specify the maximum expected TLS throughput for a given Citrix ADC platform and model.

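The sizing rule above, combined with the earlier redundancy guidance, as an added example written for this page (not Citrix code or a Citrix sizing tool). It computes TLS Throughput = Maximum Concurrent Bandwidth * 1.02 and then asks what each appliance must carry with one appliance down: 100% of the load on each node of an active/passive HA pair, and, as our reading of the "handle the user load even in the event that one appliance is down" guidance for an active/active cluster, total / (nodes - 1) per node. The model ratings in the block are constructed placeholders; the real figures come from the Citrix datasheet for the platform and model you deploy.

```python
"""TLS throughput sizing for a Citrix ADC deployment.

Added example, not Citrix code. Course rule of thumb: required TLS throughput
is maximum concurrent bandwidth * 1.02. Redundancy reading (our assumption for
the active/active case): the load must still fit with one appliance down.
"""
TLS_OVERHEAD = 1.02   # course rule of thumb: add 2% for TLS bandwidth overhead

# Constructed placeholder ratings in Mbps. NOT Citrix datasheet values.
PLACEHOLDER_MODELS = [
    ("VPX-small-PLACEHOLDER", 1_000),
    ("VPX-medium-PLACEHOLDER", 3_000),
    ("MPX-PLACEHOLDER", 10_000),
]


def required_tls_throughput_mbps(max_concurrent_bandwidth_mbps):
    """Total TLS throughput the datacenter needs, including the 2% overhead."""
    return max_concurrent_bandwidth_mbps * TLS_OVERHEAD


def per_appliance_requirement_mbps(total_mbps, nodes, active_active):
    """Throughput one appliance must sustain after a single-node failure."""
    if nodes < 2:
        raise ValueError("redundancy needs at least two appliances")
    if not active_active:
        return total_mbps            # HA pair: the surviving node carries everything
    return total_mbps / (nodes - 1)  # cluster/GSLB: survivors share the load (assumption)


def smallest_adequate_model(per_appliance_mbps, models=PLACEHOLDER_MODELS):
    """Lowest-rated model whose TLS throughput meets the per-appliance need."""
    for name, rating_mbps in sorted(models, key=lambda m: m[1]):
        if rating_mbps >= per_appliance_mbps:
            return name
    return None   # nothing in the list is large enough


def size_adc(max_concurrent_bandwidth_mbps, nodes=2, active_active=False,
             models=PLACEHOLDER_MODELS):
    """Required total and per-appliance TLS throughput plus the smallest model that fits."""
    total = required_tls_throughput_mbps(max_concurrent_bandwidth_mbps)
    per_node = per_appliance_requirement_mbps(total, nodes, active_active)
    return {
        "required_total_mbps": round(total, 2),
        "per_appliance_mbps": round(per_node, 2),
        "model": smallest_adequate_model(per_node, models),
    }


if __name__ == "__main__":
    print(size_adc(2_500))                                 # active/passive HA pair
    print(size_adc(2_500, nodes=4, active_active=True))    # four-node active/active cluster
    print(size_adc(20_000))                                # no placeholder model is large enough
```

The check is intentionally conservative: an HA pair never gets credit for its passive member, and the cluster arithmetic only credits the nodes that survive a failure. If `model` comes back as None, the requirement exceeds every model in the list, which on a real datasheet means moving to a larger platform rather than adding more nodes of the same size. For SDX, compare the per-appliance figure with the throughput of the VPX instance that hosts the Gateway vServer, as the slide notes.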

Lesson Objective Review

Two StoreFront servers in a server group aggregate resources from multiple Sites. They have been allocated with 2 vCPUs and 4 GB RAM. Resource utilization and historical session data show that the StoreFront servers are at the limit of their expected capacity.

How should StoreFront capacity be expanded?

Increase the resources allocated to the existing StoreFront servers.


Site Infrastructure Redundancy and Scalability

Key Notes:
• In this lesson, we will identify the considerations for implementing redundancy and scalability for Delivery Controllers, License Servers, the Site Database, and Director.


Citrix Delivery Controller Redundancy

• Citrix Delivery Controller servers manage the deployment.
• Deployments should have at least two Delivery Controllers.

[Slide diagram: the User/Access/Control/Resource/Hardware layer diagram, with the Delivery Controller in the Control Layer]

Key Notes:
• The Delivery Controller is responsible for facilitating connection requests in cooperation with the StoreFront and ADC servers. Once a session is operational, the Delivery Controller continues to communicate with the session to extract performance and alerting information. The Delivery Controller, therefore, has a critical role in both connectivity and session operation.
• If the only Delivery Controller fails, existing sessions will not be impacted; however, performance and alerting data will not be available. New sessions will not be able to be launched, and power management features, such as switching on additional machines to meet demand, will not function. As there is no way to communicate with the SQL database, configuration management of the infrastructure will also not be possible.
• To ensure redundancy or manage scalability, additional Controllers can be added during initial Site creation or later.
• Software versions must be at least equal to those in the existing Site to allow a new Delivery Controller to join.
• While most components will automatically recognize the addition of a new Delivery Controller, it may need to be listed separately in a load balancer, STA, StoreFront, or ADC configuration to be fully available.
• Should we need to remove a Controller from a Site, it is simply removed from the database; no Citrix software is uninstalled. When you remove a Controller from a Site, the Controller logon to the database server is not removed. This avoids potentially removing a logon that is used by other products' services on the same machine. The logon must be removed manually if it is no longer required; the securityadmin server role permission is needed to remove the logon.

Additional Resources:
• Citrix VDI Handbook
  https://docs.citrix.com/en-us/legacy-archive/downloads/citrix-vdi-handbook-7-6-ltsr.pdf
• Delivery Controllers (Current Release)
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/delivery-controllers.html


Citrix Delivery Controller Scalability

• The sizing equation below is a baseline for estimating how many Delivery Controllers are needed in a Site or Zone.
• Delivery Controller scalability is primarily based on CPU utilization.
• Local Host Cache considerations should play a part in sizing decisions.
• Use resource monitoring on the Delivery Controller(s) to track and validate scalability.

Delivery Controller Sizing Equation:
  (Number of Active Sessions per Site or Zone / 5,000) + 1 = Number of Delivery Controllers

Assumed Specifications:
• 4 vCPU
• 4 GB RAM
• Bonded virtual NIC
• 40 GB storage

Key Notes:
• The sizing equation is useful for making quick estimates as to the scalability of a Delivery Controller, but a few factors can affect how an administrator might want to size the Controllers in their environment.
  • Local Host Cache introduces new considerations that were not applicable to earlier versions of Citrix Virtual Apps and Desktops. In a Site database outage scenario, any of the Delivery Controllers in a Site could be elected as the primary broker. This means that all Delivery Controllers must be sized to provide an acceptable level of scalability in this scenario.
  • Because Local Host Cache uses a SQL Server Express LocalDB to store Site data, only a single CPU socket and up to four cores can be used. Therefore, to optimize the available compute power, fewer sockets, and more cores per socket, should be allocated to the Controllers. When using virtual machines, this can be accomplished through the machine settings on the hypervisor.
  • Local Host Cache's LocalDB service also has a RAM overhead of 1.2 GB, while the High Availability Service can use 1 GB RAM during outage scenarios. For this reason, consider allocating 8 GB RAM to each Controller, up from the baseline specification used in the equation.
  • Citrix documentation has published limits for the maximum number of VDA machines that can be handled by a single Controller during an outage. Note that these numbers count machines, not sessions, in contrast to the estimate above.

Additional Resources:
• Design methodology control layer – Delivery Controllers – Decision: Server Sizing
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/system-requirements.html
• Local Host Cache
  https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/local-host-cache.html
```

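The sizing equation and the Local Host Cache adjustments from the notes above, as an added example written for this page (not Citrix code or a Citrix sizing tool). It evaluates Number of Active Sessions per Site or Zone / 5,000 + 1, rounding the division up so a partial block of sessions still gets a Controller (our reading of the equation), and then adjusts the assumed 4 vCPU / 4 GB specification the way the notes describe: one socket carrying all the cores, because LocalDB uses a single socket and up to four cores, and 8 GB RAM to cover LocalDB (1.2 GB) and the High Availability Service (1 GB) during an outage. The published per-Controller VDA machine limit for an outage is not quoted here, so it is a parameter you supply from the Citrix documentation; leaving it as None skips that check.

```python
"""Delivery Controller count and per-Controller specification.

Added example, not Citrix code. Course inputs: sessions / 5,000 + 1 Controllers,
4 vCPU / 4 GB / bonded NIC / 40 GB baseline, LocalDB limited to one socket and
four cores, 1.2 GB LocalDB + 1 GB HA Service overhead, 8 GB recommended with
LHC. Assumption: the division is rounded up. The documented machine limit per
Controller during an outage is not in the course and must be supplied.
"""
import math

SESSIONS_PER_CONTROLLER = 5_000          # divisor in the course equation
BASELINE_SPEC = {"vcpu": 4, "ram_gb": 4, "nic": "bonded virtual NIC", "storage_gb": 40}
LHC_LOCALDB_RAM_MB = 1_200               # course: LocalDB overhead of 1.2 GB
LHC_HA_SERVICE_RAM_MB = 1_000            # course: HA Service may use 1 GB in an outage
LHC_RAM_GB = 8                           # course: allocate 8 GB when LHC is in use
LHC_MAX_CORES = 4                        # course: LocalDB uses one socket, up to four cores


def controllers_required(active_sessions):
    """Baseline count: ceil(sessions / 5,000) + 1."""
    if active_sessions < 0:
        raise ValueError("session count cannot be negative")
    return math.ceil(active_sessions / SESSIONS_PER_CONTROLLER) + 1


def controller_spec(local_host_cache=True):
    """Per-Controller VM specification; LHC raises RAM and fixes the socket layout."""
    spec = dict(BASELINE_SPEC)
    spec["sockets"] = 1                            # fewer sockets, more cores per socket
    spec["cores_per_socket"] = spec["vcpu"]
    if local_host_cache:
        spec["ram_gb"] = max(spec["ram_gb"], LHC_RAM_GB)
        spec["lhc_ram_overhead_mb"] = LHC_LOCALDB_RAM_MB + LHC_HA_SERVICE_RAM_MB
        spec["lhc_usable_cores"] = min(spec["cores_per_socket"], LHC_MAX_CORES)
    return spec


def lhc_outage_within_limit(vda_machines, max_machines_per_controller=None):
    """During a Site database outage one elected Controller brokers every VDA
    machine, so this check counts machines, not sessions. Returns None when
    the documented limit has not been supplied."""
    if max_machines_per_controller is None:
        return None
    return vda_machines <= max_machines_per_controller


def size_controllers(active_sessions, vda_machines=0,
                     max_machines_per_controller=None, local_host_cache=True):
    """Controller count, VM specification and the optional LHC outage check."""
    return {
        "controllers": controllers_required(active_sessions),
        "spec": controller_spec(local_host_cache),
        "lhc_outage_within_limit": lhc_outage_within_limit(
            vda_machines, max_machines_per_controller),
    }


if __name__ == "__main__":
    # 12,000 active sessions on 3,000 VDA machines; pass the documented
    # per-Controller machine limit as max_machines_per_controller once known.
    print(size_controllers(12_000, vda_machines=3_000,
                           max_machines_per_controller=None))
```

Two points worth noticing in the output: the count grows with sessions while the outage check is against machines, which is why both inputs are kept separate, and the specification is the same for every Controller because any one of them may be elected primary broker while the database is unavailable.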

Citrix License Server Redundancy Options and Scalability

Redundancy Options
• Duplicate standby License Server
• Load Balanced License Server
• Microsoft Cluster

Scalability Considerations
• A server with 2 vCPUs and 2 GB of RAM can issue 170 licenses per second
• Optimize Receive and Processing parameters

Key Notes:
• Some Citrix components can operate without a license server for a period of time; however, for others a working license server is a critical component.
• Traditionally, license files are assigned against a server name, resulting in some special considerations for redundancy. This may mean that a duplicate, identical license server in a passive state is switched on if the active license server is detected as down.
• Multiple license servers must not be issuing licenses at the same time because of EULA restrictions, which is why active-passive load balancing is a useful option.
• You can also use IIS Clustering for the License Server. This allows users to continue working during failure situations, without interrupting their access to critical applications. When the active node in a cluster-enabled License Server suffers from hardware failure, failover occurs automatically, and resources are seamlessly available. License Server VPX does not support clustered License Servers.
• An important metric to note for scalability is the thread count of the server. If the thread count is set too low, requests will be queued until a thread becomes available. Conversely, if the thread count is set too high, the license server will become overloaded. These values are configured via the License Administration console.
• The optimal values are dependent on the server hardware, site configuration, and license request volume. Citrix recommends testing and evaluating different values to determine the optimal configuration. Setting the maximum number of processing threads to 30 and the maximum number of receiving threads to 15 is a good starting point for large scale deployments. This optimization will improve the Citrix License Server's ability to provide licenses by increasing its ability to receive and process license requests.

Additional Resources:
• Clustered license servers
  https://docs.citrix.com/en-us/licensing/current-release/clustered-license-servers.html
• Making the Citrix License Server (Truly) Highly Available
  https://www.citrix.com/blogs/2015/02/12/making-the-citrix-license-server-truly-highly-available/
• Improve performance by specifying thread use
  https://docs.citrix.com/en-us/licensing/current-release/manage/thread-use.html


Site Database Redundancy Options

• Microsoft SQL Server options:
  • Always On
  • Mirroring
  • Cluster

[Slide diagrams: SQL Always On: the Controller connects to a Virtual Server fronting SQLServer-A on Node01 (Active Database) and SQLServer-B on Node02 (Replica Database). SQL Mirror: the Controller connects to SQLServer-A (Active Database), mirrored to SQLServer-B (Mirror Database), with SQLServer-C as the witness. SQL Cluster: the Controller connects to a Virtual Server fronting SQLServer-A and SQLServer-B, which use Shared Storage holding the Active Database.]

Key Notes:
• Although we have technologies such as the Local Host Cache, the most efficient way to ensure redundancy is to avoid the loss of critical Citrix Virtual Apps and Desktops databases. If we focus on Microsoft SQL Server, we have three main options to protect the Site databases.
• SQL Always On uses a failover approach combined with a duplicated copy of the original database. Key here is that the replica databases can also be used for reads, so improvements in scalability and performance can also be observed with Always On.
• SQL mirroring uses a witness server to ensure the database is maintained over two locations, and automatic failover occurs when the primary server fails.
• SQL clusters are, perhaps, the most advanced technique to maintain database uptime. This requires multiple hosts with a central controller and shared storage, which must also be highly available.

Additional Resources:
• Supported Databases for Citrix Virtual Apps and Desktops Components
  https://support.citrix.com/article/CTX114501
• Always On Availability Groups (SQL Server):
  https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server?view=sql-server-2017


Site Database Scalability

SQL Server Sizing
  Users    | CPU     | RAM
  0 – 5K   | 2 cores | 4 GB RAM
  5 – 15K  | 4 cores | 8 GB RAM
  15K+     | 8 cores | 16 GB RAM

• Host database files and transaction logs on separate hard disk subsystems.
• This will help the database cope with a high number of transactions during boot storms.
• Sizing estimates do not include transaction logs, and in larger environments, these should be monitored and backed up regularly to prevent excessive growth.

Database Storage Sizing
  Database        | Expected max. size | Key sizing factors
  Site            | 30 – 390 MBs       | Number of users, published applications, virtual desktop type.
  Monitoring      | 20 MBs to 119 GBs  | Retention period, number of users, number of connections.
  Config. Logging | 30 – 200 MBs       | Usage of MCS, number of administrative actions.

Key Notes:
• The SQL server must be sized correctly to ensure the performance and stability of an environment. Since every Citrix product uses SQL Server in a different way, no generic all-encompassing sizing recommendations exist, but they are available on a product-by-product basis.
• For Citrix Virtual Apps and Desktops environments not using MCS, the Configuration Logging database size tends to fall between 30 and 40 MB. For MCS environments, database size can easily exceed 200 MB due to the logging of all VM build data.
• In addition to the Site, Monitoring, and Configuration Logging databases, a system-wide temporary database (tempdb) is provided by SQL Server, which is used to store Read-Committed Snapshot Isolation data. Citrix Virtual Apps and Desktops uses this SQL Server feature to reduce lock contention on the Site databases (thus extending the feasible range of a single Site).
  • If Citrix Studio is used to create a new Site database, or upgrade an existing one, in many cases it automatically enables Read-Committed Snapshot at that time; however, this might not always be possible, in which case it is necessary to manually enable the option.
  • The size of the tempdb database will depend on the number of active transactions, but in general it is not expected to grow more than a few MBs. The performance of the tempdb database does not impact the performance of session brokering, as any transactions that generate new data require tempdb space. Citrix Virtual Apps and Desktops tends to have short-lived transactions, which help keep the size of the tempdb small.
• For an existing production environment, regular monitoring of storage utilization of the SQL server(s) hosting the Site databases should be completed by the team managing the SQL deployment. Regularly performing backups of the SQL transaction logs can help to limit the growth of the Site databases.

Additional Resources:
• How to Enable Read-Committed Snapshot
  https://support.citrix.com/article/CTX137161


Citrix Director Redundancy and
Scalability Small Scale Deployments

Delivery Controller
Admin with Director
• Consider multiple Citrix Director servers if high
availability for Site monitoring is a requirement.

N
Enterprise Deployments

ot
• Citrix Director can be co-located with the Delivery
Controller role in small or non-production

fo
environments. Director Server Delivery Controller

rr
Admin

• For larger environments with larger administrative

es
teams, use a dedicated server or servers with 4 High-Availability Deployments

al
vCPU, 4 GB RAM as a baseline.

e
or
Director Server Delivery Controller

di
Citrix
Admin
Gateway

s
Director Server Delivery Controller

tri
b ut
© 2022 Citrix Authorized Content

io
n
Key Notes:
• From a redundancy point of view, if a Citrix Director server goes offline, administrators will lose the ability to monitor the Site, but
end user sessions will not be affected. Configuring Citrix Director on multiple servers will mitigate this issue if high‐availability is
desired for monitoring.
• A load balancer, such as Citrix ADC, can be used to distribute the load between multiple Director servers.
• During initial installation, only one Controller per Site should be entered. Director automatically discovers all other Controllers in
the same Site and falls back to those other Controllers if the configured Controller fails. Director does not load balance between
Controllers.
• As a minimum, a Citrix Director server should have a dedicated 2 GB RAM and 200 MB of hard disk space on a machine.
In smaller or non‐production environments, the role can be co‐located with the Delivery Controller(s), but larger
environments should use dedicated machines for the Director role to prevent it from impacting Controller performance.
• If creating a dedicated machine, Citrix recommends a 4 vCPU, 4 GB RAM resource allocation, which should support up
to 100 users. For every additional 100 users, add 4 GB RAM to the machine.

Additional Resources:
• Citrix Director – Advanced configuration
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/director/install‐and‐configure/advanced‐configuration.html


Lesson Objective Review

When configuring CPUs for a Delivery Controller machine, is it better to configure four sockets, one core per socket,
or one socket with four cores?

It is preferable to have one socket with four cores allocated to it, so that all the cores can be used if the Controller is
elected as the primary broker when Local Host Cache is in use.



Lab Exercise Prep

Please take a moment and provision your lab for Module 2.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



Machines Running the Virtual Delivery Agent

Key Notes:
• In this lesson, we will identify tools and indicators used to assess VDA performance and determine the redundancy requirements
for VDA machines.



Determine Redundancy Requirements for Machines Running the Virtual Delivery Agent

• The redundancy requirement for machines running the Virtual Delivery Agent is not as simple as having “N+1”
machines per Delivery Group.
• Each organization must determine the availability and capacity of VDAs in the event of a VM, host, chassis, or
datacenter-level outage.
• Work to learn the business requirements of the end users and translate those into redundancy requirements for each
resource hosted on Citrix Virtual Apps and Desktops.

[Diagram: 1. Assess the Requirements; 2. Design the Redundancy Capacity; 3. Test and Deploy.]

n
Key Notes:
• There is no singular “leading practice” for the redundancy of machines hosting HDX sessions. Each organization must make its own
tradeoff between cost and increased availability.
• For example, non‐production and lab environments may be located on a single host, or even a single VM with a nested hypervisor.
On the other hand, critical production workloads may be hosted in multiple datacenters to provide the highest level of
redundancy possible.
• Investigate the business requirements of the end user groups, in terms of application and/or desktop criticality, availability
expectations, and capacity expectations in the event of a major outage. Then, translate those requirements into
redundancy requirements for the machines that host those published resources.
• Consider the following example:
• The Citrix Administrative team needs to add a new internal support application to the existing Virtual Apps and
Desktops environment.
• During the intake process, a Citrix administrator asks the support manager who submitted the request about their
availability requirements. The manager stated that they would like to maintain availability for all 200 people on the
team whenever possible; but he acknowledged that the application’s backend databases were hosted in a single
datacenter, so there was no expectation of access if the entire datacenter suffered an outage.
• As a result of these requirements, the Citrix administrative team worked with the hardware team to ensure that the
VDA machines hosting the application were not all located on the same physical host or rack in the primary
datacenter. As a result of this approach, the team minimized the number of surplus machines that needed to be
created.



Assess the Performance of Machines Running the VDA

• In addition to the daily monitoring of system-level metrics, performance trends should be tracked over time.
• Perform regular capacity assessment of the Citrix environment to determine environment utilization and required
capacity adjustments, if needed.
• Tools such as Citrix Director and Citrix Analytics can assist in performing a capacity assessment.

n
Key Notes:
• Even when a Citrix environment goes through a formal design and is sized based on capacity requirements, once the environment is
in production, regular capacity assessments will help plan for future growth as more users access the environment.
• A baseline of the environment performance should be taken, so that it can be compared against performance over time.
• For example, if a user complains of poor performance, this baseline can be used for comparison purposes to identify if the issues
are related to the user load exceeding the capacity of the environment.
• An example of baseline performance metrics for capacity management would include historical data for CPU, memory, and
network utilization on the Server OS and Desktop OS machines running the VDA.
• Use the Trends > Capacity Management view within Citrix Director to track the Citrix Virtual Apps and Desktops
deployment over time.
• Citrix Analytics can also provide advanced performance data and recommendations for on‐premises Citrix Virtual
Apps and Desktops Sites. Performance analytics provide a centralized location to view which VDA machines and
Delivery Groups are suffering from resource constraints and may need additional capacity.



Optimizing the Performance of Windows Workloads

• Citrix has tools that are available to optimize Windows workloads:
• Citrix Optimizer
• Workspace Environment Management (WEM)
• Citrix Optimizer is part of WEM.
• It is important to test optimizations before implementing them in production.

[Diagram: screenshots of Citrix Optimizer and Citrix Workspace Environment Management (WEM).]

n
Key Notes:
• In order to enhance performance and increase scalability, Citrix administrators can use tools such as Citrix Workspace
Environment Management (WEM) to prepare and configure environments for optimal performance.
• Citrix Workspace Environment Management (WEM) has additional system optimization features that can provide benefits in
controlling resource usage and configuring the user environment.
• Citrix Optimizer, included with WEM, is a PowerShell-based tool with a GUI that analyzes an environment and allows optimizations to
be executed from templates, with the ability to roll back an optimization if issues are found.
• Citrix Optimizer can disable tasks, Windows services and apps, as well as provide scripted optimizations using per-operating-system
templates.

Additional Resources:
• Citrix Optimizer
https://support.citrix.com/article/CTX224676



Lesson Objective Review

What are some tools that Citrix offers to help assess and optimize the performance of machines hosting apps and
desktops?

• Citrix Analytics
• Citrix Optimizer
• Citrix Workspace Environment Management



Lab Exercise

• Exercise 2-1: Join a Second Delivery Controller to the Site
• Exercise 2-2: Edit the Store to Add the Second Delivery Controller
• Exercise 2-3: Test Local Host Cache
• Exercise 2-4: Join the Second StoreFront Server to the Server Group
• Exercise 2-5: Configure Load Balancing for the StoreFront Servers
• Exercise 2-6: Test the Load Balancing of the StoreFront Servers



Key Takeaways

• Redundancy and scalability considerations are critical for the stability and optimization of Citrix Virtual Apps and
Desktops environments.
• Some components may already be redundant or easily scalable in a Citrix Virtual Apps and Desktops environment.
• Maintaining business as usual is a critical driver for both redundancy and scalability.

n
Key Notes:
• To ensure platform stability and resource availability for business‐as‐usual activities, an engineer must ensure both redundancy and
scalability needs are met.
• Depending on each environment, some components may already be redundant or have inbuilt redundancy.
• The primary objective for redundancy and scalability is to maintain a business‐as‐usual position.



Key Takeaways

• Implementing redundancy and scalability may require the use of third-party solutions in addition to Citrix technologies
and hardware.
• Various tools, both Citrix and third-party, allow engineers and architects to assess the needs of a Citrix Virtual Apps and
Desktops deployment.
• Find out user requirements to guide redundancy decisions for VDA machines and implement Windows optimizations to
gain the most from each machine.

n
Key Notes:
• Redundancy and scalability implementation will often require the integration of third‐party solutions which need careful planning to
ensure proper integration.
• There are a wide variety of tools available to engineers to accurately plan for deployment redundancy and scalability needs.
• Decisions on how much redundancy is required will be driven by user requirements.



Module 3
Citrix Virtual Apps and Desktops 7 Advanced Configuration
Planning: Virtual Apps and Desktops Environment with Multiple Locations



Learning Objectives
• Identify the benefits of creating multiple Zones in a Citrix Virtual Apps and Desktops Site that has geographically
dispersed resource locations.
• Describe the VDA registration process for VDAs in single-zone and multi-zone environments.
• Explain the purpose of Zone Preference options and how they control the behavior of app and desktop launches.
• Compare the differences between StoreFront standard routing and StoreFront optimal gateway routing (OGR).
• Describe how StoreFront resource aggregation is used for application grouping and load balancing and identify its
configuration methods.



Zones

Key Notes:
• Identify the benefits of creating multiple Zones in a Citrix Virtual Apps and Desktops Site that has geographically dispersed resource
locations.
• Identify the tasks to move a machine catalog between zones.



What are Zones?

• Zones are a mechanism that allows for deployment of a single Citrix Virtual Apps and Desktops site across multiple
geographically distributed datacenters.
• A site will always contain a primary zone and, optionally, several satellite zones.
• The primary zone must contain at least one Delivery Controller and access the site database.
• A satellite zone can contain VDAs (machine catalogs and delivery groups), Delivery Controllers, StoreFront servers,
Citrix Gateway servers, and Hypervisor connections.

n
Key Notes:
• A site always has a primary zone, which is used to host control plane resources. It can also have one or more secondary, or satellite
zones.
• Satellite zones can be used for disaster recovery or connection routing.
• Zones will often be used where you have geographically‐distant datacenters, branch offices, or cloud locations.
• Primary zone:
• The primary zone has the default name "Primary", which contains the SQL Server site database, Studio, Director, Citrix StoreFront,
Citrix License Server, and Citrix Gateway.
• The site database should always be in the primary zone.
• Two Delivery Controllers, as a minimum, should be configured for redundancy in an on‐premises deployment.
• Satellite zone:
• A satellite zone contains one or more VDAs, Delivery Controllers, StoreFront servers, and Citrix Gateway servers.
Under normal operations, Delivery Controllers in a satellite zone communicate directly with the database in the
primary zone.

• A satellite zone, particularly a large one, might also contain a hypervisor that is used to provision and/or store
machines for that Zone. When you configure a satellite zone, you can associate a hypervisor or cloud service
connection with it.
• Be sure any machine catalogs that use a Hypervisor or cloud connection are in the same Zone.

Additional Resources:
• Citrix Virtual Apps and Desktops Zones
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html



Zones Deployment Options

Deployment Solutions

Option 1
Scenario: 3 Office Locations
Solution: 3 sites
• Each location has a deployed site.
• Each location has a Delivery Controller and SQL server.
• High Availability implementations, such as Delivery Controller, are per site.
Result:
• 3 times the work to manage 3 separate sites.

Option 2
Scenario: 3 Office Locations
Solution:
• 1 site
• 3 Zones
• Control Plane on-premises
Result:
• Less administrative overhead, with only 1 site to manage.

Option 3
Scenario: 3 Office Locations
Solution:
• 1 site, 3 Zones, Control Plane in Citrix Cloud
• The control plane is hosted in Citrix Cloud, where High Availability is built in.
• A site can have zero or more satellite zones, which can consist of VDAs and one or more Connectors, with or without
infrastructure servers.
• None of the office locations have a Delivery Controller or a SQL server.
Result:
• Less administrative overhead, with only 1 site and no infrastructure to manage.

Key Notes:
• Option 1 does not include the deployment of Zones.
• Each site deployment automatically creates a zone and puts all infrastructure and resources into this zone, known as the primary
zone.

Additional Resources:
• Citrix Virtual Apps and Desktops Zones
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html



FMA Zones Architecture

• FlexCast Management Architecture (FMA) provides the modular structure in Citrix technologies.
• Using a single site across multiple locations simplifies management.
• For example:
• New York is the primary zone and will host the site database and Citrix infrastructure.
• Miami is a satellite zone that only hosts a machine catalog.
• San Francisco, as a larger satellite zone, hosts both a Delivery Controller and a machine catalog.

[Diagram: Deployment Example. Each location is a separate Zone within a single Citrix Virtual Apps and Desktops site.
Primary zone New York (NYC): SQL, Delivery Controller, Linux Desktop, Hosted Desktop, Assigned Desktop. Satellite
zones San Francisco (SFO) and Miami (MIA): Delivery Controller, Remote PC, Assigned Desktop.]

Key Notes:
• From Citrix Virtual Apps and Desktops version 7.7 we can now span a single Citrix Virtual Apps and Desktops site across multiple
datacenters and geographical locations.
• The site database should always be in the primary zone and for optimal performance, install Studio and Director only in the primary
zone.
• While it is possible to have satellite zones without any controllers, it is recommended to configure at least one controller for each
satellite zone to ensure faster and more reliable VDA registration, and to ensure registration during WAN outages.

Additional Resources:
• Citrix Virtual Apps and Desktops Zones
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html



Primary Zone

• Every site has one primary zone.
• Required Components:
• SQL Server site DB
• Delivery Controller
• License server
• Studio and Director
• Optional Components:
• Citrix Gateway
• StoreFront
• One or more VDAs *
• Machine catalogs
• Host connections

* Desktop OS and/or Server OS machines running the VDA.

[Diagram: site 1. Zone 1 Primary, New York (NYC): StoreFront, License, Citrix Gateway, SQL, Delivery Controller, Studio,
Director, Resources (Desktops, Apps). Zone 2 Satellite, San Francisco (SFO): Delivery Controller, Resources (Desktops,
Apps). Zone 2 Satellite, Miami (MIA): Resources (Desktops, Apps).]

n
Key Notes:
• Each Citrix Virtual Apps and Desktops site will start off with a single zone, created by default, called the primary zone.
• The primary zone will contain all the key components for operation of the site.
• In addition, secondary sites can be added to support a distributed infrastructure. These sites should, but do not have to, contain
Delivery Controllers, allowing for local VDA registration with failover to a Delivery Controller in the primary zone.

Additional Resources:
• Zones in Citrix Cloud
https://docs.citrix.com/en‐us/xenapp‐and‐xendesktop/service/manage‐deployment/zones.html
• Zones
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html



Satellite Zone

• Every site may have one or more satellite zones.
• Required Components:
• One or more VDAs *
• One or more Machine catalogs
• One or more Cloud Connectors, if using Citrix Cloud
• Optional Components:
• Delivery Controller
• Citrix Gateway
• StoreFront
• Host connections

* Desktop OS and/or Server OS machines running the VDA.

[Diagram: site 1. Zone 1 Primary, New York (NYC): StoreFront, License, Citrix Gateway, SQL, Delivery Controller, Studio,
Director, Resources (Desktops, Apps). Zone 3 Satellite, San Francisco (SFO): Machine Catalog, Delivery Controller,
Resources (Desktops, Apps). Zone 3 Satellite, Miami (MIA): Machine Catalog, Resources (Desktops, Apps).]

n
Key Notes:
• A satellite zone is designed to contain resources needed to host Citrix Virtual Apps and Desktops in locations remote to the primary
zone and/or datacenter. A zone needs to contain at least VDAs and machine catalogs.
• To avoid overloading during high‐load session launches, a registry setting on the Controller can be used to throttle concurrent end‐
user launches. This is located at HKLM\Software\Citrix\DesktopServer\ThrottledRequestAddressMaxConcurrentTransactions.
• In some test situations, high latencies between satellite zones and the database in the primary zone, coupled with a relatively high
rate of application and desktop connection launches by end users using a Controller in the satellite zone, could cause new launches
to experience long delays.



Options

Primary Reason:
• Manage multiple locations without multiple SQL databases.

Secondary Reasons:
• Control VDA registration during normal circumstances and during Delivery Controller failure.
• Control app launch locations via Zone Preference.
• Reduce long distance WAN traffic.

Key Notes:
• There is no real limitation on how many VDAs you can run per zone. It would only be limited based on the resource constraints of the
host hypervisor platform.
• With a small secondary site, there may be no need for Delivery Controllers if you have a stable, low latency connection to the primary
zone; however, as load increases in a Secondary Zone, performance may degrade when connecting to resources.



Zones with Citrix Cloud

• Zones in Citrix DaaS are similar to on-premises zones.
• Use zones in the Manage console to map items to Resource Locations:
• Cloud Connectors
• Machine catalogs
• Host Connections
• Users
• Application Groups
• Citrix DaaS zones do not use a Primary and/or Secondary setup like an on-premises site, and have in-built fault
tolerance.

Key Notes:
• Zones in Citrix Cloud, as displayed in Cloud Studio, reference resource locations. Using Cloud Zones, you can map Cloud Connectors,
machine catalogs, Host Connections, Users, and Application groups to a particular Resource Location.
• In a Citrix DaaS site, there is no primary zone because the Database and Delivery Controllers reside in Citrix Cloud and not inside the
resource location. This means that for each resource location created in the Cloud Control Plane, a corresponding Zone is created
inside Cloud Studio.
• When a hypervisor connection is placed in a zone, it is assumed that all the hypervisors managed through that connection also reside
in that zone. This is also true when a machine catalog is placed in a zone, and it is assumed that all VDAs in the catalog
are in the zone.
• In addition, Citrix Gateway instances can be added to zones. When you create a resource location, you are offered the
option to add a Citrix Gateway. When a Citrix Gateway is associated with a zone, it is preferred for use when
connections to VDAs in that zone are used.
• After you create more resource locations and install Cloud Connectors in them (which automatically creates more
zones), you can move resources between zones; however, you need to be careful in relation to putting large distances
between components that are impacted by latency. For example, moving a catalog to a different zone than the
connection (host) that creates the machines in the catalog can affect performance.

Additional Resources:
• Zones in Citrix Cloud
https://docs.citrix.com/en‐us/xenapp‐and‐xendesktop/service/manage‐deployment/zones.html
• Citrix Virtual Apps and Desktops Zones
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html



Lesson Review

What is a benefit when using zones in a Citrix Virtual Apps and Desktops site?

Reduces the network traffic between geographically separated datacenters.



VDA Registration in a Multi-Zone Environment

Key Notes:
• Describe the VDA registration process for VDAs in single Zone and multi‐Zone environments.
• Identify the requirements of moving Machine Catalogs between Zones.



VDA Registration Process and Methods

VDA Registration Process:
• Install VDA software on the VM.
• Specify Delivery Controller address.
• Citrix Desktop Service (BrokerAgent.exe) contacts controller to register as available.

VDA Registration Configuration Options:
• Auto-update
• Group Policy
• Manually
• Machine Creation Services

Key Notes:
• It is critical that the VDA registers with a Delivery Controller for management, enumeration, and session operation. The registration
process can be completed using a number of methods.
• The auto update method allows VDAs to receive an updated list of available Delivery Controllers every 90 minutes. This allows
Delivery Controllers to be added or removed from the site without any additional configuration on the VDAs. It is controlled by a
Citrix Policy and is enabled by default.
• Some deployments cannot use auto‐update and they must self‐manage. These are:

• Deployments that use Controller groups.
• Deployments that use ListOfSIDs for security reasons. (Deployments that use ListOfSIDs to decrease the Active
Directory load can use auto‐update.)
• Deployments that use Citrix Provisioning without a write cache drive.
• Deployments that use the Controllers or Controller SIDs policy setting.
• After the VDA completes initial registration, the Controller with which it registered sends a list of the current Controllers'
Fully Qualified Domain Names (FQDNs) and Security IDs (SIDs) to the VDA. The VDA then writes this list to the auto‐
update persistent storage. Each Controller also checks the site Configuration Database every 90 minutes for Controller
information. This means if a Controller has been added or removed since the last check, or if a policy change has
occurred, the Controller sends updated lists to its registered VDAs.
• A VDA will accept connections from all the Controllers in the most recent list it received. If that list does not include the
Controller it is registered with (in other words, that Controller was removed from the site), the VDA re‐registers,
choosing among the Controllers in the list. After a VDA registers or re‐registers, it receives an updated list, and the
process starts again.

Additional Resources:
• Citrix Virtual Apps and Desktops Current Release: Delivery Controllers
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/manage‐deployment/delivery‐controllers.html



Single Zone VDA Registration Process (1 of 2)

1. Desktop Service on the VDA checks if auto-update of Delivery Controllers is enabled.
OR
2. Desktop Service checks the registry for ListOfDDCs.
3. Validates each Delivery Controller listed in AD by DNS entry.
4. Obtains a Kerberos ticket from AD for each Delivery Controller found to allow communication.
5. Makes a call for “Registration”.

[Diagram: the VDA uses the Desktop Service (BrokerAgent.exe) to initiate the registration process over TCP Port 80 with
the Delivery Controller (BrokerService.exe). Steps 1 and 2 happen on the VDA, steps 3 and 4 involve Active Directory,
and step 5 is the registration call to the Controller, which is backed by the Site Database.]

Key Notes:
• The VDA Registration Process starts with:
1. A check to see if Auto‐update of DDCs is enabled. If so, the VDA gathers the list of all available controllers, OR
2. The VDA checks its registry entry for ListOfDDCs (manually or GPO populated).
3. Once a list of DDCs is obtained it is validated by DNS entry.
4. The next stage is to obtain a Kerberos ticket from AD for each controller found to allow for communication.
5. The VDA can then make a call for “Registration”.



Single Zone VDA Registration Process (2 of 2)

6. Validates VDA identity and functional level.
7. BrokerService.exe attempts to validate the Kerberos ticket and VDA details from AD.
8. Obtains Kerberos ticket for communication with VDA.
9. Two-way test for Callback is made to complete registration.

[Diagram: the Delivery Controller (BrokerService.exe) checks the Site Database (step 6) and Active Directory (steps 7
and 8), then performs the two-way callback test with the VDA (BrokerAgent.exe) over TCP Port 80 (step 9).]

Key Notes:
• The VDA Registration Process continued:
6. Before confirming registration, the VDA identity and functional level are validated.
7. Next, BrokerService.exe attempts to validate the Kerberos ticket and VDA details from AD.
8. A Kerberos ticket is then obtained for communication with the VDA.
9. Finally, a two‐way test of Callback is made. This two‐way test needs to be confirmed by both VDA and controller for hard
registration to be successful.
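The VDA-side prerequisites of the registration steps above (the ListOfDDCs list, DNS resolution of each Controller, TCP port 80 reachability and the Citrix Desktop Service state) can be checked with the following PowerShell. It is added here as an example and is not taken from the course or from Citrix's own tooling; it assumes the VDA keeps its Controller list in the ListOfDDCs value under HKLM\SOFTWARE\Citrix\VirtualDesktopAgent (the documented VDA location) and that the Citrix Desktop Service runs under the Windows service name BrokerAgent. It makes no changes to the machine.

```powershell
# Added example, not part of the Citrix course material: run on a machine with the
# VDA installed to check the prerequisites of the registration process above.
# Reads the ListOfDDCs value the Desktop Service consults (step 2), checks each
# Controller's DNS entry (step 3) and TCP port 80 reachability, and reports the
# state of the Citrix Desktop Service (BrokerAgent.exe, service name 'BrokerAgent').
# The registry path is the documented VDA location; Controller names come from the
# machine itself, nothing is hard-coded. Read-only: nothing is modified.
$vdaKey = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
$props  = Get-ItemProperty -Path $vdaKey -ErrorAction SilentlyContinue

# ListOfDDCs holds space-separated Controller FQDNs. If it is missing, the VDA may
# still be using the auto-update list, so this is a warning rather than an error.
$ddcs = @()
if ($props -and $props.ListOfDDCs) {
    $ddcs = @($props.ListOfDDCs -split '\s+' | Where-Object { $_ })
} else {
    Write-Warning "ListOfDDCs is not set under $vdaKey (auto-update or policy may supply the list)."
}

$report = foreach ($ddc in $ddcs) {
    # Step 3: the Controller must resolve in DNS before the VDA can contact it.
    $dns = Resolve-DnsName -Name $ddc -Type A -ErrorAction SilentlyContinue
    $ip  = $null
    if ($dns) {
        $ip = ($dns | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    }

    # Registration traffic goes to BrokerService.exe on the Controller over TCP port 80.
    $portOpen = $false
    if ($ip) {
        $tcp = Test-NetConnection -ComputerName $ddc -Port 80 -WarningAction SilentlyContinue
        $portOpen = [bool]$tcp.TcpTestSucceeded
    }

    [pscustomobject]@{
        Controller  = $ddc
        DnsResolves = [bool]$ip
        IPAddress   = $ip
        Port80Open  = $portOpen
    }
}

# The service that initiates registration must be running for steps 1 to 5 to happen.
$svc = Get-Service -Name BrokerAgent -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'Not installed' }

$report | Format-Table -AutoSize
Write-Output "Citrix Desktop Service (BrokerAgent): $svcState"
if ($report | Where-Object { -not $_.DnsResolves -or -not $_.Port80Open }) {
    Write-Warning 'At least one listed Controller failed the DNS or port 80 check; the VDA will only be able to register with the remaining Controllers.'
}
```

A Controller that fails the DNS check here will also fail step 3 of the registration process, and one that resolves but does not answer on port 80 will be skipped at step 5; both show up as an unregistered or partially available VDA in Director, so this check is a quick first triage step before looking at Kerberos or the Site Database.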



Multi Zone: Registration Process

VDA Location (primary zone):
VDAs in the primary zone will always attempt to register with a Delivery Controller, which is also in the primary zone,
and will never attempt to register with Delivery Controllers in satellite zones.

VDA Location (satellite zone):
VDAs in the satellite zone will always attempt to register with a local Delivery Controller in the same zone. If that fails,
they will attempt to register with a Delivery Controller in the primary zone.

[Diagram: Zone 1 (Primary) New York (NYC) with SQL, Delivery Controller and Resources (Desktops, Apps); Zone 2
(Satellite) San Francisco (SFO) with Delivery Controller and Resources (Desktops, Apps). For the satellite VDA, attempt 1
goes to the local Controller and attempt 2 to the primary zone Controller.]

Key Notes:
• For on‐premises deployments, the VDA Registration process will always try to use a Delivery Controller within the zone that the VDA
is located.
• When no Delivery Controllers in the same zone respond, the VDA will then seek to register with a delivery controller in the primary
zone.

Additional Resources:
• Zones ‐ Where VDAs register
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops‐service/manage‐deployment/zones.html
• VDA registration
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/manage‐deployment/vda‐registration.html



Failover Registration

When the first attempt to register fails, the VDA follows this pattern:

1. A VDA in a satellite site unsuccessfully attempts to contact a Delivery Controller.
2. The VDA will next attempt to register with another Delivery Controller in its local zone.
3. If that is unsuccessful, or no other Delivery Controllers exist in its local zone, the VDA will contact a random Delivery
Controller in the primary zone.
4. The VDA proceeds to attempt registration with other Delivery Controllers in the primary zone until none are left to try.

[Diagram: site 1. Zone 1 (Primary) New York (NYC) with two Delivery Controllers (attempts 4 and 3); Zone 2 (Satellite)
San Francisco (SFO) with two Delivery Controllers (attempts 2 and 1).]

Key Notes:
• In this example, the VDA is able to register with the final Delivery Controller in the primary zone after attempts to register with Delivery Controllers in its own zone and one in the primary zone failed. This means the VDA stays registered in the primary zone, even if a Controller in the satellite zone becomes available again. If an administrator wants to later return the VDA to its original satellite zone, it will require a manual restart of the VDA, or of its Citrix Desktop Service (BrokerAgent.exe), which will force a new registration. Essentially, any action that triggers the agent to attempt re‐registration will move it back to one of its local satellite zone controllers.

• A VDA in a satellite zone will never attempt to register with a Controller in another satellite zone.

Additional Resources:
• Zones ‐ Where VDAs register and where Controllers fail over
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html
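The failover order above, as an added example that is not part of the course material or Citrix's own code: a local model of the candidate list a satellite-zone VDA works through, with constructed Controller and zone names (the real decision is made by the Broker Agent, not by this script).

```powershell
function Get-RegistrationOrder {
    param(
        [Parameter(Mandatory)][string]$VdaZone,
        [Parameter(Mandatory)][object[]]$Controllers,   # objects with Name, Zone, Primary
        [string]$LastRegistered                           # Controller the VDA tries first, if known
    )
    $primaryZone = ($Controllers | Where-Object { $_.Primary } | Select-Object -First 1).Zone
    if (-not $primaryZone) { throw 'Controller list has no primary-zone Controller.' }

    # Steps 1-2: every Controller in the VDA's own zone; the one it registered
    # with before (if any) is tried first, then the rest of the local zone.
    $local = @($Controllers | Where-Object { $_.Zone -eq $VdaZone })
    if ($LastRegistered) {
        $local = @($local | Where-Object { $_.Name -eq $LastRegistered }) +
                 @($local | Where-Object { $_.Name -ne $LastRegistered })
    }

    # Steps 3-4: a random Controller in the primary zone, then the remaining
    # primary-zone Controllers. A VDA already in the primary zone has no fallback.
    $primary = @()
    if ($VdaZone -ne $primaryZone) {
        $primary = @($Controllers | Where-Object { $_.Zone -eq $primaryZone } | Sort-Object { Get-Random })
    }

    # Controllers in other satellite zones never appear in the list.
    @($local + $primary) | ForEach-Object { $_.Name }
}

function Invoke-RegistrationAttempts {
    param([string[]]$Order, [string[]]$Reachable)
    $tried = @()
    foreach ($name in $Order) {
        $tried += $name
        if ($Reachable -contains $name) {
            return [pscustomobject]@{ RegisteredWith = $name; Attempts = $tried }
        }
    }
    [pscustomobject]@{ RegisteredWith = $null; Attempts = $tried }   # nothing left to try
}

# Constructed sample site: NYC is the primary zone, SFO and MIA are satellites.
$controllers = @(
    [pscustomobject]@{ Name = 'NYC-DDC-01'; Zone = 'NYC'; Primary = $true  }
    [pscustomobject]@{ Name = 'NYC-DDC-02'; Zone = 'NYC'; Primary = $true  }
    [pscustomobject]@{ Name = 'SFO-DDC-01'; Zone = 'SFO'; Primary = $false }
    [pscustomobject]@{ Name = 'SFO-DDC-02'; Zone = 'SFO'; Primary = $false }
    [pscustomobject]@{ Name = 'MIA-DDC-01'; Zone = 'MIA'; Primary = $false }
)

$order = @(Get-RegistrationOrder -VdaZone 'SFO' -Controllers $controllers -LastRegistered 'SFO-DDC-01')
if ($order -contains 'MIA-DDC-01') { throw 'A satellite VDA must never try another satellite zone.' }

# Both SFO Controllers are down: the VDA walks the list and ends up registered in NYC.
$result = Invoke-RegistrationAttempts -Order $order -Reachable @('NYC-DDC-01', 'NYC-DDC-02')
"Tried: $($result.Attempts -join ' -> '); registered with $($result.RegisteredWith)"
# As the notes say, the VDA now stays in the primary zone even after SFO recovers,
# until BrokerAgent.exe re-registers (for example after a service restart).
```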



Moving a Machine Catalog From One Zone to Another Zone

• If you move a machine catalog to another zone, the VDAs in that catalog will re-register with Controllers in the zone you move the catalog to.
• When you move a catalog, make sure you also move any associated host connection to the same zone.

[Diagram: Site 1 with Zone 1 (Primary) New York (NYC) and Zone 2 (Satellite) San Francisco (SFO), two Delivery Controllers in each zone, and a Machine Catalog being moved from one zone to the other.]
Key Notes:
• An Administrator may want to move specific machine catalogs to a different zone for a number of reasons. These include:
• Changing the host infrastructure.
• Following user and user VDA relocation.
• To meet disaster recovery standards.
• To ease overall site resource organization and administration.
• Catalogs can be moved from one zone to another using Citrix Studio by:

   1. Selecting the Machine Catalogs node in the Studio navigation pane.
   2. Selecting the catalog you want to move, and then selecting Move in the Actions pane.
   3. Selecting the zone to which you want to move the catalog.

Additional Resources:
• Move items from one zone to another zone
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/zones.html



Lesson Review

Scenario: A deployment has three Controllers: A, B, and C. A VDA is installed and registers with Controller B (which was specified during VDA installation). Controller B is removed from the site.

If Auto-Update is enabled, what happens next?

1. The VDA receives an updated list of Delivery Controllers 90 minutes later; the list does not include Controller B.
2. Then, the VDA will proceed to attempt registration with Controller A or C.
3. Once it successfully registers with one of these Controllers, it receives another updated list.



Zone Preference

Key Notes:
• Describe the purpose of each of the Zone Preference options.
• Describe how Zone Preference is used to control app and desktop launches for new sessions and when reconnecting to disconnected
sessions.



Zone Preference Overview

• Zone Preference provides more flexibility in controlling which VDA is to be used when launching an application or desktop in a multi-zone site.
• An Administrator can manage how a broker selects a preferred launch zone when a user session is initialized.
Key Notes:
• Setting a preferred zone allows you to control which VDA, in terms of the zone it is in, that should be used as the preferred VDA from
which to launch an app or desktop when you have a multi‐Zone environment.
• This can be useful in launching specific resources depending on the user’s requirements.
• This process can be controlled by configuring preferred launch zones.



Zone Preference
The default Zone Preference priority order is Application Home, then User Home, then User Location.

• Application Home: the Application Home option of zone preference will result in the broker selecting the launch zone where the application is configured and its data stored.
• User Home: the User Home option of zone preference will result in the broker selecting the launch zone where the user’s home data is located (such as a profile share).
• User Location: the User Location option of zone preference will result in the broker selecting the launch zone where the user is currently located. Wherever the user's Citrix Workspace app is running will be identified and chosen as the launch zone for that session.
Key Notes:
• Zone Preference can be configured in one of three ways with only one being selected for launching resources. By default, if more
than one way is configured, the priority for selecting the preferred zone is:
• Application Home
• User Home
• User Location
• Some examples of how Zone Preference priority works are:

• Where an application has a configured zone association (an application home), then the preferred zone is always the
home zone for that application.
• Where an application does not have a configured zone association, but the user has a configured zone association,
then the preferred zone is always the home zone for that user.
• When neither the application nor the user has a configured zone association, then the preferred zone is the zone
where the user is running a Citrix Receiver instance.
   • It is worth noting that the Zone Preference feature only applies to shared desktops or applications, not to private or assigned ones. In addition, application home supports applications only. There is no support specific to Published Desktops (VDI) or Server Desktops.


Customize Zone Preference
There are three options to customize Zone Preference:

• Mandatory User Home Zone: this option will prevent a session from being launched in an alternate zone if the user's session cannot be launched in their Home zone.
• Mandatory Application Home: this option will prevent a session from being launched in an alternate zone if an application's home zone is not available.
• No Application Home (ignore configured user home zone): if you do not specify a home zone for an application, you can also indicate that any configured user zones should not be considered when launching that application.
Key Notes:
• Zone Preference provides three options with the ability to further restrict how user and application Home zones are handled for
launch requests. These three options are:
• Mandatory User Home zone.
• Mandatory application home zone.

• No application home zone and ignore configured user home zone.



Zone Preference: Session Launch and Order of Preference

• Zone Preference is designed so the Delivery Controller running the Broker Service will always attempt to launch an application or desktop in the preferred zone.
• Zone Preference occurs even if there is an existing session for a user who launches a new application that could share (Session Sharing) the already existing session.

Order of preference:
1. Connect to an existing session in the preferred zone.
2. Reconnect to an existing disconnected session in a non-preferred zone.
3. Start a new session in the preferred zone.
4. Connect to an existing session in a non-preferred zone.
5. Start a new session in a non-preferred zone.
© 2022 Citrix Authorized Content

io
n
Key Notes:
• It should be noted that Zone Preference usually takes precedence over Session Sharing.
• Default behavior would normally mean that a user would connect to any existing session in the preferred zone. If no existing session
is available, then the user would connect to a disconnected session in a non‐preferred zone.
• Where no existing or disconnected sessions exist, the user would start a new session in the preferred zone before connecting to an existing session in a non-preferred zone.
• Finally, a user would start a new session in a non-preferred zone.

Additional Resources:
• Zone Preference (Order of Preference)
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops‐service/manage‐deployment/zones.html
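The zone selection priority, the mandatory/ignore options and the five-step launch order from the preceding slides, as one added example that is not part of the course material or Citrix's own code. Zone, session and user values are constructed; how a mandatory home zone interacts with reconnecting to existing sessions is not stated on the page, so this model only blocks starting a new session in an alternate zone.

```powershell
function Resolve-PreferredZone {
    param(
        [string]$AppHomeZone,
        [string]$UserHomeZone,
        [Parameter(Mandatory)][string]$UserLocationZone,
        [switch]$AppHomeMandatory,
        [switch]$UserHomeMandatory,
        [switch]$IgnoreUserHome        # "No application home zone and ignore configured user home zone"
    )
    # Priority: Application Home, then User Home, then User Location.
    if ($AppHomeZone) {
        return [pscustomobject]@{ Zone = $AppHomeZone;      Source = 'ApplicationHome'; Mandatory = [bool]$AppHomeMandatory }
    }
    if ($UserHomeZone -and -not $IgnoreUserHome) {
        return [pscustomobject]@{ Zone = $UserHomeZone;     Source = 'UserHome';        Mandatory = [bool]$UserHomeMandatory }
    }
    [pscustomobject]@{ Zone = $UserLocationZone; Source = 'UserLocation'; Mandatory = $false }
}

function Select-LaunchAction {
    param(
        [Parameter(Mandatory)][pscustomobject]$Preference,   # output of Resolve-PreferredZone
        [object[]]$ExistingSessions = @(),                   # objects with Zone and State ('Active'|'Disconnected')
        [string[]]$ZonesWithCapacity = @()                    # zones where a new session could be brokered
    )
    $z         = $Preference.Zone
    $inPref    = @($ExistingSessions | Where-Object { $_.Zone -eq $z })
    $notInPref = @($ExistingSessions | Where-Object { $_.Zone -ne $z })

    # 1. Existing session in the preferred zone.
    if ($inPref.Count -gt 0) { return "Connect to existing session in $z" }
    # 2. Disconnected session in a non-preferred zone.
    $disc = $notInPref | Where-Object { $_.State -eq 'Disconnected' } | Select-Object -First 1
    if ($disc) { return "Reconnect to disconnected session in $($disc.Zone)" }
    # 3. New session in the preferred zone.
    if ($ZonesWithCapacity -contains $z) { return "Start new session in $z" }
    # 4. Existing (active) session in a non-preferred zone.
    $act = $notInPref | Select-Object -First 1
    if ($act) { return "Connect to existing session in $($act.Zone)" }
    # 5. New session in a non-preferred zone, unless the home zone is mandatory.
    if ($Preference.Mandatory) { return "Launch fails: mandatory $($Preference.Source) zone $z unavailable" }
    $alt = $ZonesWithCapacity | Where-Object { $_ -ne $z } | Select-Object -First 1
    if ($alt) { return "Start new session in $alt" }
    'Launch fails: no zone available'
}

# Constructed sample 1: the app is homed in NYC (mandatory), the user is homed in SFO
# and is working from MIA. A disconnected SFO session wins over starting new in NYC.
$pref = Resolve-PreferredZone -AppHomeZone 'NYC' -UserHomeZone 'SFO' -UserLocationZone 'MIA' -AppHomeMandatory
$pref.Zone                                                   # NYC (Application Home beats User Home)
Select-LaunchAction -Preference $pref -ExistingSessions @([pscustomobject]@{ Zone = 'SFO'; State = 'Disconnected' }) `
                    -ZonesWithCapacity @('NYC', 'SFO')      # Reconnect to disconnected session in SFO

# Sample 2: no app home and the user home is ignored, so the user's location (MIA) is
# preferred; with no MIA capacity and nothing mandatory, a new session starts elsewhere.
$pref2 = Resolve-PreferredZone -UserHomeZone 'SFO' -UserLocationZone 'MIA' -IgnoreUserHome
$pref2.Zone                                                  # MIA
Select-LaunchAction -Preference $pref2 -ZonesWithCapacity @('NYC')   # Start new session in NYC

# Sample 3: mandatory user home zone with no SFO capacity and no sessions: the launch fails.
$pref3 = Resolve-PreferredZone -UserHomeZone 'SFO' -UserLocationZone 'MIA' -UserHomeMandatory
Select-LaunchAction -Preference $pref3 -ZonesWithCapacity @('NYC')   # Launch fails: mandatory UserHome zone SFO unavailable
```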



Lesson Objective Review

What is the default priority order for selecting the preferred zone to process the session launch?

1. Application Home
2. User Home
3. User Location


Optimal Gateway Routing and Zones
Key Notes:
• Compare the differences between StoreFront standard routing and StoreFront optimal gateway routing (OGR).



Standard Routing

• StoreFront identifies the Citrix Gateway used to make a launch request.
• By default, HDX connections pass through the Citrix Gateway that made the launch request regardless of where the resources are geographically located.

[Diagram: New York (SITE) and San Francisco (SITE), each with a Citrix Gateway and a StoreFront server. The HTTP(S) launch request enters through the San Francisco Citrix Gateway, and the HDX traffic to the Word 2019 resource in New York passes over the inter‐datacenter link.]
Key Notes:
• A user may connect or be redirected to a Citrix Gateway near to their physical location, such as San Francisco, in this example. The
StoreFront server in San Francisco will enumerate the launch request, setting up the routing via the San Francisco gateway, despite
the user’s resource being in New York.
• The key is that with standard routing, the HTTPS and HDX traffic will all go through the same Citrix Gateway, the one that was used
for the initial connection, even when the user desktop and apps are in a different datacenter.



Optimal Gateway Routing

• Optimal HDX Routing forces the HDX connection to use the gateway closest to the resource.
• Enumeration and HDX traffic may use different gateways.
• HDX traffic is prevented from traversing the network between datacenters.

[Diagram: New York (SITE) and San Francisco (SITE), each with a Citrix Gateway and a StoreFront server. HTTP(S) enumeration goes through the San Francisco Citrix Gateway while the HDX session to the Word 2019 resource goes through the New York Citrix Gateway.]
Key Notes:
• From StoreFront 3.5, you have been able to configure routing to allow enumeration to occur at the point of nearest StoreFront server
while HDX traffic takes the most direct route to the user resources from their location.

Additional Resources:
• StoreFront
https://docs.citrix.com/en‐us/StoreFront/current‐release.html

• StoreFront high availability and multi‐site configuration
https://docs.citrix.com/en‐us/StoreFront/current‐release/plan/high‐availability‐and‐multi‐site‐configuration.html



Optimal Gateway Routing Configuration

• Older versions of StoreFront:
   • Optimal HDX Routing was configured using PowerShell.
• StoreFront 3.12+:
   • Optimal HDX Routing is configured using the StoreFront management console.
   • Optimal HDX Routing can be mapped using zones and Delivery Controllers.
Key Notes:
• The Optimal Gateway Routing feature lets you override the Citrix Gateway used for ICA connections. To achieve this, you must
configure StoreFront to associate Citrix Gateway instances with zones (HDX Optimal Routing). Citrix Workspace app will then attempt
to use the preferred Citrix Gateway for the zone hosting the resource.

Additional Resources:
• StoreFront high availability and multi‐site configuration
https://docs.citrix.com/en‐us/StoreFront/current‐release/plan/high‐availability‐and‐multi‐site‐configuration.html



Lesson Objective Review

Instead of using PowerShell, what is an alternative method of configuring Optimal Gateway Routing?

Using the StoreFront Management Console, within the "Configure the Store" settings. Under "Optimal HDX Routing", Delivery Controllers or Zones may be specified to configure Optimal Gateway Routing.
Key Notes:
• If you enable Optimal Gateway Routing using PowerShell, the changes will automatically appear in the StoreFront Console.
• If you have a Server Group set with multiple StoreFront servers, enabling Optimal Gateway Routing must be propagated manually
across the Server Group.
• Optimal Gateway Routing can only be enabled via the StoreFront console, or PowerShell.



StoreFront Resource Aggregation
Key Notes:
• Describe how StoreFront resource aggregation is used for application grouping and load balancing across multiple sites.
• Identify methods used to configure StoreFront resource aggregation features.



StoreFront Resource Aggregation

• Identical desktop or application resources from different site deployments are grouped, and then aggregated as a single icon to users.
• Resources are then load balanced across Controllers.

[Diagram: an endpoint using Receiver for Web sees a single Outlook icon from StoreFront; the Aggregation Group maps it to Outlook published in the NYC site (NYC‐DDC), the SFO site (SFO DDC) and the MIA site (MIA DDC).]
Key Notes:
• Where you have the same resource available over multiple different Citrix Virtual Apps and Desktops sites, it is possible to use StoreFront to present just one icon to the user. This is known as an aggregated resource. When a user starts an aggregated resource, StoreFront determines the most appropriate instance of that resource for the user based on resource availability.
• As part of this resource aggregation process, StoreFront dynamically monitors the hosting servers, and if they fail to respond to requests, perhaps due to being overloaded or temporarily unavailable, users are directed to resource instances on other servers until communications are re‐established.

• When deciding which resource to use and after checking for availability and existing user sessions, StoreFront uses the
ordering specified in your configuration to determine the site to which the user is connected.
• Aggregated resources do not need to be identical, but they must have the same name and path on each server to be
aggregated.

Additional Resources:
• StoreFront high availability and multi‐site configuration
• StoreFront Multi‐Site Settings Part 2
https://www.citrix.com/blogs/2016/09/07/StoreFront‐multi‐site‐settings‐part‐2/


Configure StoreFront Resource Aggregation

• Achieve highly available, multi-site configurations.
• Configurable from within the StoreFront console GUI.
Key Notes:
• Configuring StoreFront aggregation settings can be completed from both the console through the Manage Delivery Controllers
option and directly in the web.config file.
• To configure aggregation, you will map user groups to delivery controllers and set the sites to be included in aggregation.
• There are two options available when publishing resources. The Identical Resources option provides no load balancing, and the Load Balance option enables full load balancing for multi-site resources.
• If you want to define multiple, distinct aggregation groups, it still has to be done by editing the web.config file. With highly available, multi‐site configurations, you can provide access to particular deployments on the basis of users’ membership of Microsoft Active Directory groups, allowing for the configuration of different experiences for different user groups, through a single store.
• To provide a seamless experience for users moving between separate StoreFront deployments, you can configure periodic synchronization of users’ application subscriptions between stores in different server groups. Choose between regular synchronization at a specific interval or schedule synchronization to occur at particular times throughout the day.

Additional Resources:
• StoreFront high availability and multi‐site configuration
https://docs.citrix.com/en‐us/StoreFront/current‐release/plan/high‐availability‐and‐multi‐site‐configuration.html
• StoreFront Multi‐site Settings Part 2
https://www.citrix.com/blogs/2016/09/07/StoreFront‐multi‐site‐settings‐part‐2/


Lesson Objective Review

A Citrix Virtual Apps and Desktops deployment has two Sites aggregated for load balancing purposes. A user launches an app and StoreFront determines that the published app is available in both Sites. What determines which Site will be used to host the user’s session?

StoreFront uses the ordering specified in your aggregation configuration to determine the site to which the user is connected.



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 3.


Managing StoreFront Store Subscriptions in a Multi-Location Environment
Key Notes:
• Identify the role of the StoreFront Subscription Store.
• Describe how Subscription Stores are replicated and synchronized.



Subscription Store

• Users log on to StoreFront and are presented with the option to add items to their favorites (The Store).
• Mapping between users and their subscribed items is stored in a local database on each StoreFront server.
• Needs to be enabled by an Administrator.

[Diagram: Server Group 1 serving a single shared store from StoreFront‐A, StoreFront‐B and StoreFront‐C; each server holds its own file‐based database, and replication runs between every pair of servers.]
Key Notes:
• Where you have multiple StoreFront servers in a group, a user can have their favorites saved on one StoreFront server replicated to
the others in the same group. The Subscription Store on each StoreFront Server is stored in the
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\<Store Name>\PersistentDictionary.edb
location. This database contains user Favorites and the site name in the metadata. It consists of a string that includes:
• User SID
• site/Farm name (as defined in the StoreFront store)

• Application/Desktop name
• Unique, per subscription GUID
• “subscribeddazzle:position#” with the number related to the application/desktop icon position on the screen so
that the icons maintain their order.
• Each StoreFront server replicates the database information across all servers in the group.
• To address some of the most common subscription‐related issues, start by restarting the Citrix Subscriptions Store
service.

Additional Resources:
• What Subscriptions and Server Groups Mean for StoreFront Designs
https://www.citrix.com/blogs/2014/10/10/what‐subscriptions‐and‐server‐groups‐mean‐for‐StoreFront‐designs/


Subscription Store

• Within a StoreFront deployment, Subscriptions can be configured to be shared between Stores within the same server group.
• The web.config file on one Store needs to be adjusted to point to the subscriptions file on the other Store.

[Diagram: Server Group 1 with StoreFront‐A and StoreFront‐B, each hosting an Internal Store (Subscription‐A) and an External Store (Subscription‐B). The administrator edits the web.config of the StoreFront‐A store to point it at the subscription service end point on StoreFront‐B; afterwards both stores point to the same subscription data (Subscription‐A).]
Key Notes:
• In addition to synchronizing subscriptions within a store, we can also synchronize subscriptions between Stores. Where you have an internal and an external store, for example, this provides a smoother user experience by configuring the two stores to share a common subscription database.
• To enable this, you need to change the store web.config file located in C:\inetpub\wwwroot\citrix\<storename> so that the web.config file on one Store points to the subscriptions file on the other Store.
• Each store web.config contains a client endpoint for the Subscription Store Service. For two stores to share a subscription datastore, you need only point one store to the subscription service end point of the other store.

Additional Resources:
• Configure two StoreFront stores to share a common subscription datastore
https://docs.citrix.com/en‐us/StoreFront/current‐release/configure‐manage‐stores/configure‐two‐stores‐share‐
datastore.html
• How to Export and Import StoreFront Subscription Database
https://support.citrix.com/article/CTX139343


Replicating Subscriptions between StoreFront Server Groups

[Diagram: Server Group 1 Boston, Server Group 2 New York and Server Group 3 Miami, each with StoreFront‐A, StoreFront‐B and a Store. The subscription schedule is initialized at a different time in each group (9 PM, 12 AM and 3 AM, all shown in EST).]
Key Notes:
• When using subscription replication, it is important to recognize that the process is time triggered; and therefore, it will occur at
different times over multiple time zone deployments.
• This means that users may not see changes to their subscription information, or favorites, immediately if they connect to StoreFront
servers in a different time zone soon after making changes.



Configuring Subscription Synchronization

• PowerShell is used to execute periodic pull synchronization of subscriptions from stores in different StoreFront deployments.
• A specific sequence of tasks needs to be completed to configure and execute this periodic pull synchronization. This involves:
   • Loading the relevant PowerShell modules.
   • Enabling synchronization.
   • Configuring the remote StoreFront to synchronize with.
   • Adding the Microsoft Active Directory domain machine accounts for each StoreFront server in the remote deployment to the local Windows user group CitrixSubscriptionSyncUsers on the current server.
   • Propagating changes to all other servers in the Server Group.
• To configure a PowerShell periodic pull synchronization, you will need to use an account with local administrator permissions to start Windows PowerShell and to import the StoreFront modules that will be required. The commands for this are:
   • Import-Module "installationlocation\Management\Cmdlets\UtilsModule.psm1"
   • Import-Module "installationlocation\Management\Cmdlets\SubscriptionSyncModule.psm1"
Key Notes:
• It is worth noting that the synchronization duration may vary depending on the size of the database.
• When configuring a periodic pull synchronization, you must always ensure the StoreFront admin console is closed to avoid errors and
that the configured Delivery Controllers are named identically, including capitalization between the synchronized Stores.
• For example: if you had three different GEO locations, as in the previous slide's diagram, you may have three different AD infrastructures and unique Virtual Apps and Desktops sites in each location. So, you would need to name the Delivery Controllers the same for each of the three sites. Otherwise, without the same Delivery Controller names, users may end up with different subscriptions across the synchronized Stores.
• To complete the periodic synchronization, you need to use PowerShell. To configure a PowerShell periodic pull synchronization, you will need to use an account with local administrator permissions to start Windows PowerShell and to import the StoreFront modules that will be required. The commands for this are:
   • Import-Module "installationlocation\Management\Cmdlets\UtilsModule.psm1"
   • Import-Module "installationlocation\Management\Cmdlets\SubscriptionSyncModule.psm1"
• You can configure periodic synchronization to take place at a particular time every day, or you can configure regular synchronization at a specific interval.
• To start synchronization of users’ application subscriptions between stores, you will need to restart the subscription store service on both the local and remote deployments using PowerShell after completing the configuration. If your local StoreFront deployment consists of multiple servers, use the Citrix StoreFront management console to propagate the configuration changes to the other servers in the group.

Additional Resources:
• Set up highly available multi‐site stores
https://docs.citrix.com/en‐us/StoreFront/current‐release/set‐up‐highly‐available‐multi‐site‐stores.html
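The configuration sequence above, run on the local StoreFront server, as an added example that is not part of the course material or Citrix's own code. The Import-Module paths are the ones on the page with the default installation folder assumed; the Add-DSSubscriptions* and Restart-DSSubscriptionsStoreSubscriptionService cmdlet names follow Citrix's StoreFront documentation rather than this page and are assumptions here, as are the deployment, store and machine-account names.

```powershell
# Step 1: load the StoreFront subscription sync modules (paths from the page;
# installation location assumed to be the default).
$installationLocation = 'C:\Program Files\Citrix\Receiver StoreFront'
Import-Module "$installationLocation\Management\Cmdlets\UtilsModule.psm1"
Import-Module "$installationLocation\Management\Cmdlets\SubscriptionSyncModule.psm1"

# Caveat from the notes: Delivery Controllers must be named identically, including
# capitalization, in both stores, or users end up with different subscriptions.
# This compares two controller-name lists case-sensitively before anything is changed.
function Test-ControllerNamesMatch {
    param([string[]]$LocalControllers, [string[]]$RemoteControllers)
    $onlyLocal  = @($LocalControllers  | Where-Object { -not ($RemoteControllers -ccontains $_) })
    $onlyRemote = @($RemoteControllers | Where-Object { -not ($LocalControllers  -ccontains $_) })
    [pscustomobject]@{
        Match      = ($onlyLocal.Count -eq 0 -and $onlyRemote.Count -eq 0)
        Mismatched = @($onlyLocal + $onlyRemote)
    }
}

# Constructed sample lists; 'nyc-ddc-02' in place of 'NYC-DDC-02' would be reported.
$check = Test-ControllerNamesMatch -LocalControllers  @('NYC-DDC-01', 'NYC-DDC-02') `
                                   -RemoteControllers @('NYC-DDC-01', 'NYC-DDC-02')
if (-not $check.Match) {
    throw "Controller names differ between the stores: $($check.Mismatched -join ', ')"
}

# Step 2 (enabling synchronization): the page lists this step but does not name the
# cmdlet, so it is not shown here.

# Step 3: the remote deployment and the store pair to pull from (assumed cmdlet names
# and parameters, per Citrix's StoreFront documentation; values are constructed).
Add-DSSubscriptionsRemoteSyncCluster -clusterName 'NewYorkDeployment' -clusterAddress 'storefront-nyc.example.com'
Add-DSSubscriptionsRemoteSyncStore   -clusterName 'NewYorkDeployment' -storeName 'Store' -localStoreName 'Store'

# Either a daily run at a fixed time ...
Add-DSSubscriptionsSyncSchedule -scheduleName 'Nightly' -startTime '21:00'
# ... or a recurring run at a fixed interval (use one or the other):
# Add-DSSubscriptionsSyncReoccuringSchedule -scheduleName 'Hourly' -startTime '00:00' -repeatMinutes 60

# Step 4: the remote servers authenticate with their AD machine accounts, so each one
# must be a member of the local CitrixSubscriptionSyncUsers group (names constructed).
foreach ($account in 'EXAMPLE\SF-NYC-A$', 'EXAMPLE\SF-NYC-B$') {
    net localgroup CitrixSubscriptionSyncUsers $account /add
}

# Restart the subscriptions store service so the new configuration is read. Do the
# same on the remote deployment, then (step 5) propagate the change to the rest of
# the local server group from the StoreFront management console.
Restart-DSSubscriptionsStoreSubscriptionService
```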


Lesson Objective Review

Which technology allows the same resource across multiple sites to be presented as a single icon to the user?

StoreFront resource aggregation
Key Notes:
• To ensure a user can retain StoreFront customizations, such as favorites, we enable subscriptions between StoreFront servers in a group.
• To ensure a user is not presented with duplicate icons where the same resource exists across multiple sites, we enable StoreFront
resource aggregation.



Lab Exercise

• Exercise 3-1: Create a satellite zone
• Exercise 3-2: Move a Controller into the satellite zone
• Exercise 3-3: Move a machine catalog into the satellite zone
• Exercise 3-4: Auto-Update Policy
• Exercise 3-5: Add a Home Zone for a User
• Exercise 3-6: Add a Home Zone for an App
• Exercise 3-7: Test Home Zone App Launch
• Exercise 3-8: Configure Optimal Gateway Routing
• Exercise 3-9: Test Optimal Gateway Routing
• Exercise 3-10: Configure Subscription Synchronization
• Exercise 3-11: Test Subscription Synchronization


Key Takeaways

• Zones allow deployment of a single site across multiple geographically distributed datacenters.
• VDA registration processes will vary based on whether a VDA is located in a primary or satellite zone.
• Zone preference selects the nearest resource based on the user’s location during a session launch to provide the best experience.
• Optimal HDX Routing can be used to improve HDX session performance by routing traffic to the Gateway closest to the end user.
• StoreFront can aggregate identical resources over multiple sites.
• StoreFront preferences can be synchronized over multiple servers in a store to ensure a consistent user experience.


Citrix Virtual Apps and Desktops 7 Advanced Configuration

Planning: Backups and Disaster Recovery

Module 4


Learning Objectives

• Describe how to perform onsite and offsite backups for key components and data in a Citrix Virtual Apps and Desktops environment.
• Recognize leading practices to take into consideration when building a Citrix Virtual Apps and Desktop environment recovery plan.
• Identify the steps to fail over a production Citrix Virtual Apps and Desktops deployment to a Disaster Recovery site.


Backups
Key Notes:
In this lesson, we will be introducing the important considerations for backups in a Citrix Virtual Apps and Desktops environment.



Determining Backup Requirements and Location
A leading practice is storing backups of critical data both onsite and at an offsite location.

Onsite Backups
• Located on a storage device in the datacenter.
• Allows for data to be recovered quickly.
• Ideal for issues that only affect a small portion of hardware in the datacenter.

Offsite Backups
• Require transferring data physically or digitally to a separate physical location from the datacenter.
• Typically used for a limited number of backups that require additional protection in the event of a disaster.
• Cold storage solutions like tape can also be used.
Key Notes:
• The location of a backup can have a major impact on the recovery time and reliability of the Citrix environment.
• Backups can be onsite, using media at the datacenter where the source server resides.
• This allows for a quick recovery time; however, it comes with reduced resilience, as events impacting the building may also impact the backups.
• Hosting backups offsite may increase recovery time, but the resilience of the backup will be higher. The best balance can be achieved with a hybrid backup solution where backups are held onsite, for example daily, and periodic (let's say weekly) backups are transferred offsite.
• Offsite, or cold storage solutions such as tape are slower to recover from. They provide additional protection as they are
only active during the backup process. This means data corruption that may be "backed up" in a daily backup can be
rolled back from offsite backups.

Additional Resources:
• Citrix Virtual Apps and Desktops Zones Disaster Recovery Planning
https://docs.citrix.com/en‐us/tech‐zone/design/design‐decisions/cvad‐disaster‐recovery.html


StoreFront Configuration Backup

• The entire configuration of a StoreFront deployment can be exported and, therefore, backed up.
• Configuration exports can be imported on other machines with StoreFront installed.
• Imported settings will overwrite any configurations on a StoreFront server.
• PowerShell commands are used to export and import StoreFront configurations.

[Diagram: backup.zip exported from one StoreFront server and imported on another StoreFront server.]
Key Notes:
• StoreFront configuration exists separately from the main Site database and resides on the StoreFront servers. Configuration exports are made from a StoreFront server and can cover both single-server deployments and server group configurations.
• The backup (exported) file can then be stored both on and off site. Backup files are either a plain ZIP file or, if encrypted, a ctxzip file. Treat the archive as sensitive either way, since it contains the deployment's full configuration.
• When importing (recovering) onto an existing deployment, the current StoreFront configuration is erased and replaced by the configuration contained in the backup archive. If the target server is a clean, factory-default installation, a new deployment is created from the imported configuration.
• The StoreFront version that produced the backup must match the version installed on the server it is imported to.
• There are some additional points to consider when exporting and importing a StoreFront configuration:
• Will the Host Base URL contained in the backup archive be used, or will a new Host Base URL be specified on the importing server? A new URL can be set with the "HostBaseURL" parameter.
• Are any Citrix-published authentication SDK examples (such as Magic Word authentication) or other third-party authentication customizations in use? If so, the SDK or customization packages they need must be installed on every importing server before importing a StoreFront configuration that contains the extra authentication methods.
• The SiteID is a numerical value reflecting the order in which a StoreFront site was created. It must match between the current site and the target site the configuration is restored to.
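The following is an added example, not code from the Citrix course material, showing the export and import cycle described above with the StoreFront PowerShell SDK. The cmdlet names and parameters (Export-STFConfiguration, Import-STFConfiguration, Get-STFDeployment, Get-STFStoreService) are those documented for the SDK; the backup folder, archive name, DR Host Base URL, the Invoke-Citrix-free version lookup via the Uninstall registry key and the server roles are assumptions for illustration.

```powershell
# Added example, not code from the Citrix course material.
# Cmdlets: StoreFront PowerShell SDK. Paths, names and URLs are assumptions.

# Load the StoreFront SDK (script shipped with the StoreFront installation)
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$backupFolder = 'D:\Backups\StoreFront'                  # assumed location
$backupName   = "sf-config-$(Get-Date -Format yyyyMMdd)" # archive name, no extension

# Prompt for the archive password rather than embedding it; the resulting
# .ctxzip can then be copied offsite without exposing the deployment's settings.
$password = Read-Host -Prompt 'Archive password' -AsSecureString

# ---- On the source server ------------------------------------------------
# -Password writes an encrypted <name>.ctxzip; -NoEncryption would write a plain .zip.
Export-STFConfiguration -TargetFolder $backupFolder -ZipFileName $backupName -Password $password

# Record the installed StoreFront version next to the archive: the importing
# server must run the same version or the import is rejected. (Reading the
# Uninstall registry key is an assumption about how the version is discovered.)
$sfVersion = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
             Where-Object { $_.DisplayName -like 'Citrix StoreFront*' } |
             Select-Object -ExpandProperty DisplayVersion -First 1
Set-Content -Path (Join-Path $backupFolder "$backupName.version.txt") -Value $sfVersion

# ---- On the target server (same StoreFront version) ----------------------
# The import replaces whatever configuration the target holds. On a clean
# install a new deployment is created from the archive. For a server group,
# import on one member and then propagate changes to the others.
$archive = Join-Path $backupFolder "$backupName.ctxzip"

Import-STFConfiguration -ConfigurationZip $archive -Password $password `
                        -HostBaseUrl 'https://storefront-dr.example.com'   # assumed DR URL

# Confirm the deployment and its stores arrived as expected
Get-STFDeployment   | Select-Object HostbaseUrl, SiteId
Get-STFStoreService | Select-Object FriendlyName, VirtualPath
```

If the target IIS site was not created first, Import-STFConfiguration also accepts -SiteID so that the numeric site identifier in the archive can be matched to the target site, which is the SiteID caveat in the notes above. Any authentication SDK or customization package must already be installed on the target before the import runs, otherwise the imported authentication methods reference components that are not there.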

Additional Resources:

• Export and import the StoreFront configuration

https://docs.citrix.com/en‐us/StoreFront/current‐release/export‐import‐StoreFront‐config.html



User Data Storage and Backup Options
Data recovery options for user profiles and home drives

Multi-File Backup/Restore (Desktop)
• Save a new copy of a file every day.
• Files reside on the local machine.
• There may be no defense against local storage failure.

File Server
• This is the preferred option used by many enterprises.
• Files must be saved on network drives.
• May require support to recover files.

Versioning in the Cloud
• Uses cloud-hosted storage, such as Citrix Content Collaboration (ShareFile).
• Auto-creates new versions as files are saved.
• This provides a good balance of recoverability and lower admin.

Key Notes:
• In a traditional on-premises deployment, data can be kept on local endpoints (or VMs), stored in an enterprise shared storage solution, or placed into a third-party cloud service. Each method has its pros and cons, but most medium to large enterprises choose options that allow enterprise or offsite storage, both to have more control over how data is accessed and used and to lower the risk of unrecoverable data in the event of an outage.
• Enterprise storage solutions include file servers, either on or offsite, which are simple to implement with existing skills and scale by adding disks or resizing machines. However, a file server can be a single point of failure, where routine maintenance impacts the availability of the data and recovery time may be long.
• Using Microsoft DFS offers greater resilience, as there is no single point of failure in a well understood and moderately scalable technology. It is, however, unsupported by Microsoft in an active/active configuration and must run active/passive to be supported. It also requires manual intervention to fail over if the active machine fails, and field experience has shown performance issues.
• Storage Spaces Direct (S2D) is a solution based on Windows Server Failover Clustering and Scale-Out File Server. It allows a single SMB file path to be hosted on multiple machines without the need for shared storage. It is highly resilient and scalable; however, it is only available on certain Windows Server Datacenter editions, it can be complex to implement, and it may not give the best results for user profile workloads.
• Multiple third-party backup offerings are also available from vendors such as Veeam, NetApp and Cloudian, among others. These can be highly resilient and perform well; however, they are often costly and may require additional experience.

e


Application Data Backup Considerations
Include backup considerations in the application intake process

1. Application is identified for inclusion in the environment.
2. Citrix and application teams determine backup requirements and responsibilities.
3. Application backup configuration occurs during onboarding activities.

Key Notes:
• It is critical to identify which applications need to be backed up, or which the organization is willing to back up. For example, an environment may initially have had 10 applications in Citrix Virtual Apps and Desktops, of which only eight are still active; the backup workload for the other two can then be reduced or eliminated, saving time and effort.
• Each application may have its own backup options and requirements. As a result, backup requirements should be determined during the intake process for a new application to the Citrix Virtual Apps and Desktops Site, and the expected level of backup must be agreed explicitly.


Master Image Backups
Backup considerations for image management

[Figure: Machine Creation Services (master virtual machine and master image, with an identity disk and a differencing disk per VM); Citrix Provisioning (Provisioning Server and vDisk store streaming a vDisk to virtual machines); Citrix App Layering (OS layer, platform layer, application layers and elastic layers composed into a virtual machine)]

Machine Creation Services
• Backup approach and difficulty will differ based on whether thin clones or full clones are used.
• Back up master VMs/templates.

Citrix Provisioning
• vDisks should receive the highest level of backup available.

Citrix App Layering
• Implement a backup plan for the layered images.
• Elastic and user layers should be backed up according to use case criticality.

Key Notes:
• Master images should be protected from corruption and loss. Keeping a periodic offline copy of each image revision is an easy way to achieve this, and an offline copy is out of reach of whatever corrupts or encrypts the live storage.


SQL Database Backups
Select the appropriate level of SQL recovery model for the Citrix product databases.

Recovery Models

Simple:
• No log backups are required.
• Has lower storage space requirements.
• Changes to the database since the most recent backup are NOT protected.

Full:
• Requires log backups as well.
• Data can be recovered from any point in time.
• Required for SQL mirroring.

Bulk-Logged:
• Requires log backups as well.
• Permits bulk copy operations, so is not typically used for Citrix databases.

n
Key Notes:
• Multiple Citrix products rely on a database to store session or configuration information, including Citrix Virtual Apps and Desktops, Citrix Provisioning, Citrix Workspace Environment Management and Citrix Session Recording. Some level of backup and recovery is recommended for every Citrix product database; the recovery model and the backup level and frequency, however, depend on the organization's requirements.
• Backups should be treated as a separate, additional step to any existing high-availability solution such as Always On, mirroring or clustering, because those replicate corruption as faithfully as they replicate good data. It is also important to retain offline backups to protect against real-time corruption or malicious encryption of the live database files or their content.
• The commonly used SQL Server recovery models govern the transaction log, which records every transaction and the database modifications each one made. The transaction log is a critical component of the database: after a system failure it may be needed to bring the database back to a consistent state. How the log is used depends on the recovery model:
• The simple model does not require log backups, and log space is reclaimed automatically, keeping space requirements small. This removes the need to manage transaction log space, but changes made since the most recent backup are unprotected and, after a disaster, must be redone manually.
• The full model requires log backups, and no committed work is lost because of a lost or damaged data file. The database can be recovered to any arbitrary point in time (for example, to just before an application or user error). This model is required for database mirroring.
• The bulk-logged model is an adjunct of the full recovery model that permits high-performance bulk copy operations. It is typically not used for Citrix databases.

e
or
Additional Resources:
• Citrix VDI Best Practices for Citrix Virtual Apps and Desktops – Disaster Recovery Planning: Design Decision
https://docs.citrix.com/en‐us/tech‐zone/design/design‐decisions/cvad‐disaster‐recovery.html
• Recovery Models (SQL Server):
https://docs.microsoft.com/en‐us/sql/relational‐databases/backup‐restore/recovery‐models‐sql‐server?view=sql‐server‐ver16&viewFallbackFrom=sql‐server‐2017%E2%80%8B
• Backup Overview (SQL Server):
https://docs.microsoft.com/en‐us/sql/relational‐databases/backup‐restore/backup‐overview‐sql‐server?view=sql‐server‐ver15


SQL Database Backups
Select the appropriate level of SQL recovery model for the Citrix product databases.

Backup Levels

Full:
• Contains all data in a specific database, and enough log information to allow the data to be recovered.

Partial:
• Contains data from only some of the filegroups in a database, including:
• The primary filegroup.
• Every read/write filegroup.
• Optionally, specified read-only files.

Differential:
• Is based on the last full backup.
• Records only the portions of data that have changed since that full backup.

n
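The following is an added example, not from the course material and not Citrix's own tooling, that covers both the recovery-model slide and the backup-levels slide above: it sets the recovery model on a Site database, takes the full, differential and log backups described, verifies the result, and shows the restore order that a differential backup relies on (the sequence behind Exercises 4-2 and 4-3). It uses Invoke-Sqlcmd from the Microsoft SqlServer PowerShell module; the instance name, database name, backup share and the Invoke-CitrixSql and Restore-CitrixDatabase helpers are assumptions.

```powershell
# Added example, not from the course material or from Citrix's own tooling.
# Requires the Microsoft SqlServer PowerShell module (Invoke-Sqlcmd).
# Instance, database, backup share and helper names are assumptions.
Import-Module SqlServer

$instance   = 'SQL01\CITRIX'          # assumed SQL Server instance
$database   = 'CitrixSiteDB'          # assumed CVAD Site database
$backupPath = '\\backup01\sql\Citrix' # assumed share writable by the SQL service account
$stamp      = Get-Date -Format 'yyyyMMdd_HHmm'

# Small helper (an assumption, not a Citrix cmdlet): run T-SQL against master
function Invoke-CitrixSql([string]$Query) {
    Invoke-Sqlcmd -ServerInstance $instance -Database 'master' -Query $Query -ErrorAction Stop
}

# 1. Recovery model. FULL keeps the log until it is backed up, which is what
#    makes point-in-time restore possible and what mirroring requires.
Invoke-CitrixSql "ALTER DATABASE [$database] SET RECOVERY FULL;"

# 2. Full backup: the base that every differential and log backup refers to.
#    CHECKSUM lets RESTORE detect media corruption; INIT overwrites the file.
Invoke-CitrixSql @"
BACKUP DATABASE [$database]
  TO DISK = N'$backupPath\${database}_FULL_$stamp.bak'
  WITH CHECKSUM, COMPRESSION, INIT;
"@

# 3. Differential backup: only the extents changed since the last full backup
Invoke-CitrixSql @"
BACKUP DATABASE [$database]
  TO DISK = N'$backupPath\${database}_DIFF_$stamp.bak'
  WITH DIFFERENTIAL, CHECKSUM, COMPRESSION, INIT;
"@

# 4. Log backup: truncates the log under FULL recovery and provides the
#    point-in-time chain. Under SIMPLE this statement fails, which is the
#    quickest check that the model really is FULL.
Invoke-CitrixSql @"
BACKUP LOG [$database]
  TO DISK = N'$backupPath\${database}_LOG_$stamp.trn'
  WITH CHECKSUM, COMPRESSION, INIT;
"@

# 5. Do not trust a backup that has never been read back
Invoke-CitrixSql "RESTORE VERIFYONLY FROM DISK = N'$backupPath\${database}_FULL_$stamp.bak' WITH CHECKSUM;"

# Restore order: full -> latest differential -> every log backup taken after
# that differential, all WITH NORECOVERY, then a final WITH RECOVERY.
# ROLLBACK IMMEDIATE drops the Delivery Controllers' connections, so run this
# in a maintenance window (Local Host Cache, if enabled, brokers meanwhile).
function Restore-CitrixDatabase {
    param([string]$Full, [string]$Diff, [string[]]$Logs = @())
    Invoke-CitrixSql "ALTER DATABASE [$database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;"
    Invoke-CitrixSql "RESTORE DATABASE [$database] FROM DISK = N'$Full' WITH NORECOVERY, CHECKSUM, REPLACE;"
    if ($Diff) { Invoke-CitrixSql "RESTORE DATABASE [$database] FROM DISK = N'$Diff' WITH NORECOVERY, CHECKSUM;" }
    foreach ($log in $Logs) { Invoke-CitrixSql "RESTORE LOG [$database] FROM DISK = N'$log' WITH NORECOVERY, CHECKSUM;" }
    Invoke-CitrixSql "RESTORE DATABASE [$database] WITH RECOVERY;"
    Invoke-CitrixSql "ALTER DATABASE [$database] SET MULTI_USER;"
}

# Example: roll back to the state captured by this run's full + differential + log
Restore-CitrixDatabase -Full "$backupPath\${database}_FULL_$stamp.bak" `
                       -Diff "$backupPath\${database}_DIFF_$stamp.bak" `
                       -Logs @("$backupPath\${database}_LOG_$stamp.trn")
```

Copy the backup files to the offline/offsite location after step 5, not before: a backup that fails RESTORE VERIFYONLY has no value anywhere. Under the simple recovery model only steps 2 and 3 apply, and the restore stops after the differential, which is exactly the "changes since the most recent backup are unprotected" caveat from the recovery-model notes.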


License File Backups Options

• Existing license files can be re-used if one of the Citrix License Server high availability options is used.
• Machines involved in a high availability configuration must use the same hostname, or the license file will not work.
• If a machine with a different hostname will be used as a backup, or is created during recovery, the Citrix license file must be re-allocated with the new hostname.

Key Notes:
• Citrix licenses are held in a text file and are therefore easy to back up, both live and as an offline copy that additionally protects their integrity.
• Access to the company's licenses is through a mycitrix account, so that identity (and the ability to sign in to it) must be maintained to ensure rapid access to existing or updated license files in a DR situation.

Additional Resources:
• License files



https://docs.citrix.com/en‐us/licensing/current‐release/license‐files.html



Hypervisor VM/Pool/Cluster Metadata
• Each hypervisor vendor will have specific methods to back up critical data that will enable the
hypervisor environment to be restored in the event of a disaster.
• As an example, the following types of data should be backed up for a Citrix Hypervisor deployment to
recover from possible server and software failure.

Pool Metadata
• Hosts use a database to store data about VMs and associated resources.
• The process to back up and restore VM metadata depends on whether a single-host or pooled deployment is used.

Host Configuration and Software
• These backups refer to hypervisor server control domain backup and restore procedures.
• May not include storage repositories; e.g., only the privileged control domain that runs the Citrix Hypervisor agent.

Virtual Machines
• Consists of backing up the virtual machine disk files.
• Can be treated similarly to other file backups. Citrix recommends using a Citrix Ready 3rd party solution.

Key Notes:
• It is a leading practice to avoid altering the installed state of Citrix Hypervisor servers: do not install additional packages or start additional services on them, which would mean they operate as more than a hypervisor. If a Citrix Hypervisor server must be restored, the best approach is to reinstall the software from the installation media. With multiple servers, a TFTP server and answer files can be used to reinstall them consistently and reapply any standard deviations from the defaults.
• Virtual machine configurations are held in the VM metadata. Backing up the VM metadata is essential to be able to reconfigure VM settings after data loss; metadata backups can be used to restore corrupt hosts or applied to fresh installs. In a pool, the pool master holds the authoritative database, which is synchronously mirrored to all pool member hosts. This provides a level of built-in redundancy: any pool member can replace the master because each member has an accurate copy of the pool database.
• Citrix Hypervisor uses a pool model with a pool master and member hosts. The pool database must be backed up to allow the pool to be recovered onto new hardware.

N
Additional Resources:
• Back up and restore hosts and VMs
https://docs.citrix.com/en‐us/citrix‐hypervisor/dr/backup.htm
• Citrix Ready Marketplace (Backup Providers):
https://citrixready.citrix.com/category‐results.html?search=backup&_ga=2.239675978.810872846.1559518441‐98755839.1533921585


Lesson Objective Review

What is the difference between a full and a differential SQL database backup?

When a full backup is created, the full database is backed up and a new backup file is created. When a differential backup is created, only the changes made since the previous full backup are captured and added to the existing backup file.


Disaster Recovery Considerations

Key Notes:
In this lesson, we will be examining leading practice considerations for disaster recovery. This includes considering the type of
questions you need to ask to ensure you have sufficient plans in place to recover a Citrix Virtual Apps and Desktops environment from
issues that impact the environment’s ability to deliver business as usual.



Key Notes:
• This slide lists example questions from a typical assessment used to determine the disaster recovery considerations for a deployment design. They should be considered alongside any plans already in place. The primary focus is to identify which Citrix components need to be recoverable; once that is defined, the recovery plan can address each of them.
• Based on the DR plan and its requirements, make a team or personal plan (depending on the size of the organization) that specifies the actions to take during a DR event in order to comply with the plan. A checklist increases the chance that nothing important is missed in the failover and recovery sequences, during what can be a stressful situation.


Key Notes:
• Ensuring access during a DR event requires proper planning and documented procedures that provide the correct level of business-as-usual access in the event of an outage and a potential site failover. There are several elements to this.
• Firstly, the same URL or a separate failover URL can be used for access. Consider whether there is at least one StoreFront server in each resource location, and how many stores and servers the DR infrastructure needs.
• Next, decide between automatic and manual failover. If Citrix ADC appliances are deployed, several failover options are available.
• Importantly, also consider the resilience of the non-Citrix components that Citrix Virtual Apps and Desktops relies on, such as file storage.
• Depending on the environment's needs, a single-Site or multi-Site deployment may be required. Identify whether each location is managed independently through separate Citrix Virtual Apps and Desktops Sites, because users may then need a different connection procedure during a DR event.
• A good compromise that avoids multi-Site environments is to use zone preference and failover, or StoreFront multi-site aggregation. An administrator could also consider StoreFront subscription synchronization.


Key Notes:
• In a deployment with active/active datacenters, it is important to focus on how user data is handled. An active/active design is relatively simple as long as users have no personalization requirements, do not need to retain application settings, and do not need to create documents or other persistent data.
• In practice, most use cases require at least some of these. However, active/active replication of profile data is not supported by Microsoft (specifically with DFS-R) or by Citrix (for Citrix Profile Management when DFS is used for replication). This makes replication across multiple active/active datacenters difficult.
• Any supported scenario assumes that only one-way profile replication is implemented, and that only one copy of the profile is ever active at any point in time. Supporting active/active replication would require distributed file locking.
• As a rule of thumb, never plan to have multiple access points to the same data by the same user.

Additional Resources:
• GSLB & DR – Everything you think you know is probably wrong!
https://www.citrix.com/blogs/2014/03/29/xendesktop‐gslb‐dr‐everything‐you‐think‐you‐know‐is‐probably‐wrong/
• Multiple folder targets and replication (with Citrix Profile Management)
https://docs.citrix.com/en‐us/profile‐management/current‐release/plan/high‐availability‐disaster‐recovery‐scenario‐2.html
• Disaster recovery (for Citrix Profile Management):
https://docs.citrix.com/en‐us/profile‐management/current‐release/plan/high‐availability‐disaster‐recovery‐scenario‐3.html


Key Notes:
• For Citrix Cloud customers, the control layer is redundant and hosted in Citrix Cloud, so DR planning has a different set of considerations. Redundant cloud components include the Delivery Controllers, the Site database, the Studio management console (Full Configuration console in Citrix DaaS) and optionally other services such as Citrix Gateway and StoreFront (Citrix Workspace in Citrix Cloud).
• The disaster recovery plan for customers subscribed to apps and/or desktops in Citrix Cloud only covers the components that are not within Citrix Cloud, such as the Server OS or Desktop OS machines running the VDA and any on-premises Citrix ADC or StoreFront servers.
• If connectivity to Citrix Cloud is lost or interrupted, Local Host Cache is used so that end users can continue to start HDX sessions on customer-managed VDA machines.
• The Citrix Cloud service level agreement (SLA) is available online; it gives a monthly uptime commitment and explains what that does and does not include. Every Citrix Cloud customer should become familiar with the SLA and decide whether it is acceptable for the organization's overall DR requirements.
• That decision determines, for example, whether an on-premises StoreFront and Citrix Gateway should be kept to provide access during a Citrix Cloud outage, and whether the leading practices for Local Host Cache are in place.

Additional Resources:
• Scale and size considerations for Local Host Cache
https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops‐service/install‐configure/install‐cloud‐connector/local‐host‐scale‐and‐size.html
• Service Level Agreement
https://docs.citrix.com/en‐us/citrix‐cloud/overview/service‐level‐agreement.html


Lesson Objective Review

How might zone preference settings interfere with a datacenter failover during a Disaster Recovery event?

If users or applications are configured incorrectly, they may not automatically have access to their resources if they access a new zone.


Lab Exercise Prep

Please take a moment and provision your lab for Module 4.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.



Disaster Recovery Process

Key Notes:
In this lesson, we will be focusing on the processes around actioning both a disaster recovery process and the return to primary
datacenter post recovery.



Failing Over to a Disaster Recovery Environment

Go / No-Go Decision → Block Access to Primary Environment → Terminate Existing Sessions → Complete Replication → Reverse Replication → Enable Access in DR Datacenter

Key Notes:
• Each environment may have its own procedures for maintaining business as usual during a DR event. The steps in the diagram apply to a generic scenario: a primary, active datacenter with the Citrix Virtual Apps and Desktops Site that is normally used, and a passive DR datacenter with a backup Site that is only accessed when the primary Site is unavailable or impaired. The scenario also assumes that application and user profile data must be replicated from the primary to the DR datacenter so that users have full functionality there. Many of the steps exist to ensure that data replication completes without synchronization issues or lost data.
• Any switch to a DR site needs a Go / No-Go decision point: a named decision-maker confirms that the failover process begins.
• Once the decision is made, block access to the primary environment. For example, the Citrix Gateway or StoreFront URL can be redirected to a web page that explains the situation to end users and tells them where to go for their resources (if a separate URL is used for the DR environment) or when services are expected to resume (if a single URL is used).
• Once no new sessions can be started, terminate existing sessions.
• Complete the replication of the latest data from the primary to the DR site. Only once profile and application data is no longer being accessed or modified on the primary Site can the final replication to the backup environment proceed. If some or all production data was lost in the DR event, recovering data from backup locations into the DR datacenter also happens at this stage.
• Reverse replication. Once the primary datacenter has no active connections and user data is either replicated or has been written off, the backup datacenter becomes the primary data location and the replication flow is reversed, so that changes made in the backup environment are retained.
• Finally, enable access in the DR datacenter, after any required back-end data migration or replication has completed.
• Communication to end users is important at this step, particularly if the access method differs from their usual process.
• Ideally a plan is in place for onboarding/migrating users to the DR site, covering:
• How many users and apps are to be migrated.
• Prioritizing business-critical users and apps.
• How users will be notified about DR availability and limitations.
• Avoiding boot and logon storms.
• Monitoring load on VDA machines and back-end servers.
• Load evaluator policy settings that ensure VDA machines are not overloaded.

Additional Resources:
• GSLB & DR – Everything you think you know is probably wrong!:
https://www.citrix.com/blogs/2014/03/29/xendesktop‐gslb‐dr‐everything‐you‐think‐you‐know‐is‐probably‐wrong/


Returning to Normal Operations

Go / No-Go Decision → Block Access to DR Datacenter → Terminate Existing Sessions → Complete Replication → Reset Replication → Enable Access to Primary Datacenter

Key Notes:
• Once the primary datacenter has been recovered, returning to normal operations involves the failover steps in reverse.
• Once the primary datacenter is stable, perform infrastructure and functional testing to confirm that core functionality has returned before any user is moved back.
• Next, block access to the DR datacenter. This can be done in stages by removing Active Directory groups from resource assignments in the backup datacenter a few at a time.
• Before switching back, terminate any remaining sessions in the DR datacenter; sessions can be drained in a controlled manner.
• Complete replication to the primary datacenter by ensuring that any files, profiles or databases changed in the DR site have been replicated back.
• Finally, reset replication from the primary to the DR datacenter and enable access to the primary datacenter.
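The following is an added example, not from the course material, that scripts the "block access" and "terminate existing sessions" steps that appear in both the failover procedure and the return-to-normal procedure above, using the Citrix Virtual Apps and Desktops PowerShell SDK from a Delivery Controller of the Site being vacated (the primary Site on failover, the DR Site on failback). The Delivery Group names, the grace period, the message text and the Get-ScopedSession helper are assumptions.

```powershell
# Added example, not from the course material. Run on a Delivery Controller
# of the Site being vacated (primary Site on failover, DR Site on failback).
# Delivery Group names, grace period and message text are assumptions.
Add-PSSnapin Citrix.Broker.Admin.V2

$deliveryGroups = @('Finance Desktops', 'Office Apps')   # assumed names
$graceMinutes   = 15

function Get-ScopedSession {
    # All sessions in the Delivery Groups being drained (default record cap is 250)
    Get-BrokerSession -MaxRecordCount 100000 |
        Where-Object { $deliveryGroups -contains $_.DesktopGroupName }
}

# Step 1 - Block new launches. Maintenance mode stops the broker handing out
# new sessions from these groups but leaves existing sessions running, which
# is the "block access to the environment" state before the drain.
foreach ($dg in $deliveryGroups) {
    Set-BrokerDesktopGroup -Name $dg -InMaintenanceMode $true
}

# Step 2 - Warn users who are still connected and give them the grace period.
$sessions = @(Get-ScopedSession)
if ($sessions.Count -gt 0) {
    Send-BrokerSessionMessage -InputObject $sessions -MessageStyle Exclamation `
        -Title 'Planned failover' `
        -Text  "This environment is being taken offline in $graceMinutes minutes. Save your work and log off."
    Start-Sleep -Seconds ($graceMinutes * 60)
}

# Step 3 - Log off what is left. Replication to the other datacenter must
# only start once no session can still modify profiles or application data.
Get-ScopedSession | Stop-BrokerSession

# Step 4 - Evidence for the Go / No-Go on replication: zero is the only
# acceptable answer before the final replication run is started.
function Get-RemainingSessionCount { @(Get-ScopedSession).Count }
"Sessions still present in the drained Delivery Groups: $(Get-RemainingSessionCount)"
```

Maintenance mode is a complement to, not a replacement for, redirecting the Citrix Gateway or StoreFront URL: the redirect tells users what is happening, the maintenance flag guarantees the broker cannot start a session behind it. On failback the same script runs against the DR Site's Delivery Groups, and clearing -InMaintenanceMode on the primary Site's groups is the "enable access" step.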



Lesson Objective Review

How can user profile settings impact a failover to a disaster recovery environment?

If user profile data is required (for example Microsoft roaming profiles or Citrix Profile Management), the profile data must be replicated to the DR location before users access that location.


Lab Exercise

• Exercise 4-1: Export and Import the StoreFront Configuration
• Exercise 4-2: Perform a Differential Backup for the Site Database
• Exercise 4-3: Restore a Backup for the Site Database


Key Takeaways

• In a Citrix Virtual Apps and Desktops environment, there are multiple components that should be considered for regular backups.
• Citrix component backups can be included in a disaster recovery plan that translates organizational disaster recovery requirements into disaster recovery actions for the environment.
• Determine the specific series of steps needed to fail over between a primary and backup environment, as well as what user communications should be involved.


Citrix Virtual Apps and Desktops 7
Advanced Configuration

Planning: Advanced Authentication Methods

Module 5


Learning Objectives

• Describe how Multi-Factor Authentication (MFA) solutions are used to validate and authenticate end users in a Citrix Virtual Apps and Desktops environment.
• Describe Smart Card authentication and PIN prompt behavior in a Citrix Virtual Apps and Desktops environment.
• Describe Citrix Federated Authentication Service (FAS) and its interaction with other federated identity concepts in a Citrix Virtual Apps and Desktops environment.


Multi-factor Authentication
RADIUS and One Time Passwords (OTP)

Key Notes:
In this lesson, we will learn about the use of multi-factor authentication in a Citrix Virtual Apps and Desktops environment.


Introduction to Authentication Factors

Figure: Multi-factor authentication. “What you know”: passwords, static PINs. “What you have”: tokens, phones, smart cards.

Key Notes:
• Authentication is the process of proving who you are.
• Three possible authentication “factors” are commonly referred to as:
  • “What you know”, typically a password
  • “What you have”, typically a token code
  • “What you are”, typically fingerprint or face recognition
• “What you are” has been proven to be less useful as a form of authentication. Hackers have illustrated that they can reproduce fingerprints and fool facial recognition software with photos or 3D models.
• Biometrics, although valuable, aren’t considered a factor of authentication by many, as the data (face or fingerprint) is public. Many consider biometrics to be a factor of identification, not authentication.


One Time Passwords (OTP)

• An individual token is created and tied to a "seed".
• A hashing function runs on the seed and the current time to generate a One Time Password (OTP).
• The token contains the seed plus the hardware\software needed to perform the token hash.
• The token hash and the backend hash(seed + time) must match, proving that both sides had the original seed.

Figure: Something you know (the PIN, 6789) plus something you have (an OTP token showing ABC123). User login: Username: HR1, Password 1: 6789, Password 2: ABC123.

Key Notes:
• One-time passwords are typically contained in OTP tokens, and fulfill the “what you have” authentication factor. These can be physical or virtual, and there are different brands and types from various vendors available (e.g., RSA SecurID, Symantec VIP, HID ActivID).
• Tokens do not require network connectivity to work. Instead, the token device (or soft token) has a secret, unique “seed record” that exists both on the device (or software) and on the backend authentication server. The device and server input the seed record and the current time into a publicly known algorithm to generate a unique PIN or password.
• The algorithm is specifically designed as a sort of ‘one-way function’, in which it is near impossible to determine the seed record from the output. The unique seed record cannot be transferred between devices, so that device becomes a “what you have”. Some devices for use with OTP also have their own security controls to protect the token itself.
• When OTP tokens are used as the first authentication method with Citrix Gateway, they help protect Active Directory from brute force attacks, account lockouts, and DDoS.
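The seed-plus-time scheme described above, as an added example that is not part of the course material: both sides hold the same seed record, each computes HMAC(seed, time step), and the backend only accepts a code that matches its own computation, has not been used before, and falls inside a small clock-drift window. The time step (30 s), digit count and sample seed records are assumptions.

```python
# Added example (not from the Citrix course material): a minimal time-based
# OTP in the style the slide describes. Both sides hold the same secret seed
# and feed seed + current time step into an HMAC; the backend accepts the
# login only if its own computation matches what the token displayed.
import hmac
import hashlib
import struct
import time

TIME_STEP = 30      # seconds per OTP window (RFC 6238 default; an assumption here)
DIGITS = 6

def otp_for_step(seed: bytes, step: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1(seed, counter) truncated to `digits` decimal digits (RFC 4226 style)."""
    msg = struct.pack(">Q", step)                     # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, now: float, step_seconds: int = TIME_STEP) -> str:
    """What the token displays: the OTP for the current time window."""
    return otp_for_step(seed, int(now // step_seconds))

class OtpBackend:
    """Backend authentication server: holds seed records per user and verifies codes."""
    def __init__(self, seeds: dict, window: int = 1):
        self.seeds = seeds          # username -> seed record (constructed sample data)
        self.window = window        # tolerate +/- this many steps of clock drift
        self.used = set()           # (user, step) already consumed: a code is one-time

    def verify(self, user: str, code: str, now: float) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        step = int(now // TIME_STEP)
        for drift in range(-self.window, self.window + 1):
            candidate = step + drift
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(otp_for_step(seed, candidate), code):
                if (user, candidate) in self.used:
                    return False       # replayed code: reject even though it matches
                self.used.add((user, candidate))
                return True
        return False

# Constructed sample seed record for user "HR1" (the slide's example user).
SEEDS = {"HR1": b"constructed-seed-record-for-HR1"}

def demo(now: float = None) -> dict:
    """Run one token/backend exchange plus the failure cases a backend must reject."""
    now = time.time() if now is None else now
    backend = OtpBackend(SEEDS)
    shown = totp(SEEDS["HR1"], now)               # value displayed on the token
    return {
        "first_use": backend.verify("HR1", shown, now),
        "replay": backend.verify("HR1", shown, now + 5),
        "wrong_seed": backend.verify("HR1", totp(b"other-seed", now), now),
        "expired": backend.verify("HR1", shown, now + 3 * TIME_STEP),
    }

if __name__ == "__main__":
    print(demo())
```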


What is RADIUS?

• The Remote Authentication Dial-In User Service, or RADIUS, is an open network protocol providing Authentication, Authorization, and Accounting (AAA) services.
• It is commonly used as a multi-factor protocol. Many vendors use it to implement OTP systems.
• RADIUS is supported for both Citrix ADC system management and Citrix Gateway user connections.
• StoreFront needs Citrix ADC to perform RADIUS authentication.

Key Notes:
• RADIUS is a communications protocol that allows different third parties to authenticate using OTP systems.
• To function, an authenticating system “speaks” RADIUS to an OTP vendor server to pass along token information entered by the user.
• The OTP system simply returns pass\fail conditions over RADIUS back to the authenticating entity.
• This simple "Present-Respond" approach makes RADIUS a quick and simple option to implement.

Additional Resources:
• RADIUS Protocol and Components
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726017(v=ws.10)


Citrix Gateway and RADIUS Authentication

1. User sends username, password, and token credentials to Citrix Gateway.
2. Citrix Gateway forwards the token credentials to the RADIUS server.
3. If RADIUS confirms the token credentials, Citrix Gateway sends the LDAP credentials to a Domain Controller.
4. If the Domain Controller validates the LDAP credentials, the rest of the enumeration and launch processes continue normally.

Diagram: Endpoint, Citrix ADC (Citrix Gateway), RADIUS Server, Domain Controller, StoreFront, Site; the numbered steps above follow the arrows.

Key Notes:
• It is important to remember that all the standard Windows OS authentication still happens on the backend.
• When configuring multi-factor authentication, the order in which the factors are authenticated can provide additional protection against DDoS attacks. For example, if LDAP is the first factor, an external DDoS attack could target the Domain Controllers, even though the attackers have not authenticated and are outside the internal network. If we place a hardened, dedicated authentication mechanism, such as a RADIUS server, as the first authentication factor, we can prevent this scenario.
• Any of the authentication mechanisms that are supported on the Citrix ADC appliance can be configured as any factor of the nFactor authentication setup. These factors are executed in the order in which they are configured.
• When using tokens, it is important to consider that they can be compromised fairly easily, since many are not protected by PINs or passwords. They are also susceptible to man-in-the-middle attacks, since the token information is sent across the wire. The use of smart cards can solve some of these problems.
203 © 2023 Citrix Authorized Content


Lesson Review

What Citrix component can be used to implement two-factor authentication involving a RADIUS server for a Citrix Virtual Apps and Desktops environment?

Citrix ADC


Multi-factor Authentication
Smart Card Authentication

Key Notes:
In this lesson, we will be looking at how we use smart card technology in a Citrix Virtual Apps and Desktops environment.


Smart Cards with Citrix Virtual Apps and Desktops

• Supported natively through StoreFront with IIS.
• Requires TLS.
• Bimodal authentication available in StoreFront.
• Middleware may be needed on client and VDA machine, e.g. ActivClient, SafeNet (Gemalto).

Figure: a sample government ID card (John Doe, United States Government) supplying Factor #1 and Factor #2.

Key Notes:
• Smart cards provide multi-factor authentication by three items:
  • Identification, which is provided by a user certificate
  • Authentication factor #1: PIN
  • Authentication factor #2: proof of private key, confirmed by digital signatures and public key decryption
• Smart cards rely on certificates and their associated public and private keys to function. This is supported by PKI, which provides a system of encryption and identity verification. Encryption is either symmetric, which uses the same key to encrypt and decrypt messages, or asymmetric, which uses public/private key pairs to encrypt and decrypt messages. A symmetric key requires the same key to exist at either end of the connection, which may present security issues; however, it is faster.
• Smart cards rely on asymmetric cryptography using public/private key pairs, which is more secure for authentication.
  • The Public Key is used to encrypt data to be sent to an authorized entity. It is known to everyone.
  • The Private Key is used to decrypt data that has been encrypted with the corresponding Public Key. It is known only to the intended receiver.
• Using keys to provide proof of identity and identity of the issuer also means that we can revoke the key.
• A Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) can be used to verify whether a key has been revoked.
• When using Smart Cards with Citrix Virtual Apps and Desktops, the user will log on to their client with the same smart card cert they wish to use on Citrix Virtual Apps and Desktops.
• StoreFront allows for bimodal authentication, meaning the user can select either explicit or smart card authentication once they hit the StoreFront server.


Smart Cards with Citrix Virtual Apps and Desktops
Key Considerations

Smart Card Removal Behavior
• When a user removes their smart card from the PC or attached reader, one of the following occurs based on the “Smart card removal behavior” GPO setting:
  – Workstation is locked
  – Session is disconnected (for remote sessions)
  – User is logged off
  – No action (session stays active)

Smart Cards and WAN Network
• Smart cards were never meant to operate over a WAN, and thus are highly sensitive to latency.
• Because certificates must be exchanged over the wire, logon times can increase significantly when default settings are used.

Smart Card Updates on Virtual Apps and Desktops
• PIV smart card authentication support has been added for Director access.
• The fast smart card feature improves performance in high-latency WAN scenarios.

Key Notes:
• Director supports Personal Identity Verification (PIV) based smart card authentication.
• This feature is useful for organizations and government agencies that use smart card-based authentication for access control.
• Also supported is a fast smart card feature, which addresses high-latency WAN scenarios.
• Fast smart card is enabled by default on hosts that are running Windows Server 2016 and above, or a minimum of Windows 10.
• To enable fast smart card on the client side, configure the SmartCardCryptographicRedirection parameter in default.ica.

Additional Resources:
• Smart cards
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/smart-cards.html


Smart Card PIN Prompts with Citrix Virtual Apps and Desktops

• Typically, a user authenticating into a Citrix Virtual Apps and Desktops published resource with a smart card will receive one or more PIN prompts:
  • PIN prompt at IIS\Citrix Gateway during authentication, unless cached (or using Kerberos).
  • PIN prompt at Citrix Gateway during resource launch if set for “Client Cert: Required”.
  • Non-domain-joined Citrix Workspace app must enter the PIN again at Windows (no SSON).
  • Domain-joined Citrix Workspace app with SSON configured may not require a third PIN.

Key Notes:
• PIN codes form an important part of Smart Card operation.
• A Smart Card PIN can be cached by middleware, such as ActivClient, to automatically respond to a prompt for a PIN.
• Also, if Kerberos is configured for Citrix Workspace app or for access through a browser, then a Kerberos ticket can be used to authenticate to StoreFront.
• If Citrix Gateway is set to require a client cert, then it will prompt again on application launch through the Gateway.
• If Single Sign-On is not configured (so that the PIN is captured by the winlogon component), then a user will receive a PIN prompt at the Windows OS level.
• To prevent this, the SSOn configuration must be in place and the user must be logging on to a machine with the same Smart Card they wish to log on to Citrix Virtual Apps and Desktops with.


Smart Card Authentication Flow
Domain-joined machine with Citrix Virtual Apps and Desktops

Diagram: Endpoint (Winlogon, SSONSVR.exe, Web Browser, Desktop Toolbar, ICA Client Engine), Domain Controller, Delivery Controller (FMA), StoreFront, Virtual Delivery Agent (Winlogon, VDA), Backend Services; the numbered steps below follow the arrows.

Key Notes:
• Using a domain-joined machine with a smart card is similar to a username and password authentication flow, except that we cannot cache the PIN on the backend. For SSOn we therefore rely on our client processes to grab the PIN and present it inside the HDX session on logon. You can also use IWA (Kerberos) instead of the PIN.
• The process of using a domain-joined machine involves:
1. The user’s smart card logs into the endpoint, where Winlogon validates the PIN and accepts the smart card certificate. Winlogon then authenticates against the domain controller and requests the TGT (Kerberos Ticket Granting Ticket). The domain controller checks the certificate validity, replacing the use of a password to authenticate.
2. As part of Single Sign-on, the SSONSVR.exe process stores the user’s PIN.
3. The web browser then sends the smart card PIN to StoreFront.
4. StoreFront then communicates with the domain controller to validate that the client machine is a trusted device.
5. After a successful validation, StoreFront sends the client’s SID to the Delivery Controller.
6. The Delivery Controller then generates a launch reference for the requested published resource and sends it to StoreFront.
7. StoreFront generates an ICA file which includes the launch reference and sends it to the client.
8. The client device web browser then passes the launch reference to the Desktop Toolbar, which forwards it to the ICA Client Engine.
9. The ICA Client Engine then obtains the smart card PIN, which was stored by the Single Sign-on process.
10. The ICA Client Engine then passes the launch reference and PIN to the VDA machine.
11. The VDA checks with the DDC to validate that the launch request is coming from an authorized machine, and to perform some other checks related to previous sessions, etc. If the SID provided by the VDA matches the SID that the Delivery Controller had previously stored, the Delivery Controller validates the connection.
12. The VDA service sends the PIN to Winlogon. Winlogon validates the PIN with the endpoint, and it receives the smart card certificate in return.
13. Winlogon authenticates against the domain controller by using the smart card credentials.
14. At this stage, if the client needs a connection to other backend servers like Outlook or SharePoint, then the VDA will use the smart card credentials to request a TGT\Service ticket for the requested server.


Citrix Gateway + Smart Card Authentication

Diagram: Endpoint, Citrix Gateway, Domain Controller, Delivery Controller, VDA; the numbered steps below follow the arrows.

Key Notes:
When using Citrix Gateway with Smart Card authentication, the process is moved to the gateway.
1. First, the user device sends the PIN and Smart Card certificate to Citrix Gateway.
2. Citrix ADC then pulls AD attributes from the certificate and performs LDAP translation to obtain the sAMAccountName or UPN.
  • As a secondary authentication mechanism, LDAP can also be used to translate to sAMAccountName or UPN from any AD attribute on the certificate. The translation step is not necessary if the cert has sAMAccountName or UPN as one of its attributes.
3. Citrix ADC now passes the sAMAccountName or UPN to StoreFront. StoreFront uses the callback URL to validate that the request is valid.
4. StoreFront requests the endpoint machine SIDs from the domain controller and forwards them to the Delivery Controller. At this point, available resources are enumerated.
5. When the endpoint attempts to launch a published resource, StoreFront obtains an STA ticket for the requested resource and sends it to the client along with the ICA file.
6. The client re-enters the PIN in order to log into the VDA via Citrix Gateway. This PIN prompt is avoided if Single Sign-on is configured.


Lesson Objective Review

Scenario: You are a Citrix Administrator who has recently configured Smart Card authentication for a Citrix Virtual Apps and Desktops environment. Users with managed devices must authenticate via Citrix Gateway. No middleware is caching PINs, and the Gateway is set for “User Cert: Mandatory”. Single sign-on has been set up for the environment, and users use the same credentials to access their endpoints and the Citrix environment.

How many PIN prompts would the user see here and why?

One PIN prompt at the initial Citrix Gateway logon. A second PIN prompt at Citrix Gateway during session launch. The final Windows OS PIN prompt is taken care of by the SSON configs in this case, so there will be two prompts total.

Key Notes:
There are a number of different login combinations that can be implemented depending on your user and/or environment needs. These should be carefully assessed, planned, and verified before rolling out into production.


Federated Authentication
Federated Identity Concepts

Key Notes:
In this lesson, we will be looking at the use of federated authentication services as part of the authentication process for Citrix Virtual Apps and Desktops.


Introduction to Federated Identity

• The problem: too many accounts, too many passwords.
• Single Sign-On vs multiple identities.
• The solution: SSO using federated identity.
  • Links users’ identity and other attributes across multiple distinct identity management systems.
  • Allows a single set of credentials for user authentication to Intranet or Internet applications.

Figure: a single Identity Provider in place of separate credentials (site password, app password, ATM PIN, work password).

Key Notes:
• Federated authentication aims to achieve the goal of using a single identity across all login requirements. The world wide web is full of interactive applications that users can visit by simply clicking a hyperlink. Once they do, they expect to see the page they want, possibly with a brief stop along the way to log on.
• When a user visits a different web page, which also requires a login, the ideal solution is that their existing login can be used or federated to the new page. This single sign-on experience already exists within the domain infrastructure.
• Kerberos, which provides single sign-on within domains, is limited to operating within the domain. It can, for example, only give you a user's account and a list of groups.
• What if your application needs to send email to the user? That would not be available using a Kerberos solution. With Federated Authentication we can achieve significantly more.


Federated Identity Solutions Utilize Claims-based Identity

Claim
• A statement that one subject makes about itself or another subject.

Security Token
• A bundle of claims that is digitally signed by the issuer who created it.

Issuer (e.g., ADFS, Okta, and Ping)
• A trusted authority that issues claims and tokens.
• Typically responsible for authenticating the user.

Relying Party (e.g., ShareFile)
• The claims-based application that trusts the issuer to provide identity/authentication.

Additional Resources:
• An introduction to claims
https://www.microsoft.com/en-us/download/details.aspx?id=28362


Claims-based Identity
Example: Airport

• Scenario:
  • Issuer: check-in desk
  • Token: boarding pass
  • Relying Party: gate crew
  • Claims consist of: passenger name, flight number, seat number, frequent flyer status, etc.
• Claims-based identity frees the application from the burden of authentication.
• Claims-based authentication requires an explicit trust relationship with the issuer. Applications and/or resources believe a claim about a user only if they trust the entity that issued the claim.

Figure: the check-in desk provides a boarding pass based on claims; security validates the “token” by asking for an additional authentication factor (e.g. license or passport); the boarding agent accepts the token and provides access to the service.

Key Notes:
• Federated, or claims-based, identity can be described by thinking about the route taken through an airport to board a plane.
• You can't simply walk up to the gate and present your passport or driver's license; instead, you must first go through a security checkpoint. Here, you present the required credentials; let us use the example of a passport.
• After verifying that your picture ID matches your face (authentication), the agent checks your boarding pass to verify that you've paid for a ticket (authorization).
• Assuming all is in order, you are allowed to proceed to the terminal and ultimately the gate.
• A boarding pass is very informative. Gate agents know your name and frequent flyer number (authentication and personalization), your flight number and seating priority (authorization), and perhaps even more. The gate agents have everything that they need to do their jobs efficiently.
• There is also special information on the boarding pass. It is encoded in the bar code and/or the magnetic strip on the back. This information (such as a boarding serial number) proves that the pass was issued by the airline and is not a forgery.
• In essence, a boarding pass is a signed set of claims made by the airline about you. It states that you are allowed to board a particular flight at a particular time and sit in a particular seat. The gate agents simply validate your boarding pass, read the claims on it, and let you board the plane.
• It's also important to note that there may be more than one way of obtaining the signed set of claims that is your boarding pass. You might go to the ticket counter or kiosk at the airport, or you might use the airline's web site and print your boarding pass at home.
• The gate agents boarding the flight don't care how the boarding pass was created; they don't care which issuer you used, as long as it is trusted by the airline. They only care that it is an authentic set of claims that gives you permission to get on the plane.
• In software terms, this bundle of claims is called a security token.
• Each security token is signed by the issuer who created it.
• A claims-based application considers users to be authenticated if they present a valid, signed security token from a trusted issuer.


Active Directory Federation Services (ADFS) and Security Assertion Markup Language (SAML)

• SAML is the protocol that describes how an entity authenticates to an Identity Provider (such as ADFS) to access a resource from a Service Provider.

Diagram: Client (web browser), Authorization Server (IDP), Service Provider.
1. User accesses URL in app; the app generates an auth request.
2. HTTP POST to the AS with the auth request; the auth request is passed and verified.
3. User is sent to the logon page at the AS; the user logs in.
4. A SAML token is generated; redirect to the app with the SAML token.
5. User is logged in to the service provider.

Key Notes:
• It is important to understand what some of the terms mean in relation to federated authentication.
• SAML = Security Assertion Markup Language. It is an XML-based open standard used for exchanging authentication and authorization data between security domains, in other words, between an identity provider (ADFS, Google, Okta, etc.) and a service provider (such as ShareFile, SalesForce or Workday).
• An identity provider is a trusted provider that enables you to use SSO to access other Web sites.
• A service provider is a Web site that hosts applications.
• Similar to ADFS, SAML is also a claims-based protocol. ADFS can speak SAML, and ADFS 2.0 supports SAML 1.1 and 2.0 tokens and protocol.
• Federated authentication has many uses, which include integrating authentication for:
  • Partners and contractors, to allow third parties to access a XenApp resource without additional login details.
  • Mergers, where two companies merge, resulting in two Active Directory forests.
  • Multi-tenant management, for example when an organization with no Active Directory needs to integrate with an organization with Active Directory.
• There are some different terms used between SAML and ADFS. These are:
  • Attributes = Claims
  • Identity Provider (IdP) = Account Provider / Issuer / Claims Provider
  • Service Provider (SP) = Relying Party
• SAML tokens contain assertions and claims about the authenticating party, which include identity and authentication mechanism among other attributes.
• The SAML authentication flow is also used by ADFS and can be summarized as:
  • Step 1: The user browses to the URL of the web application, which is also referred to as the Service Provider (SP).
  • Step 2: The web application generates a SAML authentication request and passes it to the Authorization Server.
  • Step 3: The client web browser is redirected to the AS’s logon page. The user enters the credentials necessary to authenticate with the AS.
  • Step 4: After successful authentication, the AS generates a SAML token, which is sent to the SP.
  • Step 5: After validating the SAML token, the SP allows the client to access the web application.

Additional Resources:
• ADFS Technical Reference
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-technical-reference
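The claims-based pattern from the airport example and step 5 of the SAML flow (the service provider validating a signed token from an issuer it trusts), as an added example that is not part of the course material: an issuer signs a bundle of claims, and the relying party accepts them only if the signature verifies under a key of an explicitly trusted issuer, the token names it as the audience, and the token has not expired. The token format, the HMAC signature (standing in for a real SAML XML signature), and the issuer, key and claim values are all constructed assumptions.

```python
# Added example (not from the Citrix course material): a claims-based relying
# party in miniature. An issuer signs a bundle of claims (the security token);
# the relying party accepts the claims only when the signature verifies under a
# key of an issuer it explicitly trusts, the token is addressed to it, and it
# has not expired. HMAC stands in for the XML signature of a real SAML token,
# and the token format here is an assumption, not SAML.
import base64
import hashlib
import hmac
import json
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Issuer:
    """Identity provider: authenticates the user (out of scope here) and issues tokens."""
    def __init__(self, name: str, signing_key: bytes):
        self.name, self.key = name, signing_key

    def issue(self, claims: dict, audience: str, now: float, ttl: int = 300) -> str:
        body = dict(claims, iss=self.name, aud=audience, exp=now + ttl)
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

class RelyingParty:
    """Claims-based application: never authenticates users itself, only checks tokens."""
    def __init__(self, name: str, trusted_issuers: dict):
        self.name = name
        self.trusted = trusted_issuers       # issuer name -> verification key

    def accept(self, token: str, now: float):
        """Return the claims if the token is acceptable, otherwise None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
            body = json.loads(payload)
        except (ValueError, TypeError):
            return None                                      # malformed token
        key = self.trusted.get(body.get("iss"))
        if key is None:
            return None                                      # issuer not trusted
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None                                      # tampered or forged
        if body.get("aud") != self.name or body.get("exp", 0) <= now:
            return None                                      # wrong relying party or expired
        return {k: v for k, v in body.items() if k not in ("iss", "aud", "exp")}

# Constructed sample setup: one trusted IdP, one rogue IdP, one relying party.
CORP_IDP = Issuer("corp-adfs", b"constructed-corp-signing-key")
ROGUE_IDP = Issuer("rogue-idp", b"constructed-rogue-key")
SHAREFILE = RelyingParty("sharefile", {"corp-adfs": CORP_IDP.key})

def demo(now: float) -> dict:
    """One good token plus the four cases a relying party must refuse."""
    claims = {"name": "HR1", "groups": ["HR"], "mail": "hr1@example.test"}
    good = CORP_IDP.issue(claims, "sharefile", now)
    rogue = ROGUE_IDP.issue(claims, "sharefile", now)
    other_app = CORP_IDP.issue(claims, "payroll", now)
    # Tamper: add a claim after signing by editing the payload but keeping the signature.
    payload, sig = good.split(".")
    body = json.loads(_unb64(payload))
    body["groups"] = ["HR", "Domain Admins"]
    tampered = _b64(json.dumps(body, sort_keys=True).encode()) + "." + sig
    return {
        "valid": SHAREFILE.accept(good, now) == claims,
        "untrusted_issuer": SHAREFILE.accept(rogue, now) is None,
        "wrong_audience": SHAREFILE.accept(other_app, now) is None,
        "tampered": SHAREFILE.accept(tampered, now) is None,
        "expired": SHAREFILE.accept(good, now + 600) is None,
    }

if __name__ == "__main__":
    print(demo(time.time()))
```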


Citrix and Federated Authentication Service (FAS)
Overview

• The Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services.
• FAS allows StoreFront to use a broader range of authentication options, such as SAML.

Diagram: Vendor (SAML Identity Provider, Active Directory); Users; Corporate Network (FAS Server, Certificate Authority, Active Directory, Citrix Gateway, StoreFront, Controller, VDA).

Key Notes:
• By using federation, you don’t need to issue and manage passwords for your partners’ personnel, nor do you have to worry about how to lock down their access to just this entry point and specific apps. The external users don’t get passwords for your environment and so can only come in via the gateway configured to accept them. Importantly, this puts responsibility for confirming the authenticity and status of the external users where it belongs: with the partners themselves.
• This is the ultimate in authentication flexibility for Windows. And the beauty of FAS is that you are not compromising the capability of the Windows session if you choose to go password-free.
• With XenApp 6.5 and earlier, you had the ability to do a domain logon without a password, but the mechanism was based on Kerberos delegation, which brought limitations that, in some cases, affected the service quality that could be delivered.
• It is important to understand who creates and/or manages the virtual smart cards used in federated authentication. The Federated Authentication Service has a Registration Authority (Enrollment Agent) certificate that automatically requests and stores each user’s virtual smart card.
• To keep them secure, the virtual smart cards are stored as non-exportable private keys by the network service. Low-level cryptographic configuration is available in the FederatedAuthenticationService.exe.config file, allowing admins to change the encryption and protection of the virtual smart cards.
• Let’s examine a user who accesses Google Apps and Windows apps from a Chromebook. If the company is using Google Apps, my users all have a Google account. If they have Windows apps, they also have an AD account. Right now, my users log in to Google to get Google Apps, then they log in to AD to get Windows apps via Citrix Virtual Apps and Desktops. Two separate accounts are needed.
  • With CVAD 7.9+ FAS, a user can log in to Gmail via FAS, their Gmail account is associated with an AD account, and they get access to their Windows and Google apps via one, non-Windows account. This provides a better user experience.
  • If the Gmail account is compromised, the company can disconnect the link between Gmail and Windows AD, and the compromised Gmail account no longer has access to business-critical Windows apps.
  • The other benefit of this approach is the ‘password free’ part, where the Gmail users only have to worry about their Google password and there is no additional password required to associate and authenticate to AD. Everyone needs an AD account or a mapping to an AD account to get their Windows apps, but the accounts can be generic or even shared.

Additional Resources:
• Federated Authentication Service
https://docs.citrix.com/en-us/federated-authentication-service/2203-ltsr/


FAS Architecture Communication
Step 1 - Authentication

1. Remote user authenticates to the SAML Identity Provider and is issued a SAML token.

Diagram: Vendor (SAML Identity Provider, Active Directory); Users; Corporate Network (FAS Server, Certificate Authority, Active Directory, Citrix Gateway, StoreFront, Controller, VDA).

Key Notes:
• The first thing that a user needs to do, as part of federated authentication, is to authenticate to the identity provider.
• A successful authentication will result in a SAML token being issued.


FAS Architecture Communication
Step 2 – Citrix Gateway

1. Remote user authenticates to the SAML Identity Provider and is issued a SAML token.
2. User connection is forwarded to Citrix Gateway, which validates the SAML token against the Identity Provider.

Diagram: same FAS architecture as the overview slide.

Key Notes:
• The next stage is for your connection request to be forwarded to Citrix Gateway, where the SAML token will be validated against the identity provider.


FAS Architecture Communication
Step 3 - StoreFront

3. Citrix Gateway converts the SAML token to a username and forwards the request to StoreFront.

[Diagram: Users, vendor SAML Identity Provider, and the Corporate Network with Citrix Gateway, StoreFront, Controller, VDA, FAS Server, Certificate Authority and Active Directory.]

Key Notes:
• Once the Citrix Gateway has validated the token, it can then extract the username attribute for forwarding to StoreFront.


FAS Architecture Communication
Step 4 - FAS

4. StoreFront forwards the username to FAS, which requests a certificate from the CA for the session.

[Diagram: Users, vendor SAML Identity Provider, and the Corporate Network with Citrix Gateway, StoreFront, Controller, VDA, FAS Server, Certificate Authority and Active Directory.]

Key Notes:
Upon receiving the username, StoreFront then forwards it to the Citrix FAS server.
This will contain a request for a certificate from the certification authority to be used with the session.


FAS Architecture Communication
Step 5 - Certificate

5. The certificate is used to mimic a smart card logon through the rest of the process.

[Diagram: Users, vendor SAML Identity Provider, and the Corporate Network with Citrix Gateway, StoreFront, Controller, VDA, FAS Server, Certificate Authority and Active Directory.]

Key Notes:
This certificate will then be used to mimic a smart card logon, which will see the user connected to their resources.


Implementing FAS with Citrix Virtual Apps and Desktops
Requirements and Setup Process

• Install FAS on a separate secured server.
• Upgrade all components to 7.9 or higher.
• StoreFront must be 3.6 or higher.
• Complete deployment:
  • Install and Enable FAS.
  • Configure Group Policy.
  • Deploy templates.
  • Configure CA.
  • Authorize FAS.
  • Configure User Rules.

Key Notes:
• To implement FAS with Citrix Virtual Apps and Desktops, the FAS components should be installed on a separate, secured server from all other Citrix components. The Citrix Virtual Apps and Desktops components must be v7.9 or higher, with StoreFront being v3.6 or higher.
• Once FAS has been installed, it needs to be enabled via PowerShell before group policy is configured and templates are deployed.
• You then need to configure the Certificate Authority and authorize the Federated Authentication Service before configuring the user rules.


Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 5.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning.
• The lab should finish provisioning in time to start the lab exercise.


Lesson Objective Review

Can SAML authentication be configured on Citrix Virtual Apps and Desktops 7 environments without the use of the Federated Authentication Server (FAS)?

No, FAS is required for SAML authentication with Citrix Virtual Apps and Desktops 7.

Key Notes:
In order to use SAML with Citrix Virtual Apps and Desktops we are required to implement the Federated Authentication Service.


Lab Exercise

• Exercise 5-1: Install the Federated Authentication Service (FAS)
• Exercise 5-2: Integrate FAS with Citrix Virtual Apps and Desktops
• Exercise 5-3: Configure and Test FAS
• Exercise 5-4: Integrate FAS with ADFS and SAML
• Exercise 5-5: Test SAML authentication using ADFS and FAS


Key Takeaways

• Multifactor authentication can be configured for Citrix Virtual Apps and Desktops by using Citrix Gateway.
• The number of smart card PIN prompts that appear for users will depend on how Citrix Gateway and Citrix Workspace app are configured.
• Citrix Federated Authentication Service allows StoreFront to use a broader range of authentication options, such as SAML.


Citrix Virtual Apps and Desktops 7 Advanced Configuration

Planning: App and Data Security

Module 6


Learning Objectives

• Define Defense in Depth and recognize how attackers can compromise Citrix Virtual Apps and Desktops Site security using the jailbreak method.
• Identify the different methods used to implement Defense in Depth security in a Citrix Virtual Apps and Desktops environment.
• Identify the different methods used to minimize the impact of attacks in a Citrix Virtual Apps and Desktops environment.


Introduction to Application Security

Key Notes:
In this lesson, we will be introducing the concepts behind application security. We will review the concept of breakouts, and how a “defense in depth” approach can help prevent and mitigate them.


Defense in Depth Security
Principle

• One of the most important principles of security is called defense in depth (also known as the castle approach).
• The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.
• A Citrix environment is layered and should be secured at each layer.
• Securing networks, operating systems, applications and file systems together is the key behind Defense in Depth.

Key Notes:
• In a Citrix Virtual Apps and Desktops environment, the StoreFront or Citrix Gateway in the DMZ is merely a pass-through authentication service for the backend Citrix resources.
• The applications and environments reside on the Citrix Virtual Apps and Desktops Site, potentially providing an attacker a shell in this private network when compromised.
• It is, therefore, important to understand the architecture and possible consequences of a Citrix jailbreak should it occur.
• The question should be asked: “If a jailbreak were to occur, would the attacker have a foothold into the internal network?”
• In this lesson, we are going to have a look at what an attacker would do, based on the scenario where they have obtained access to one published application.


Breaking Out of the Application
Attacker Example

• Application A (Notepad) is published to Domain Users.
• An attacker has compromised a domain account and can establish a session to Notepad.
• The attacker will try to gain access to a shell or a more useful application than Notepad.
• Now the attacker may have access to the file system and other applications.
• Always assume that the attacker will be able to break out of the application.

[Diagram: Attacker Endpoint connects to Published Resource App A on a Server VDA that also hosts App B, App C, App D, App E and App F.]

Key Notes:
• Should an attacker be able to get access to a domain account, perhaps via social engineering or using a test account that was not properly secured, they could access an application, such as Notepad, that is published to domain users for testing Citrix Virtual Apps and Desktops functionality. Once accessed, they have established a session inside the secured perimeter with this account.
• An HDX session running on the same server as other potentially more important applications gives the attacker an opportunity to try to jailbreak from the HDX session application. There are many different options available to an attacker.
• For example, in an unsecured Citrix environment, they can just use Ctrl + F1 to start Task Manager and from there they can start any executable available to them. You can confidently say that as soon as the attacker jailbreaks from a published application, they effectively have access to the rest of the system and any other applications that are installed on the same server.
• The process of jailbreaking is defined as the ability to abuse an application running in the virtualized or physical environment to launch other applications, spawn command shells, execute scripts, and perform other unintended actions prohibited by administrators. Application jailbreaking can provide an attacker with an initial foothold into the environment and domain. This is often a “blind side” for most Citrix deployments and their administrators. It is important to consider that publishing filtering, that is, reducing access to applications, should not be considered a security feature, as jailbreaks are possible.
• Applications that are installed on the same server may be easily accessible should a jailbreak be successful.


Lesson Review

A Citrix Virtual Apps and Desktops environment has been configured to use multifactor authentication for all external HDX sessions. Will this prevent all attacks on the environment? Why?

No. It is still possible for an attacker to gain access to credentials and/or endpoints through social engineering or a man-in-the-middle attacker (e.g., disgruntled employee). As a result, a defense in depth approach should be used so that additional layers of protection can prevent or at least mitigate the damage an attacker can do.

Key Notes:
• No single security practice, product, or feature discussed in this course is sufficient to prevent all attacks on its own. By implementing multiple layers of security, performing an attack without detection is made much more difficult.


Preventing Jailbreak Attacks

Key Notes:
In this lesson, we will be looking at methods aimed at preventing jailbreak attacks.


User Assignments
Using Group Nesting

[Diagram: Published Resource Groups A, B and C are nested as members of the CTX-Core group, which in turn holds the Remote Desktop Users membership and the NTFS permissions on the User Profiles and Folder Redirection shares.]

Key Notes:
• For many years, the leading practice has been to use Active Directory groups for resource assignment, and to not publish applications for specific users. This is not only for security, but also to simplify management. Another leading practice is to refrain from publishing applications to all users. Don't publish applications to the Domain Users group. Don't publish applications to all authenticated users, and try to limit the access as much as you can.
• You should avoid publishing resources to non-specific users, typically anonymous accounts, or user accounts that are shared by multiple users. If such accounts are required for a certain use case, such as kiosks or hospital stations, additional measures must be taken to isolate and lock down the resources that are accessed.
• A key driver behind security is to use the principle of least privilege. This should be applied to all types of user accounts. Applying permissions to Domain Users or Authenticated Users is not adopting the principle of least privilege as, inevitably, permissions will apply to those who do not need them.
• It is important to avoid enabling access that is not required when following the principle of least privilege, whilst at the same time providing sufficient access to complete business as usual activity. A leading practice to achieve this is to implement group nesting. We start with one Active Directory group for each published application or group of published applications and then create one group for Citrix access, which we call, for example, CTX-Core.
• Next, we add all the individual app groups that are used for publishing as members to this central group.
• Finally, all required permissions are assigned to this new group. When a user is added to any of the published applications, they will get all the required backend permissions automatically.
• Using the principle of least privilege approach not only makes it easy to provision access, but deprovisioning is much easier as well. Once a user is removed from the last AD group for publishing, they will inherently lose permissions to all shared resources.
• Restricting permissions for Remote Desktop Services Access or Direct Access permissions can also reduce the opportunities for an attacker to gain permissions that can be exploited maliciously, and which are not a requirement for normal business as usual activities.
• It is also important to enforce restrictions on Local Users and Groups. For example, applying the following restrictions to the local Administrators group can improve security:
  • Deny access to this computer from the network.
  • Deny log on as a batch job.
  • Deny log on as a service.
  • Deny log on through Remote Desktop Services.

Additional Resources:
• Manage logon rights
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/best-practices.html#manage-logon-rights
• Configure Permissions for Remote Desktop Services Connections
https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx
• Securing Local Administrator Accounts and Groups
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups
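The nesting model above (one AD group per published app, all nested into CTX-Core, backend rights granted to CTX-Core only), built and then audited with the ActiveDirectory PowerShell module, as an added example that is not part of the course material; the OU path, the CTX-App-* group names and the Test-CtxGroupNesting function are assumptions for illustration (only CTX-Core comes from the slide).

```powershell
# Added example (not from the Citrix course). Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

$ou        = 'OU=Citrix,DC=corp,DC=example'      # assumed OU
$coreGroup = 'CTX-Core'                           # central Citrix access group (from the slide)
$appGroups = 'CTX-App-Notepad', 'CTX-App-Office'  # one assumed group per published app

# 1. Create the central group and the per-application publishing groups if missing.
foreach ($name in @($coreGroup) + $appGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ou)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# 2. Nest every app group inside CTX-Core. Backend permissions (NTFS on the profile
#    and folder-redirection shares, Remote Desktop Users on each VDA) are granted to
#    CTX-Core only, e.g. on a VDA:  Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CORP\CTX-Core'
Add-ADGroupMember -Identity $coreGroup -Members $appGroups

function Test-CtxGroupNesting {
    # Audit helper (assumed name): returns a list of findings that break the model.
    param(
        [Parameter(Mandatory)] [string]$CoreGroup,
        [string[]]$BroadGroups = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($m in Get-ADGroupMember -Identity $CoreGroup) {
        if ($m.objectClass -ne 'group') {
            # Finding A: a user (or computer) placed directly in CTX-Core keeps the backend
            # rights after being removed from every app group, so deprovisioning silently fails.
            $findings.Add("Direct non-group member of ${CoreGroup}: $($m.SamAccountName)")
            continue
        }
        # Finding B: an app group that contains a broad group publishes the app to
        # everyone, which the course calls out as not least privilege.
        foreach ($n in Get-ADGroupMember -Identity $m.distinguishedName) {
            if ($n.name -in $BroadGroups) {
                $findings.Add("App group $($m.name) contains broad group $($n.name)")
            }
        }
    }
    return $findings
}

# 3. Effective access: the recursive membership of CTX-Core is exactly the set of
#    users who hold at least one published app. Removing a user from their last
#    app group drops them from this list, and with it from every shared resource.
$effectiveUsers = Get-ADGroupMember -Identity $coreGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

"Users with Citrix backend access via ${coreGroup}: $($effectiveUsers.Count)"
Test-CtxGroupNesting -CoreGroup $coreGroup
```

Run the audit function on a schedule; an empty result means no one bypasses the app groups and no app group is published to a broad group.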


Remove Undesired Citrix and Windows Functionality

• Remove HDX session shortcuts and Help keys.
• Restrict access to the ICA file.
• Disable unneeded HDX channels and redirections.
• Remove unneeded devices and drivers.
• Restrict access to the command-line, PowerShell, and the registry.
• Restrict Control Panel access and functionality.
• Limit local VDA machine and client drive access.

Key Notes:
• Depending on the session type and version of Citrix Workspace app used, users could potentially use HDX session shortcuts or help keys to gain unauthorized access to parts of the operating system. Hotkey sequences are key combinations designed by Citrix to assist users. For example, in some versions of Workspace app, the Shift+F1 sequence reproduces Ctrl+Alt+Delete, and Shift+F2 switches applications between full-screen and windowed mode. You cannot use hotkey sequences with virtual desktops displayed in the Desktop Viewer, but you can use them with published applications. To improve security, determine whether a given published app uses hotkeys, and whether those hotkeys should be used in an HDX session.
• You can also configure combinations of keys that Workspace app interprets as having special functionality. When the keyboard shortcuts policy is enabled, you can specify Citrix Hotkey mappings, behavior of Windows hotkeys, and keyboard layout for sessions. This can be achieved through group policy or updating the default.ica file.
• There are a number of additional keystrokes that have specific functions within an HDX session. For example, the Desktop Viewer toolbar includes a button to send CTRL+ALT+DELETE to the VDA, which in turn can enable access to Task Manager. You should carefully consider what functionality is required for business as usual activities. Some examples include:
  • In Desktop Viewer sessions, WIN+L is directed to the local computer.
  • Ctrl+Alt+Delete is directed to the local computer.
  • Key presses that activate StickyKeys, FilterKeys, and ToggleKeys (Microsoft accessibility features) are normally directed to the local computer.
  • As an accessibility feature of the Desktop Viewer, pressing Ctrl+Alt+Break displays the Desktop Viewer toolbar buttons in a pop-up window.
  • Ctrl+Esc is sent to the remote, virtual desktop (opens Start Menu).
• Solutions: Disable the Desktop Viewer via StoreFront; update the default.ica file; and disable Task Manager access via GPO.
• Securing the ICA file is another important way to reduce undesired levels of access. It is a good idea to restrict download access to the ICA file in general. This helps to stop amendments to the ICA file to try and control launch parameters. As the ICA file has no ties to the client for which it was generated, a hijack of a VDI launch is relatively simple: prevent the ICA file from running on the intended machine and copy it to another machine. This approach would still require user credentials to generate the ICA file. Some browsers used to access Citrix Workspace app for Web may prompt to download the ICA file when the user clicks on a published resource icon, and the file can subsequently be opened with any text editor (Notepad, WordPad, Microsoft Word etc.). To reduce the risk of ICA files being downloaded we have a few options:
  • For managed endpoints, place the applicable StoreFront and Gateway URLs in the Intranet zone so that ICA file download is not prompted.
  • Offer a fallback to the Citrix Workspace app for HTML5 or a download location for Citrix Workspace app in the event that the endpoint does not already have Citrix Workspace app (this will often cause the .ica file to be downloaded as well). Additionally, enforcing use of the HTML5 Citrix Workspace app will prevent ICA files from being downloaded to the endpoint.
  • When using Citrix Workspace app for HTML5, the ICA file is passed between the two browser tabs via JavaScript. While most users will never see the file, a determined attacker could potentially use browser developer tools to view the network requests and/or responses and see the ICA file contents. JavaScript debuggers could also be used for this purpose.
  • Always use Citrix Gateway for connections from unmanaged endpoints. This will enable the STA ticket to be used. STA tickets can only be used once, and then they are invalid, preventing replay attacks. Additionally, STA tickets time out after a default amount of time, limiting the potential for misuse.
• Disabling all HDX channels that are not required is also an important tool to protect your connections.
• Redirection (or offloading) is one of the areas where you have to balance user experience with security. Offloading (Windows Media) essentially allows you to transfer data between the session and endpoint, which is always potentially dangerous. For environments where security is important, a leading practice is to disable all offloading.
• Even if there appears to be no direct security threat, it is important to minimize the attack surface by removing unnecessary functionality.
• Remove access to printers or devices that are not absolutely required, especially as this often leads to file system access via “Print to File”.
• Remove drivers that provide access to devices and services that are not required, for example floppy drives or music search.
• Disable or remove floppy drives, USB ports, and other means of connecting external drives to restrict copying of data to removable devices.

Additional Resources:
• How to Configure Desktop Viewer
https://support.citrix.com/article/CTX209468
• How to Enable or Disable Hotkeys within an ICA File (including Template.ica file)
https://support.citrix.com/article/CTX140219
• Support for ICA files in Citrix Virtual Apps and Desktop Environment
https://support.citrix.com/article/CTX200126
• How the HTML5 plugin & Chrome Connections Work
https://www.citrix.com/blogs/2015/07/08/receiver-internals-how-receiver-for-html5-chrome-connections-work/


Application and Web Browser Hardening
Many layers of defence are required for a hardened environment

• Review policies and hardening guides for all applications.
• Apply vendor recommended hardening configuration.
• Be careful with applications that provide a development environment.
• Because web browsers often have external network access, they tend to pose a significant security risk relative to other apps.

[Diagram: hardening layers from the Datacenter, Network and Services, Hypervisor, Operating System and HDX Session down to Application Hardening and App-to-App Policy.]

Key Notes:
• One very important task is to review policies and hardening guides for all applications that are published on a specific server. Apply the recommended hardening configuration.
• For example, disable context menus, printing (if not required) or diagnostic tools. Be especially careful with applications that provide a development environment, such as the Visual Basic for Applications language.
• Web browsers present a special security concern because, by their nature, they are intended to access content from outside the internal network.
• Often, users need to browse the web to do their job, so we cannot simply remove access to browsers.
• At a network level, it is also important to review protocol and network security. Some risks we may need to address include:
  • Use HTTPS for access to external web sites, especially if sensitive data will be transmitted. HTTP Strict Transport Security (HSTS) can also be implemented by web applications to prevent the use of unsecure HTTP for the web connection.
  • HTTP response headers can be used to send security policies to an endpoint’s browser, ensuring a more secure connection.
  • Open redirection could be implemented on a vulnerable web page so that users accessing the page are redirected to an untrusted, malicious website. This is often used in phishing attacks, where the malicious website mimics the original website to collect personal user information. Preventing open redirection must be implemented by the website owner by closing known security vulnerabilities in login pages and referrer parameters.
  • Domain relaxation, also known as same-origin policy, allows web browsers to permit scripts to run between web pages from the same origin, such as the same root domain. This provides a clear separation between trusted and untrusted content. Microsoft Edge’s security zones use this concept.
  • DNS/ARP/cache poisoning is an attack technique where spoofed ARP messages are transmitted over a LAN. This is the precursor to a man-in-the-middle attack, where traffic gets routed through an untrusted machine on its way to the intended target.
  • Web proxies are often used as an intermediary between internal endpoints and the Internet. In an enterprise environment, proxies are often used to apply content filtering and other security policies to reduce the risk to the internal network.
  • Encryption of web traffic should be commonplace and HTTPS communications should be enabled through the use of certificates from Trusted Root CAs. The encryption algorithm and hash used can also affect the level of security provided by a given certificate.
• We also need to consider session and state management.
  • Session persistence, especially SSL session persistence, helps improve the functionality and performance of a web app. This is typically provided through the use of cookies, which ensure that when users connect to a set of load balanced web servers, they are directed to the same server for the duration of the session. However, cookies can potentially be exploited in cross-site scripting attacks. Cookie security options (HTTPS-only, domain-matching, path-matching, and expiration dates) can be implemented to mitigate the risks.
• Security indicators within browsers often help end-users determine whether a website is high risk. For example, most of the commonly-used browsers use an indicator to show when a web site is not using HTTPS, when accessing a mixed content page or when the certificate used by the web site is from an untrusted source.
• Authentication can be used to identify and restrict who can access a given application, including web applications. Using multi-factor authentication can help to mitigate the possibility of one factor being compromised via phishing or social engineering.
• Content filtering and security allow administrators to focus on controlling specific content or content types. For example, we can restrict access to specific websites and determine how specific files are processed. We also need to be careful of embedded or hidden objects in web pages which may present risks. Locking down a web page’s ability to run hidden or unsecure content is highly recommended.
• In Citrix Virtual Apps and Desktops, each of the major browsers can be configured to run using special parameters. This can help to lock down large portions of the browser even before implementing additional policies. These include Kiosk and incognito modes along with the ability to disable extensions. These special modes can be implemented using the commands here:
  • Kiosk mode
    • Google Chrome: --kiosk --no-default-browser-check --no-first-run <URL>
    • Microsoft Edge and Firefox: -k <URL>
  • Incognito mode
    • Google Chrome: --incognito
    • Microsoft Edge and Firefox: -private
  • Disable Extensions
    • Google Chrome: --disable-extensions (see chrome://extensions)
    • Microsoft Edge: -extoff
    • Firefox: -safe-mode
• Web security can be further enhanced through Group Policy settings. This can allow different web browsers such as IE, Chrome, and Firefox, to attain different levels of security based on the settings available for each. We can manage browser settings with the help of browser-specific Administrative Templates.


Citrix Secure Browser
Secure Browser On-Premises Deployment

• Secure Browser is available as a Citrix Cloud service.
• Quickly and securely delivers SaaS and web applications to any modern browser.
• Delivers older/legacy customer applications more effectively and reliably.
• Secure Browser capabilities are also built into the on-premises Citrix Virtual Apps and Desktops product.

[Diagram: on-premises Secure Browser deployment across the User Layer (Internal Users; Secure Browser is only supported for internal endpoints), Access Layer (StoreFront, where an isolated Store is created for anonymous users using the Citrix Workspace app for HTML5 plugin), Control Layer (Delivery Controller, Domain Controller, Databases, License Server), Resource Layer (Multi-session OS VDA, on which a web browser is configured as a published app to a specific URL in kiosk mode and made available to anonymous users; Citrix and Microsoft group policies provide further lockdowns to the VDA) and Compute Layer (Network, Storage, Processor, Memory, Graphics, Hypervisor).]

Key Notes:
• By tightly locking down browser activity we can improve security. Secure Browser is available as a Citrix Cloud service, where everything will be preconfigured for you – just supply the URLs of the web apps you need users to access, and you have a quick solution to secure browsing.
• It is also possible to replicate the Secure Browser configuration in an on-prem deployment. The end result is that users can have a seamless web-based application experience where a hosted web-based application simply appears within the user’s preferred local browser.
• There is value in running a hosted web browser which is locked down, with Citrix policies restricting clipboard access, client drive mapping, printing…everything you don’t need. This can be accomplished by doing the following:
  • Publishing Edge in kiosk mode, pointing to the desired web app URL and making the app part of an unauthenticated Delivery Group.
  • A separate, dedicated StoreFront Store can be used to provide anonymous user access to the published web app where the web app itself has an authentication mechanism.

Additional Resources:
• Citrix Virtual Apps and Desktops Secure Browser
https://www.citrix.com/digital-workspace/secure-browser.html


Restrict Access to Internal Tools

• Disable all unnecessary administrative components.
• Be aware of hidden scripting environments.
• Make use of User Account Control (UAC) to prevent unauthorized changes to a system.
• Allow users to run executables only from locations where they don’t have write permissions (such as Program Files and Windows folders).

Key Notes:
• If an attacker is not able to use their own code to break out of a session, they will try to use whatever is available on the box.
• Make sure to secure all administrative tools that could be abused – command prompt (and PowerShell), Registry Editor, Task Manager, and many others. You can also use 3rd party tools to password protect the executables (if you still need to execute them for troubleshooting purposes).
• Be aware of hidden scripting environments. There are many technologies that are very powerful, and a professional attacker can use them to their advantage.
• One example is the Office suite. It includes Visual Basic for Applications (VBA), which can be used as a replacement for PowerShell to execute malicious code or commands.
• Preventing access to items that are not required for business-as-usual activity helps reduce options available for malicious activity. User Account Control should also be used to ensure that standard users do not have permissions to access system files or install applications. Even if the VDA is only intended to host published apps, assume that the attacker will be able to circumvent that, and may attempt to install malicious scripts or executables.
• By restricting access to the file system dialog, we can prevent access to the file system where an attacker may have unintended access to launch executables, data-mine files, or write malware. This does not only mean Windows Explorer, but also any other methods that access the file system.
• A good example is the Windows print functionality that allows a user to “Print to File” or use “Save As” dialogs. Hiding local drives is another common method, accomplished either by using Group Policy (hide and prevent access) or Group Policy Preferences (hide, but do not prevent access).
• In general, logon or logoff scripts can limit the number of lockdowns that can be applied to the command-line, PowerShell ISE, or the registry should the script require silent access to these items. In this scenario, an attacker could exploit that to run their own scripts, so consideration should be given to avoiding logon scripts where possible.


Application Whitelisting/Blacklisting

• Use Windows AppLocker, or 3rd party tools, to control what processes can run on a machine.
• These tools control the executable files, scripts, Windows installer, and DLL files.
• Use Citrix Workspace Environment Management (WEM) to centrally manage security. These include Windows AppLocker, process hierarchy and process blacklists/whitelists.
• Take a gradual approach to creating rules, when applying to a production environment, to ensure needed functionality is maintained.

© 2022 Citrix Authorized Content

Key Notes:
• Various tools can be used to create whitelists (permitted access) or blacklists (denied access), with Microsoft AppLocker being one of the most common ones.
• Using AppLocker, you can achieve a number of objectives including:
• Control the applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).
• Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
• Assign a rule to a security group or an individual user.
• Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
• Use audit-only mode to deploy the policy and understand its impact before enforcing it.
• Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
• Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.
• AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved applications.
• To centrally manage application security across multiple machines, a leading practice is to use Citrix Workspace Environment Management (WEM). WEM is used for machine optimization as well as machine security. It can apply the Windows AppLocker feature, and manage and apply blacklists and whitelists.

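The following PowerShell is an added example (not from the course material) that puts the notes above into practice: it generates publisher rules for the signed files of a published application, adds the "allow Windows except Regedit.exe" exception rule, and deploys the result in audit-only mode. The folder path, AD group name and output path are assumed values.

```powershell
# Added example (not from the course): build an AppLocker Exe rule collection and
# deploy it in audit-only mode. Paths and the group name are assumed values.
$ScanFolder = 'C:\Program Files\ExampleApp'     # assumed folder of the published app
$AllowGroup = 'CONTOSO\ExampleApp-Users'         # assumed AD group (same one used for publishing)
$PolicyPath = 'C:\Temp\AppLocker-Audit.xml'      # assumed output location

# 1. Collect publisher and hash information for every executable under the folder.
$fileInfo = Get-AppLockerFileInformation -Directory $ScanFolder -Recurse -FileType Exe

# 2. Generate publisher rules for signed files and hash rules for unsigned ones.
#    -Optimize collapses rules with the same publisher so they survive version updates.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User $AllowGroup -Optimize -Xml

$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }

# 3. Audit-only: AppLocker logs what it would have blocked (Event Viewer > AppLocker)
#    without blocking anything, so the impact can be measured before enforcing.
$exe.EnforcementMode = 'AuditOnly'

# 4. Allow the Windows folder for Everyone (SID S-1-1-0) but carve out Regedit.exe,
#    the exception pattern described in the notes.
$exceptionRule = [xml]@"
<FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder except Registry Editor"
              Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="%WINDIR%\*" />
  </Conditions>
  <Exceptions>
    <FilePathCondition Path="%WINDIR%\regedit.exe" />
  </Exceptions>
</FilePathRule>
"@
$null = $exe.AppendChild($policy.ImportNode($exceptionRule.DocumentElement, $true))

# 5. Save, then test the policy offline against a sample file before touching the machine.
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyPath) | Out-Null
$policy.Save($PolicyPath)
Get-ChildItem "$env:WINDIR\regedit.exe" |
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -User $AllowGroup

# 6. Apply locally in audit mode. -Merge keeps rules already present on the machine.
#    The Application Identity service (AppIDSvc) must be running for rules to be evaluated.
#    In production, import the same XML into a GPO (or WEM) rather than the local policy.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Test-AppLockerPolicy reports Regedit.exe as denied for the group while the rest of the Windows folder stays allowed, which is the expected outcome to confirm before switching the collection from AuditOnly to Enabled.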
Additional Resources:
• What Is AppLocker?
https://technet.microsoft.com/en-us/library/ee424367(v=ws.10).aspx
• Requirements to use AppLocker
https://docs.microsoft.com/en-us/windows/device-security/applocker/requirements-to-use-applocker
• WEM Security
https://docs.citrix.com/en-us/workspace-environment-management/current-release/user-interface-description/security.html


Lesson Objective Review

Does locking down an HDX session involve Citrix configurations or Microsoft configurations?

Ideally, both Citrix and Microsoft configurations should be implemented to fully lock down an HDX session.

Minimizing the Impact of Attacks

Key Notes:
In this lesson, we will look at how we can minimize the impact of attacks.

Separate Applications Based on their Security Sensitivity

• If a breakout occurs on a VDA, an attacker could gain access to other applications installed on the same machine, administrative tools, or sensitive data.
• Consider dedicating a group of servers with dedicated security for very sensitive applications.
• Consider separating networks.

[Diagram: Server OS VDA 1 and Server OS VDA 2 hosting App A through App F; the attacker's published resource runs on one of the VDAs alongside the other applications on that server.]

Key Notes:
• As mentioned earlier, despite all the lockdowns covered so far, given sufficient time, we can assume that an attacker will find a way to perform a jailbreak. So, assuming that you cannot prevent this from happening, what can you do?
• By isolating applications that are at higher risk, we can apply different or additional security to reduce the available footprint to the network in the event of a jailbreak. In effect, you are minimizing the options that are available once a jailbreak has occurred.
• For example, if we publish sensitive HR or accounting apps on dedicated servers, we can lock them down further than, say, office apps, reducing the potential impact of any jailbreak.


Use NTFS to Isolate Applications on the Same Server

• Restrict access to applications by NTFS permissions on application folders\executables.
• You can use the same Active Directory group that is used for publishing.

[Diagram: a single Server OS VDA hosting App A, App B, App C and App D; NTFS permissions separate the attacker's published resource from the other applications on the same server.]

Key Notes:
• Once you isolate your servers into groups, you can add another layer of protection. Try to isolate all applications from the others on the same server.
• A simple method is to use NTFS permissions to isolate applications from each other. Whenever possible, block access at the folder level using read and execute permissions.
• Sometimes, if the folder contains libraries, as with MS Office and Adobe Acrobat, you can secure the individual executables instead.
• You can use the same AD group that is used to publish the application. That way, you can also guarantee that when a user sees an icon, they can execute it.
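As an added example (not part of the course material), this PowerShell applies the folder-level isolation described above: it breaks inheritance on an application folder, removes the broad Users/Authenticated Users/Everyone entries, and grants read-and-execute only to the AD group that also publishes the app. The folder path and group name are assumptions; SYSTEM and Administrators are left with full control so servicing still works.

```powershell
# Added example (not from the course): isolate an application folder on a multi-session
# VDA to the AD group that publishes the app. Folder and group names are assumed values.
function New-FsRule([string]$Identity, [string]$Rights) {
    # Allow rule that applies to the folder, its subfolders and its files.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

function Protect-AppFolder {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. 'C:\Program Files\ExampleApp'
        [Parameter(Mandatory)][string]$AllowGroup   # e.g. 'CONTOSO\ExampleApp-Users'
    )
    # 1. Stop inheriting from the parent, copying inherited ACEs as explicit ones.
    #    Commit and re-read so the copied entries become editable (inherited ACEs
    #    cannot be removed from the in-memory object before the commit).
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path

    # 2. Remove the broad entries that let any interactive user read and run the binaries.
    foreach ($identity in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone') {
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $identity } |
            ForEach-Object { $acl.RemoveAccessRuleAll($_) }
    }

    # 3. Only the publishing group gets read and execute; admins and SYSTEM keep full
    #    control so updates, antivirus and the Citrix services keep working.
    $acl.AddAccessRule((New-FsRule $AllowGroup 'ReadAndExecute'))
    $acl.AddAccessRule((New-FsRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-FsRule 'BUILTIN\Administrators' 'FullControl'))
    Set-Acl -Path $Path -AclObject $acl
}

# Verification: which principals can still execute anything under the folder?
function Get-ExecutePrincipals {
    param([Parameter(Mandatory)][string]$Path)
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights.HasFlag($exec) } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

Protect-AppFolder -Path 'C:\Program Files\ExampleApp' -AllowGroup 'CONTOSO\ExampleApp-Users'
Get-ExecutePrincipals -Path 'C:\Program Files\ExampleApp'
```

After the change, Get-ExecutePrincipals should list only the publishing group, SYSTEM and Administrators; a user who is not in the group sees the icon only if they were also left out of the Delivery Group, which is why the notes recommend reusing the publishing group.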


Use Citrix Analytics to Detect Attacks and Apply Mitigations

• Citrix Analytics is an analytics service that allows you to monitor and identify inconsistent or suspicious activities on your networks. It provides actionable insights such as:
• User behavior.
• Usage risk based on indicators identified across users, endpoints, network traffic, and files.

Key Notes:
• Once users are discovered by Citrix Analytics, they will (after some time) get a risk score assigned to their account.
• A risk score is a value that indicates the aggregate level of risk a user poses to the network over a pre-determined monitoring period. This value is dynamic; it is based on User Behavior Analytics (UBA) algorithms that study and determine patterns of user behavior.
• These algorithms are applied to analyze anomalies that indicate potential threats. For a defined monitoring period, the risk score is an aggregate of the risk indicators that are triggered for a user.
• Risk indicators are user activities that look suspicious or can pose a security threat to the organization. Risk indicators span across all Citrix products used in a deployment.
• The indicators are based on user behavior and are triggered where the user's behavior deviates from the normal. Risk indicators help in determining the user's risk score.
• A risky user can be one of the following types:
• High risk users - Users who represent immediate threats to the organization.
• Medium risk users - Users who could have multiple serious violations on their account and must be monitored closely.
• Low risk users - Users who may have some violations detected on their account.

Additional Resources:
• About Security Analytics
https://docs.citrix.com/en-us/citrix-analytics/security-analytics/about.html


Session Recording
Introduction

• Powerful activity monitoring
• Capture screen updates to a video file.
• Configure monitoring of a specific user, app or server.
• Faster problem resolution
• Replay actual screen activity at exact moment of failure.
• Quickly troubleshoot errors through time-stamped visual records.
• Address difficult to reproduce errors.
• Enhanced auditing
• Record admin screen for change management of critical systems.
• Notify users of recording to help deter potential misdeeds.

[Diagram: Session Recording Infrastructure across the User, Access, Resource, Control and Compute Layers. Internal users connect through StoreFront and external users through Gateway behind firewalls; the Multi-session OS and Single-session OS VDAs run the SR Agent; the Control Layer holds the Delivery Controller, Domain Controller, SR Policy Console, Session Recording Server, Session Recording Player, License Server and the Citrix Databases (including the SR Database); the Compute Layer covers Network, Storage, Processor, Memory, Graphics and Hypervisor.]

Key Notes:
• Session Recording uses flexible policies to automatically trigger recordings of Citrix Virtual Apps and Desktops sessions. This enables IT to monitor and examine user activity. This is particularly useful in areas such as financial operations and healthcare patient information systems. It can be used to demonstrate internal control, thus ensuring regulatory compliance, and it aids security audits. Similarly, it also aids in technical support by speeding problem identification and reducing time-to-resolution.
• Benefits of Session Recording include:
• Providing a definitive log of activity involving sensitive data access. This enables organizations to record user activity while interacting with applications that present sensitive information such as financial data, intellectual property, personal information, and medical records.
• Ensuring powerful litigation support. Video logs of computing activity are the most powerful form of evidence because they are the clearest indication of criminal intent. Whether acting as a defendant or a plaintiff, organizations that use Session Recording Technology (SRT) will have a better chance of proving their case in court by using video footage in parallel with other eDiscovery methods and tools.
• A faster problem resolution. When users call the helpdesk with a problem that is difficult to reproduce, support staff can enable recording of user sessions. When the issue occurs again, SRT provides a visual record of the error, which can be used with other event logging tools to troubleshoot user issues faster.
• Session Recording consists of five components:
• Session Recording Agent - A component installed on each Server OS or Desktop OS machine to enable recording. It is responsible for recording session data.
• Session Recording Server - A server that hosts:
• The Broker - An IIS 6.0+ hosted Web application that handles the search queries and file download requests from the Session Recording Player; handles policy administration requests from the Session Recording Policy Console; and evaluates recording policies for each session.
• The Storage Manager - A Windows service that manages the recorded session files received from each Session Recording-enabled computer running Citrix Virtual Apps and Desktops.
• Session Recording Player - A user interface that users access from a workstation to play recorded session files.
• Session Recording Database - An SQL database for storing recorded session data.
• Session Recording Policy Console - A console used to create policies to specify which sessions are recorded.

Additional Resources:
• Session Recording
https://docs.citrix.com/en-us/session-recording/2203-ltsr/
• Install, upgrade, and uninstall Session Recording
https://docs.citrix.com/en-us/session-recording/current-release/install-upgrade-uninstall.html



How Session Recording Works

1. Policies configured via SR Policy Console.
2. HDX Session established.
3. SR Agent verifies recording policy with SR Server.
4. SR Agent records session; sends data to SR Server.
5. SR Server logs session data; sends metadata to the database and the recordings to storage.
6. SR Player can retrieve and play session recordings by contacting SR Server.
7. Files can be archived via 3rd party archive solutions.

[Diagram: the numbered flow between the Endpoint, the Multi-session OS VDA with SR Agent, the Session Recording Server, the Session Recording Database, Storage, the SR Policy Console, the Session Recording Player and a 3rd Party Archiving Solution.]

Key Notes:
• Once session recording has been configured and activated, the SR Agent is in "capture" mode, monitoring all HDX sessions that start up and asking the SR Server what to do: record or not, and if record, notify or not.
• If the policy is to record, the session data is sent to the SR Server for processing.
• The actual session recordings are written to storage and various metadata associated with the session is logged.
• Metadata includes session attributes such as the user, the application, the session start time, and the Worker used.
• An authorized user can use the SR Player to search metadata records for items of interest to play back.
• For organizations that plan to record a large number of sessions and retain the recordings for a long period of time, a 3rd-party archival solution will need to be employed.
• The text-based session watermarking feature can be used in conjunction with session recording to show the particulars of the endpoint or VM being depicted in the recording.

Additional Resources:
• Get started with Session Recording
https://docs.citrix.com/en-us/session-recording/current-release/get-started.html



Lab Exercise Prep

Please Take a Moment and Provision Your Lab For Module 6.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to provision; just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Citrix App Protection
Overview

Definition: App protection is an add-on feature for the Citrix Workspace app that provides enhanced security when using Citrix Virtual Apps and Desktops published resources.

Capabilities: Anti-keylogging and anti-screen-capturing capabilities.

What It Protects:
• Citrix logon windows.
• Citrix Workspace app HDX session windows (example, managed desktop).
• Self-Service (Store) windows.

What It Does NOT Protect:
• Items under the Citrix Workspace app icon in the navigation bar:
• Connections Center
• All links under Advanced Preferences
• Personalize
• Check for Updates
• Sign Out

Key Notes:
• App Protection behaves differently depending on how you access the StoreFront store. When using StoreWeb, apps subject to protection policies are not enumerated. This also applies where unsupported Citrix Receivers or Workspace App versions are used. Protection is applied to all supported Citrix Workspace app versions.
• Protection is applied under the following conditions:
• Anti screen capture - enabled if any protected window is visible on the screen. To disable protection, minimize all protected windows.
• Anti-keylogging - enabled if a protected window is in focus. To disable protection, change focus to another window.

Additional Resources:
• App Protection onPrem
https://www.citrix.com/blogs/2020/02/25/app-protection-is-now-ga-for-on-prem-citrix-virtual-apps-and-desktops/
• App protection
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/app-protection.html



HDX Session Watermarking

• Text-based session watermarks help to deter and enable tracking data theft.
• Traceable information appears on the session desktop as a deterrent to those using photographs and screen captures to steal data.
• The watermark displays over the entire session screen without changing the content of the original document.
• Text-based session watermarks require VDA support.
• The solution does not prevent data theft, but it provides some level of deterrent and traceability.
• Session watermark supports only Thinwire and not the Framehawk or Desktop Composition Redirection (DCR) graphic modes.
• If you use Session Recording or Windows remote assistance, the recorded session doesn't include the watermark.

Key Notes:
• If certain conditions are met in relation to session parameters, it is possible to place a text-based layer, or watermark, on the HDX session window. This has the advantage of providing a deterrent against data theft through screen captures or independent recording technologies, such as video or still image recording.
• Watermark limitations:
• Session watermarks are not supported in sessions where Local App Access, Windows media redirection, MediaStream, browser content redirection, and HTML5 video redirection are used. To use session watermark, ensure that these features are disabled.
• Session watermark is not supported, and it doesn't appear, if the session is running in full-screen hardware accelerated modes (full-screen H.264 or H.265 encoding).
• If you set these HDX policies, watermark settings don't take effect and a watermark isn't displayed in the session display.

Additional Resources:
• Text-based session watermark
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/graphics/session-watermark.html
• Session watermark policy settings
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/session-watermark-policy-setting.html



Lesson Objective Review

Which built-in Windows setting allows administrators to provide granular access permissions to individual files and folders?

NTFS permissions can be used to accomplish this. They also provide an additional layer of protection for applications.

For ease of management, use the application-specific Active Directory groups when configuring NTFS permissions.



Lab Exercise

• Exercise 6-1: Install Session Recording Administration Components
• Exercise 6-2: Install the Session Recording Agent
• Exercise 6-3: Configure Director to use the Session Recording Server
• Exercise 6-4: Test Session Recording



Key Takeaways

• There are many routes an attacker could take to break out of a published resource, which is why implementing a defense in depth approach is necessary to mitigate that risk.
• Implementing user group nesting assignments for accessing resources, removing undesired Citrix and Microsoft functionalities, hardening web and applications, and restricting application access are different methods used to deploy a Defense in Depth solution.
• Utilizing Citrix Analytics for Security, Session Recording, and App protection are a few solutions that can be deployed to minimize the impact of attacks in a Citrix Virtual Apps and Desktops site.



Citrix Virtual Apps and Desktops 7
Advanced Configuration

Planning: Virtual Delivery Agent Security

Module 7



Learning Objectives

• Discuss the security advantages of using end-to-end TLS encryption.
• Explain how Microsoft and Citrix components are used to secure machines, devices, sessions and users, and to enforce endpoint compliance, in a Citrix Virtual Apps and Desktops environment.
• Describe how to harden a base image for provisioning secure virtual machines.



Transport Layer Security (TLS)

Virtual Delivery Agent (VDA) Encryption

Key Notes:
• In this lesson, we will look at the use of end-to-end TLS encryption to protect traffic to and from the VDA.



Limitations for Default Deployment

• By default, the Citrix Gateway does not use SSL (TLS) to secure the HDX proxy to the session.
• For some industries, securing external traffic is sufficient.
• Other industries require companies to secure both external and internal traffic.

[Diagram: Some Industries: only the external leg (Endpoint Devices to Citrix Gateway) is secured using SSL (TLS), which is sufficient for them. Other Industries: all traffic is secured using SSL (TLS), both Endpoint Devices to Citrix Gateway and Citrix Gateway to VDA.]

Key Notes:
• Transport Layer Security (TLS) encryption between components internally is a requirement for FIPS and PCI compliance. Many industries also mandate its use for internal traffic.



Securing Internal Traffic with Secure ICA (TLS Encryption)
Basic Encryption

• Default HDX traffic uses basic XOR-based encryption. Secure ICA is available to increase this encryption level.
• TLS encryption improves on basic XOR Secure ICA, using cryptographic protocols that provide private communication security over the network.
• Secure the VDA, in addition to a network proxy like the Citrix Gateway, to achieve end-to-end TLS security.

[Diagram: HDX traffic across the User, Access, Control, Resource and Compute Layers. Internal users connect through StoreFront and external users through Citrix Gateway behind firewalls to Multi-session OS, Single-session OS (assigned and random desktop) and Remote PC VDAs; the Control Layer holds the Delivery Controller, Domain Controller, Databases and License Server; the Compute Layer covers Network, Storage, Processor, Memory, Graphics and Hypervisor.]

Key Notes:
• By default, HDX traffic uses a basic XOR-based encryption algorithm. It protects the data stream from being read directly, but it can be decrypted. Rather than use the SecureICA minimum encryption level setting for Citrix Virtual Apps and Desktops 7, a leading practice is to use TLS to secure HDX traffic if end-to-end traffic encryption is desired.
• A SecureICA minimum encryption level Citrix policy is available as a way to increase the encryption level of the HDX logon traffic to Server OS VDAs by using a 128-bit RC5 algorithm. Although simple to implement, this policy only covers logon data; it does not perform authentication or check data integrity; and RC5 is not a FIPS-compliant algorithm.
• The SecureICA minimum encryption level setting specifies the minimum level at which to encrypt session data sent between the server and a user device. Originally developed for the Citrix Virtual Apps IMA architecture, some settings can be used in a Citrix Virtual Apps 7 environment.
• When adding security through a policy, you can select:
• Basic, which encrypts the client connection using a non-RC5 algorithm. It protects the data stream from being read directly, but it can be decrypted.
• By default, the server uses Basic encryption for client-server traffic.
• RC5 (128 bit) logon only encrypts the logon data with RC5 128-bit encryption and the client connection using Basic encryption. This is the setting that can be selected in Citrix Virtual Apps and Desktops 7 environments.
• RC5 (40 bit) encrypts the client connection with RC5 40-bit encryption (legacy environments only).
• RC5 (56 bit) encrypts the client connection with RC5 56-bit encryption (legacy environments only).
• RC5 (128 bit) encrypts the client connection with RC5 128-bit encryption (legacy environments only).
The settings you specify for client-server encryption can interact with any other encryption settings in your environment and your Windows operating system. If a higher priority encryption level is set on either a server or user device, settings you specify for published resources can be overridden.
• You can raise encryption levels to further secure communications and message integrity for certain users. If a policy requires a higher encryption level, Citrix Workspace app instances using a lower encryption level are denied connection.
• It is worth noting that SecureICA does not perform authentication or check data integrity. (To provide end-to-end encryption for your site, use SecureICA with TLS encryption.) SecureICA does not use FIPS-compliant algorithms either. If this is an issue, configure the server and Citrix Workspace app to avoid using SecureICA.

Additional Resources:
• Transport Layer Security (TLS)
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/2203-ltsr/secure/tls.html
• Security policy settings
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings/security-policy-settings.html



Secure the VDA

1. Add certificate to VDAs.
2. Enable TLS on VDAs.
3. Enable TLS on Controllers.

[Diagram: Endpoint Devices connect over SSL/TLS to Citrix Gateway, which connects over SSL/TLS to the VDA; the Delivery Controller brokers the VDA.]

Key Notes:
• To enable TLS encryption, you need to add certificates to the VDAs, and then configure the VDAs and Controllers to use encryption. We'll look at each of these steps in more detail because there are some important things to consider.
• In a typical scenario, external connections are secured to Citrix Gateway, but the "last mile" does not leverage TLS by default.
• You should encrypt HDX traffic to prevent an attacker from being able to watch everything that a user is doing. ICA ports 1494, 2598 and 8008 are unencrypted by default (though not plain text).
• With the release of Citrix Virtual Apps and Desktops 7.6, it is now possible to implement TLS encryption that is FIPS approved from Receiver to the VDA.
• The first step is to deploy certificates to the VDAs. By default, there are no certificates deployed to VDAs. After certificates have been deployed to the VDAs, TLS can be enabled by the script Enable-VdaSSL.ps1 (on the product ISO). This is relatively straightforward for dedicated desktops, but much harder for pooled desktops, which are reset following a reboot. One solution is to add a wildcard certificate to the master image such as *.Citrix.com.
• Once you have the cert installed on the VDA, you need to run a PowerShell script that enables TLS on the VDA. You can use a few different parameters with the script. The SSLMinVersion parameter can be TLS_1.0, TLS_1.1 and TLS_1.2. The script will use TLS_1.0 by default, which should no longer be used due to vulnerabilities. The SSLCipherSuite parameter allows you to select your preferred cipher suite, which can include Government, Commercial and All. The certificate thumbprint parameter allows you to specify which certificate you want to use. Most of the time, you won't need this parameter as you'll just have one cert on the VDA.
• The last step is to enable encryption on the controller.
• There are two PowerShell commands that you need to run on each controller:
• The first one enables TLS for all delivery groups, although you can also enable TLS for individual delivery groups if you wish.
• The second PowerShell command changes the address of the VDA in the ICA file from IP address to FQDN, so that it matches the name in the certificate.
It is worth noting that, when you change the VDA address from an IP to FQDN, you lose the ability to directly connect with Quick Launch.
• A Delivery Group cannot have a mixture of some VDAs with TLS configured and some VDAs without TLS configured. When you configure TLS for a Delivery Group, you should have already configured TLS for all the VDAs in that Delivery Group.
• When you configure TLS on VDAs, permissions on the installed TLS certificate are changed, giving the ICA Service read access to the certificate's private key, and informing the ICA Service of the following:
• Which certificate in the certificate store to use for TLS.
• Which TCP port number to use for TLS connections.
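The three steps above as PowerShell, added here as an example rather than taken from the course: the VDA half runs Enable-VdaSSL.ps1 with an explicit thumbprint and TLS 1.2 minimum, the Controller half enables HDX over TLS for a Delivery Group and switches the ICA file to FQDNs. The installation-media drive letter, VDA FQDN and Delivery Group name are assumed values; the script path and cmdlet names are the product's own.

```powershell
# Added example (not from the course). Placeholder values: D:\ is the mounted product
# ISO, vda01.example.corp is the VDA, 'Finance Apps' is the Delivery Group.

# --- Steps 1 and 2: on the VDA, in an elevated session ----------------------------
# Assumes a server-authentication certificate for the VDA's FQDN is already in the
# LocalMachine\My store (pushed by the enterprise CA or baked into the master image).
$vdaFqdn = 'vda01.example.corp'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$vdaFqdn*" -or $_.DnsNameList.Unicode -contains $vdaFqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $vdaFqdn found in LocalMachine\My" }

# Enable-VdaSSL.ps1 ships in Support\Tools\SslSupport on the installation media.
# Passing the thumbprint avoids picking the wrong certificate when several are present;
# TLS_1.2 replaces the script's TLS_1.0 default. GOV selects the government (FIPS-oriented)
# cipher suites; COM and ALL are the other two values.
& 'D:\Support\Tools\SslSupport\Enable-VdaSSL.ps1' -Enable `
    -CertificateThumbPrint $cert.Thumbprint `
    -SSLMinVersion 'TLS_1.2' `
    -SSLCipherSuite 'GOV'

# Check: the ICA Service should now listen on the TLS port (443 unless -SSLPort was used).
Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# --- Step 3: on a Delivery Controller ---------------------------------------------
Add-PSSnapin Citrix.Broker.Admin.V2

# Turn on HDX over TLS for one Delivery Group (drop -DesktopGroupName to cover every
# group). Every VDA in the group must already have TLS configured, per the notes above.
Get-BrokerAccessPolicyRule -DesktopGroupName 'Finance Apps' |
    Set-BrokerAccessPolicyRule -HdxSslEnabled $true

# Put the VDA FQDN rather than its IP address in the ICA file so the name the client
# connects to matches the certificate subject.
Set-BrokerSite -DnsResolutionEnabled $true

# Check both settings took effect.
Get-BrokerAccessPolicyRule -DesktopGroupName 'Finance Apps' | Select-Object Name, HdxSslEnabled
(Get-BrokerSite).DnsResolutionEnabled
```

For pooled, non-persistent machines the certificate and the Enable-VdaSSL.ps1 run belong in the master image, since anything done on a running VDA is lost at the next reboot.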

Additional Resources:
• How To Secure ICA Connections in Citrix Virtual Apps and Desktops using SSL
https://support.citrix.com/article/CTX135075
• Citrix Virtual Apps and Desktops: What Crypto is My Session Using?
https://support.citrix.com/article/CTX135075
• End-To-End Encryption with Citrix Virtual Apps and Desktops
https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/end-to-end-encryption-with-xenapp-and-xendesktop.pdf
• Configure TLS on a VDA
https://support.citrix.com/article/CTX220062/ssl-configuration-on-vda



Lesson Objective Review

What is the default encryption used by HDX traffic?

XOR-based encryption

Key Notes:
It is important to remember that XOR-based encryption is considered legacy and TLS 1.2 or higher should be used.


Microsoft Group Policy Objects (GPOs) and Citrix Policies

Key Notes:
• In this lesson, we will explain how Microsoft GPOs, Citrix HDX policies, Citrix ADC and Citrix Gateway SmartAccess and SmartControl are used to secure machines, devices, sessions and users, and to enforce endpoint compliance, in a Citrix Virtual Apps and Desktops environment.


Introduction to System Hardening via Policies
Overview

• System hardening secures an environment to reduce exposure to threats and provides secure remote access to an environment and its resources.
• With Citrix Virtual Apps and Desktops, both Microsoft Group Policy Objects (GPOs) and Citrix policies (HDX) can be used.

Key Notes:
• One of the most common methods of applying lockdowns to a Windows operating system is via policies. Before they are applied using a Group Policy Object (GPO) to a production environment, settings must be evaluated to determine their appropriateness for your organization's environment. Settings should all be tested in a non-production environment first.
• Depending on your organization's requirements, Citrix Cloud GPOs may be more or less stringent than the ideal level of lockdowns.
• You can also separate admin from user policies, allowing flexibility in your organization to give certain administrators full access to tasks and operations while other administrators have limited access.

Additional Resources:
• Citrix Common Criteria Certification Information
https://www.citrix.com/about/legal/security-compliance/common-criteria.html



Introduction to System Hardening via Policies
Users and Administrators

• Policies can be used to control resource or environment access for users and Administrators.
• Identify and confirm the requirements for each type of account, defining the identity, authentication and access rights and privileges.
• Separating policies will provide the level of granularity needed to provide the right level of access based on individual needs of users or Administrators.


Separate Policies for Users/Admins

• Policies can be applied to only allow users or Administrators access to specific resources or environments.
• Identify and confirm the requirements for each type of account, defining the identity, authentication, and access rights and privileges.
• Separating policies will address specific user and administrator needs.

[Diagram: a Virtual Delivery Agent receiving two separate policies, an Admin Policy and a User Policy]

Key Notes:
• Separating admin from user policies allows flexibility in your organization to give certain administrators full access to tasks and operations while other administrators have limited access. This allows many different levels of lockdowns to be applied to different user groups, including administrators who may need greater access to the machines.
• As a general leading practice, when applying security lockdown policies, ensure that your core administrator group is not inadvertently included in settings that would prevent them from effectively performing their duties. At the same time, even administrators should not have full access to the systems and machines under their control, according to the principle of least privilege (PoLP).


Citrix Security and Control Policy Template

• Enabled by default, the Citrix Security and Control Policy Template can be used to limit access in the Citrix Virtual Apps and Desktops environment.
• Enables the administrator to deny access to peripheral devices, drive mapping, and much more.
• Allows for a quick and easy way to apply the most restrictive policy to either users or administrators.

Key Notes:
• Citrix Virtual Apps and Desktops includes a Citrix Security and Control policy template that contains many settings appropriate to a locked-down environment, such as disabling use of client-side peripheral devices (like USB drives), drive mapping, client-side rendering of media content, and more.
• Note that applying some of these settings may consume more bandwidth and/or reduce user density per server.


Citrix Policy Example
Clipboard Redirection

[Diagram: clipboard redirection options. Content types: all data (text, files & folders), only text, only bitmaps. Directions: Two-Way Clipboard, One-Way Clipboard (Client-to-Server), One-Way Clipboard (Server-to-Client), No Clipboard.]

Key Notes:
• Citrix has introduced increasingly granular clipboard redirection settings to enable administrators to choose which type of content can be transferred between a session and the user device via the clipboard, as well as in which direction. Since CVAD 1903, the clipboard data that can be copied and pasted between sessions and user devices includes files and folders, not just text and bitmaps.
• In security-focused environments, it is recommended that Client clipboard redirection be disabled. This setting allows or prevents the clipboard on the user device being mapped to the clipboard on the server. By default, clipboard redirection is allowed.
• To prevent cut-and-paste data transfer between a session and the local clipboard, select Prohibit. Users can still cut and paste data between applications running in sessions.
• Although fully disabling clipboard redirection is the most secure, additional settings are available for a more granular approach. These include Restrict client clipboard write and Restrict session clipboard write. Enabling these settings means the host clipboard data cannot be shared with the client endpoint or within the user session, respectively. This can be used to enable uni-directional clipboard access.
• When the Restrict client clipboard write or Restrict session clipboard write setting is Enabled, host clipboard data cannot be shared with the client endpoint or user session respectively, but you can use this setting to allow specific data formats to be shared with the client endpoint clipboard or user session clipboard. To use these settings, enable them and add the specific formats to be allowed.
• The following clipboard formats are system defined:
  • CFX_FILE (note: use this format to copy/paste files & folders)
  • CF_TEXT
  • CF_BITMAP
  • CF_METAFILEPICT
  • CF_SYLK
  • CF_DIF
  • CF_TIFF
  • CF_OEMTEXT
  • CF_DIB
  • CF_PALETTE
  • CF_PENDATA
  • CF_RIFF
  • CF_WAVE
  • CF_UNICODETEXT
  • CF_ENHMETAFILE
  • CF_HDROP
  • CF_LOCALE
  • CF_DIBV5
  • CF_OWNERDISPLAY
  • CF_DSPTEXT
  • CF_DSPBITMAP
  • CF_DSPMETAFILEPICT
  • CF_DISPENHMETAFILE
• The following custom formats are predefined in Citrix Virtual Apps and Desktops:
  • CFX_RICHTEXT
  • CFX_OfficeDrawingShape
  • CFX_BIFF8
  • HTML Format
    • Enabling HTML format clipboard copy support (HTML Format) will copy any scripts (if they exist) from the source of the copied content to the destination. Check that you trust the source before proceeding to copy.
    • If you do copy content containing scripts, they will only be live if you save the destination file as an HTML file and execute it.
• Additional custom formats can be added. The custom format name must match the format to be registered with the system.
• Format names are case-sensitive. The restrictions will not apply if either Client clipboard redirection or Restrict client clipboard write is set to Prohibited.
• In addition to the security of files and keeping the data internal, we also need to consider denying or limiting what a user can do with the clipboard.
• You can also specify which direction and what content can be copied:
  • One way
  • Two ways
  • Only text
  • Only bitmaps

Additional Resources:
• ICA policy settings
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/policies/reference/ica-policy-settings.html
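The precedence described in the notes above (a Prohibited Client clipboard redirection overrides everything, each Restrict setting then gates one direction, and the format allow-list is matched case-sensitively) is easy to get wrong when designing a clipboard policy. The following Python model is an added example written for this section; it is not Citrix code and does not read real policy objects. The setting names follow the page, while the clipboard_transfer_allowed function, the direction constants and the assumption that an enabled Restrict setting with an empty allow-list blocks that direction entirely are this example's own.

```python
"""Model of the Citrix clipboard redirection policy semantics (added example,
not Citrix code). Setting names follow the policy names in the notes above;
the evaluation order is an assumption made for illustration."""
from dataclasses import dataclass

SERVER_TO_CLIENT = "server_to_client"   # session clipboard -> endpoint clipboard
CLIENT_TO_SERVER = "client_to_server"   # endpoint clipboard -> session clipboard


@dataclass(frozen=True)
class ClipboardPolicy:
    # "Client clipboard redirection": Allowed (the default) or Prohibited
    client_clipboard_redirection: str = "Allowed"
    # "Restrict client clipboard write": blocks session -> endpoint except listed formats
    restrict_client_clipboard_write: bool = False
    client_write_allowed_formats: frozenset = frozenset()
    # "Restrict session clipboard write": blocks endpoint -> session except listed formats
    restrict_session_clipboard_write: bool = False
    session_write_allowed_formats: frozenset = frozenset()


def clipboard_transfer_allowed(policy: ClipboardPolicy, fmt: str, direction: str) -> bool:
    """Return True if clipboard data of format `fmt` may flow in `direction`."""
    # Prohibiting redirection disables the clipboard between session and endpoint
    # entirely; the Restrict settings and their format lists are then irrelevant.
    if policy.client_clipboard_redirection == "Prohibited":
        return False
    if direction == SERVER_TO_CLIENT:
        if not policy.restrict_client_clipboard_write:
            return True
        # Format names are case-sensitive, so the membership test is exact.
        return fmt in policy.client_write_allowed_formats
    if direction == CLIENT_TO_SERVER:
        if not policy.restrict_session_clipboard_write:
            return True
        return fmt in policy.session_write_allowed_formats
    raise ValueError(f"unknown direction: {direction}")


# The four modes on the slide, expressed with the settings from the notes.
TWO_WAY = ClipboardPolicy()
NO_CLIPBOARD = ClipboardPolicy(client_clipboard_redirection="Prohibited")
ONE_WAY_CLIENT_TO_SERVER = ClipboardPolicy(restrict_client_clipboard_write=True)
ONE_WAY_SERVER_TO_CLIENT = ClipboardPolicy(restrict_session_clipboard_write=True)
# Text may leave the session, files and folders may not; anything may come in.
TEXT_OUT_ONLY = ClipboardPolicy(
    restrict_client_clipboard_write=True,
    client_write_allowed_formats=frozenset({"CF_TEXT", "CF_UNICODETEXT"}),
)


def describe(policy: ClipboardPolicy, fmt: str = "CF_TEXT") -> dict:
    """Summarize which directions a format may travel under a policy."""
    return {d: clipboard_transfer_allowed(policy, fmt, d)
            for d in (SERVER_TO_CLIENT, CLIENT_TO_SERVER)}


if __name__ == "__main__":
    for name, p in [("two-way", TWO_WAY), ("none", NO_CLIPBOARD),
                    ("client->server", ONE_WAY_CLIENT_TO_SERVER),
                    ("server->client", ONE_WAY_SERVER_TO_CLIENT),
                    ("text out only", TEXT_OUT_ONLY)]:
        print(f"{name:15} CF_TEXT {describe(p)}  CFX_FILE {describe(p, 'CFX_FILE')}")
```

The TEXT_OUT_ONLY policy shows the practical use of the allow-list: it keeps CFX_FILE (files and folders) inside the session while still letting plain text out, and a lower-case "cf_text" entry would silently allow nothing because the comparison is case-sensitive.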


Citrix Policy Guides

• Certain Citrix product versions have achieved some level of Common Criteria (CC) certification.
• If CC certification is a requirement, these product versions should be used.
• The set of Citrix and Microsoft GPOs used by Citrix to achieve this can be applied to any supported version of Citrix Virtual Apps and Desktops.

Key Notes:
• Some Citrix products, including Citrix Virtual Apps and Desktops and Citrix Gateway, have achieved Common Criteria certification. Details are available in the Additional Resources section.
• An Evaluated Configuration guide provides a more comprehensive review of the environment used to gain the CC certification. These resources can be used as guidelines to assist in evaluating the relative security of different Citrix Virtual Apps and Desktops configurations.
• Citrix also periodically releases whitepapers, which contain security recommendations and lists of recommended Citrix policies and GPOs.

Additional Resources:
• Citrix Common Criteria Certification Information
https://www.citrix.com/about/legal/security-compliance/common-criteria.html
• Common Criteria Certified Products (expand categories and do a keyword search for Citrix)
http://www.commoncriteriaportal.org/products/
• Securing Citrix Virtual Apps and Desktops Environments (see System Hardening Guidance for Citrix Virtual Apps and Desktops):
https://www.citrix.com/about/legal/security-compliance/security-standards.html


Using Citrix Gateway SmartAccess and SmartControl with Citrix Virtual Apps and Desktops

[Diagram: endpoints connect through a firewall to Citrix Gateway, then through a second firewall to StoreFront, the Delivery Controller and the VDAs of the Citrix Virtual Apps and Desktops Site. Compliant endpoints receive Full Access; non-compliant endpoints receive limited Copy/Paste, Drive Access and Print Access.]

Key Notes:
• In contrast to SmartAccess, SmartControl is implemented exclusively through ICA policies on the Citrix Gateway. Each ICA policy is an expression and access profile combination that can be applied to users, groups, virtual servers, and globally. It is important to note that ICA policies are evaluated after the user authenticates at session establishment. As a result, session settings can be defined and applied before the user connection enters the internal network.
• SmartControl requires Citrix Virtual Apps and Desktops Premium licensing.
• Rather than making the admin configure capabilities on multiple backend Citrix Virtual Apps and Desktops servers, with SmartControl, Citrix Gateway becomes a single point of configuration and users can be granted access to desktops or apps based on endpoint checks.
• SmartAccess and SmartControl functions include:
  • SmartAccess, used with Citrix Gateway:
    • Allows policy and resource filtering based on connection/access conditions.
    • “Per Site” configuration.
    • Requires Universal Licenses:
      • Part of ADC.
      • Part of Citrix Virtual Apps and Desktops Premium.
  • SmartControl is a Citrix ADC only feature, so the Citrix Virtual Apps and Desktops site is not aware of it.
    • Allows controlling ICA Virtual Channel behavior on Citrix Gateway, such as disabling/enabling client drives, printers, etc.
    • Can be controlled by means of ADC syntax policies.
    • Allows configuration “per Gateway”.
    • Requires Citrix ADC Premium license.
• SmartControl can be used to verify that a user device meets connection criteria, for example, checking that when users connect they are running the latest antivirus version, and then decide if they can connect.
• SmartAccess and SmartControl are two features which utilize Citrix Gateway to help control which resources and level of access a given user and/or endpoint is granted based on pre-defined criteria.
  • SmartAccess allows you to control access to published applications and desktops on a server through the use of Citrix Gateway session policies. You use pre-authentication and post-authentication checks for access to published resources.
    • Other conditions include anything you can control with a Citrix Virtual Apps and Desktops policy, such as printer bandwidth limits, user device drive mapping, clipboard, audio, and printer mapping. You can apply a Citrix Virtual Apps and Desktops policy based on whether or not users pass a Citrix Gateway check.
    • This functionality is achieved by integrating Citrix Gateway components with StoreFront and Citrix Virtual Apps and Desktops. This integration provides advanced authentication and access control options to StoreFront.
  • SmartControl allows administrators to define granular policies to configure and enforce user environment attributes for Citrix Virtual Apps and Desktops on Citrix Gateway. SmartControl allows administrators to manage these policies from a single location, rather than at each instance of these server types.
• Both SmartAccess and SmartControl can apply differing HDX policy settings based on an EPA health check, for example by verifying whether a certain antivirus client is present on the endpoint device.
• SmartAccess enables:
  • Resource access restrictions based on EPA.
  • Verification of required security measures enabled on devices.
  • Restriction of access to resources based on Active Directory (AD) identity or group membership.
• SmartControl enables:
  • Resource access restrictions based on EPA.
  • Verification of required security measures enabled on devices.
  • Single point of configuration for all Citrix Virtual Apps and Desktops servers behind the Citrix Gateway.

Additional Resources:
• Configuring SmartAccess
https://docs.citrix.com/en-us/citrix-gateway/13/integrate-web-interface-apps/ng-smartaccess-wrapper-con.html
• Configuring SmartControl
https://docs.citrix.com/en-us/citrix-gateway/13/integrate-web-interface-apps/smart-control.html
• Demo Guide for SmartAccess and SmartControl
https://www.citrix.com/content/dam/citrix/en_us/documents/guide/demo-guide-for-smart-access-smart-control.pdf


Can I Use Registry Changes to Provide Further Lockdowns?

• Several web sources are available which list registry changes to remove different menu options or buttons from various portions of Windows.
• These registry changes are not officially supported by Microsoft and Citrix and present the risk of corrupting the OS image.
• If you choose these methods, always create a registry backup and test with a non-production image before rolling out changes to production.

Key Notes:
• While it is possible to configure many options to make an environment secure, direct registry editing presents a significant risk.
• Registry backups and non-production testing are critical to avoiding potential issues when editing the registry.


Lesson Objective Review

SmartAccess and SmartControl provide enhanced security for apps and desktops.

SmartAccess is a feature of?
SmartControl is a feature of?

• SmartAccess - Feature of Citrix Virtual Apps and Desktops.
• SmartControl - Feature of Citrix ADC.


Lab Exercise Prep

Please take a moment and provision your lab for Module 7.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision; just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Image Management

Key Notes:
• In this lesson, we will be looking at how to manage images to ensure leading security practice is followed.


Harden Components by Using a Golden Image
Recommendations

• Harden all components by using a Gold Disk image when possible.
• Enable cryptographic checksums and hashes on Gold Disks and OS.
• Patch all components in a timely manner, including the infrastructure and hosts.
• Automate the provisioning and de-provisioning processes with Citrix Provisioning or Machine Creation Services.

[Diagram: a Citrix Provisioning Server streams a vDisk (Golden Image) to multiple VDAs]

Key Notes:
• When building golden images, it is recommended that the virtualized environment uses the same security stack as the non-virtualized environment. This includes IDS, IPS, multi-factor authentication, web proxies, and advanced threat detection appliances.
• It is important to automate the Citrix site creation process, via Citrix Life Cycle Management, to bring consistency between development, test, and production environments.
• You should maintain consistent development, test, and production environments that can be used to test security policies successfully prior to deployment.

Additional Resources:
• System Hardening Guidance for Citrix Virtual Apps and Desktops:
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/system-hardening-for-xenapp-and-xendesktop.pdf
• Securing the Published Browser:
https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/securing-the-published-browser.pdf


Enable Cryptographic Checksum and Hashes on Golden Image and OS

• Cryptographic checksums are values that are generated by an algorithm based on the contents of a file.
• This approach can be used to verify that unauthorized changes have not been made to an OS image.

Key Notes:
• Checksums are often used to verify that downloaded files have not been tampered with and are the same as when the checksum was generated. Typically, the hash function used to create the checksum is listed along with the checksum so that it can be verified.
• Tools can then be used to verify a checksum, such as Microsoft Checksum Integrity Verifier, CertUtil, and PowerShell.

Additional Resources:
• Ensuring Data Integrity with Hash Codes
https://docs.microsoft.com/en-us/dotnet/standard/security/ensuring-data-integrity-with-hash-codes
• Guide to Cryptography
https://www.owasp.org/index.php/Guide_to_Cryptography
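The notes above name CertUtil and PowerShell for checking a single downloaded file. For a golden image, what a practitioner usually wants is a manifest covering every file in the image tree, generated when the image is sealed and re-checked before it is deployed, which reports not only modified files but also files that were removed or added. The following Python script is an added example written for this section, not Citrix tooling; the directory layout and file contents created in demo() are constructed here purely for illustration, and the manifest format (a JSON document naming the hash function plus a map of relative path to SHA-256 hex digest) is this example's own choice.

```python
"""Build and verify a SHA-256 manifest for a golden image directory tree.
Added example for this section; not Citrix tooling. The directory layout and
file contents created in demo() are constructed purely for illustration."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so large vDisk files are never read into memory whole
ALGORITHM = "sha256"


def hash_file(path: Path, algorithm: str = ALGORITHM) -> str:
    """Return the hex digest of a file's contents, streamed in chunks."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def _hash_tree(root: Path, algorithm: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Sorting keeps the output stable across platforms so manifests diff cleanly."""
    return {p.relative_to(root).as_posix(): hash_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path) -> dict:
    """Record the hash function alongside the digests, as the notes recommend."""
    return {"algorithm": ALGORITHM, "files": _hash_tree(root, ALGORITHM)}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a saved manifest and report every deviation."""
    expected = manifest["files"]
    current = _hash_tree(root, manifest["algorithm"])
    # compare_digest keeps the digest comparison constant-time; cheap insurance here.
    modified = sorted(f for f in expected if f in current
                      and not hmac.compare_digest(expected[f], current[f]))
    missing = sorted(f for f in expected if f not in current)
    added = sorted(f for f in current if f not in expected)
    return {"modified": modified, "missing": missing, "added": added,
            "ok": not (modified or missing or added)}


def demo() -> dict:
    """Seal a constructed image tree, tamper with it, and verify. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vdisk").mkdir()
        (root / "vdisk" / "image.vhdx").write_bytes(b"\x00" * 4096)   # constructed sample
        (root / "vdisk" / "unattend.xml").write_text("<unattend/>")  # constructed sample
        (root / "README.txt").write_text("golden image v1\n")         # constructed sample

        # At seal time: generate the manifest and keep it (or a signature over it)
        # somewhere the image build pipeline cannot write to.
        sealed = json.dumps(build_manifest(root), indent=2, sort_keys=True)
        clean = verify_manifest(root, json.loads(sealed))
        assert clean["ok"], "a freshly sealed image must verify against its own manifest"

        # Later: a config file is edited and an extra binary appears in the image.
        (root / "vdisk" / "unattend.xml").write_text("<unattend><x/></unattend>")
        (root / "vdisk" / "extra.dll").write_bytes(b"MZ")
        return verify_manifest(root, json.loads(sealed))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only has value if it is kept apart from the image it describes: a manifest stored next to the vDisk can simply be regenerated by whoever altered the vDisk, so store it (or a signature over it) in a location the image build process cannot write to, and treat any "added" or "missing" entry as seriously as a "modified" one.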


Creating a Locked-down VM Template

• Templates should be named to indicate what their intended purpose is.
• For example, to avoid using an experimental template for a production VM, specify “-test” as part of its name.
• When building a template, make sure it does not include any unnecessary or undesirable networks.
• A leading practice is that you do not assign unnecessary network ports to each guest, just what is needed.

© 2021 Citrix Authorized Content

Key Notes:
• A template that was created with only one use case in mind might be re-used for many other VMs with differing security requirements. Care should be taken when creating VMs for replication to ensure that the configurations are suitable for all potential uses of the VM.
• You should also ensure VM templates are considered part of your organization’s patching schedule.
• The following practices can be used to lock down a VM template:
  • Remove all undesired Windows and Citrix functionality.
  • Enable application hardening.
  • Restrict access to internal and external tools.
  • Restrict access to file system dialogs.
  • Limit sensitive information on local and remote drives.
  • Separate applications on different servers.
  • Isolate applications on the same server.

Additional Resources:
• Security Recommendations When Deploying Citrix Hypervisor
https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/security-recommendations-when-deploying-citrix-xenserver.pdf
• System Hardening Guidance for Citrix Virtual Apps and Desktops
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/system-hardening-for-xenapp-and-xendesktop.pdf


Lesson Objective Review

Which image type allows for the highest degree of hardening to be applied?

• Read-only golden image, as changes cannot be made once it is sealed.


Lab Exercise

• Exercise 7-1: Configure Certificates on the VDA
• Exercise 7-2: Enable TLS on the VDA
• Exercise 7-3: Enable TLS on the Controller
• Exercise 7-4: Implement Citrix Security and Control Template
• Exercise 7-5: Import and Apply Common Criteria GPO Security Template
• Exercise 7-6: Configure Citrix Gateway SmartControl Policies
• Exercise 7-7: Test Citrix Gateway SmartControl Policies


Key Takeaways

• Enabling TLS requires SSL certs on all VDAs and encryption setup on the VDAs and Controllers.
• Policies can be configured to reduce exposure to threats and provide secure remote access for users and administrators.
• SmartAccess and SmartControl provide enhanced security within a Citrix Gateway and Citrix Virtual Apps and Desktops infrastructure.
• Cryptographic checksums (and hashes) can be enabled on base images and files to verify whether any tampering or unauthorized changes were made.


Citrix Virtual Apps and Desktops 7 Advanced Configuration

Introduction to Troubleshooting

Module 8


Learning Objectives

• Demonstrate the appropriate methodology when troubleshooting Citrix Virtual Apps and Desktops site(s) to quickly identify issues.
• Identify the capabilities of tools and utilities commonly used to troubleshoot and monitor a Citrix Virtual Apps and Desktops environment.
• Demonstrate how to use PowerShell Cmdlets to troubleshoot a Citrix Virtual Apps and Desktops site.


Troubleshooting Methodology

• Using the appropriate methodology when troubleshooting will allow you to quickly identify current or impending issues.

[Diagram: the troubleshooting cycle: Detect the problem, Understand the problem, Recover the service, Isolate the problem, Fix the problem, Take pro-active steps to avoid repetition]

Key Notes:
• It is important that you have a consistent approach to troubleshooting. One key methodology is described here:
  • Detecting the Problem: issue identification is the first step in the troubleshooting methodology. Most issues are reported in one of three ways: end-user helpdesk tickets, monitoring tools, or observation by administrators. An additional troubleshooting method that is often overlooked is regular feedback retrieved directly from the end users. Citrix Consulting has had many encounters in which partners or customers were struggling with consistent issues, but the root cause could not be discovered until Consulting directly approached the end users to discuss the problem.
  • Understanding the Problem: next, you need to understand the problem, for which you must first know the symptoms of the issue.
    • Prioritize the problem based on:
      • How many people are impacted.
      • The importance or severity of the problem.
    • Escalate the issue when:
      • Data has been gathered and analysis is needed.
      • The issue has been persistent for an extended period of time.
    • Use resources such as online searches; this is a strong first step in identifying a problem which may be a known issue or already have documentation, potential workarounds or answers that prevent an administrator from “re-inventing the wheel.” However, caution must be exercised as to the relevancy and authenticity of public material. In real life, this stage is often very flexible. Also, this might actually be a very good stage at which to involve vendor support. If the issue prevents end users from working and impacts a large number of users, you might want to escalate it immediately. The question that you ask during this step is actually quite simple: “Why was it working yesterday and is not working today?”
  • Recovering the Service:
    • Recover the service quickly if you can provide a suitable workaround for end users. This allows users to continue working while you troubleshoot the issue.
    • In most companies, the IT department is responsible for providing technical support for the core business of the company. As soon as a technical issue affects the core business, you should address the problem even if you cannot immediately fix the cause.
    • At this stage, very often you may not know what the problem is and are not actively trying to fix it; you are just trying to make the environment fully functional again. This is very often a decision between quickly recovering the environment and finding the root cause. For example, if you have a problem that is repeated on a daily basis and the quick solution is the recovery of the database, you might invest time to actually identify the root cause. If the problem occurs once a year on an unimportant component and is solved by restarting one service, finding the root cause might be a lower priority.
  • Isolating the Problem: conditions to consider when isolating the problem:
    • Is the problem limited to certain individuals or geographical locations?
    • How many machines are affected?
    • Is the issue sporadic or does it occur at a specific time?
    • Can the issue be easily reproduced?
    • You can start randomly applying hotfixes or restarting servers, but if you understand the product well, you can actually isolate the problem.
    • Other really good questions to ask:
      • Is the problem limited to certain end device types, for example, thin clients?
      • Can the issue be reproduced on different protocols, such as RDP?
      • Does the problem exist if an end user with higher (or different) privileges launches the application?
    • This course addresses the most common problem areas for troubleshooting:
      • M03 – Problems between STF and DDC
      • M04 – Problems between DDC and SQL (or FMA services)
      • M05 – Problems between VDA and DDC
      • M06 – Problems between endpoint and VDA
  • Fixing the Problem: when implementing a fix, it is important to verify and test it to ensure that it corrects the problem, as well as to confirm that it causes no other disruptions to the production infrastructure.
    • Fix implementation guidelines:
      • Verify the fix in a test environment first.
      • Test the fix after making one change at a time.
      • Document any changes made.
      • Allow ample time to confirm that the fix resolved the issue.
      • Implement the fix during non-production hours when possible.
      • Apply the fix to all impacted production machines.
  • Taking Pro-active Steps: after resolving a problem, capture as much data as possible for root cause analysis:
    • You may wish to implement monitoring software within the infrastructure to trigger alerts if there is a risk of the issue recurring.
    • Update a maintenance schedule for the infrastructure if required.
    • Update your disaster recovery plan if appropriate.
    • This is an often-overlooked step in troubleshooting methodology. Think about what you could do to prevent the issue from occurring again. Was the whole process flawless? Did you waste too much time on some steps? Did everyone know what to do?


Resource Tools and Utilities

Key Notes:
In this lesson, we will look at a selection of tools and utilities you can use to assist in troubleshooting.


Citrix Director

• Administrators can use Director to review and monitor real-time data, as well as historical trends for session activity within a Citrix Virtual Apps and Desktops infrastructure.
• Citrix Director metrics include:
  • Session usage
  • Logon performance
  • Connection and machine failures
  • Load evaluation
  • Machine and application usage
  • Licensing status

[Diagram: an Administrator uses Citrix Director, which queries the Delivery Controller over OData and collects WMI data from the VDA]

Key Notes:
• Citrix Director allows an administrator to quickly resolve real-time issues by performing actions such as ending nonresponsive applications or processes.
• Additionally, real-time shadowing operations on the end user's machine, restarting the machine, or resetting the user profile can also be performed.
• The Dashboard provides an overview of the key aspects of a deployment, such as the status of sessions, user logons, and the site infrastructure.
• Full administrators see and manage the entire site and can perform commands for multiple users and machines.
• Delegated administration is also supported and can be used to enable access to specific tasks only.


Environment Tests

• The Environment Test service is responsible for managing and executing tests to evaluate the state of a Citrix Virtual Desktops site:
  • It can be accessed and run using Citrix Studio or PowerShell cmdlets.
  • More than 200 tests are available for reviewing infrastructure.

[Screenshot: the Studio actions Test site…, Test catalog… and Test delivery group…]

Key Notes:
• Environment Tests are one of the very underrated features in Citrix Virtual Apps and Desktops which can give a great snapshot into the environment.
• A good leading practice is to run environment tests regularly within a Site to check database connectivity, Active Directory information, MCS availability, and the state of the delivery groups and machine catalogs, in addition to other parameters.


Citrix Diagnostics Toolkit

• The Diagnostic Toolkit is a suite of individual, standalone applications, tools and utilities from both Citrix and third-party vendors.
• Tool examples include:
  • Citrix Scout
  • CDF Monitor
  • Stress Printers
  • Print Detective
  • Wireshark
  • System Dump Checker
  • Process Monitor and Explorer

Key Notes:
• It is important to understand how to use the various tools useful for troubleshooting. They should be tested outside of a working issue, when you have time to learn and understand the output and how it can be used.
• All third-party tools are downloaded and installed on demand.
• The Toolkit contains tools from Citrix, Microsoft, and other 3rd party vendors.

Additional Resources:
• Citrix Diagnostics Toolkit - 64bit Edition
https://support.citrix.com/article/CTX135075
• Reset Citrix Workspace app
https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/install.html#reset-citrix-workspace-app


Citrix Scout

• Citrix Scout is a support tool that is now widely

N
used by administrators to diagnose various

ot
environmental issues.

fo
• Scout gathers information on items such as:

rr
• Broker Service Status
• Site and Zone Information

es
• Machine Catalogs

al
• License Server information
• Hypervisor information

e
• Perform Health Checks

or
di
s tri
b ut
© 2021 Citrix Authorized Content

io
n
Key Notes:
• Citrix Scout is run from a single Delivery Controller to capture key data points and diagnostic traces. Then, the data can be securely
uploaded as a package to Citrix Technical Support.
• Key data points collected include: Hardware information, such as BIOS, and CPU information, as well as SW ‐ such as Windows
registry and event log information.
• Data captured can be upload to Citrix for automated analysis or submitted to Citrix support for review.
• Scout can be configured to capture event log messages, CDF trace messages, and machine settings.

332 © 2023 Citrix Authorized Content


• Scout also supports a CLI mode that allows unattended and scripted executions.
• Citrix Scout is now installed by default on every Controller.
• Check that company policy permits uploading the collected package to Citrix (cis.citrix.com) for analysis. Review the package before upload: the registry exports and event logs it contains can include hostnames, user names, and other data that may not be permitted to leave the organization.

Additional Resources:
• Citrix Scout
  https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/cis.html
• Citrix Scout
  https://support.citrix.com/article/CTX130147


Citrix Supportability Pack

• The Citrix Supportability Pack is a collection of tools, including the Citrix Diagnostic Toolkit, designed to help diagnose and troubleshoot Citrix Virtual Apps and Desktops products:
  • Tools help customers and partners save time and effort when testing.
  • They are not designed to replace the system administration features that Citrix Virtual Desktops provides for day-to-day system management.
  • Includes both Citrix and third-party tools.
Key Notes:
• The tools in this pack are not intended to replace the system administration features that Citrix Virtual Apps and Desktops provides for day‐to‐day system management. They are specialized utilities for advanced troubleshooting in very specific areas.
• Installing the Supportability Pack:
  1. If you have an older version of the Supportability Pack on your system (for example v1.1.x), a leading practice is to completely remove the existing pack, including all tools and files, before downloading the latest version. Version 1.2.x and later provides an Updater utility, which you can use to keep all tools up to date.
  2. Unzip the latest Supportability Pack package into a local folder of your choice.
  3. Open the README.HTML file with any web browser and begin exploring the tools catalog.
  4. Each tool is in its own folder inside the local directory Tools.
  5. The Updater, SupportabilityPackUpdater.exe, is in the same directory as README.HTML. Run "SupportabilityPackUpdater.exe /help" for information on how to use it.
• The Pack can be extracted to local drive, portable drive, USB stick, etc.
• The Citrix Health Assistant is a Windows tool that helps administrators troubleshoot configuration issues in a Citrix environment. The tool provides GUI and command line operation.
• The tool conducts the following health checks on a VDA, and reports check results in the GUI and in a log file:
  • VDA registration
  • Session Launch
  • Time Zone Redirection
  • Citrix Provisioning Event Log
  • Profile Management Configuration

Additional Resources:
• The Citrix Supportability Pack
  http://support.citrix.com/article/CTX203082
• Citrix Health Assistant ‐ Troubleshoot VDA Registration and Session Launch
  https://support.citrix.com/article/CTX207624?recommended


CDF Tracing Overview

• A Citrix Diagnostic Facility (CDF) trace provides the ability to collect real-time logs without disrupting running services or end users:
  • It can be configured to run locally in real-time, at startup, or remotely by utilizing the remote registry service.
  • You can enable trace providers with the ability to filter the retrieved data.
• There are three main components to the CDF trace process:
  • Controllers
  • Providers
  • Consumers

Controllers
• Start and stop ETW kernel-level tracing sessions.
• Enable and disable providers.
• Configure the resulting log file size and location.
• Configure the level of details to capture.
• Configure the trace buffers.

Providers
• Components which provide events (or event trace messages).
• Once registered as an ETW provider, can be enabled or disabled using a controller.

Consumers
• Consume the events from one or more trace sessions.
• View the event data as the data is created, or view the event data from a log file.

© 2022 Citrix Authorized Content
Key Notes:
• CDFControl is an event tracing tool designed for capturing the Citrix Diagnostic Facility (CDF) trace messages emitted by the various Citrix components.
• There are two primary ways to use CDF logging: CDFControl and Citrix Scout.
• CDFControl can both capture and analyze CDF traces. It can be customized to parse trace messages from a particular time period or a particular component.
• Citrix Scout captures the CDF traces and then securely uploads the data to Citrix Support.

• There are three main components to the CDF trace process: Controllers, Providers and Consumers.
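The controller, provider and consumer roles described above are the standard ETW roles, and they can be exercised with tools that ship with Windows, which is useful for understanding what CDFControl does underneath. The following is an added example, not part of the course material and not CDFControl code; it assumes an elevated PowerShell session on Windows Server 2016 or later, and uses a built-in Microsoft provider (Microsoft-Windows-Kernel-Process) in place of a Citrix CDF provider, because Citrix provider names are not listed on this page.

```powershell
# Added example (not course or Citrix code): ETW controller / provider / consumer
# roles driven with built-in Windows tools. Assumptions: elevated PowerShell on
# Windows Server 2016+; the provider below is a built-in Microsoft provider used
# for illustration, not a Citrix CDF provider.

$sessionName = 'DemoTrace'
$etlPath     = Join-Path $env:TEMP 'demo-trace.etl'
$provider    = 'Microsoft-Windows-Kernel-Process'

function Start-DemoTrace {
    # Controller: create and start a trace session, attach one provider, and cap
    # the log file so a forgotten session cannot fill the disk (-max is in MB).
    logman create trace $sessionName -p $provider -o $etlPath -max 64 -ets | Out-Null
}

function Stop-DemoTrace {
    # Controller: stop the session; buffered events are flushed to the .etl file.
    logman stop $sessionName -ets | Out-Null
}

function Read-DemoTrace {
    # Consumer: read events back from the log file (-Oldest is required for .etl files).
    Get-WinEvent -Path $etlPath -Oldest -ErrorAction SilentlyContinue |
        Where-Object ProviderName -eq $provider
}

Start-DemoTrace
# Provider side: generate a few process start/stop events while the session runs
$p = Start-Process notepad.exe -PassThru
Start-Sleep -Seconds 1
Stop-Process -Id $p.Id
Stop-DemoTrace

$events = Read-DemoTrace
"{0} events captured from {1}" -f $events.Count, $provider
$events | Select-Object -First 5 TimeCreated, Id, Message | Format-Table -AutoSize

# Leave the machine as you found it: the session is already stopped, remove the log
Remove-Item $etlPath -ErrorAction SilentlyContinue
```

The same three steps are what CDFControl performs for you: it acts as the controller for the Citrix providers you tick, and then as the consumer when it parses the resulting trace. The size cap on the log file is the detail most often forgotten when tracing is left running on a production Controller.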

Additional Resources:
• CDFControl
  https://support.citrix.com/article/CTX111961
• How to Collect a Citrix Diagnostic Facility (CDF) Trace at System Startup
  https://support.citrix.com/article/CTX127131
• How To Collect Remote CDF Tracing
  https://support.citrix.com/article/CTX237216
• Recommendations for Collecting the CDF Traces
  https://support.citrix.com/article/CTX121185
• Citrix Scout
  https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/2203‐ltsr/manage‐deployment/cis/scout.html


PowerShell Simplifies Management Integration

Diagram: before PowerShell, the management GUI (MMC), the command line, and scripts each reached Windows/server product functionality through separate technologies (.NET Framework, WMI, COM). With PowerShell, the GUI and scripts both sit on top of PowerShell, which in turn uses the .NET Framework, WMI, and COM to reach the same Windows/server product functionality.
Key Notes:
• PowerShell is most commonly used through a console (the PowerShell console and PowerShell ISE being the most popular); however, the PowerShell engine can also be hosted directly from C#.
• When Citrix refers to the “SDK”, it is not referring to a separate set of APIs or libraries; it is referring to the regular PowerShell modules.
• In Citrix Virtual Apps and Desktops, there are no APIs or libraries to import, and the same language is used by administrators and scripters as well as by professional software developers.
• For most legacy software products, the majority of functionality could be accessed only through a GUI. Automation was painful: not only did you have to combine a couple of different technologies, but you were usually limited in what could be automated.
• With modern software designs, the GUI sits on top of a PowerShell layer (as is the case with Citrix Studio), and more functionality is available from the CLI than from the GUI.

Additional Resources:
• SDKs and APIs
  https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops‐service/sdk‐api.html
• SDKs
  https://docs.citrix.com/en‐us/citrix‐cloud‐government/manage/sdk‐api.html


Lesson Objective Review

Which tools can assist in identifying the source of errors in VDA communication?

• Citrix Scout > Health Check
• CDF trace
• Citrix Diagnostic Toolkit


Introduction to PowerShell

Key Notes:
In this lesson, we will explore PowerShell topics including: the two main components that make up PowerShell, the PowerShell verb‐noun structure, and the PowerShell discovery commands (Get‐Command, Get‐Help, and Show‐Command).


PowerShell Structure

Two main components make up PowerShell:

Cmdlets
• Commands based on .NET framework classes.
• Perform an action.
• Differ from commands in other CLI-shell based structures, such as the Windows CLI.

Modules
• A set of related functionalities (cmdlets, providers, aliases, variables).
• A module can contain multiple cmdlets.
• Allows for the modularization of Windows PowerShell code.
Key Notes:
• Cmdlets are members of a module. If you know the module, you can list all cmdlets that belong to it; if you know the cmdlet, you can find its parent module and then list all of that module's members.
• For example, if you know the command Start‐ScheduledTask, you can find the module it belongs to (Get‐Command Start‐ScheduledTask | Select Module), and then find all the commands that are available for scheduled tasks (Get‐Command –Module ScheduledTasks).
• This is a very important concept of PowerShell. You can easily spend hours discovering new modules and cmdlets without using internet searches or reading a book.
• With a solid understanding of PowerShell, you can learn new PowerShell modules (such as those for Citrix Virtual Desktops) without reading through the help documentation.
• To view the list of Citrix modules, type “Get‐Command –Module Citrix.* | Select ModuleName –Unique” in PowerShell.
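The cmdlet-to-module-to-siblings walk described in the notes, written out as a reusable function and then applied to the Citrix modules. This is an added example, not course code; it assumes a Delivery Controller where the Citrix cmdlets are loaded with Add-PSSnapin Citrix* (alias asnp), and uses the built-in ScheduledTasks module as a control that works on any Windows machine.

```powershell
# Added example (not course code). Walk from a cmdlet to its module and back to the
# module's full member list, then inventory the Citrix modules. Assumption: on a
# Delivery Controller the Citrix cmdlets are loaded with Add-PSSnapin Citrix*
# (alias: asnp Citrix*); ScheduledTasks is a built-in Windows module used as a control.

function Get-CmdletFamily {
    param([Parameter(Mandatory)][string]$Name)

    # ModuleName is populated for cmdlets that come from modules and from snap-ins alike
    $cmd = Get-Command -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Cmdlet   = $cmd.Name
        Module   = $cmd.ModuleName
        Siblings = (Get-Command -Module $cmd.ModuleName | Sort-Object Name).Name
    }
}

# Built-in module: where does Start-ScheduledTask live, and what else is there?
$family = Get-CmdletFamily -Name Start-ScheduledTask
"{0} belongs to {1}, which exposes {2} commands" -f $family.Cmdlet, $family.Module, $family.Siblings.Count
$family.Siblings | Where-Object { $_ -like '*-ScheduledTask' }

# Citrix modules: load the snap-ins, then list each module with its cmdlet count
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue
Get-Command -Module Citrix.* |
    Group-Object ModuleName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Module'; e = { $_.Name } }, @{ n = 'Cmdlets'; e = { $_.Count } }
```

Run on a Controller, the last pipeline gives the per-module counts behind the "over 700 cmdlets" figure quoted later in this module, and the first half shows the discovery loop (name, module, siblings) that the rest of the lesson builds on.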

Additional Resources:
• Citrix Virtual Apps and Desktops SDK PowerShell
  https://citrix.github.io/delivery‐controller‐sdk/
• Citrix Virtual Apps and Desktops: Basic PowerShell Cmdlets for Delivery Controller's Health Check
  https://support.citrix.com/article/CTX238581
• SDKs and APIs
  https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops‐service/sdk‐api.html
• SDKs
  https://docs.citrix.com/en‐us/citrix‐cloud‐government/manage/sdk‐api.html


Cmdlet Syntax

Verb (predefined list)   Noun (variable; examples)
Get                      Date
New                      Process
Start                    Task
Remove                   Event Log
…                        …
Key Notes:
• PowerShell uses a "verb‐noun" naming system to perform actions. Each cmdlet name consists of a standardized verb, hyphenated with a specific noun, to create a specific function.
• This is one of the most important early concepts of PowerShell. All cmdlets use the verb‐noun syntax, where the “verb” part comes from a predefined list of approved verbs that does not change.
• The full syntax is module\verb‐noun. For example, Get‐Process can be called as Microsoft.PowerShell.Management\Get‐Process. This allows the same cmdlet name to exist in multiple modules; however, such name collisions are not recommended and should be avoided where possible.
• When you are trying to find the command to do something, start by thinking about the verb: do you want to remove something, or start something?
• Because the PowerShell verb list is static, you can use the cmdlet Get‐Verb to retrieve the list of verbs available for use.

Additional Resources:
• Technet
  https://social.technet.microsoft.com/wiki/contents/articles/4537.powershell‐approved‐verbs.aspx
• Learning PowerShell command names
  https://docs.microsoft.com/en‐us/powershell/scripting/learn/learning‐powershell‐names?view=powershell‐6


PowerShell in Citrix Virtual Apps and Desktops

• Citrix Studio runs PowerShell under the hood.
• Follows leading practices from Microsoft.
• Contains over 40 modules.
• Contains over 700 cmdlets.
Key Notes:
• This is a very short introduction to PowerShell. Its capabilities are extensive.
• Everything you do in Citrix Studio is actually executed as a PowerShell command, and Virtual Apps and Desktops is one of the products where not only is everything in the UI supported for automation, but you actually have more options when you use the CLI.
• The latest release of Citrix Virtual Apps and Desktops contains over 700 PowerShell cmdlets.
• The most important lesson is that PowerShell is not a scripting language that needs to be memorized; it is designed to be discovered.
• StoreFront contains 25 modules; Virtual Apps and Desktops contains 17 modules.
• StoreFront contains 100+ cmdlets, while Citrix Virtual Desktops contains 600+ cmdlets.
• Citrix Virtual Desktops also includes two providers: Citrix.Hypervisor (XDHyp:\) and CitrixGroupPolicy (LocalGpo:\ and Templates:\).

Additional Resources:
• Citrix Virtual Apps and Desktops SDK PowerShell
  https://citrix.github.io/delivery‐controller‐sdk/
• Citrix Virtual Apps and Desktops Basic PowerShell Cmdlets for Delivery Controller's Health Check
  https://support.citrix.com/article/CTX238581
• SDKs and APIs
  https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops‐service/sdk‐api.html
• SDKs
  https://docs.citrix.com/en‐us/citrix‐cloud‐government/manage/sdk‐api.html


Citrix Virtual Apps and Desktops Cmdlets Syntax

Verb-ModuleNoun:
• Citrix Virtual Desktops cmdlets are based on Microsoft’s naming conventions.
• The noun is prefixed with the Citrix Virtual Desktops service name.

Broker
• Prefix: Broker
• Examples: Get-BrokerDesktop, Get-BrokerSite, Get-BrokerController

MCS
• Prefix: Prov
• Examples: Get-ProvTask, New-ProvScheme

AD Identity Service
• Prefix: Acct
• Examples: Get-AcctIdentityPool, Get-AcctADAccount
Key Notes:
• While many people are familiar with the verb‐noun syntax (covered previously), fewer know that the full syntax also includes the module name, at least in a shortened form.
• The full syntax includes the module prefix as well: Module\Verb‐ModuleNoun.
• With a plain verb‐noun name there is a real risk of conflict with other modules. For example, a Get‐Session cmdlet could apply to many different products; therefore, in the Citrix Virtual Desktops implementation the noun is prefixed with a short module name (Get‐BrokerSession). With the full syntax, its name is Citrix.Broker.Admin.V2\Get‐BrokerSession.
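The three naming layers just described (approved verb, service prefix on the noun, module-qualified name) can be checked against a live Controller. The following is an added example, not course code; it assumes the Citrix snap-ins are loaded with Add-PSSnapin Citrix* on a Delivery Controller, and the prefix extraction is a heuristic (the leading capitalised word of the noun) that matches Broker, Prov and Acct but is not a Citrix rule.

```powershell
# Added example (not course code). Shows how the verb list, the service prefix on the
# noun and the module-qualified name fit together for Citrix cmdlets. Assumption: run
# on a Delivery Controller after Add-PSSnapin Citrix*.

Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

function Get-CitrixCmdletByPrefix {
    # Split every Citrix cmdlet name into Verb and Noun, and take the noun's leading
    # capitalised word as the service prefix (Broker, Prov, Acct, ...). Heuristic only.
    Get-Command -Module Citrix.* -CommandType Cmdlet |
        ForEach-Object {
            $verb, $noun = $_.Name -split '-', 2
            [pscustomobject]@{
                Module = $_.ModuleName
                Verb   = $verb
                Prefix = ($noun -creplace '^([A-Z][a-z]+).*$', '$1')
                Name   = $_.Name
            }
        }
}

$all = Get-CitrixCmdletByPrefix

# 1. Every verb Citrix uses should come from the approved list (expected: no output)
$approved = (Get-Verb).Verb
$all | Where-Object { $_.Verb -notin $approved } | Select-Object Name, Verb

# 2. Which service prefixes exist, and how many cmdlets carry each?
$all | Group-Object Prefix | Sort-Object Count -Descending | Select-Object Name, Count

# 3. Which verbs are used with the Broker prefix? (Get, Set, New, Remove, Add, ...)
$all | Where-Object Prefix -eq 'Broker' | Group-Object Verb | Sort-Object Count -Descending | Select-Object Name, Count

# 4. Module-qualified call: unambiguous even if another module also defines Get-BrokerSession
Citrix.Broker.Admin.V2\Get-BrokerSession -MaxRecordCount 5 | Select-Object UserName, SessionState
```

Step 4 is the form to use in scripts that run on machines with other vendors' modules loaded; a bare Get-BrokerSession resolves to whichever module was imported last.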



Lab Exercise Prep

Please take a moment and provision your lab for Module 8.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision; just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Using Get-Command

• Use Get-Command to list all PowerShell commands that are installed on the computer.
• Use Get-Command to find the specific command you need.
  • * Wildcards are supported.

Examples:
• Get-Command Get-*User –Module Citrix*
• Get-Command –Module Citrix.Broker.Admin.V2
• Get-Command *IP* -Module *Net*
Key Notes:
• You can’t run a command without knowing its name. This is why Get‐Command is one of the most important cmdlets.
• Get‐Command on its own has limited usefulness, as it only lists all the available commands. However, when used to list the cmdlets in a single module or with wildcards, it provides much more focused output and can greatly assist an administrator in isolating the commands they need.
• You can use the auto‐complete feature, via the TAB key, as another approach to finding commands.
• Auto‐complete is a very useful feature of PowerShell: start typing a command and press Tab to complete it.
  • For example, type Get‐Pro*ess and press Tab. It is automatically changed to Get‐Process (unless you have other cmdlets that match the pattern).
  • Get‐Pro*ess
  • Set‐*Network*Adapter
• PowerShell ISE (an enhanced version of the PowerShell console) provides context menus as well.

Additional Resources:
• Get‐Command Module: Microsoft.PowerShell.Core
  https://technet.microsoft.com/en‐us/library/hh849711.aspx


Using Get-Help

• Displays information about Windows PowerShell commands and concepts.
• Once you identify the command using Get-Command, you can learn how to use it with Get-Help.

Examples:
• Get-Help Start-EnvTestTask –Examples
• Get-Help Get-BrokerController –Full
Key Notes:
• The Get‐Command allows you to find the right command to do the task you have to perform.
• The next step is to use Get‐Help to find more information about it, such as what are the arguments, what are the examples of usage,
and so on.
• Get‐Help also has some useful switches:
• To show examples of usage ‐ Get‐Help Start‐EnvTestTask –Examples
• To display the entire help topic for a cmdlet ‐ Get‐Help Get‐BrokerController –Full

Additional Resources:
• Get‐Help Module: Microsoft.PowerShell.Core
  https://technet.microsoft.com/en‐us/library/hh849696.aspx


Using Show-Command

• Show-Command is used to generate a UI for any PowerShell command.
• It can be used as a replacement for both Get-Command and Get-Help.

Examples:
• Show a UI to browse available cmdlets: Show-Command
• Show a UI for the Get-Process cmdlet: Show-Command Get-Process
Key Notes:
• The Show‐Command allows you to use any existing cmdlet and build a GUI for it automatically.
• It allows you to browse through available modules and cmdlets.
• While more senior administrators will probably prefer to use a combination of Get‐Command\Get‐Help, Show‐Command can be very
helpful for anyone, especially during their first interactions with PowerShell.
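Get-Command, Get-Help and Show-Command are three views of the same information: the command's parameter sets, which parameters are mandatory, and worked examples. The following added example (not course code) pulls those pieces out programmatically, which is what you want once the discovery step is repeated often enough to script. It assumes a Delivery Controller with Add-PSSnapin Citrix* so that Get-BrokerController exists, and falls back to the built-in Get-Process elsewhere.

```powershell
# Added example (not course code). Turn the Get-Command / Get-Help pair into a
# reusable pre-flight check: which parameter sets a cmdlet has, which parameters
# are mandatory in each, and the worked examples from its help. Assumption: on a
# Delivery Controller with Add-PSSnapin Citrix*; falls back to Get-Process elsewhere.

function Get-CmdletUsage {
    param([Parameter(Mandatory)][string]$Name)

    $cmd    = Get-Command -Name $Name -ErrorAction Stop
    $common = [System.Management.Automation.Cmdlet]::CommonParameters   # -Verbose, -ErrorAction, ...

    # One row per parameter set, separating what you must supply from what you may
    $sets = foreach ($set in $cmd.ParameterSets) {
        [pscustomobject]@{
            ParameterSet = $set.Name
            Mandatory    = ($set.Parameters | Where-Object IsMandatory).Name -join ', '
            Optional     = ($set.Parameters | Where-Object { -not $_.IsMandatory -and $_.Name -notin $common }).Name -join ', '
        }
    }

    # Examples come from the cmdlet's help; -Full is what the slide suggests
    $help = Get-Help -Name $Name -Full -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Cmdlet        = $cmd.Name
        Module        = $cmd.ModuleName
        ParameterSets = $sets
        Examples      = @($help.examples.example | ForEach-Object { ($_.code -join "`n").Trim() })
    }
}

Add-PSSnapin Citrix* -ErrorAction SilentlyContinue
$target = if (Get-Command Get-BrokerController -ErrorAction SilentlyContinue) { 'Get-BrokerController' } else { 'Get-Process' }

$usage = Get-CmdletUsage -Name $target
"{0} ({1})" -f $usage.Cmdlet, $usage.Module
$usage.ParameterSets | Format-Table -AutoSize
$usage.Examples | Select-Object -First 2
```

Show-Command renders exactly the ParameterSets table above as tabs in its dialog, which is why the course presents it as a substitute for the two text commands for new administrators.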

Additional Resources:
• Show‐Command Module: Microsoft.PowerShell.Utility
  https://technet.microsoft.com/en‐us/library/hh849915.aspx


Lesson Objective Review

Which PowerShell command can be used to review available loaded commands?

• Get-Command


Lab Exercise

• Exercise 8-1: Use Get-Command
• Exercise 8-2: Use Get-Help
• Exercise 8-3: Use Show-Command


Key Takeaways

• Using the appropriate methodology to troubleshoot issues will quickly isolate and identify solutions to reduce downtime in the environment.
• Citrix Director is a prime administrator tool for reviewing real-time and historical data and resolving issues.
• There are several resources available to assist in troubleshooting and monitoring a Citrix Virtual Apps and Desktops site, such as the Citrix Supportability Pack.
• PowerShell provides an advanced approach to identifying and troubleshooting the Citrix Virtual Apps and Desktops site.


Citrix Virtual Apps and Desktops 7 Advanced Configuration

Troubleshoot Access Issues

Module 9


Learning Objectives

• Identify common StoreFront authentication, enumeration, and Store subscription problems and their troubleshooting methods.
• Describe the session launch workflow when accessing published resources through Citrix ADC or Citrix Gateway.
• Identify common Citrix ADC and Citrix Gateway access issues and how to troubleshoot them.
• Identify common Citrix ADC/Gateway resource launch issues and how to troubleshoot them.


Troubleshooting StoreFront

Key Notes:
• In this lesson, we will look at how to troubleshoot Citrix StoreFront enumeration and session launch related issues.


Troubleshooting StoreFront

Diagram: the components involved in a resource request and where issues surface. End User PC → StoreFront (enumeration issues) → Delivery Controller (DDC) (site issues) → VDA (registration issues). The Controller depends on the Site Database (site issues) and the License Server (license issues); connection issues appear on the path between the end user PC and the VDA.

Key Notes:
• Depending on whether you are logging in, viewing apps and desktops, or connected to a session, different Citrix Virtual Apps and Desktops components and communication paths determine where troubleshooting should begin.


Credential Wallet

• Only used with explicit authentication (username + password); errors are recorded in the local StoreFront server logs.
• Allows multiple authentication requests to be serviced without prompting for username and password.
• Uses a Windows service that stores encrypted passwords in an in-memory cache, used later for authenticating users. This service should be checked for hung or error states when troubleshooting issues with username + password authentication.
• Setting the Citrix Credential Wallet service to a delayed start can reduce hangs.
Key Notes:
• The credential wallet retains credentials temporarily so that they can be supplied automatically on subsequent requests, reducing the need for multiple prompts to the user.
• If authentication fails, check the Event Viewer on each StoreFront server to ensure that no credential errors are present.
• When troubleshooting authentication issues, ensure that the Citrix Credential Wallet service is set to delayed start and is started on each StoreFront server; a stopped or hung Credential Wallet service is a common cause of username + password failures.


Enumeration

• Multiple issues can cause failure to enumerate.
• Most common issues include:
  • XML broker is unavailable.
  • Authentication failed for the end user.
  • End user has not been granted access to desktops or applications.
  • SQL server is unavailable.
• Troubleshooting
  • Use the Citrix toolkit to validate configurations.
  • Verify SQL ports, user accounts, and databases are correct.

Diagram: User → StoreFront → Delivery Controller → Database.
Key Notes:
• Subscription Store issues do not prevent enumeration from proceeding. When access to the Subscription Store fails, StoreFront continues enumeration but indicates that subscriptions are not available. This affects personalisation and other non‐critical features.
• The XML Broker being unavailable results in failed enumeration and can occur for a number of reasons, such as the XML service being offline.
• If pass‐through or smart card authentication is used, you must enable Trust requests sent to the XML service on the Delivery Controller so that it trusts the XML requests sent from StoreFront. To do so:
  1. Load the Citrix cmdlets by typing asnp Citrix*. (including the period).
  2. Type Add‐PSSnapin citrix.broker.admin.v2 (asnp is an alias for Add‐PSSnapin, so this loads the same snap‐in if step 1 did not).
  3. Type Set‐BrokerSite ‐TrustRequestsSentToTheXmlServicePort $True.
  4. Close PowerShell.
  With this setting enabled, the Controller cannot distinguish a StoreFront request from a request sent by any other host that can reach the XML service port, so restrict access to that port to the StoreFront servers (firewall or IPsec) and use HTTPS for the XML traffic.
• Additional authentication, and therefore enumeration, failures may result from incorrect credentials, network communication issues, or Active Directory validation problems.
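The enumeration dependencies listed above (Broker service up, Site database reachable, at least one active Controller, XML port listening, XML trust set only where pass-through or smart card requires it) can be checked in one pass on a Controller. The following is an added example, not course code; it assumes the Citrix.Broker.Admin.V2 snap-in is installed and that the XML service is on TCP 80 (pass 443 if you moved it to HTTPS). The StoreFront hostname in the final step is a placeholder.

```powershell
# Added example (not course code): prerequisite checks behind StoreFront enumeration,
# run on a Delivery Controller. Assumptions: Citrix.Broker.Admin.V2 snap-in installed;
# the XML service listens on TCP 80 unless you changed it to HTTPS (443).

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Test-EnumerationPrerequisites {
    param([int]$XmlPort = 80)

    $site = Get-BrokerSite
    $db   = Get-BrokerDBConnection          # empty or unreachable -> Site/SQL issue, not StoreFront
    [pscustomobject]@{
        SiteName          = $site.Name
        BrokerService     = (Get-BrokerServiceStatus).ServiceStatus
        DbConnection      = if ($db) { $db -replace 'Password=[^;]*', 'Password=***' } else { '<none>' }
        ActiveControllers = (Get-BrokerController | Where-Object State -eq 'Active').DNSName -join ', '
        XmlPortListening  = [bool](Get-NetTCPConnection -LocalPort $XmlPort -State Listen -ErrorAction SilentlyContinue)
        XmlTrustEnabled   = $site.TrustRequestsSentToTheXmlServicePort
    }
}

$check = Test-EnumerationPrerequisites
$check | Format-List

# XML trust is needed only for pass-through and smart card. Enabling it means the
# Controller accepts XML requests from any host that can reach the port, so restrict
# that port to the StoreFront servers at the firewall before turning it on.
if (-not $check.XmlTrustEnabled) {
    Write-Warning 'XML trust is off: pass-through and smart card users will fail enumeration.'
    # Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# From a StoreFront server, confirm the path to the XML port (placeholder hostname)
# Test-NetConnection -ComputerName ddc01.example.com -Port 80 -InformationLevel Detailed
```

Reading the result top to bottom follows the order in which enumeration fails: no Broker service or no database connection is a Site problem; no active Controller or a closed port is a network or service problem; only the trust flag is a StoreFront-facing configuration choice.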

Additional Resources:
• StoreFront Current Release
  https://docs.citrix.com/en‐us/storefront/current‐release.html
• Troubleshoot StoreFront
  https://docs.citrix.com/en‐us/storefront/current‐release/troubleshoot.html
• XML service‐based authentication
  https://docs.citrix.com/en‐us/storefront/current‐release/configure‐authentication‐and‐delegation/xml‐authentication.html
• User authentication
  https://docs.citrix.com/en‐us/storefront/current‐release/plan/user‐authentication.html
• Citrix Broker Service Events
  https://docs.citrix.com/en‐us/citrix‐virtual‐apps‐desktops/downloads/broker_events.htm


Subscription Store

• Users may no longer be able to save or view their Favorites if an issue occurs with the Subscription Store.
• Problems may include:
  • The Citrix StoreFront Subscriptions Store Service.
  • Subscription replication or synchronization problems.
• Troubleshooting
  • Use PowerShell to validate synchronization status.
  • Verify replication times are configured correctly for different time zones.

Screenshots: "Expected" (Favorites shown) versus "Failure" (Favorites unavailable).
Key Notes:
• The Subscription Store is what lets a user customize their apps and desktops view in Citrix StoreFront. If the StoreFront Subscriptions Store service stops, users' customized views may not be available.
• To address the most common subscription‐related issues, start by restarting the Citrix Subscriptions Store service.
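The Credential Wallet notes earlier in this lesson and the Subscription Store notes above both come down to the same first check: is the service running, how does it start, and what has it logged recently. The following is an added example, not course code, that performs that check for both services on a StoreFront server. The service display names and the event log name are assumptions taken from a typical StoreFront installation; adjust the patterns if your server names them differently.

```powershell
# Added example (not course code): StoreFront-side health check for the Credential
# Wallet and Subscriptions Store services, plus recent errors from the StoreFront log.
# Assumptions (adjust if your server differs):
#   Credential Wallet service display name starts with 'Citrix Credential Wallet'
#   Subscriptions Store service display name starts with 'Citrix Subscriptions Store'
#   StoreFront writes to the 'Citrix Delivery Services' event log

function Get-StoreFrontServiceHealth {
    param([string[]]$DisplayNamePattern = @('Citrix Credential Wallet*', 'Citrix Subscriptions Store*'))

    foreach ($pattern in $DisplayNamePattern) {
        $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "No service matches '$pattern'"; continue }
        # Win32_Service exposes start mode and the delayed-start flag that Get-Service does not
        $cim = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        [pscustomobject]@{
            DisplayName  = $svc.DisplayName
            Name         = $svc.Name
            Status       = $svc.Status            # StartPending/StopPending that persists = hung
            StartMode    = $cim.StartMode
            DelayedStart = $cim.DelayedAutoStart
        }
    }
}

$health = Get-StoreFrontServiceHealth
$health | Format-Table -AutoSize

# Anything not Running (Stopped, or stuck in a Pending state) gets a restart
foreach ($s in $health | Where-Object Status -ne 'Running') {
    Write-Warning "$($s.DisplayName) is $($s.Status); restarting"
    Restart-Service -Name $s.Name -Force -ErrorAction Continue
}

# Delayed start for the Credential Wallet, as the slide recommends. sc.exe is used
# because Set-Service on Windows PowerShell 5.1 cannot set delayed-auto.
$wallet = $health | Where-Object DisplayName -like 'Citrix Credential Wallet*'
if ($wallet -and -not $wallet.DelayedStart) { sc.exe config $wallet.Name start= delayed-auto | Out-Null }

# Recent errors from the StoreFront log: the first place to look for credential failures
Get-WinEvent -FilterHashtable @{ LogName = 'Citrix Delivery Services'; Level = 2; StartTime = (Get-Date).AddHours(-24) } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

Run this on every server in the StoreFront server group, not just the one you happen to be logged on to: the Credential Wallet cache is per server, so a load-balanced user can see failures from one node only.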

Additional Resources:
• Citrix StoreFront 3.0 Unable to save favorites in StoreFront
  https://support.citrix.com/article/CTX222649
• Troubleshoot StoreFront
  https://docs.citrix.com/en‐us/storefront/current‐release/troubleshoot.html
• Store Front 3.12 | Automatic Subscription store synchronization between two servers
  https://support.citrix.com/article/CTX236466
• Subscription Synchronization Does Not Work Among Multiple StoreFront Clusters
  https://support.citrix.com/article/CTX206153
• What Subscriptions and Server Groups Mean for StoreFront Designs
  https://www.citrix.com/blogs/2014/10/10/what‐subscriptions‐and‐server‐groups‐mean‐for‐storefront‐designs/


Lesson Objective Review

What are the most common enumeration issues that can be encountered in StoreFront?

• Problems with one or more of the XML brokers in a Site.
• Authentication failures for end user(s).
• Published desktops or applications not properly configured for end user(s).


Citrix ADC and Citrix Gateway
Workflow and Troubleshooting Overview

Key Notes:
In this lesson, we will look at the workflow of Citrix ADC and Citrix Gateway connections to assist with troubleshooting.


Troubleshooting Citrix ADC/Gateway

• Problems accessing published resources through Citrix ADC/Gateway fall into the following categories:
  • Authentication
  • Enumeration
  • Launching
• Test direct access through StoreFront in order to isolate the issue to the Gateway component.
Key Notes:
• When issues occur accessing resources through the Citrix Gateway, we can quickly determine whether the issue really lies with the Citrix Gateway by testing connectivity directly against StoreFront. The design of any Citrix Virtual Apps and Desktops site should therefore ensure that StoreFront can provide the same access directly as it does through Citrix Gateway.
• Testing access via Citrix StoreFront may require internal access. Once verified, it can be determined whether the root of the issue is with the Citrix Gateway. If you can access the resource using Citrix StoreFront but not through Citrix Gateway, the investigation can focus on the Citrix Gateway component.

Additional Resources:
• Support and services for Citrix Gateway
  https://www.citrix.com/products/citrix‐gateway/support.html
• Citrix Gateway
  https://docs.citrix.com/en‐us/citrix‐gateway.html


Complete Connections and Communication
Citrix ADC and Citrix Gateway Authentication

Diagram: New York City (NYC) hosts Zone 1 (Primary) with the infrastructure (Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB) and resources (desktops and apps). San Francisco (SFO) and Miami (MIA) are satellite zones (Zone 2 and Zone 3), each with its own Citrix Gateway, StoreFront, Delivery Controller, and resources. Numbered flow for external authentication: (1) end user device to Citrix Gateway, (2) user enters credentials, (3) Citrix Gateway to Active Directory, (4) Active Directory validates the credentials.
Key Notes:
• It is important to understand the process through which authentication, enumeration, and session traffic flows.
• For the external process using Citrix Gateway (shown in purple), each stage can be troubleshot as follows:
  • (1) The end user device accesses the Citrix Gateway authentication page via the remote access URL.
    • Ensure the URL is externally accessible and not blocked by a firewall.
    • Certificates on the Citrix Gateway should be valid and up‐to‐date.
  • (2) The user enters authentication credentials.
    • A common error in the authentication phase is the user mis‐typing or mis‐remembering credentials. Level 1 support should be trained to verify that credentials are valid as an initial troubleshooting step.
    • Consider implementing the Self‐Service Password Reset feature to enable end users to reset their own AD passwords without opening a support ticket.
  • (3) Citrix ADC authenticates the user via LDAP(S) to the Domain Controller.
    • If using LDAPS, ensure the appropriate certificate is in place on the Citrix ADC(s). For LDAPS the ADC is the TLS client, so the certificate that must be present is the CA certificate that validates the Domain Controller's server certificate.
    • An authentication server and authentication policy must be configured and applied to the Citrix Gateway virtual server.
  • (4) The Domain Controller validates the credentials.
    • Consider implementing a virtual IP (VIP) to load balance multiple LDAP servers and provide redundancy.
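Steps (1) and (3) above both depend on a certificate that a client will accept: the one the Gateway virtual server presents on 443, and the one the Domain Controller presents on 636 for LDAPS. The following is an added example, not course or Citrix code, that connects to an endpoint, records what the Windows chain builder thinks of the certificate, and reports expiry and name match. Hostnames are placeholders; the check runs from any Windows host that can reach the endpoints.

```powershell
# Added example (not course code): verify the certificate an endpoint actually presents,
# for the two places this workflow depends on it: the Gateway virtual server (443) and
# the LDAPS listener on a Domain Controller (636). Hostnames below are placeholders.

function Test-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $state = @{ PolicyErrors = $null }
    # Record what the OS chain builder reports, but do not abort the handshake on error,
    # so that an expired or untrusted certificate is still read and reported.
    $verify = { param($sender, $cert, $chain, $errors) $state.PolicyErrors = $errors; $true }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $verify)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            NameMatches  = [bool]($cert.DnsNameList.Unicode | Where-Object { $HostName -like $_ })
            PolicyErrors = $state.PolicyErrors      # 'None' is the only acceptable value
        }
    }
    finally { $client.Dispose() }
}

# Gateway virtual server and an LDAPS listener (placeholder names)
$results = 'gateway.example.com:443', 'dc01.example.com:636' | ForEach-Object {
    $h, $p = $_ -split ':'
    Test-TlsEndpointCertificate -HostName $h -Port ([int]$p)
}
$results | Format-Table Endpoint, Protocol, DaysLeft, NameMatches, PolicyErrors -AutoSize

# Fail loudly on anything a client would reject, or that will be rejected within a month
$results | Where-Object { $_.PolicyErrors -ne 'None' -or -not $_.NameMatches -or $_.DaysLeft -lt 30 } |
    ForEach-Object { Write-Warning "$($_.Endpoint): $($_.PolicyErrors), name match $($_.NameMatches), $($_.DaysLeft) days left" }
```

A RemoteCertificateChainErrors result on the Domain Controller line is the symptom you will see on the ADC as a failed LDAPS bind when the issuing CA certificate is missing from the appliance; a name mismatch on the Gateway line is what users see as a browser warning before they ever reach the logon page.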
Additional Resources:
• Manage Authentication Methods
  https://docs.citrix.com/en‐us/storefront/current‐release/configure‐authentication‐and‐delegation/configure‐authentication‐service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway
  https://support.citrix.com/article/CTX108876
• StoreFront 2203 XML Service‐Based authentication
  https://docs.citrix.com/en‐us/storefront/current‐release/configure‐authentication‐and‐delegation/xml‐authentication.html


Complete Connections and Communication
StoreFront Authentication

Diagram: the same three-zone layout (NYC primary zone with Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller and SQL Site DB; SFO and MIA satellite zones with their own Citrix Gateway, StoreFront, Delivery Controller and resources). Numbered flow for internal StoreFront authentication: (1) end user device to StoreFront, (2) user enters credentials, (3) StoreFront to Active Directory, (4) Active Directory validates the credentials.
Key Notes:
• It is important to understand the process by which authentication, enumeration and session traffic flows.
• For the internal process of direct StoreFront access, shown in green in the diagram, troubleshoot using the steps below.
• (1) The end user device accesses the StoreFront authentication page via the internal URL.
• The URL must be reachable by every user expected to access it directly. Exposing this URL to external users is a security risk, because external traffic would then communicate directly with a Windows machine, which is more exposed to attack than a hardened network appliance such as a Citrix ADC.
• HTTPS should be used for all communication with StoreFront, which requires valid, current certificates to be in place; over an HTTP base URL the user's credentials and session cookies cross the network in cleartext.
• (2) The user enters authentication credentials.
• A common error in the authentication phase is the user mistyping or misremembering credentials. Level 1 support should be trained to verify that the credentials are valid as an initial troubleshooting step.
• Consider implementing the Self-Service Password Reset feature so that end users can reset their own AD passwords without opening a support ticket.
• (3) StoreFront submits the credentials to a Domain Controller for validation.
• Ensure the appropriate authentication methods are selected for the Store. More complex methods such as Smart Card, Domain pass-through, or SAML authentication require additional configuration.
• (4) The Domain Controller validates the credentials.

Additional Resources:
• Manage Authentication Methods
https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/configure-authentication-service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway
https://support.citrix.com/article/CTX108876
• StoreFront 2203 XML Service-Based authentication
https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/xml-authentication.html


Complete Connections and Communication
XML Service Based Authentication

[Diagram: the XML Service-based authentication path, numbered 1-5. The end user device in San Francisco (SFO, Zone 2, satellite) reaches StoreFront in New York City (NYC, Zone 1, primary); StoreFront passes the credentials to the XML port of a Delivery Controller, which submits them to a Domain Controller in Active Directory for validation. Also shown: Citrix Gateway, License Server, SQL Site DB, and desktop/app resources in NYC, SFO and Miami (MIA, Zone 3, satellite).]
Key Notes:
• A key element of troubleshooting is to understand what occurs internally between the Citrix Virtual Apps and Desktops components.
• The XML Service-based internal process is shown in yellow in the diagram. Troubleshooting internal communications should begin with the steps below.
• (1) The end user device accesses the StoreFront authentication page via the internal URL.
• The URL must be reachable by every user expected to access it directly. Exposing this URL to external users is a security risk, because external traffic would then communicate directly with a Windows machine, which is more exposed to attack than a hardened network appliance such as a Citrix ADC.
• HTTPS should be used for the communication with StoreFront, which requires valid, current certificates to be in place.
• (2) The user enters authentication credentials.
• A common error in the authentication phase is the user mistyping or misremembering credentials. Level 1 support should be trained to verify that the credentials are valid as an initial troubleshooting step.
• Consider implementing the Self-Service Password Reset feature so that end users can reset their own AD passwords without opening a support ticket.
• (3) StoreFront submits the credentials to the XML port of a Delivery Controller.
• For this to occur, the Store's password validation setting ("Validate passwords via") must be set to "Delivery Controllers" rather than "Active Directory".
• Because the user's password now travels over the StoreFront-to-Controller XML connection, that connection should use HTTPS; over plain HTTP the password crosses the network in cleartext.
• (4) The Delivery Controller submits the credentials to a Domain Controller.
• Ensure that communications between the Delivery Controllers and the AD Domain Controllers are allowed through the firewalls in your environment.
• (5) The Domain Controller validates the credentials.
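Added here as a worked example (it is not part of the Citrix course material): a StoreFront-side check of step (3) above. Run on a StoreFront server, it lists every Delivery Controller behind the Store, tests the configured XML port from the StoreFront server, and flags farms whose XML transport is HTTP, because with "Validate passwords via: Delivery Controllers" the user's password travels over that connection. It uses the StoreFront PowerShell SDK; the Store path /Citrix/Store, the ImportModules.ps1 location and the farm property names (Servers, Port, TransportType) are assumptions to confirm against Get-STFStoreFarm | Format-List in your own deployment.

```powershell
# Added example (not Citrix course code): StoreFront -> Delivery Controller XML port check.
# Run in an elevated PowerShell session on a StoreFront server.
# Assumption: the StoreFront SDK import script is at its default location.
& "$Env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

function Get-StfXmlFarmReport {
    param(
        [string]$StoreVirtualPath = '/Citrix/Store'   # assumption: default Store path
    )
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    if (-not $store) { throw "No Store found at $StoreVirtualPath" }

    foreach ($farm in (Get-STFStoreFarm -StoreService $store)) {
        # TransportType is HTTP, HTTPS or SSL (SSL Relay). Anything but HTTPS/SSL means the XML
        # request, and with Delivery Controller password validation the password itself, is sent in cleartext.
        $transport = "$($farm.TransportType)"
        foreach ($server in $farm.Servers) {
            $reachable = Test-NetConnection -ComputerName $server -Port $farm.Port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
            $finding = if (-not $reachable) { 'XML port not reachable from StoreFront (firewall, DNS or controller down)' }
                       elseif ($transport -eq 'HTTP') { 'Cleartext XML transport; configure HTTPS on the controllers and the Store' }
                       else { 'OK' }
            [pscustomobject]@{
                Farm       = $farm.FarmName
                Controller = $server
                Port       = $farm.Port
                Transport  = $transport
                Reachable  = $reachable
                Finding    = $finding
            }
        }
    }
}

Get-StfXmlFarmReport | Format-Table -AutoSize -Wrap
```

A controller that is unreachable on its XML port here is the same condition the enumeration and XML-based password validation steps will fail on, so this is a quick way to separate a firewall or controller outage from an authentication-method misconfiguration in the Store.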

Additional Resources:
• Manage Authentication Methods
https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/configure-authentication-service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway
https://support.citrix.com/article/CTX108876
• StoreFront 2203 XML Service-Based authentication
https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/xml-authentication.html


Lesson Objective Review

• To narrow down a resource enumeration failure when using HTTPS, which component should we remove from the process to help troubleshoot it further?

Citrix Gateway (test Direct Access to StoreFront; if enumeration then succeeds, the problem lies with the Gateway configuration rather than with StoreFront or the Delivery Controllers).


Citrix ADC and Citrix Gateway
Troubleshooting Access and Authentication

Key Notes:
In this lesson, we will further investigate access and authentication issues when using the Citrix ADC or Citrix Gateway.


Login Page Not Accessible

• Citrix Gateway Error: 403 - Forbidden: Access is Denied.
• Authentication to the Citrix Gateway via StoreFront can return a 403 error for several reasons. The issue can also occur post-authentication.

Parameters and Configurations to check:
• The intermediate and root certificates in the Citrix Gateway console, under Traffic Management > SSL, are not linked properly.
• The Citrix Gateway session policy settings for the Store URL and Name are not spelled correctly.
• The StoreFront address in the Citrix Gateway Session Profile does not match the site address in StoreFront.
• The callback address is not set to HTTPS.
• There is no DNS host entry on StoreFront pointing to the Citrix Gateway virtual server.
• The Root CA is an internal CA, and its certificate has not been added to both StoreFront and Citrix Gateway, so there is no trust between them.

© 2021 Citrix Authorized Content
Key Notes:
• When you receive a 403 error post-authentication, there is normally a trust issue with certificates.
• Rebuild the trust between the StoreFront server and the Citrix Gateway. Causes include expired or incorrectly linked certificates, a missing internal root CA on either side, and naming or DNS issues.
• Some common parameters and configurations to check are highlighted in the slide.
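The following PowerShell is an added example, not Citrix course code, that checks the slide's trust conditions from the StoreFront side: for each Gateway registered in StoreFront it confirms the callback URL is HTTPS, that the callback host resolves on the StoreFront server, and that the certificate the Gateway presents chains to a root this StoreFront server trusts (the internal-CA case above). It assumes the default SDK import script path and that Get-STFRoamingGateway exposes Name, GatewayUrl and CallbackUrl; confirm those with Get-STFRoamingGateway | Format-List.

```powershell
# Added example (not Citrix course code): check each Gateway registered in StoreFront for the
# trust conditions on this slide: HTTPS callback URL, name resolution from the StoreFront server,
# and a Gateway certificate chain that this StoreFront server trusts.
# Run on a StoreFront server. Assumptions: default SDK import script path; Get-STFRoamingGateway
# exposes Name, GatewayUrl and CallbackUrl (confirm with Get-STFRoamingGateway | Format-List).
& "$Env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

function Get-RemoteCertificateReport {
    param([Parameter(Mandatory)][Uri]$Uri, [int]$TimeoutMs = 5000)
    $report = [ordered]@{ Host = $Uri.DnsSafeHost; Port = $Uri.Port; Subject = $null; NotAfter = $null; ChainOk = $false; ChainStatus = 'not tested' }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $async = $client.BeginConnect($Uri.DnsSafeHost, $Uri.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to $($Uri.DnsSafeHost):$($Uri.Port) timed out" }
        $client.EndConnect($async)
        # Accept whatever the server presents during the handshake; trust is evaluated explicitly below
        # with X509Chain against this machine's certificate stores, which is what StoreFront relies on.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Uri.DnsSafeHost)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $report.ChainOk = $chain.Build($cert)
        $report.ChainStatus = if ($report.ChainOk) { 'trusted' } else { ($chain.ChainStatus | ForEach-Object { "$($_.Status)" }) -join ',' }
        $report.Subject  = $cert.Subject
        $report.NotAfter = $cert.NotAfter
    } catch {
        $report.ChainStatus = "error: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$report
}

function Test-StfGatewayTrust {
    foreach ($gw in Get-STFRoamingGateway) {
        $findings = New-Object System.Collections.Generic.List[string]
        if (-not $gw.CallbackUrl) {
            $findings.Add('No callback URL configured (StoreFront uses it to verify the Gateway session; required for SmartAccess)')
        } else {
            $callback = [Uri]"$($gw.CallbackUrl)"
            if ($callback.Scheme -ne 'https') { $findings.Add('Callback URL is not HTTPS') }
            if (-not (Resolve-DnsName -Name $callback.DnsSafeHost -ErrorAction SilentlyContinue)) {
                $findings.Add("StoreFront cannot resolve $($callback.DnsSafeHost); add a DNS or hosts entry for the Gateway VIP")
            } else {
                $cert = Get-RemoteCertificateReport -Uri $callback
                if (-not $cert.ChainOk) {
                    $findings.Add("Gateway certificate not trusted here ($($cert.ChainStatus)); import the internal root/intermediate CA on StoreFront and check certificate links under Traffic Management > SSL")
                } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                    $findings.Add("Gateway certificate expires $($cert.NotAfter.ToString('u'))")
                }
            }
        }
        [pscustomobject]@{
            Gateway  = $gw.Name
            Url      = "$($gw.GatewayUrl)"
            Callback = "$($gw.CallbackUrl)"
            Status   = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
        }
    }
}

Test-StfGatewayTrust | Format-Table -AutoSize -Wrap
```

A ChainStatus of UntrustedRoot or PartialChain is the certificate side of the 403: StoreFront cannot validate the Gateway's callback certificate, so the trust described in the Key Notes has to be rebuilt before anything else is changed. The script does not check that the certificate's names match the callback host; do that against the Subject and Subject Alternative Name values it reports.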

Additional Resources:
• Error: "403 - Forbidden: Access is Denied" After Log on to Citrix Gateway
https://support.citrix.com/article/CTX206900
• How to Configure Citrix Gateway with StoreFront and App Controller
https://support.citrix.com/article/CTX139319
• Error: 403 forbidden | Post authentication when accessing through Citrix Gateway
https://support.citrix.com/article/CTX208697


Unable to Authenticate through Citrix Gateway
Two-factor authentication fails with the error "user credentials are invalid" when logging on to the Citrix Gateway.

Problem and Cause example:
• Issue: The aaad.debug output shows an attempt to authenticate with the RADIUS server; the user trying to log on is, however, rejected.
• Problem: The RADIUS server is rejecting the data being sent from the Citrix Gateway.

Troubleshooting Authentication:
• Isolation: Authentication processing in Citrix Gateway is handled by the Authentication, Authorization, and Auditing (AAA) daemon.
• Troubleshooting: Review the raw event output from the audit daemon using the aaad.debug module.
• aaad.debug is a named pipe, not a flat file; nothing is displayed or logged until something reads from it.
• The cat command can be used to view the output or redirect it to a file.
Key Notes:
• Reading aaad.debug is key to understanding where errors occur in the Citrix Gateway or Citrix ADC authentication process. From the appliance shell, run "cat /tmp/aaad.debug" (optionally redirected to a file) and then reproduce the logon.
• In this example, the aaad.debug output shows an attempt to authenticate with the RADIUS server and the user being rejected, after which the AAA daemon sends a reject with an error code, for example 4001.
• This rejection occurs because the RADIUS server rejects the data being sent from the Citrix Gateway.
• This can be reviewed, verified and corrected by:
1. Using nstrace to capture traffic from the Citrix Gateway.
2. Reviewing the nstcpdump.sh output taken at the point of error, if available.
3. After ensuring that the Citrix Gateway is sending the traffic correctly and its settings are correct, examining why the RADIUS server is rejecting connections from the Citrix Gateway.
4. Checking whether the RADIUS client entry on the RADIUS server is configured for the NSIP of the Citrix Gateway (RADIUS requests are sourced from the NSIP by default), and whether the shared secret configured on the Citrix Gateway matches the one on the RADIUS server.
• To troubleshoot authentication processing in Citrix Gateway we look at the process handling it, the Authentication, Authorization, and Auditing (AAA) daemon. The raw event output from the daemon can be reviewed through the aaad.debug module.
• This is useful for troubleshooting authentication issues such as:
• General authentication errors
• Username/password failures
• Authentication policy configuration errors
• Group extraction discrepancies
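An aaad.debug capture is usually taken on the appliance ("cat /tmp/aaad.debug > /var/tmp/aaad.txt" in the shell while the user retries the logon) and then copied to an administrator's workstation. The PowerShell below is an added example, not Citrix course code, that summarises such a capture: it pairs each authentication attempt with its accept or reject outcome, identifies the RADIUS or LDAP back end, decodes the reject code, and for LDAP binds decodes the Active Directory sub-code in the "data" field. The sample lines are constructed to resemble aaad.debug output; real line wording varies by build, so the regular expressions are a starting point to adjust. The reject-code table is reproduced from memory of CTX114999 and should be verified against that article.

```powershell
# Added example (not Citrix course code): summarise a captured aaad.debug trace.
# The sample below is CONSTRUCTED to resemble aaad.debug output; real wording varies by build.
$Sample = @'
Fri Jun  2 10:15:32 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/naaad.c[1002]: process_kernel_socket call to authenticate user :jdoe, vsid :10
Fri Jun  2 10:15:32 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/radius_drv.c[611]: start_radius_auth attempting to auth jdoe @ 10.0.0.25
Fri Jun  2 10:15:33 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/radius_drv.c[1210]: receive_radius_auth_reply RADIUS Access-Reject received for user jdoe
Fri Jun  2 10:15:33 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/naaad.c[2280]: send_reject_with_code Rejecting with error code 4001
Fri Jun  2 10:16:05 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/naaad.c[1002]: process_kernel_socket call to authenticate user :asmith, vsid :10
Fri Jun  2 10:16:05 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/ldap_drv.c[1456]: receive_ldap_bind_event ldap error: 0x31 Invalid credentials, data 775
Fri Jun  2 10:16:05 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/naaad.c[2280]: send_reject_with_code Rejecting with error code 4015
Fri Jun  2 10:16:40 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/naaad.c[1002]: process_kernel_socket call to authenticate user :bng, vsid :10
Fri Jun  2 10:16:40 2023
 /home/build/rs_130_47_22_RTM/usr.src/netscaler/aaad/naaad.c[2100]: send_accept sending accept to kernel for : bng
'@

# AAA daemon reject codes as listed in CTX114999 (recalled; verify against the article for your build)
$RejectCodes = @{
    4001 = 'Invalid credentials (catch-all)'; 4002 = 'Login not permitted';   4003 = 'Server timeout'
    4004 = 'System error';                    4005 = 'Socket error to auth server'; 4006 = 'Bad user name'
    4007 = 'Bad password';                    4008 = 'Password mismatch';    4009 = 'User not found'
    4010 = 'Restricted login hours';          4011 = 'Account disabled';     4012 = 'Password expired'
    4013 = 'No dial-in permission';           4014 = 'Error changing password'; 4015 = 'Account locked'
}
# Active Directory LDAP bind sub-codes (the "data NNN" part of an LDAP 0x31/49 error)
$AdSubCodes = @{
    '525' = 'user not found'; '52e' = 'invalid credentials'; '530' = 'logon not permitted at this time'
    '531' = 'logon not permitted at this workstation'; '532' = 'password expired'; '533' = 'account disabled'
    '701' = 'account expired'; '773' = 'must reset password'; '775' = 'account locked out'
}

function ConvertFrom-AaadDebug {
    param([Parameter(Mandatory)][string[]]$Lines)
    $events = New-Object System.Collections.Generic.List[object]
    $current = $null
    $timestamp = $null
    foreach ($line in $Lines) {
        # aaad.debug writes the timestamp on its own line before each event line
        if ($line -match '^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}$') { $timestamp = $line.Trim(); continue }
        if ($line -match 'call to authenticate user\s*:\s*([^,\s]+)') {
            $current = [pscustomobject]@{ Time = $timestamp; User = $Matches[1]; Backend = $null
                                          Detail = $null; Result = 'pending'; Code = $null; Meaning = $null }
            $events.Add($current); continue
        }
        if (-not $current) { continue }
        if ($line -match 'radius') { $current.Backend = 'RADIUS' } elseif ($line -match 'ldap') { $current.Backend = 'LDAP' }
        if ($line -match 'ldap error:\s*(0x[0-9a-f]+)[^,]*, data ([0-9a-f]+)') {
            $current.Detail = "LDAP $($Matches[1]), AD sub-code $($Matches[2]): $($AdSubCodes[$Matches[2]])"
        }
        if ($line -match 'Rejecting with error code (\d+)') {
            $current.Result = 'reject'; $current.Code = [int]$Matches[1]; $current.Meaning = $RejectCodes[[int]$Matches[1]]
            $current = $null
        } elseif ($line -match 'sending accept to kernel') {
            $current.Result = 'accept'; $current = $null
        }
    }
    $events
}

ConvertFrom-AaadDebug -Lines ($Sample -split "`r?`n") |
    Format-Table Time, User, Backend, Result, Code, Meaning, Detail -AutoSize -Wrap
```

For the constructed sample this yields three rows: jdoe rejected by RADIUS with code 4001, asmith rejected with code 4015 after an LDAP bind failure whose AD sub-code 775 means the account is locked out, and bng accepted. A run of 4001 rejects with RADIUS lines but no Access-Accept is the shared-secret or RADIUS-client mismatch described in the Key Notes; a 4003 or socket error points at the firewall path to the RADIUS or LDAP server instead.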

Additional Resources:
• The Two Factor Authentication Fails on Citrix Gateway
https://support.citrix.com/article/CTX200402
• Troubleshooting Authentication Issues Through Citrix Gateway with aaad.debug Module
https://support.citrix.com/article/CTX114999


Example - Error Message Appears after Authenticating
"Cannot Complete Your Request" as a result of LDAP Authentication Misconfiguration on Citrix Gateway.

• This error can occur when there is a misconfiguration in the authentication policy on the Citrix Gateway, or possibly an issue with load balancing if multiple LDAP servers are used.
• A policy misconfiguration results in communication failure between the Citrix Gateway and the LDAP server.

[Diagram: End Users authenticate to Citrix Gateway, which binds to the Active Directory LDAP Server and then passes the session on to StoreFront.]
Key Notes:
• In this example we look at LDAP configuration issues. Some steps used to troubleshoot this issue include:
• Test LDAP reachability from the Citrix Gateway LDAP server settings and validate end-to-end LDAP authentication, to narrow down where the failure occurs.
• In the StoreFront console, go to Citrix Gateway > select the gateway you are configuring > Change General Settings, and confirm the Logon Type is set to Domain if LDAP authentication is used on the Citrix Gateway.
• On the Citrix Gateway virtual server, go to Authentication > LDAP Policy > Edit Server and confirm the server address, port, Base DN, Administrator Bind DN and password, and Server Logon Name Attribute. Then check the session policy:
1. In the Session Policy bound to the Citrix Gateway VIP > Edit Profile > Client Experience, confirm that Single Sign-on to Web Applications is checked.
2. On the Published Applications tab > Single Sign-on Domain, confirm the correct domain is specified.
• If you receive this error during an implementation of ADFS, Azure AD and FAS, remember that SAML authentication does not use a password and only supplies the user name, so single sign-on into the session depends on the Federated Authentication Service.
• Firewall failures or misconfigurations between the Citrix Gateway and the LDAP servers on the internal domain can also trigger LDAP authentication issues.

Additional Resources:
• Error: "Cannot Complete Your Request" Due to Authentication Misconfiguration on Citrix Gateway
https://support.citrix.com/article/CTX235888
• Common Resolutions to "Cannot Complete Your Request" Error
https://support.citrix.com/article/CTX207162
• How to Configure LDAP Authentication on Citrix Gateway
https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/configure-ldap/ng-ldap-authen-configure-tsk.html


Troubleshooting Authentication
Citrix Gateway, StoreFront, and XML Service

Common Misconfigurations
• User error: mistyping or forgetting credentials.
• Client-side network connectivity issue.
• Un-started or hung Credential Wallet service on the StoreFront server(s).
• Citrix Gateway LDAP authentication settings misconfigured.
• Firewall or monitor issues causing Citrix ADC load balancing of the StoreFront servers to fail.
Key Notes:
• Some of the most common causes of authentication issues include:
• In multi-factor authentication scenarios, communication issues with the RADIUS server due to firewalls or misconfiguration on the Citrix ADC or the RADIUS server.
• Active Directory experiencing issues that leave it unresponsive to authentication requests.
• DNS issues preventing Citrix ADC GSLB from functioning (if configured).
• Citrix Workspace app experiencing issues due to a faulty upgrade.

Additional Resources:
• Troubleshooting Methodology for Citrix ADC, StoreFront with Virtual Apps and Desktops
https://support.citrix.com/article/CTX140153
• Troubleshoot StoreFront
https://docs.citrix.com/en-us/storefront/current-release/troubleshoot.html
• StoreFront SDK
https://docs.citrix.com/en-us/storefront/current-release/sdk-overview.html
• Wireshark webpage
https://www.wireshark.org/
• Overview (Citrix Application Delivery Management Current Release)
https://docs.citrix.com/en-us/citrix-application-delivery-management-software/current-release/
• How to Troubleshoot Authentication Issues Through Citrix ADC or Citrix Gateway with aaad.debug Module
https://support.citrix.com/article/CTX114999


Troubleshooting Authentication
Citrix Gateway, StoreFront, and XML Service

Tools to Support and Troubleshoot
• Windows Event Logs - Citrix Delivery Services
• PowerShell
• Wireshark
• Citrix Application Delivery Management (for external access scenarios using Citrix Gateway)
• aaad.debug Module (on Citrix ADC)
• StoreFront console
Key Notes:
• The Citrix Delivery Services log, within the Windows Event Logs on the StoreFront server, is helpful for troubleshooting common authentication and application launch issues.
• Windows PowerShell commands can be run on the StoreFront servers to verify that the Citrix services are running and functioning as expected, and to restart services that are unresponsive.
• Wireshark is a packet analyzer that captures network data for analysis. It is helpful for pinpointing where a communication process fails.
• Citrix Application Delivery Management is a centralized console to manage and monitor Citrix application networking products. It is especially helpful in larger deployments for quickly verifying and configuring Citrix ADC settings across multiple appliances.
• Authentication processing in Citrix Gateway is handled by the Authentication, Authorization, and Auditing (AAA) daemon. The raw authentication events the daemon processes can be monitored by viewing the output of the aaad.debug module, which is a valuable troubleshooting tool.

Additional Resources:
• Troubleshooting Methodology for Citrix ADC, StoreFront with Virtual Apps and Desktops
https://support.citrix.com/article/CTX140153
• Troubleshoot StoreFront
https://docs.citrix.com/en-us/storefront/current-release/troubleshoot.html
• StoreFront SDK
https://docs.citrix.com/en-us/storefront/current-release/sdk-overview.html
• Wireshark webpage
https://www.wireshark.org/
• Overview (Citrix Application Delivery Management Current Release)
https://docs.citrix.com/en-us/citrix-application-delivery-management-software/current-release/
• How to Troubleshoot Authentication Issues Through Citrix ADC or Citrix Gateway with aaad.debug Module
https://support.citrix.com/article/CTX114999


Lesson Objective Review

• Scenario: A user is receiving authentication errors using a Citrix Gateway. Where can Citrix Administrators review audit data on the authentication process?

The aaad.debug module


Lab Exercise Prep

Please take a moment and provision your lab for Module 9.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab exercise.


Citrix ADC and Citrix Gateway
Troubleshooting App/Desktop Launch

Key Notes:
In this lesson, we will look at how to troubleshoot application and desktop launch issues.


App/Desktop Launch Issues through Citrix ADC and Citrix Gateway
Troubleshooting

Troubleshooting Checks
• When an STA ID error is returned, this may indicate communication or configuration errors with the STA.
• Confirm that the STA servers bound to the Citrix Gateway virtual server match those configured on the StoreFront servers.
• Confirm that the usage or role of the Gateway on the StoreFront server is set to Authentication and HDX Routing.
• Confirm that communication on port 1494/2598 from the Subnet IP/Mapped IP to the Citrix Virtual Apps and Desktops servers (VDAs) is functional.
Key Notes:
• Issues with application or desktop launch can be confirmed as Citrix Gateway issues by attempting to launch directly via StoreFront. If the published applications or desktops launch without any issues and the problem only happens via the Citrix Gateway, then the Citrix Gateway is the focus for troubleshooting.
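The second check on the slide, that the STA list on the Gateway virtual server matches the list StoreFront holds for that Gateway, is easy to get wrong by hand because of case, an explicit :443 or a trailing slash. The PowerShell below is an added example, not Citrix course code: it reads the Gateway's STA bindings through the NITRO REST API, reads StoreFront's list for the same Gateway, normalises the URLs, reports which side each STA appears on together with the STA ID the Gateway learned for it, and probes each STA's port from the StoreFront server. It assumes the default SDK import script path, the NITRO resource vpnvserver_staserver_binding with fields staserver and staauthid, that the NSIP's management certificate is trusted by the StoreFront server (Invoke-RestMethod validates TLS), and that Get-STFRoamingGateway exposes SecureTicketAuthorityUrls; the host names and Gateway name in the usage line are placeholders.

```powershell
# Added example (not Citrix course code): compare the STAs bound to a Gateway virtual server with the
# STAs StoreFront has for that Gateway, then probe each STA from the StoreFront server.
# Run on a StoreFront server. Assumptions: default SDK import script path; NITRO resource
# vpnvserver_staserver_binding with fields staserver and staauthid; the NSIP's management
# certificate is trusted by this server; Get-STFRoamingGateway exposes SecureTicketAuthorityUrls.
& "$Env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

function Get-GatewayStaBindings {
    param([Parameter(Mandatory)][string]$Nsip,
          [Parameter(Mandatory)][string]$VServer,
          [Parameter(Mandatory)][pscredential]$Credential)
    $headers = @{ 'X-NITRO-USER' = $Credential.UserName
                  'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password }
    $uri  = "https://$Nsip/nitro/v1/config/vpnvserver_staserver_binding/$VServer"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    foreach ($b in $resp.vpnvserver_staserver_binding) {
        [pscustomobject]@{ Url = "$($b.staserver)"; StaId = "$($b.staauthid)" }
    }
}

function Normalize-StaUrl {
    # Scheme and host are case-insensitive and the default port may be omitted on one side;
    # the path (/Scripts/CtxSta.dll) is compared as typed.
    param([Parameter(Mandatory)][string]$Url)
    $u = [Uri]$Url
    '{0}://{1}:{2}{3}' -f $u.Scheme.ToLowerInvariant(), $u.Host.ToLowerInvariant(), $u.Port, $u.AbsolutePath.TrimEnd('/')
}

function Compare-StaConfiguration {
    param([Parameter(Mandatory)][string]$Nsip,
          [Parameter(Mandatory)][string]$VServer,
          [Parameter(Mandatory)][string]$GatewayName,   # the Gateway's name in the StoreFront console
          [Parameter(Mandatory)][pscredential]$Credential)
    $gw = Get-STFRoamingGateway -Name $GatewayName
    if (-not $gw) { throw "Gateway '$GatewayName' is not registered in StoreFront" }
    $sfStas   = @($gw.SecureTicketAuthorityUrls | ForEach-Object { Normalize-StaUrl "$_" })
    $bindings = @(Get-GatewayStaBindings -Nsip $Nsip -VServer $VServer -Credential $Credential)
    $gwStas   = @($bindings | ForEach-Object { Normalize-StaUrl $_.Url })

    foreach ($sta in ($sfStas + $gwStas | Sort-Object -Unique)) {
        $u = [Uri]$sta
        $onSf = $sfStas -contains $sta
        $onGw = $gwStas -contains $sta
        [pscustomobject]@{
            Sta             = $sta
            OnStoreFront    = $onSf
            OnGateway       = $onGw
            GatewayStaId    = ($bindings | Where-Object { (Normalize-StaUrl $_.Url) -eq $sta } | Select-Object -First 1).StaId
            ReachableFromSF = Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet -WarningAction SilentlyContinue
            Finding         = if ($onSf -and $onGw) { 'OK' }
                              elseif ($onSf) { 'On StoreFront only: tickets it issues cannot be validated by the Gateway' }
                              else { 'Bound on Gateway only: harmless, but review for consistency' }
        }
    }
}

# Usage (placeholder values); the Gateway admin credential is prompted for, never embedded in the script.
# Compare-StaConfiguration -Nsip 10.0.0.10 -VServer gw_vserver -GatewayName 'External Gateway' -Credential (Get-Credential) |
#     Format-Table -AutoSize -Wrap
```

An STA that appears on StoreFront but not on the Gateway is the configuration that produces the STA ID error on the slide: StoreFront includes that STA's ID in the launch ticket and the Gateway has no matching binding to validate it against. An empty GatewayStaId for a bound STA means the Gateway could not reach that STA when it was bound, which is the communication case.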

Additional Resources:
• Error: "Unable to launch your application." When Launching Published Applications or Desktops Through Citrix Gateway
https://support.citrix.com/article/CTX134940


Lesson Objective Review

The STA address on the gateway is https://sta-server.company.com/Scripts/CtxSta.dll and the STA address on the StoreFront server is https://staserver1.company.com/Scripts/CtxSta.dll.
Will the app launch work?

No. We need to make sure that the STA addresses on the Citrix Gateway and the StoreFront server are the same. StoreFront places the ticket and the issuing STA's ID in the ICA file, and the Gateway validates the ticket only against an STA it has bound with that ID; an STA configured on StoreFront but not bound to the Gateway produces an STA ID error at launch.


Lab Exercise

• Exercise 9-1: Change Delivery Controller settings on StoreFront to resolve Failed Enumeration
• Exercise 9-2: Troubleshoot Failed Authentication Issues Using PowerShell On StoreFront
• Exercise 9-3: Export and Restore the Subscription Store Database On StoreFront
• Exercise 9-4: Investigating XML Service Communications Issues Between StoreFront and Delivery Controller
• Exercise 9-5: Manually Rewrite Subscription Store on StoreFront using PowerShell


Key Takeaways

• Credential Wallet, certificate deployments, and StoreFront configurations are common sources of issues.
• Understanding the processes behind authentication, enumeration, and session launch helps to identify the source of user app and/or desktop launch issues.
• Testing Direct Access mode through StoreFront is a strong step towards isolating an issue within the Citrix Gateway.
• The aaad.debug module can be used to review authentication issues with the Citrix Gateway.
• Citrix Gateway issues are commonly focused


Citrix Virtual Apps and Desktops 7
Advanced Configuration

Troubleshoot Delivery Controller Issues

Module 10


Learning Objectives

• Describe the role of each of the FlexCast Management Architecture (FMA) services and how to validate them using PowerShell.
• Describe the HDX session enumeration workflow and common failure causes.


Validating FlexCast Management Architecture (FMA) Services

Key Notes:
In this lesson, we will explain how an administrator can validate the status of key services in a Citrix Virtual Apps and Desktops environment.


FMA Services
The FMA Services collectively create the functionality of Citrix Virtual Apps and Desktops.

[Diagram: the conceptual layers (User Layer: internal and external users; Access Layer: StoreFront, Citrix ADC/Gateway, firewalls; Control Layer: Delivery Controller, Domain Controller, Database, License Server; Resource Layer: Server OS, assigned and random Desktop OS, Remote PC; Hardware Layer: network, storage, processor, memory, graphics, hypervisor), with the Delivery Controller's FMA Services expanded into three groups:
Core Services: Central Configuration Service, Delegated Administration Service, Configuration Logging Service.
Apps and Desktops Services: AD Identity Service, Machine Creation Service, Host Service, Broker Service.
Supporting Services: Analytics Service, StoreFront Service, Monitoring Service, Citrix Trust Service (greyed out), Citrix Orchestration Service (greyed out), App Library Service, Environmental Test Service.]

• Each FMA Service communicates with the others, but functions independently.
• Collectively, the FMA Services provide management functionality for Studio, Director, and PowerShell.
Key Notes:
• FlexCast Management Architecture (FMA) is a Service Oriented Architecture (SOA) that allows Citrix engineers to add new services when needed. This SOA also makes troubleshooting easier, as CDF traces have multiple providers, which can be selected depending on which area you wish to investigate.
• The FMA Services diagram shows three groups of FMA Services:
• Core Services
• These services are involved in almost all operations, with the Citrix Configuration Service acting as a centralized directory service for all other services.
• The Delegated Administration Service makes the final decision on whether the current user is allowed to perform a requested operation, while the Configuration Logging Service records all administrative changes.
• Apps and Desktops Services
• These services are used during provisioning processes:
• The AD Identity Service creates and manages all catalog machine accounts, while the Machine Creation Service processes the MCS-provisioned virtual catalog machines.
• The Host Service manages all resource connections between the Citrix Virtual Apps and Desktops Site and the hypervisor hosts or resource pools and performs power management actions, while the Broker Service handles many actions including brokering user connections to sessions, validating STA tickets, and communicating with the deployed Virtual Delivery Agents (VDAs).
• Supporting Services
• These services support additional functionality of the Citrix Virtual Apps and Desktops Site and include:
• The Analytics Service, which collects data from the other services for reporting.
• The StoreFront Service, which manages the StoreFront deployment and allows some StoreFront management through Studio.
• The Monitoring Service, which monitors the overall FMA architecture and produces alerts and warnings when it finds something potentially wrong, such as a failing service.
• The Citrix Trust Service is not currently in use. (This is why this service is greyed out on the diagram.)
• The Citrix Orchestration Service is not currently in use. (This is why this service is greyed out on the diagram.)
• The App Library Service, which supports management and provisioning of AppDisks, AppDNA integration and App-V where used.
• The Environmental Test Service, which manages tests for evaluating the state of the Citrix Virtual Apps and Desktops infrastructure, such as when an environment test is triggered through Studio.
• The FMA Services all use Windows Communication Foundation (WCF) for inter-service communication. This allows each service to run independently of the others, so a failure of one service typically will not disrupt the functionality of another. There are exceptions. For example, if the Citrix Configuration Service fails, there is no centralized directory for the services, so no service can locate another and communication breaks down. Another example: if the AD Identity Service fails during MCS provisioning, the machine accounts for the catalog will not be created in Active Directory.


Central Configuration Service (CCS)

• Provides a global directory to all services.
• Allows services to register and unregister.
• All services hold a cache for five minutes to prevent overloading the CCS with too many queries.

[Diagram: the Delivery Controller's FMA Services grouped as Core (Central Configuration, Delegated Administration, Configuration Logging), Apps and Desktops (AD Identity, Machine Creation, Host, Broker) and Supporting (Analytics, StoreFront, Monitoring, Citrix Trust, Citrix Orchestration, App Library, Environmental Test), with the Central Configuration Service highlighted.]
Key Notes:
• The Central Configuration Service (CCS) acts as a global directory for the FMA architecture. It knows each FMA service's WCF address and is a central point of contact, which is why it is one of the core FMA services. It is involved in any operation across services. It allows services to register and unregister. You can use Get-ConfigRegisteredServiceInstance to retrieve the list of registered services.
• When one service wants to talk to another, it starts by querying the CCS for the WCF address, and the CCS replies only for services that are already registered.
• To prevent the CCS from becoming a bottleneck, each service keeps a cache of the CCS directory for five minutes.
• If you ever need to refresh the cache, simply restart the Windows service itself, as the cache is retrieved during the startup of the service.
• It may be necessary at times to manually register a service with the CCS.
• For example, services are registered during the installation of the Delivery Controller with the DNS name of that Delivery Controller. If the Delivery Controller is ever renamed, the FMA services will stop registering with the CCS. In this case, the easiest solution is to unregister the existing instances and register new instances.
• Get-ConfigRegisteredServiceInstance lists the registered services; the Address of each instance shows the FQDN under which it was registered, which will still be the Delivery Controller's original name.
• To unregister the existing instances, run:
Get-ConfigRegisteredServiceInstance | Unregister-ConfigRegisteredServiceInstance
If the environment has more than one Delivery Controller, pass -ServiceAccountSid to Get-ConfigRegisteredServiceInstance so that only the renamed controller's instances are removed.
• To retrieve the local FMA service instances and register them again, run:
Get-Command Get-*ServiceInstance -Module Citrix* | ForEach-Object { & $_.Name | Register-ConfigServiceInstance }
• Now that the FMA services are registered with the CCS, reset the service access permissions and configuration service locations:
$ServiceInstance = Get-ConfigServiceInstance
Get-Command Reset-*ServiceGroupMembership -Module Citrix* | ForEach-Object { & $_.Name -ConfigServiceInstance $ServiceInstance }
• Remember:
• All FMA services need to register their instances with the CCS.
• The CCS needs to be aware of every service that is part of the Citrix Virtual Apps and Desktops Site.
• Each FMA service needs to know the address of the CCS.
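The rename scenario above is easier to confirm than to guess at: every registered instance carries the host name it was registered under, so those host names can be compared with the Delivery Controllers the Broker Service currently knows. The PowerShell below is an added example, not Citrix course code. It reports each registered host with the services registered under it and whether that host is still a live controller, and provides a repair function that removes only the instances registered under the stale name before registering this controller's services again. It assumes the snap-in based SDK (Add-PSSnapin); on releases that ship the SDK as PowerShell modules, use Import-Module instead. The host name in the usage line is a placeholder.

```powershell
# Added example (not Citrix course code): find FMA service instances registered with the CCS under a
# host name that is no longer a live Delivery Controller (the rename scenario above), and re-register
# this controller's services only after confirming that is the cause.
# Run on a Delivery Controller as a Citrix Full Administrator. Assumption: snap-in based SDK; on
# releases that ship the SDK as modules, replace Add-PSSnapin with Import-Module.
Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

function Get-FmaRegistrationReport {
    # DNS names of the controllers the Broker Service currently knows about
    $controllers = @(Get-BrokerController | Select-Object -ExpandProperty DNSName)
    $localFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    Get-ConfigRegisteredServiceInstance |
        Group-Object { ([Uri]$_.Address).Host } |
        ForEach-Object {
            $registeredHost = $_.Name
            $known = $controllers -contains $registeredHost
            [pscustomobject]@{
                RegisteredHost   = $registeredHost
                IsThisController = ($registeredHost -ieq $localFqdn)
                KnownController  = $known
                Services         = (($_.Group | ForEach-Object { $_.ServiceType } | Sort-Object -Unique) -join ',')
                InstanceCount    = $_.Count
                Finding          = if ($known) { 'OK' } else { 'Stale registration: host is not a current Delivery Controller' }
            }
        }
}

function Repair-FmaRegistration {
    # Unregisters only the instances registered under $StaleHost (this controller's former name), then
    # registers this controller's services and resets service group membership, as described above.
    param([Parameter(Mandatory)][string]$StaleHost)
    Get-ConfigRegisteredServiceInstance |
        Where-Object { ([Uri]$_.Address).Host -ieq $StaleHost } |
        Unregister-ConfigRegisteredServiceInstance
    # Get-ConfigRegisteredServiceInstance also matches Get-*ServiceInstance; exclude it so the other
    # controllers' still-registered instances are not pushed through Register-ConfigServiceInstance.
    Get-Command Get-*ServiceInstance -Module Citrix* |
        Where-Object { $_.Name -ne 'Get-ConfigRegisteredServiceInstance' } |
        ForEach-Object { & $_.Name | Register-ConfigServiceInstance }
    $configInstances = Get-ConfigServiceInstance
    Get-Command Reset-*ServiceGroupMembership -Module Citrix* |
        ForEach-Object { & $_.Name -ConfigServiceInstance $configInstances }
}

Get-FmaRegistrationReport | Format-Table -AutoSize -Wrap
# After reviewing the report:  Repair-FmaRegistration -StaleHost 'olddc.example.com'   (placeholder name)
```

Scoping the unregister step by the stale host name is the multi-controller safeguard the Key Notes describe with -ServiceAccountSid: it leaves the other controllers' registrations untouched, which a bare Get-ConfigRegisteredServiceInstance | Unregister-ConfigRegisteredServiceInstance would not.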

FMA Services (1 of 3)
Service Descriptions and PowerShell Validation

Citrix Service | PowerShell Prefix | Description | Validating with PowerShell
Citrix Broker Service | Broker | Brokers new session requests, handles disconnected sessions and resource enumeration, processes STA ticket verification and user validation. Additionally, it handles all communication to and from the VDA. | Get-BrokerServiceStatus
Citrix Machine Creation Service | Prov | Handles the creation of new virtual machines (not physical machines). | Get-ProvServiceStatus
Citrix Configuration Service | Config | Handles all inter-service communication between FMA services (the central directory). | Get-ConfigServiceStatus
Citrix AD Identity Service | Acct | Handles all Active Directory accounts related to any Citrix virtual or physical workload. | Get-AcctServiceStatus
Citrix Hosting Service | Hyp | Manages all connections between the Delivery Controllers and the hypervisor, supporting vSphere, Citrix Hypervisor or SCVMM. Responsible for power management. | Get-HypServiceStatus
Citrix App Library | AppLib | Supports management and provisioning of AppDisks, AppDNA integration, and management of App-V. | Get-AppLibServiceStatus

FMA Services (2 of 3)
Service Descriptions and PowerShell Validation

Citrix Service | PowerShell Prefix | Description | Validating with PowerShell
Citrix Delegated Administration Service | Admin | Manages the creation, configuration and administration of all delegated administrative permissions. | Get-AdminServiceStatus
Citrix Monitoring Service | Monitor | Monitors the overall FMA architecture and produces alerts and warnings when it finds something potentially wrong, such as a failing service. | Get-MonitorServiceStatus
Citrix Environment Test Service | EnvTest | Manages tests for evaluating the state of the Citrix Virtual Desktops infrastructure. | Get-EnvTestServiceStatus
Citrix Configuration Logging Service | Log | Monitors and logs all configuration changes made within a Citrix Virtual Desktops site, including all administrator activity. | Get-LogServiceStatus
Citrix Analytics Service | Analytics | Collects analytical data from Citrix products. | Get-AnalyticsServiceStatus

FMA Services (3 of 3)
Service Descriptions and PowerShell Validation

Citrix Service | PowerShell Prefix | Description | Validating with PowerShell
Citrix StoreFront Service | SF | Manages the StoreFront deployment. | Get-SFServiceStatus
Citrix Orchestration Service | Orch | Not currently used (must remain enabled; do not disable). | Get-OrchServiceStatus
Citrix Trust Service | Trust | Not currently used (must remain enabled; do not disable). | Get-TrustServiceStatus


FMA Services and PowerShell

Following standard Microsoft PowerShell naming convention:
• Verb-ModuleNoun
• Each module prefix is associated with an FMA service

• There are 14 FMA services.
• Each FMA service follows a standard PowerShell structure.
• There are various commands within PowerShell that assist with reviewing and troubleshooting issues within the FMA architecture.
• PowerShell provides the ability to:
• Review current site or session information.
• Investigate FMA service status and Delivery Controller health.
• Review and reset Machine Creation Services tasks.
• Test and review hypervisor host conditions.
• And more...

Some example FMA PowerShell structures:

Citrix Broker Service (prefix Broker). Use examples:
Get-BrokerDesktop
Get-BrokerSite
Get-BrokerController
Get-BrokerSession

Citrix Machine Creation Service (prefix Prov). Use examples:
Get-ProvServiceStatus
Reset-ProvServiceGroupMembership
Reset-ProvEnabledFeatureList

Host Service (prefix Hyp). Use examples:
Test-HypDBConnection
Get-HypServiceStatus
Get-HypVMMacAddress
Key Notes:
• The SDK that installs with the current release of Virtual Apps and Desktops comprises several PowerShell snap‐ins that are installed
automatically when you install a Delivery Controller or Studio.
• The Citrix FMA services can be managed through PowerShell, which must be run using an identity that has Citrix administration
rights.
• This slide provides some examples of PowerShell use when interacting with Citrix FMA services.
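As an added example (not Citrix's own code, and not part of the course material), the following script loads the Citrix snap-ins and walks all 14 service prefixes, calling each Get-<Prefix>ServiceStatus cmdlet and flagging any service not reporting OK, then lists Controller health from the Broker service. It assumes an elevated session on a Delivery Controller with Citrix administration rights; the prefixes not listed in this module (Acct, Admin, AppLib, Config, Monitor) are the remaining standard FMA prefixes.

```powershell
# Added example (not Citrix code): validate every FMA service on this Delivery
# Controller and list the registered Controllers. Run elevated, with Citrix
# administration rights.
Add-PSSnapin Citrix* -ErrorAction Stop    # same as the 'asnp Citrix*' shortcut

# The 14 FMA service prefixes; each maps to a Get-<Prefix>ServiceStatus cmdlet.
# Broker, Prov, Hyp, SF, Orch, Trust, EnvTest, Log and Analytics appear in this
# module; Acct, Admin, AppLib, Config and Monitor are the remaining prefixes.
$prefixes = 'Acct','Admin','Analytics','AppLib','Broker','Config','EnvTest',
            'Hyp','Log','Monitor','Orch','Prov','SF','Trust'

function Get-FmaServiceHealth {
    foreach ($p in $prefixes) {
        $cmdlet = "Get-${p}ServiceStatus"
        try {
            $status = (& $cmdlet -ErrorAction Stop).ServiceStatus
        } catch {
            # A missing snap-in or a stopped Windows service surfaces here.
            $status = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Prefix  = $p
            Cmdlet  = $cmdlet
            Status  = $status
            # 'OK' is the healthy value; anything else (for example a DB
            # connection problem or version mismatch) needs a closer look.
            Healthy = ($status -eq 'OK')
        }
    }
}

$health = Get-FmaServiceHealth
$health | Format-Table -AutoSize

$unhealthy = @($health | Where-Object { -not $_.Healthy })
if ($unhealthy.Count -gt 0) {
    Write-Warning ("{0} FMA service(s) are not reporting OK: {1}" -f
        $unhealthy.Count, ($unhealthy.Prefix -join ', '))
}

# Controller health from the Broker service: every Controller in the Site
# should show State 'Active' and a recent LastActivityTime.
Get-BrokerController | Select-Object DNSName, State, LastActivityTime, ControllerVersion
```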

410 © 2023 Citrix Authorized Content


Additional Resources:
• Citrix Virtual Apps and Desktops SDKs and APIs
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/
• Citrix Virtual Apps and Desktops: Basic PowerShell Cmdlets for Delivery Controller's Health Check
https://support.citrix.com/article/CTX238581
• Getting started with the SDK
https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/latest/getting-started/


411 © 2023 Citrix Authorized Content


Lab Exercise Prep

Please take a moment and provision your lab for Module 10.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

412 © 2023 Citrix Authorized Content


SQL Connections

• Each Citrix service establishes its own direct connection to the site database.
• Some services, such as Configuration Logging, have an additional separate connection to a secondary database.

[Diagram: the Monitoring Service connects to the Monitoring Database and the Configuration Logging Service connects to the Configuration Logging Database; the Citrix Trust, Orchestration, Analytics, Broker, Configuration, Environmental Test, Host, StoreFront, App Library, AD Identity, Delegated Administration and Machine Creation Services each hold their own connection to the Site Database.]

Key Notes:
• Considering SQL Server connections, it is important to note that each service has a separate connection to the database.
• FMA services leverage the Delivery Controller's machine account to authenticate to SQL, where the Site data from the FMA services is stored.
• Leveraging the Delivery Controller's computer AD account for authentication to SQL enhances security by preventing a service account password from being stored and by having the machine password change every 30 days.
• The principal database is the Site database, which contains configuration information for the running of the system. Remember there are two additional databases if you include Monitoring and Configuration Logging, which have separate connections that may need independent functionality verification.

413 © 2023 Citrix Authorized Content

• High levels of transactions per second occur during logon, as each user logon requires multiple individual transactions to be carried out with the database. You should, therefore, plan to scale based on the concurrent launch rate. (When a site is created, its peak size is reached after 48 hours, as the database stores very little persistent information.)
• During the Controller installation, if you choose to have the default SQL Server Express database installed, some information is already pre-populated in the wizard. If you use a SQL Server that is installed on a different machine, enter the database and server names when prompted.
• Should you need to reset a DB connection, reset it to $Null first (for example "Set-BrokerDBConnection -DBConnection $Null"). This is by design, to prevent accidental changes to the database configuration. After resetting the connection to an empty state, you can define a new server.

414 © 2023 Citrix Authorized Content
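The reset-to-$Null-then-set sequence from the notes, as an added example (not Citrix's own script): it first reports the Site DB connection string every FMA service holds, then re-points one service after testing the new string. It assumes an elevated session on a Delivery Controller with Citrix administration rights; the SQL Server and database names are placeholders.

```powershell
# Added example (not Citrix code): audit and, when explicitly invoked, re-point
# an FMA service's Site DB connection using the clear-first sequence the SDK
# requires. Server and database names below are placeholders.
Add-PSSnapin Citrix* -ErrorAction Stop

$prefixes = 'Acct','Admin','Analytics','AppLib','Broker','Config','EnvTest',
            'Hyp','Log','Monitor','Orch','Prov','SF','Trust'

# 1. Report which services agree on the Site database and which are unconfigured.
function Get-FmaDbConnection {
    foreach ($p in $prefixes) {
        $cs = & "Get-${p}DBConnection"
        if (-not $cs) { $cs = '<unconfigured>' }
        [pscustomobject]@{ Prefix = $p; Connection = $cs }
    }
}
$conns = Get-FmaDbConnection
$conns | Format-Table -AutoSize
$distinct = @($conns.Connection | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Services disagree on the Site DB connection: $($distinct -join ' | ')"
}

# 2. Re-point a single service to a new SQL Server. Integrated Security=True keeps
#    the machine-account authentication described in the notes; no password is
#    embedded in the connection string.
function Set-FmaServiceDbConnection {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$SqlServer,   # placeholder, e.g. 'SQL01.corp.example'
        [Parameter(Mandatory)][string]$Database     # placeholder, e.g. 'CitrixSite'
    )
    $new = "Server=$SqlServer;Initial Catalog=$Database;Integrated Security=True"

    # Prove the target is reachable and the schema matches before touching anything.
    $test = & "Test-${Prefix}DBConnection" -DBConnection $new
    if ($test.ServiceStatus -ne 'OK') {
        throw "Test-${Prefix}DBConnection returned '$($test.ServiceStatus)'; aborting."
    }
    # The SDK refuses to overwrite a live connection: clear it first, then set it.
    & "Set-${Prefix}DBConnection" -DBConnection $null
    & "Set-${Prefix}DBConnection" -DBConnection $new
    & "Get-${Prefix}ServiceStatus"
    # Note: the Log and Monitor services additionally hold a secondary data store
    # (Set-LogDBConnection -DataStore Logging / Set-MonitorDBConnection -DataStore Monitor)
    # which must be re-pointed the same way.
}

# Uncomment to run against real values:
# Set-FmaServiceDbConnection -Prefix Broker -SqlServer 'SQL01.corp.example' -Database 'CitrixSite'
```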


Complete Connections and Communication
StoreFront Enumeration: SQL Server Site Database Query and App and Desktop Icon Enumeration

[Diagram: StoreFront enumeration across three zones. New York City, Zone 1 (Primary): Users, Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and Resources (Desktops, Apps). San Francisco, Zone 2 (Satellite) and Miami, Zone 3 (Satellite): each with Citrix Gateway, StoreFront, Delivery Controller and Resources (Desktops, Apps). Internal and external end user devices enter at the left; the numbered steps (1) to (5) are described in the Key Notes.]

Key Notes:
• It is important for troubleshooting to understand how communications with the databases can impact user connections. We will look here at how some messages interact with the database.
• The steps below describe the general process of communications, with consideration of which elements require communication with the SQL servers.
• (1) External (Green): Citrix Gateway communicates with StoreFront (after successful user authentication) to begin the resource enumeration process.
  • If the StoreFront server address (or VIP) is misconfigured on the Citrix Gateway, the logon process will fail at this stage.

415 © 2023 Citrix Authorized Content

• (2) Internal and External: After successful authentication, StoreFront queries the configured Delivery Controllers for available resources accessible to the user. If XML-based authentication is used, the process begins at Step 3.
  • If a custom XML communication port is used, ensure that it has been configured both on the StoreFront server group (via the Manage Delivery Controllers setting in the console) and on the Delivery Controllers (via BrokerService.exe).
  • Additionally, ensure firewall rules allow communication on the selected port.
• (3) The Controller queries the site database for resource information.
  • If high availability is a high priority for a given organization, strongly consider implementing HA for the SQL Site database. The other Citrix Virtual Apps and Desktops databases (Monitoring and Configuration Logging) and supporting product databases (Citrix Provisioning / Workspace Environment Management) can be located on the same HA SQL deployment.
• (4) Based on the results of the SQL query, the Controller returns a list of all available resources for the user to StoreFront.
  • If the Controller cannot communicate with the Site database, the local host cache is used to provide limited resource information. Each method has considerations that should be included in the environment design.
• (5) StoreFront builds a web page with the available resources, which is either communicated directly to the end user device (internal) or proxied to the end user device via Citrix ADC (external).
  • If no resources have been assigned to a user, or to any of the AD groups they are a member of, no resource icons will be visible to the user.

Additional Resources:
• How to Change the XML Port in Virtual Desktops
https://support.citrix.com/article/CTX127945
• Local host cache (FMA)
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/local-host-cache.html

416 © 2023 Citrix Authorized Content


Complete Connections and Communication
StoreFront Enumeration: Troubleshooting
Session Launch: HDX Communication

Common Misconfigurations

• XML communication port mismatch
• No published resources have been made available
• Expired SSL certificates
• Citrix Gateway and/or StoreFront information misconfigured
• Delivery Controllers are offline or unresponsive

Key Notes:
• In addition to ensuring database connections are correct and functional, the use of encryption can create another layer of complication and potential errors.
• For example, expired SSL certificates on the Delivery Controllers will impact communications between the StoreFront servers and Delivery Controllers if SSL is enabled between them. Switching to the HTTP transport type is a workaround, but it will lower the security of the environment until new certificates are installed on the Delivery Controller(s).
• In addition, an XML communication port mismatch will occur if the configured port was changed on either the StoreFront server(s) or the Delivery Controller(s), but not both.

417 © 2023 Citrix Authorized Content

  • The StoreFront console is used to adjust this setting on StoreFront, while a command prompt setting is used on the Delivery Controllers. The registry can also confirm the Delivery Controller setting.
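Three of the misconfigurations above (port mismatch, offline Controllers, expired certificates) can be checked from the StoreFront server in one pass. The script below is an added example, not Citrix code: it resolves each Controller, opens the XML port StoreFront is configured to use and, when that port is TLS, reads the certificate validity window. Controller names and the port are placeholders.

```powershell
# Added example (not Citrix code): from a StoreFront server, confirm each Delivery
# Controller answers on the configured XML port and that its TLS certificate is
# current. Controller names and the port are placeholders for the store's settings.
$controllers = 'ddc01.corp.example', 'ddc02.corp.example'   # placeholders
$xmlPort     = 443       # 80 for HTTP transport, 443 when TLS is enabled
$useTls      = $true

function Test-XmlEndpoint {
    param([string]$Controller, [int]$Port, [bool]$Tls)
    $r = [ordered]@{
        Controller = $Controller; Port = $Port; DnsResolves = $false; PortOpen = $false
        CertSubject = $null; CertExpires = $null; CertValid = $null; Problem = $null
    }
    try {
        $null = [System.Net.Dns]::GetHostAddresses($Controller)
        $r.DnsResolves = $true
    } catch { $r.Problem = 'DNS lookup failed'; return [pscustomobject]$r }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Controller, $Port)
        $r.PortOpen = $true
    } catch {
        # A closed port on a resolvable Controller usually means the XML port differs
        # between StoreFront and the Controller, a firewall rule, or a Controller offline.
        $r.Problem = "TCP $Port refused or filtered (port mismatch / firewall / Controller down?)"
        return [pscustomobject]$r
    }

    if ($Tls) {
        try {
            # Validation is bypassed only so an expired or untrusted certificate can
            # still be read and reported; nothing about trust is changed on the host.
            $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($Controller)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $now  = Get-Date
            $r.CertSubject = $cert.Subject
            $r.CertExpires = $cert.NotAfter
            $r.CertValid   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            if (-not $r.CertValid)                    { $r.Problem = 'Certificate expired or not yet valid' }
            elseif ($cert.NotAfter -lt $now.AddDays(30)) { $r.Problem = 'Certificate expires within 30 days' }
        } catch {
            $r.Problem = "TLS handshake failed: $($_.Exception.Message)"
        }
    }
    $tcp.Close()
    [pscustomobject]$r
}

$report = foreach ($c in $controllers) { Test-XmlEndpoint -Controller $c -Port $xmlPort -Tls $useTls }
$report | Format-Table Controller, Port, DnsResolves, PortOpen, CertExpires, Problem -AutoSize
```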


418 © 2023 Citrix Authorized Content


Complete Connections and Communication
StoreFront Enumeration: Troubleshooting
Session Launch: HDX Communication

Tools to Support and Troubleshoot

• Citrix Studio
• Windows Event Logs
  • Citrix Delivery Services
  • CAPI2 Operational Log
• PowerShell/Command Prompt
• Windows Registry
• Active Directory Users and Groups

Key Notes:
• Citrix Studio can be used to verify that resources have been published to a user or user group. Remember to check any application-level assignments and the "limit visibility" setting.
• The CAPI2 Operational log within Windows Event Logs can help to identify PKI-related errors (e.g., expired or invalid certificates). This log is not enabled by default, and it takes up additional resources on the machine, so it should only be enabled during troubleshooting.

419 © 2023 Citrix Authorized Content


Lesson Objective Review

• What PowerShell command should be executed to load the Citrix modules prior to validating FMA services?

• Asnp Citrix*


420 © 2023 Citrix Authorized Content


Lab Exercise

• 10-1: Verify and Update SQL Connection Strings on the Delivery Controller
• 10-2: Validate the FMA Services Using PowerShell on the Delivery Controller
• 10-3: Performing a Site Recovery when no Delivery Controllers are Available
• 10-4: Remove Defunct Delivery Controllers from the SQL Database


421 © 2023 Citrix Authorized Content


Key Takeaways

• There are 14 FMA Services that function independently and provide management functionality for Studio, Director, and PowerShell.
• The Citrix Configuration Service is the global directory for the FMA architecture, and all other FMA services must register with it.
• StoreFront Enumeration is a multi-step process in which specific misconfigurations or failure points (such as database communications or certificate errors) will cause enumeration failure to occur.


422 © 2023 Citrix Authorized Content


Citrix Virtual Apps and Desktops 7 Advanced Configuration

Troubleshoot Virtual Delivery Agent (VDA) Registration Issues

Module 11


423 © 2023 Citrix Authorized Content


Learning Objectives

• Identify the common causes and troubleshooting methods for VDA registration failures.
• Explain the VDA registration process in a multi-zone Citrix Virtual Apps and Desktops environment.


424 © 2023 Citrix Authorized Content


Troubleshooting Virtual Delivery Agent (VDA) Registration

Key Notes:
In this lesson, we will look at ways to troubleshoot Virtual Delivery Agent registration.

425 © 2023 Citrix Authorized Content


VDA Registration Issues
Overview
[Diagram: End User PC -> StoreFront -> Controller (VDC) -> VDA, with the Site Database and License Server behind the Controller. Problem areas are mapped onto the path: network or connection issues at the End User PC, enumeration issues at StoreFront, registration issues between Controller and VDA, site issues at the Site Database and license issues at the License Server.]


426 © 2023 Citrix Authorized Content


Registration Communication Process
[Diagram: the Virtual Delivery Agent (BrokerAgent.exe), the Virtual Desktop Controller (BrokerService.exe), Active Directory and the Site Database. The numbered exchanges are:]

1. Check if Auto-update of DDCs is enabled. If so, gather a list of all available controllers.
2. Check the registry entry for ListOfDDCs (manually or GPO populated).
3. Validate each DDC found in AD by DNS entry.
4. Obtain a Kerberos ticket from AD for each controller found to allow for Active Directory communication.
5. The VDA uses the Desktop Service (BrokerAgent.exe) to initiate the registration process over TCP port 80 and makes a call for "Registration".
6. Callback made. The Controller needs to validate the VDA identity and functionality level.
7. BrokerService.exe attempts to validate the Kerberos ticket and VDA details from AD.
8. Obtain a Kerberos ticket for communication with the VDA.
9. 2-way test for registration. Needs to be confirmed by both VDA and controller for hard registration to be successful.

Key Notes:
• The VDA and the Controller act in a client-server relationship with two independent connections between them. This is used to prevent a man-in-the-middle attack, as the attacker would also need to compromise the Active Directory environment.
• The first stage in a VDA registering with controllers is to acquire a list of controllers. There are a few locations, including Active Directory and manual input, from which this can be achieved. Steps 1-2 describe these.
• You can see in steps 3-4 and 7-8 that the controller doesn't trust the information provided by the VDA; it contacts AD to confirm the SPN record. This process, which happens as the registration progresses, ensures that we avoid man-in-the-middle attacks.

427 © 2023 Citrix Authorized Content

• The process behind validating identity is the reason why you cannot use a load-balanced IP when defining the controller.
• The same process applies to Linux VDAs, as well as Remote PC. That's why Linux VDAs must have an AD account created.


428 © 2023 Citrix Authorized Content


Common Registration Failures

• Misconfigured or offline Firewall
• DNS
• Time synchronization out by five or more minutes
• Domain membership
• Service Principal Name (SPN) records

[Diagram: BrokerAgent.exe on the Virtual Delivery Agent attempts to register on port 80. A firewall configured to block port 80 inbound blocks the registration request, which never reaches the Delivery Controller, so the registration attempt fails.]

Key Notes:
• There are several reasons why VDA registration may fail, such as a network failure or a firewall blocking communication. Other issues can be related to Domain, DNS or encryption (TLS). Principal areas an engineer should investigate include:
  • Issues with DNS preventing Controller and VDA communication.
  • The ListOfDDCs registry value is not updated, or is mistyped, after a Delivery Controller is replaced or removed from the Site, where configuration has been done manually.
  • We can also suffer from GPO or network firewall rules introduced outside the Citrix environment which block necessary Controller-VDA communications.

429 © 2023 Citrix Authorized Content

  • Additionally, VDA time synchronization not being set to use a domain NTP server can cause it to become out of sync with the Delivery Controller(s) by more than five minutes.
  • Domain membership problems for the VDA can cause failure of the secure communication between the VDA and the Controller.
  • Leftover components, files, and/or registry values after a VDA version upgrade could also prevent registration.
• A Delivery Controller may also become unavailable for VDA registration requests, causing VDA registration failures to take place. Some possible causes for this include:
  • The Delivery Controller receiving too many registration requests and becoming overloaded and unresponsive.
  • The Delivery Controller has failed for another reason, such as a technical problem with the machine.
  • The Delivery Controller has been taken offline for maintenance.

Additional Resources:
• Virtual Delivery Agent (VDA) Registration Troubleshooting Tips and Flowchart
https://support.citrix.com/article/CTX136668


430 © 2023 Citrix Authorized Content
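The registration prerequisites from the communication process and the failure list above (domain membership, the Desktop Service, ListOfDDCs, DNS, TCP 80, and clock skew inside the five-minute Kerberos window) can be checked on the VDA itself before any CDF trace is taken. This is an added example, not Citrix code: it assumes an elevated session on a domain-joined Windows VDA, uses the standard HKLM\SOFTWARE\Citrix\VirtualDesktopAgent\ListOfDDCs value and BrokerAgent service name, and the thresholds are its own.

```powershell
# Added example (not Citrix code): VDA-side registration prerequisite checks.
# Run elevated on a domain-joined VDA. ListOfDDCs and the BrokerAgent service are
# the standard VDA locations; everything else here is this example's own choice.
$vdaKey = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
$cs     = Get-CimInstance Win32_ComputerSystem

# Domain membership: registration is Kerberos-based, so a workgroup VDA cannot register.
if (-not $cs.PartOfDomain) { Write-Warning "This machine is not domain-joined (workgroup $($cs.Domain))." }

# Citrix Desktop Service (BrokerAgent.exe) must be running to initiate registration.
$svc = Get-Service -Name BrokerAgent -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { Write-Warning 'Citrix Desktop Service (BrokerAgent) is not running.' }

# Controllers the VDA will try (manually set or GPO-populated); space-separated names.
$listOfDdcs = (Get-ItemProperty -Path $vdaKey -Name ListOfDDCs -ErrorAction SilentlyContinue).ListOfDDCs
if (-not $listOfDdcs) { Write-Warning "ListOfDDCs is empty or missing under $vdaKey."; $listOfDdcs = '' }
$ddcs = $listOfDdcs -split '\s+' | Where-Object { $_ }

# Time skew against the domain (domain controllers answer NTP); Kerberos tolerates five minutes.
function Get-TimeOffsetSeconds {
    param([string]$Target)
    $out = & w32tm /stripchart "/computer:$Target" /samples:1 /dataonly 2>&1
    $m = [regex]::Match(($out -join "`n"), '([+-]\d+\.\d+)s')
    if ($m.Success) { [double]$m.Groups[1].Value } else { $null }
}
$skew = Get-TimeOffsetSeconds -Target $cs.Domain
if ($null -eq $skew) {
    Write-Warning "Could not measure time offset against $($cs.Domain)."
} elseif ([math]::Abs($skew) -gt 300) {
    Write-Warning ("Clock is {0:N1}s off the domain; Kerberos fails beyond 300s." -f $skew)
}

# Per-controller checks: DNS resolution, FQDN form, and TCP port 80 (the registration port).
function Test-DdcReachability {
    param([string]$Ddc)
    $r = [ordered]@{ Controller = $Ddc; IsFqdn = $Ddc.Contains('.'); DnsResolves = $false; Port80Open = $false }
    try {
        $null = [System.Net.Dns]::GetHostEntry($Ddc)   # forward lookup; SPN validation needs the real name
        $r.DnsResolves = $true
        $r.Port80Open  = Test-NetConnection -ComputerName $Ddc -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
    } catch { }
    [pscustomobject]$r
}

$report = foreach ($d in $ddcs) { Test-DdcReachability -Ddc $d }
$report | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.DnsResolves -and $_.Port80Open })) {
    Write-Warning 'No controller in ListOfDDCs is both resolvable and reachable on TCP 80; check DNS, firewall rules and the list itself.'
}
```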


Lab Exercise Prep

Please take a moment and provision your lab for Module 11.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

431 © 2023 Citrix Authorized Content


Troubleshooting Methods

Primary tools for troubleshooting VDA Registration

• Scout - Health Checks: Windows or CLI tool for troubleshooting configuration issues in a Citrix environment, to include VDA issues. Results are reported both in a GUI and a log file.
• Event Log Entries: Display entries for controller or VDA issues.
• CDFControl: Event trace tool that can be used to capture information in real time, with the output captured for review.
• XDPing: Part of Citrix Scout Health Checks, this is a command-line based application that checks for common configuration issues on controllers and VDA machines.

Key Notes:
• There are several tools available for use in troubleshooting a Citrix Virtual Apps and Desktops environment.
• XDPing, which performs checks on a Citrix Virtual Apps and Desktops environment, can be used for the items below. It is important, when using XDPing, to run it both ways: VDA -> VDC as well as VDC -> VDA.
  • Validate network settings and connections.
  • DNS lookups (including reverse lookups).
  • Provide details on time synchronization and Kerberos authentication time checks.

432 © 2023 Citrix Authorized Content


  • User logon information.
  • Machine information, such as the operating system and computer name.
  • Information on the Citrix Virtual Desktops services.
  • Windows firewall and port configuration information.
  • Citrix Virtual Desktops-related event entries.
  • Client bandwidth and response time (between the end user machine and the VDA).
• WCF Tracing can be enabled to review system events, operation calls, and faults/exceptions, to assist with diagnosing data for the registration process.
• The Citrix Health Assistant, part of Citrix Scout, is a Windows (or CLI) tool that helps administrators troubleshoot configuration issues in a Citrix environment. The tool conducts the following health checks on a VDA, and reports check results in the GUI and in the log file. It is operated using the command "Citrix Health Assistant.exe" -start.
  • VDA registration:
    • VDA Software Installation
    • VDA Machine Domain Membership
    • VDA Communication Port Availability
    • VDA Services Status
    • Windows Firewall Configuration
    • Communication with Controller
    • Time Sync with Controller
    • VDA Registration Status
  • Session Launch:
    • Session Launch Communication Port Availability
    • Session Launch Services Status
    • Session Launch Windows Firewall configuration
    • VDA Remote Desktop Services Client Access Licenses
    • VDA Application Launch Path
• Windows Event Viewer will list various registration warnings or failures related to the Delivery Controller or VDA. The VDA and Delivery Controller components both generate event log messages for successful and unsuccessful registrations, which can be used to validate registration or narrow down the cause of a registration issue.

433 © 2023 Citrix Authorized Content


• CDF Control (Remote tracing) can be used to capture trace messages that are output from the various Citrix tracing providers. These traces can be analyzed to see detailed communication information for the selected process(es).
• Additional resources to assist with troubleshooting and investigation of VDA registration issues include:
  • Citrix Studio or Citrix Director can be used to verify VDA registration status, as well as determine whether the issue is specific to an individual VDA or more widespread.
  • PowerShell or the Command Prompt can be used to verify communications between the Controller and VDA, as well as investigate potential time synchronization issues.
  • The Citrix Policy Reporter Tool can be used to validate how Citrix and Microsoft Group Policies are being applied to a VDA, which can be used to validate the ListOfDDCs setting.
  • The VDA Cleanup Utility is designed to assist with the following scenarios:
    • When errors occur during upgrade from an earlier version of VDA.
    • When unexpected behavior or performance is experienced after upgrade from an earlier VDA.
    • If VDA upgrade is not possible due to feature incompatibility and/or a clean uninstall is required.
  • The VDA Clean-Up Utility removes components, files, and registry values of VDA 5.6 and afterwards.

Additional Resources:
• How to troubleshoot Virtual Delivery Agent (VDA) Registration issues
https://support.citrix.com/article/CTX136668
• Citrix Supportability Pack (bundles many useful tools)
https://support.citrix.com/article/CTX203082
• Citrix Policy Reporter - RSOP CtxCseUtil Tool
https://support.citrix.com/article/CTX138533
• VDA Cleanup Utility
https://support.citrix.com/article/CTX209255
• CDF Control
https://support.citrix.com/article/CTX111961

434 © 2023 Citrix Authorized Content


VDA Registration in a Multi-Zone Site
Complete Connections and Communication

[Diagram: VDA registration in a multi-zone site. New York City, Zone 1 (Primary): Users, Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and Resources (Desktops, Apps). San Francisco, Zone 2 (Satellite) and Miami, Zone 3 (Satellite): each with Citrix Gateway, StoreFront, Delivery Controller and Resources (Desktops, Apps). Steps 1 through 7 mark the registration attempts between the satellite-zone VDAs, their local Delivery Controller and the primary-zone Delivery Controller.]

Key Notes:
The registration process, when multiple zones are involved, is different than a single zone deployment. It may also vary based on factors
such as zone preference. Generally, a VDA will register with a controller in its local zone, if one is available. If no local controller is
available, registration will be attempted with a controller in the primary zone. If no controller exists in the local zone, registration will
always be attempted with a controller in the primary zone.

Additional Resources:

435 © 2023 Citrix Authorized Content


• Best Practices for Virtual Desktops Registry-Based DDC Registration
https://support.citrix.com/article/CTX133384
• Delivery Controllers
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/delivery-controllers.html
• Zones
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/zones.html


436 © 2023 Citrix Authorized Content


Complete Connections and Communication
XML Service Based Authentication

[Diagram: XML Service-based authentication. New York City, Zone 1 (Primary): Users, Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and Resources (Desktops, Apps). San Francisco, Zone 2 (Satellite) and Miami, Zone 3 (Satellite): each with Citrix Gateway, StoreFront, Delivery Controller and Resources (Desktops, Apps). Steps 1 to 4 run from the internal End User Device to StoreFront, from StoreFront to the Delivery Controller and from the Delivery Controller to Active Directory; the steps are described in the Key Notes.]

Key Notes:
• A key element of troubleshooting is to understand what occurs internally between the Citrix Virtual Apps and Desktops components.
• The internal processes are XML Service-based and shown in yellow in the diagram. Troubleshooting internal communications should begin with the steps below:
• (1) The end user device accesses the StoreFront authentication page via the internal URL.
  • The URL must be accessible to any users expected to access it directly. Making this URL available to external users presents a security risk because you are allowing external traffic to communicate directly with a Windows machine, which is more vulnerable to malicious attacks (compared to a hardened network appliance like a Citrix ADC).

437 © 2023 Citrix Authorized Content

  • Ideally, HTTPS would be used for the communication with StoreFront, which requires up-to-date certificates to be in place.
• (2) The user enters authentication credentials.
  • A common error in the authentication phase is the user mis-typing or mis-remembering credentials. Level 1 support should be trained to verify that credentials are valid as an initial troubleshooting step.
  • Consider implementing the Self-Service Password Reset feature to enable end users to reset their own AD passwords without opening a support ticket.
• (3) StoreFront submits the credentials to the XML port of a Delivery Controller.
  • For this to occur, the "Validation Password Via" setting must be configured to "Delivery Controllers."
• (4) The Delivery Controller submits the credentials to a Domain Controller.
  • Ensure that communications between the Delivery Controllers and AD Domain Controllers are allowed in the firewalls of your environment.
• (5) The Domain Controller validates the credentials.

Additional Resources:
• Manage Authentication Methods
https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/configure-authentication-service.html
• How to Configure LDAP Authentication on Citrix ADC or Citrix Gateway
https://support.citrix.com/article/CTX108876
• StoreFront 2203 XML Service-Based authentication
https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/xml-authentication.html

438 © 2023 Citrix Authorized Content


Lesson Objective Review

• Scenario: Users are reporting, upon starting work after a long weekend holiday, that they cannot see any resources. Upon investigation, the StoreFront logs show communication failed with all Delivery Controllers. Where could an engineer look to identify the reason behind the communication failures?

• Change Control logs indicating a network or firewall change.


439 © 2023 Citrix Authorized Content


Lab Exercise

• 11-1: Troubleshooting VDA Registration Issues using Citrix Health Assistant and CDF Tracing tools
• 11-2: Verifying and Resolving Time Synchronization Issues
• 11-3: Verifying and Resolving Network Connectivity Issues between VDA and Delivery Controller
• 11-4: Troubleshooting Name Resolution Issues


440 © 2023 Citrix Authorized Content


Key Takeaways

• VDA registration is a multi-step process involving the VDA, Delivery Controller(s) and Active Directory. If communications are interrupted by network or security issues, registration can fail.
• Troubleshooting steps into VDA registration issues should include policy, firewall and DNS communications.
• VDA registration in a multi-zone environment can involve both local and primary zones.


441 © 2023 Citrix Authorized Content


Citrix Virtual Apps and Desktops 7 Advanced Configuration

Troubleshoot HDX Connection Issues

Module 12


442 © 2023 Citrix Authorized Content


Learning Objectives

• Describe the HDX session launch sequence to assist in quickly isolating common session launch failures.
• Identify the common causes of HDX session launch failures and how to resolve the failure causes.


443 © 2023 Citrix Authorized Content


Troubleshooting HDX Connections


444 © 2023 Citrix Authorized Content


Troubleshooting HDX Connections
Overview
[Diagram: End User PC -> StoreFront -> Controller (VDC) -> VDA, with the Site Database and License Server behind the Controller. Issue areas are mapped onto the path: connection issues at the End User PC, enumeration issues at StoreFront, registration issues between Controller and VDA, site issues at the Site Database and license issues at the License Server.]

Key Notes:
• In order to assist troubleshooting issues with HDX connections, it is important to identify which area the issue is in. This allows us to focus more clearly on the potential resolution.
• The main areas to investigate when it comes to troubleshooting HDX connections are the connection, enumeration, registration, site and license.

445 © 2023 Citrix Authorized Content


Registration Communication Process

Check Other Sessions
• You can review recent connections and brokering attempts using specific PowerShell cmdlets that output to a log file for review:
  • Get-BrokerConnectionLog
  • The session connection log contains information for all brokered connection, or reconnection, attempts to sessions within the site.

Verify Connection Parameters
• When connecting via StoreFront, you can automatically download an .ica file to the local client machine by setting the LogICAFile string value to "true" on the workstation:
  • HKLM\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging

Verify Connection Settings
• A downloaded ICA file can be viewed to verify all connection-specific details, for example:
  • IP or DNS address of worker
  • Application settings
  • Proxy information


446 © 2023 Citrix Authorized Content
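The two checks on the slide, worked as an added example (not Citrix code): a summary of failed brokering attempts from Get-BrokerConnectionLog, and a helper that sets the LogICAFile value from the slide on a client workstation. It assumes Citrix administration rights on a Delivery Controller for the first part and an elevated session on the workstation for the second; the record cap, time window and machine name are placeholders.

```powershell
# Added example (not Citrix code): summarise failed brokering attempts and toggle
# .ica file capture on a workstation. Record cap, window and machine name are
# this example's own placeholders.
Add-PSSnapin Citrix* -ErrorAction Stop

function Get-RecentBrokeringFailures {
    param([int]$Hours = 24, [int]$MaxRecords = 5000)
    $since = (Get-Date).AddHours(-$Hours)
    # ConnectionFailureReason is 'None' for a successful brokering attempt; any
    # other value (for example Licensing or RegistrationTimeout) is a failure.
    Get-BrokerConnectionLog -MaxRecordCount $MaxRecords |
        Where-Object { $_.BrokeringTime -gt $since -and $_.ConnectionFailureReason -ne 'None' } |
        Group-Object ConnectionFailureReason |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                FailureReason = $_.Name
                Attempts      = $_.Count
                Users         = (@($_.Group.BrokeringUserName | Sort-Object -Unique) -join ', ')
                Machines      = (@($_.Group.MachineDNSName   | Sort-Object -Unique) -join ', ')
                LastSeen      = ($_.Group.BrokeringTime | Sort-Object | Select-Object -Last 1)
            }
        }
}

Get-RecentBrokeringFailures | Format-Table -AutoSize

# Drill into one worker's most recent attempts (placeholder machine name).
Get-BrokerConnectionLog -MaxRecordCount 5000 |
    Where-Object { $_.MachineDNSName -eq 'vda01.corp.example' } |
    Sort-Object BrokeringTime -Descending | Select-Object -First 10 |
    Format-List BrokeringTime, BrokeringUserName, ClientName, ConnectionFailureReason

# On the workstation: keep a copy of each .ica file Workspace app receives (the
# HKLM value from the slide) so worker address, proxy and application settings can
# be verified. The file carries the launch ticket, so set it back to 'false' once
# the investigation is finished.
function Set-IcaFileLogging {
    param([bool]$Enabled = $true)
    $key = 'HKLM:\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\Logging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name LogICAFile -Value ($Enabled.ToString().ToLower()) `
        -PropertyType String -Force | Out-Null
    (Get-ItemProperty -Path $key -Name LogICAFile).LogICAFile   # 'true' or 'false'
}
```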


Load Management

• User sessions connecting to either desktops or applications are distributed evenly across all VDAs within a given Delivery Group. Load values can assist in identifying errors.
• Normal range load values run from 0 (no load) to 10,000 (full load).
• A server with a load of 10,000 will not allow new connections.
• A server showing a load of 20,000 indicates a licensing issue.

[Diagram: end users send 4 HDX session requests to the Delivery Controller, which distributes Sessions 1 to 4 across two Published Desktop VDAs in the Delivery Group.]

Key Notes:
• When connection requests are made, they are load balanced over all the VDAs in the Delivery Group. This can be customized using policies, either through Active Directory or Citrix policies.
• HDX policy Load Management settings include the following parameters that can be set based on specific infrastructure requirements:
  • Concurrent logons tolerance
  • CPU usage

447 © 2023 Citrix Authorized Content

  • CPU usage excluded process priority
  • Disk usage
  • Maximum number of sessions (default value of 250)
  • Memory usage
  • Memory usage base load
• Session distribution, the process of load balancing, is driven by a load index, reported by each VDA to a Delivery Controller. Some key load figures are:
  • Range from 0 to 10000 (full load)
  • Report 20000 for licensing issues
  • Report a full server load at 250 sessions (default)
• You can query the load index using the Get-BrokerMachine cmdlet, for example: Get-BrokerMachine -SessionSupport MultiSession -Property DnsName,LoadIndex,SessionCount

Additional Resources:
• How to Calculate the Load Evaluator Index on DDC
http://support.citrix.com/article/CTX202150


448 © 2023 Citrix Authorized Content
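The load index query from the notes, carried through as an added example (not Citrix code): it classifies every multi-session VDA using the figures above (0 to 10000 normal, 10000 full, 20000 a licensing problem rather than real load) and separates a licensing symptom from a genuine capacity shortfall. It assumes Citrix administration rights on a Delivery Controller; the 8000 "High" threshold is the example's own.

```powershell
# Added example (not Citrix code): report and classify the load index of every
# multi-session VDA. The 'High' threshold of 8000 is this example's own choice.
Add-PSSnapin Citrix* -ErrorAction Stop

function Get-VdaLoadReport {
    foreach ($m in (Get-BrokerMachine -SessionSupport MultiSession -MaxRecordCount 5000)) {
        # 0-10000 is the normal range, 10000 means no new connections are accepted,
        # and 20000 is the Broker's marker for a licensing problem, not real load.
        $state = 'Normal'
        if     ($m.LoadIndex -eq 20000) { $state = 'LicensingIssue' }
        elseif ($m.LoadIndex -ge 10000) { $state = 'Full' }
        elseif ($m.LoadIndex -ge 8000)  { $state = 'High' }
        [pscustomobject]@{
            Machine      = $m.DNSName
            Registration = $m.RegistrationState
            Maintenance  = $m.InMaintenanceMode
            Sessions     = $m.SessionCount
            LoadIndex    = $m.LoadIndex
            LoadState    = $state
            # Per-evaluator contributions (CPU, memory, disk, sessions ...) show which
            # Load Management rule is driving the overall index.
            Evaluators   = ($m.LoadIndexes -join ', ')
        }
    }
}

$report = @(Get-VdaLoadReport)
$report | Sort-Object LoadIndex -Descending | Format-Table -AutoSize

$licensing = @($report | Where-Object { $_.LoadState -eq 'LicensingIssue' })
if ($licensing.Count -gt 0) {
    Write-Warning ("{0} VDA(s) report 20000: check License Server reachability and licence availability before treating this as a capacity problem: {1}" -f
        $licensing.Count, ($licensing.Machine -join ', '))
}

$serving = @($report | Where-Object { $_.Registration -eq 'Registered' -and -not $_.Maintenance })
$withRoom = @($serving | Where-Object { $_.LoadState -in 'Normal','High' })
if ($serving.Count -gt 0 -and $withRoom.Count -eq 0) {
    Write-Warning 'Every registered VDA in scope is full; new HDX launches will be refused until capacity is added.'
}
```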


Lab Exercise Prep

Please take a moment and provision your lab for Module 12.

Key Notes:
• If needed, please refer to Module 0 for instructions regarding how to access labs.
• Do not wait for the labs to fully provision, just initiate the provisioning. The lab should finish provisioning in time to start the lab
exercise.

449 © 2023 Citrix Authorized Content


Complete Connections and Communication
Session Launch: HDX Communication

[Diagram: End user devices (internal and external users) reach the site through StoreFront and Citrix Gateway. Infrastructure Zone 1 (Primary) in New York City (NYC) contains Citrix Gateway, StoreFront, Active Directory, License Server, Delivery Controller, SQL Site DB and Resources (Desktops, Apps). Zone 2 (Satellite) in San Francisco (SFO) and Zone 3 (Satellite) in Miami (MIA) each contain a Delivery Controller, StoreFront and Resources (Desktops, Apps). Numbered markers (1a), (1b), (2) to (10a), (10b), (11) to (14) show the order of the session launch flow.]

Key Notes:
• An HDX session can connect either directly to a resource or via a Citrix Gateway.
• When using a Citrix Gateway, traffic first passes to the Gateway using encryption before being processed by the
Gateway and any rules or restrictions applied. Once traffic has been processed, it is forwarded on to the host
device.
• When a Citrix Gateway is not used, such as in scenarios where no encryption is required, the HDX traffic passes
directly to the resource. It is important to recognize how traffic is routed in your environment to aid in troubleshooting.
• A useful hint for troubleshooting HDX connections that are failing through a Citrix Gateway is to try the
connection without the Gateway. If it works, you have isolated the issue to the Gateway.
• During a design and build phase, it is worthwhile ensuring you have set up both Citrix Gateway and direct
access options to allow for testing when required.

Additional Resources:
• Create a single Fully Qualified Domain Name (FQDN) to access a store internally and externally
  https://docs.citrix.com/en-us/storefront/current-release/advanced-configurations/configure-single-fqdn.html
• Users Prompted to Download, Run, Open Launch.ica File, Instead of Launching Connection
  https://support.citrix.com/article/CTX804493
• Error: You Cannot Access this Session Because no Licenses are Available. Event ID 1163
  https://support.citrix.com/article/CTX210104

Complete Connections and Communication
Session Launch: HDX Communication

Common Misconfigurations

• All VDA hosts are reporting full load, unregistered, offline, or in maintenance mode.
• No Citrix licenses are available due to an unplanned increase in users.
• Secure Ticket Authority (STA) issues when launching via Citrix Gateway.
• Unexpected behavior or performance after an upgrade from an earlier version of Citrix Workspace app.

Key Notes:
• There are a number of common errors made when configuring Citrix Virtual Apps and Desktops that can lead to issues with HDX
sessions. These include licensing problems, incorrect server details being used, and VDAs becoming unregistered or showing fully loaded
due to misconfigurations.
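As an added example (not from the Citrix course material), the following PowerShell script combines the load index figures from the load management notes earlier in this lesson with the VDA states listed above under Common Misconfigurations, and classifies every multi-session VDA in one Delivery Group. It uses the Citrix Broker SDK cmdlet Get-BrokerMachine named on the page; the Delivery Group name, the state labels, the threshold variable names and the -DesktopGroupName/-MaxRecordCount usage are assumptions made for this example.

```powershell
# Added example, not from the Citrix course material.
# Summarise VDA load and registration state for one Delivery Group so that the
# common launch-failure causes (full load, unregistered, maintenance mode,
# licensing) are visible at a glance. Run on a Delivery Controller or any
# machine with the Broker PowerShell SDK installed (assumption).
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Delivery Group to inspect (constructed placeholder name)
$DeliveryGroup = 'Example-Published-Desktops'

# Thresholds taken from the load index semantics in this lesson:
# 0..10000 is the normal range (10000 = full, no new connections accepted),
# 20000 is reported by a VDA that cannot obtain a license.
$FullLoad     = 10000
$LicenseIssue = 20000

$vdas = Get-BrokerMachine -DesktopGroupName $DeliveryGroup -SessionSupport MultiSession `
        -MaxRecordCount 5000 `
        -Property DNSName, LoadIndex, SessionCount, RegistrationState, InMaintenanceMode, PowerState

$report = foreach ($m in $vdas) {
    # Order matters: a machine in maintenance mode is unavailable regardless of
    # its load index, and an unregistered VDA cannot be brokered at all.
    $state = switch ($true) {
        ($m.InMaintenanceMode)                  { 'MaintenanceMode'; break }
        ($m.RegistrationState -ne 'Registered') { 'Unregistered';    break }
        ($m.LoadIndex -ge $LicenseIssue)        { 'LicensingIssue';  break }
        ($m.LoadIndex -ge $FullLoad)            { 'FullLoad';        break }
        default                                 { 'Available' }
    }
    [pscustomobject]@{
        DNSName      = $m.DNSName
        LoadIndex    = $m.LoadIndex
        Sessions     = $m.SessionCount
        Registration = $m.RegistrationState
        Power        = $m.PowerState
        State        = $state
    }
}

# Highest load first so the machines closest to refusing connections are on top
$report | Sort-Object LoadIndex -Descending | Format-Table -AutoSize

# If no VDA is 'Available', every new launch into this group will fail,
# which matches the first item on the Common Misconfigurations slide.
$available = @($report | Where-Object State -eq 'Available').Count
Write-Host ("{0} of {1} multi-session VDAs in '{2}' can accept new sessions" -f `
            $available, @($report).Count, $DeliveryGroup)
```

The per-machine classification is what Citrix Studio and Director show in their own views; scripting it is useful when you want to check a group during an incident, or schedule the check and alert when the count of available VDAs drops to zero.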

Additional Resources:
• Citrix Supportability Pack (bundles many useful tools)
  https://support.citrix.com/article/CTX203082
• Secure Ticket Authority (STA) Status is Marked as DOWN on Citrix ADC-Gateway
  https://support.citrix.com/article/CTX132334/
• FAQ: Citrix Secure Gateway/Citrix Gateway Secure Ticket Authority
  https://support.citrix.com/article/CTX101997
• Ping Tool
  https://support.citrix.com/article/CTX123278
• Tools To Simulate CPU / Memory / Disk Load (includes CPUStress Tool)
  https://blogs.msdn.microsoft.com/vijaysk/2012/10/26/tools-to-simulate-cpu-memory-disk-load/
• Autoruns for Windows v13.7
  https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Complete Connections and Communication
Session Launch: HDX Communication

Tools to Support and Troubleshoot

• Citrix Scout – Health Checks
• Windows Event Logs
• Citrix Studio
• Citrix Director
• PowerShell/Command Utility
• CPUStress Tool
• Resource Monitor
• Process Explorer
• AutoRuns utility

Key Notes:
• Principal tools used to troubleshoot are Citrix Studio and Director, Windows event logs, and PowerShell. Other tools, including a
number already covered in this course can be used to gather additional information on the status of a Citrix Virtual Apps and
Desktops environment to assist troubleshooting.

Lesson Objective Review

Scenario: Users are reporting that they can see resources but cannot launch a session. An error message displays stating "no server configured at the specified address." What is the most likely cause?

A network error is resulting in the HDX connection request from the client device being directed to a device that is not the intended Citrix VDA.


Lab Exercise

• 12-1: Configure Graceful App Session Logoff for Ghost Sessions
• 12-2: Troubleshooting Published App Launch Failures Caused by a Missing Dependency


Key Takeaways

• HDX session launches start with the download of an ICA file, which contains the required parameters for connection to the VDA, either directly or through a Citrix Gateway.
• An .ICA file that contains incorrect details, or a misconfigured dependent component, will cause HDX sessions to fail.
• PowerShell cmdlets or CLI commands such as Get-BrokerConnectionLog can be used to review HDX connection details or session activity, along with other Citrix and third-party tools.

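As an added example (not part of the course material), this PowerShell snippet shows one way to review session activity with Get-BrokerConnectionLog, the cmdlet named in the takeaways above, by pulling recent brokering failures and grouping them by reason and by target VDA. The 24-hour window, the use of a local variable inside -Filter, and the ConnectionFailureReason, MachineDNSName, BrokeringUserName and BrokeringTime property names are assumptions made for this example.

```powershell
# Added example, not from the Citrix course material.
# Summarise failed HDX brokering attempts recorded on the Delivery Controller.
# Assumes the Broker SDK snap-in is available and that the connection log
# records expose BrokeringTime, BrokeringUserName, MachineDNSName and
# ConnectionFailureReason (assumed property names).
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Look back 24 hours (assumed window; align it with the incident timeframe)
$since = (Get-Date).AddHours(-24)

# Only records where brokering did not succeed, newest first.
# The Broker SDK -Filter syntax permits local variables such as $since (assumption).
$failures = Get-BrokerConnectionLog -MaxRecordCount 10000 -SortBy '-BrokeringTime' `
            -Filter { BrokeringTime -ge $since -and ConnectionFailureReason -ne 'None' }

if (-not $failures) {
    Write-Host "No brokering failures logged since $since"
    return
}

# Failure reasons by count: a spike in one reason (for example licensing or
# ticketing) points at a shared component rather than at individual VDAs.
Write-Host "Failures by reason:"
$failures | Group-Object ConnectionFailureReason |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Failures per target machine: one VDA collecting most of the failures suggests
# a registration or load problem on that host rather than a site-wide issue.
Write-Host "Top 10 machines by failures:"
$failures | Group-Object MachineDNSName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize

# Most recent 20 entries for manual review alongside Director and the event logs
Write-Host "Most recent failures:"
$failures |
    Select-Object -First 20 BrokeringTime, BrokeringUserName, MachineDNSName, ConnectionFailureReason |
    Format-Table -AutoSize
```

Reading the two groupings together narrows the problem quickly: a single reason across many machines points at licensing, STA or Gateway configuration, while many reasons on a single machine points at that VDA's registration or load, which is the distinction the Common Misconfigurations slide draws.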

