Citrix Cloud App Delivery Setup Tools Administration Guide

Citrix Cloud App Delivery
Setup Tools Administration Guide
www.citrix.com

Contents
Introduction ........................................................................................................................................................ 3
Getting Started ................................................................................................................................................... 4
Architectural Diagram ................................................................................................................................... 4
System and Software Requirements ............................................................................................................ 4
Requirements for the Client Computer .................................................................................................. 4
Requirements for XenApp Servers ......................................................................................................... 5
Requirements for the Database Server ................................................................................................... 5
Requirements for Access Gateway ......................................................................................................... 6
Requirements for EdgeSight for reporting (Optional)......................................................................... 6
Mapping the XenApp DVD image ............................................................................................................. 6
Citrix Online Plug-in Transform ............................................................................................................. 6
Web Interface Installation Package ......................................................................................................... 6
Enhanced Desktop Experience Setup .................................................................................................... 6
Preparing the Client Computer .................................................................................................................... 7
Step One: Install setup tools .................................................................................................................... 7
Step Two: Configure the Deployment ................................................................................................... 7
Setting up the Farm ....................................................................................................................................... 8
Working with Tenants ....................................................................................................................................... 9
Adding New Tenants to the Farm .............................................................................................................. 9
Removing Tenants from the Farm.............................................................................................................. 9
Adding and Removing Farm Capacity ..................................................................................................... 10
Managing Desktops ......................................................................................................................................... 11
Enabling Windows 7 Look and Feel for Users ....................................................................................... 11
Restricting Access to Allocated Servers ................................................................................................... 11
Usage Reporting ............................................................................................................................................... 13
Helpful hints ..................................................................................................................................................... 14
Page 2

Introduction
The Citrix Service Provider program makes it easy to deliver the power of hosted enterprise
applications and desktops to SMBs on a rental, subscription, or services basis. In order to deliver
these services to their customers, partner organizations must have an efficient and reliable method
of deploying Citrix XenApp farms.
This document explains how Citrix Service Providers can use PowerShell scripts to install and
configure XenApp farms, add tenants, and manage farm capacity for each tenant.
Page 3

Getting Started
Architectural Diagram
To deploy XenApp in a hosted environment, Citrix provides setup tools that are comprised of
several PowerShell scripts. The setup tools are designed to deploy the Citrix recommended reference
architecture as shown in the figure below. You can learn more about this reference architecture in
the Citrix Knowledge Center: http://forums.citrix.com/thread.jspa?threadID=276053&tstart=0.
System and Software Requirements
Figure 1. Reference Architecture Diagram
Prior to running the PowerShell scripts, set up your deployment environment according to the
system requirements for client and server computers.
Requirements for the Client Computer
The client computer connects remotely to servers to install and configure XenApp.
� PowerShell 2.0 must be installed
� The user account running the scripts must be a local administrator on all the XenApp
servers
� The computer must be joined to the same domain as the remote servers
Page 4

� If you are creating the farm database automatically, the user account must have permissions
to create the database on the SQL server.
� The user account running the scripts must have permissions to create Active Directory (AD)
objects (e.g., organizational units (OUs), user groups, and Group Policy objects (GPOs)) and
to move machines between the Computers folder and OUs.
Requirements for XenApp Servers
Ensure you have the computers necessary to assume the following roles in your deployment:
� Data collector for the XenApp farm
� Backup data collector for the XenApp farm
� Web Interface server
� Additional machines to be used as XenApp servers for adding capacity for a tenant
Each XenApp server must have the following components installed:
� Windows Server 2008 R2 operating system must be installed.
� NET Framework 3.5 SP1
� PowerShell execution policy must be set to AllSigned.
� PowerShell remoting enabled. For more information, see the Microsoft TechNet article
“about_Remote_Requirements.”
� The servers must be joined to the same domain as the client machine.
For more information about XenApp server requirements, see the topic “System Requirements for
XenApp 6 for Windows Server 2008 R2” in Citrix eDocs.
Requirements for the Database Server
� SQL Server 2008 or higher must be installed.
� If you are creating a database on SQL Server using the infrastructure setup scripts, ensure
that:
� SQL Server is set up as the default instance.
� SQL PowerShell provider, included with SQL Management Studio, is installed on the
server.
� PowerShell remoting is enabled. For more information, see the Microsoft TechNet
article “about_Remote_Requirements.”
� Windows authentication is configured.
� The user account running the scripts has permissions to create the database.
Page 5

� If you are creating database the manually:
� Assign db_owner permissions on the database to the user account for IMA
� Use either Windows authentication or SQL Authentication
Requirements for Access Gateway
For information about requirements for including Access Gateway in your deployment, see the
Access Gateway documentation in Citrix eDocs.
Requirements for EdgeSight for reporting (Optional)
For information about requirements for including EdgeSight in your deployment for usage
reporting, see the EdgeSight documentation in Citrix eDocs.
Mapping the XenApp DVD image
When installing and configuring XenApp, the scripts map a drive to the DVD share on the remote
computers. Make sure the DVD share path is accessible from all machines in your deployment
environment.
When using a XenApp 6.0 DVD image, you need to patch the DVD image with the following
components:
� Citrix Online Plug-in transform
� Updated installation package for Web Interface
� Enhanced Desktop Experience setup files
These changes are not necessary when using a XenApp Technical Preview DVD image.
Citrix Online Plug-in Transform
1. Download the zip file from this KB article - http://support.citrix.com/article/CTX123761.
2. Extract the .mst transform file to \Citrix Receiver and Plugins\Windows\Online
Plug-In.
Web Interface Installation Package
Replace the \Web Interface\WebInterface.exe file with the installation package for
Web Interface 5.4, available as a download from the Citrix Web site.
Enhanced Desktop Experience Setup
If you want to enable the Enhanced Desktop Experience role, copy the
CitrixAppDeliverySetupTools.exe file to the folder.
Page 6

Preparing the Client Computer
Step One: Install setup tools
On the client machine, launch the CitrixAppDeliverySetupTools.exe file. This installs the
infrastructure setup and Enhanced Desktop Experience Setup scripts in the
%ProgramFiles%\Citrix\App Delivery Setup Tools folder. On 64-bit machines the scripts are
located in the %ProgramFiles(x86)%\Citrix\App Delivery Setup Tools folder.
Step Two: Configure the Deployment
Using the PowerShell command prompt, open the App Delivery Setup Tools folder and run Save-
SetupConfiguration. This creates an XML configuration file with details of the deployment
environment you have prepared.
If no parameters are specified, the configuration file is saved in the %APPDATA%\Citrix folder.
You can specify a path for the file by passing in the SetupConfigurationFile parameter to the script.
You can use a network share for saving the configuration file so that you can create multiple
configuration files in one central location to support deploying multiple farms. If you do not use the
default path, you must specify the full path to the file whenever you execute any infrastructure setup
scripts.
Setting up Access Gateway
If you are setting up a test deployment and do not have an Access Gateway server already set up,
you can specify a dummy server name during configuration which you can change later from the
Web Interface Management Console. Internal sites are also created on the Web Interface servers
that are used for testing without Access Gateway. To access the internal sites, open Internet
Explorer and visit http:///Citrix/InternalXenApp or point the online plug-in to
http:///Citrix/InternalPNAgent.
If you have Access Gateway set up, provide the server’s fully-qualified domain name (FQDN) for
the configuration file. The Web Interface sites are set up assuming the Access Gateway
authentication service is configured for the default URL of
https:///CitrixAuthService/AuthService.asmx. If the authentication service is not
located at the default URL, edit the Web Interface sites after they are created. Click Authentication
Method and update the Authentication service URL path.
Change permissions for XenApp tools
In a shared XenApp environment in the cloud, you can allow multiple tenant administrators to
access the same XenApp farm. Do not add the tenant administrators as local administrators on the
server; instead, configure this role as a custom Citrix administrator account with permissions to
manage specific servers and applications.
In this environment, you might want to restrict non-administrators from having execute permissions
on XenApp tools. Enable the Change ACLs of XenApp Tools options during configuration to
remove the execute permissions from user accounts on certain XenApp tools.
Page 7

Setting up the Farm
On the client computer, using the PowerShell command prompt, open the App Delivery Setup
Tools folder and run the Install-CtxFarm script.
The script connects to the target servers using PowerShell remoting to install and configure the
XenApp components. After the script finishes, the farm is set up with the following components:
� Data collector
� Backup data collector
� Primary Web Interface site on the Web interface server
� Backup Web Interface site on the backup data collector
Depending on the configuration options chosen for the database, the script creates a new database
for the farm or uses an existing database.
Re-deploying an existing farm can cause the farm database to be corrupted. To avoid this, the
configuration file is updated after the farm has been successfully deployed to prevent further editing
with Save-SetupConfig or re-creating the farm database with Install-CtxFarm. If you want to specify
a new configuration file with the same name, you must include the overwrite flag for the Save-
SetupConfiguration script.
After farm setup is complete, you can begin hosting multiple tenants.
Page 8

Working with Tenants
Adding New Tenants to the Farm
Before a new tenant joins the farm, you create the tenant’s AD objects. This allows multiple tenants
to exist in the same farm but with their own set of XenApp servers. These AD objects include, at a
minimum, a user group for the tenant’s users and an OU for the XenApp servers that are allocated
to the tenant.
You can create the AD structure required for the tenant by running the Register-Tenant script.
This script creates the objects for the tenant if they do not already exist and adds the tenant’s worker
group to the farm. The script offers some flexibility in creating the AD structure, though the easiest
approach may be to specify the Tenant parameter only. The AD structure is then created directly
under the domain root.
To run the script with advanced options such as User OU and Computer OU, refer to the included
help. To access the help, use a PowerShell command prompt to open the App Delivery Setup Tools
folder and enter Get-Help .\Register-Tenant.ps1.
After the tenant is registered, you can publish any required applications or desktops. When
publishing these resources, use the tenant’s user group and worker group to make managing these
resources easier. Optionally, you can specify the PublishDesktop parameter during tenant
registration to publish a default desktop that is available for the tenant’s user group on the tenant’s
worker group.
In addition to publishing resources in the XenApp farm, you will have to manage the tenant’s user
accounts. When creating these user accounts, remember to add them to the tenant’s user group that
was created during registration.
After the tenant is registered, you will need to add capacity for the tenant before they can access
published resources in the farm.
Removing Tenants from the Farm
To remove any tenants from the farm, you need to undo the actions that were performed during the
tenant registration, including deleting the tenant’s worker group(s) from the farm and user group
from Active Directory.
Note: Before removing a tenant, be sure to remove all capacity that has been allocated.
You can clean up the tenant objects by running the Unregister-Tenant script. As with the Register-
Tenant script, there is some flexibility when running this script and the available options can be
viewed in the help included with the script.
Page 9

If the Tenant parameter is used with the Unregister-Tenant script, all objects in Active Directory are
deleted. However, if the OU parameter is used, then only the user group is deleted from Active
Directory.
To clean up the worker group, the script evaluates all worker groups in the farm and removes any
references to the tenant’s Computer OU. If the worker group is empty after removing this reference,
the script deletes it from the farm.
This script does not affect any of the tenant’s published applications or desktops, so you will have to
delete them manually, if necessary.
Adding and Removing Farm Capacity
Farm capacity is defined as the number of XenApp servers that are available for a specific tenant.
You may occasionally need to change the capacity allocated for a tenant; for example, when the
tenant initially joins the farm. To perform capacity changes, use the Add-CtxFarmCapacity or
Remove-CtxFarmCapacity scripts.
Before you can add capacity for a tenant, the tenant must be registered and the Active Directory and
farm objects must be created. The Add-CtxFarmCapacity script uses a list of servers and the tenant’s
AD information as parameters and installs and configures XenApp on these servers. After the
servers are configured and joined to the farm, they are moved into the tenant’s Computer OU so
that they are automatically included in the tenant’s worker group that was created during registration.
The servers may not be listed immediately in the worker group and Active Directory
synchronization must occur before the servers are recognized as being part of the OU. When adding
capacity, you can optionally enable the Enhanced Desktop Experience feature. This feature enables
the servers to provide the Windows 7 look and feel in user sessions.
If you need to reduce the number of servers allocated for a tenant, you can run the Remove-
CtxFarmCapacity script with a list of the XenApp servers to remove. To reduce the capacity, the
script removes the servers from the farm while leaving XenApp installed and moves the servers
back to the Computers folder in Active Directory. After removing the server from the tenant’s farm,
the server can be reallocated to other tenants. However, if the server previously had the Enhanced
Desktop Experience feature enabled, the feature is not disabled or removed when the server is
added back to a farm.
Note: Before removing a tenant, be sure to remove all capacity that has been allocated.
Page 10

Managing Desktops
To manage and configure restrictions within published desktops, use the New-
CtxManagedDesktopGPO script. This creates three user GPOs – CtxStartMenuTaskbarUser,
CtxPersonalizableUser, CtxRestrictedUser – and one computer GPO – CtxRestrictedComputer.
After these GPOs are created in Active Directory, link the user GPOs to the desired user accounts
and the computer GPO to the XenApp servers. Be aware that simply applying these policies is not
enough to deliver a secure, locked-down desktop. You still need to follow your organization’s
security best practices for ensuring the servers and the desktops they deliver are protected.
View the detailed settings that are configured in each of the GPOs using the Group Policy
Management Console.
Enabling Windows 7 Look and Feel for Users
Apply the CtxStartMenuTaskbarUser GPO to the tenant’s user accounts to enable the Windows 7
look and feel on the published desktop.
The GPO includes a PowerShell script that is executed on the user’s first login to the server. For the
script to execute correctly, the PowerShell execution policy on the server must be set to AllSigned
(see “Requirements for XenApp Servers” on page 5) and the Enhanced Desktop Experience feature
must be installed and configured on the XenApp server.
The CtxStartMenuTaskbarUser GPO changes the pinned shortcuts on the Taskbar and set up the
user’s Start menu to match a Windows 7 environment.
Restricting Access to Allocated Servers
Apply the CtxRestrictedComputer GPO to configure certain restrictions on the XenApp servers
allocated for the tenant. This GPO restricts users from accessing Windows update or removable
server drives.
Apply the CtxPersonalizableUser GPO to configure the user account that is accessing the XenApp
server. This GPO configures Windows policies to limit the available Control Panel applets and
restrict users from installing programs, viewing properties, scheduling tasks, or shutting down the
server. The CtxPersonalizableUser GPO requires the Enhanced Desktop Experience feature to be
configured correctly so that it can set the user’s theme to the NewBasic theme file that was created
during the server configuration.
The CtxRestrictedUser GPO includes most of the policies from the CtxPersonalizableUser GPO
and also restricts the user from personalizing their desktop by configuring the Desktop wallpaper
policy and by not allowing users to modify settings for the Start menu and Taskbar.
When configuring the user session, apply either the CtxPersonalizableUser or CtxRestrictedUser
GPO to the user account. Some Microsoft Hotfixes may be required to get all policies to work
correctly. For more information, see the help included with the New-CtxManagedGPO script.
Page 11

To see a complete list of the settings, view the GPO in the Group Policy Management Console.
Page 12

Usage Reporting
A set of EdgeSight reports is available for easier tracking of users in a cloud environment. For more
information on accessing and using these reports, refer to the article “Citrix Service Providers Guide
to Using Citrix EdgeSight.” This resource is included in the Citrix Service Provider Toolkit, available
from the Citrix Web site. .
Page 13

Helpful hints
Use the following tips for managing or troubleshooting your XenApp farm;
� Do not edit the setup and configuration scripts directly. Instead, copy the scripts to a
separate directory and make your changes.
� The farm setup and capacity management scripts assume the servers are joined to the same
domain and are accessible through PowerShell remoting. The scripts do not provision any
machines automatically.
� The farm configuration scripts restart the servers to join the farm. Do not use any VMs that
will lose changes when restarting occurs.
� Enabling the Enhanced Desktop Experience feature may degrade the performance and
lower the user density on the server.
� If the user has an existing profile, some of the GPO settings may not apply correctly.
� To install the Enhanced Desktop Experience setup scripts only, run the
CitrixAppDeliverySetupTools.exe file with the ADDLOCAL=“EnhancedDesktopSetup”
parameter.
� To install the Infrastructure Setup scripts only, run the CitrixAppDeliverySetupTools.exe file
with the ADDLOCAL=“InfrastructureSetup” parameter.
Page 14