Embed Size (px)
Citation preview
602: StoreFront 2.5 Enterprise Deployment
Hands-on Lab Exercise Guide This session is offered as both an instructor led training and a self-paced online lab. Make money selling Field Services Stop by the Education and Consulting booths in the Solutions Expo to find out how! We're here to help.
| 1 |
Contents Contents .................................................................................................................................... 1
Overview .................................................................................................................................... 2
Scenario..................................................................................................................................... 4
Exercise 1 .................................................................................................................................. 5
Configure Site2 StoreFront server for NetScaler Gateway support............................................. 5
Exercise 2 .................................................................................................................................21
Automate deployment of Citrix Receiver for domain member PCs and Test pass-through authentication ...........................................................................................................................21
Exercise 3 .................................................................................................................................39
Configure Optimal routing for StoreFront...................................................................................39
Exercise 4 .................................................................................................................................44
Configure Failover for StoreFront Sites with user group site pinning .........................................44
Exercise 5 .................................................................................................................................50
Application Filtering in StoreFront .............................................................................................50
Exercise 6 .................................................................................................................................56
Configure Locked down store and user self-service store activation process ............................56
Overview ...................................................................................................................................56
Exercise 7 .................................................................................................................................59
Enable HTML5 client for StoreFront ..........................................................................................59
| 2 |
Overview Hands-on Training Module Objective This training will provide hands on experience with a StoreFront deployment inside of an enterprise environment. This lab will cover how StoreFront can be used in the enterprise environment and how to manage user workload distribution and fail over in a XenDesktop environment.
Prerequisites Active Directory, XenDesktop and XenApp administration and management.
Audience Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support
Lab Environment Details The system diagram of the lab is shown below:
| 3 |
The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All windows applications such as XenCenter, (the XenServer GUI management tool), are accessed from the Student Desktop.
Lab Guide Conventions This symbol indicates particular attention must be paid to this step
Special note to offer advice or background information
reboot Text the student enters or an item they select is printed like this
VMDemo Filename mentioned in text or lines added to files during editing
Start Bold text indicates reference to a button or object
Focuses attention on a particular part of the screen (R:255 G:20 B:147)
Shows where to click or select an item on a screen shot (R:255 G:102 B:0)
List of Virtual Machines Used VM Name IP Address Description / OS
AD.training.lab 192.168.10.11 DC/DNS/Software file share Site1-CDC1.training.lab 192.168.10.20 Site2 Citrix Delivery Controller with StoreFront NS.training.lab (MIP) 192.168.10.60 Management IP for NetScaler in Training lab Student1-PC 192.168.10.100 Domain Joined Student PC Site1-XA1 192.168.10.21 XenApp 7.5 host for Site1 Site2-AD2.remote.lab 192.168.20.11 DC /DNS /Software file share Site2-CDC2.remote.lab 192.168.20.20 Site2 Citrix Delivery Controller with StoreFront NS.remote.lab (MIP) 192.168.10.60 Management IP for NetScaler in Remote.lab Site2-Student2-PC 192.168.20.60 Domain Joined Student PC Site2-XA2 192.168.10.21 XenApp 7.5 host for Site2
Required Lab Credentials The credentials required to connect to the environment and complete the lab exercises.
VM Name User ID Password Description
*.Training.lab User1 Citrix123 Training domain User1 *.Remote.lab User1 Citrix456 Remote domain User1 *.Training.lab CitrixAdmin Citrix123 Citrix XenDesktop Site and Domain Admin *.Remote.lab CitrixAdmin Citrix123 Citrix XenDesktop Site and Domain Admin *.Remote.lab Administrator Citrix123 Domain Admin
| 4 |
NetScaler Admin nsroot nsroot Netscaler admin account
Scenario In this Lab, the environment contains 2 enterprise domain forests joined through a cross domain forest trust. In each domain, one XenDesktop 7.5 site was configured to allow user access to the XenDesktop environment. In each desktop site there is one XenApp 7.5 server. Site1 delivers Microsoft Office 2007 applications and Site 2 delivers Microsoft Office 2010 applications.
In this lab, you will configure the following items:
• Basic NetScaler Gateway configuration.
• Deploy Receivers for Windows to domain-joined PC via startup scripts.
• Configure and enable pass-through authentication on Receiver for Windows via GPO.
• Enable Optimal routing on the StoreFront store.
• Configure user group Site Pinning and Site failover.
• Enable application filtering for the StoreFront site, and configure keywords for mandatory application.
• Configure Locked-down Store for StoreFront.
• Enable HTML5 Receiver deployment.
| 5 |
Exercise 1 Configure Site2 StoreFront server for NetScaler Gateway support Overview In this exercise, we will be configuring Site2-CDC2.remote.lab to work with NetScaler Gateway (192.168.20.60) and add external access to the Site2 XenDesktop Site.
Step by step guidance Estimated time to complete this lab: 30 minutes.
Step Action 1. On the Student Desktop, open up Internet Explorer and go to ns.remote.lab. Log on with
UserID: nsroot Password: nsroot.
2. Go to System > Settings > Configure basic features. Select all features except Application Firewall and click OK.
| 6 |
3. Configure SSL Certificates and install the certificates loaded on the VPX. (To save time the certificates and keys are loaded on the NetScaler server already.)
Select Traffic Management > SSL > Certificates > Install.
4. Enter the following data to install the certificate:
Certificate-Key Pair Name: Wildcard-Remote
Certificate file Name*: /nsconfig/ssl/Wildcard-remote.cer
Key File Name: /nsconfig/ssl/Wildcard-remote.cer
(The Wildcard-remote.cer file was converted from a Windows certificate export .PFX file using a NetScaler internal Open SSL utility therefore the Key is also in the same .CER file.)
Certificate Format: PEM
Password: Citrix123
Click Create.
Do not click Close. You need to install a second certificate first.
| 7 |
5. Enter the following data to install the second certificate:
Certificate-Key Pair Name: Wildcard-Mycitrixtraining
Certificate file Name*: /nsconfig/ssl/MCTWildcard.cer
Key File Name: /nsconfig/ssl/MyCitrixTraining.key
Certificate Format: PEM
Password: Citrix123
Click Create.
Do not click Close. You need to install an intermediate certificate next.
| 8 |
6. Enter the following data to install an Intermediate certificate for MyCitrixtraining.net:
Certificate-Key Pair Name: Intermediate-MCT
Certificate file Name*: /nsconfig/ssl/MCTIntermediate.cer
Key File Name: (leave this field blank)
Password: (leave this field blank)
Click Create and then click Close.
7. Link the intermediate certificate to the Wildcard-mycitrixtraining certificate.
Click Traffic Management > SSL > Certificates in the navigation pane.
Click Wildcard-mycitrixtraining > Action > Link….
| 9 |
8. Select Intermediate-MCT certificate and then click OK.
9. Verify the certificate link for Wildcard-mycitrixtraining.
Right-click the Wildcard-mycitrixtraining certificate and then click Cert Links….
Verify that the Intermediate-MCT certificate is linked and then click OK to exit the window.
10. Configure NetScaler Gateway for external access.
Click NetScaler Gateway > Configure NetScaler Gateway for Enterprise Store.
11. Click Get Started in the Welcome screen.
| 10 |
12. Enter the NetScaler Gateway settings:
Name: SF2.mycitrixtraining.net
IP Address: 192.168.20.13
Port: 443
Select Redirect requests from port 80 to secure port
Gateway FQDN: sf2.mycitrixtraining.net
Click Continue.
13. Select Wildcard-mycitrixtraining in the Certificate field and click Continue.
| 11 |
14. Configure the LDAP server.
Select Configure New and enter the following data.
IP Address*: 192.168.20.11
Base DN*: DC=Remote,DC=lab
Admin Base DN*: [email protected] (In a production environment, an LDAP query account should be used.)
Server Logon Name Attribute*: sAMAccountName
Password*: Citrix123
Confirm Password*: Citrix123
Click Continue.
| 12 |
15. Set the Enterprise Store for NetScaler Gateway using the following data.
Select XenApp / XenDesktop
Select Deployment Type*: StoreFront
StoreFront FQDN*: Site2-CDC2.remote.lab
Select Use HTTPS (It is selected by default.)
Receiver for Web Path*: /Citrix/Store2Web (Make sure the 2 is inserted in the existing name.)
Single Sign-on Domain*: Remote.lab
STA URL*: https://Site2-CDC2.remote.lab
Click Done.
16. Create an internal use Gateway.
Click Create New NetScaler Gateway.
| 13 |
17. Enter the following data to configure the NetScaler Gateway settings.
Name: NG.remote.lab
IP: 192.168.20.12
Select Redirect requests from port 80 to secure port set Gateway FQDN Gateway
FQDN: NG.remote.lab
Click Continue.
18. Select the Wildcard-Remote certificate and then Continue.
19. Select the LDAP Policy that you created before (192.168.20.11_LDAP_pol). (It should be pre-selected.) Click Continue.
| 14 |
20. Enter the following data to set the Enterprise Store for NetScaler Gateway.
Select XenApp /XenDesktop
Select Deployment Type*: StoreFront
StoreFront FQDN*: Site2-CDC2.remote.lab
Select Use HTTPS (It is selected by default.)
Receiver for Web Path*: /Citrix/Store2Web
Single Sign-on Domain*: Remote.lab
STA URL*: https://Site2-CDC2.remote.lab
Click Done.
Close Internet Explorer.
| 15 |
21. Change the NetScaler Gateway UI to use the Green Bubble theme.
Click NetScaler Gateway > Global Settings > Change global settings.
Select the Client Experience tab.
In the UI Theme drop-down list, select Green Bubble and click OK.
22. Configure the StoreFront Site for Netscaler Gateway access.
Log on to the Site2-CDC2 VM with User ID: Remote.lab\Citrixadmin Password: Citrix123.
If a Remote Desktop Connection message appears, select Don’t ask me again for connections to this computer and then click Yes.
Open Citrix StoreFront from the taskbar.
Click Yes in the User Account Control message, if it appears.
| 16 |
23. Select Don’t show this again and then click Close in the Welcome screen.
Expand the Citrix StoreFront node in the left pane. Click Stores and select Store2. Click Enable Remote Access in the Actions pane. Select No VPN tunnel. Click Add….
24. Enter the following data to add the NetScaler Gateway appliances.
Display name: SF2.MyCitrixtraining.net
NetScaler Gateway URL: https://SF2.Mycitrixtraining.net
Version: 10.0 (Build 69.4) or later
Callback URL: https://SF2.MyCitrixtraining.net (This is used by the StoreFront server to communicate with NetScaler Gateway to validate the authentication of the LDAP services in NetScaler.)
Click Next.
Note: In this lab, SF2.mycitrixtraining.net and SF1.mycitrixtraining.net are internal FQDNs which are defined via a host file in the Lab VM.
| 17 |
25. Click Add....
Enter the STA URL used on the NetScaler Gateway. (This must match the entry on the NetScaler Gateway.)
STA URL: https://Site2-CDC2.remote.lab
Click OK and then click Create.
26. Add a Second NetScaler Gateway using the following data.
Click Add.
Display name: NG.remote.lab
NetScaler Gateway URL: https://ng.remote.lab
Version: 10.0 (Build 69.4) or later
Callback URL: https://ng.remote.lab (This is used by the StoreFront server to communicate with the Netscaler Gateway to validate the authentication of the LDAP services in NetScaler.)
Click Next.
| 18 |
27. Click Add....
Enter the STA URL used on NetScaler Gateway. (This must match with the entry on NetScaler Gateway.)
STA URL: https://Site2-CDC2.remote.lab
Click OK and then click Create.
28. Enable Remote Access and set the Default appliance.
Select No VPN tunnel.
Select both NetScaler Gateway appliances.
Select SF2.MyCitrixtraining.net as the Default appliance and click OK.
| 19 |
29. Add Domain pass-through to the Authentication Methods.
Click Authentication in the left pane.
Click Add/Remove Methods in the Actions pane.
Select Domain pass-through to enable pass-through authentication and then click OK.
30. Enable Receiver for Web to accept domain pass-through for both Store2Web and Site2VDI Receiver.
Click Receiver for Web > Store2 Receiver.
Click Choose Authentication Methods in the Actions pane.
Select Domain pass-through to enable pass-through authentication and then click OK.
Click Receiver for Web > Site2VDI Receiver.
Click Choose Authentication Methods in the Actions pane.
Select Domain pass-through to enable pass-through authentication and then click OK.
| 20 |
31. Enable Trust XML Service Port so the pass-through authentication will work.
Open Windows PowerShell from the taskbar of the Site2-CDC2 VM.
Enter the following commands:
asnp Citrix*
set-brokerSite -TrustRequestsSentToTheXmlServicePort $True
The Store2 Receiver is now configured to work with Netscaler Gateway. Site2VDI Receiver is an internal network only store, so you do not have to associate a NetScaler Gateway with it.
Exercise Summary In this exercise, you configured NetScaler Gateway and multiple StoreFront Stores to support Pass-through authentication.
| 21 |
Exercise 2 Automate deployment of Citrix Receiver for domain member PCs and Test pass-through authentication Overview In this exercise you will deploy Citrix Receiver to domain-joined PCs and enable pass-through authentication using a GPO.
Step by step guidance Estimated time to complete this lab: 30 minutes.
Step Action 1. Log on to the Site2-AD2.remote.lab VM using the remote.lab\Administrator and
Citrix123 credentials.
If a Remote Desktop Connection message appears, select Don’t ask me again for connections to this computer and then click Yes.
| 22 |
2. Open Windows Explorer (folder icon) from the taskbar and navigate to the c:\Software\Receiver\Startup_Logon_Scripts\ folder.
Right-click the CheckAndDeployCitrixReceiverPerMachineStartupScript.bat file and click Copy. Press Ctrl +V to paste a copy of the file in the same folder.
Rename the copied file to CheckAndDeployCitrixReceiver4PerMachineStartupScript.bat (or any name you can identify). Note: The extension for the file is already .BAT.)
Right-click your copy of the file and click Edit to open the CheckAndDeployCitrixReceiver4PerMachineStartupScript.bat file.
*The Scripts used in this lab are copied from the XenDesktop ISO media. Under the Receiver for Windows folder. There are also uninstall scripts in the folder, but we will not use them in this lab.
| 23 |
3. In Notepad, click Edit > Go To… and enter Line number 47. Click Go To.
Use the following data to change the entries.
set DesiredVersion=14.1 set DeployDirectory=\\AD2.remote.lab\Software\Receiver set logshare=\\AD2.remote.lab\software\log set CommandLineOptions=/includeSSON /Silent Note: Ensure that you change the domain name from “training.lab” to “remote.lab”. Failure to do so will result in an error in Step 26 of this exercise.
Click Edit > Find…, type CitrixReceiver.exe and click Find Next.
Add /includeSSON to the line after CitrixReceiver.exe, if it is not already there.
Click File > Save to save the file and then close Notepad.
| 24 |
4. Open Group Policy Management on the Site2-Ad2.remote.lab VM.
Click the Server Manager icon in the taskbar.
Click Tools > Group Policy Management.
5. Expand Forest:remote.lab > Domains > remote.lab > Group Policy Objects, right-click Group Policy Objects and click New.
Type Receiver Deployment in the Name field and then click OK.
6. Right-click the Receiver Deployment GPO under the Group Policy Objects node and click Edit.
| 25 |
7. Configure the Startup Script.
Expand Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
Double-click on Startup.
8. Add a startup script in the GPO store.
Click Show Files… to open the AD sysvol store.
| 26 |
9. Copy the startup script you edited to the sysvol store.
Click Windows Explorer in the taskbar and return to the c:\Software\Receiver\Startup_Logon_Scripts folder. Right-click the CheckAndRemoteCitrixReceiver4PerMachineStartupScript file that you edited and click Copy.
Click Windows Explorer in the taskbar and return to the Startup folder. Right-click in the Startup folder and click Paste.
Close the Startup folder window.
10. In the Startup Properties window, click Add. Click Browse. Select the CheckAndDeployCitrixReceiver4PerMachineStartupScript.bat script. Click Open and then click OK.
Now the Startup script is configured for the Receiver Deployment policy.
| 27 |
11. Click OK to close the properties.
Close the Group Policy Management Editor window.
12. Create a pass-through authentication policy.
In the Group Policy Management window, right-click Group Policy Objects and then click New.
Type Receiver pass-through enabled as the name of the policy and click OK.
| 28 |
13. Add the ICAClient.ADM template to configure the ICA client for pass-through authentication.
Right-click the Receiver pass-through enabled policy and click Edit.
Double-click Computer Configuration > Policies > Administrative Templates.
Right-click Administrative Templates and click Add/Remove Templates > Add.
14. Add the ICAClient.ADM template.
Navigate to c:\software\Receiver\.
Select icaclient.adm.
Click Open.
| 29 |
15. Click Close.
16. Configure the StoreFront Account List for the Receiver pass-through enabled policy in the Group Policy Management Editor.
Navigate to Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > Storefront. Double-click Storefront Accounts List.
| 30 |
17. Click Enabled.
Click Show….
In the Value field, type:
Store2;https://site2-cdc2.remote.lab/Citrix/Store2/discovery;on;Site2 Store
Explanation of the text you are entering in the Value field:
Green Text: Name of the Store configured on StoreFront Site
Black Text: StoreFront URL for the Store discovery
Red text: Enables the Store
Blue Text: Site name displayed in Receiver
Click OK and OK to close the window.
| 31 |
18. Enable user Account pass-through for Receiver.
Click User authentication in the left pane of the Group Policy Management Editor and then double-click Local user name and password.
Select Enabled.
Select the following options:
Enable pass-through authentication
Allow pass-through authentication for all ICA connections
Click OK.
| 32 |
19. Configure the Zone Assignment List using Group Policy Management to allow pass-through authentication for domain-joined PCs. The StoreFront URL needs to be in the trusted intranet zone, if not the pass-through option will fail and fall back to form-based user authentication.
Double-click Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
Double-click Site to Zone Assignment List in the left pane and select Enabled.
Click Show….
Type *://*.training.lab in the Value name field and set the Value to 1.
Add the remote.lab to the zone assignments.
Type *://*.remote.lab in the Value name field and set the Value to 1.
(This makes the training.lab and remote.lab URL trusted as an Intranet site.) This is required for Receiver for Web to allow pass-through. We have multiple domains so we are adding both domains to allow users to access StoreFront sites in both domains.
Click OK and then click OK again.
Close the Group Policy Management Editor and the Group Policy Management window.
| 33 |
20. Create an OU for the Client Desktop, which will be used to link to the Receiver Deployment GPO.
Open Server Manager from the taskbar, if you previously closed it.
Select Tools > Active Directory User and Computers.
Click remote.lab and then click Action > New > Organizational Unit.
Type Client Desktop in the Name field and then click OK.
| 34 |
21. Verify that the Client Desktop OU is created.
22. In Server Manager, select Tools > Group Policy Management.
Right-click the Client Desktop OU and click Link an Existing GPO….
| 35 |
23. Select the two GPOs created in the previous lab steps.
Press Ctrl and select the Receiver Deployment and Receiver Pass-through enabled GPOs and then click OK.
24. Verify that no Citrix Receiver (ICA client) is installed.
Power on Site2-Student2-PC in XenCenter (if it is not already started.)
Log on to Site2-Student2-PC using the Remote.lab\User1 and Citrix456 credentials.
Note: You will not be able to log on to this VM using a Remote Desktop connection.
Click Start > Control Panel > Uninstall a program.
Verify that no Citrix Receiver is installed.
Shut down the Site2-Student2-PC from XenCenter.
At this time, the Student2-PC is only a domain member PC in the Computers OU.
| 36 |
25. Log on to the Site2-AD2.remote.lab VM using the remote\CitrixAdmin and Citrix123 credentials.
Note: If you are logged on with the remote\Administrator account, you can sign out by clicking Start > Shut down or sign out > Sign out. Click Send Ctrl+Alt+Del (Ctrl+Alt+Insert) to log on with the remote\CitrixAdmin account.
Click Server Manager > Tools > Active Directory User and Computers. Select the remote.lab > Computers > Student2-PC computer object and drag it to the remote.lab > Client Desktop OU. Click Yes.
| 37 |
26. Power on the Site2-Student2-PC VM.
Log on using the Remote.lab\user1 and Citrix456 credentials.
Click Start > Citrix Receiver.
Verify that user pass-through works. That is, you are presented with the following screen without having to enter your credentials in Citrix Receiver. If the pass-through did not work, then reboot the Site2-Student2-PC one more time.
Click Start and notice that Microsoft Excel 2010 has been added to the Start > All Programs menu.
If pass-through does not work after the reboot, verify Steps 16-19 in this exercise. The StoreFront site requires Local Intranet security zone rights.
| 38 |
27. From the Site2-Student2-PC VM, open up Internet Explorer and log on to Citrix Receiver.
Type https://site2-cdc2.remote.lab/Citrix/Store2web in the browser and press Enter.
Click Log on.
Verify that pass-through works. That is, you see the available applications and desktops without having to enter credentials (remote\user1 and Citrix456).
Close both instances of Citrix Receiver.
Exercise Summary In this exercise, you:
• Configured Receiver for Windows deployment using GPOs.
• Configured pass-through authentication
• Configured the store for Citrix Receiver for Windows via GPOs.
• Validated the deployment and that pass-through authentication works.
| 39 |
Exercise 3 Configure Optimal routing for StoreFront Overview In this exercise, we will be demonstrate Optimal routing configuration to route all Site1 and Site2 connections through two independent gateways.
Step by step guidance Estimated time to complete this lab: 15 minutes.
Step Action 1. Configure Optimal routing for Store2 to route XenDesktop Site 1 HDX traffic through
SF1.mycitrixtraining.net gateway and also force the Site2 traffic through the internal ng.remote.lab gateway. (This is an example use case to demonstrate how optimal gateway routing can be used.in two different ways for two different XenDesktop sites)
Why do we want to route all ICA traffic through NetScaler Gateway?
1. This forces all client connections to be protected via SSL.
2. Routing ICA traffic through NetScaler helps HDX Insight to collect NetFlow data.
| 40 |
2. Add the training Site1 external NetScaler Gateway to the Site 2 StoreFront server store named Remote access. (This is optional, but it helps administrators identify and document which NetScaler Gateway is being used in the store.)
On the Site2-CDC2 VM, click Citrix Studio in the taskbar and then click Citrix StoreFront > Stores > Store2.
Click Enable Remote Access in the Actions pane.
Click Add in the Enable Remote Access window.
Add SF1.Mycitrixtraining.net to the NetScaler Gateway appliances list using the following data.
Display name: SF1.Mycitrixtraining.net
NetScaler Gateway URL: https://SF1.mycitrixtraining.net
Callback URL: https://SF1.mycitrixtraining.net
Click Next.
Set the STA server for the NetScaler Gateway.
Click Add….
In the STA URL field, type https://site1-cdc1.training.lab and then click OK.
Click Create.
Click OK to save the configuration. Wait for the configuration to be saved.
| 41 |
3. Open PowerShell in admin mode.
Right-click the PowerShell icon in the taskbar and click Run as Administrator. Click Yes in the User Access Control message.
First, we need to make a backup of the Web.config file used for the StoreFront Store2.
In PowerShell, type
Copy c:\inetpub\wwwroot\citrix\store2\web.config c:\inetpub\wwwroot\citrix\store2\web.config.backup
Press Enter.
Type Notepad in PowerShell and then press Enter to launch Notepad.
4.
Important Notification before editing the web.config file:
In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
| 42 |
5. In Notepad, click File > Open, navigate to the c:\inetpub\wwwroot\citrix\store2\web.config file and click Open.
Note: You may need to switch the Filter field to All Files in order to see files with extensions other than TXT.
Click Edit > GoTo …, type 270 in the Line field and click Go To. The cursor should be at the <optimalGatewayForFarmsCollection /> line in the file.
In PowerShell, type Notepad and press Enter to open a second Notepad.
In the second Notepad, click File > Open, in the File name field type \\AD2\Software\Lab files\Optimal Gateway.txt and press Enter. Click Edit > Select All, and Edit > Copy.
Return to the Notepad instance containing the web.config file, select the <optimalGatewayForFarmsCollection /> line and press Ctrl+V to replace the line with the text you copied from the Optimal Gateway.txt file.
Click File > Save to save the updated web.config file.
Close both instances of Notepad.
To force the web.config file to apply, type IISreset in PowerShell and press Enter.
Notes:
• enabledOnDirectAccess=”true” is the setting that overwrites internal Direct Access traffic to route through NetScaler Gateway. Customers can use this setting to force all ICA traffic to go through NetScaler Gateway.
• One of the use cases for this is to route all HDX traffic through NetScaler Gateway to allow NetScaler HDX Insight to collect NetFlow data on HDX.
• In this lab, Site 2 is using an internal only gateway for lab demo only so we can identify the connection via IP in netstat. In production, we should use external and internal accessible gateway if you want to force all HDX traffic through NetScaler Gateway. An example setting can be found in the \\ad2\software\lab
| 43 |
6. Log on to the Site2-Student2-PC VM using your Remote\User1 and Citrix456 credentials.
Click Start > Citrix Receiver.
Click Microsoft Excel 2010 (running from Site2) to launch it.
Click the + icon in Citrix Receiver. Click Office2007 > Microsoft Office Excel 2007 to add it to your applications. Click Microsoft Office Excel 2007 (running from Site1) to launch it.
Click Start and then enter cmd.exe to open a command prompt.
Type netstat –n at the command prompt and press Enter. Verify that the network connection is going to 192.168.20.12 (ng.remote.lab) and 192.168.10.13 (sf1.mycitrixtraining.net).
Close both versions of Excel.
Exercise Summary In this lab, we demonstrated the configuration for optimal routing and how optimal routing overwrites the Remote Access configuration.
| 44 |
Exercise 4 Configure Failover for StoreFront Sites with user group site pinning Overview In this exercise, we are going to configure two user groups for user site pinning. In each group, we will configure failover order for redundancy. In this lab, we are also going to leverage the domain local group to manually failover users from one site to another.
Step by step guidance Estimated time to complete this lab: 30 minutes.
Step Action 1. Log on to the Site2-CDC2 VM using the remote\CitrixAdmin and Citrix123 credentials.
Right-click the PowerShell icon in the taskbar and select Run as Administrator to open the PowerShell console in Administrator mode.
Click Yes in the User Account Control message.
| 45 |
2. Type Notepad in PowerShell and press Enter to launch Notepad with Administrator rights.
3. Click File > Open and open the c:\inetpub\wwwroot\Citrix\Store2\Web.config file using Notepad. Note: You might need to change the Filter to All Files in order to see the Web.config file.
4. Press Ctrl+F and find the resourcesWingConfigurations section in the Web.config file.
| 46 |
5. In PowerShell, type Notepad and press Enter to open a second Notepad.
In Notepad, click File > Open and type \\AD2\Software\Lab files\Site2 StoreFront failover Sample.txt in the File name field and press Enter. Click Edit > Select All and Edit > Copy.
Replace <resourceswingconfigurations> section in the Web.config file with the selected text file.
Select the following text in the Web.config file in Notepad. Right-click the selected text and click Paste to replace the text with the text from the Sample file. The original text should be replaced.
(In this configuration the Group SID is required. We can use the PSGetSID.exe tool from Microsoft to get the required SID.) The PSGetSID tool is installed on AD2 and Site2-CDC2 servers. In this lab, the sample configuration file already have the Group SID entered.
<resourcesWingConfigurations>
<resourcesWingConfiguration name="Default" wingName="Default">
<userFarmMappings>
<clear />
<userFarmMapping name="user_mapping_Site2_Store2_Site1Primary">
<groups>
<group name="Remote\Site1Users" sid="S-1-5-21-3712741401-4088014674-3169384540-2103" />
</groups>
<equivalentFarmSets>
<equivalentFarmSet name="Site1" loadBalanceMode="Failover" aggregationGroup="Site1_Site2_Aggregate_Failover">
<primaryFarmRefs>
<farm name="Site1" />
</primaryFarmRefs>
<backupFarmRefs>
<farm name="Site2" />
</backupFarmRefs>
</equivalentFarmSet>
</equivalentFarmSets>
</userFarmMapping>
<userFarmMapping name="user_mapping_Site2_Store2_Site2Primary">
<groups>
<group name="Remote\Site2Users" sid="S-1-5-21-3712741401-4088014674-3169384540-2102" />
</groups>
| 47 |
6. Click File > Save in Notepad to save the file web.config file.
Close the Notepad window containing the Site2 StoreFront failover Sample.txt file.
7. Configure the AD domain local group.
Log on to Site2-AD2.remote.lab using the remote.lab\Citrixadmin and Citrix123 credentials.
Open Server Manager > Tools > Active Directory Users and Computers.
Double-click remote.lab > Users. Right-click Site1Primary and click Add to a group…. Click Advanced > Find Now > Site1 Users and click OK. Click OK and then click OK in the message.
Right-click Site2Primary and click Add to a group…. Click Advanced > Find Now > Site2Users and click OK. Click OK and then click OK in the message.
| 48 |
8. Log off of Site2-Student2 PC and log on again using the remote\user1 and Citrix456 credentials. (Due to pass-through authentication, it is recommended if the user is already logged on from the last exercise log off and then log back on to get a new logon token.)
Click Start > Citrix Receiver. Click Remove in the message that appears stating that some apps are no longer available. Click + and verify that only the Office 2007 applications (from Site 1) are shown in the application list.
Log off User1 from the Site2-Student2 PC and then log on using the remote\User2 and Citrix456 credentials.
Click Start > All Programs > Citrix Receiver and verify that only the Office 2010 applications (from Site 2) are shown in the application list.
Log off User2 from Site2-Student2 PC and then log on using the remote\CitrixAdmin and Citrix123 credentials.
Click Start > Citrix Receiver and verify that no applications are shown in the list. This is because the CitrixAdmin is not listed in any of the groups defined in the site configuration. An administrator can use the group site pinning feature to also filter remote access user assignment to add an additional layer of access control.
*The Delivery Group on Site1 and Site2 are assigned to Remote.lab\Domain Users and Training.lab\Domain Users but the StoreFront server is filtering the access based on groups defined in the Web.config for the store.
9. Fail over the user from Site1 to Site2 by adding the user group Site1Primary to Site2Users and then remove the Site1Primary from the Site1Users group. (This helps administrators to migrate large numbers of users from one Site to another by just moving a user group.)
On the Site2-AD2.remote.lab VM, log on using the remote\CitrixAdmin and Citrix123 credentials.
Open Server Manager > Tools > Active Directory Users and Computers.
Double-click remote.lab > Users. Right-click Site1Primary and click Add to a group…. Click Advanced > Find Now > Site2 Users. Click OK and then click OK in the message.
Right-click Site1Users group and click Properties. Click the Members tab, select Site1Primary and click Remove. Click Yes and then click OK.
10. Log on to the Site2-Student2-PC VM with the Remote\User1 and Citrix456 credentials to test whether the server assignment changed to Site2. (Click Start > Citrix Receiver, you should see Office 2010.)
Exercise Summary In this exercise, we configured StoreFront user group-based site pinning. Within each site pinning group, we configured a primary site and a backup site. We also tested the failover of user site
| 49 |
pinning which can be used by an administrator to move all Site1 users to Site2 without modify the StoreFront server configuration.
| 50 |
Exercise 5 Application Filtering in StoreFront Overview In this exercise, we are going to enable the Application Filtering feature on StoreFront.
Step by step guidance Estimated time to complete this lab: 20 minutes.
Step Action 1. Log on to Site2-CDC2 VM using the Remote\citrixadmin and Citrix123 credentials.
Right-click the PowerShell icon in the taskbar and click Run as Administrator. Click Yes in the User Account Control message.
| 51 |
2. Load the PowerShell plugins using the following steps.
Type Notepad at the PowerShell prompt and press Enter.
Click File > Open in Notepad, and type \\AD2\software\lab files\Hide Application by Type.txt in the File name field and click Open.
Select the following text in the file and click Ctrl+C to copy the text to the clipboard.
$dsInstallProp = Get-ItemProperty ‘
-Path HKLM:\SOFTWARE\Citrix\DeliveryServicesManagement -Name InstallDir
$dsInstallDir = $dsInstallProp.InstallDir
& $dsInstallDir\..\Scripts\ImportModules.ps1
Click in PowerShell at the prompt and press Ctrl+V to paste the selected text into PowerShell. Note: If the text does not paste, right-click the mouse at the command prompt.
Press Enter to run the command. The PowerShell prompt will appear when the command has been run successfully.
Select the following text in the file and click Ctrl+C to copy the text to the clipboard.
Set-DSResourceFilterType -SiteId 1 -VirtualPath "/Citrix/Site2VDI" -IncludeTypes @("Applications")
Click in PowerShell at the prompt and press Ctrl+V to paste the selected text into PowerShell.
Press Enter to run the command. The PowerShell prompt will appear when the command has been run successfully.
Notes: “ -SiteId 1” is the IIS site ID that indicates the location of the site in IIS.
-VirtualPath “/Citrix/Site2VDI” is the store that we are configuring for filtering.
Do not close the PowerShell window, we will use it later in Step 4.
| 52 |
3. Log on to the Site2-Student2-PC VM using the remote\User1 and Citrix456 credentials. Click Start > Citrix Receiver. Click + > All Applications > Hosted Desktops.
Launch the Hosted Desktop and then log on to Citrix Receiver in the hosted desktop. (This is to simulate a user using a VDI session with Receiver inside the VDI session.)
Click Hosted Desktops in Citrix Receiver.
Click Read/write access in the message.
Type Citrix Receiver on the Desktop and then press Enter to launch Citrix Receiver.
Log on using the remote\User1 and Citrix456 credentials.
You see only apps, but no desktop.
| 53 |
4. Return to the Site2-CDC2 VM and enable filter by Keyword using PowerShell and the following steps.
Type the following command at the prompt.
Set-DSResourceFilterkeyword –SiteId 1 –VirtualPath “/Citrix/Site2VDI” –ExcludeKeywords @(“HideFromVDI”)
Note: There is a space before the @ sign, but not after the @ sign. Press Enter to run the command.
This will filter any Keyword. In this case, we are hiding applications with “HideFromVDI” in the keyword.
| 54 |
5. Log on to Site1-CDC1 using the training\Citrixadmin and Citrix123 credentials. Note: The domain name is “training” not “remote” as was used in the past.
Open Citrix Studio. If a User Account Control message appears, click Yes.
Click Citrix Studio > Delivery Groups > Applications tab.
Right-click Inkscape and click Properties in the Actions pane.
Add KEYWORDS:Featured HideFromVDI in the Description and keywords field (with a “space” after Featured) and then click OK.
Select Microsoft Office OneNote 2007 from the Applications tab in Studio.
Click Properties in the Actions pane.
Add KEYWORDS: mandatory to the Description and keywords field and then click OK.
| 55 |
6. Log on to Site2-Student2-PC using the Remote\User2 and Citrix456 credentials.
Start Hosted Desktops to open as a VDI session. (Again, we will run Citrix Receiver inside the VDI session for this application keyword filter example.)
Click Read/write access in the HDX File Access message.
From within the Hosted Desktops VDI, click the down arrow > Citrix Receiver and log on using the Remote\User2 and Citrix456 credentials. (We did not enable pass-through authentication on the Site2-XA2 server.)
Verify the application list. (Site1 and Site2 content was merged. There is no Desktop and no Inkscape app. Microsoft Office OneNote 2007 is displayed on the application page and cannot be permanently removed. That is, it will come back when you next log on.)
Exercise Summary In this lab, we enabled the application filtering feature to filter out the applications presented to the users accessing the internal Site2VDI store used by the VDI session hosted on Site2-XA2 server.
| 56 |
Exercise 6 Configure Locked down store and user self-service store activation process Overview In this exercise, you will configure a locked down Store which will display all applications users have access to and lock down the subscription for the user. This is not recommended in the environment where users have access to hundreds of apps and might be difficult for users to use. However, it offers a good mandatory application delivery solution without using Keyword options as you did in Exercise 5.
Step by step guidance Estimated time to complete this lab: 20 minutes.
Step Action 1. Log on to Site1-CDC1 using the Training\CitrixAdmin and Citrix123 credentials.
Right-click the PowerShell icon in the taskbar and click Run as Administrator. Click Yes in the User Account Control message.
Type Notepad at the PowerShell prompt and press Enter.
Click File > Open and navigate to the C:\inetpub\wwwroot\Citrix\Store1\web.config file. Click Open to open the file.
Press Ctrl+F and find StoreLockedDown in the file.
Change to StoreLockedDown=”true”.
Click File > Save to save the web.config file and then close Notepad.
| 57 |
2. From the Student Desktop, open Internet Explorer or the Google Chrome browser.
Type https://sf1.mycitrixtraining.net in the Address field and press Enter.
Log on using the training\user1 and Citrix123 credentials. (Note that this is user1 in the Training domain and the password is different from the Remote domain.)
Click the Apps tab. All applications show up in the Receiver for Web.
3. Activate the Citrix Receiver subscription.
In the Citrix Receiver window, click the User One drop-down menu and click Activate….
4. Click Open to download the receiverconfig.cr file. Note: In Google Chrome, click the down arrow to the right of the receiverconfig.cr file button at the bottom of the Receiver window to access the Open option.
| 58 |
5. Click Add in the message.
6. Log on to Citrix Receiver using the training\user1 and Citrix123 credentials.
7. All applications should be displayed in the Receiver window and the user should get an Updates are available message indicating that the GoToMeeting plugin needs to be downloaded. If the message does not appear, check the taskbar. The message may be hidden behind the current window.
Click Update Now and the download will start in the background.
Close both instances of Receiver for Web.
| 59 |
Exercise Summary In this exercise, you enabled the Store Locked Down feature to force all applications to be listed for the user. In addition, you also tested the user self-service store activation process from a non-domain joined external device.
Exercise 7 Enable HTML5 client for StoreFront Overview In this exercise, we will enable HTML5 Client access for StoreFront and set up the required policy in Citrix Studio.
Step by step guidance Estimated time to complete this lab: 20 minutes.
Step Action 1. Log on to the Site1-CDC1 VM in XenCenter using the Training\CitrixAdmin and
Citrix123 credentials.
Open Citrix Studio from the taskbar.
Click the Policies node. If the Welcome screen appears, click Close.
Click Create Policy in the Actions pane.
| 60 |
2. Enable WebSockets to support the HTML5 client. Note: The WebSocket protocol enables two-way communication between browser-based applications and servers without opening multiple HTTP connections. Having fewer connections enhances security and reduces overhead on the XenApp server.
Type websockets in the Search field and press Enter.
Select WebSockets connections and then click Select.
Select Allowed and then click OK.
Click Next.
Click Assign to the right of Delivery Group.
| 61 |
3. Select XenApp Hosted Desktop from the Delivery Group drop-down menu and click OK.
Click Next.
4. Click Finish.
| 62 |
5. Expand the Citrix StoreFront node and click Receiver for Web. Select Store1 Receiver2 and click Deploy Citrix Receiver in the Actions pane.
6. Select Always use Receiver for HTML5 and click OK. Note: Receiver for HTML5 is a zero install client allowing connection to XenApp and XenDesktop resources from Chrome and Firefox browsers. This client is useful in environments where a native client is not installed or cannot be installed.
Notice the HTML 5 client version on the Store1 Receiver2 page.
| 63 |
7. On the Student Desktop, open the Google Chrome browser.
Type sf1.mycitrixtraining.net in the Address field and press Enter. Log on using the training\User1 and Citrix123 credentials.
Click Apps and the Inkscape application.
Notice that a new tab opened in the browser.
Exercise Summary In this lab, we configured the HTML5 Receiver and enabled the required Websockets policy.
| 64 |
Please complete this survey
We value your feedback! Please take a moment to let us know about your training experience by completing the brief Learning Lab Survey
Revision Change Descriptions Updated By Date
1.0 Original Version James Hsu May 2014
About Citrix Citrix Systems, Inc. designs, develops and markets technology solutions that enable information technology (IT) services. The Enterprise division and the Online Services division constitute its two segments. Its revenues are derived from sales of Enterprise division products, which include its Desktop Solutions, Datacenter and Cloud Solutions, Cloud-based Data Solutions and related technical services and from its Online Services division's Web collaboration, remote access and support services. It markets and licenses its products directly to enterprise customers, over the Web, and through systems integrators (Sis) in addition to indirectly through value-added resellers (VARs), value-added distributors (VADs) and original equipment manufacturers (OEMs). In July 2012, the Company acquired Bytemobile, provider of data and video optimization solutions for mobile network operators.
http://www.citrix.com
![StoreFront 3 - Citrix Docs · If the Citrix SCOM Management Pack Agent service is installed on the StoreFront server, StoreFront cannot upgrade. [#DNA-34792] On upgrade, StoreFront](https://img.pdfslide.us/doc/110x75/60ea15540160bf6e9274e47a/storefront-3-citrix-docs-if-the-citrix-scom-management-pack-agent-service-is-installed.jpg)
