XenApp 6.5 / XenDesktop 5.6 Best Practice Policies
October 22, 2012 16 Comments
One of the most common mistakes that Citrix Engineers make in a XenApp/XenDesktop deployment is not taking the time to fully understand Citrix Policies. There are several articles such as the XenApp and Desktop Policy Planning Guide and the XenDesktop and XenApp Best Practices Reference Guide I suggest reading.
I been in environments running pretty large farms where policies are not applied at all. It is very important to take the time to go over these, as you can provide better session control and most importantly a better end user experience, specially when working with high latency connections for remote offices.
The policies below are from a collection of the docs mentioned above, as well as my own experience.
XenApp Baseline User Policy:
Apply this policy as your baseline to all users connecting to your XenApp farm.
ICA\Adobe Flash Delivery\Flash Redirection
Flash acceleration – Enabled
Flash default behavior – Enable Flash Redirection
Flash event logging – Enabled
Flash intelligent fallback – Enabled
Flash latency threshold – 30 milliseconds
ICA\Audio
Audio Plug N Play – Allow
Audio quality – Medium
Client audio redirection – Allow
Client microphone redirection – Prohibit
ICA\Desktop UI
Desktop wallpaper – Allowed
Menu animation – Allowed
View window contents while dragging – prohibited
ICA\File Redirection
Client floppy drives – Prohibit
Client optical drives – Prohibit
Host to client redirection Disable
Read-only client drive access – Disable
Use asynchronous writes – Enabled
ICA\Port Redirection
Auto connect client COM ports – Disable
Auto connect client LPT ports – Disable
Client COM port redirection – Disable
Client LPT port redirection – Disable
ICA\Printing
Client printer redirection – Allow
Default printer – Set to client’s main printer
Printer auto creation log preference – Errors
Wait for printers to be created (desktop) – Disabled
ICA\Printing\Client Printers
Auto-create client printers – Default printer only
Auto-generate generic universal driver – Disabled
Client printer names – Standard names
Direct connections to print servers – enabled
Retained and restored client printers – Allowed
ICA\Printing\Drivers
Automatic installation of in-bo printer drivers – Disabled
Universal driver usage – Use Universal Printing only if requested driver is unavailable
ICA\Printing\Universal Printing
Universal printing EMF processing mode – Spool to printer
Universal printing image compression limit – Best Quality
Universal printing optimization defaults – Standard Quality
Caching of embedded images
Caching of embedded fonts
Universal printing preview preference – Use for auto-generated and generic
ICA\Session Limits
Linger Disconnect Timer Interval – 5 Minutes
Linger Terminate Timer Interval – 10 Minutes
Pre-Launch Disconnect Timer Interval – 15 Minutes
Pre-Launch Terminate Timer Interval – 30 Minutes
ICA\Shadowing
Log shadow attempts – Allow
Notify user of pending shadow connections – Allow
Users who can shadow other users – Defined by security
ICA\Time Zone Control
Estimate local time for legacy clients – Enable
Use local time of client – Use Client time zone
ICA\TWAIN devices
Client TWAIN device redirection – Enabled
TWAIN compression level – low
ICA\Visual Display\Moving Images
Moving Image Compression – Enabled
Server Session Settings
Session importance – Normal
Single Sign-on – Disabled
XenApp Baseline Computer Policy Setting.
Apply this policy as your baseline to all Servers in your XenApp farm.
ICA
ICA listener connection timeout – 120000 ms
ICA listener port number – 1494
ICA\Auto Client Reconnect
Auto client reconnect – Allow
Auto client reconnect authentication – Not required
Auto client reconnect logging – Disabled
ICA\End User Monitoring
ICA round trip calculation – Enable
ICA round trip calculations for idle connections – Disable
ICA\Graphics
Display memory limit 32768 KB
Display mode degrade preference – Degrade Color Depth First
Dynamic Windows preview – Enabled
Image caching – Enabled
Maimum allowed color depth 32 bit
Notify user when display mode is degraded – Disabled
Queuing and tossing – Enabled
ICA\Graphics Caching
Persistent Cache Threshold – 3000000 Kbps
ICA\Keep Alive
ICA keep alive timeout – 60 seconds
ICA keep alives – Enabled
ICA\Multimedia
Windows Media Redirection – Allowed
ICA\Session Reliability
Session reliability connections – Prohibited
ICA Shadowing
Shadowing – Allow
Licensing
License server host name – License Server name
License server port – 27000
Server Settings
DNS address resolution – Enabled
Full icon caching – enabled
Server Settings\Health Monitoring and Recovery
Health Monitoring – Enabled
Health Monitoring tests – Use Defaults (please configure as you see fit.)
Server Settings\Memory/CPU
CPU Management server lever – preferential load balancing
Memory optimization – Enabled
Memory optimization interval – enabled
Server Settings\Reboot Behaviour
Reboot logon disable time – Choose a value to suit your clients
Reboot Schedule frequency – Choose a value to suit your clients
Reboot Schedule start date – Reboot Schedule Choose first day of the reboot
Reboot Schedule time – Choose time to restart server
Reboot warning interval – Choose interval which the users are notified about pending restart
Reboot warning users – enabled
Scheduled Reboots – enabled
XML Service
Trust XML requests – enabled
XML server port – 8080
XenApp WAN/External User Policy.
Apply this policy for users working from branch offices or remote locations with low bandwidth and/or high latency connections.
ICA\Adobe Flash Delivery\Flash Redirection
Flash acceleration – Enabled
ICA\Audio
Audio quality – Medium
ICA\Client Sensors\Location
Allow applications to use the physical locations of the client device – allowed (Tablet Devices)
ICA\Desktop UI
Desktop wallpaper – prohibited
Menu animation – prohibited
View window contents while dragging – prohibited
ICA\File Redirection
Use asynchronous writes – Enabled
ICA\Mobile Experience
Automatic Keyboard Display – Enabled (Tablet Devices)
Launch touch-optimized desktop – Enabled (Tablet Devices)
Remote the combo box – Enabled (Tablet Devices)
ICA\Printing Wait for printers to be created (desktop) – Disabled
ICA\Printing\Universal Printing
Universal printing optimization defaults – Standard Quality
Caching of embedded images
Caching of embedded fonts
ICA\TWAIN devices
Client TWAIN device redirection – Disabled
ICA\Visual Display
Max Frames per Second – 15 FPS
ICA\Visual Display\Still Images
Extra Color Compression – Enabled
Extra Color Compression Threshold – 8192 kbps
Lossy compression level – High
Lossy compression level threshold value – Unlimited
Daniel this is awesome… thank you for posting this. I worked with so many Citrix consultants and they are never able to give me a good answer. This can be used as a default and grow from there. Your blog is awesome!
Hey Daniel,
Is this setting not recommended any longer?
ICA\Session Reliability
Session reliability connections – Prohibited
I normally disable Session Reliability when connected directly to the LAN. Meaning for local users. Remote users over the WAN I leave it enabled. You can control this via an AD group where the policy is applied.
Cheers,
Daniel
Hey Daniel,
Can you provide any details of the impact of having Session Reliability turned on? We have about 2500 remote XenApp users in our environment and don’t have it turned on at the moment. They all connect via the web interface. I’d love to enable that functionality but I’m concerned it will cause unforeseen issues with that many users. Any thoughts are greatly appreciated.
Very sorry for the late response… been really busy with work.
When session reliability is enabled, the ICA Client tunnels its ICA traffic inside the Gateway Protocol and sends the traffic to port 2598 first.
The XTE service on your XA hosts act as a relay, removing the Common Gateway Protocol layer and then forwarding traffic to the ICA listener on port 1494:
So in short your XTE service becomes really crucial, since it becomes the middle man between the user and the published app. This is normally enabled for high latency/long distance connections.
Hope this helps
Daniel
Hi Daniel,
Really appreciate you posting this. Could you clarify one line for me:
Auto client reconnect authentication Not required Require
Which option are you recommending?
Thanks,
Rob F
Rob F. Thanks for your comment. I made a mistake on the post and made it confusing 😦
The proper config is below. For XenApp 6.5, the option for “Auto client reconnect authentication” is no longer there.
Computer policy: ICA\Auto Client Reconnect:
Auto client reconnect – Allow
Auto client reconnect authentication – Not required
Auto client reconnect logging – Disabled
Hope this helps!
Daniel
Hi Daniel,
Thank you for the best practices guide. I was wondering if you could assist or point me in the right direction on a weird issue with Citrix VDI. When an user is listening to say a webcast the audio just stops working but the presentation continues to play. If the user clicks on an area the audio resumes. Any suggestions on what could be causing this?
-Arman
Arman,
Can you tell me what type of video/audio content you are having issues with. If it is flash, there are many things you can do… For Windows and Linux systems you can use flash redirection via the ICA client and user policy settings which can be filtered via a group, user, etc.
This setting will allow you to offload the flash content back to the source PC. I’ve done demo’s where I display 1080P flash content from XenApp 6.5 and XenDesktop 5.6
To enable support on systems running IE 8, a registry edit is required. For 32-bit OSs, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\HdxMediaStreamForFlash\Server\PseudoServer and add the entry named IEBrowserMaximumMajorVersion with a DWORD value of 00000009.
For 64-bit OSs, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer and add the entry named IEBrowserMaximumMajorVersion with a DWORD value of 00000009.
The user policies are located under ICA\Adobe Flash Delivery\Flash Redirection
Please note some security folks may question that whole HDX Flash redirection debacle.
Hope this helps a bit…
Cheers
Daniel,
Thank you for the prompt reply. The audio content are both Flash and Windows Media based, as per my conversation with the users the more problematic content is Windows Media based. Also our users are connecting via WYSE thin clients.
Any other thoughts? I know Feature Pack 1 resolves some audio issues but nothing to specifically address this. (http://support.citrix.com/article/CTX133872)
-Arman
Arman,
What is the OS that the Wyse Terminals run? As I mentioned before the HDX offloading is only supported on Windows and Linux.
And YES there is a known issue with audio playback on XD 5.6 which FP1 fixes due to a dll lock.
In addition, take a look at the latest XenDesktop 5.6 Hotfix Update 3 which was released yesterday and test it on a Test environment.
Cheers
Hello Daniel. I am trying to figure out if XA6.5 can be licensed with my actual XD5.6 Platinum licenses. Right now we have XA5 with XD5.6 and XS6. Thank you in advance.
Miguel,
XD Platinum licenses cover XA licenses. Take a look at this article http://danielruiz.org/2012/09/26/xendesktop-licensing-features-and-editions/
You can also get more information from http://www.citrix.com/products/xendesktop/features/editions.html
However to be 100% sure, contract your Citrix Rep and provide them your Customer ID number to make sure you have the proper information.
Thank you
Daniel
Thank you for your quick response. I know that XD Plat include XA Plat, my question is about the migration from XA5 which we have right now to XA6.5 with the same licenses. Can we do that?. I have read the migration process (and is not seamless, jeje) but i don´t know if my .lic file will work with XA6.5. Have you made this migration process?. Thank you in advance.
Miguel,
It is all about the version of the license server. You can certainly run both environments with the same license server.
However you need to double check the version you are running. I am running 11.10 at the moment and hosting XenApp 6.5, XenDesktop 5.6 and a legacy 5.0 (really 4.5)farm we are decommissioning.
Please note that you need to make sure your existing XenApp 5 and any other Citrix products you have support the license server version. Many times there are HotFixes that you need to install.
Daniel
Thank you, really, thank you for your information. It is what i´m looking for. Have a nice weekend.