Managing Citrix policies

Understanding Citrix policies

In the Active Directory, a Group Policy contains two categories (also called nodes): Computer Configuration and User Configuration settings.

• The Computer Configuration node contains policy settings applied to computers, XenApp servers, when we use GPO to manage servers
• The User Configuration node contains settings applied to users accessing the machine, the XenApp server in our case, regardless of where they log on

Citrix policies also have same categories: computer and user.

• Computer policy settings in Citrix applied to XenApp servers. When the server is rebooted, these policies are applied to the server.
• User policy settings are used for the duration of the session and are applied to user sessions. Policy settings changes can also take effect when XenApp re-evaluates policies every 90 minutes.

Citrix policies are the preferred way to manage session settings or user access and the most effective method of controlling connection, security, and bandwidth settings on XenApp farms.

We can create and assign Citrix policies to users, groups, machines, or connection types and each policy can contain one or several settings. Using policies allows us to turn on/off settings like:

• ICA session settings, like Auto Client Reconnect, Keep Alive, Session Reliability, or Multimedia configuration
• Licensing configuration, like license server hostname or port
• Mapping of local drivers, printer, and ports
• Server settings, like Connections Settings, Reboot Behavior, Memory/CPU Management
• Shadowing options and permissions

Working with Citrix policies

A policy is basically a collection of settings or rules. Citrix policies include the user, server, and environment settings that will affect XenApp sessions when the policy is enforced. Policy settings can be enabled, disabled, or not configured.

For some policy settings, we can enter a value or we can choose a value from a list when we add the setting to a policy.

We can set some policies to one of the following conditions to enable or permit a policy setting: Enabled or Allowed and we can use Disabled or Prohibited to turn off or disallow a policy setting.

Also, we can limit configuration of the setting by selecting Use default value. Selecting this option disables configuration of the setting and allows only the setting’s default value to be used when the policy is enforced.

If we create more than one policy in our environment, we need to prioritize the policies. The best way to track applied settings is to run a Resulting Set of Policies Logging report from the Group Policy Management Console or the Citrix Policy Modeling Wizard.

These reports will show all Citrix settings configured via a policy, and which Group Policy Object, including the farm GPO, has actually won the merging calculation. We are going to talk about this in detail later.

Usually, Citrix policies will override the same or similar settings applied to the farm, specific XenApp servers, or on the client machine, except for the highest encryption setting and the most restrictive shadowing setting, which always overrides other rules or settings.

Best practices for creating Citrix policies

The following is a list of recommendations when configuring policy settings:

• Reduce the amount of policies: Avoid creating multiple policies for different groups of users. Create one policy and apply filters to it.
• Disable unused policies: Unused policies waste processing resources. If we are using Active Directory Group Policies, we can disable the unused part of the policy (Computer or User part).
• Assign policies to groups: If we assign policies to groups rather than a user, management is easy and can reduce processing time.
• Remote Desktop Session Host Configuration settings are similar to Citrix policy settings in a few ways. We need to avoid using Remote Desktop Session Host Configuration to reduce overlapping of settings.

We can use Remote Desktop Session Host Configuration (formerly known as Terminal Services Configuration on Windows Server 2003) to configure settings for new connections, modify the settings of existing connections, and delete connections. We can configure settings on a per connection basis or for the server as a whole.

Guidelines for working with policies

The process for configuring policies is as follows:

• Create and give a name to the policy: We need to create and provide a name for the new policy.
• Configure policy settings: We need to choose if we are going to create a User Configuration or Computer Configuration policy and then set the policies.
• Apply the policy to connections using filters: Using filters we can choose to apply the policy to a specific group of users or computers.
• Prioritize the policy: In the final (and optional) step, we will assign priority so that policies will override or take precedence over other policies.

Working with management consoles

In previous versions of Citrix XenApp, Citrix Presentation Server and Citrix MetaFrame policies were stored on the IMA and we managed Citrix policies from the Citrix Management Console.

Starting with XenApp 6, policies are stored on the Active Directory and we can manage Citrix policies through the Group Policy Management Console or Local Group Policy Editor in Windows or the Delivery Services Console in XenApp servers. Choosing the right console depends on our network environment and permissions.

Using the Group Policy Management Console

The Group Policy Management Console (shown in the following screenshot) allows us to view or create Active Directory policies. It also enables us to view the resulting policies applied to users or computers, which is very useful for troubleshooting (more about this is discussed later).

If our network environment is based on the Active Directory and we have the appropriate permissions to manage Group Policies (GPO), using the Group Policy Management Console to create policies for our farm is the preferred option.

The main reason to use the Group Policy Management Console over the Citrix Delivery Service Console is because Active Directory GPOs take precedence over the farm GPO (also known as IMA GPO).

Using the Delivery Services Console

The Citrix Delivery Services Console (shown in the following screenshot), formerly known as the Citrix Access Management Console, is a tool that integrates into the Microsoft Management Console (MMC) and enables us to execute management tasks, including creating and viewing Citrix Policies.

If we don’t have permissions to manage the Active Directory of our company or if our environment doesn’t use the Active Directory, we need to use the Citrix Delivery Services Console to create policies for our farm. Policies are stored in a farm GPO in the Citrix data store.

In the Citrix Delivery Services Console, we can view the policies configuration by clicking on the Policies node, then select either the Computer or User tabs in the middle pane.

When we click on one of these two tabs, three more tabs will be displayed, as shown in the following screenshot.

• Summary: Shows the settings and filters configured for the selected policy
• Settings: Shows available and configured settings by category for the selected policy
• Filters: Shows the available and configured filters applied to the selected policy

  

Using the Local Group Policy Editor

If we don’t want to use the Citrix Delivery Services Console, we don’t have permissions to modify or create a GPO in the Active Directory, or we don’t have an Active Directory domain (a NetWare network or workgroup, for example), we have another option. We can create a local GPO using the Local Group Policy Editor (shown in the following screenshot).

If we type GPEDIT.MSC, from Start | Run, the Local Group Policy Editor will open. We can modify the local policy of a single server, so it is useful to create or edit a policy in one or maybe a couple of servers, for example, silos or test servers, but it is not useful for medium to large farms. The Local Group Policy will affect everyone who logs onto this machine—including users accessing via Citrix and administrators.

We can access policies and their settings in the Local Group Policy Editor, by clicking the Citrix Policies node under User Configuration or the Computer Configuration in the tree pane, located on the left.

Active Directory Group policies take precedence over farm GPO; and farm GPO takes precedence over Local Group policies.