
Citrix Cloud App Delivery Setup Tools Administration Guide

www.citrix.com

Contents
Introduction
Getting Started
  Architectural Diagram
  System and Software Requirements
    Requirements for the Client Computer
    Requirements for XenApp Servers
    Requirements for the Database Server
    Requirements for Access Gateway
    Requirements for EdgeSight for reporting (Optional)
  Mapping the XenApp DVD image
    Citrix Online Plug-in Transform
    Web Interface Installation Package
    Enhanced Desktop Experience Setup
  Preparing the Client Computer
    Step One: Install setup tools
    Step Two: Configure the Deployment
  Setting up the Farm
Working with Tenants
  Adding New Tenants to the Farm
  Removing Tenants from the Farm
  Adding and Removing Farm Capacity
Managing Desktops
  Enabling Windows 7 Look and Feel for Users
  Restricting Access to Allocated Servers
Usage Reporting
Helpful hints


Introduction
The Citrix Service Provider program makes it easy to deliver the power of hosted enterprise applications and desktops to SMBs on a rental, subscription, or services basis. In order to deliver these services to their customers, partner organizations must have an efficient and reliable method of deploying Citrix XenApp farms. This document explains how Citrix Service Providers can use PowerShell scripts to install and configure XenApp farms, add tenants, and manage farm capacity for each tenant.


Getting Started
Architectural Diagram
To deploy XenApp in a hosted environment, Citrix provides setup tools that consist of several PowerShell scripts. The setup tools are designed to deploy the Citrix-recommended reference architecture as shown in the figure below. You can learn more about this reference architecture in the Citrix Knowledge Center: http://forums.citrix.com/thread.jspa?threadID=276053&tstart=0.

Figure 1. Reference Architecture Diagram

System and Software Requirements


Prior to running the PowerShell scripts, set up your deployment environment according to the system requirements for client and server computers.

Requirements for the Client Computer
The client computer connects remotely to servers to install and configure XenApp.
- PowerShell 2.0 must be installed.
- The user account running the scripts must be a local administrator on all the XenApp servers.
- The computer must be joined to the same domain as the remote servers.
- If you are creating the farm database automatically, the user account must have permissions to create the database on the SQL server.
- The user account running the scripts must have permissions to create Active Directory (AD) objects (e.g., organizational units (OUs), user groups, and Group Policy objects (GPOs)) and to move machines between the Computers folder and OUs.

Requirements for XenApp Servers
Ensure you have the computers necessary to assume the following roles in your deployment:
- Data collector for the XenApp farm
- Backup data collector for the XenApp farm
- Web Interface server
- Additional machines to be used as XenApp servers for adding capacity for a tenant

Each XenApp server must have the following components installed:
- Windows Server 2008 R2 operating system must be installed.
- .NET Framework 3.5 SP1
- PowerShell execution policy must be set to AllSigned.
- PowerShell remoting enabled. For more information, see the Microsoft TechNet article about_Remote_Requirements.
- The servers must be joined to the same domain as the client machine.

For more information about XenApp server requirements, see the topic System Requirements for XenApp 6 for Windows Server 2008 R2 in Citrix eDocs.

Requirements for the Database Server
SQL Server 2008 or higher must be installed.

If you are creating a database on SQL Server using the infrastructure setup scripts, ensure that:
- SQL Server is set up as the default instance.
- SQL PowerShell provider, included with SQL Management Studio, is installed on the server.
- PowerShell remoting is enabled. For more information, see the Microsoft TechNet article about_Remote_Requirements.
- Windows authentication is configured.
- The user account running the scripts has permissions to create the database.

If you are creating the database manually:
- Assign db_owner permissions on the database to the user account for IMA.
- Use either Windows authentication or SQL Authentication.
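A pre-flight check for the items under "Requirements for XenApp Servers", run from the client computer before any setup script. This is an added example, not part of the Citrix setup tools; the function name and the server names are assumptions, and the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example: pre-flight check of the "Requirements for XenApp Servers" list.
# Runs from the client computer; server names are supplied by the operator.
function Test-XenAppServerPrereq {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    # The servers must be joined to the same domain as the client computer.
    $clientDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

    foreach ($server in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Server = $server; Remoting = $false; Server2008R2 = $false
            DotNet35SP1 = $false; ExecutionPolicy = $null
            SameDomain = $false; Error = $null
        }

        try {
            # PowerShell remoting: WinRM has to answer before anything else can be read.
            Test-WSMan -ComputerName $server -ErrorAction Stop | Out-Null
            $row.Remoting = $true

            $facts = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                $os  = Get-WmiObject -Class Win32_OperatingSystem
                $cs  = Get-WmiObject -Class Win32_ComputerSystem
                $net = Get-ItemProperty -ErrorAction SilentlyContinue `
                    -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
                New-Object PSObject -Property @{
                    OSVersion    = $os.Version
                    ProductType  = $os.ProductType
                    Domain       = $cs.Domain
                    PartOfDomain = $cs.PartOfDomain
                    NetInstall   = $net.Install
                    NetSP        = $net.SP
                    Policy       = (Get-ExecutionPolicy).ToString()
                }
            }

            # Windows Server 2008 R2 reports version 6.1.x; ProductType 1 is a workstation.
            $row.Server2008R2 = ($facts.OSVersion -like '6.1.*') -and ($facts.ProductType -ne 1)
            # .NET 3.5 SP1 is recorded as Install=1 and SP>=1 under the v3.5 setup key.
            $row.DotNet35SP1 = ($facts.NetInstall -eq 1) -and ($facts.NetSP -ge 1)
            $row.ExecutionPolicy = $facts.Policy
            $row.SameDomain = $facts.PartOfDomain -and ($facts.Domain -eq $clientDomain)
        } catch {
            # Unreachable host or failed remote call: keep the row and record why.
            $row.Error = $_.Exception.Message
        }

        $row | Select-Object Server, Remoting, Server2008R2, DotNet35SP1,
            ExecutionPolicy, SameDomain, Error
    }
}

# Constructed server names; replace with the machines in your deployment.
# Only servers that miss at least one requirement are listed.
Test-XenAppServerPrereq -ComputerName 'XA-DC01', 'XA-WI01' |
    Where-Object {
        -not ($_.Remoting -and $_.Server2008R2 -and $_.DotNet35SP1 -and
              $_.SameDomain -and $_.ExecutionPolicy -eq 'AllSigned')
    } | Format-Table -AutoSize
```

The execution policy reported is the effective policy of the remote session, so a Group Policy override on the server shows up here as well.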

Requirements for Access Gateway
For information about requirements for including Access Gateway in your deployment, see the Access Gateway documentation in Citrix eDocs.

Requirements for EdgeSight for reporting (Optional)
For information about requirements for including EdgeSight in your deployment for usage reporting, see the EdgeSight documentation in Citrix eDocs.

Mapping the XenApp DVD image


When installing and configuring XenApp, the scripts map a drive to the DVD share on the remote computers. Make sure the DVD share path is accessible from all machines in your deployment environment.

When using a XenApp 6.0 DVD image, you need to patch the DVD image with the following components:
- Citrix Online Plug-in transform
- Updated installation package for Web Interface
- Enhanced Desktop Experience setup files

These changes are not necessary when using a XenApp Technical Preview DVD image.

Citrix Online Plug-in Transform
1. Download the zip file from this KB article - http://support.citrix.com/article/CTX123761.
2. Extract the .mst transform file to <DVD_ROOT>\Citrix Receiver and Plugins\Windows\Online Plug-In.

Web Interface Installation Package
Replace the <DVD_ROOT>\Web Interface\WebInterface.exe file with the installation package for Web Interface 5.4, available as a download from the Citrix Web site.

Enhanced Desktop Experience Setup
If you want to enable the Enhanced Desktop Experience role, copy the CitrixAppDeliverySetupTools.exe file to the <DVD_ROOT> folder.


Preparing the Client Computer


Step One: Install setup tools
On the client machine, launch the CitrixAppDeliverySetupTools.exe file. This installs the infrastructure setup and Enhanced Desktop Experience Setup scripts in the %ProgramFiles%\Citrix\App Delivery Setup Tools folder. On 64-bit machines the scripts are located in the %ProgramFiles(x86)%\Citrix\App Delivery Setup Tools folder.

Step Two: Configure the Deployment
Using the PowerShell command prompt, open the App Delivery Setup Tools folder and run SaveSetupConfiguration. This creates an XML configuration file with details of the deployment environment you have prepared. If no parameters are specified, the configuration file is saved in the %APPDATA%\Citrix folder. You can specify a path for the file by passing in the SetupConfigurationFile parameter to the script. You can use a network share for saving the configuration file so that you can create multiple configuration files in one central location to support deploying multiple farms. If you do not use the default path, you must specify the full path to the file whenever you execute any infrastructure setup scripts.

Setting up Access Gateway


If you are setting up a test deployment and do not have an Access Gateway server already set up, you can specify a dummy server name during configuration which you can change later from the Web Interface Management Console. Internal sites are also created on the Web Interface servers that are used for testing without Access Gateway. To access the internal sites, open Internet Explorer and visit http://<WIServerName>/Citrix/InternalXenApp or point the online plug-in to http://<WIServerName>/Citrix/InternalPNAgent.

If you have Access Gateway set up, provide the server's fully-qualified domain name (FQDN) for the configuration file. The Web Interface sites are set up assuming the Access Gateway authentication service is configured for the default URL of https://<serverFQDN>/CitrixAuthService/AuthService.asmx. If the authentication service is not located at the default URL, edit the Web Interface sites after they are created. Click Authentication Method and update the Authentication service URL path.

Change permissions for XenApp tools


In a shared XenApp environment in the cloud, you can allow multiple tenant administrators to access the same XenApp farm. Do not add the tenant administrators as local administrators on the server; instead, configure this role as a custom Citrix administrator account with permissions to manage specific servers and applications. In this environment, you might want to restrict non-administrators from having execute permissions on XenApp tools. Enable the Change ACLs of XenApp Tools option during configuration to remove the execute permissions from user accounts on certain XenApp tools.
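One way to verify the result of the Change ACLs of XenApp Tools option on a server is to list the Allow entries that still grant execute rights to non-administrative principals. This is an added example, not part of the Citrix setup tools; the function name and the tool paths are placeholders, because this guide does not list which tools are affected.

```powershell
# Added example: list Allow ACEs that still grant execute rights on XenApp tools
# to principals other than SYSTEM, Administrators and TrustedInstaller.
function Get-NonAdminExecuteAce {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )

    # Well-known SIDs that are expected to keep execute rights.
    $expected = @(
        'S-1-5-18',        # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',    # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # ExecuteFile (0x20) plus the generic execute/all bits that raw ACEs can carry.
    $executeMask = 0x20 -bor 0x20000000 -bor 0x10000000

    foreach ($file in $Path) {
        $acl = Get-Acl -Path $file -ErrorAction Stop

        foreach ($ace in $acl.Access) {
            # Only Allow entries can grant execute; Deny entries are not evaluated here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $executeMask) -eq 0) { continue }

            # Compare by SID so that localized or renamed group names do not matter.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # unresolved identity, reported as-is
            }
            if ($expected -contains $sid) { continue }

            New-Object PSObject -Property @{
                Path      = $file
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
            } | Select-Object Path, Identity, Sid, Rights, Inherited
        }
    }
}

# Placeholder paths (hypothetical): substitute the XenApp tools you want to audit.
$toolPaths = @('C:\Path\To\XenAppTool1.exe', 'C:\Path\To\XenAppTool2.exe') |
    Where-Object { Test-Path $_ }
if ($toolPaths) {
    Get-NonAdminExecuteAce -Path $toolPaths | Format-Table -AutoSize
}
```

An empty result means no Allow entry grants execute to an ordinary user account or group; a principal that is listed may still be blocked by a Deny entry, which this check does not evaluate.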


Setting up the Farm


On the client computer, using the PowerShell command prompt, open the App Delivery Setup Tools folder and run the Install-CtxFarm script. The script connects to the target servers using PowerShell remoting to install and configure the XenApp components. After the script finishes, the farm is set up with the following components:
- Data collector
- Backup data collector
- Primary Web Interface site on the Web Interface server
- Backup Web Interface site on the backup data collector

Depending on the configuration options chosen for the database, the script creates a new database for the farm or uses an existing database. Re-deploying an existing farm can cause the farm database to be corrupted. To avoid this, the configuration file is updated after the farm has been successfully deployed to prevent further editing with Save-SetupConfig or re-creating the farm database with Install-CtxFarm. If you want to specify a new configuration file with the same name, you must include the overwrite flag for the SaveSetupConfiguration script. After farm setup is complete, you can begin hosting multiple tenants.


Working with Tenants


Adding New Tenants to the Farm
Before a new tenant joins the farm, you create the tenant's AD objects. This allows multiple tenants to exist in the same farm but with their own set of XenApp servers. These AD objects include, at a minimum, a user group for the tenant's users and an OU for the XenApp servers that are allocated to the tenant.

You can create the AD structure required for the tenant by running the Register-Tenant script. This script creates the objects for the tenant if they do not already exist and adds the tenant's worker group to the farm. The script offers some flexibility in creating the AD structure, though the easiest approach may be to specify the Tenant parameter only. The AD structure is then created directly under the domain root. To run the script with advanced options such as User OU and Computer OU, refer to the included help. To access the help, use a PowerShell command prompt to open the App Delivery Setup Tools folder and enter Get-Help .\Register-Tenant.ps1.

After the tenant is registered, you can publish any required applications or desktops. When publishing these resources, use the tenant's user group and worker group to make managing these resources easier. Optionally, you can specify the PublishDesktop parameter during tenant registration to publish a default desktop that is available for the tenant's user group on the tenant's worker group.

In addition to publishing resources in the XenApp farm, you will have to manage the tenant's user accounts. When creating these user accounts, remember to add them to the tenant's user group that was created during registration. After the tenant is registered, you will need to add capacity for the tenant before they can access published resources in the farm.

Removing Tenants from the Farm


To remove any tenants from the farm, you need to undo the actions that were performed during the tenant registration, including deleting the tenant's worker group(s) from the farm and user group from Active Directory.

Note: Before removing a tenant, be sure to remove all capacity that has been allocated.
You can clean up the tenant objects by running the Unregister-Tenant script. As with the Register-Tenant script, there is some flexibility when running this script and the available options can be viewed in the help included with the script.


If the Tenant parameter is used with the Unregister-Tenant script, all objects in Active Directory are deleted. However, if the OU parameter is used, then only the user group is deleted from Active Directory. To clean up the worker group, the script evaluates all worker groups in the farm and removes any references to the tenant's Computer OU. If the worker group is empty after removing this reference, the script deletes it from the farm. This script does not affect any of the tenant's published applications or desktops, so you will have to delete them manually, if necessary.

Adding and Removing Farm Capacity


Farm capacity is defined as the number of XenApp servers that are available for a specific tenant. You may occasionally need to change the capacity allocated for a tenant; for example, when the tenant initially joins the farm. To perform capacity changes, use the Add-CtxFarmCapacity or Remove-CtxFarmCapacity scripts.

Before you can add capacity for a tenant, the tenant must be registered and the Active Directory and farm objects must be created. The Add-CtxFarmCapacity script uses a list of servers and the tenant's AD information as parameters and installs and configures XenApp on these servers. After the servers are configured and joined to the farm, they are moved into the tenant's Computer OU so that they are automatically included in the tenant's worker group that was created during registration. The servers may not be listed immediately in the worker group and Active Directory synchronization must occur before the servers are recognized as being part of the OU.

When adding capacity, you can optionally enable the Enhanced Desktop Experience feature. This feature enables the servers to provide the Windows 7 look and feel in user sessions.

If you need to reduce the number of servers allocated for a tenant, you can run the Remove-CtxFarmCapacity script with a list of the XenApp servers to remove. To reduce the capacity, the script removes the servers from the farm while leaving XenApp installed and moves the servers back to the Computers folder in Active Directory. After removing the server from the tenant's farm, the server can be reallocated to other tenants. However, if the server previously had the Enhanced Desktop Experience feature enabled, the feature is not disabled or removed when the server is added back to a farm.

Note: Before removing a tenant, be sure to remove all capacity that has been allocated.


Managing Desktops
To manage and configure restrictions within published desktops, use the NewCtxManagedDesktopGPO script. This creates three user GPOs (CtxStartMenuTaskbarUser, CtxPersonalizableUser, CtxRestrictedUser) and one computer GPO (CtxRestrictedComputer). After these GPOs are created in Active Directory, link the user GPOs to the desired user accounts and the computer GPO to the XenApp servers. Be aware that simply applying these policies is not enough to deliver a secure, locked-down desktop. You still need to follow your organization's security best practices for ensuring the servers and the desktops they deliver are protected. View the detailed settings that are configured in each of the GPOs using the Group Policy Management Console.

Enabling Windows 7 Look and Feel for Users


Apply the CtxStartMenuTaskbarUser GPO to the tenant's user accounts to enable the Windows 7 look and feel on the published desktop. The GPO includes a PowerShell script that is executed on the user's first login to the server. For the script to execute correctly, the PowerShell execution policy on the server must be set to AllSigned (see Requirements for XenApp Servers) and the Enhanced Desktop Experience feature must be installed and configured on the XenApp server. The CtxStartMenuTaskbarUser GPO changes the pinned shortcuts on the Taskbar and sets up the user's Start menu to match a Windows 7 environment.

Restricting Access to Allocated Servers


Apply the CtxRestrictedComputer GPO to configure certain restrictions on the XenApp servers allocated for the tenant. This GPO restricts users from accessing Windows Update or removable server drives.

Apply the CtxPersonalizableUser GPO to configure the user account that is accessing the XenApp server. This GPO configures Windows policies to limit the available Control Panel applets and restrict users from installing programs, viewing properties, scheduling tasks, or shutting down the server. The CtxPersonalizableUser GPO requires the Enhanced Desktop Experience feature to be configured correctly so that it can set the user's theme to the NewBasic theme file that was created during the server configuration.

The CtxRestrictedUser GPO includes most of the policies from the CtxPersonalizableUser GPO and also restricts the user from personalizing their desktop by configuring the Desktop wallpaper policy and by not allowing users to modify settings for the Start menu and Taskbar.

When configuring the user session, apply either the CtxPersonalizableUser or CtxRestrictedUser GPO to the user account. Some Microsoft hotfixes may be required to get all policies to work correctly. For more information, see the help included with the New-CtxManagedGPO script.

To see a complete list of the settings, view the GPO in the Group Policy Management Console.


Usage Reporting
A set of EdgeSight reports is available for easier tracking of users in a cloud environment. For more information on accessing and using these reports, refer to the article Citrix Service Providers Guide to Using Citrix EdgeSight. This resource is included in the Citrix Service Provider Toolkit, available from the Citrix Web site.


Helpful hints
Use the following tips for managing or troubleshooting your XenApp farm:
- Do not edit the setup and configuration scripts directly. Instead, copy the scripts to a separate directory and make your changes.
- The farm setup and capacity management scripts assume the servers are joined to the same domain and are accessible through PowerShell remoting. The scripts do not provision any machines automatically.
- The farm configuration scripts restart the servers to join the farm. Do not use any VMs that will lose changes when restarting occurs.
- Enabling the Enhanced Desktop Experience feature may degrade the performance and lower the user density on the server.
- If the user has an existing profile, some of the GPO settings may not apply correctly.
- To install the Enhanced Desktop Experience setup scripts only, run the CitrixAppDeliverySetupTools.exe file with the ADDLOCAL=EnhancedDesktopSetup parameter.
- To install the Infrastructure Setup scripts only, run the CitrixAppDeliverySetupTools.exe file with the ADDLOCAL=InfrastructureSetup parameter.

