How to Deliver a Cloud Desktop Using XenApp 6 WHITE PAPER

WHITE PAPER
How to Deliver a Cloud Desktop Using
XenApp 6
www.citrix.com
Contents
Summary.................................................................................................................................... 3
Step 1: Register a new tenant with Active Directory....................................................... 3
Step 2: Enable the Windows 7 desktop experience on worker machines .................. 3
Step 3: Create a Worker Group of worker machines ..................................................... 6
Step 4: Publish the desktop ................................................................................................ 6
Step 5: Configure the XenApp policies ............................................................................. 7
Some things to keep in mind .............................................................................................. 8
2
Summary
As you may already know, hosted shared desktops are part of the Citrix FlexCast™
delivery technology and are ideally suited for subscribers who need a set bundle of
applications. Both Citrix and Microsoft have defined SPLA programs that enable a Citrix
Service Provider (CSP) to deliver hosted shared desktops from a cloud. Here are the
first steps to make it happen in YOUR datacenter.
This paper lists the five steps needed to deliver a hosted shared desktop from a cloud.
The steps below assume that you, as a CSP administrator have the following
environment:
Access to Active Directory with permissions to join a server to a domain, create
OUs, create user and group accounts.
A XenApp 6 deployment created by configuring the necessary server roles like
License Server, Data-collector, XML-broker and Web Interface.
You have one or more XenApp 6 servers that you plan to use to host the desktop
sessions. These machines are referred to as worker machines. Alternatively, you
can have an image of a XenApp 6 server that you can use to create virtual worker
machines.
To find documentation on how to set up such an environment, check out the Citrix
eDocs.
Step 1: Register a new tenant with Active Directory
For every tenant, Citrix recommends creating the following objects in Active Directory
(in addition to the user objects that represent the tenant's users):
An organizational unit (OU) that contains the user accounts representing the tenant's
users.
A global group account whose members are the tenant's users.
An organizational unit (OU) that contains the worker machines reserved for the
tenant.
The purpose of these objects becomes clear in the next few steps.
Step 2: Enable the Windows 7 desktop experience on worker machines
The default desktop delivered by a XenApp 6 server (or Windows 2008 R2 server) is a
desktop intended primarily for an administrator to manage a server. As such, it looks a
bit bland, has no support for themes and a number of accessory applications like the
Windows Media Player, Snipping tool, Sound recorder, and so on are not available. See
the picture below:
3
To enable a Windows 7-like experience, Microsoft documentation states that you need
to add the Desktop Experience feature to the worker machine (or image). This can be
done easily using Server Manager or you can add the lines below to your worker
machine preparation script.
import-module ServerManager
Add-WindowsFeature Desktop-Experience
The Windows Desktop experience feature adds support for themes and it also installs
the accessory applications mentioned above. Once this feature is installed and you
reboot the server, you need to start the Themes service (and ensure that its startup type
is configured as Automatic). To do this, you can copy the lines below to a
script/workflow step that gets invoked after the machine is rebooted during the worker
machine (or image) preparation process.
Set-Service -Name Themes -StartupType Automatic
Start-Service Themes
If you were working on an image, you can now create virtual worker machines from this
image. Citrix recommends placing all the worker machines that are reserved for a
specific tenant in an Active Directory OU created for that tenant (in step 1).
You should also create a GPO that sets a specific theme and wallpaper for all users
(assuming for now that all of the tenant's users get the same theme and wallpaper and
are not allowed to change this). The PowerShell code for this is shown below. This code
4
creates a domain GPO that sets the theme to the Windows 7 Basic theme and allows
you to specify a path to a wallpaper file that is present on the local server.
import-module grouppolicy
#Create a new domain GPO
$gpo = new-gpo -name <Name of the GPO>
#Set the policy for Themes
$gpo | Set-GPRegistryValue -Key
"HKCU\Software\Policies\Microsoft\Windows\Personalization"
-Type String -ValueName ThemeFile -Value "%windir%\resources\Ease of Access
Themes\basic.theme"
#Set the policy for wallpaper
$gpo | Set-GPRegistryValue -Key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
-Type String -ValueName WallPaper -Value <path to a local wallpaper file>
Once the GPO is created, you can link it with the OU (created in step 1) that contains
the tenant's users.
Now, when a user logs in to a hosted desktop, the desktop looks like the picture below.
See the difference?
Note: In my testing, I noticed that the wallpaper policy was not taking effect. Luckily,
Microsoft has already released a hotfix for this issue - KB 977944, which you need to
install on the worker machine.
5
Step 3: Create a Worker Group of worker machines
XenApp 6 has a feature called Worker Groups, where a worker group is basically a
collection of XenApp servers with which you can associate objects like published
applications, policies, and so on. You can define a worker group using the Active
Directory OU which contains the worker machines reserved for a specific tenant
(created in step 1). To create the worker group, use the Delivery Services Console or
use the XenApp cmdlet shown below, while registering a tenant.
New-XAWorkerGroup -WorkerGroupName Tenant1WG -Description "WorkerGroup for
Tenant1"
-OUs "OU=Tenant1OU, DC=<domain>, DC=<domain suffix>"
Step 4: Publish the desktop
Publish the desktop to the tenant's end-users. To do this, you can either use the
Delivery Services Console or you can use the New-XAApplication cmdlet as shown
below (yes - in XenApp-speak even a desktop is a type of a published application).
While publishing the desktop, assign it to the global group account (created in step 1)
that represents the users of a tenant and host it on the worker group (created above in
the step 3).
New-XAApplication -DisplayName "MyDesktop" -ApplicationType ServerDesktop
-Accounts <domain\group account> -WorkerGroupNames "Tenant1WG"
6
Step 5: Configure the XenApp policies
The default XenApp policies are configured to deliver the best experience to an enduser without sacrificing performance or user-density on a server. However, there are a
few user policies that you might want to consider tweaking - the table below shows a
couple. For a full list of policies, see the Policies node in the Delivery Services Console.
Policy
Default
value
Recommended
value
Reason
UseLocalTimeOfClient
Use
Server
Time
Use Client Time
If you want the time of the client device
to be used within the session.
AllowDirectConnectToPrintServer
True
False
To prevent the XenApp server in a
CSP's datacenter from attempting to
directly connect to a print server that
might be in the tenant's office
You can configure these policies using an Active Directory GPO using GPEdit.exe or
the script below. (For an excellent overview of XenApp policies and how to configure
these using a script, see these blogs from Tom Kludy: XenApp 6: Group Policy
Overview and XenApp 6: Group Policy Provider..)
import-module grouppolicy
# Map a PowerShell drive to an existing GPO
New-PSDrive -Name GPODrive -PSProvider CitrixGroupPolicy -Root \
-DomainGpo
<name of domain GPO>
#Navigate to the "User" part of the policy
cd GPODrive:
cd user\
#Create a new policy here
new-item MyHDXPolicy
#Filter this policy by a group account (that contains the tenant's users).
cd MyHDXPolicy
cd .\Filters
cd .\User
new-item Tenant1Users <name of group account>
#Configure the settings shown in the table above.
cd GPODrive:\User\MyHDXPolicy\Settings\ICA\Printing\ClientPrinters\
Set-ItemProperty DirectConnectionsToPrintServers -Name State -Value Prohibited
cd GPODrive:\User\MyHDXPolicy\Settings\ICA\TimeZoneControl
Set-ItemProperty SessionTimeZone -Name Value -Value UseClientTimeZone
7
Once the GPO has been configured, you can assign it to the OU containing the tenant's
users.
When an end-user logs in using Web Interface, they see a desktop icon and by clicking
on it, they should get a hosted shared desktop delivered from a cloud that looks and
feels like a Windows 7 desktop.
Some things to keep in mind
1. Citrix recommends reserving a collection of machines for each tenant - this avoids
any security issues that might arise when end-users from multiple tenants are using
desktops hosted on the same server. You can achieve this by following the steps
described above to create a distinct OU and a worker group per tenant. The
published desktop object can be shared across tenants as long as you configure a
Load Balancing policy for Worker Group Preference that routes users from a specific
tenant to a specific worker group. You can create this using the Delivery Services
Console (under the Load Balancing Policies node) or by adding the following lines to
your tenant registration script/workflow.
#Create a new load balancing policy
New-XALoadBalancingPolicy -PolicyName "Tenant1LBPolicy"
-Description "Worker group preference policy for Tenant1 users"
#Enable Worker group preference and specify the preferred worker group.
Set-XALoadBalancingPolicyConfiguration -PolicyName "Tenant1LBPolicy"
-WorkerGroupPreferenceAndFailoverState Enabled -WorkerGroupPreferences
"1=Tenant1WG"
# Specify the user accounts to which this policy applies.
Set-XALoadBalancingPolicyFilter -PolicyName "Tenant1LBPolicy"
-AllowedAccounts <name of group account>
Note: If a tenant has high security requirements, you might want to deploy a separate
XenApp farm dedicated for that tenant.
2. With this model:
a. If you need to increase capacity for a specific tenant, all you need to do is
provision more worker machines and add them to the OU for that tenant. These
new machines automatically become part of the worker group and become
available for hosting desktops.
b. If you need to deliver a desktop to new users from an existing tenant, just create
the new user accounts and add them to the global group created in step 1. Note:
You might need to provision additional capacity for these new users as described
in the bullet above.
8