XenApp 6.5 / XenDesktop 5.6 Best Practice Policies

One of the most common mistakes that Citrix Engineers make in a XenApp/XenDesktop deployment is not taking the time to fully understand Citrix Policies.  There are several articles such as the XenApp and Desktop Policy Planning Guide and the XenDesktop and XenApp Best Practices Reference Guide I suggest reading.

I have been in environments running pretty large farms where policies are not applied at all.  It is very important to take the time to go over these, as you can provide better session control and most importantly a better end user experience, especially when working with high latency connections for remote offices.

The policies below are from a collection of the docs mentioned above, as well as my own experience.

XenApp Baseline User Policy:

Apply this policy as your baseline to all users connecting to your XenApp farm.

ICA\Adobe Flash Delivery\Flash Redirection
Flash acceleration – Enabled
Flash default behavior – Enable Flash Redirection
Flash event logging – Enabled
Flash intelligent fallback – Enabled
Flash latency threshold – 30 milliseconds

Audio Plug N Play – Allow
Audio quality – Medium
Client audio redirection –  Allow
Client microphone redirection –  Prohibit

ICA\Desktop UI
Desktop wallpaper – Allowed
Menu animation – Allowed
View window contents while dragging – prohibited

ICA\File Redirection
Client floppy drives – Prohibit
Client optical drives – Prohibit
Host to client redirection – Disable
Read-only client drive access – Disable
Use asynchronous writes – Enabled

ICA\Port Redirection
Auto connect client COM ports – Disable
Auto connect client LPT ports – Disable
Client COM port redirection – Disable
Client LPT port redirection – Disable

Client printer redirection – Allow
Default printer – Set to client’s main printer
Printer auto creation log preference – Errors
Wait for printers to be created (desktop) – Disabled

ICA\Printing\Client Printers
Auto-create client printers – Default printer only
Auto-generate generic universal driver – Disabled
Client printer names – Standard names
Direct connections to print servers – enabled
Retained and restored client printers – Allowed

Automatic installation of in-box printer drivers – Disabled
Universal driver usage – Use Universal Printing only if requested driver is unavailable

ICA\Printing\Universal Printing
Universal printing EMF processing mode – Spool to printer
Universal printing image compression limit – Best Quality
Universal printing optimization defaults – Standard Quality
Caching of embedded images
Caching of embedded fonts
Universal printing preview preference – Use for auto-generated and generic

ICA\Session Limits
Linger Disconnect Timer Interval – 5 Minutes
Linger Terminate Timer Interval – 10 Minutes
Pre-Launch Disconnect Timer Interval – 15 Minutes
Pre-Launch Terminate Timer Interval – 30 Minutes

Log shadow attempts – Allow
Notify user of pending shadow connections – Allow
Users who can shadow other users – Defined by security

ICA\Time Zone Control
Estimate local time for legacy clients – Enable
Use local time of client –  Use Client time zone

ICA\TWAIN devices
Client TWAIN device redirection – Enabled
TWAIN compression level – low

ICA\Visual Display\Moving Images
Moving Image Compression – Enabled

Server Session Settings
Session importance – Normal
Single Sign-on – Disabled

XenApp Baseline Computer Policy Setting.

Apply this policy as your baseline to all Servers in your XenApp farm.

ICA listener connection timeout – 120000 ms
ICA listener port number – 1494

ICA\Auto Client Reconnect
Auto client reconnect – Allow
Auto client reconnect authentication – Not required
Auto client reconnect logging – Disabled

ICA\End User Monitoring
ICA round trip calculation – Enable
ICA round trip calculations for idle connections – Disable

Display memory limit – 32768 KB
Display mode degrade preference – Degrade Color Depth First
Dynamic Windows preview – Enabled
Image caching – Enabled
Maximum allowed color depth – 32 bit
Notify user when display mode is degraded – Disabled
Queuing and tossing – Enabled

ICA\Graphics Caching
Persistent Cache Threshold – 3000000 Kbps

ICA\Keep Alive
ICA keep alive timeout – 60 seconds
ICA keep alives – Enabled

Windows Media Redirection – Allowed

ICA\Session Reliability
Session reliability connections – Prohibited

ICA Shadowing
Shadowing – Allow

License server host name – License Server name
License server port – 27000

Server Settings
DNS address resolution – Enabled
Full icon caching – enabled

Server Settings\Health Monitoring and Recovery
Health Monitoring – Enabled
Health Monitoring tests – Use Defaults (please configure as you see fit.)

Server Settings\Memory/CPU
CPU Management server level – preferential load balancing
Memory optimization – Enabled
Memory optimization interval – enabled

Server Settings\Reboot Behaviour
Reboot logon disable time – Choose a value to suit your clients
Reboot Schedule frequency – Choose a value to suit your clients
Reboot Schedule start date – Choose first day of the reboot
Reboot Schedule time – Choose time to restart server
Reboot warning interval – Choose interval which the users are notified about pending restart
Reboot warning users – enabled
Scheduled Reboots – enabled

XML Service
Trust XML requests – enabled
XML server port – 8080

XenApp WAN/External User Policy.

Apply this policy for users working from branch offices or remote locations with low bandwidth and/or high latency connections.

ICA\Adobe Flash Delivery\Flash Redirection
Flash acceleration – Enabled

Audio quality –  Medium

ICA\Client Sensors\Location
Allow applications to use the physical locations of the client device – allowed (Tablet Devices)

ICA\Desktop UI
Desktop wallpaper – prohibited
Menu animation – prohibited
View window contents while dragging – prohibited

ICA\File Redirection 
Use asynchronous writes – Enabled

ICA\Mobile Experience
Automatic Keyboard Display – Enabled (Tablet Devices)
Launch touch-optimized desktop – Enabled (Tablet Devices)
Remote the combo box – Enabled (Tablet Devices)

ICA\Printing
Wait for printers to be created (desktop) – Disabled

ICA\Printing\Universal Printing 
Universal printing optimization defaults – Standard Quality
Caching of embedded images
Caching of embedded fonts

ICA\TWAIN devices
Client TWAIN device redirection – Disabled

ICA\Visual Display 
Max Frames per Second – 15 FPS

ICA\Visual Display\Still Images
Extra Color Compression – Enabled
Extra Color Compression Threshold – 8192 kbps
Lossy compression level – High
Lossy compression level threshold value – Unlimited

About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4. MCSE – Microsoft Certified Systems Engineer.

16 Responses to XenApp 6.5 / XenDesktop 5.6 Best Practice Policies

  1. Citrix Guru says:

    Daniel this is awesome… thank you for posting this. I worked with so many Citrix consultants and they are never able to give me a good answer. This can be used as a default and grow from there. Your blog is awesome!

  2. hbggbh says:

    Hey Daniel,
    Is this setting not recommended any longer?
    ICA\Session Reliability
    Session reliability connections – Prohibited

    • CyberRuiz says:

      I normally disable Session Reliability when connected directly to the LAN. Meaning for local users. Remote users over the WAN I leave it enabled. You can control this via an AD group where the policy is applied.


      • Hey Daniel,
        Can you provide any details of the impact of having Session Reliability turned on? We have about 2500 remote XenApp users in our environment and don’t have it turned on at the moment. They all connect via the web interface. I’d love to enable that functionality but I’m concerned it will cause unforeseen issues with that many users. Any thoughts are greatly appreciated.

      • CyberRuiz says:

        Very sorry for the late response… been really busy with work.
        When session reliability is enabled, the ICA Client tunnels its ICA traffic inside the Gateway Protocol and sends the traffic to port 2598 first.
        The XTE service on your XA hosts acts as a relay, removing the Common Gateway Protocol layer and then forwarding traffic to the ICA listener on port 1494:

        So in short your XTE service becomes really crucial, since it becomes the middle man between the user and the published app. This is normally enabled for high latency/long distance connections.

        Hope this helps
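
The relay described in the reply above (port 2598 into XTE, then on to the ICA listener on 1494) can be checked on a XenApp host with the following added example, which is not part of the original post or comments. The service display-name pattern `*XTE*` is an assumption; adjust it to the name shown in services.msc.

```powershell
# Added example: report whether the two listeners named in the thread are
# present on this host, and whether the relay service is running.
# Run locally on the XenApp server. Works on PowerShell 2.0.

# Ports come from the page; the Role text is only a label for the report.
$expected = @(
    @{ Port = 2598; Role = 'Session reliability (CGP), relayed by XTE' },
    @{ Port = 1494; Role = 'ICA listener' }
)

# Locale-independent list of local TCP listeners (no netstat parsing).
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$listening = $ipProps.GetActiveTcpListeners() |
    ForEach-Object { $_.Port } | Sort-Object -Unique

foreach ($item in $expected) {
    $state = if ($listening -contains $item.Port) { 'LISTENING' } else { 'not listening' }
    '{0,-6}{1,-15}{2}' -f $item.Port, $state, $item.Role
}

# Assumption: the relay service's display name contains "XTE".
$xte = Get-Service | Where-Object { $_.DisplayName -like '*XTE*' }
if ($xte) {
    $xte | ForEach-Object { 'Service "{0}": {1}' -f $_.DisplayName, $_.Status }
} else {
    'No service with "XTE" in its display name was found on this host.'
}

# With session reliability in use, 2598 must be listening and the relay
# service running; a stopped service with remote users on 2598 means their
# sessions cannot reach the ICA listener.
if (($listening -contains 2598) -and $xte -and
    -not ($xte | Where-Object { $_.Status -eq 'Running' })) {
    Write-Warning 'Port 2598 is bound but the XTE service is not running.'
}
```

Compare the output with the policy applied to the server: the baseline above prohibits session reliability for LAN users, while the reply leaves it enabled for WAN users.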

  3. Rob F says:

    Hi Daniel,
    Really appreciate you posting this. Could you clarify one line for me:
    Auto client reconnect authentication Not required Require

    Which option are you recommending?

    Rob F

    • CyberRuiz says:

      Rob F. Thanks for your comment. I made a mistake on the post and made it confusing 😦

      The proper config is below. For XenApp 6.5, the option for “Auto client reconnect authentication” is no longer there.

      Computer policy: ICA\Auto Client Reconnect:

      Auto client reconnect – Allow
      Auto client reconnect authentication – Not required
      Auto client reconnect logging – Disabled

      Hope this helps!

  4. Arman says:

    Hi Daniel,

    Thank you for the best practices guide. I was wondering if you could assist or point me in the right direction on a weird issue with Citrix VDI. When a user is listening to say a webcast the audio just stops working but the presentation continues to play. If the user clicks on an area the audio resumes. Any suggestions on what could be causing this?


    • CyberRuiz says:

      Can you tell me what type of video/audio content you are having issues with. If it is flash, there are many things you can do… For Windows and Linux systems you can use flash redirection via the ICA client and user policy settings which can be filtered via a group, user, etc.

      This setting will allow you to offload the flash content back to the source PC. I’ve done demos where I display 1080P flash content from XenApp 6.5 and XenDesktop 5.6.

      To enable support on systems running IE 8, a registry edit is required. For 32-bit OSs, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\HdxMediaStreamForFlash\Server\PseudoServer and add the entry named IEBrowserMaximumMajorVersion with a DWORD value of 00000009.

      For 64-bit OSs, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer and add the entry named IEBrowserMaximumMajorVersion with a DWORD value of 00000009.

      The user policies are located under ICA\Adobe Flash Delivery\Flash Redirection
      Please note some security folks may question that whole HDX Flash redirection debacle.

      Hope this helps a bit…
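
The registry edit from the reply above, as an added PowerShell example that is not part of the original post or comments. It uses only the key paths, value name and DWORD value given in the reply; choosing the path from `Win32_OperatingSystem.OSArchitecture` is this example's own approach. Run it from an elevated prompt.

```powershell
# Added example: set IEBrowserMaximumMajorVersion for HDX Flash redirection,
# recording the previous value so the change can be reviewed or rolled back.
# Works on PowerShell 2.0.

$subKey = 'Citrix\HdxMediaStreamForFlash\Server\PseudoServer'
$name   = 'IEBrowserMaximumMajorVersion'
$data   = 9    # DWORD 00000009, as given in the reply

# The reply gives one path for 32-bit and one (Wow6432Node) for 64-bit OSs.
$arch = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture
if ($arch -like '64*') {
    $keyPath = "HKLM:\SOFTWARE\Wow6432Node\$subKey"
} else {
    $keyPath = "HKLM:\SOFTWARE\$subKey"
}

# Create the key if it is not there yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Read the current value (if any) before changing it.
$before = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) { $before = '(not set)' }

# -Force overwrites an existing value, so the script can be re-run safely.
New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value $data -Force |
    Out-Null

# Read back and report what was changed.
$after = (Get-ItemProperty -Path $keyPath -Name $name).$name
'{0}\{1}: {2} -> {3}' -f $keyPath, $name, $before, $after
```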


  5. Arman says:


    Thank you for the prompt reply. The audio content are both Flash and Windows Media based, as per my conversation with the users the more problematic content is Windows Media based. Also our users are connecting via WYSE thin clients.

    Any other thoughts? I know Feature Pack 1 resolves some audio issues but nothing to specifically address this. (http://support.citrix.com/article/CTX133872)


    • CyberRuiz says:

      What is the OS that the Wyse Terminals run? As I mentioned before the HDX offloading is only supported on Windows and Linux.

      And YES there is a known issue with audio playback on XD 5.6 which FP1 fixes due to a dll lock.

      In addition, take a look at the latest XenDesktop 5.6 Hotfix Update 3 which was released yesterday and test it on a Test environment.


  6. Miguel Romero says:

    Hello Daniel. I am trying to figure out if XA6.5 can be licensed with my actual XD5.6 Platinum licenses. Right now we have XA5 with XD5.6 and XS6. Thank you in advance.

    • CyberRuiz says:

      XD Platinum licenses cover XA licenses. Take a look at this article http://danielruiz.org/2012/09/26/xendesktop-licensing-features-and-editions/
      You can also get more information from http://www.citrix.com/products/xendesktop/features/editions.html

      However to be 100% sure, contact your Citrix Rep and provide them your Customer ID number to make sure you have the proper information.

      Thank you

      • Miguel Romero says:

        Thank you for your quick response. I know that XD Plat include XA Plat, my question is about the migration from XA5 which we have right now to XA6.5 with the same licenses. Can we do that? I have read the migration process (and is not seamless, jeje) but I don’t know if my .lic file will work with XA6.5. Have you made this migration process? Thank you in advance.

      • CyberRuiz says:

        It is all about the version of the license server. You can certainly run both environments with the same license server.
        However you need to double check the version you are running. I am running 11.10 at the moment and hosting XenApp 6.5, XenDesktop 5.6 and a legacy 5.0 (really 4.5)farm we are decommissioning.

        Please note that you need to make sure your existing XenApp 5 and any other Citrix products you have support the license server version. Many times there are HotFixes that you need to install.


      • Miguel Romero says:

        Thank you, really, thank you for your information. It is what I’m looking for. Have a nice weekend.
