Accelerating XenDesktop 7 for Road Users

This article contains information about accelerating XenDesktop 7 for Road Users.

Note: The purpose of this article is to describe how to configure the various parts of an integrated solution that supports this acceleration and includes a case study for XenDesktop 7, CloudBridge Plugin, and NetScaler Gateway.

Introduction

Road Users, and Home Workers, are those users who work away from their company’s offices, and typically use a laptop or PC from a remote location in order to access resources in their company’s datacenter. In many cases, these users use a hotel or domestic ADSL link to connect to the Internet, and will be connecting through a NetScaler Gateway (Access Gateway) and StoreFront server in order to access a XenDesktop farm.

These Road Users can accelerate network traffic to and from their company’s datacenter by installing the CloudBridge Plugin on their laptop or PC.

The following diagram identifies the components that form part of this solution, and a network diagram in Appendix 1 gives further details.

NetScaler Gateway Settings

Initial Configuration

The NetScaler Gateway is hosted on a NetScaler Appliance or VPX, version 10 or greater, and this article assumes that a basic NetScaler Gateway has been established as described in http://support.citrix.com/proddocs/topic/access-gateway-10/agee-install-simplified-config-tsk.html

Once the NetScaler Appliance or VPX has been established, the NetScaler Gateway configuration can be created from the NetScaler GUI by using NetScaler Gateway > Getting started > NetScaler Gateway wizard.

Note: This case study used the slightly out of date CTX132787 – XenDesktop 5.6 with Receiver StoreFront and Access Gateway as a basis for setting up the NetScaler Gateway.

Having established the NetScaler Gateway, the following Policies and Profiles must be created or modified, and bound to the NetScaler Gateway Virtual Server. Settings in the Virtual Server must also be modified.

NetScaler Gateway Virtual Server > Intranet IPs

Currently Web Receiver in Full VPN mode does not support Single Sign On (SSO). However, where StoreFront sees a client connecting through NetScaler Gateway, it will generally attempt to use passed-through credentials and might fail. By defining Intranet IPs in the NetScaler Gateway Virtual Server, the StoreFront server can be persuaded that the connection did not come through Netscaler Gateway, and will display a login screen rather than attempt SSO.

The use of Intranet IPs might mean that corporate firewall rules must be modified. Each client that connects through Full VPN will appear to have one of the Intranet IPs, so firewall rules must be extended to allow access from these apparent client addresses.

A side effect of using Intranet IPs is that for WebReceiver, the Netscaler Gateway will be unable to pass SmartAccess tags through to StoreFront or XenApp or XenDesktop.

A Clientless VPN policy and profile have been included to allow users to download account information to Receiver on a Client System outside of the corporate LAN (First Time Use).

Appendix 2 describes the settings that were used in this case study.

CloudBridge Appliance Settings

Description

The CloudBridge Appliance or VPX is placed on the network so that all traffic must pass through it in order to get from the Internet to the server LAN (LAN 1) and vice-versa. CloudBridge documentation refers to this as Inline mode.

In this case study:

  • The WAN link of the CloudBridge Appliance is connected to the same network segment as the Firewall Router
  • The LAN link is connected to a network switch that connects to the rest of the server LAN (LAN 1).

The initial setup of the CloudBridge appliance is most easily done by using the Wizard that is shown the first time that the CloudBridge GUI/Console is entered.

Appendix 3 describes the settings that were used in this case study.

StoreFront

Introduction

Where StoreFront detects that a user has connected through a NetScaler Gateway, it will always arrange for XenApp/XenDesktop sessions to be established using a Secure Ticket Authority (STA) address, rather than the direct IP address. This is also true even where the user has established a Full VPN connection to the server LAN. This default behaviour prevents CloudBridge acceleration, and it is therefore necessary to modify StoreFront using the following PowerShell commands.

The following commands inform StoreFront that, for a given Store, it should always arrange for direct IP addresses to be used instead of STA addresses.

Force Direct IP Addressing

  • From a StoreFront Console, identify the name of the Store that you wish to modify.
  • Close all StoreFront Consoles before running the following PowerShell script as Administrator.
  • Run the following three commands from a PowerShell prompt.
    Note that the 2nd command begins dot space (it dot-sources the script so that the StoreFront modules are loaded into the current session).

    Set-ExecutionPolicy RemoteSigned
    . 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'
    Set-DSFarmsWithNullOptimalGateway -SiteId 1 -ResourcesVirtualPath /Citrix/Store -AllFarms

Where:

  • SiteId: The IIS Site Id, typically 1 unless IIS has been explicitly reconfigured by the administrator.
  • ResourcesVirtualPath: The virtual path of the store to be modified. The preceding example modifies a store with the default name “Store”.

  • Exit from the PowerShell console before restarting any StoreFront Consoles.

Require Full VPN for Connections

StoreFront must know what sort of connection is required between the Client PC and the NetScaler Gateway. It must know this so that it can tell Receiver how to connect.

In this case, a full VPN is required, and this is configured in the StoreFront Console in the following way:

Stores > Store > Enable Remote Access
Remote access = Full VPN tunnel
Access Gateway appliances = Check appropriate appliance

Manage Citrix Receiver Updates

Use Citrix Storefront > Stores > Store > Manage Citrix Receiver Updates to enable updating of the NetScaler Gateway VPN Plug-in.

In this case study, Citrix (citrix.com) was used to obtain Receiver updates. Alternatively, a Merchandising Server might be used, if available.

Client Systems

Introduction

In this case study, the Citrix Receiver and the CloudBridge Plugin were manually installed on a Windows 7 x64 client PC. These can be obtained from www.citrix.com, or from XenDesktop product media.

The NetScaler Gateway Plugin will be automatically downloaded and installed on the client PC when a user first connects to the NetScaler Gateway.

It is also possible to automatically deploy the CloudBridge Plugin, although this was not attempted during this case study.

Once installed, it is necessary to configure the CloudBridge Plugin by entering the Signalling IP address of the CloudBridge Appliance. This is achieved in the following way:

Load the CloudBridge Plugin from the Start Menu.
This should cause the Citrix Receiver icon to be visible in the Taskbar.

Right-Click on the Citrix Receiver icon on the Taskbar and select About.

Click on Advanced > CloudBridge Settings (or Accelerator Settings) > Manage Acceleration.

Enter the Signalling IP of the CloudBridge Appliance and click Apply.
Note: In this case study, the Signalling IP is 192.168.1.132.

Certificates

A CA certificate must be installed on the client PC. This CA certificate should match the issuing authority of the server certificate installed on the NetScaler Gateway. This CA certificate is required to establish the SSL VPN.

For this case study, there was no requirement to install any certificates into the CloudBridge Plugin.

Usage and Expected Behaviour – WebReceiver

Connecting

On the client PC, a user does the following:

  • If not already installed, install Receiver. When the installation completes, click Finish. Do not Add Account to use WebReceiver.
  • Browse to the company’s NetScaler Gateway. A logon screen will appear.
  • Authenticate with username and password.
  • If this is the first time that the client PC has connected to the NetScaler Gateway:
      • The user might be invited to download and install a NetScaler Plugin. This is required to run End Point Analysis checks if defined. Allow this.
      • The user will be invited to download and install a NetScaler Gateway Plug-in. This is required to establish the SSL VPN to the NetScaler Gateway. Allow this.
  • The user will see a message indicating that an SSL VPN is being established.
  • The StoreFront logon page is displayed.
  • The user authenticates with domain\username and password.
  • The StoreFront page is displayed.
  • The user starts Desktops and Apps in the normal way.
  • If not already installed, install the Acceleration Plug-in, and configure it as described earlier in this section.
  • Acceleration might subsequently be enabled by loading the CloudBridge Plugin from the Start Menu.

Disconnecting

Once the user has closed or disconnected from all Desktops and Apps, they should also close the SSL VPN.

1. On the client PC, right-click on the Citrix Receiver icon on the Taskbar, and click Exit.

2. The SSL VPN will close.

Usage and Expected Behaviour – Receiver

First Time Use from an internal LAN

While there are a number of First Time Use options for Receiver, the following was used in this case study:

1. Connect the client PC to the corporate internal LAN.

2. If not already installed, install Citrix Receiver.

3. Once the installation of Receiver is complete, Receiver will load and it will allow the user to Add Account.

4. The user clicks Add Account.

5. Enter the FQDN of the StoreFront server: storefront89.xen8.xenctx.com

6. Click Next.

7. A logon box appears.

8. The user authenticates with domain\username and password.

9. The user is asked whether they want to allow Citrix Receiver to make changes to the client PC.

10. Click Yes.

11. Because the StoreFront is configured to Manage Citrix Receiver Updates, including the Secure Access Plug-in, the Secure Access Plug-in is downloaded and installed.

12. A success message is displayed.

13. Click Finish.

14. The Citrix Receiver page is displayed.

15. If not already installed, install the Acceleration Plug-in, and configure it as described earlier in this section.
Note: Acceleration might be enabled by loading the CloudBridge Plugin from the Start Menu.

First Time Use from an external LAN

While there are a number of First Time Use options for Receiver, the following was used in this case study:

  • Connect the client PC to a LAN outside the corporate LAN, but with access to the Internet.
  • If not already installed, install Citrix Receiver.
  • Once the installation of Receiver is complete, Receiver will load and it will allow the user to Add Account.
  • The user clicks Add Account.
  • Enter the FQDN of the Netscaler Gateway: mygateway.mycompany.com
  • Click Next.
    A logon box appears.
  • The user authenticates with username and password.
  • The user is asked whether they want to allow Citrix Receiver to make changes to the client PC.
  • Click Yes.
    Because the StoreFront is configured to Manage Citrix Receiver Updates, including the Secure Access Plug-in, the Secure Access Plug-in is downloaded and installed. A success message is displayed.
  • The user clicks Finish
  • The Citrix Receiver page is displayed.
  • If not already installed, install the Acceleration Plug-in, and configure it as described earlier in this section.
    Note: Acceleration might be enabled by loading the CloudBridge Plugin from the Start Menu.

Connecting

  • From the client PC, start Receiver, or right-click on the Receiver icon on the Start Bar and select Logon.
    A message box pops up saying that Citrix Receiver is connecting, and a logon box appears.
  • The user authenticates with domain\username and password.
    A message indicating that Citrix Receiver has connected appears.
  • The Citrix Receiver page is displayed.
    Acceleration might be enabled by loading the CloudBridge Plugin from the Start Menu.
  • Start Desktops and Apps in the normal way.

Disconnecting

Once the user has closed or disconnected from all Desktops and Apps, they should also close the Citrix Receiver page, and the SSL VPN.

On the top of the Receiver Store page, click on the down arrow next to the username, and select Log Off.

The SSL VPN will close.

Note: The preceding approach shows the Acceleration Plug-in being loaded manually, when required. An advantage of this approach is that the user is not expected to remember to unload the Acceleration Plug-in when visiting a branch office where network traffic is already being accelerated by a CloudBridge appliance or VPX. The Acceleration Plug-in should not be used in this situation.

Confirming CloudBridge Acceleration

While the user is running a XenDesktop App or Desktop session, they can confirm acceleration in the following way:

  • On the client PC, right-click on the Citrix Receiver icon on the Taskbar and select About.
  • Click on Advanced > CloudBridge Settings (or Accelerator Settings) > Manage Acceleration.
    Note: The Bandwidth Gain bar and the Traffic Graph should confirm acceleration.

A network administrator can confirm acceleration by connecting to the CloudBridge Appliance Console and monitoring the Connections, Compression, and Multistream ICA pages.

Note: Because CloudBridge acceleration works by reducing the amount of duplicate data transmitted across the network, initial gains are likely to be modest. However, the bandwidth gain should improve with time and usage.

Session Reliability / Automatic Client Reconnection

Session Reliability

When CloudBridge technology is in use, Session Reliability is disabled, and Automatic Client Reconnection (ACR) handles all client reconnection.

Automatic Client Reconnection (ACR)

The Automatic Client Reconnect feature allows Citrix Receiver to detect broken network connections and automatically reconnect users to disconnected sessions. When Receiver detects an involuntary disconnection of a session, it attempts to reconnect the user to the session until there is a successful reconnection or the user cancels the reconnection attempts.

When a NetScaler Gateway is in use, the Automatic Client Reconnect feature will only work if a Full VPN connection has been established.
See Citrix product documentation XenDesktop 7 > Manage > Maintain session activity.

Expected Behavior

Where the network link from a client PC is disrupted, ACR attempts to reconnect the VPN once the network is restored. ACR attempts VPN reconnection indefinitely, or until the user cancels reconnection attempts.

Where the VPN is disrupted for a period of less than 180 seconds, the user should expect any XenDesktop desktops or applications to be available once the VPN is restored.

SmartAccess

Administrators can control access to XenDesktop applications, desktops, and features (such as client drive mapping) by using Smart Access information, passed down from the NetScaler Gateway to the XenDesktop policy engine.

See Citrix product documentation Access Gateway > Access Gateway 10 > Integrate > Providing Access to Published Applications and Virtual Desktops > Configuring SmartAccess on Access Gateway Enterprise Edition

As part of this case study and when using Receiver, XenDesktop policies based on SmartAccess information were seen to be working correctly. However, in order for the XenDesktop policy engine to see SmartAccess information the following action is required:

1. On a XenDesktop Delivery Controller, start Citrix Studio.

2. Navigate to Citrix Studio (farm name) > PowerShell.

3. Use the Launch PowerShell button to issue the following PowerShell command:

    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

Note: When using WebReceiver with Full VPN, the use of Intranet IPs in the NetScaler Gateway Virtual Server prevents the NetScaler Gateway from passing SmartAccess tags to StoreFront and XenDesktop or XenApp. For this reason, the use of Receiver is recommended when policy decisions based on SmartAccess tags are required.

Appendix 1 – Environment

Network Diagram

Hosts (partial)

192.168.1.87 XenApp87 # XenApp server
192.168.1.86 XtraDDC86 # XenDesktop controller
192.168.1.89 Storefront89 # Storefront 
192.168.1.1 Router # Default Gateway
192.168.1.131 BR131 # CloudBridge B – Mgmt
192.168.1.132 BR131 # CloudBridge B – Signal
192.168.1.150-250 DHCP # XenDesktop VDAs etc

Appendix 2 – Product Versions

At the time of documenting this article, the following products and versions were in use:

  • Access Gateway VPX – 10.0 71.6014e.nc (working); 10.1.116 (via upgrade)
  • Receiver – 3.4.0.29577
  • Access Gateway Plugin – 10.0 71.6014e.nc (working); 10.1.116 (via upgrade)
  • CloudBridge Plugin – 7.0.0 Build 148 (beta)
  • XenApp – 6.5 plus all HotFixes to April 2013
  • XenDesktop – 7.0.0 Build 81 (beta)
  • StoreFront – 2.0.0 Build 77 (beta)
  • CloudBridge VPX – 7.0.0 Build 148 (beta)

Appendix 3 – NetScaler Gateway – Configuration Details

In this case study, the following settings were used:

NetScaler Gateway Virtual Server > Intranet IPs

  IP Address      Netmask
  192.168.2.10    255.255.255.255
  192.168.2.11    255.255.255.255
  192.168.2.12    255.255.255.255
  192.168.2.13    255.255.255.255
  192.168.2.14    255.255.255.255

WebReceiver Policy (Session Policy)

Request Profile = WebReceiver_Profile

Expression = REQ.HTTP.HEADER Referer EXISTS && REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

WebReceiver_Profile (Session Profile)

Network Configuration

No config

Client Experience

Home Page= http://xenstore89.xen8.xenctx.com/Citrix/StoreWeb
Display Home Page = checked
URL for Web-Based Email = blank
Split Tunnel = ON (see Appendix on Split Tunnel / DNS)
Session Time-out = 30mins
Client Idle Time-out = blank
Clientless Access = off
Clientless Access URL Encoding = Clear
Clientless Access Persistent Cookie = DENY
Plug-in Type = Windows/Mac OS X
Single Sign-on to Web Applications = UNchecked
Credential Index = Primary (irrelevant)
Single Sign on with Windows = unchecked
Client Cleanup Prompt = checked
Advanced > Split DNS = Remote (see Appendix on Split Tunnel / DNS)

Security

Default Authorisation Action = Allow
Secure Browse = Checked

Published Applications

ICA Proxy = off
Web Interface Address = blank
Web Interface Portal Mode = NORMAL
Single Sign-on domain = Virtdom
Citrix Receiver Home page = blank
Account Service Address = blank

Receiver Full VPN Policy (Session Policy)

Request Profile = Receiver_Full_VPN_Profile
Expression = REQ.HTTP.HEADER Referer NOTEXISTS && REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Receiver_Full_VPN_Profile (Session Profile)

Network Configuration

No config

Client Experience

Home Page= blank
Display Home Page = unchecked 
URL for Web-Based Email = blank
Split Tunnel = ON (see Appendix on Split Tunnel / DNS)
Session Time-out = 30mins
Client Idle Time-out = blank
Clientless Access = Allow
Clientless Access URL Encoding = Clear
Clientless Access Persistent Cookie = ALLOW
Plug-in Type = Windows/Mac OS X
Single Sign-on to Web Applications = checked
Credential Index = Primary
Single Sign on with Windows = unchecked
Client Cleanup Prompt = checked
Advanced > Split DNS = Remote (see Appendix on Split Tunnel / DNS)

Security

Default Authorisation Action = Allow
Secure Browse = Checked

Published Applications

ICA Proxy = off
Web Interface Address = http://strorefont89.xen8.xenctx.com
Web Interface Portal Mode = NORMAL
Single Sign-on domain = xen8
Citrix Receiver Home page = blank
Account Service Address = http://strorefont89.xen8.xenctx.com/Citrix/Roaming/Accounts

Receiver Clientless VPN Policy (Session Policy)

Request Profile = Receiver_Full_VPN_Profile

Expression = REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
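
The three Session Policy expressions in this appendix decide which profile (and therefore which Split Tunnel, Clientless Access and SSO settings) a connecting client receives, so it is worth checking how they classify each client type before binding them. The following Python script is an added example, not NetScaler code: it evaluates the expressions exactly as listed above against constructed sample header sets. The supported grammar subset (REQ.HTTP.HEADER <name> EXISTS | NOTEXISTS | CONTAINS <value> | NOTCONTAINS <value>, joined by &&), the evaluation order (most specific first), the treatment of NOTCONTAINS on an absent header as true, and the sample headers themselves are all assumptions made for this simulation.

```python
import re
from typing import Dict, List, Optional

# The three Session Policy expressions exactly as Appendix 3 lists them.
# Evaluation order (most specific first) is an assumption for this simulation;
# on the appliance it is governed by the priorities the policies are bound with.
POLICIES: List[tuple] = [
    ("Receiver_Clientless_VPN",
     "REQ.HTTP.HEADER X-Citrix-Gateway EXISTS && REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"),
    ("WebReceiver",
     "REQ.HTTP.HEADER Referer EXISTS && REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"),
    ("Receiver_Full_VPN",
     "REQ.HTTP.HEADER Referer NOTEXISTS && REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"),
]

# Grammar subset handled here (assumed): REQ.HTTP.HEADER <name> <op> [<value>]
_TERM = re.compile(
    r"^REQ\.HTTP\.HEADER\s+(\S+)\s+(EXISTS|NOTEXISTS|CONTAINS|NOTCONTAINS)(?:\s+(\S+))?$")


def eval_term(term: str, headers: Dict[str, str]) -> bool:
    """Evaluate one classic-expression term against a request's headers."""
    m = _TERM.match(term.strip())
    if m is None:
        raise ValueError(f"unsupported term: {term!r}")
    name, op, value = m.groups()
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    present = name.lower() in lookup
    if op == "EXISTS":
        return present
    if op == "NOTEXISTS":
        return not present
    if value is None:
        raise ValueError(f"{op} requires a value: {term!r}")
    # Assumption: CONTAINS on an absent header is false, so NOTCONTAINS on it is true.
    contains = present and value in lookup[name.lower()]
    return contains if op == "CONTAINS" else not contains


def eval_expr(expr: str, headers: Dict[str, str]) -> bool:
    """Evaluate an expression made of terms joined by &&."""
    return all(eval_term(t, headers) for t in expr.split("&&"))


def matching_policies(headers: Dict[str, str]) -> List[str]:
    """Every policy whose expression is true for this request (ideally at most one)."""
    return [name for name, expr in POLICIES if eval_expr(expr, headers)]


def classify(headers: Dict[str, str]) -> Optional[str]:
    """The policy that would be applied: the first match, or None if no policy fires."""
    hits = matching_policies(headers)
    return hits[0] if hits else None


# Constructed sample requests (not captured traffic): the header sets below are
# assumptions about what each client type sends to the gateway.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "browser_following_gateway_link": {
        "Host": "mygateway.mycompany.com",
        "Referer": "https://mygateway.mycompany.com/vpn/index.html",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    },
    "browser_first_request": {
        "Host": "mygateway.mycompany.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    },
    "receiver_account_discovery": {
        "Host": "mygateway.mycompany.com",
        "X-Citrix-Gateway": "mygateway.mycompany.com",
        "User-Agent": "CitrixReceiver/3.4.0.29577 Windows/6.1",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(f"{label:32} -> {classify(hdrs)}  (all matches: {matching_policies(hdrs)})")
```

Feeding the script the header set of a real client (for example from a browser's developer tools or a Receiver trace) shows which profile that client will land in; a request that matches no policy, or more than one, points at an expression that needs tightening before the policies are bound to the Virtual Server.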

Receiver_Clientless_VPN_Profile (Session Profile)

Network Configuration

No config

Client Experience

Home Page= none
Display Home Page = unchecked
URL for Web-Based Email = blank
Split Tunnel = OFF
Session Time-out = 30mins
Client Idle Time-out = blank
Clientless Access = On
Clientless Access URL Encoding = Clear
Clientless Access Persistent Cookie = ALLOW
Plug-in Type = Windows/Mac OS X
Single Sign-on to Web Applications = checked
Credential Index = Primary
Single Sign on with Windows = unchecked
Client Cleanup Prompt = checked
Advanced > Split DNS = Remote (see Appendix on Split Tunnel / DNS)

Security

Default Authorisation Action = Allow
Secure Browse = Checked

Published Applications

ICA Proxy = off
Web Interface Address = http://strorefont89.xen8.xenctx.com
Web Interface Portal Mode = NORMAL
Single Sign-on domain = xen8
Citrix Receiver Home page = blank
Account Service Address = http://strorefont89.xen8.xenctx.com/Citrix/Roaming/Accounts

cVPN_Profile (Clientless Profile)

The creation of a Clientless Access Policy and Profile is described in Citrix eDocs > NetScaler Gateway > Access Gateway 10 > Integrate > Integrate Access Gateway with CloudGateway > Configuring Custom Clientless Access Policies for Receiver for Web.

With NetScaler Gateway 10.1, Clientless Profiles and Policies might be created by using the NetScaler Gateway > Getting started > NetScaler Gateway wizard.

Appendix 4 – CloudBridge – Configuration Details

In this case study, the following licenses and settings were used.

Licenses

CTX119927 – Citrix WANScaler and Branch Repeater Licensing Guide describes CloudBridge licensing.

In this case study, the following licenses were used:

  • Base License – CBR_V45_SSERVER
  • Concurrent client count – CWS_STD_SCCU

Features

  Feature                            State
  Traffic Processing                 Enabled
  Traffic Acceleration               Enabled
  Traffic Shaping                    Enabled
  Traffic Bridging                   Enabled
  CIFS Protocol Optimisation         Enabled for All CIFS
  ICA Multi-stream                   Enabled
  MAPI Cross Protocol Optimisation   Disabled
  Repeater Plug-in                   Enabled
  SCPS                               Disabled
  SSH Access                         Enabled
  SSL Optimization                   Unavailable – requires a license
  Syslog                             Disabled
  User Data Store Encryption         Unavailable – requires a license
  WCCP                               Disabled

Configuration > Repeater Plug-ins > Signal Channel Configuration

  Setting                             Value
  State                               Enabled
  Signaling IP                        192.168.1.132
  Signaling Port                      443
  Signaling Channel Source Filtering  Disabled
  Connection Mode                     Transparent
  LAN Detection                       Disabled

Configuration > Repeater Plug-ins > Acceleration Rules

  Rule  Rule Type   Destination IP/Mask  Port  Notes
  1     Exclude     192.168.1.89/32      443   StoreFront
  2     Accelerate  192.168.1.0/24       All   Whole LAN

Configuration > Service Classes

Default Settings
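
The Acceleration Rules above only work as intended if the specific Exclude rule for StoreFront on port 443 is consulted before the broad Accelerate rule for the whole LAN. The following Python script is an added example, not CloudBridge code: it applies the two rules from this appendix to constructed sample flows and checks whether any rule is shadowed by an earlier, broader one. The first-match semantics, the reading of the Port column as either "All" or a single TCP port, and the unaccelerated "Passthrough" default for flows that match no rule are assumptions made for this simulation.

```python
import ipaddress
from typing import List, Optional, Tuple

# (rule number, rule type, destination IP/mask, port, note), as listed in Appendix 4.
Rule = Tuple[int, str, str, str, str]
RULES: List[Rule] = [
    (1, "Exclude", "192.168.1.89/32", "443", "StoreFront"),
    (2, "Accelerate", "192.168.1.0/24", "All", "Whole LAN"),
]


def _port_matches(rule_port: str, port: int) -> bool:
    # Assumption: the Port column is either the literal "All" or a single TCP port.
    return rule_port == "All" or int(rule_port) == port


def decide(dest_ip: str, dest_port: int, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """First-match lookup (assumed semantics): returns (decision, rule number).

    A flow that matches no rule is reported as 'Passthrough' with rule None, i.e.
    it is sent unaccelerated; that this is the plug-in's real default is an
    assumption of this example.
    """
    addr = ipaddress.ip_address(dest_ip)
    for number, rule_type, cidr, rule_port, _note in rules:
        if addr in ipaddress.ip_network(cidr) and _port_matches(rule_port, dest_port):
            return rule_type, number
    return "Passthrough", None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (rule, earlier rule) pairs where the earlier rule already covers every
    destination and port of the later one, so the later rule can never fire."""
    found = []
    for i, (number, _t, cidr, port, _n) in enumerate(rules):
        net = ipaddress.ip_network(cidr)
        for prev_number, _pt, prev_cidr, prev_port, _pn in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(prev_cidr)) and prev_port in ("All", port):
                found.append((number, prev_number))
                break
    return found


if __name__ == "__main__":
    # Constructed sample flows: StoreFront on HTTPS, StoreFront on HTTP, a server on
    # the standard ICA port 1494, and an address outside the LAN rule.
    for ip, port in [("192.168.1.89", 443), ("192.168.1.89", 80),
                     ("192.168.1.87", 1494), ("192.168.2.10", 443)]:
        print(f"{ip}:{port} -> {decide(ip, port)}")
    print("shadowed in page order:", shadowed_rules(RULES))
    print("shadowed if reversed:  ", shadowed_rules(list(reversed(RULES))))
```

With the rules in the order shown in the table, StoreFront HTTPS traffic is excluded and everything else on 192.168.1.0/24 is accelerated; reversing the two rules makes rule 1 unreachable, which the shadowing check reports as (1, 2).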

Appendix 5 – Split Tunnel & Split DNS

In this case study, the following settings were used:

Split Tunnel = on
The effect of this is that a user on the client PC can access network resources on the local LAN at the same time as the SSL VPN is active.
Some companies might have a security policy that requires that there is no access to the client PC's local LAN while it has an SSL VPN established to company resources. This can be achieved by using the setting Split Tunnel = off.

http://support.citrix.com/article/CTX138117

Split DNS = Reverse
Consider the example of a Home Worker using a Windows PC and a network printer on a domestic LAN.

With Split Tunnel = off, the user can log in to Access Gateway from a Windows 7 client, establish a VPN and start a XenDesktop session through StoreFront. However, the user cannot use their local printer because access to the home LAN is disabled.

With Split Tunnel = on and Split DNS=Both(default), the user can log in to Access Gateway from a Windows 7 client, and establish a VPN. However, the DNS lookup of the StoreFront will often fail.

The reason that this DNS lookup of StoreFront fails is that the local (to the client) DNS server cannot find the StoreFront address and immediately does a DNS Redirect to a default error web page. The remote (to the client) DNS server does not get a chance to respond.

This DNS Redirect is a common feature of many domestic ISPs, including BT (in the UK).

A workaround for this problem is to access the local printer by its IP address, and use the settings Split Tunnel = on and Split DNS = Remote.

For BT users, an alternative workaround can be found under Can I opt out of the service? at http://bt.custhelp.com/app/answers/detail/a_id/14244/~/about-bt-web-address-help

Appendix 6 – Branch Office Users (not covered in this document)

These users probably use (desktop) PCs, connected to a LAN in a branch office, to access XenDesktop resources in their company’s datacentre. In order to optimise performance, the remote office uses a CloudBridge appliance to accelerate network traffic along a private wire to the company datacentre.

For details of how to implement this solution there are a number of useful guides including:

CTX120455 – Understanding Citrix HDX Technology for Optimizing the Branch Office

CTX129473 – Branch Repeater VPX Best Practice and Deployment Guide

Disclaimer

This Web site might contain links to Web sites controlled by parties other than Citrix. Citrix is not responsible for and does not endorse or accept any responsibility for the contents or use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever you select for your use is free of viruses or other items of a destructive nature.
