How to Deliver a Cloud Desktop Using XenApp 6

WHITE PAPER
www.citrix.com

Upload: sanderve

Post on 14-Oct-2014


Contents

Summary
Step 1: Register a new tenant with Active Directory
Step 2: Enable the Windows 7 desktop experience on worker machines
Step 3: Create a Worker Group of worker machines
Step 4: Publish the desktop
Step 5: Configure the XenApp policies
Some things to keep in mind


Summary

As you may already know, hosted shared desktops are part of the Citrix FlexCast™ delivery technology and are ideally suited for subscribers who need a set bundle of applications. Both Citrix and Microsoft have defined SPLA programs that enable a Citrix Service Provider (CSP) to deliver hosted shared desktops from a cloud. Here are the first steps to make it happen in YOUR datacenter.

This paper lists the five steps needed to deliver a hosted shared desktop from a cloud.

The steps below assume that you, as a CSP administrator, have the following environment:

- Access to Active Directory with permissions to join a server to a domain, create OUs, and create user and group accounts.
- A XenApp 6 deployment created by configuring the necessary server roles like License Server, Data-collector, XML-broker and Web Interface.
- One or more XenApp 6 servers that you plan to use to host the desktop sessions. These machines are referred to as worker machines. Alternatively, you can have an image of a XenApp 6 server that you can use to create virtual worker machines.

To find documentation on how to set up such an environment, check out the Citrix eDocs.

Step 1: Register a new tenant with Active Directory

For every tenant, Citrix recommends creating the following objects in Active Directory (in addition to the user objects that represent the tenant's users):

- An organizational unit (OU) that contains the user accounts representing the tenant's users.
- A global group account whose members are the tenant's users.
- An organizational unit (OU) that contains the worker machines reserved for the tenant.

The purpose of these objects becomes clear in the next few steps.
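One way to script the three Step 1 objects with the ActiveDirectory module, as an added example that is not part of the white paper. The function name, the `<Tenant>Users` / `<Tenant>OU` / `<Tenant>Group` naming scheme and the parent DN are assumptions made for illustration.

```powershell
# Added example (not from the white paper). Object names and the parent DN are hypothetical.
Import-Module ActiveDirectory

function New-TenantDirectoryObjects {
    param(
        # Restricting the tenant name keeps it safe to embed in the -Filter strings below.
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z0-9]+$')][string]$Tenant,
        [Parameter(Mandatory = $true)][string]$ParentDN   # e.g. "DC=example,DC=com" (placeholder)
    )

    # Return the DN of an OU directly under $ParentDN, creating it only if it is missing,
    # so the tenant registration workflow can be re-run safely.
    function Get-OrCreateOU([string]$Name) {
        $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDN -SearchScope OneLevel
        if (-not $ou) {
            $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
                      -ProtectedFromAccidentalDeletion $true -PassThru
        }
        $ou.DistinguishedName
    }

    $userOU   = Get-OrCreateOU "${Tenant}Users"   # holds the tenant's user accounts
    $workerOU = Get-OrCreateOU "${Tenant}OU"      # holds the worker machines reserved for the tenant

    # Global security group whose members are the tenant's users.
    $groupName = "${Tenant}Group"
    $group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
                     -GroupScope Global -GroupCategory Security -Path $userOU -PassThru
    }

    # These values feed the later steps: WorkerOU for the worker group (Step 3),
    # Group for publishing and policy filters (Steps 4 and 5).
    New-Object PSObject -Property @{
        UserOU   = $userOU
        WorkerOU = $workerOU
        Group    = $group.SamAccountName
    }
}

# Usage with placeholder values:
# New-TenantDirectoryObjects -Tenant "Tenant1" -ParentDN "DC=example,DC=com"
```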

Step 2: Enable the Windows 7 desktop experience on worker machines

The default desktop delivered by a XenApp 6 server (or Windows 2008 R2 server) is a desktop intended primarily for an administrator to manage a server. As such, it looks a bit bland, has no support for themes, and a number of accessory applications like the Windows Media Player, Snipping tool, Sound recorder, and so on are not available. See the picture below:

To enable a Windows 7-like experience, Microsoft documentation states that you need to add the Desktop Experience feature to the worker machine (or image). This can be done easily using Server Manager or you can add the lines below to your worker machine preparation script.

    import-module ServerManager
    Add-WindowsFeature Desktop-Experience

The Windows Desktop Experience feature adds support for themes and it also installs the accessory applications mentioned above. Once this feature is installed and you reboot the server, you need to start the Themes service (and ensure that its startup type is configured as Automatic). To do this, you can copy the lines below to a script/workflow step that gets invoked after the machine is rebooted during the worker machine (or image) preparation process.

    Set-Service -Name Themes -StartupType Automatic
    Start-Service Themes

If you were working on an image, you can now create virtual worker machines from this image. Citrix recommends placing all the worker machines that are reserved for a specific tenant in an Active Directory OU created for that tenant (in step 1).

You should also create a GPO that sets a specific theme and wallpaper for all users (assuming for now that all of the tenant's users get the same theme and wallpaper and are not allowed to change this). The PowerShell code for this is shown below. This code creates a domain GPO that sets the theme to the Windows 7 Basic theme and allows you to specify a path to a wallpaper file that is present on the local server.

    import-module grouppolicy

    # Create a new domain GPO
    $gpo = new-gpo -name "<Name of the GPO>"

    # Set the policy for Themes
    $gpo | Set-GPRegistryValue -Key "HKCU\Software\Policies\Microsoft\Windows\Personalization" -Type String -ValueName ThemeFile -Value "%windir%\resources\Ease of Access Themes\basic.theme"

    # Set the policy for wallpaper
    $gpo | Set-GPRegistryValue -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Type String -ValueName WallPaper -Value "<path to a local wallpaper file>"

Once the GPO is created, you can link it with the OU (created in step 1) that contains the tenant's users.

Now, when a user logs in to a hosted desktop, the desktop looks like the picture below. See the difference?

Note: In my testing, I noticed that the wallpaper policy was not taking effect. Luckily, Microsoft has already released a hotfix for this issue - KB 977944, which you need to install on the worker machine.

Step 3: Create a Worker Group of worker machines

XenApp 6 has a feature called Worker Groups, where a worker group is basically a collection of XenApp servers with which you can associate objects like published applications, policies, and so on. You can define a worker group using the Active Directory OU which contains the worker machines reserved for a specific tenant (created in step 1). To create the worker group, use the Delivery Services Console or use the XenApp cmdlet shown below, while registering a tenant.

    New-XAWorkerGroup -WorkerGroupName Tenant1WG -Description "WorkerGroup for Tenant1" -OUs "OU=Tenant1OU, DC=<domain>, DC=<domain suffix>"

Step 4: Publish the desktop

Publish the desktop to the tenant's end-users. To do this, you can either use the Delivery Services Console or you can use the New-XAApplication cmdlet as shown below (yes - in XenApp-speak even a desktop is a type of a published application). While publishing the desktop, assign it to the global group account (created in step 1) that represents the users of a tenant and host it on the worker group (created above in step 3).

    New-XAApplication -DisplayName "MyDesktop" -ApplicationType ServerDesktop -Accounts "<domain\group account>" -WorkerGroupNames "Tenant1WG"

Step 5: Configure the XenApp policies

The default XenApp policies are configured to deliver the best experience to an end-user without sacrificing performance or user-density on a server. However, there are a few user policies that you might want to consider tweaking - the table below shows a couple. For a full list of policies, see the Policies node in the Delivery Services Console.

| Policy | Default value | Recommended value | Reason |
|---|---|---|---|
| UseLocalTimeOfClient | Use Server Time | Use Client Time | If you want the time of the client device to be used within the session. |
| AllowDirectConnectToPrintServer | True | False | To prevent the XenApp server in a CSP's datacenter from attempting to directly connect to a print server that might be in the tenant's office. |

You can configure these policies in an Active Directory GPO using GPEdit.exe or the script below. (For an excellent overview of XenApp policies and how to configure these using a script, see these blogs from Tom Kludy: XenApp 6: Group Policy Overview and XenApp 6: Group Policy Provider.)

    import-module grouppolicy

    # Map a PowerShell drive to an existing GPO
    New-PSDrive -Name GPODrive -PSProvider CitrixGroupPolicy -Root \ -DomainGpo "<name of domain GPO>"

    # Navigate to the "User" part of the policy
    cd GPODrive:
    cd user\

    # Create a new policy here
    new-item MyHDXPolicy

    # Filter this policy by a group account (that contains the tenant's users).
    cd MyHDXPolicy
    cd .\Filters
    cd .\User
    new-item Tenant1Users "<name of group account>"

    # Configure the settings shown in the table above.
    cd GPODrive:\User\MyHDXPolicy\Settings\ICA\Printing\ClientPrinters\
    Set-ItemProperty DirectConnectionsToPrintServers -Name State -Value Prohibited

    cd GPODrive:\User\MyHDXPolicy\Settings\ICA\TimeZoneControl
    Set-ItemProperty SessionTimeZone -Name Value -Value UseClientTimeZone

Once the GPO has been configured, you can assign it to the OU containing the tenant's users.

When an end-user logs in using Web Interface, they see a desktop icon and by clicking on it, they should get a hosted shared desktop delivered from a cloud that looks and feels like a Windows 7 desktop.

Some things to keep in mind

1. Citrix recommends reserving a collection of machines for each tenant - this avoids any security issues that might arise when end-users from multiple tenants are using desktops hosted on the same server. You can achieve this by following the steps described above to create a distinct OU and a worker group per tenant. The published desktop object can be shared across tenants as long as you configure a Load Balancing policy for Worker Group Preference that routes users from a specific tenant to a specific worker group. You can create this using the Delivery Services Console (under the Load Balancing Policies node) or by adding the following lines to your tenant registration script/workflow.

    # Create a new load balancing policy
    New-XALoadBalancingPolicy -PolicyName "Tenant1LBPolicy" -Description "Worker group preference policy for Tenant1 users"

    # Enable Worker group preference and specify the preferred worker group.
    Set-XALoadBalancingPolicyConfiguration -PolicyName "Tenant1LBPolicy" -WorkerGroupPreferenceAndFailoverState Enabled -WorkerGroupPreferences "1=Tenant1WG"

    # Specify the user accounts to which this policy applies.
    Set-XALoadBalancingPolicyFilter -PolicyName "Tenant1LBPolicy" -AllowedAccounts "<name of group account>"

   Note: If a tenant has high security requirements, you might want to deploy a separate XenApp farm dedicated for that tenant.

2. With this model:

   a. If you need to increase capacity for a specific tenant, all you need to do is provision more worker machines and add them to the OU for that tenant. These new machines automatically become part of the worker group and become available for hosting desktops.

   b. If you need to deliver a desktop to new users from an existing tenant, just create the new user accounts and add them to the global group created in step 1. Note: You might need to provision additional capacity for these new users as described in the bullet above.
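Because the published desktop, the policy filter and the load balancing policy are all keyed to the tenant's global group, membership of that group decides who lands on the tenant's reserved worker machines (items 1 and 2b above). The check below is an added example, not part of the white paper; the function name and the sample group and OU names are assumptions.

```powershell
# Added example (not from the white paper): flag members of a tenant's global group
# whose accounts live outside that tenant's users OU. All names are placeholders.
Import-Module ActiveDirectory

function Test-TenantGroupIsolation {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,      # tenant's global group (step 1)
        [Parameter(Mandatory = $true)][string]$TenantUserOU    # DN of the tenant's users OU (step 1)
    )

    # Resolve the OU first: this stops on a mistyped DN and yields the DN
    # exactly as Active Directory formats it, so the suffix comparison is reliable.
    $ouDN   = (Get-ADOrganizationalUnit -Identity $TenantUserOU -ErrorAction Stop).DistinguishedName
    $suffix = "," + $ouDN

    # -Recursive expands nested groups, so indirect members are checked as well.
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop)

    $outsiders = @($members | Where-Object {
        -not $_.distinguishedName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
    })

    foreach ($m in $outsiders) {
        Write-Warning ("{0} ({1}) is a member of {2} but is not under {3}" -f `
            $m.SamAccountName, $m.distinguishedName, $GroupName, $ouDN)
    }

    # True only when every effective member belongs to the tenant's own users OU.
    return ($outsiders.Count -eq 0)
}

# Usage with placeholder names:
# Test-TenantGroupIsolation -GroupName "Tenant1Group" -TenantUserOU "OU=Tenant1Users,DC=example,DC=com"
```

Running this per tenant after each user onboarding catches an account from another tenant's OU being added to the group, directly or through a nested group.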