Over the years, Citrix Virtual Apps and Desktops environments have become more sophisticated. New features and functionalities have been added to the Citrix stack, many new technologies are supported now, and there are new deployment options such as Citrix Cloud.
We at eG Innovations are bringing together 3 distinguished Citrix CTPs – George Spiers, David Wilkinson and Dennis Span – to talk about some of the most common questions heard in the field regarding Citrix Virtual Apps and Desktops implementation and management. Learn about:
• How to configure Profile Management policies
• How to support Office 365 users in Cached Exchange Mode
• Optimization tips for Windows 10 and Windows Server 2016
• Tips for using App Layering, WEM, Office 365, Google Chrome, and more
Engage Audience
“How many people are using Office365 or on the journey?”
Well, I also began this journey 3 years ago now and have been through many products, when back then there was very little choice/options available.
So I’ll now cover tips & best practices from the field when deploying Office365
Speaking: DW
First, to give some context to the tips/best practices, what are the challenges of deploying Office 365 in a Citrix deployment? Particularly in a non-persistent/pooled environment.
1. Outlook Cache OST location - traditionally Outlook was in Online mode in Citrix environments when Exchange was nearby. Now the recommendation is Cached mode, which means we need to place the OST file in close proximity to the workload.
We all remember the days when PSTs caused havoc on Citrix environments! Right!
2. OneDrive for Business - OneDrive allows you to store up to 1TB of data as part of the subscription. How do you access this data, and where does it get stored?
3. Outlook Search - searching your mailbox is a key part of the expected user experience. How do we address this in a non-persistent/pooled image when the search database is machine based?
Well, in the next few slides I’ll discuss how to overcome these challenges!
Bullet 1:
Thankfully the past 18 months have really opened up the products available to address these challenges.
Choose the right product; each product will cover different elements of Office365. Not everyone will use the full range of products within Office365, so choose wisely.
App Layering Office365 User Layer : Will cover Outlook OST Cache, No OneDrive, No Outlook Search Index
App Layering User Layers: Will cover Outlook OST Cache, Windows Search Index, OneDrive for Business
User Profile Management: Will cover Outlook OST, Outlook Search Index but not OneDrive for Business.
Citrix Profile Management 1811 solves some bugs originally found in version 7.18
“The right solution is the solution that meets your business needs and delivers an excellent End User Experience”
Understand the limitations of each product (i.e. no concurrent logons, only supports the 32-bit version of Outlook).
Speaking: DW
Bullet 1: Limit OST Size
Allowing all of your mailbox to be fully downloaded to the cache would be very expensive for your local storage requirement.
Exchange Online mailboxes have a minimum 50GB size limit depending on license type, unlike the good old days of local IT limiting users to 1GB/5GB.
Reducing the time period you sync mail will help you identify the local cache storage requirements.
Speaking: DW
Bullet 1: Consider staging your initial cache creation when rolling out your solution, as a high number of users will create a large amount of IOPS.
Outlook Cache access to VHD(X) based solutions requires on average 5 write IOPS / 8 read IOPS per user.
Remember this is only an average, and performance testing should be performed at the storage level to fully understand the impact.
Bullet 2: Permissions, this is key. Ensure your VHD(X) directory has sufficient permissions, as it may be over and above normal profile permissions.
Bullet 3: Citrix/Microsoft recommends using Cached Exchange Mode with Office365 to deliver the most optimal user experience.
Speaking: DW
Bullet 1: Why do you need Outlook Search!
As mentioned in an earlier slide the end user experience reigns supreme. Any slight adjustment
Bullet 2: Make sure your search service is in the right state for indexing to work,
Windows 2012 R2 – Ensure that you install the “Windows Search” feature and make sure the service is enabled
Windows Server 2016/2019 – Ensure you Enable the “Windows Search” service as by default
Windows 8 & Windows 10 – This service is enabled & running by default so no need to adjust any of the
Images:
As you can see in the before result, Outlook is currently indexing your inbox items. The after reflects a newly logged in session without Outlook launched, where the search index roamed with the user and no indexing is required!
Speaking: DW
Bullet 1: Enabling the “Files on demand” setting with OneDrive allows only files being accessed to be downloaded upon request, allowing most frequent files to be on local cache and un-accessed/un-used .
This will help reduce the size of the VHDs & ultimately the size of the on-premises storage required.
Bullet 2: Don’t forget with Citrix Files (aka ShareFile) there is a personal cloud connector which allows you to access
Bullet 3:
Speaking: DW
Speaking: GS
Bullet 1: The more you redirect, the less your profile size will be.
More files = longer logon times
Less files = less storage used. Less activity on file servers.
Bullet 2: If you operate across multiple locations, having the file server and profiles closer to user location will improve the experience.
Route users to home datacenter using technologies such as Zones/GSLB. They connect to a desktop in their home datacenter.
Use Active Directory attributes to map user to their home profile server. ##ADAttribute## (\\LondonFS.domain.com)
Speaking: GS
Bullet 1: Consider VHD(x) profile solutions to capture the full profile. Microsoft User Profile Disks initially kicked off the trend for profile disks, but through the years other vendors have excelled in this field. Windows Virtual Desktop (WVD) now uses a profile container based on FSLogix to deliver a first class experience for Office365
Bullet 2: Ensure the file servers are closely monitored and ensure that the system resources are not causing a bottleneck (i.e. disk IOPS, network etc.) thus impacting on the users’ logon time. User patterns should be identified (i.e. 9AM start for all call centre staff) and accommodated in your infrastructure. I have experienced this
Bullet 3: If experiencing slow logons, try adding UserProfileManager.exe to your Anti-Virus process trusted list. You can also try things such as turning off the Windows Search service and disabling other sophisticated virus checking features, and virus checks on
Speaking: GS
Bullet 1: Understand the kind of start menu you want. Do you want your users to be able to adjust/edit and have a personalized menu, or do you want to toe the corporate line and everyone gets the same, or have a hybrid approach!
Bullet 2: Ensure your profile changes are captured; this depends on the operating system.
Windows Server 2016 - Ensure you add the following folder in CPM
Windows 10 1803 onwards the start menu has slightly changed and an up-to-date version of CPM will automatically capture these settings, but for other profile management solutions out there here are the folders:
Speaking: GS
Rather than cache a large file to the VDA, we can just have CPM create a symbolic link to it.
This is pretty much like redirected folders at a file level.
Support for one active session at a time.
Not everyone uses streaming. Streaming if used may cause bad performance/delays when fetching a large file.
Speaking: GS
Example: Skype for Business administrator enables client-side logging for multiple users or the entire organization. Log files begin to fill up in each user’s profile, causing logon slowness. Citrix administrator needs to remove them.
Citrix administrator previously would need to depend on PoSH scripts and such to remove these files from the profile store.
Add AppData\Local\Microsoft\Office\Lync\Logs to the “Exclusion list – directories” policy and set the Logon Exclusion Check policy appropriately.
You can exclude files also using the “Exclusion list – files” policy setting.
CPM 5.7 originally allowed you to exclude file/folder from synchronization. CPM 5.8 allows you to do the same or delete files/folders from store.
Speaking: GS
Engage Audience & Ask “How many of you optimise your images”?
DW/GS – So Dennis, what are the different phases of Image Preparation?
Speaking: DW
One thing that all our environments have in common is that we all have workers and we need an image for this
Let’s take a quick look at the various components that make up an image and where optimization fits in
Optimization and sealing are two different things
Speaking: DW
Better performing desktops
Lower logon times
Less RAM, CPU consumption, IOPs consumption and so on
Better user density (users per server)
Example of before and after image optimization.
The numbers can be lower, by reducing Group Policy complexity, implementing technologies such as WEM and Profile Management, increasing desktop hardware specifications etc.
Speaking: GS
We want our desktops to be better performing. Fine tuning them is what it takes.
We disable unneeded services and scheduled tasks, remove UWP apps and then make registry edits to fine tune the image.
Miscellaneous optimizations:
Disable all 32 and 64-bit Active Setup items to prevent them from running at first user logon. The main reason here is not to speed up user logon times (since Active Setup only runs one time, when a new profile is created for the user), but rather that Active Setup only runs in desktop sessions and not when a user starts a published application. This may lead to inconsistencies between user profiles. Another reason to disable Active Setup is to prevent untested or unwanted configurations from occurring. As an administrator you want a high level of control over user configurations.
Run NGEN.exe (twice, for both 32 and 64-bit): this optimization pre-compiles .NET assemblies using NGEN.exe instead of using just-in-time compilation. This is relatively slow; it takes about 2 minutes on a clean Windows Server 2016 server.
Disable System Recovery, as recommended by Citrix in the Windows 10 Optimization Guide (https://support.citrix.com/article/CTX216252). This optimization uses PowerShell to run the command "bcdedit.exe /set recoveryenabled no".
Turn off Data Execution Prevention (DEP), as recommended by Citrix in the Windows 10 Optimization Guide (https://support.citrix.com/article/CTX216252). This optimization uses PowerShell to run the command "bcdedit.exe /set recoveryenabled no".
Speaking: GS
A lot of the optimization tools and scripts overlap and perform the same optimizations. Some are more aggressive than others.
Make sure to test these in your own test environment before releasing to production, and have a small subset of users use optimized desktops before releasing to everyone.
When using the Citrix Optimizer, there is no need to use the PVS Target Device Optimization Tool on your Target Devices.
Speaking: GS
Speaking: DS
Speaking: DS
Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services: Asynchronous processing speeds up logon times.
Always wait for the network at computer startup and logon: Speeds up logon times. The only thing to consider is that Folder Redirection, in case this is used, may require two logons. This is only the case when the Folder Redirection Group Policy Extension is used. If you use registry values this is not the case. To disable “always wait for the network…” the policy “Allow asynchronous user Group Policy processing…” must be enabled
Read up on asynchronous and synchronous group policy processing, background refresh, etc.
Speaking: DS
In case logon scripts are used in your environment make sure to run them asynchronously if possible. Asynchronous means that the logon script does not delay the start of the desktop (the main explorer.exe processes). Otherwise the desktop is only shown to the user after all logon scripts have finished.
Speaking: DS
Always optimize your scripts as much as possible, especially if they run at user logon. Any action within a logon script should only run when absolutely necessary. No action should unnecessarily delay the user logon. Avoid LDAP queries since these delay user logon.
Make drive and printer mapping persistent if possible. Here too, drive and printer mapping should not unnecessarily delay the user logon. Make sure that the drive that is being mapped actually exists and that the backend storage performs optimally. Otherwise there will be a delay.
Anti-virus exclusions: make sure to check the list of anti-virus exclusions as well as anti-virus configurations on TechZone
Optimize your profile solution (e.g. enable profile streaming in UPM). Do not activate “active write back”.
Speaking: DS
An image must be sealed so it can be used as a generic image for multiple machines
Speaking: DS
Various examples of sealing
BIS-F performs all of the important sealing tasks. BIS-F can be configured using a custom Group Policy template (ADMX). Other advantages of BIS-F are:
Format Write-Cache disk (one-time)
Perform an anti-virus full scan
Offline defragmentation (especially important for PVS because it results in significant write-cache savings). Also, defragmenting is not supported on versioned vDisks.
Speaking: DS
Speaking: GS
Point 1: A common misconception I hear is that when upgrading the ELM you also have to upgrade the Machine OS Tools in the OS Layer. You don’t. Only upgrade if you need to make use of new scripts that ship with the newer OS Tools version. The newer App Layering drivers are injected into an image at the time of publishing.
Point 2: Export/Import can be a way to replicate your primary appliance with another
Point 3: There is a current bug where if you have caching enabled on a Connector that you use for Layer creation, running ngen /update fills the Packaging Machine’s write disk space. All space is consumed. Turn off caching as a workaround. Citrix are aware of this bug.
Point 4: You may want to edit NTUSER.DAT directly in a Layer so that certain registry keys are present for every user logging on to the layer. These could be registry keys specific to the Application layer you are creating for example. Keep in mind that if you edit NTUSER.DAT on multiple layers, the changes do NOT merge. They overwrite. I suggest using WEM or GP Preferences to continue modifying the user registry hive.
Point 5: The OS layer is the only layer that can write to the SAM (Security Account Manager) database.
Speaking: GS
Point 1: Entering the FQDN will allow the ELM to use any Domain Controller under your domain. I’ve come across deployments that only point at one DC, or customers have configured load balancing for this purpose.
Point 2: Snapshots are how Citrix will recommend you roll back to a previous version if the upgrade fails.
Point 3: A common misconception I hear is that when upgrading the ELM you also have to upgrade the Machine OS Tools in the OS Layer. You don’t. Only upgrade if you need to make use of new scripts that ship with the newer OS Tools version. The newer App Layering drivers are injected into an image at the time of publishing.
Speaking: GS
Intro: Elastic Layers allow you to hot-add applications to particular user sessions during user log on.
Elastic Layers are packaged applications that store themselves in a VHD file. As a user logs on, the VHD is mounted to the user’s desktop and the application is presented.
Point 1: SMB3 is available in Server 2012 R2 and above.
Point 2: DFS can be used for a highly available file share.
Point 3: Beginning with App Layering 4.14, Elastic Layers load after logon. This change is aimed at reducing logon times. Note that not all applications will work with this change, so Compatibility Mode can be enabled to return to the previous behavior of loading an Elastic Layer during logon. If you are using the classic method, Elastic Layers will add to your logon times.
Point 6: Mention that you could use an Application layer across different OS layers.
Speaking: GS
Speaking: DS
Yes! Google Chrome is indeed supported on Citrix XenApp, XenDesktop and CVAD. This was not always clear in the past, but Google Chrome has been added as a Citrix Ready product.
Speaking: DW
When publishing Chrome through Citrix Virtual Apps & Desktops, the command line parameters --allow-no-sandbox-job --disable-gpu-sandbox are no longer required (since version 58 of Chrome; the current version of Chrome is 74).
The path to the Chrome.exe is the same for both the 32-bit and 64-bit installer.
Speaking: DW
Have you ever got this message when launching a published Chrome session?
Two Chrome processes should be excluded from the Citrix API hooks (https://support.citrix.com/article/CTX226044)
This only applies when installing the 32-bit version of Chrome on a 64-bit operating system. The process NACL64.exe starts an instance of the Native Client (in 64-bit mode). The Native Client is a sandbox for running compiled C and C++ code in a secure and efficient manner within the web browser. When the 64-bit version of Chrome is installed on a 64-bit version of Windows, there is no need to start this process.
Speaking: DW
Story: In my environment we had unexpected server crashes/blue screens; debug files narrowed the cause to the Chrome software reporting tool causing issues.
Here is how you resolve that happening in your environment.
The Chrome bundle for Windows includes the ADMX templates. Copy these ADMX files to your Group Policy central repository.
Speaking: DS
Two important facts:
Chrome extensions can be installed using Group Policy
Chrome extensions are installed per-user
Point 1: the Chrome bundle for Windows includes the ADMX templates. Add the ADMX files to the Group Policy central repository.
Point 2: copy these ADMX files to your Group Policy central repository
Point 3: determine the extension ID and the update URL
Speaking: DS
The easiest way to retrieve the extension ID and update URL is to manually download and install the extension on a test machine. The extension ID can be found on the extensions tab. Also, the name of the extension’s folder in the user profile is the same as the extension ID. This folder contains a file called ‘manifest.json’ which contains the extension’s update URL.
Speaking: DS
Speaking: DS
Google Chrome comes with its own Task Manager. The task manager shows the memory and CPU usage of each individual process, tab and extension.
Speaking: DS
Point 1: many applications nowadays include native support for GPUs. Chrome does as well.
Point 2: CPU and Memory management features can help with high resource consumption, at least in the rebalancing of resources between users.
Point 3: use an extension that suspends inactive tabs
Chrome also includes a tab suspending feature called Tab Discarding. This feature was introduced in September 2015, but has been experimental ever since.
Speaking: DS
Point 1: BCR can also be used in XD 7.15 LTSR! A Chrome extension is required on the side of the VDA (not the local client). Also in this case the extension can be installed using a Group Policy as explained in the previous slides.
Speaking: DS
Engage Audience
“Who is implementing WEM?”
“Who is thinking about implementing WEM in the next 6 months?”
We are now going to go through a number of reasons you need to implement WEM in your environment!
Speaking: GS
One of the main purposes of WEM is to reduce the time it takes to process a user logon.
Traditionally in a non-persistent environment Group Policy settings are applied over and over again during logon. With WEM, the majority of settings can be applied after the user logs on. This presents the user with a positive perception that logons are quicker, as WEM then builds the user’s environment.
Speaking: GS
CPU Management:
Enable CPU Spike protection to ensure that one process does not overconsume and affect the performance of end users. It lowers the priority of a process that exceeds the specified values of Usage limit. It does not actually prevent CPU from reaching 100% but certainly helps to provide a smooth experience for the end users.
Speaking: GS
Working Set Optimization:
Idle applications tend not to give RAM back.
WEM can take excess RAM back in a non-intrusive way from applications that have not been used for a certain period of time, allowing that RAM to be used elsewhere for other active users and processes on the system. WEM calculates the amount of RAM used by a process, and the least amount of RAM required.
If a process falls below the “Idle State Limit (percent)” value for the amount of time defined under “Idle Sample Time (min)”, WSO kicks in and does its thing.
In this example I have been using Internet Explorer with a couple of tabs open, and left it idle. Even when left idle, 345MB of RAM is consumed. On the right you can see how WEM has recovered the excess RAM, almost 50%! This results in better performing sessions for other active users and offers better user density per server. We are making better use of the resource we have.
You can exclude specific processes from Working Set Optimization.
Citrix don’t advise setting “Idle State Limit (percent)” to any value higher than 5%. Doing so will cause WEM to be too aggressive on processes that may be active.
Speaking: GS