Citrix XenApp


Thursday, 20 December 2012

Fix for Citrix XenApp Published Apps Disabling Windows Visual Effects

One of the minor issues I have encountered is that the Connection Center component of the Citrix Plugin client disables some of the visual effects at logon in Windows, including the “Animate Window Minimizing and Maximizing” setting. I have also noticed that the “Show Windows Contents While Dragging” setting sometimes gets deactivated. Having these disabled is particularly unattractive if you are using the Aero interface.
To stop these from turning off, it is necessary to prevent the Connection Center process “concentr.exe” from running when the user logs on. Keep in mind that disabling the Connection Center will prevent you from accessing the features available in it. This fix will only affect programs and windows running locally on the computer; apps published from XenApp will still have the visual features disabled. On my computer the user I normally use is a standard user, so I will disable the execute privileges for the local Users group for the “concentr.exe” file.
I have found that this is the only way to stop the Connection Center from running without the Plugin (in particular the Web version) detecting that something has been changed and rerunning the initialization. Renaming the “concentr.exe” file or disabling it from running within “msconfig” didn’t work for me.
First navigate to “C:\Program Files\Citrix\ICA Client” (32-bit Windows) or “C:\Program Files (x86)\Citrix\ICA Client” (64-bit Windows).
Right click “concentr.exe” and choose Properties.

The screen shots show me modifying a different file because I’ve already run through the process on “concentr.exe”, but everything should be the same in the pictures except the file name.  Click the Security tab, then click Advanced.
Click Change Permissions. UAC may prompt you, depending on your user logon.
Uncheck the “Include inheritable permissions” check box.
Click Add to copy the inherited permissions.  Now click OK on the dialog boxes until you are back to the main file properties dialog shown below.
Now click Edit.
Highlight the Users group, then uncheck the allow Read & Execute permission.  Now click OK until you’ve closed all the dialogs.
Now, to make sure that the visual effects are enabled, go to Start > right-click Computer, then choose Properties.
Click Advanced system settings.
In the Performance section click Settings.
Select Adjust for best appearance, then click Apply.  You may need to adjust to a different set of settings in order to ensure that the settings are applied.  Now close out of the windows.
I have noticed on occasion that the “Show window contents while dragging” setting may sometimes disable itself even with this fix applied. Sometimes this may be related to disconnecting and later reconnecting to a XenApp session; however, this doesn’t happen consistently. I’ll let you know if I come across anything to permanently fix this.
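
The permission change from the steps above, scripted with icacls from PowerShell as an added example (not part of the original post). It assumes the default install folder, the backup file name is hypothetical, and it removes the Users entry and grants back Read only, so a standard user can read the file but no longer start it.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: the default install folder named in the post.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
$path  = $roots |
    ForEach-Object { Join-Path $_ 'Citrix\ICA Client\concentr.exe' } |
    Where-Object   { Test-Path $_ } |
    Select-Object -First 1
if (-not $path) { throw 'concentr.exe not found under Program Files' }

$usersSid = 'S-1-5-32-545'                       # well-known SID of BUILTIN\Users
$backup   = Join-Path $env:TEMP 'concentr.acl'   # hypothetical backup file name

function Invoke-Icacls {
    # Run icacls.exe and stop at the first failure instead of continuing.
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Keep the original ACL; roll back with: icacls (Split-Path $path) /restore $backup
Invoke-Icacls $path /save $backup

# Same as unchecking "Include inheritable permissions" and choosing Add (copy).
Invoke-Icacls $path /inheritance:d

# Drop the copied allow entry for Users, then give back Read without Execute.
Invoke-Icacls $path /remove:g "*$usersSid"
Invoke-Icacls $path /grant "*${usersSid}:(R)"

# Verify: no allow entry for Users may still carry the execute right.
$exec  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$rules = (Get-Acl -Path $path).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$stillExec = $rules | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $exec) -eq $exec)
}
if ($stillExec) {
    Write-Warning "BUILTIN\Users can still execute $path"
} else {
    Write-Output "BUILTIN\Users can no longer execute $path (ACL backup: $backup)"
}
```

Entries for other principals, such as Administrators, are left untouched, so the change only blocks accounts that relied on the Users entry.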

Thursday, 21 June 2012

Web Interface Logon process in Citrix

Web Interface(WI) logon process:

1. The user enters the URL of the WI server and logs on.
2. The Web Interface server contacts the XML broker; the XML broker authenticates the user and returns the application list.
3. The user clicks on an application.
4. The Web Interface server contacts the XML broker.
5. The XML broker contacts the ZDC (zone data collector) to find the least loaded server.
6. The ZDC returns the IP address of the least loaded server to the XML broker.
7. The XML broker returns the IP address of the least loaded server to the Web Interface.
8. The Web Interface creates an ICA file with the IP address of the least loaded server and returns it to the client.
9. The browser launches the ICA client, which connects directly to the server using the ICA file sent from the Web Interface.

Tuesday, 19 June 2012

Adding Second Farm to web Interface

Open the first farm and:

Open the Access Management Console on the Web Interface server, then:
click “Configuration Tool”
-> “Web Interface”
-> right-click the site you created
-> select “Manage Server Farm”
-> add the second farm.

Monday, 18 June 2012

Backup Access Data Store and Restore

While there is no built-in backup scheduler with Access, Presentation Server includes the DSMAINT BACKUP command for backing up Access Data Stores only. Citrix recommends that this command be executed daily using a scheduler script.

WARNING! Do not attempt to back up Microsoft SQL Server or Oracle databases using this command.

MDB: A file with the MDB file extension is a Microsoft Access Database file.

Moving / Restoring an Access Database

Access to a valid backup or copy of the Data Store is assumed before the following procedure is started.

Moving an Access Database

To move an Access database, complete the following procedure:

  1. Copy the Data Store file named “MF20.mdb” in the %system%\Program Files\Citrix\Independent Management Architecture\ folder from the source server to the target server, which will be the new Data Store host.
  2. On the new host server, create a new File DSN by using the Microsoft ODBC manager pointing to the Data Store, as shown in the following screen shots:

  3. Close the ODBC manager because you have created the required DSN file.
    The next task requires you to edit the registry settings.
    Caution! This fix requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

  4. Run the Registry Editor and change the value of the following registry key from <blank> to ImaAccess.dll:
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DatabaseDriver

  5. Open a command prompt and run the following command to configure IMA to use the new DSN file:
    dsmaint config
    Following is a sample for your reference:
    dsmaint config /user:citrix /pwd:citrix /dsn:<full path to the newly created DSN file from Step 2>
    Note: You can drag and drop the DSN file into the command prompt to avoid typing the wrong path.

  6. Run the following command from the command prompt to stop the IMA Service and recreate the Local Host Cache:
    dsmaint recreatelhc

  7. On all the remaining servers in the farm, run the following command, where <DirectServername> is the name of the new host server:
    dsmaint failover <DirectServername>

Restoring an Access Database

It is assumed that the following tasks are completed before starting the procedure to restore an Access database:
  • You have rebuilt or reinstalled XenApp to recover from a failure.
  • You have a working XenApp server up and running with IMA started.
  • You have access to a backup copy of the old Access database (MF20.mdb) created by the DSMAINT BACKUP command or some other method.
To restore an Access database, complete the following procedure:

  1. Stop the IMA Service and copy the existing MF20.mdb file to a safe location.
    Note: You will be replacing this file with your backup MF20.mdb.

  2. Copy the Data Store file named “MF20.mdb” from the backup source to the target server and save it in the %system%\Program Files\Citrix\Independent Management Architecture\ folder.
    Note: The IMA Service must be stopped before starting the next task.

  3. Open a command prompt and run the dsmaint config command to configure IMA and use the existing MF20.dsn file.
    Following is a sample of the preceding command:
    dsmaint config /user:citrix /pwd:citrix /dsn:<full path to the .dsn file>
    Note: You can drag and drop the DSN file into the command prompt to avoid typing the wrong path.

  4. Run the following command from the command prompt to recreate the Local Host cache and any other servers in the farm so they are aware of the new information:
    dsmaint recreatelhc
    Note: Do not forget to stop IMA before you run the preceding command.

Tuesday, 5 June 2012

P2V error - BlockLevelVolumeCloneMgr and Sysimgbase_DiskLib_Write

The other day we had to do a number of hot P2Vs on some Citrix servers running Win2k3. I had successfully completed a test migration a week before (with VMware Converter Standalone 5 installed locally on the source) on one of the same servers, but when we re-initiated the P2V in the planned maintenance window, both servers failed at 90-something percent with an error stating the following:

SingleVolumeCloneTask:DoRun: Volume cloning failed with clone error BlockLevelVolumeCloneMgr::CloneVolume: Detected a write error during the cloning of volume \WindowsBitmapDriverVolumeId=[08-03-AE-BE-00-40-00-00-00-00-00-00]. Error: 37409 (type: 1, code: 2338)

This log entry is found by right clicking the job in Converter and choosing 'export logs'. Locate the file called vmware-converter-worker-X.log (where X is an incremental integer).

The above error message seems to indicate that there is a problem on the source disk. We tried running checkdisk which showed no errors and we defragmented all drives. Same error occurred.

Looking a bit more at the logs, I found the following entries which pointed towards a network error:


[NFC ERROR] NfcSendMessage: send failed: NFC_NETWORK_ERROR
[NFC ERROR] NfcFssrvr_IO: failed to send io message
Sysimgbase_DiskLib_Write failed with 'NBD_ERR_NETWORK_CONNECT' (error code:2338)

By searching a bit on the above entries, I was pointed towards a relevant KB article from VMware. As it turns out, this is not network related at all, it is a known error in the Converter Standalone (both v4 and v5) software. The KB simply states that VMware is aware of this issue... I've done a ton of P2V's but this error I've never seen before...

The good news is that there is a workaround:

The trick is to only transfer one drive at a time. This means that if the source has a C and a D drive, you'll be P2V'ing this machine twice, creating two separate VMs: one containing only the C drive including the system partition, and another VM (which I just called 'servername_Ddrive') containing only the D drive. When both P2Vs are done, the second one is removed from inventory. For the first VM, go to Edit Settings and attach the disk from the second VM, 'servername_Ddrive'. After that, you can boot the VM, now containing both drives. Be aware that the newly attached disk will default to drive letter D. This means that if it had another drive letter before, you'll have to change it manually.

An important point to mention in this process is that when transferring the second VM, containing only the D drive, the transfer will fail with an error around 98% stating something like "An error occurred during reconfiguration...". This is OK: as long as the drive has been successfully cloned, this is what matters (see below).


An alternative workaround that will most likely work as well is to do a cold clone.

Below is a screen dump of the relevant entries in the log file.

Sunday, 20 May 2012

Install app on Citrix server - change user

This is mostly a reminder to myself as I seem to forget the syntax.

When installing applications on a Citrix server in production, you need to change to install mode. After installation the mode has to be changed back to 'execute'.

From CMD prompt:

Install mode:

change user /install

Execute mode:

change user /execute


Saturday, 10 March 2012

Configure Offline Access in Citrix

Administrators can configure applications that are published to stream to desktops for offline access. This feature allows users to disconnect from the company network and continue to run their applications in offline mode for a specified length of time. No additional configuration is needed while profiling the application to create application profiles or targets that can be accessed offline.
After you configure the offline application policy settings and configure a streamed application for offline access, the next time the user device connects to XenApp, the offline plug-in downloads the application and caches it on the user device.
Important: Before you configure offline access, refer to System Requirements for Application Streaming for the supported platforms and system prerequisites for user devices.
  • Step 1: Configure policy settings for offline access
  • Step 2: Install the online and offline plug-ins on user devices
  • Step 3: Publish the application for offline access
You can complete these steps in any order, but users cannot run applications in offline mode until all steps are completed.


Step 1: Configure Policy Settings for Offline Applications

Configure these Citrix policy settings for Offline Applications:
  • Offline app users (required). Create a list of users or groups who have offline access permission and add that list both when creating the policy for Offline app users and when publishing the application. Users or groups listed in the offline app users policy setting and who are also configured for the application have permission to run offline-enabled applications in online and offline mode. Users who are configured for the application, but who are not added to the policy list, can access the application online, but not offline. Users or groups on this list use an offline license to launch applications regardless of whether they are connected to the network or disconnected.
  • Offline app license period (required). Specify the number of days applications can work offline before users have to renew the license (21 days by default, but can range from 2 to 365 days).
    For versions 1.0 through 5.1 of the plug-in, the license for each application in the profile is activated when the user launches the application the first time, for online or offline use. Beginning with version 5.2 of the plug-in, when the user launches an application in the profile for the first time, for online or offline use, the offline license is activated for all other applications in the profile, as well. This occurs at the farm level. Thus, the offline license for all applications in the profile expires based on the date of the first application launched the first time, regardless of when the other applications are launched.
    To configure licenses, administrators can use the License Management Console or command-line tools. They must also ensure they have a sufficient number of licenses to support the total number of users with offline access permission. Users who run XenApp hosted applications can also stream applications to user devices without requiring a separate license. For general information, in the topics for Licensing Your Product, see Getting Started with Citrix Licensing.
    When users with offline access log on using the online plug-in, they automatically either check out an offline license or renew a license already checked out. If users stay logged on, licenses are renewed automatically each day. If the license is near its expiration date while a user is running the application in offline mode, a notice appears reminding the user to log on (that is, change to online mode). When the user logs on, the offline license is renewed automatically if a license is available.
    If the license expires and no license is available, the user cannot launch the application offline.
  • Offline app client trust (optional). Use this setting to enable offline application clients that have disconnected to recreate sessions when reconnecting, without authenticating again.
  • Offline app event logging (optional). Use this setting to enable logging of offline application events to the event log on the server.

Step 2: Install the Online and Offline Plug-ins on User Devices

To use the offline access feature, install both the offline and online plug-ins on the user device. The offline plug-in caches each streamed application on the hard drive of the user device. After the application is cached, the user can disconnect from the network or server and continue to run the application in offline mode for the period of time specified in the license.

Step 3: Publish the Application for Offline Access
The offline access feature is available only for applications that you publish as Streamed to client or Streamed if possible, otherwise accessed from a server.

In addition, when publishing an application for offline access, check the application's documentation and Web site to determine whether any special configuration is required on the user device to enable offline access of that application. For example, to stream Microsoft Outlook to the user device for offline access, users must enable the Microsoft Exchange Setting to "Use Cached Exchange Mode."
Configure the application for offline access while publishing the application or later using the application properties: 
  • Enable the application for offline access and select the caching preference.
  • Create a list of users or groups who have offline access permission and add that list both when creating the policy for Offline app users and when publishing the application.

Friday, 9 March 2012

If you lose connectivity to the Data Store and you are using PS 3.0 or later

* Users can connect to the farm without any issues (no grace period or any time limitation).
* Do not restart the servers (as they will try to contact the DS and try to refresh the LHC).
* Do not reset the local host cache (it will not rebuild since the DS is down).
* The 96-hour grace period only applied to PS and MetaFrame versions before PS 3.0.
* There is no way to stop PS/XenApp servers from trying to contact the DS upon a reboot.
* Unless you use the Management Console/Delivery Console to manage your Citrix farm, it won't contact the DS.
* The LHC is there to perform the required functionality. It's by design.

Thursday, 8 March 2012

Points to remember in Citrix

The points below are very useful when attending interviews on Citrix. Most of us know these statements, but just to gather all the key points in a single place, I have started this post. I will keep it updated.
  • If the data collector fails, existing and incoming sessions connected to other servers in the farm are not affected. The data collector election process begins automatically and a new data collector is elected almost instantaneously.
  • The data collector election process is not dependent on the data store.
     
  •  If the data collector goes down, sessions connected to other servers in the farm are unaffected.
  • If a data collector goes down, there is no single point of failure.
     
  • A primary domain controller or backup domain controller must not become the data collector for a zone.
     
  • If a new MetaFrame server joins the zone or the current data collector is unavailable then an election is triggered to determine a data collector.
     
  • The default time after which inactive users are logged off from the Web Interface is 20 minutes in XenApp 5.0.
  • Individual Presentation Server will continue to function for 30 days after it loses connectivity to a Citrix License Server.
     
  • Every five minutes the license server and the products send a heartbeat message to each other to verify that they are mutually communicating. 
  • Some Citrix products can operate in a disconnected mode (not connected to the server). These products allow a user to check out a license and operate the product for a preconfigured period of time that is set by the administrator. In this case, heartbeat messages are not exchanged. One example of disconnected mode is when a user checks out a Password Manager license for a laptop, and then uses the laptop when it is not connected to the server.
     
  • If for any reason, a Citrix product cannot contact the license server to request a license, the product goes into a grace period. This grace period is set by Citrix and differs depending upon the product.
     
  • During a license server connectivity outage, yes, you can reboot your member Presentation Servers, and yes, you can reboot your data collectors. The mps-wsxica_mps-wsxica.ini file will stay put as long as you don’t actively delete it.
     
  • If your environment includes a different directory service (such as Novell Directory Services for Windows) or you are a Citrix administrator without permission to manage Group Policy, use the Delivery Services Console to create policies for your farm.
     
  • In Active Directory environments, the farm GPO takes precedence over the local GPO on the server in the event policy settings conflict. However, Active Directory GPOs take precedence over the farm GPO.
  • If you are not seeing all the file types for your application, this is because they may not yet be in the data store. To pull the information from a server’s registry, right-click the server in the console and select Other Tasks –> Update file types from registry. To pull FTA from all your servers, right-click on the root of the farm and select Other Tasks –> Update file types. Bear in mind this is going to pull from all the servers in the farm, so if you have a large farm it may take a while.
  • Remember you must also configure Client Drive Mapping for client-to-server content redirection to work.
  • Client-to-server redirection: update file types from registry.
  • Server-to-client redirection: you can set it in policy.
  • If the license server is behind a firewall, you must assign a static port to the Citrix vendor daemon.
  • MS Access and SQL Express databases can only be accessed indirectly, whereas you have the option when using MS SQL, IBM DB2 or Oracle.
     
  • The Farm Metric Server gets its information from the zone data collector, which is updated every 15 seconds by each MetaFrame XP server

Wednesday, 7 March 2012

Which Applications can't be virtualized in Citrix

While most applications can be successfully virtualized for use with SoftGrid, some applications may have certain characteristics that would prevent them from being completely virtualized using the current version of Microsoft SoftGrid.  This includes:
1. Applications that install and rely on a system-level driver, i.e. an application that installs a print driver or a USB device driver. Some applications may allow for the drivers to be installed independent of the other components of the application. As a work around for this scenario, the driver portion of this application could be installed locally on the client system, allowing the other components of the application to be virtualized.
2. Applications that install boot-time services (like RES PowerFuse)
3. Applications that use COM+.
4. MAPI virtualization. For information on SoftGrid and Microsoft Office, see the following article: 939796, Prescriptive guidance for sequencing 2007 Office programs in Microsoft SoftGrid, http://support.microsoft.com/default.aspx?scid=kb;EN-US;939796.
5. COM DLL surrogate virtualization, i.e. DLL’s that run in Dllhost.exe.
6. Applications with licensing enforcement tied to machine, e.g. the license is tied to the system’s MAC address. (Due to sequencing issues; this just wouldn't make any sense)
7. Anti-Virus!
Some of the applications that fall into these categories can possibly still be run in Microsoft SoftGrid as long as the component that cannot be virtualized is installed locally on the same machine as the SoftGrid client. This solution may solve the issue but is not a guarantee the applications will properly function. We recommend you test the applications thoroughly to ensure they meet the expected level of functionality.

Tuesday, 6 March 2012

Working with Citrix Policies

To control user access or session environments, configure a Citrix policy. Citrix policies are the most efficient method of controlling connection, security, and bandwidth settings.
You can create policies for specific groups of users, devices, or connection types. Each policy can contain multiple settings. For example, you can configure settings to:
  • Configure farm settings such as Virtual IP, Health Monitoring and Recovery, and multimedia acceleration
  • Control sound quality for client devices
  • Allow users to access the Documents folder on their local client device
  • Allow or prevent remote users from being able to save to their hard drives from a session
  • Allow or prevent users from accessing the Windows clipboard
  • Set a required encryption level for Citrix plug-ins
  • Set the session importance level, which, along with the application importance level, determines resource allotment for Preferential Load Balancing
You can work with policies through the Group Policy Editor in Windows or the Delivery Services Console in XenApp. The console or tool you use to do this depends on whether or not your network environment includes Microsoft Active Directory and whether or not you have the appropriate permissions to manage Group Policy Objects (GPOs).

Using the Group Policy Editor

If your network environment includes Active Directory and you have the appropriate permissions to manage Group Policy, use the Group Policy Editor to create policies for your farm. The settings you configure affect the GPOs you specify through the Group Policy Management console.

Using the Delivery Services Console
If your environment includes a different directory service (such as Novell Directory Services for Windows) or you are a Citrix administrator without permission to manage Group Policy, use the Delivery Services Console to create policies for your farm. The settings you configure are stored in a farm GPO in the data store.
 
Note: In Active Directory environments, the farm GPO takes precedence over the local GPO on the server in the event policy settings conflict. However, Active Directory GPOs take precedence over the farm GPO.
 
Tips for Working with Policies
 
If you create more than one policy in your environment, make sure that you prioritize the policies so that it is clear which policy should take precedence in the event of a conflict.
The process for configuring policies is:
  1. Create and name the policy.
  2. Configure policy settings.
  3. Apply the policy to connections by adding filters.
  4. Prioritize the policy.
In general, Citrix policies override similar settings configured for the entire server farm, for specific servers, or on the client. However, the highest encryption setting and the most restrictive shadowing setting always override other settings.

Monday, 5 March 2012

Local Host Cache in Citrix

A subset of data store information, the local host cache, exists on each server in the farm, providing each member server with quick access to data store information. The local host cache also provides redundancy of the data store information, if for example, a server in the farm loses connectivity to the data store.

When a change is made to the farm’s data store, a notification to update the local host cache is sent to all the servers in the farm. However, it is possible that some servers will miss an update because of network problems. Member servers periodically query the data store to determine if changes were made since the server’s local host cache was last updated. If changes were made, the server requests the changed information.

Refreshing the Local Host Cache

You can force a manual refresh of a server’s local host cache by executing dsmaint refreshlhc from a command prompt. This action forces the local host cache to read all changes immediately from the farm’s data store. Refreshing the local host cache is useful, for example, if the Citrix Independent Management Architecture (IMA) Service is running, but published applications do not appear correctly when users browse for application sets.

A discrepancy in the local host cache occurs only if the IMA Service on a server misses a change event and is not synchronized correctly with the data store.

Recreating the Local Host Cache

You can manually create the local host cache from the farm’s data store. If the IMA Service fails to start or you have a corrupt local host cache, you may need to recreate it.

To recreate the local host cache, stop the IMA Service and then run the command dsmaint recreatelhc. Running this command performs three actions:
  • Sets the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired to 1.
  • Deletes the existing local host cache (Imalhc.mdb)
  • Creates an empty local host cache (Imalhc.mdb).
You must restart the IMA Service after running dsmaint recreatelhc. When the IMA Service starts, the local host cache is populated with fresh data from the data store.

The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the IMA Service fails to start.

Tuning Local Host Cache Synchronization

You can adjust the interval by which member servers query the farm's data store for missed changes. The default interval is 30 minutes. In most cases, this default setting is sufficient.
 
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
You can configure the interval by creating the following registry key on each server you want to adjust, with the value expressed in hexadecimal notation:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\DCNChangePollingInterval (DWORD)
Value: 0x1B7740 (default 1,800,000 milliseconds)

You must restart the IMA Service for this setting to take effect.

Most changes made through the Citrix AppCenter are written to the data store. When you open one of these tools, it connects to a specified server. The Citrix Independent Management Architecture (IMA) Service running on this server performs all read and write operations to the data store for the AppCenter.
If the data store is experiencing high CPU usage when few read or write operations to the data store are occurring, it is possible that the data store is not powerful enough to manage a query interval of 30 minutes. To determine whether or not the data store query interval is causing the high CPU usage on the data store, you can set the query interval to a very large number and test CPU usage. If the CPU usage returns to normal after you set a large query interval, the data store query interval is probably the cause of the high CPU usage. You can adjust the query interval based on performance testing.

To test the query interval, set the interval to 60 minutes and then restart all the servers in the farm. If the data store is still experiencing constant high CPU usage, increase the query interval further. If the CPU usage returns to normal, you can try a smaller value. Continue these adjustments until data store CPU usage is normal.
 
Important: Do not set the data store query interval higher than necessary. This interval serves as an important safeguard against lost updates. Setting the interval higher than necessary can cause delays in updating the local host cache of the farm’s member servers.
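
The interval change described above, as an added PowerShell example that is not part of the original page. The function name is hypothetical, the registry path is the 64-bit one given on the page, and the service name IMAService is an assumption to confirm with Get-Service before using the restart switch.

```powershell
# Added example, not from the original page. Run elevated on each server you tune.
function Set-LhcPollingInterval {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 1440)]
        [int]$Minutes,          # e.g. 60 for the test the text suggests
        [switch]$RestartIma     # restart IMA so the new value takes effect
    )

    $key  = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\IMA'   # key from the page (64-bit server)
    $name = 'DCNChangePollingInterval'
    if (-not (Test-Path $key)) { throw "$key not found on this machine" }

    # The value is stored in milliseconds: 30 minutes = 1,800,000 = 0x1B7740.
    $ms = $Minutes * 60 * 1000

    # Current setting; when the value is absent the 30-minute default applies.
    $old  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $prev = if ($null -eq $old) { '(not set, default applies)' } else { '0x{0:X}' -f $old }

    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $ms -Force |
        Out-Null

    # Read back what was stored before touching the service.
    $new = (Get-ItemProperty -Path $key -Name $name).$name
    if ($new -ne $ms) { throw "Read-back mismatch: wrote $ms, found $new" }

    if ($RestartIma) {
        # Assumption: 'IMAService' is the IMA service name on this server.
        Restart-Service -Name 'IMAService' -Force
    }

    # Report the change in the hexadecimal form used on the page.
    New-Object PSObject -Property @{
        Server   = $env:COMPUTERNAME
        Previous = $prev
        Current  = '0x{0:X}' -f $new
        Minutes  = $Minutes
    }
}

# Usage (commented out so pasting the block changes nothing):
# Set-LhcPollingInterval -Minutes 60 -RestartIma
```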

Sunday, 4 March 2012

Script to find all the disconnected sessions in citrix servers

I know the effort involved in logging into all the Citrix servers to look for disconnected sessions and logging them off every day. So I have designed a batch script which would run the qfarm command on all the servers mentioned in the text file and output the result to a text file. Here goes my script:

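@echo off
title Developed by Chaitanyakumar G
rem Desktop\Servers holds the results; Desktop\Apps holds this script, psexec.exe and hostnames.txt
set "OUT=%userprofile%\Desktop\Servers"
set "APPS=%userprofile%\Desktop\Apps"
rem Clear old results by explicit path, so nothing else is deleted if the folder is missing
if exist "%OUT%\*" del /q "%OUT%\*"
cd /d "%APPS%" || exit /b 1
rem Domain\username and UR_PWD are placeholders; -p keeps the password in clear text in this file.
rem If -p is omitted, PsExec prompts for the password instead.
for /f %%i in (hostnames.txt) do psexec.exe \\%%i -u Domain\username -p UR_PWD cmd /c "qfarm %%i /disc" >> "%OUT%\%%i_Applications.txt"
pause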

On your desktop, create a folder called Servers, where the text file for each server will be created. Create another folder called Apps, where you need to have psexec.exe (you can download it from here). In the Apps folder, create a text file hostnames.txt and list all your Citrix servers in it, no matter which farm they belong to; the script takes the hostnames from this file. Now copy the above script into the Apps folder and double-click it. Once the script has run, the Servers folder contains one file per server. Switch the folder view to Details to see the size of the text files. If the size of a text file is zero, there are no disconnected sessions on that server. If the size is more than zero, there are disconnected sessions: log in to that server and clear them. The text file also shows the application name, so you can open that particular application directly and disconnect the sessions. This script is useful if you have a lot of Citrix applications and servers.

If you still want to reduce the administrator effort, execute the script and, once you have the text files in the Servers folder, download tslogoff.exe (download it from here). Go through the Readme.txt file for the usage and log off the disconnected sessions by connecting to the server using psexec.exe.

Saturday, 11 February 2012

Memory/CPU Optimization in Citrix

Citrix Presentation Server 4.0 introduced two resource optimization features that help increase scalability by as much as 25% and ensure a smoother user experience. These two features, memory optimization and CPU optimization, are distinct and function in unique ways. Memory and CPU optimization are not enabled by default.

Memory Optimization

When an application starts, the operating system maps application DLLs to the base memory address space. The default base memory address of applications is 0x10000000. Memory optimization works by redirecting the base memory address of applications to an alternate location. When multiple applications start and try to write to this base memory address and find it already in use, they must be relocated elsewhere. In doing so, the module code must be modified, which produces a performance hit on application initialization time. With memory optimization invoked, the base memory addresses of installed applications are rebased at a predefined interval. This means that the base memory address is altered, and as such, the applications are relocated to another address automatically during initialization. The end result is that applications load faster because the intermediate redirection is no longer needed.


During the predefined memory rebasing interval, a safe memory base address is calculated and designated. Thus, the 0x10000000 address is altered. The memory rebasing interval is set within the server farm properties, and should be scheduled during times of minimal use. Options are: startup, daily, weekly, or monthly. By default, the files listed in the HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SFO\ProcessExclusionList registry key are excluded from rebasing. Additional applications can be excluded from memory rebasing by being added to the exclusion list within farm properties memory optimization. Once added in the GUI, they will also be added to this registry key. The repair.sfo file includes the files that have been rebased, and the timestamp of the rebased DLLs will be modified to reflect the approximate time of the rebasing interval.

Some applications cannot be rebased. These include applications with digitally signed components, DLLs protected by Windows Rights Management, and any executable that programmatically checks the DLL after it has been loaded. However, even if an application is not included on the exclusion list, it simply means that rebasing will be attempted but will not be successful. Since rebasing should be scheduled during a time of minimal server use, the resource impact of the attempted rebasing should not be noticeable.

Memory optimization is based on the Citrix Virtual Memory Optimization service. This Windows service scans loaded DLLs every 10 seconds to determine which DLLs have been relocated. By default, this service runs under the context of the local system account but can be modified within farm properties.

The graphic shown below shows that without memory optimization invoked, all applications attempt to write to the same base memory address space, whereas with memory optimization invoked, each application cleanly gets directed to a unique address space.

Without Memory Optimization Configured

 

 With Memory Optimization Configured

 

CPU Optimization
CPU optimization is based on Presentation Server reserving approximately 20% of the CPUs for automatic optimization. As a result, no single session controls the majority of CPU processing. However, CPU power can be borrowed from idle or inactive sessions, and is re-allocated to them when they become active again.

CPU optimization is based on two Windows services:

• Citrix CPU Utilization Mgmt/Resource Mgmt: Monitors users and processes, calculates load, and sets CPU priority.
• Citrix CPU Utilization Mgmt/User-Session Sync: Ensures that user processes are associated with the user to determine load.

Impact to Architectural Designs

Invoking memory and CPU optimization is typically beneficial and should not have any noticeable negative impact. Memory optimization should be scheduled during a time of low or no usage. If an administrator is uncertain as to whether specific applications cannot take advantage of this feature, they should not be added to the exclusion list. Only those applications which have known issues based on the criteria described above should be placed on the exclusion list. Because CPU optimization uses approximately 20% of the CPU processing power, older servers with limited CPU resources may not have sufficient CPU to support this feature.

Considerations

As part of the application testing process, memory and CPU optimization should be tested to ensure that there is no adverse impact to the environment.

The impact of memory and CPU optimization can be viewed in standard Access Suite Console reports. In addition, CPU utilization can be viewed within the new Citrix CPU Utilization Mgmt User object, which can be accessed via Resource Manager or Performance Monitor. This object includes the following counters: CPU entitlement, CPU reservations, CPU shares, CPU usage, and long-term CPU usage.

Friday, 10 February 2012

Making Virtual IP Addresses Available to Applications in Citrix

Some applications, such as CRM and CTI, use an IP address for addressing, licensing, identification, or other purposes and thus require a unique IP address or a loopback address in sessions. Other applications may bind to a static port, which, because the port is already in use, causes the failure of multiple attempts to launch an application in a multiuser environment. For such applications to function correctly in a XenApp environment, a unique IP address is required for each device.

Use the virtual IP address feature to assign a static range of IP addresses to a server and have these addresses individually allocated to each session so that configured applications running within that session appear to have a unique address.

Processes require virtual IP if either:
  • They use a hard-coded TCP port number, or
  • They do both of the following:
    • Use Windows sockets, and
    • Require a unique IP address or require a specified TCP port number
Also, this feature lets you configure applications that depend on communication with localhost (127.0.0.1 by default) to use a unique virtual loopback address in the localhost range (127.*).
Processes require virtual loopback if either:
  • They use the Windows socket loopback (localhost) address (127.0.0.1), or
  • They use a hard-coded TCP port number
If the application requires an IP address for identification purposes only, configure your server to use the client IP address.

How Virtual IP Addressing Works

The virtual IP Address feature works as follows:
  • During IMA startup, the virtual IP address assigner binds the assigned IP addresses to the NIC that matches the same subnet as the virtual addresses.
  • When the virtual IP feature is enabled on a specific server, the virtual IP address allocator allocates all new sessions connecting to the server an address from the pool of available addresses that were assigned by the virtual IP address assigner.
  • Each new session is allocated an address that is removed from the pool of available addresses. When the session logs off, the allocated address is returned to the available address pool.
  • After an address is allocated to a session, it uses the allocated virtual address rather than the primary IP address for the system whenever the following calls are made:
    bind, closesocket, connect, WSAConnect, WSAAccept, getpeername,
    getsockname, sendto, WSASendTo, WSASocketW, gethostbyname,
    gethostbyaddr, getnameinfo, getaddrinfo
Note: All processes that require this feature must be added to the Virtual IP Process list. Child processes do not inherit this functionality automatically. Processes can be configured with full paths or just the executable name. For security reasons, Citrix recommends that you use full paths.
 
To make virtual IP addresses available to applications running in sessions

Use virtual IP addresses to provide published applications with unique IP addresses for use in sessions. This is especially important for Computer Telephony Integration (CTI) applications that are widely used in call centers.
Users of these applications can access them on a XenApp server in the same fashion that they access any other published application.

To assign virtual IP address ranges, you must have a reserved range of static IP addresses to assign to the server. Work with your network administrator to obtain a list of free addresses that are not part of your DHCP pool. Ensure that you do not include broadcast addresses.
Before assigning virtual IP address ranges, determine the maximum number of users you may have connecting concurrently to the server. Because every session connecting to the server is assigned an IP address (not just sessions launching the application that require virtual IP addresses), assign at least as many static IP addresses to the server as the maximum number of users who may be connecting concurrently to that server.
 
Note: In the event more sessions are launched on a server than IP addresses are available, the server displays the error message: “No virtual IP address is available for this session, please contact your administrator.” The inability of the server to assign a virtual IP address to a session does not prevent the user from launching an application that requires a virtual IP address within the session; however, the application may not function correctly.
  • At the farm level, configure virtual IP address ranges and assign them to servers.
  • Enable applications to use virtual IP addresses.
In addition to configuring virtual IP address ranges and enabling applications for use with virtual IP addresses, this feature can control and monitor virtual IP addresses available from each server.
 
To determine whether an application needs to use virtual IP addresses

Some applications cannot run in multiple sessions on XenApp. For example, if the application binds to a fixed TCP port on a specific IP address such as 0.0.0.0 or 127.0.0.1, this prevents multiple instances of the application from running in multiple sessions because the port is already in use. The virtual IP feature of XenApp can help solve this problem.
To determine whether or not the application needs to use virtual IP addresses:
  1. Obtain the TCPView tool from Microsoft. This tool lists all applications that bind specific IP addresses and ports.
  2. Disable the Resolve IP Addresses feature so that you see the addresses instead of host names.
  3. Launch the application and, using TCPView, note which IP addresses and ports are opened by the application and which process names are opening these ports.
To use the virtual IP address feature, configure any processes that open the IP address of the server, 0.0.0.0, or 127.0.0.1. To ensure that an application does not open the same IP address on a different port, launch an additional instance of the application.
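The port conflict described above, and how a per-session loopback address removes it, as an added example (not Citrix code and not from the original post). `LoopbackPool`, the session names and the 127.0.0.2 to 127.0.0.3 range are constructed for illustration; the demo passes the allocated address to `bind` explicitly, standing in for the socket-call interception that XenApp performs, and assumes the operating system accepts binds anywhere in 127.* (Linux and Windows do).

```python
import errno
import socket


class LoopbackPool:
    """Toy model of the per-session address pool (hypothetical, not Citrix code)."""

    def __init__(self, addresses):
        self.free = list(addresses)
        self.in_use = {}

    def allocate(self, session_id):
        if not self.free:
            # Error text quoted from the page.
            raise RuntimeError("No virtual IP address is available for this session")
        self.in_use[session_id] = self.free.pop(0)
        return self.in_use[session_id]

    def release(self, session_id):
        # Logoff returns the session's address to the pool.
        self.free.append(self.in_use.pop(session_id))


def listen_on(address, port):
    """Try to listen on address:port; return (socket, None) or (None, error name)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
        sock.listen(1)
        return sock, None
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def pick_port():
    """Stand-in for the application's hard-coded port: any port free right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def run_demo():
    port = pick_port()
    results = {}

    # Two sessions without virtual loopback: both instances want 127.0.0.1:port.
    first, results["shared_first"] = listen_on("127.0.0.1", port)
    second, results["shared_second"] = listen_on("127.0.0.1", port)
    for sock in (first, second):
        if sock:
            sock.close()

    # The same two sessions, each given its own address from the 127.* range.
    pool = LoopbackPool(["127.0.0.2", "127.0.0.3"])  # constructed range
    open_socks = []
    for session in ("session-1", "session-2"):
        address = pool.allocate(session)
        sock, error = listen_on(address, port)
        results[session] = (address, error)
        if sock:
            open_socks.append(sock)
    for sock in open_socks:
        sock.close()

    # A third session finds the pool exhausted until another session logs off.
    try:
        pool.allocate("session-3")
    except RuntimeError as exc:
        results["session-3"] = str(exc)
    pool.release("session-1")
    results["after_logoff"] = pool.allocate("session-3")
    return results
```

The second bind on the shared address fails with an address-in-use error, which is the symptom TCPView helps you trace back to a specific process and port.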

Thursday, 9 February 2012

Citrix Access Gateway

Citrix Access Gateway is a secure application access solution that provides administrators granular application-level policy and action controls to secure access to applications and data while allowing users to work from anywhere. It gives IT administrators a single point of control and tools to help ensure compliance with regulations and the highest levels of information security across and outside the enterprise. At the same time, it empowers users with a single point of access—optimized for roles, devices, and networks—to the enterprise applications and data they need. This unique combination of capabilities helps maximize the productivity of today's mobile workforce.

How Access Gateway works

Citrix Access Gateway is a secure access solution that provides administrators with application control while empowering users with access from anywhere. With flexible deployment options and a single point of management, IT administrators set policies—based on roles, devices, and networks—to control access and user actions, ensuring better security and compliance management.

Identify device, user, and location

When users attempt to connect to corporate resources, Access Gateway collects and verifies information including client device configuration, user identity, and network location to ensure compliance with security policies and to optimize the user experience.

Establish a secure, accelerated connection

Access Gateway establishes an encrypted connection between the client and datacenter to ensure desktops, applications, e-mail, and other resources are securely accessed from anywhere. Access Gateway also works with Citrix Branch Repeater to accelerate each connection and deliver a high-performance experience.

Adapt access and application actions

Once a session is established, information collected about the connecting device, user, and location dynamically adapts the level of access and available actions. This ensures that the data needed is delivered to users in the most secure manner according to their particular access scenarios.

Monitor sessions in real time and reconnect as users roam

Access Gateway monitors active connections in real time to detect when a user roams between networks or moves between devices. When this occurs, Access Gateway transparently reconnects the session and dynamically adapts access and available actions to ensure security as the user's access scenario changes.

Wednesday, 8 February 2012

XenApp Content Redirection

I see a lot of people struggling with content redirection. The issues that people normally have are understanding what it is, how it works, and its limitations. Hopefully this blog post will clear it up.

What it is

Content redirection is a XenApp technology which, as the name implies, allows content to be passed from either the client to the server, or from the server to the client.
In real terms – for client to server – this is the ability to double-click a document on the client and have this open using a XenApp hosted application; for server to client it is the ability to click on a URL within a XenApp session and have it open using the local browser on the client.
Out of the box this is content redirection. Nothing more is supported. You cannot:
    • Use any proxies on the client. By this I mean things like right clicking on a file, selecting Send To and have it open a hosted version of Outlook and attach the file to a new message. This will not work.
    • Redirect anything from Server to Client except URLs, e.g. double-clicking a .xls file in your XenApp session and having it open in Excel on the local client.
How it works
Client to Server

Provided you have everything configured correctly, when you authenticate to the Online Plug-in it will pull down the File Type Associations you have configured for a published application and write these into the client registry. Now any file that is associated with the XenApp hosted app will launch a connection to a XenApp server when double clicked. Once the application is launched on the XenApp server the file will be opened in the published application.

The Online Plug-in updates the HKEY_CLASSES_ROOT portion of the registry. If you look at one of your application file extensions before being logged into the Online Plug-in, you will see that it points to the local version of the application.



And once logged into the Online Plug-in it now points to the XenApp version of the Application.



If you’re wondering what VisioViewer.Viewer and ctx.VISIO.DRAWING.11 refer to: scroll further down in HKEY_CLASSES_ROOT and you will find registry keys with the same names. Drill down into Shell–> Open–> Command and you will find the path to the executable that is to be launched. In the case of content redirection it looks something like this:

"C:\Program Files\Citrix\ICA Client\pnagent.exe" /qlaunch "CXAPRD6:Visio 2010 Professional" /param:"\\client/%251"

This is the path to the Online Plug-in, followed by the XenApp farm name (as configured on your Web Interface servers, not the actual farm name), the application name, and a parameter of \\client\%1. When the application is launched, %1 is replaced with the path to the file that was double-clicked.
You must have the following components for Client to Server Content Redirection to work:
    • Citrix Online Plug-in
    • Citrix Web Interface
    • Client Drive Mapping Enabled
    • Content Redirection Policies Enabled
You must have Client Drive Mapping enabled so that XenApp can make the call back to the client to open the file. If the file is located on a network share you must also have these mapped into the session as client drives. You do not need to make them visible though, as long as they are available through the client network in the background it will work.
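A small parser for the Shell–> Open–> Command value shown above, as an added example (not code from the original post or from Citrix). It splits the command into its parts and reports which file types have been redirected to a hosted application; the file extensions, the ctx.EXAMPLE.1 ProgID and the viewer.exe and D:\Tools paths are constructed sample data, and the expected install directories are the two this page names.

```python
import ntpath
import re
from urllib.parse import unquote

# ICA Client install directories named on this page; anything else is reported.
EXPECTED_DIRS = {
    r"c:\program files\citrix\ica client",
    r"c:\program files (x86)\citrix\ica client",
}

QLAUNCH = re.compile(
    r'^"(?P<exe>[^"]+)"\s+/qlaunch\s+"(?P<farm>[^":]+):(?P<app>[^"]+)"'
    r'(?:\s+/param:"(?P<param>[^"]*)")?\s*$',
    re.IGNORECASE,
)


def parse_qlaunch(command):
    """Split an open command into its content-redirection parts.

    Returns None when the command is not a pnagent.exe /qlaunch invocation,
    i.e. the file type still opens with a locally installed program.
    """
    match = QLAUNCH.match(command.strip())
    if not match or ntpath.basename(match["exe"]).lower() != "pnagent.exe":
        return None
    return {
        "exe": match["exe"],
        "farm": match["farm"],
        "app": match["app"],
        # The value is percent-encoded: %25 is a literal '%', so "%251"
        # is the usual %1 placeholder for the double-clicked file.
        "param": unquote(match["param"] or ""),
        "expected_path": ntpath.dirname(match["exe"]).lower() in EXPECTED_DIRS,
    }


def audit_associations(extensions, progids):
    """Map each extension to 'local', 'hosted: farm / app' or 'review: ...'."""
    report = {}
    for ext, progid in sorted(extensions.items()):
        parsed = parse_qlaunch(progids.get(progid, ""))
        if parsed is None:
            report[ext] = "local"
        elif parsed["expected_path"]:
            report[ext] = "hosted: {farm} / {app}".format(**parsed)
        else:
            report[ext] = "review: pnagent.exe at " + parsed["exe"]
    return report


# Constructed sample of HKEY_CLASSES_ROOT data, modelled on the values above.
SAMPLE_EXTENSIONS = {
    ".vsd": "ctx.VISIO.DRAWING.11",
    ".vdx": "VisioViewer.Viewer",
    ".vss": "ctx.EXAMPLE.1",
}
SAMPLE_PROGIDS = {
    "ctx.VISIO.DRAWING.11": r'"C:\Program Files\Citrix\ICA Client\pnagent.exe" '
                            r'/qlaunch "CXAPRD6:Visio 2010 Professional" /param:"\\client/%251"',
    "VisioViewer.Viewer": r'"C:\Program Files\Example\viewer.exe" "%1"',
    "ctx.EXAMPLE.1": r'"D:\Tools\pnagent.exe" '
                     r'/qlaunch "CXAPRD6:Visio 2010 Professional" /param:"\\client/%251"',
}

if __name__ == "__main__":
    for ext, status in audit_associations(SAMPLE_EXTENSIONS, SAMPLE_PROGIDS).items():
        print(ext, status)
```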

Server to Client

Again, provided everything is configured correctly, when you click on certain URLs in a XenApp hosted Desktop or Application, the click is intercepted and passed back to the client. The default browser will be launched, if not running, and the URL will be opened in the browser on the client. If the client cannot open the URL, e.g. if it has no route to the internet, it will pass it back to the server for it to be launched there.
The way that XenApp intercepts the URL is by overwriting the shell open command for the URL type, redirecting the call to its own version of Internet Explorer. The registry keys that do this are located under HKEY_CLASSES_ROOT and the IE executable they point to is C:\Program Files (x86)\Citrix\system32\iexplore.exe

Looking at rtsp (which is one of the URL types that can be redirected) we can see what I have described above.



 You must have the following components for Server to Client Content Redirection to work:
    • Citrix Online Plug-in
    • XenApp Content Redirection Policy enabled
It will also only work with these URL types:
    • HTTP (Hypertext Transfer Protocol)
    • HTTPS (Secure Hypertext Transfer Protocol)
    • RTSP (Real Player and QuickTime)
    • RTSPU (Real Player and QuickTime)
    • PNM (Legacy Real Player)
    • MMS (Microsoft Media Format)

Configuration

Client to Server

Client to Server content redirection is configured by associating the file types with a Published Application. To do this, open the properties of the Published Application, and click on Content Redirection.



If you are not seeing all the file types for your application, this is because they may not yet be in the datastore. To pull the information from a server’s registry, right-click the server in the console and select Other Tasks–> Update file types from registry. To pull FTA from all your servers, right-click on the root of the farm and select Other Tasks–> Update file types. Bear in mind this is going to pull from all the servers in the farm, so if you have a large farm it may take a while.

Remember you must also configure Client Drive Mapping for Client to Server content redirection to work.

Server to Client

Server to Client Redirection is configured using XenApp Policies. The setting is located under User Configuration–> Policies–> Citrix Policies–> Policy Name–> ICA–> File Redirection–> Host to client redirection.

The following keys can be used to control Server to Client content redirection. These are taken from CTX113457, which does not specify XenApp 6 or 6.5 in the “Applies to” section but I have tested on both.

To configure file types that can be redirected, complete the following procedure:
Add the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\SFTA\DisableServerFTA registry key with the following values:
Name: DisableServerFTA
Type: REG_DWORD
Value: 1
Add the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\SFTA\NoRedirectClasses registry key with the following values:
Name: NoRedirectClasses
Type: REG_MULTI_SZ
Value: <Specify any combination of file type names that you would like to exclude from redirection.>
Note: These values are comma-delimited with no space in between the values.
To configure server to file redirection for specific URLs:
Add the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\SFTA\ValidSites registry key with the following values:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SFTA
Name: ValidSites
Type: MULTI STRING
Value: www.example.com
Note: Specify the required URLs in the Value field. The asterisk (*) is supported as a wildcard character.

Friday, 20 January 2012

How to change the STA ID when cloning PSE Server in Citrix

Cloning Presentation Server 4.0 will not change the STA ID that is integrated in the XML service! To change the STA ID edit CtxSta.conf file in %ProgramFiles%\Citrix\system32 and change the STA ID with a value you like.
[GlobalConfig]
UID=STABB4BD26E58F5 <= change this (sample) value
After changing the STA ID, restart the Citrix XML service to pick up the new ID.

How to disable right mouse click
This is a very old feature from Project Columbia but was never included in any Web Interface version. The following change is the simplest way to do it. It only suppresses the context menu in the browser and is not a security control.

Edit the layout.ascx file in /Citrix/MetaFrame/auth/include and /Citrix/MetaFrame/include
Search for the <body> html tag and add oncontextmenu="return false"
Like  <body oncontextmenu="return false"...