Configuring the XenDesktop policies

Now that the XenDesktop infrastructure has been configured, it’s time to activate and populate the VDI policies. This is an extremely important part of the implementation process, because with these policies you regulate resource use and assignments, and you also improve the general performance of the virtual desktops.

Getting ready

All the policies will be applied to the deployed virtual desktop instances and the assigned users, so you need an already existing XenDesktop infrastructure on which you will enable and use the configuration rules.

How to do it…

In this recipe we will explain the configuration for the user and machine policies offered by Citrix XenDesktop. Perform the following steps:

  1. Connect to the XenDesktop Director machine with domain administrative credentials, then navigate to Start | All Programs | Citrix and run the Desktop Studio.
  2. On the left-hand side menu expand the HDX Policy section and select the Machines link.
  3. Click on the New button to create a new policy container, or select the default unfiltered policies and click on Edit to modify them. In the first case, you have to assign a descriptive name to the created policy.
  4. In the Categories menu, click on the following sections and configure the values for the policies that will be applied to the clients, in terms of network flow optimization and resource usage monitoring:
    • The ICA section
      • ICA listener connection timeout: Insert a value in milliseconds; default is 12000.
      • ICA listener port number: This is the TCP/IP port number on which the ICA protocol will try to establish the connection. The default value is 1494.
    • The Auto Client Reconnect subsection
      • Auto client reconnect: (Values Allowed or Prohibited) Specify whether or not to automatically reconnect in case of a broken connection from a client.
      • Auto client reconnect authentication: (Values Do not require authentication or Require authentication) Decide whether the Citrix infrastructure asks you for the credentials again each time an automatic reconnection takes place.
      • Auto client reconnect logging: (Values Do Not Log auto-reconnect events or Log auto-reconnect events) This policy enables or disables logging of the reconnection process in the system log. If auto client reconnect is active, you should also activate its logging.
    • End User Monitoring subsection
      • ICA round trip calculation: (Values Enabled or Disabled) This decides whether or not to enable the calculation of the ICA network traffic time.
      • ICA round trip calculation interval: Insert the time interval in seconds for the period of the round trip calculation.
      • ICA round trip calculations for idle connections: (Values Enabled or Disabled) Decide whether to enable the round trip calculation for connections that are not performing traffic. Enable this policy only if necessary.
    • The Graphics subsection
        • Display memory limit: Configure the maximum amount of memory, in KB, assigned to the video buffer of a session.
        • Display mode degrade preference: (Values Degrade color depth first or Degrade resolution first) Configure which parameter is lowered first, the color depth or the resolution, when the graphics memory is exhausted.
        • Dynamic Windows Preview: (Values Enabled or Disabled) With this policy you have the ability to turn on or turn off the high-level preview of the windows open on the screen.
        • Image caching: (Values Enabled or Disabled) With this parameter you can cache images on the client to obtain a faster response.
        • Notify user when display mode is degraded: (Values Enabled or Disabled) In case of degraded connections you can display a pop up to send a notification to the involved users.
        • Queueing and tossing: (Values Enabled or Disabled) By enabling this policy, queued images that have already been replaced by newer ones are discarded instead of being processed.

      For slow or WAN network connections, you should create a separate policy group that reduces the display memory size, sets the degrade color depth first preference, activates image caching, and removes the advanced Windows graphical features.

    • The Keep Alive subsection
      • ICA keep alive timeout: Insert a value in seconds to configure the keep alive timeout for the ICA connections.
      • ICA keep alives: (Values Do not send ICA keep alive messages or Send ICA keep alive messages) Configure whether or not to send keep-alive signals for the running sessions.
    • The Multimedia subsection
      • Windows Media Redirection: (Values Allowed or Prohibited) Decide whether or not to redirect the multimedia execution on the Citrix server(s) and then stream it to the clients.
      • Windows Media Redirection Buffer Size: Insert a value in seconds for the buffer used to deliver multimedia contents to the clients.
      • Windows Media Redirection Buffer Size Use: (Values Enabled or Disabled) This policy decides whether the previously configured media buffer size is used.
    • The Multi-Stream Connections subsection
      • Audio UDP Port Range: Specify a port range for the UDP connections used to stream audio data. The default range is 16500 to 16509.
      • Multi-Port Policy: This policy configures the traffic shaping to implement the quality of service (QoS). You have to specify from two to four ports and assign them a priority level.

      • Multi-Stream: (Values Enabled or Disabled) Decide whether or not to activate the previously configured multistream ports.

        You have to enable this policy to activate the port configuration in the Multi-Port Policy.

    • The Session Reliability subsection
      • Session reliability connections: (Values Allowed or Prohibited) By enabling this policy you allow the sessions to remain active in case of network problems.
      • Session reliability port number: Specify the port used by ICA to check the reliability of incoming connections. The default port is 2598.
      • Session reliability timeout: Specify a value in seconds used by the session reliability manager component to wait for a client reconnection.

        You cannot enable the ICA keep alives policy if the policies under the Session Reliability subsection have been activated.

    • The Virtual Desktop Agent Settings section
      • Controller Registration Port: Specify the port used by Virtual Desktop Agent on the client to register with the Desktop Controller. The default value is 80.

        Changing this port number will require you to also modify the port on the controller machine by running the following command:

        <BrokerInstallationPath>BrokerService.exe /VdaPort <newPort>

      • Controller SIDs: Specify a single controller SID or a list of them used by Virtual Desktop Agent for registration procedures.
      • Controllers: Specify a single or a set of Desktop Controllers in the form of FQDN, used by Virtual Desktop Agent for registration procedures.
      • Site GUID: Specify the XenDesktop unique site identifier used by Virtual Desktop Agent for registration procedures.

        If there is more than one Desktop Controller, you should create multiple VDA policies with different controllers for a load-balanced infrastructure.

    • The CPU Usage Monitoring subsection
      • Enable Monitoring: (Values Allowed or Prohibited) With this policy you can enable or disable the monitoring for the CPU usage.
      • Monitoring Period: Insert a value in seconds to configure the time period to run the CPU usage recalculation.
      • Threshold: Configure a percentage value to activate the high CPU usage alert. The default value is 95 percent.

        Enable the CPU Usage Monitoring policies in order to better troubleshoot machine load issues.

  5. After configuring, click on the OK button to save the modifications.
  6. On the left-hand side menu, click on the Users policy link in the HDX Policy section.
  7. Click on the New button to create a new policy container, or select the default unfiltered policies and click on Edit to modify them. In the first case, you have to assign a descriptive name to the created policy.
  8. In the Categories menu click on the following sections and configure the associated values:
    • The ICA section
      • Client clipboard redirection: (Values Allowed or Prohibited) This policy permits you to decide whether or not to enable the use of the client clipboard in the XenDesktop session, and to perform copy and paste operations from the physical device to the remote Citrix session.

        Active clipboard redirection can be a security issue; enable it only if you are sure it is required!

    • The Flash Redirection subsection
      • Flash acceleration: (Values Enabled or Disabled) This policy permits you to redirect the Flash rendering activities to the client. This is possible only with the legacy mode. Enable this policy to have a better user experience for the Flash contents.
      • Flash backwards compatibility: (Values Enabled or Disabled) With this policy you can decide whether or not to activate the compatibility of older versions of Citrix Receiver with the most recent Citrix Flash policies and features.
      • Flash default behavior: (Values Enable Flash acceleration, Disable Flash acceleration, or Block Flash player) This policy regulates the use of the Adobe Flash technology, respectively enabling the most recent Citrix for Flash features (including the client-side processing), permitting only server-side processed contents, or blocking any Flash content.
      • Flash event logging: (Values Enabled or Disabled) Decide whether or not to create system logs for the Adobe Flash events.
      • Flash intelligent fallback: (Values Enabled or Disabled) This policy, if enabled, switches to server-side Flash content processing when client-side processing is not required.

        The Flash Redirection features have been strongly improved starting from XenDesktop Version 5.5.

    • The Audio subsection
      • Audio over UDP Real-time transport: (Values Enabled or Disabled) With this policy you decide which protocol carries the audio packets: RTP/UDP (policy enabled) or TCP (policy disabled). The choice depends on the kind of audio traffic to transmit; UDP is better in terms of performance and bandwidth consumption.
      • Audio quality: (Values Low, Medium, or High) Choose the level according to the quality of the network connection and the audio fidelity you need: Low suits low-speed connections, Medium is optimized for speech, and High is for high-definition audio.
      • Client audio redirection: (Values Allowed or Prohibited) Allowing or prohibiting this policy permits or denies applications the use of the audio device on the client’s machine(s).
      • Client microphone redirection: (Values Allowed or Prohibited) This policy permits you to map client microphone devices for use within a desktop session.

        Where a high-quality user experience is not required, reduce the network and load impact of the multimedia components and devices.

    • The Bandwidth subsection
      • Audio redirection bandwidth limit: Insert a value in kilobits per second (Kbps) to set the maximum bandwidth assigned to the playing and recording audio activities.
      • Audio redirection bandwidth limit percent: Insert a maximum percentage value to play and record audio.
      • Client USB device redirection bandwidth limit: Insert a value in Kbps to set the maximum bandwidth assigned to USB devices redirection.
      • Client USB device redirection bandwidth limit percent: Insert a maximum percentage value for USB devices redirection.
      • Clipboard redirection bandwidth limit: Insert a value in Kbps to set the maximum bandwidth assigned to the clipboard traffic from the local client to the remote session.
      • Clipboard redirection bandwidth limit percent: Insert a maximum percentage value for the clipboard traffic from the local client to the remote session.
      • COM port redirection bandwidth limit: Insert a value in Kbps to set the maximum bandwidth assigned to the client COM port redirected traffic.
      • COM port redirection bandwidth limit percent: Insert a maximum percentage value for the client COM port redirected traffic.
      • File redirection bandwidth limit: Insert a value in Kbps to set the maximum bandwidth assigned to client drives redirection.
      • File redirection bandwidth limit percent: Insert a maximum percentage value for client drives redirection.
      • HDX MediaStream Multimedia Acceleration bandwidth limit: Insert a value in Kbps to set the maximum bandwidth assigned to the multimedia content redirected through the HDX MediaStream acceleration.
      • HDX MediaStream Multimedia Acceleration bandwidth limit percent: Insert a maximum percentage value for the multimedia content redirected through the HDX MediaStream acceleration.
      • Overall session bandwidth limit: Specify a value in Kbps for the total bandwidth assigned to the client sessions.

        In presence of both bandwidth limit and bandwidth limit percent enabled policies, the most restrictive value will be used.

    • The Desktop UI subsection
      • Aero Redirection: (Values Enabled or Disabled) This policy decides whether or not to activate the redirection of the Windows Aero graphical feature to the client device. If Aero has been disabled, this policy has no effect.
      • Aero Redirection Graphics Quality: (Values High, Medium, Low, and Lossless) If Aero has been enabled, you can configure its graphics level.
      • Desktop wallpaper: (Values Allowed or Prohibited) Through this policy you decide whether or not users may have a desktop wallpaper in their session. Disable this policy if you want to standardize your desktop deployment.
      • Menu animation: (Values Allowed or Prohibited) This policy permits you to decide whether or not to have the animated menus of the Microsoft operating systems. The choice depends on the kind of performance you need for your desktops.
      • View window contents while dragging: (Values Allowed or Prohibited) This policy gives you the ability to see the entire window contents during the drag-and-drop activities between windows, if enabled. Otherwise you’ll see only the window’s border.

        Enabling the Aero redirection will have impact only on the LAN-based connection; on WAN, Aero will not be redirected by default.

    • The File Redirection subsection
      • Auto connect client drives: (Values Enabled or Disabled) With this policy the local drives of your client will or will not be automatically connected at logon time.
      • Client drive redirection: (Values Allowed or Prohibited) The drive redirection policy allows you to decide whether it is permitted or not to save files locally on the client machine drives.
      • Client fixed drives: (Values Allowed or Prohibited) This policy decides whether or not to permit you to read data from and save information to the fixed drives of your client machine.
      • Client floppy drives: (Values Allowed or Prohibited) This policy decides whether or not to permit you to read data from and save information to the floppy drives of your client machine. Allow it only if a floppy drive actually exists; otherwise it has no value to your infrastructure.
      • Client network drives: (Values Allowed or Prohibited) With this policy you have the capability of mapping the remote network drives from your client.
      • Client optical drives: (Values Allowed or Prohibited) With this policy you can enable or disable the access to the optical client drives, such as CD-ROM or DVD-ROM.
      • Client removable drives: (Values Allowed or Prohibited) This policy allows or prohibits you to map, read, and save removable drives from your client, such as USB keys.
      • Preserve client drive letters: (Values Enabled or Disabled) Enabling this policy offers you the possibility of maintaining the client drive letters when mapping them in the remote session, whenever possible.
      • Read-only client drive access: (Values Enabled or Disabled) Enabling this policy denies write access to the mapped client drives. By default, this policy is disabled to permit full drive access. To reduce the impact on client security, you should enable it; you can always modify it when necessary.

        These are powerful policies for regulating the access to the physical storage resources. You should configure them to be consistent with your company security policies.

    • The Multi-Stream connections subsection
      • Multi-Stream: (Values Enabled or Disabled) As seen earlier for the machine section, this policy enables or disables the multistreamed traffic for specific users.
    • The Port Redirection subsection
      • Auto connect client COM ports: (Values Enabled or Disabled) If enabled, this policy automatically maps the client COM ports.
      • Auto connect client LPT ports: (Values Enabled or Disabled) This policy, if enabled, autoconnects the client LPT ports.
      • Client COM port redirection: (Values Allowed or Prohibited) This policy configures the COM port redirection between the client and the remote session.
      • Client LPT port redirection: (Values Allowed or Prohibited) This policy configures the LPT port redirection between the client and the remote session.

        You have to enable only the necessary ports, so disable the policies for the missing COM or LPT ports.

    • The Session Limits subsection
      • Disconnected session timer: (Values Enabled or Disabled) This policy enables or disables the timer that turns a locked (disconnected) workstation session into a logged-off session. For security reasons, you should enable the automatic logoff of idle sessions.
      • Disconnected session timer interval: Insert a value in minutes, which is used as the timer reference value to log off locked workstations. Set this parameter based on the real inactivity time of your company employees.
      • Session connection timer: (Values Enabled or Disabled) This policy decides whether or not a timer is used to measure the duration of active connections from clients to the remote sessions.
    • The Time Zone Control subsection
      • Use local time of client: (Values Use server time zone or Use client time zone) With this policy you can decide whether to use the time settings from your client or from the server.

        XenDesktop uses the user session’s time zone.

    • The USB Devices subsection
      • Client USB device redirection: (Values Allowed or Prohibited) With this important policy you can permit or prohibit USB drives redirection.
      • Client USB device redirection rules: Through this policy you define rules for specific USB devices and vendors that decide whether a device is filtered and, if so, which types of external devices may be mapped.
    • The Visual Display subsection
      • Max Frame Per Second: Insert a value, in frames per second, that defines the number of frames sent from the virtual desktop to the user client. This parameter can dramatically impact network performance, so set it with your network connection in mind.
    • The Server Session Settings section
      • Single Sign-On: (Values Enabled or Disabled) This policy decides whether to turn on or turn off the SSO for the user sessions.
      • Single Sign-On central store: Specify the SSO store server to which the user will connect for the logon operations, in the form of a UNC path.
    • The Virtual Desktop Agent Settings section
    • The HDX3DPro subsection
      • EnableLossLess: (Values Allowed or Prohibited) This policy permits or prohibits the use of a lossless codec.
      • HDX3DPro Quality Settings: Specify two values, Minimum Quality and Maximum Quality (from 0 to 100), as HDX 3D Pro quality levels. In the absence of a valid HDX 3D Pro license, this policy has no effect.
    • The ICA Latency Monitoring subsection
      • Enable Monitoring: (Values Allowed or Prohibited) This policy enables or disables the monitoring of ICA latency problems.
      • Monitoring Period: Define a value in seconds for the interval at which the ICA latency monitor runs.
      • Threshold: Insert a threshold value in milliseconds above which the ICA latency is considered to have reached its highest level.
    • The Profile Load Time Monitoring subsection
      • Enable Monitoring: (Values Allowed or Prohibited) With this policy you can monitor the time required to load a user profile.
      • Threshold: Specify a value in seconds to activate the trigger for the high profile loading time event.

        These are important policies for troubleshooting performance issues in the profile loading activities, especially with centralized profiles.

  9. After configuring click on the OK button to save the modifications.
  10. For both the edited policy categories (Machines and Users), click on the Edit button, select the Filters tab, and add one or more of the following filters:
    • Access Control: (Mode: Allow or Deny, Connection Type: With Access Gateway or Without Access Gateway) Insert the parameters for the type of connection to which you are applying the policies, using or not using Citrix Access Gateway.
    • Branch Repeater: (Values Connections with Branch Repeater or Connections without Branch Repeater) This filter applies the policies to connections that pass, or do not pass, through a configured Citrix Branch Repeater.
    • Client IP Address: (Mode: Allow or Deny) Specify a client IP address to which you are allowing or denying the policy application.
    • Client Name: (Mode: Allow or Deny) Specify a client name to which you are allowing or denying the policy application.
    • Desktop Group: (Mode: Allow or Deny) Select from the drop-down list an existing desktop or application group to which you are applying or not applying the configured policies.
    • Desktop Type: (Mode: Allow or Deny) This policy decides to allow or deny the policy application to the existing deployed resources (Private Desktop or Shared Desktop, Private Applications or Shared Applications).
    • Organizational Unit: (Mode: Allow or Deny) Browse for an existing domain OU to which you are applying or not applying the configured policies.
    • Tag: (Mode: Allow or Deny) This policy decides to allow or deny the application of the policies to specific tags applied to the desktops.
    • User or Group: (Mode: Allow or Deny) Browse for existing domain users and groups to which you are applying or not applying the configured policies.

      For the machine section, you’ll only have the desktop group, desktop type, organizational unit, and tag categories of filters.

  11. After completing this, click on the OK button to save the changed filters.
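The Client USB device redirection rules policy (step 8, USB Devices subsection) is where the allow-list approach described in this recipe is expressed, and it is worth being able to reason about a rule set before deploying it. The following is an added example, not code from the article or from Citrix: a small Python parser and evaluator for a rule set in the Allow:/Deny: form with VID=, PID=, REL=, Class=, SubClass= and Prot= tags that Citrix documents for this policy. The rule set itself is constructed, and two details are assumptions of this model rather than facts from the page: that the first matching rule decides, and that a device matching no rule stays local. Verify both against the documentation of your XenDesktop version.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed rule set (not from the article). The vendor/product ids are
# illustrative placeholders. Rules are evaluated top to bottom and the first
# match wins (assumption); a final bare "Deny:" blocks everything else.
SAMPLE_RULES = """\
# Only the company-approved encrypted USB key model may be redirected
Allow: VID=0781 PID=5581   # constructed vendor/product ids
Deny: Class=08             # every other mass-storage device
Allow: Class=03            # HID: keyboards, mice, smart card readers
Deny:                      # anything else stays on the client
"""

# Tag names accepted in a rule; values are hexadecimal, as in Citrix rules.
TAGS = ("VID", "PID", "REL", "Class", "SubClass", "Prot")


@dataclass(frozen=True)
class Rule:
    action: str            # "Allow" or "Deny"
    match: Dict[str, int]  # tag -> value; an empty dict matches every device


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    rel: int = 0
    cls: int = 0
    subclass: int = 0
    prot: int = 0

    def tag_value(self, tag: str) -> int:
        return {"VID": self.vid, "PID": self.pid, "REL": self.rel,
                "Class": self.cls, "SubClass": self.subclass,
                "Prot": self.prot}[tag]


def parse_rules(text: str) -> List[Rule]:
    """Parse the policy text into ordered rules, rejecting malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        head = re.match(r"^(Allow|Deny)\s*:(.*)$", line, re.IGNORECASE)
        if not head:
            raise ValueError(f"line {lineno}: expected 'Allow:' or 'Deny:'")
        match = {}
        for token in head.group(2).split():
            tag, _, value = token.partition("=")
            key = next((t for t in TAGS if t.lower() == tag.lower()), None)
            if key is None or not value:
                raise ValueError(f"line {lineno}: unknown or empty tag {token!r}")
            match[key] = int(value, 16)
        rules.append(Rule(head.group(1).capitalize(), match))
    return rules


def is_redirected(rules: List[Rule], device: Device) -> bool:
    """Return True if the first rule matching the device is an Allow rule."""
    for rule in rules:
        if all(device.tag_value(tag) == value for tag, value in rule.match.items()):
            return rule.action == "Allow"
    return False  # assumption: no matching rule means the device stays local


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for dev in (Device(vid=0x0781, pid=0x5581, cls=0x08),   # approved key
                Device(vid=0x0951, pid=0x1666, cls=0x08),   # other USB key
                Device(vid=0x046D, pid=0xC52B, cls=0x03)):  # mouse
        print(dev, "->", "redirected" if is_redirected(rules, dev) else "blocked")
```

Because the parser raises on any line that is not a well-formed Allow:/Deny: rule, it doubles as a pre-deployment check: a typo in a rule that would otherwise silently fail to match is reported with its line number before the policy is pushed to the desktops.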

How it works…

The Citrix XenDesktop policies work at two different levels of components, machines and users, and for each of them you can apply a set of filters to decide when and where to permit or not to permit the policy utilization. These configurations should be strongly oriented to performance and security optimization, so the best practice is to generate different sets of policies and apply them specifically to different kinds of virtual desktops, clients, and users. The following is the explanation of the previously applied configurations:

    • Machines policy level: These kinds of policies apply at the machine level, trying to regulate and optimize the session management, and the multimedia resources redirection.

      With this group of settings you are able to configure the standard ICA port to listen on, and the related connection timeouts. It’s possible to decide whether or not to automatically reconnect a client in case of broken connections. Enabling the Auto client reconnect policy could be right in some cases, especially when an important working session has been interrupted, but on the other hand it can cause an unplanned waste of resources, because the Citrix broker could start a new session if there are issues with the session cookies.

      With the ICA round trip policies, you can monitor and measure the response time users experience for their operations. This data lets you understand the responsiveness of your Citrix infrastructure and, where needed, apply remediation to the configuration, especially to the policies that involve graphics components: you can size the display memory and the image caching area, or turn specific Windows advanced graphical features, such as the Dynamic Windows Preview (DWP), on or off.

With the queuing and tossing policy active, you could experience lost frames when playing animations.

The Windows media redirection policy optimizes the playback of multimedia objects; by applying a correct sizing to its buffer you should obtain evident improvements in the streaming and playback operations. Consider disabling this policy, and thus delegating the processing of audio and video to the clients, only when you see no particular benefit from it.

Another important feature offered by these policies is the QoS implementation; you can enable the multistream connection configurations and apply traffic priority levels to them, giving precedence and more bandwidth to the traffic that is considered more critical than the rest.

The Multi-Stream policy for the QoS can be considered a less powerful alternative to Citrix Branch Repeater.

As the last part of this section, the Virtual Desktop Agent Settings section permits you to restrict the access to only pre-configured resources, such as specific Desktop Controllers.

    • Users policy level: Combined with the machine policies we have the user policies. These policies apply settings from a user session perspective, so you can configure, for instance, the processing of Adobe Flash contents, deciding whether or not to activate the compatibility with older versions of this software, and whether to process the Flash multimedia objects on the user’s clients or on the Citrix servers. Moreover, you can configure the audio settings, such as audio and microphone client redirection (in the sense of using the local device resources), the desktop settings (Aero parameters, desktop wallpapers, and so on), or the HDX protocol quality settings.

Be careful when applying policies for the desktop graphical settings.

To optimize the information transmission for the desktops the bandwidth policy is extremely important; by this you can assign, in the form of maximum Kbps or percentage, the values for the traffic types such as audio, USB, clipboard, COM and LPT ports, and file redirection. These configurations require a good analysis of the traffic levels and their priorities within your organization.

The last great configuration is the redirection of the client drives to the remote Citrix sessions; in fact, you can activate the mount (automatic or not) and the user rights (read-only or read/write) on the client drives, removable or not, such as CD-ROM or DVD-ROM, removable USB devices, and fixed drives such as the client device operating system root. This option gives you the flexibility to transfer information from the local device to the XenDesktop instance through a properly configured Virtual Desktop Agent.

This last device policy can make your infrastructure more secure thanks to the USB device redirection rules; through these rules, in fact, you can permit only the USB keys approved by your company and prohibit any other non-compliant device.

The granularity of the policy application is granted by the configuration of the filters; by using them you can apply the policies to specific clients, desktop or application groups, or domain users and groups. In this way you can create different policies with different configurations and apply them to specific areas of your company, without generalizing and overriding settings.
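Two points in this recipe decide what a given session actually ends up with: the filters of step 10 (which policies apply to a session) and the note in the Bandwidth subsection (when both a Kbps limit and a percent limit are set, the most restrictive one is used). The following is an added example, not code from the article or from Citrix, that models both as a small Python resolver in the spirit of the Group Policy Modeling Wizard described later. The policies, subnets, users and setting values are constructed; the policy names and setting names are the ones used in the recipe. Two semantics are assumptions of the model and must be checked against Citrix Studio on your version: that a lower priority number wins, and that within one filter kind a matching Deny excludes the session while, if Allow filters exist, at least one of them must match.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    client_ip: str
    desktop_group: str
    via_access_gateway: bool = False


@dataclass(frozen=True)
class Filter:
    kind: str           # UserOrGroup | ClientIPAddress | DesktopGroup | AccessControl
    value: str
    mode: str = "Allow"  # Allow or Deny, as in the Filters tab


@dataclass
class Policy:
    name: str
    priority: int       # assumption: 1 is the highest priority
    settings: Dict[str, object]
    filters: List[Filter] = field(default_factory=list)


# Constructed sample policies (not from the article); values are illustrative.
SAMPLE_POLICIES = [
    Policy("Unfiltered", 3, {
        "Client clipboard redirection": "Allowed",
        "Read-only client drive access": "Disabled",
        "Overall session bandwidth limit": 2000,          # Kbps
        "Audio redirection bandwidth limit percent": 50,
    }),
    Policy("WAN branch", 2, {
        "Overall session bandwidth limit": 1000,
        "Audio redirection bandwidth limit": 300,
    }, filters=[Filter("ClientIPAddress", "10.20.0.0/16"),             # constructed branch subnet
                Filter("ClientIPAddress", "10.20.99.0/24", "Deny")]),  # constructed management subnet
    Policy("Contractors", 1, {
        "Client clipboard redirection": "Prohibited",
        "Read-only client drive access": "Enabled",
    }, filters=[Filter("UserOrGroup", "Contractors")]),
]


def _matches(f: Filter, s: Session) -> bool:
    """Does one filter entry match the session?"""
    if f.kind == "UserOrGroup":
        return f.value == s.user or f.value in s.groups
    if f.kind == "ClientIPAddress":
        return ip_address(s.client_ip) in ip_network(f.value, strict=False)
    if f.kind == "DesktopGroup":
        return f.value == s.desktop_group
    if f.kind == "AccessControl":
        return (f.value == "With Access Gateway") == s.via_access_gateway
    raise ValueError(f"unknown filter kind {f.kind!r}")


def policy_applies(policy: Policy, s: Session) -> bool:
    """Assumed semantics: per filter kind, a matching Deny excludes the session;
    if Allow filters exist, at least one must match; kinds with no filters
    impose no restriction, so an unfiltered policy applies to every session."""
    by_kind: Dict[str, List[Filter]] = {}
    for f in policy.filters:
        by_kind.setdefault(f.kind, []).append(f)
    for filters in by_kind.values():
        hits = [(f.mode, _matches(f, s)) for f in filters]
        if any(mode == "Deny" and hit for mode, hit in hits):
            return False
        allows = [hit for mode, hit in hits if mode == "Allow"]
        if allows and not any(allows):
            return False
    return True


def effective_settings(policies: List[Policy], s: Session) -> Dict[str, object]:
    """The highest-priority applicable policy that defines a setting wins."""
    result: Dict[str, object] = {}
    for p in sorted(policies, key=lambda p: p.priority):
        if policy_applies(p, s):
            for name, value in p.settings.items():
                result.setdefault(name, value)
    return result


def effective_bandwidth_kbps(settings: Dict[str, object], traffic: str) -> Optional[float]:
    """Most restrictive of the Kbps limit and the percent limit, the percent
    being taken of the Overall session bandwidth limit (Bandwidth subsection note)."""
    limits = []
    absolute = settings.get(f"{traffic} bandwidth limit")
    percent = settings.get(f"{traffic} bandwidth limit percent")
    overall = settings.get("Overall session bandwidth limit")
    if absolute is not None:
        limits.append(float(absolute))
    if percent is not None and overall is not None:
        limits.append(overall * percent / 100)
    return min(limits) if limits else None


if __name__ == "__main__":
    s = Session("alice", frozenset({"Contractors"}), "10.20.5.7", "Finance")
    settings = effective_settings(SAMPLE_POLICIES, s)
    print(settings)
    print("audio Kbps:", effective_bandwidth_kbps(settings, "Audio redirection"))
```

Running the resolver for a contractor connecting from the branch subnet shows the layering the recipe recommends: the Contractors policy (priority 1) prohibits the clipboard and makes client drives read-only, the WAN policy (priority 2) caps the overall session at 1000 Kbps, and the audio limit becomes 300 Kbps because the absolute limit is tighter than 50 percent of that overall value. A session from the management subnet is excluded from the WAN policy by its Deny filter and falls back to the unfiltered values.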

There’s more…

To verify the effective running of the policies applied to your VDI infrastructure, there’s a tool called Citrix Group Policy Modeling Wizard inside the HDX Policy section, which performs this task. This tool performs a simulation for the policy applications, returning a report with the current configuration. This is something similar to Microsoft Windows Domain Group Policy Results.

The simulation can run against one or all of the domain controllers configured within your domain, and can test the policy application for a specific user or computer object, including the organizational units containing them.

Moreover, you can apply filters based on the client IP address, the client name, the type of machine (private or shared desktop, private or shared application), or you can apply the simulation to a specific desktop group.

In the Advanced Options section you can simulate slow network connections and/or loopback processing (basically, a policy application only based on the computer object locations, instead of both the user and computer object positions) for a configured XenDesktop site.

After running the policy application test, you can check the results by right-clicking on the generated report name, and selecting the View Report option.

This tool is extremely powerful when you have to verify unexpected behaviors of your desktop instances or user rights because of the application of incorrect policies.

Summary

In this article we discussed the configuration of the XenDesktop infrastructural policies.
