© 2015 Citrix Systems, Inc. All rights reserved.
App Orchestration 2.6
Getting Started with Citrix App Orchestration 2.6
Version: 1.0
Last Updated: July 9, 2015
Contents
Copyright and Trademarks
Welcome to App Orchestration 2.6
What’s New in This Release
Documentation and support for App Orchestration
App Orchestration components
Configuration server
What is it?
What does it do?
How many do I need?
Domain agent
What is it?
What does it do?
How many do I need?
Delivery Sites and Delivery Controllers
What are they?
What do they do?
How many do I need?
Additional information
Session Machines, Catalogs, and Delivery Groups
What are they?
What is a catalog?
How many do I need?
Additional information
StoreFront
What is it?
How many do I need?
Compute resources
App Orchestration deployment overview
Prepare to deploy App Orchestration 2.6
How many machines do I need?
Network preparation task overview
Machine preparation task overview
Prepare your Active Directory domains
Task 1: Prepare required domains
Task 2: Prepare required organizational units
Task 3: Prepare tenant domains and organizational units
Configure the App Orchestration Group Policy
Task 1: Set the PowerShell execution policy
Task 2: Configure PowerShell remoting
Task 3: To enable remote administration with WMI
Create administrator accounts
Setup Citrix Licensing
Set up compute resources
Set up NetScaler Gateway
LDAP authentication for NetScaler Gateway
Prepare the database server
Supported database servers
Support for database mirroring
Support for SQL Server AlwaysOn Availability Group
System requirements
Task 1: Create a firewall exception
Prepare the App Orchestration configuration server
System requirements
Sequence of preparation tasks for Windows Server 2008 R2 SP1
Client OS and browser support for the management console
Prepare Delivery Controllers and Session Machines
Supported platforms
System requirements
Support for aggregating existing Delivery Sites
Considerations for Delivery Controllers in cross-forest private Delivery Sites
Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5
Task 2: Configure SSL on Delivery Sites and Session Machines
Prepare StoreFront servers
System requirements
Server group requirements
Security Considerations for App Orchestration 2.6
SSL recommendations
Restrict PowerShell remoting sessions
SMB security signatures
Machine hardening techniques
Restrict access for tenant user accounts
XenApp Session Machine isolation
Session Machine Catalog upgrades
Install App Orchestration
Overview
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task 1: Download the product media
Download App Orchestration
Build out the product media folder
Task 2: Install App Orchestration components
Configure App Orchestration
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task 1: Configure the App Orchestration configuration server
Task 2: Configure global settings
Define App Orchestration infrastructure
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task overview
Design service offerings for tenants
Accounts and Permissions
Prerequisites for Session Machine Catalogs using integrated provisioning
Prerequisites for Session Machine Catalogs using external provisioning
Prerequisites for Offerings
Prerequisites for Delivery Sites
Prerequisites for StoreFront
Personas
Pitfalls to Avoid
Task 1: Create a new Delivery Site
Aggregate an existing Delivery Site
Task 2: Create a Session Machine Catalog
Create a catalog with integrated provisioning
Create a catalog for externally-provisioned machines
Add Session Machines to the catalog
Task 3: Add a StoreFront server group
Task 4: Create an offering
Deliver service offerings to tenants
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task 1: Add a tenant and add users
Security considerations
Task 2: Adjust capacity
Task 3: Subscribe the tenant to an offering
Task 4: Optional: Deploy tenant self-service features
Appendix: Setup Checklist
Shared resource domain
Default user domain
Citrix ProductMedia folder
Database Server
Citrix License Server
NetScaler Gateway
App Orchestration configuration server
Delivery Controllers
Session Machines
On-demand Catalogs (Integrated Provisioning enabled)
Catalogs for Externally Provisioned Machines
StoreFront servers
App Orchestration Global Settings
First Tenant
Copyright and Trademarks
Use of the product documented herein is subject to your prior acceptance of the End User License
Agreement. A printable copy of the End User License Agreement is included with your installation
media.
Information in this document is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of Citrix Systems, Inc.
© 2014 Citrix Systems, Inc. All rights reserved.
The following are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be
registered in the United States Patent and Trademark Office and in other countries:
Citrix®, Citrix Access Gateway™, Citrix App Orchestration™, Citrix Receiver™, Citrix XenApp™,
CloudPlatform™, CloudPortal™, ICA®, NetScaler®, NetScaler App Delivery Controller™, NetScaler
Gateway™, XenApp®, XenDesktop™, XenServer™
All other trademarks and registered trademarks are the property of their respective owners.
Welcome to App Orchestration 2.6
Thank you for choosing App Orchestration. This document includes information and instructions to help
you learn more about planning your App Orchestration deployment, prepare core components, and
perform tasks such as creating offerings and subscribing tenants to those offerings.
What’s New in This Release
• Support for XenDesktop 7.6: App Orchestration 2.6 brings support for deploying and managing
app and desktop delivery infrastructure across multiple tenants, domains and datacenters using
XenDesktop 7.6 Feature Pack 2. Learn more about the benefits and new features of XenDesktop
7.6.
• Support for StoreFront 3.0: App Orchestration 2.6 provides support for deployment and
orchestration of StoreFront 3.0 Server Groups and Sites. Server group and site isolation is easily
managed for each tenant using one of three pre-defined isolation modes (shared, private and private
site). Learn more about StoreFront 3.0.
• In-Place Upgrade: Upgrade App Orchestration 2.5 deployments in-place and carry forward existing
XenDesktop 7.5 Delivery Sites and 2.5 StoreFront Server Groups under orchestration to the latest
7.6 and 3.0 versions. View the upgrade guide to review the provided upgrade scripts, installers and
process.
• High Availability and Disaster Recovery Guidance: New guidance on configuring App
Orchestration for high availability and disaster recovery is now available. This release validates
disaster tolerant, multi-datacenter designs where delivery infrastructure is orchestrated and
managed across datacenters, even during a datacenter outage. During a disaster event, App
Orchestration can be used to quickly scale up capacity in backup datacenters to restore or expand
availability of services. Learn more about these configurations.
• Lean Deployment: In this release high availability requirements are now optional, allowing for sites
and server groups to be created using a single server. This change reduces cost and deployment
time for lean deployments.
• Bundled Delivery: To get started fast, all Citrix product media is wrapped up into a single
download. The unpacking process deploys the product media ready for image prep using App
Orchestration Install Center. The bundled delivery saves administrators time downloading and
packaging XenDesktop, StoreFront and App Orchestration installers and hotfixes.
• Customer Experience Improvement Program: New in this release is optional enrollment into the
CEIP program. When enrolled, App Orchestration will collect and report anonymous information
about product use to better support and improve the product moving forward.
Documentation and support for App Orchestration
• App Orchestration in Citrix eDocs: This section of eDocs is your primary source for all resources that
support App Orchestration 2.6. Access guides, videos and other materials to help you progress
smoothly through each stage of deployment.
• App Orchestration 2.x Discussion Forum: Use this Citrix Discussions site to ask questions and
contribute your knowledge about App Orchestration.
Use the following table as a guide to the materials available for planning and deploying App
Orchestration:
| When you’re ready to… | And you need more information about… | Consult this document… |
| --- | --- | --- |
| Plan your App Orchestration deployment and prepare your network environment | Known issues in App Orchestration | Known Issues for App Orchestration 2.6 |
| | The concepts and terminology specific to App Orchestration | App Orchestration Key Concepts and Terms |
| | System requirements for core components, required pre-deployment tasks, and security considerations | • Getting Started with App Orchestration 2.6 (this document) • Setup Checklist (Appendix to this document) |
| | Deploying App Orchestration in an Active Directory environment with multiple forests and multiple domains | Deploy App Orchestration in a complex Active Directory environment |
| | The user accounts you will need to deploy the core App Orchestration components and perform tasks using the App Orchestration web console | Credentials Used in App Orchestration 2.6 |
| | Using SQL database mirroring for adding high availability and failover to the databases used in App Orchestration | Configure SQL Database Mirroring in App Orchestration 2.6 |
| | The virtual networks you will need to provide tenant isolation of private offerings | Isolation Methods in App Orchestration 2.6 |
| | Integrate Citrix CloudPlatform with App Orchestration to create Public and Private Clouds | Using Citrix CloudPlatform to Provision Session Machines On-demand in App Orchestration 2.6 |
| | Configuring SSL between the core components of your deployment | Configure SSL for App Orchestration |
| Install and configure App Orchestration | Installing the core App Orchestration components | • Getting Started with App Orchestration 2.6 (this document) • Setup Checklist (Appendix to this document) |
| | Using domain agents to secure communication between App Orchestration and the resource domains in your deployment | Deploying the Zero Trust Agent Deployment Guide |
| | Using multiple datacenters to support resources deployed across geographic locations | Deploying a Multi-Datacenter Environment in App Orchestration 2.6 |
| | Integrating NetScaler Gateway with App Orchestration | Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6 or Configuring NetScaler 10.5 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6 |
| Use specific features of App Orchestration | Enabling hosted desktops to display the Windows 7 look and feel to users | Configuring Enhanced Desktop Experience for XenApp and XenDesktop in App Orchestration 2.6 |
| | Enabling on-demand provisioning of Session Machines to increase the capacity of your deployment as needed | Provisioning Session Machines On-demand in App Orchestration 2.6 |
| | Integrating Provisioning Services with App Orchestration to provide on-demand provisioning of Session Machines | Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.6 |
| Upgrade an existing App Orchestration 2.5 deployment to App Orchestration 2.6 | The upgrade process, preparation tasks, and instructions | Upgradability Guide for App Orchestration 2.6 |
App Orchestration components
App Orchestration provides simple unified management of Citrix application and desktop delivery
technologies in a multi-tenant environment, using multiple datacenters across multiple domains. This
section describes the core components and shows how they work together to provision and manage
hosted applications and desktops for tenants and users.
A typical App Orchestration deployment includes the following components:
• A configuration server, for hosting the App Orchestration engine and web-based management
console.
• A domain agent, to enable the configuration server to communicate with any isolated tenant domains
in the deployment.
• Delivery Controllers, for hosting XenApp or XenDesktop Delivery Sites.
• Session Machines, for hosting the applications and desktops that users access through Citrix
Receiver.
• StoreFront servers, for hosting the store that contains the offerings you create for tenants.
• Compute resources, for providing the virtual networks required for tenant isolation and provisioning
identically-configured Session Machines as needed through integrated provisioning.
For a visual overview of an App Orchestration deployment, refer to the App Orchestration Architecture
diagram.
Configuration server
What is it?
The App Orchestration configuration server hosts the App Orchestration engine and the web-based
management console. These are stateless components that can be deployed on multiple servers to
provide high availability and scalability. Additionally, an instance of Machine Creation Services (MCS)
and an agent reside on the configuration server. MCS provides the functionality for creating and
managing virtual machines (VMs) on the compute resources in the virtualization infrastructure.
What does it do?
When a change to the deployment occurs, such as creating a Delivery Site or adding a Session Machine
to a catalog, the change is written to the configuration database and the App Orchestration engine
issues all of the actions required to apply the change. These actions are called workflows, which you can
monitor from the web management console. The configuration server can apply these changes
asynchronously, allowing multiple operations to run across different products in the correct sequence and
over extended periods of time. If any failures occur, they can be corrected and the system will complete
the change.
Typically, the agent that resides on the configuration server interacts with Active Directory for operations
such as monitoring OUs. If you use zero-trust domains in your deployment, the Zero Trust Agent
handles communication with Active Directory. All Active Directory communication occurs through Active
Directory Web Services. The agent also communicates with Session Machines that have not yet been
allocated to host tenants' subscriptions. This communication occurs through PowerShell remoting (WinRM)
and the execution of pre-installed scripts.
How many do I need?
You need at least one configuration server in your deployment. However, you can deploy multiple
configuration servers to provide high availability and failover capabilities.
For system requirements and preparation instructions, see “Prepare the App Orchestration configuration
server” on page 32.
Domain agent
What is it?
The domain agent, also known as the Zero Trust Agent, allows the configuration server to orchestrate
resources in domains to which it cannot directly connect or where configuring Active Directory trusts
between the shared resource domain and the target orchestrated domain is not allowed.
What does it do?
The domain agent is installed on a dedicated machine in each resource domain of your App
Orchestration deployment. The agent establishes an SSL connection to the configuration server through
which the configuration server sends requests to the agent.
How many do I need?
You need at least one domain agent for each isolated tenant resource domain in your deployment. The
domain agent is installed on a dedicated server and requires SSL to be configured. For more information
about deploying the Zero Trust Agent, see the document Deploying the Zero Trust Agent in App Orchestration 2.6.
Delivery Sites and Delivery Controllers
What are they?
Delivery Sites are composed of identically configured Delivery Controllers and include the Session
Machines, Delivery Groups, and other components that deliver hosted applications and desktops to
tenants and their users at the appropriate isolation level. For more information about isolation levels, see
the document Isolation Methods in App Orchestration 2.6.
What do they do?
Delivery Controllers are responsible for distributing and managing user access to hosted applications
and desktops, power managing desktops, and reboot cycles for servers. Delivery Controllers can be
provisioned to run XenApp 6.5 or XenApp 7.6 and XenDesktop 7.6.
When you prepare machines to be Delivery Controllers, App Orchestration installs an agent on each
machine to establish communication with the orchestration engine API that is hosted on the
configuration server. The Delivery Controller manages Delivery Site configuration and the draining
process for Session Machines. Additionally, the agent joins Session Machines to the Delivery Site using
PowerShell remoting and executing pre-installed scripts.
How many do I need?
You need at least one Delivery Controller for each Delivery Site you deploy. If more than one Delivery
Controller is deployed, the Delivery Controllers must be identically configured, including hardware
configuration, operating system, and installed updates.
For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session
Machines” on page 35.
Additional information
• XenApp 7.6 and XenDesktop 7.6 documentation
• XenApp 6.5 product documentation
Session Machines, Catalogs, and Delivery Groups
What are they?
Session Machines host applications and desktops for tenants' users to access through Citrix Receiver.
Like Delivery Controllers, Session Machines can be provisioned to run XenApp 6.5, XenApp 7.6, or
XenDesktop 7.6.
What is a catalog?
Multiple Session Machines are collected in Session Machine Catalogs. All Session Machines in a
catalog are identically configured, using the same operating system and configuration settings, and the
same installed software. This ensures that users can access the applications and desktops associated
with the catalog when needed, regardless of the machines App Orchestration selects to host the
sessions. When additional capacity is needed for subscriptions, Session Machines from the catalog are
added to a Delivery Group that is associated with the subscribing tenant. Delivery Groups can be
dedicated to a single tenant's users or shared among the users of several tenants.
You can create two catalog types in App Orchestration: On-demand catalogs and catalogs for
externally-provisioned machines.
On-demand catalogs use on-demand provisioning to create Session Machines whenever more capacity
is needed to host tenant subscriptions. Before you create an on-demand catalog, you must perform
additional tasks to enable on-demand provisioning in your deployment. For information about these
tasks, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.6.
Catalogs for externally-provisioned machines allow you to use other means, such as Citrix Provisioning
Services or PowerShell scripts, to provision servers and add them to the catalog. When additional
capacity is needed in the catalog, App Orchestration notifies you to deploy more machines; additional
machines are not deployed automatically. For more information about using Provisioning Services for
externally-provisioned machines, refer to the document Using Citrix Provisioning Services to Provision
Session Machines in App Orchestration 2.6.
OS types for catalogs
When you create a new Session Machine Catalog, you must select an OS type which governs the
operating system installed on each machine in the catalog.
The Multi User type enables you to deploy a set of standard desktops and applications that are shared
by a large number of users. Desktops and applications are allocated to users on a first-come, first-served
basis. Additionally, the desktop environment automatically resets to the default configuration when users
log off. Session Machines in a catalog with this OS type run only supported versions of Windows Server.
The Single User type enables you to deploy desktops and applications that are assigned to individual
users. Users can personalize the desktop and install applications. Additionally, the desktop environment
remains unchanged between sessions. Session Machines in a catalog with this OS type run on
supported versions of Windows or Windows Server (with XenDesktop’s Server VDI capability).
How many do I need?
You need at least one Session Machine to host offerings for users. To increase capacity for your
offerings and host more user sessions, you can deploy multiple Session Machines.
For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session
Machines” on page 35.
Additional information
• XenApp 7.6 and XenDesktop 7.6 documentation
• XenApp 6.5 product documentation
StoreFront
What is it?
StoreFront authenticates users to sites hosting resources and manages stores of applications and
desktops that users access using Citrix Receiver.
How many do I need?
To provide offerings to users, you need at least one StoreFront server group consisting of at least one
StoreFront server.
• For system requirements and preparation instructions, see “Prepare StoreFront servers” on page 39.
• For more information about StoreFront 3.0, see the product documentation in Citrix eDocs.
When you add tenants to your deployment, you can specify whether the tenant’s users will use a shared
or private StoreFront site to access your offerings. The number of StoreFront servers you need depends
on the number of tenants who will be using shared or private StoreFront resources to access your
offerings. For more information about shared and private StoreFront resources, see the document
Isolation Methods in App Orchestration 2.6.
Compute resources
Compute resources are the hypervisors, hypervisor pools, and other components required to create and
manage virtual machines (VMs). These resources enable you to create virtual networks, a key
component in isolating tenants and ensuring shared and private resources are allocated appropriately.
To learn about the compute resources that App Orchestration supports, see the section “Set up compute
resources” on page 28.
App Orchestration deployment overview
Deploying App Orchestration typically occurs using the following phased approach:
| Phase | Tasks |
|---|---|
| Prepare | • Download the software for App Orchestration and its components. • Prepare your environment and the machines you will use to deploy App Orchestration and design and deliver offerings. |
| Install | Use the App Orchestration Install Center to install the required software on the machines you prepare as the configuration server, Delivery Controllers, Session Machines, and StoreFront servers. This enables you to perform the remaining deployment phases with minimal interruption. |
| Configure | Configure App Orchestration’s global settings. |
| Define | • Define additional domains. • Create additional datacenters. • Set up and configure compute resources. • Add instance configurations. |
| Design | • Create Delivery Sites. • Create a Session Machine Catalog for on-demand provisioning or external provisioning. • Create a StoreFront server group. • Create an offering. |
| Deliver | • Add a tenant and add users. • Adjust capacity. • Subscribe the tenant to the offering. • (Optional) Enable tenant self-service with CloudPortal Services Manager 11.5. |
Prepare to deploy App Orchestration 2.6
Before you install App Orchestration, some planning is required to prepare your environment and the
machines you will include in your deployment. Use this section to learn about:
• Required tasks for preparing your network environment and the machines included in your
deployment.
• System requirements for the core components of your deployment.
• Deployment recommendations and requirements for using specific features of App Orchestration.
How many machines do I need?
The simplest App Orchestration deployment that enables you to create an offering and deliver it to a
tenant requires the following machines:
• 1 domain controller with a minimum domain functional level of Windows Server 2008 R2
• 1 database server running a supported version of Microsoft SQL Server
• 1 Citrix License Server
• 1 server, for the App Orchestration configuration server
• 1 server, for the Session Machine that will host applications and desktops for the tenant’s users
• 1 server, for the Delivery Controller that makes up one Delivery Site
• 1 server, for the StoreFront server that makes up one StoreFront server group
You can then add other components such as NetScaler Gateway and Citrix Provisioning Services,
depending on the needs of your deployment.
Network preparation task overview
Perform the following tasks to prepare your network environment for App Orchestration:
| Step # | To perform this task | Refer to this section |
|---|---|---|
| 1 | Create the shared resource and default user domains and the root OU for the deployment. | “Prepare your Active Directory domains” on page 22 |
| 2 | Create a policy for all machines in the deployment that sets the PowerShell execution policy, enables PowerShell remoting, and enables remote administration with WMI. | “Configure the App Orchestration Group Policy” on page 24 |
| 3 | Create the non-privileged user accounts that you will use to install App Orchestration and designate as the orchestration service account for the deployment. | “Create administrator account” on page 27 |
| 4 | Set up Citrix Licensing for your deployment. | “Setup Citrix Licensing” on page 28 |
| 5 | Set up compute resources to create virtual networks and provision Session Machines on-demand. | “Set up compute resources” on page 28 |
| 6 | Set up NetScaler Gateway to provide secure remote access and load balancing for the StoreFront servers in your deployment. | “Set up NetScaler Gateway” on page 29 |
Machine preparation task overview
Perform the following tasks to prepare the machines that you include in your App Orchestration
deployment:
| Step # | To perform this task | Refer to this section |
|---|---|---|
| 1 | Install and configure the SQL Server that hosts the configuration database for your deployment. | “Prepare the database server” on page 29 |
| 2 | Prepare the machine that you deploy as the App Orchestration configuration server, including configuring SSL. | “Prepare the App Orchestration configuration server” on page 32 |
| 3 | Prepare the machines that you deploy as Delivery Controllers and Session Machines, including configuring SSL and updating the Citrix Group Policy snap-in. | “Prepare Delivery Controllers and Session Machines” on page 35 |
| 4 | Prepare the machines that you deploy as StoreFront servers, including configuring SSL. | “Prepare StoreFront servers” on page 39 |
Prepare your Active Directory domains
To deploy App Orchestration successfully, you must have at least one domain controller in your
environment. With a single domain, you can create a deployment in which users access offerings that
are hosted on resources that are shared amongst all tenants.
App Orchestration also supports deployments that span multiple forests and domains. With a
multi-forest or multi-domain deployment, you can provide tenant isolation, create private offerings, and
allocate private resources to specific tenants. For more information about multi-forest deployment, see
the document Deploy App Orchestration 2.6 in a Complex Active Directory Environment.
App Orchestration supports the following domain functional levels:
| Resource Domain Functional Levels | User Domain Functional Levels |
|---|---|
| • Windows Server 2012 • Windows Server 2008 R2 | • Windows Server 2012 • Windows Server 2008 R2 • Windows Server 2003 |
Task 1: Prepare required domains
Create the following domains:
Shared resource domain: The domain where the App Orchestration configuration server resides.
This domain contains all components that are shared with multiple tenants. This is also where the
App Orchestration root OU is created.
Important: All configuration servers in your deployment must reside in the shared resource domain. App
Orchestration does not support the use of configuration servers in different domains.
Default user domain: The domain where App Orchestration user accounts reside (for example, the
user account designated as the orchestration service account). You can create a separate domain
for these accounts or you can designate the shared resource domain for this purpose.
If you intend to include multiple domains in your deployment, create these resource and user domains
as necessary. You will need to specify the shared resource and default user domains when you
configure App Orchestration's global settings. You can define additional domains through the App
Orchestration web console. For more information about using multiple domains with App Orchestration,
refer to the document Deploy App Orchestration in a Complex Active Directory Environment.
Task 2: Prepare required organizational units
In the shared resource domain, create an OU that acts as the root OU for your App Orchestration
deployment. If your deployment includes multiple resource domains, create a root OU in each of these
domains.
You can name the root OU according to your preference; however, the root OU in each resource domain
must have the same name and path. You will specify the root OU for the shared resource domain when
you configure App Orchestration's global settings.
Important: The root OU in each resource domain must reside within the scope of the App Orchestration Group
Policy. For more information on configuring this policy and linking the root OUs, see the section “Configure the
App Orchestration Group Policy” on page 24.
After you configure the global settings, App Orchestration creates the DecommissionedServers OU
automatically within this root OU. The DecommissionedServers OU is for machines that have been
removed from the deployment.
Task 3: Prepare tenant domains and organizational units
Before you add tenants to the deployment, determine the tenants who will require shared or private
access to offerings. When you add tenants, you will need to specify the resource and user domains for
the tenant so that, when subscriptions are created later, App Orchestration can allocate the machines
hosting the tenant's offerings appropriately.
Create the resource and user domains for each tenant in Active Directory and add them as domains
through the App Orchestration web console before you add the tenants; App Orchestration does not
create these domains for you.
You will also need location groups and subscription groups for each tenant:
• Location groups map users to certain datacenters, enabling users to access applications and
desktops from different datacenters based on their group membership.
• Subscription groups are Active Directory user groups that organize users according to the offerings
they need. A subscription group must be a member of a location group, but can belong to only one
location group at any given time. When you create an offering, you specify the subscription groups
that can access the offering.
Tenants with private domain isolation
For each tenant who needs private access to offerings, perform the following tasks:
1. Create a private resource domain and App Orchestration root OU. This is where App Orchestration
will allocate machines for hosting private offerings.
2. (Optional) Create a private user domain for the tenant's user accounts. Alternatively, you can use the
tenant's resource domain for this purpose.
3. In the user domain, create location and subscription groups for the tenant. Finally, add user accounts
to the subscription groups.
Tenants with shared domain isolation
For each tenant who needs shared access to offerings, perform the following tasks:
1. Create a resource OU for the tenant within the App Orchestration root OU in the shared resource
domain.
2. (Optional) Create a user domain for the tenant's user accounts. Alternatively, you can use App
Orchestration's default user domain for this purpose.
3. In the default user domain, create location and subscription groups for the tenant. Finally, add user
accounts to the subscription groups.
Required trusts for resource and user domains
If you deploy App Orchestration in an environment that includes different resource and user domains (for
example, a resource domain and a user domain exist that are each different than the shared resource
domain), ensure that the resource domain trusts the user domain by establishing a one-way trust. This
trust enables users to access the offerings hosted on machines in the resource domain.
For more information about using multiple domains with App Orchestration, see the document Deploy
App Orchestration 2.6 in a Complex Active Directory Environment.
Required domain trusts for private offerings
App Orchestration enables you to isolate tenants in their own domains using the following methods:
• In a private domain using the Zero Trust Agent. The Zero Trust Agent facilitates secure communication between the App Orchestration configuration server and the tenant’s isolated resource domain. For more information, refer to the document Deploying the Zero Trust Agent in App Orchestration 2.6.
• In a private domain requiring a one-way trust in Active Directory with the shared resource domain. App Orchestration verifies this trust exists when you add a resource domain through the web console.
Configure the App Orchestration Group Policy
To facilitate remote administration, create a policy that applies to all machines in your App Orchestration
environment and include the following:
• PowerShell execution policy is set to AllSigned.
• PowerShell remoting is enabled, including auto-configuration of listeners, trusted hosts, and
Windows Remote Shell.
• Inbound remote administration is allowed in Windows Firewall.
Note: By default, WinRM 2.5 uses the ports 5985 for HTTP traffic and 5986 for HTTPS traffic. If you are using
firewalls between the App Orchestration configuration server and the other servers in your deployment, ensure
these ports are enabled.
You can create this policy using one of the following methods:
• Manually configure policy settings using the Group Policy Management Console. Use this topic to
configure these settings.
• Automatically configure policy settings using the New-CamGPO.ps1 script.
The New-CamGPO script creates a Group Policy Object (GPO) and configures all the required policy
settings described in this section. You can run this script after you prepare the server you want to use as
the App Orchestration configuration server, join it to the shared resource domain, and add it to the App
Orchestration root OU. This script is located in the %Program
Files%\Citrix\CloudAppManagement\InfrastructureTools directory on the App Orchestration
configuration server.
After you create this policy, link the GPO to the following objects:
• App Orchestration root OU in the shared resource domain.
• App Orchestration root OU in each additional private tenant resource domain that you create.
Important: When you deploy machines that reside in these OUs (for example, adding a Delivery Site), App
Orchestration issues workflows to complete the deployment tasks. For these workflows to complete
successfully, the machines on which they run must have these policy settings applied. App Orchestration does
not verify these policy settings are applied before issuing the workflows.
Task 1: Set the PowerShell execution policy
1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and
create a new GPO or edit an existing one.
2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Windows Components > Windows PowerShell.
3. Right-click Turn on Script Execution and select Edit.
4. Select Enabled and then, under Options, select Allow only signed scripts.
Task 2: Configure PowerShell remoting
To configure PowerShell remoting using Group Policy, use the Group Policy Management Console to
enable the WinRM service, configure listeners, set the amount of session memory available, and provide
a list of trusted hosts. You will also need to configure the WinRM service to start automatically and
ensure Windows Firewall allows traffic through the ports assigned to WinRM.
1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and
create a new Group Policy Object (GPO) or edit an existing one.
2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Windows Components.
3. Use the following table to configure the required policy settings:
| Setting Location & Name | Policy Setting | Setting Values |
|---|---|---|
| Windows Remote Management (WinRM) > WinRM Service | Allow automatic configuration of listeners | Enabled. To configure WinRM to listen on all addresses, type an asterisk (*) in the IPv4 Filter and IPv6 Filter fields. |
| Windows Remote Management (WinRM) > WinRM Client | Trusted Hosts | Enabled. In TrustedHostsList, type an asterisk (*) to indicate all hosts are trusted. |
| Windows Remote Shell | Specify maximum amount of memory in MB per Shell | Enabled. In MaxMemoryPerShellMB, type 1024. |
| Windows Remote Shell | Specify maximum number of remote shells per user | Enabled. In MaxShellsPerUser, typing 0 indicates an unlimited number of shells. |
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >
System Services.
5. Double-click the Windows Remote Management service and select the following options:
   • Define this policy setting
   • Automatic
6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >
Windows Firewall with Advanced Security > Windows Firewall with Advanced Security >
Inbound Rules.
7. Right-click Inbound Rules and select New Rule.
8. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined and then select the
Windows Remote Management rule. Click Next.
9. On the Predefined Rules page, accept the defaults and click Next.
10. On the Action page, ensure Allow the connection is selected and click Finish.
11. To apply the settings, on each server, open a PowerShell command window and run gpupdate.
Task 3: Enable remote administration with WMI
As part of maintaining your App Orchestration environment, you might need to update Session Machine
Catalogs to deploy patches, upgrade installed applications, or take advantage of new hardware on
Session Machines. To ensure the update process occurs smoothly, a firewall exception is required to
enable inbound remote administrative connections on TCP ports 135 and 445. If this exception is not
present, the update process might fail.
1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and
create a new Group Policy Object (GPO) or edit an existing one. This GPO should be associated
with all servers in the App Orchestration environment.
2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Network > Network Connections > Windows Firewall > Domain
Profile.
3. Double-click the Windows Firewall: Allow inbound remote administration exception setting and
select Enabled.
4. Under Options, in Allow unsolicited incoming messages from these IP addresses, type an
asterisk (*).
5. Click OK to save your selection.
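Because App Orchestration does not verify that these policy settings are applied before it issues workflows, the following check compares a machine's effective settings against the values from Tasks 1 to 3. It is an added example, not Citrix code: the function names are this example's own, and it assumes PowerShell 3.0 or later, an elevated session, the NetSecurity module (Windows Server 2012 or later), and an English firewall rule group name.

```powershell
# Added example: audit one machine against the App Orchestration Group Policy values.
# Run elevated, after gpupdate, on a machine inside the App Orchestration root OU.

function New-Check {
    # Runs $Read, converts the result to a string and compares it with $Expected.
    param([string]$Setting, [string]$Expected, [scriptblock]$Read)
    try   { $actual = [string](& $Read) }
    catch { $actual = "unreadable: $($_.Exception.Message)" }
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = $actual
        Pass     = ($actual -eq $Expected)
    }
}

function Test-AppOrchestrationPolicy {
    # Turn read failures into exceptions so New-Check can report them.
    $ErrorActionPreference = 'Stop'

    # Registry location written by the "Windows Firewall: Allow inbound remote
    # administration exception" policy for the domain profile (Task 3).
    $remoteAdminKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'

    @(
        # Task 1: execution policy delivered by Group Policy (machine scope).
        New-Check 'PowerShell execution policy (MachinePolicy)' 'AllSigned' {
            Get-ExecutionPolicy -Scope MachinePolicy
        }

        # Task 2: WinRM service, listeners, trusted hosts, shell memory, firewall.
        New-Check 'WinRM service start mode' 'Auto' {
            (Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'").StartMode
        }
        New-Check 'Enabled WinRM listener on all addresses (*)' 'True' {
            [bool](Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
                Where-Object { $_.Address -eq '*' -and $_.Enabled -eq 'true' })
        }
        New-Check 'WinRM client TrustedHosts' '*' {
            (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
        }
        New-Check 'MaxMemoryPerShellMB' '1024' {
            (Get-Item -Path WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        }
        New-Check 'Inbound allow rule in "Windows Remote Management" group' 'True' {
            # ActiveStore is the effective rule set, including rules from GPOs.
            [bool](Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Windows Remote Management' |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
        }

        # Task 3: remote administration exception (TCP 135 and 445).
        New-Check 'Remote administration exception enabled' '1' {
            (Get-ItemProperty -Path $remoteAdminKey).Enabled
        }
        New-Check 'Remote administration allowed addresses' '*' {
            (Get-ItemProperty -Path $remoteAdminKey).RemoteAddresses
        }
    )
}

# Show every check; rows with Pass = False need attention before deploying.
Test-AppOrchestrationPolicy | Format-Table -AutoSize -Wrap
```

A TrustedHosts value of * lets the WinRM client connect to any host without mutual authentication, and the listener and firewall settings accept connections from any address, so restrict ports 5985, 5986, 135 and 445 at the network level to traffic between deployment machines.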
Create administrator accounts
To install and manage components in your App Orchestration deployment, create the following objects:
• Orchestration service group: A user group for the user accounts for installing and administering
the deployment. This group confers full rights on member accounts. User accounts that are added to
this group should be non-privileged users with no administrator rights to the machines in the
deployment. Accounts in this group should not be members of the Domain Admins group. You will
need to supply this group name when you install the App Orchestration configuration server.
Note: After you supply this group name, it cannot be changed later.
• Orchestration service account: The primary user account for performing administrative tasks in
the App Orchestration web console. This is a non-privileged user account that has permission to
access all App Orchestration functions and add and modify objects. This account should not be part
of the Domain Admins group. This account need not be the same as the App Orchestration
configuration server installation and configuration credentials.
Note: When adding administrator accounts to App Orchestration in a multi-domain environment, ensure the
accounts are members of a global or universal group in the user domain. If the account is a member of a
domain local group, App Orchestration does not recognize the account and, therefore, does not allow the
account to log on to the web console.
For more information about requirements and permissions for these user accounts, as well as other user
accounts that App Orchestration uses to provision and manage machines, see the document
Credentials Used in App Orchestration 2.6.
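The account requirements above can be checked before installation. The following is an added example, not Citrix code: it assumes the ActiveDirectory PowerShell module, a single domain holding both the group and the accounts, and hypothetical names (Test-OrchestrationAccount, AO-Admins, svc-orch). Treating the group's own scope as the thing to check for the domain local restriction is this example's reading of the note above.

```powershell
# Added example: check the orchestration service group and account against
# the requirements in "Create administrator accounts".
Import-Module ActiveDirectory

function Test-OrchestrationAccount {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceGroup,    # orchestration service group
        [Parameter(Mandatory = $true)][string]$ServiceAccount   # orchestration service account
    )
    $findings = @()

    # RID 512 identifies Domain Admins in every domain, whatever its display name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $adminSids = @(Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
        ForEach-Object { $_.SID.Value })

    # App Orchestration does not recognize accounts held in a domain local group.
    $group = Get-ADGroup -Identity $ServiceGroup
    if ($group.GroupScope -eq 'DomainLocal') {
        $findings += "Group '$($group.Name)' is domain local; use a global or universal group."
    }

    # Collect the service account plus every user nested in the service group,
    # keyed by SID so that each account is tested once.
    $accounts = @{}
    $user = Get-ADUser -Identity $ServiceAccount
    $accounts[$user.SID.Value] = $user.SamAccountName
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $accounts[$_.SID.Value] = $_.SamAccountName }

    # None of these accounts should be members of Domain Admins.
    foreach ($sid in $accounts.Keys) {
        if ($adminSids -contains $sid) {
            $findings += "Account '$($accounts[$sid])' is a member of Domain Admins."
        }
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

# Example call with placeholder names:
# Test-OrchestrationAccount -ServiceGroup 'AO-Admins' -ServiceAccount 'svc-orch'
```

The check does not cover local administrator rights on individual machines, which the requirements above also exclude.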
Setup Citrix Licensing
Citrix Licensing 11.12.1 is required for configuring the App Orchestration configuration server as well as
configuring the Delivery Controllers, Session Machines, and StoreFront servers you want to deploy. If
you use an older version of Citrix Licensing, App Orchestration cannot validate the server during
configuration of global settings.
For Delivery Sites that use controllers running XenApp 6.5 Feature Pack 4, specify the Licensing server
using the FQDN or an IPv4 address. If you use an IPv6 address, App Orchestration cannot validate the
server and create the Delivery Site.
For more information about deployment steps, obtaining license files, and managing your Licensing
server, see Citrix Licensing 11.12.1 in Citrix eDocs.
Set up compute resources
Compute resources include the hypervisors and virtual networks and machines that form the foundation
for your App Orchestration deployment. These resources enable you to deploy Session Machines on
demand using integrated provisioning and use network isolation to provide tenants with private
resources.
App Orchestration supports using the following products to create the virtual networks and machines
you need for your deployment:
• Citrix CloudPlatform 4.2.1
• Citrix XenServer 6.2
• VMware vSphere ESX 5.5
• VMware vSphere ESX 5.1
• Microsoft SCVMM 2012 R2
• Microsoft SCVMM 2012 SP1
To use network isolation in your deployment, you create the following virtual networks:
• Shared Controller Management Network
• Shared Delivery Group Management Network
• Private management network, for each tenant who requires private access to hosted applications
and desktops
Additionally, these networks must be labeled.
Important: You will need to supply these labels when you configure App Orchestration's global settings. In
App Orchestration, network labels are case-sensitive. When configuring the global settings, enter the labels
exactly as they are configured for your compute resources.
For more information about these networks and instructions for creating and labeling them, review the
document Isolation Methods in App Orchestration 2.6.
For more information about using Citrix CloudPlatform to provision machines in your App Orchestration
deployment, see the document Using Citrix CloudPlatform to Provision Session Machines On-demand.
Set up NetScaler Gateway
App Orchestration supports the use of NetScaler Gateway 10.1 or 10.5 to provide secure remote access
and load balancing for the StoreFront servers in your App Orchestration deployment. If you intend to use
NetScaler Gateway in your deployment, review the following information prior to deployment:
• Review the document Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler
Gateway for App Orchestration 2.6 or Configuring NetScaler 10.5 Load Balancing with StoreFront
3.0 and NetScaler Gateway for App Orchestration 2.6. These documents provide detailed
requirements and instructions for integrating NetScaler Gateway with App Orchestration.
• Review the security considerations as described in the Planning for Security with NetScaler Gateway
section of Citrix eDocs.
LDAP authentication for NetScaler Gateway
When configuring LDAP authentication for NetScaler Gateway to verify user accounts in Active Directory,
a user account is entered in the Administrator Bind DN setting to bind NetScaler Gateway to the LDAP
server and search for the user. Citrix strongly recommends using a non-privileged user account that has
bind DN permission in Active Directory. Do not use an administrator account for this setting.
Prepare the database server
In an App Orchestration deployment, the database server hosts the App Orchestration configuration and
logging databases. If you choose, it can also host the databases for the Delivery Sites you deploy.
Prepare the database server before you install App Orchestration. You will need to supply information
about this server when you install the App Orchestration configuration server and deploy Delivery Sites,
Session Machines, and StoreFront server groups. Afterward, create a firewall exception as described in
the section “Task 1: Create a firewall exception” on page 31.
When you install the App Orchestration configuration server, you are prompted to provide a service
deployment name. This name is used to create the configuration database. If you want to use an
existing database for your App Orchestration deployment, you specify that database name as the
service deployment name. If you enter a database name that does not exist on the database server, the
database is automatically created.
Supported database servers
App Orchestration supports using the following database servers:
• Microsoft SQL Server 2014 Express, Standard, and Enterprise editions
• Microsoft SQL Server 2012 Express, Standard, and Enterprise editions
Support for database mirroring
For the configuration database, App Orchestration supports the use of mirrored and non-mirrored
databases.
If you want to use mirrored databases in your deployment, consider the following:
• When planning for high availability or disaster recovery of the configuration database, be aware that
App Orchestration only supports using database mirroring and the AlwaysOn feature for these
purposes.
• If you specify a database that does not yet exist when installing the App Orchestration configuration
server, the resulting database cannot be mirrored. The installer does not perform any mirroring
configuration or create a database that supports mirroring by default.
• To use a mirrored database with the deployment, create the mirrored database before you deploy
the App Orchestration configuration server, and ensure the database is empty. When you are
prompted for the service deployment name during installation of the configuration server, enter the
name of this database.
For more information about using mirrored databases with App Orchestration, refer to the document
Configuring Database Mirroring in App Orchestration 2.6.
Support for SQL Server AlwaysOn Availability Group
For the configuration database, App Orchestration supports the use of SQL Server AlwaysOn Availability
Group. If you want to use this feature in your deployment, refer to the section “Detailed steps to
configure an AlwaysOn Group for App Orchestration” of AppOrchestration High Availability.
System requirements
When installing and configuring the database server for your deployment, ensure the following
requirements are met:
Authentication Mode: Windows authentication is enabled.
TCP: Enabled, along with all appropriate IP addresses, in SQL Server Configuration Manager.
SQL PowerShell Provider: Installed. This provider is included with SQL Management Studio.
SQL Server Browser service: Enabled, and set to run automatically.
SQL Server instance: Enabled, and set to run automatically.
Firewall: Allow inbound connections to the database server from the other servers in your App Orchestration deployment. Additionally, enable firewall exceptions for the SQL Server Browser and SQL Server instance. See “Task 1: Create a firewall exception” on page 31.
User account permissions: The user account with which App Orchestration is installed must have the Sysadmin role to create the required accounts and databases during App Orchestration configuration server setup. For more information about required user accounts and permissions, refer to the document Credentials Used in App Orchestration 2.6.
Database security: As a security best practice, ensure that only the NetworkService account for the App Orchestration configuration server has permission to write to the database.
Task 1: Create a firewall exception
To ensure the database server can communicate as required with the other servers in your App
Orchestration deployment, create a Windows Firewall exception on the database server that allows
connections with the other servers.
1. On the database server, click Start > Administrative Tools > Windows Firewall with Advanced
Security.
2. In the left pane, click Inbound Rules.
3. Right-click Inbound Rules and then select New Rule. The New Inbound Rule Wizard appears.
4. On the Rule Type page, select Program and then click Next.
5. On the Program page, select This program path and then click Browse.
6. Locate and select the SQL Server executable and then click Open. Typically, the SQL Server
executable is located at
C:\Program Files\Microsoft SQL Server\MSSQL11.instancename\MSSQL\Binn\sqlservr.exe.
7. On the Action page, select Allow the connection and then click Next.
8. On the Profile page, select Domain, Private, and Public.
9. On the Name page, enter a name for the rule and click Finish.
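A scripted equivalent of the wizard steps above, as an added example that is not part of the Citrix guide. It assumes Windows Server 2012 or later (the NetSecurity module), a default SQL Server instance, a hypothetical rule name, and constructed placeholder addresses for the other deployment servers. Limiting the rule to those addresses follows the Firewall row of the system requirements and goes beyond what the wizard steps configure.

```powershell
# Added example, not from the Citrix guide. Run elevated on the database server.
# Assumptions: NetSecurity module available, default instance service name,
# constructed placeholder addresses, hypothetical rule name.
$instanceService = 'MSSQLSERVER'   # for a named instance use 'MSSQL$instancename'
$deploymentHosts = '192.0.2.10', '192.0.2.11', '192.0.2.12'   # constructed (TEST-NET-1)
$rulePrefix      = 'App Orchestration SQL'                     # hypothetical

function Get-SqlServiceInfo {
    # Returns the executable path, start mode and state of a Windows service.
    param([Parameter(Mandatory = $true)][string]$Name)

    $service = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $service) { throw "Service '$Name' was not found on this server." }

    # PathName looks like '"C:\...\sqlservr.exe" -sMSSQLSERVER'; keep only the path.
    if ($service.PathName -match '^\s*"([^"]+)"' -or
        $service.PathName -match '^\s*(.+?\.exe)\b') {
        $executable = $Matches[1]
    } else {
        throw "Could not parse the executable path for service '$Name'."
    }

    [pscustomobject]@{
        Name       = $Name
        Executable = $executable
        StartMode  = $service.StartMode
        State      = $service.State
    }
}

foreach ($name in $instanceService, 'SQLBrowser') {
    $info = Get-SqlServiceInfo -Name $name

    # The requirements ask for both services to be enabled and set to run automatically.
    if ($info.StartMode -ne 'Auto' -or $info.State -ne 'Running') {
        Write-Warning "$name is $($info.State) with start mode $($info.StartMode)."
    }

    $displayName = "$rulePrefix - $name"
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
        Write-Output "Rule '$displayName' already exists; leaving it unchanged."
        continue
    }

    # Same choices as the wizard (program rule, allow, all three profiles),
    # plus a source restriction to the other servers in the deployment.
    New-NetFirewallRule -DisplayName $displayName -Direction Inbound -Action Allow `
        -Program $info.Executable -Profile Domain, Private, Public `
        -RemoteAddress $deploymentHosts | Out-Null
}

# List what now exists so the program path and scope can be reviewed.
Get-NetFirewallRule -DisplayName "$rulePrefix - *" | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Program       = ($_ | Get-NetFirewallApplicationFilter).Program
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
}
```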
Prepare the App Orchestration configuration server
The App Orchestration configuration server hosts the App Orchestration configuration engine and the
web management console.
Citrix recommends installing App Orchestration on servers containing fresh installations of supported
Microsoft Windows Server operating systems. To upgrade servers running App Orchestration 2.5 to
Version 2.6, refer to the document Upgradability Guide for App Orchestration 2.6. Do not attempt to
upgrade servers running App Orchestration versions older than Version 2.5. Additionally, do not join
servers running previous versions of App Orchestration to a deployment running App Orchestration 2.6.
System requirements
The server you prepare to be the App Orchestration configuration server must meet the following
requirements:
Hardware:
• Dual core processors, 2.6 GHz or higher
• Minimum 3 GB RAM
• Minimum 50 GB free disk space
Operating System: One of the following:
• Windows Server 2008 R2 SP1
• Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition)
Domain Functional Level: Windows Server 2008 R2
Windows Management Framework and PowerShell versions: Depending on your server operating system:
• Version 3.0. The Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595.
• Version 4.0
.NET Framework version: Version 4.5
PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 24.
Windows Update Service: Enabled.
SSL certificates: A server certificate signed by your domain certificate authority is required for deploying the configuration server. Refer to the document Configure SSL for App Orchestration 2.6.
System Temp folder: Must be writable by the Network Service account.
Internet Access: Enabled. Setup accesses Windows Update to verify the full version of the .NET Framework 4.5 is installed and to install .NET updates, if required.
Web browser (for accessing the web management console): Internet Explorer 10 or 11
Important: When preparing the configuration server for App Orchestration installation, ensure the server
operating system and anti-virus software have all appropriate updates and patches, and that the server is free
of untrusted software.
Sequence of preparation tasks for Windows Server 2008 R2 SP1
If you are preparing a server running Windows Server 2008 R2 SP1 as the configuration server, use the
following sequence of tasks to ensure the configuration server is deployed smoothly:
1. Install the operating system and apply all required updates and patches.
2. Install .NET Framework version 4.5.
3. Install Windows Management Framework 3.0, which includes Windows PowerShell 3.0.
4. Install the server certificate required for installation of the configuration server.
5. Join the server to the shared resource domain.
6. Verify the Group Policy settings described in “Configure the App Orchestration Group Policy” on
page 24 have been applied to the App Orchestration root OU of the shared resource domain for your
deployment. For more information about required OUs, see “Prepare your Active Directory domains”
on page 22.
Important: If you join the configuration server to the shared resource domain and enable PowerShell remoting
before you install the Windows Management Framework 3.0 and upgrade to PowerShell 3.0, installing App
Orchestration might fail. If this happens, execute the following command and retry the installation:
winrm delete http://schemas.microsoft.com/wbem/wsman/1/config/plugin?Name=Microsoft.ServerManager
Client OS and browser support for the management console
To manage your deployment, App Orchestration includes a web-based management console. The
console is hosted, by default, on the configuration server, but you can also run the console on other
computers in your environment. To run the console, App Orchestration supports the following web
browsers and operating systems:
Windows
Web Browser  Windows 7 SP1 (32-bit and 64-bit)  Windows 8 (32-bit and 64-bit)  Windows 8.1 (32-bit and 64-bit)  Windows Server 2008 R2 SP1  Windows Server 2012 R2
Internet Explorer 10 X X X
Internet Explorer 11 X X X
Mozilla Firefox 24 X X
Chrome 30 X X
Mac OS and Apple iOS
Web Browser Mac OS X (10.8) Apple iOS 7 (iPad only)
Mozilla Firefox 24 X
Google Chrome 30 X
Apple Safari for iOS X
Internet Explorer 11 Considerations
If you plan to use Internet Explorer 11 with the App Orchestration web console, perform the following
tasks to ensure the web console operates consistently:
Disable AutoComplete to prevent unauthorized console access. In addition to remembering
previous entries for forms and URLs, AutoComplete remembers entries for usernames and passwords.
To prevent unauthorized access to the App Orchestration web console due to remembered credentials,
Citrix recommends disabling AutoComplete on all machines on which Internet Explorer 11 is used to
access the web console. To do this, perform the following actions:
1. From the Start screen, click Settings > Control Panel > Internet Options.
2. Click the Content tab and then under AutoComplete click Settings.
3. Clear the User names and passwords on forms check box and then click OK.
Add the web console as a Trusted Site. Because the web console uses JavaScript, Internet Explorer
11 might prevent the web console from running. To ensure the web console runs consistently, add the
web console URL to the list of Trusted Sites. To do this, perform the following actions:
1. From the Start screen, click Settings > Control Panel > Internet Options.
2. Click the Security tab and then select the Trusted sites security zone.
3. Click Sites and enter the web console URL. The default URL is
https://FQDN-of-AOConfigSvr/camconsole.
Prepare Delivery Controllers and Session Machines
Supported platforms
• XenApp 7.6 and XenDesktop 7.6
• XenApp 6.5 Hotfix Rollup Pack 5
Important: If you have an existing XenDesktop 7.5 deployment that you used with a previous version of App
Orchestration, you can continue to use that deployment with App Orchestration 2.6. However, you cannot
modify the configuration of the servers in that deployment. To use the full set of features of App Orchestration
2.6, Citrix recommends upgrading your XenDesktop 7.5 deployment to XenDesktop 7.6.
System requirements
Servers you prepare as Delivery Controllers and Session Machines must meet the following
requirements:
Hardware:
• Dual core processors, 2.6 GHz or higher
• Minimum 3.0 GB RAM
• Minimum 50 GB free disk space
Operating System (XenApp 7.6 and XenDesktop 7.6):
Delivery Controllers:
• Windows Server 2008 R2 SP1, with PowerShell 4.0
• Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition)
Session Machines:
• Windows XP SP3 (32-bit only), with PowerShell 2.5
• Windows 7 SP1 (32-bit and 64-bit), with PowerShell 4.0
• Windows 8 (32-bit and 64-bit)
• Windows 8.1 (32-bit and 64-bit)
• Windows Server 2008 R2 SP1, with PowerShell 4.0
• Windows Server 2012, with PowerShell 4.0
• Windows Server 2012 R2
Operating System (XenApp 6.5 HRP5): Windows Server 2008 R2 SP1, with PowerShell 4.0
Domain Functional Level:
• Windows Server 2008 R2
• Windows Server 2012
.NET Framework version: Version 4.5. If the .NET Framework is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically.
Note: For Session Machines running Windows 2008 R2 or a prior version, make sure .NET Framework 3.5.1 is installed before running App Orchestration Install Center.
Windows Management Framework (WMF) and PowerShell version: Version 4.0.
For Windows 7, Windows Server 2008 R2 SP1, and Windows Server 2012, the WMF 4.0 package is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. If WMF 4.0 is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically. Alternatively, you can download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.
Important: For Session Machines running Windows 7 32-bit operating systems, upgrading to WMF 4.0 can render PSSessionConfiguration functions unusable, preventing the machine from being imported to a catalog. To avoid this issue, be sure to run the following cmdlet prior to installing the single user Virtual Delivery Agent:
Register-PSSessionConfiguration -Name Microsoft.PowerShell
PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 24.
Windows Update Service: Enabled.
Automatic updates: Disabled on all servers prepared as Session Machines.
Windows Server Roles: .NET Framework 3.5.1.
Database server: Microsoft SQL Server 2012 Express, Standard, and Enterprise editions
Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See "Install App Orchestration” on page 45.
Administrator accounts: A Delivery Site administrator account is required for deploying Delivery Sites in App Orchestration. For more information about the user accounts required for deploying Delivery Sites and Session Machines, refer to the document Credentials Used in App Orchestration 2.6.
Important: When you add the initial Controllers to a Delivery Site or Session Machines to a catalog, App
Orchestration uses these machines to construct machine profiles that are used to evaluate subsequent
machines that are added to the Site or catalog. If these machines do not match the profile for the Site or
catalog, they are not added to the deployment. Therefore, each machine you add to a Site or catalog must
have the same machine configuration, operating system and updates, Citrix product version, and installed
applications as the first machines you deployed. To add machines with differing configurations, create a new
Delivery Site or Session Machine Catalog as appropriate.
Support for aggregating existing Delivery Sites
Aggregating applications and desktops enables users to access offerings that are available in multiple
StoreFront stores from a single point of access. Using aggregation, you can add Delivery Sites that
already exist in your environment to your App Orchestration deployment.
App Orchestration supports aggregating existing Delivery Sites that run the following versions of
XenApp or XenDesktop:
• XenApp 5.0, 6.0, and 6.5
• XenDesktop 5.5, 5.6, 7.0, and 7.1
• XenApp 7.5 and XenDesktop 7.5
• XenApp 7.6 and XenDesktop 7.6
Aggregation of Delivery Sites running versions of XenApp or XenDesktop that are older than specified in
this section (such as Citrix Presentation Server 4.5) is not supported. For a complete list of all XenApp
and XenDesktop versions that are supported for Delivery Site aggregation, refer to the StoreFront topic
Infrastructure requirements on Citrix eDocs.
Considerations for Delivery Controllers in cross-forest private Delivery Sites
When creating a Delivery Site in a tenant’s private resource domain that resides in a different forest than
the shared resource domain, a trust relationship must exist between the Delivery Controllers in the
tenant’s resource domain and the shared resource domain. You can create this trust using one of the
following methods:
• Using the Zero Trust Agent in the tenant’s resource domain and configuring SSL on the Delivery
Controllers. The Zero Trust Agent facilitates secure communication between the App Orchestration
configuration server and the tenant’s isolated resource domain. For more information, refer to the
documents Deploying the Zero Trust Agent in App Orchestration 2.6 and Configuring SSL for App
Orchestration 2.6.
• Establishing a one-way trust in which the shared resource domain trusts the tenant’s resource
domain. This trust allows the App Orchestration agents residing on the Delivery Controllers to
authenticate with the App Orchestration engine using integrated Active Directory authentication.
Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5
Because servers running XenApp 6.5 run an older version of the Citrix Group Policy snap-in by default
(Version 1.5.0.0), Group Policy settings associated with App Orchestration might not display correctly
when viewed with the Group Policy Management Console on a XenApp 6.5 server. To avoid this issue,
update the Citrix Group Policy snap-in with the newer version that comes with XenApp 7.6 and
XenDesktop 7.6 (Version 2.4.0.0). To do this, perform the following actions:
1. On the XenApp 7.6 and XenDesktop 7.6 installation media, locate the
CitrixGroupPolicyManagement_x64.msi file in the /x64/Citrix Policy folder.
2. On the XenApp 6.5 servers in your deployment, run the CitrixGroupPolicyManagement_x64.msi
file to update the Citrix Group Policy snap-in.
Task 2: Configure SSL on Delivery Sites and Session Machines
To avoid security risks, Citrix recommends that you use SSL to secure communications between the
following components:
• Between Delivery Controllers and StoreFront servers: For more information about configuring
SSL for App Orchestration, see the document Configure SSL for App Orchestration 2.6.
• Between Session Machines and NetScaler Gateway: As part of deploying NetScaler Gateway in
your environment, a signed SSL certificate and, if applicable, a trusted root certificate are required.
For Session Machines running XenDesktop 7.6, XenApp 7.6, or XenApp 6.5 FP4, manually
configure SSL and install a signed SSL certificate on each machine. If you use App Orchestration to
aggregate Delivery Sites running XenDesktop 5.6, ensure the Session Machines and Delivery
Controllers in those Sites have the latest public hotfix applied.
Prepare StoreFront servers
StoreFront authenticates users to sites hosting resources and manages stores of applications and
desktops that users access with Citrix Receiver.
System requirements
Servers prepared as StoreFront servers have the following requirements:
Hardware:
• Dual core processors, 2.6 GHz or higher
• Minimum 3.0 GB RAM
• Minimum 50 GB free disk space
Operating System:
• Windows Server 2008 R2 SP1, with PowerShell 3.0
• Windows Server 2012 R2 (Standard, Enterprise, or Datacenter Edition)
Windows Management Framework and PowerShell version: Depending on your server operating system:
• Version 3.0. For Windows Server 2008 R2 SP1, the Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595
• Version 4.0. For Windows Server 2012 R2, the Windows Management Framework is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. Alternatively, download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.
Domain Functional Level:
• Windows Server 2008 R2
• Windows Server 2012
.NET Framework version:
• Windows Server 2008 R2 SP1: .NET Framework 4.5. This executable is located in the Support folder of the App Orchestration installation media.
• Windows Server 2012: .NET Framework 3.5. For information on enabling this feature, see the article “Install or Uninstall Roles, Role Services, or Features” on the Microsoft web site.
PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 24.
Windows Update Service: Enabled.
Windows Server Roles:
• .NET Framework 3.5.1
• Web Server (IIS), with all default role services
SSL certificate: A server certificate signed by your domain certificate authority is required for deploying StoreFront servers. Refer to the document Configure SSL for App Orchestration 2.6.
Database server:
• Microsoft SQL Server 2012 Express, Standard, and Enterprise editions
Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See "Install App Orchestration” on page 45.
Server group requirements
In App Orchestration, you add StoreFront servers to a deployment by creating server groups. A server
group is a collection of one or more StoreFront servers. When adding StoreFront servers to your
deployment, consider the following requirements:
• To add tenants, App Orchestration requires at least one StoreFront server in the deployment. You can
deploy multiple StoreFront server groups to provide high availability and scalability.
• The StoreFront servers that are included in the server group must have the same version of StoreFront
installed. Including servers of differing StoreFront versions in the same server group is not supported.
Security Considerations for App Orchestration 2.6
When planning to deploy machines in your App Orchestration environment, be sure to review the
security best practices and recommendations for the Citrix products that are used with App
Orchestration. Refer to the following topics in Citrix eDocs:
• XenApp 7.6 and XenDesktop 7.6: Security
• XenApp 6.5: Security Standards and Deployment Scenarios
• StoreFront 3.0: Secure your StoreFront deployment
• NetScaler Gateway: Planning for Security with NetScaler Gateway
Additionally, for up-to-date information about security standards and Citrix products, visit
http://www.citrix.com/security.
SSL recommendations
Some of the core components in your App Orchestration deployment – configuration server, Delivery
Controllers, and StoreFront servers – require that SSL be configured prior to inclusion in the deployment.
For instructions for configuring SSL for these components, refer to the document Configure SSL for App
Orchestration 2.6.
Additionally, Citrix recommends using SSL to secure connections with the other components in your App
Orchestration deployment, including API calls, connections to and from the configuration database, and
the web management console.
Restrict PowerShell remoting sessions
Citrix recommends limiting access to PowerShell remoting sessions to the Authenticated Users group.
This helps ensure that one-time administrator credentials are not intercepted by a malicious user when
passed between a registered App Orchestration agent and a newly-installed agent.
SMB security signatures
Citrix recommends requiring client-side and server-side SMB security signatures for all servers in your
deployment. This helps ensure that SMB packets are not modified in transit among the servers in your
deployment. To require SMB security signatures, configure the following Group Policy settings:
Setting Location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Policy Setting: Microsoft network client: Digitally sign communications (always)
Setting Value: Enabled
Setting Location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Policy Setting: Microsoft network server: Digitally sign communications (always)
Setting Value: Enabled
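To confirm that both policies have taken effect, the check below reads the registry values they set on each server over PowerShell remoting. It is an added example, not part of the Citrix guide; the server names are hypothetical placeholders.

```powershell
# Added example, not from the Citrix guide. Server names are hypothetical.
$servers = 'aoconfig01', 'ddc01', 'storefront01', 'sql01'

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    # Registry values behind the two "Digitally sign communications (always)" policies.
    $checks = @(
        @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' },
        @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    )

    foreach ($check in $checks) {
        $item = Get-ItemProperty -Path $check.Path -Name RequireSecuritySignature `
            -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy   = $check.Policy
            Value    = $item.RequireSecuritySignature   # 1 = signing required
            Required = ($item.RequireSecuritySignature -eq 1)
        }
    }
}

# Servers where the client side or the server side does not require signing.
$nonCompliant = $results | Where-Object { -not $_.Required } |
    Select-Object PSComputerName, Policy, Value

# Servers that returned nothing are reported separately, not assumed compliant.
$notChecked = $servers | Where-Object { $results.PSComputerName -notcontains $_ }

if ($nonCompliant) {
    $nonCompliant | Format-Table -AutoSize
} else {
    Write-Output 'All servers that answered require SMB signing on both sides.'
}
if ($notChecked) {
    Write-Warning "Not checked (remoting failed): $($notChecked -join ', ')"
}
```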
Machine hardening techniques
To mitigate security risks such as "pass-the-hash" attacks, Citrix recommends the following techniques
for reducing the attack surface of the machines in your App Orchestration deployment:
• Use unique local account passwords. When deploying machines from an image or template,
ensure that each machine you deploy has unique local administrator credentials. This helps prevent
a malicious user from reusing credentials gained elsewhere to compromise additional machines.
• Restrict remote access for local administrator accounts. Consider removing network and
remote interactive logon privileges from local non-service accounts, such as local administrator
accounts. This technique forces machines to be physically administered or remotely administered
using a domain account. When remotely administering machines in your deployment, use tools and
methods that do not leave reusable credentials in memory, such as using an MMC snap-in or
initiating a PowerShell remoting session (for example, Enter-PSSession ServerName). Additionally,
the domain accounts you use to administer machines should possess only the privileges required to
perform the tasks needed. Do not use highly trusted domain accounts to administer lower trusted
machines (for example, using a Domain Admin account to administer a client workstation).
Restrict access for tenant user accounts
To mitigate security risks to the machines in the shared resource domain, Citrix recommends that only
members of the orchestration service group have permission to access these machines. Tenants' users
should not have Domain Admin or local administrator privileges on any machines or components in the
App Orchestration deployment. Tenants' users should be able to access only the applications and
desktops that are hosted on these machines.
To limit tenants' access only to the machines that are privately allocated to them, Citrix recommends
using private Active Directory forests for each tenant, creating offerings that employ Private Delivery Site
isolation, and using Private server groups to deliver offerings to tenants' users. These isolation levels
help ensure that tenants' private machines are kept separate from the machines in the shared resource
domain, thus limiting the opportunity for a malicious user to gain access to other tenants' machines or
data in the deployment.
Additionally, for domain agent machines in a tenant’s resource domain, Citrix recommends that only
service provider administrators have permission to access these machines directly, as they are the only
users authorized to access the domain. Tenants’ users should not have Domain Admin or local
administrator privileges on these machines.
XenApp Session Machine isolation
To ensure Session Machines running XenApp 6.5 FP4 are adequately isolated in your App
Orchestration deployment, Citrix recommends creating offerings that employ Private Delivery Site
isolation. By using this isolation level, the Session Machines and the Delivery Site with which they are
associated are connected to a specific tenant's private management network and the desktops and
applications that are hosted on the machines are accessible only by the tenant's users. Because these
machines are privately allocated, not shared, this isolation level helps prevent a malicious user from
gaining elevated privileges on the XenApp Delivery Site by way of the associated Session Machines.
Session Machine Catalog upgrades
When upgrading Session Machine Catalogs, consider the following:
• When upgrading multiple machines through a scripted or otherwise automated process, ensure that
no administrator credentials are sent to updated Session Machines. This includes using Basic
authentication for PowerShell remoting.
• If CredSSP is enabled in your environment, administrators should not use PowerShell remoting with
implicit authentication to connect to Session Machines.
• Do not encode credentials in any updating scripts.
For more information about upgrading Session Machine Catalogs, see the document Upgrading Session
Machine Catalogs in App Orchestration 2.6.
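One way to review update scripts against the upgrade considerations above before they are run against a catalog. This is an added example, not part of the Citrix guide; the patterns are an illustrative starting set, the function name is hypothetical, and the two sample scripts are constructed so the scan can be tried offline.

```powershell
# Added example, not from the Citrix guide.
function Find-CredentialRisk {
    # Scans script files under $Path for the practices the guide warns against.
    param([Parameter(Mandatory = $true)][string]$Path)

    # Illustrative starting set of patterns (assumption); extend for your scripts.
    $patterns = [ordered]@{
        'Basic authentication for PowerShell remoting' = '-Authentication\s+Basic\b'
        'CredSSP requested for PowerShell remoting'    = '-Authentication\s+CredSSP\b'
        'Plain-text password turned into a credential' = 'ConvertTo-SecureString\b.*-AsPlainText'
        'Password literal in the script'               = '\b(password|passwd|pwd)\s*=\s*["''][^"'']+["'']'
    }

    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.cmd, *.bat
    foreach ($finding in $patterns.Keys) {
        # Select-String matches case-insensitively by default.
        $files | Select-String -Pattern $patterns[$finding] | ForEach-Object {
            [pscustomobject]@{
                Finding = $finding
                File    = $_.Path
                Line    = $_.LineNumber
                Text    = $_.Line.Trim()
            }
        }
    }
}

# Constructed sample scripts (not real credentials or hosts).
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'ao-upgrade-scan-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

@'
$password = 'Example-Not-Real'
$secure   = ConvertTo-SecureString $password -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential('EXAMPLE\svc-upgrade', $secure)
Invoke-Command -ComputerName sm01 -Credential $cred -Authentication Basic -ScriptBlock { hostname }
'@ | Set-Content -Path (Join-Path $sampleDir 'flagged-upgrade.ps1')

@'
# Runs as the logged-on domain account; no credential is stored or forwarded.
Invoke-Command -ComputerName sm01 -ScriptBlock { hostname }
'@ | Set-Content -Path (Join-Path $sampleDir 'clean-upgrade.ps1')

# Review the findings; only flagged-upgrade.ps1 should appear.
Find-CredentialRisk -Path $sampleDir | Format-Table Finding, File, Line -AutoSize
```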
Install App Orchestration
There are four key tasks in the Install phase of App Orchestration:
1. Copy the downloaded files to the appropriate locations.
2. Install prerequisites.
3. Install the App Orchestration software.
4. Perform post-install configuration.
Overview
Accounts and Permissions
You’ll need the following accounts and permissions:
• A Citrix web site account, for downloading and installing App Orchestration.
• Permission to install the App Orchestration package on the server to be designated as the App
Orchestration configuration server.
• Database administrator credentials for the SQL Server configuration database, for post-install
configuration.
• Credentials to create a Group Policy Object and link it to the OU being used for App Orchestration,
so you can set policies for PowerShell remoting.
Prerequisites
Make sure that all of the machines you will be using with App Orchestration are under the root OU for
your deployment.
Personas
Two personas are involved in the Install phase of App Orchestration: the Infrastructure Engineer and
Service Designer. In your organization, these functions may be performed by different people, or by one
person who wears both hats.
The Infrastructure Engineer provides the following items:
• The SQL Server database administrator credentials
• The App Orchestration root OU in Active Directory and the credentials for that OU
• The required SSL certificates. You need a certificate for the following components:
o Each App Orchestration configuration server
o The global site Load Balancer
o Each StoreFront server group, and the load balancer for each server group
o Each NetScaler Gateway
Note: You can use a wildcard certificate for the AO Configuration Server and for multiple StoreFront Server
Groups in the same domain.
If you are using NetScaler Gateway, you can minimize your SSL certificate costs by getting only the certificates
for the App Orchestration Configuration Server and global site Load Balancer from a public Certificate
Authority. For the StoreFront Server Groups, the Load Balancer for each StoreFront Server Group, and
NetScaler, create your own Certificate Authority and use it to issue trusted certificates. At the network layer,
secure communications between NetScaler and the VDA, and between the StoreFront Server Group and
Delivery Controller, to ensure they cannot be intercepted.
If you are not using NetScaler Gateway, you can minimize cost by using a public Certificate Authority only for
the certificates for the App Orchestration Configuration Server and the Load Balancer for each StoreFront
Server Group.
The Service Designer performs the following tasks:
• Install the App Orchestration software
• Perform post-install configuration
Pitfalls to Avoid
The best way to avoid pitfalls in the Install phase is to follow the Appendix: Setup Checklist carefully.
Make sure that:
• The appropriate SSL certificates are installed.
• The App Orchestration product media folder can be reached by the servers in your deployment.
• Networks and routing are configured correctly.
Task 1: Download the product media
To prepare Delivery Sites, Session Machines, and StoreFront server groups, App Orchestration
accesses a product media folder that hosts the Citrix software for these components. This folder can be
local to all machines (recommended), or on a portable drive, a network share of any kind, or any other
location that is visible to all of your machines. Citrix recommends that you protect this folder with
appropriate access controls, to prevent unauthorized access that might result in file corruption or the
introduction of malware.
Option 1: App Orchestration 2.6 with bundle
1. Navigate to the download page for the Citrix Cloud Provider Pack.
2. Log on to your Citrix account and download App Orchestration 2.6 with Bundle.
3. Extract the downloaded App_Orchestration_2.6_Bundle.zip file into a folder of your choice (for
example, AO) with the following layout:
You do not need to do anything more to build the product media folder.
Option 2: App Orchestration 2.6
1. Navigate to the download page for the Citrix Cloud Provider Pack.
2. Log on to your Citrix account and download App Orchestration 2.6.
3. Extract the downloaded App_Orchestration_2.6.zip file into a folder of your choice, for example,
AO with the following layout.
4. From the App Orchestration image folder, expand the Setup folder:
Setup
    ProductMedia
        CloudAppManagement
5. Build out the product media folder.
Note: The product media folder hosts the media for App Orchestration and any related products
required during App Orchestration installation.
In ProductMedia, create the following folders. Create the XenApp folder and its subfolders if your
deployment will use XenApp 6.5. Create the XenDesktop folder if your deployment will use XenApp
7.6 or XenDesktop 7.6. Create the CitrixStoreFront folder if your deployment will use StoreFront
3.0.
6. Download the relevant software to the ProductMedia folder:
Component: StoreFront 3.0
Download this file: Navigate to the StoreFront download page and download StoreFront 3.0.
Copy the downloaded file to this folder: Copy the download file to the CitrixStoreFront folder.

Component: XenApp 6.5
Download this file: Navigate to the XenApp 6.5 download page to download XenApp 6.5, and download Hotfix Rollup Pack 5 from the HRP 5 download page.
Copy the downloaded file to this folder:
• Copy the XenApp software to the XenApp folder
• Copy the entire contents of the Hotfix Rollup Pack 5 to XenApp\XenAppHRP
• Copy the entire Setup\ProductMedia\CloudAppManagement\Support\SQLServer2012 folder to the XenApp\Support folder

Component: XenApp 7.6 and XenDesktop 7.6
Download this file: Navigate to the XenApp download page or the XenDesktop download page and download the Version 7.6 Platinum Edition.
Copy the downloaded file to this folder: Copy the XenDesktop software to the XenDesktop folder.

Component: Hotfix for Citrix Studio 7.6
Download this file: Download the hotfix from the x64 version download page or the x86 version download page.
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and replace the same files under the XenDesktop folder:
o For x64 version: rename DStudio760WX64002.msi to DesktopStudio_x64.msi and copy to the XenDesktop\x64\DesktopStudio folder
o For x86 version: rename DStudio760WX86002.msi to DesktopStudio_x86.msi and copy to the XenDesktop\x86\DesktopStudio folder

Component: Hotfixes Update 2 - For Delivery Controller 7.6 (x64 version)
Download this file: Download the hotfix from the x64 version download page.
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and copy to the XenDesktop folder:
o Rename BrokerSrvc760WX64002.msi to Broker_Service_x64.msi and copy to the XenDesktop\x64\Citrix Desktop Delivery Controller folder
o Rename ConfigMgrWOL760WX64002.msi to ConfigMgr_WOL_Plugin_x64.msi and copy to the XenDesktop\x64\Citrix Desktop Delivery Controller folder
o Rename HostSrvc760WX64002.msi to Host_Service_x64.msi and copy to the XenDesktop\x64\Citrix Desktop Delivery Controller folder
o Rename MCSrvc760WX64002.msi to MachineCreation_Service_x64.msi and copy to the XenDesktop\x64\Citrix Desktop Delivery Controller folder
o Rename MonitorPSSI760WX64002.msi to Monitor_PowerShellSnapIn_x64.msi and copy to the XenDesktop\x64\Citrix Desktop Delivery Controller folder
o Rename MonitorSrvc760WX64002.msi to Monitor_Service_x64.msi and copy to the XenDesktop\x64\Citrix Desktop Delivery Controller folder

Component: Hotfixes Update 2 - For Delivery Controller 7.6 (x86 version)
Download this file: Download the hotfix from the x86 version download page.
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and copy to the XenDesktop folder:
o Rename BrokerSrvc760WX86002.msi to Broker_Service_x86.msi and copy to the XenDesktop\x86\Citrix Desktop Delivery Controller folder
o Rename ConfigMgrWOL760WX86002.msi to ConfigMgr_WOL_Plugin_x86.msi and copy to the XenDesktop\x86\Citrix Desktop Delivery Controller folder
o Rename HostSrvc760WX86002.msi to Host_Service_x86.msi and copy to the XenDesktop\x86\Citrix Desktop Delivery Controller folder
o Rename MCSrvc760WX86002.msi to MachineCreation_Service_x86.msi and copy to the XenDesktop\x86\Citrix Desktop Delivery Controller folder
o Rename MonitorPSSI760WX86002.msi to Monitor_PowerShellSnapIn_x86.msi and copy to the XenDesktop\x86\Citrix Desktop Delivery Controller folder
o Rename MonitorSrvc760WX86002.msi to Monitor_Service_x86.msi and copy to the XenDesktop\x86\Citrix Desktop Delivery Controller folder

Component: Hotfix For Machine Identity Service Agent 7.6
Download this file: Download the hotfix from the x64 version download page or the x86 version download page.
Copy the downloaded file to this folder:
• Rename the downloaded .msi files and copy to the XenDesktop folder:
o For x64 version: rename MISA760WX64001.msi to MachineIdentityServiceAgent_x64.msi and copy to the XenDesktop\x64\Virtual Desktop Components folder
o For x86 version: rename MISA760WX86001.msi to MachineIdentityServiceAgent_x86.msi and copy to the XenDesktop\x86\Virtual Desktop Components folder

Component: Feature Pack 2 - For XenDesktop 7.6
Download this file: Download the feature pack from the XenDesktop FP2 download page.
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and replace the same .msi files under the XenDesktop folder:
o Copy DesktopDirector_x64.msi and replace XenDesktop\x64\DesktopDirector\DesktopDirector.msi
o Copy DesktopDirector.msi and replace XenDesktop\x86\DesktopDirector\DesktopDirector.msi
o Rename GPMx240WX64002.msi to CitrixGroupPolicyManagement_x64.msi and copy to XenDesktop\x64\Citrix Policy
o Rename GPMx240WX86002.msi to CitrixGroupPolicyManagement_x86.msi and copy to XenDesktop\x86\Citrix Policy
o Rename HDXWMIPROV220WX64001.msi to CitrixHDXWMIProvider-x64.msi and copy to XenDesktop\x64\Virtual Desktop Components\TS
o Copy WMIProxy_x64.msi to XenDesktop\x64\Virtual Desktop Components
o Copy WMIProxy_x86.msi to XenDesktop\x86\Virtual Desktop Components
o Rename XDPoshModule760WX64002.msi to XDPoshSnapin_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller
o Rename XDPoshModule760WX86002.msi to XDPoshSnapin_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller

Component: Feature Pack 2 - For XenDesktop 7.6 (Cont.)
Copy the downloaded file to this folder:
• Copy the download .msp files to XenDesktop\MspHotfixes:
o Copy ICATS760WX64022.msp to XenDesktop\MspHotfixes\x64\Virtual Desktop Components\Server
o Copy ICAWS760WX64022.msp to XenDesktop\MspHotfixes\x64\Virtual Desktop Components\WorkStation
o Copy ICAWS760WX86022.msp to XenDesktop\MspHotfixes\x86\Virtual Desktop Components\WorkStation
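
The rename-and-copy steps for the Delivery Controller 7.6 hotfixes can be scripted so that a file is staged only when its Authenticode signature validates, which supports the recommendation above to keep malware out of the product media folder. This is an added example, not Citrix code: the function name and the paths in the usage comment are placeholders, and it assumes the extracted .msi files sit in one flat folder.

```powershell
# Added example (not Citrix code). Stages the Delivery Controller 7.6 hotfix
# .msi files using the rename table in this task, skipping any file whose
# Authenticode signature does not validate. Requires PowerShell 4.0 or later
# (Get-FileHash).
function Copy-HotfixToProductMedia {    # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder holding the extracted hotfix .msi files (assumed flat).
        [Parameter(Mandatory = $true)][string]$DownloadFolder,
        # Path to Setup\ProductMedia in the App Orchestration image folder.
        [Parameter(Mandatory = $true)][string]$ProductMedia
    )

    # Downloaded-name prefix -> name the media layout expects (from the table).
    $renames = [ordered]@{
        BrokerSrvc   = 'Broker_Service'
        ConfigMgrWOL = 'ConfigMgr_WOL_Plugin'
        HostSrvc     = 'Host_Service'
        MCSrvc       = 'MachineCreation_Service'
        MonitorPSSI  = 'Monitor_PowerShellSnapIn'
        MonitorSrvc  = 'Monitor_Service'
    }

    foreach ($arch in 'x64', 'x86') {
        $destDir = Join-Path $ProductMedia "XenDesktop\$arch\Citrix Desktop Delivery Controller"
        if (-not (Test-Path -LiteralPath $destDir -PathType Container)) {
            Write-Warning "Missing $destDir; copy the XenDesktop 7.6 media first."
            continue
        }
        foreach ($prefix in $renames.Keys) {
            # e.g. BrokerSrvc760WX64002.msi -> Broker_Service_x64.msi
            $source = Join-Path $DownloadFolder ('{0}760W{1}002.msi' -f $prefix, $arch.ToUpper())
            $target = Join-Path $destDir ('{0}_{1}.msi' -f $renames[$prefix], $arch)

            if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
                Write-Warning "Not found: $source"
                continue
            }
            # Status is 'Valid' only if the file is unmodified since signing
            # and the signer chains to a root this machine trusts.
            $sig = Get-AuthenticodeSignature -FilePath $source
            if ($sig.Status -ne 'Valid') {
                Write-Warning "Skipping $source (signature status: $($sig.Status))"
                continue
            }
            if ($PSCmdlet.ShouldProcess($target, "Copy $source")) {
                Copy-Item -LiteralPath $source -Destination $target -Force
                # Emit one manifest record per staged file for later comparison.
                [pscustomobject]@{
                    File   = $target
                    Signer = $sig.SignerCertificate.Subject
                    SHA256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                }
            }
        }
    }
}

# Usage (placeholder paths): preview with -WhatIf, then keep the manifest.
# Copy-HotfixToProductMedia -DownloadFolder 'D:\Downloads\Hotfixes' -ProductMedia 'D:\AO\Setup\ProductMedia' -WhatIf
# Copy-HotfixToProductMedia -DownloadFolder 'D:\Downloads\Hotfixes' -ProductMedia 'D:\AO\Setup\ProductMedia' |
#     Export-Csv -Path .\product-media-manifest.csv -NoTypeInformation
```

A valid signature does not by itself confirm the publisher, so review the Signer column. Re-running Get-FileHash against the saved manifest later shows whether any staged file has changed.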
Task 2: Install App Orchestration components
Use the Citrix App Orchestration Install Center to install App Orchestration and prepare your machines
for deployment as Delivery Sites, Session Machines, and StoreFront servers. To save time when
installing the same component on multiple machines, you can install the component on one virtual
machine and then create a template of that machine. When you need a new machine of that type,
simply reuse the template instead of repeating the installation steps.
1. Copy the App Orchestration 2.6 image folder to each prepared machine.
2. From the image folder, double-click Setup.exe to launch the Citrix App Orchestration Install Center.
The Install Center screen appears.
3. Click App Orchestration Configuration Server to install the configuration server on one or more
machines.
4. If you have any domains that are isolated from the App Orchestration configuration server, install the
App Orchestration Domain Agent on a dedicated machine in each of those domains. For more
information about using isolated domains, refer to the document Deploying the Zero Trust Agent in App
Orchestration 2.6.
Note: If you need to install the domain agent software on multiple servers and are considering creating a
template, just install the domain agent software on the template machine. Do not continue to the App
Orchestration Server Configuration wizard. You will need to run the wizard on each new machine you create
from the template.
5. For Delivery Controllers, Session Machines, and StoreFront servers, create a template for each
machine type:
a. Create the first machine of the relevant type and install the appropriate software:
• For Delivery Sites using XenApp 7.6 or XenDesktop 7.6, install the XenApp and
XenDesktop 7.6 Delivery Controller software. The associated App Orchestration agent
is automatically installed.
• For Delivery Sites using XenApp 6.5, install the XenApp 6.5 Controller software. The
associated App Orchestration agent is automatically installed.
Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and
select the XenApp 6.5 Controller tile to complete the installation.
• For Session Machines running XenApp 7.6 and XenDesktop 7.6 that will use on-demand
provisioning, install the appropriate Virtual Delivery Agent on each Session Machine. For
more information, refer to the document Provisioning Session Machines On-demand in App
Orchestration 2.6.
• For Session Machines that will host offerings on Delivery Sites using XenApp 6.5, install
the XenApp 6.5 Session Host software.
Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and
select the appropriate Session Machines tile to complete the installation.
• For StoreFront server groups, install the Citrix StoreFront 3.0 software. The associated
App Orchestration agent is automatically installed.
b. Delete the entire App Orchestration 2.6 image folder and its contents from this machine, and also
delete it from the Recycle Bin.
Note: This step is especially important for Session Machines, to prevent the installation software from
being available to subsequent user sessions on those machines.
c. Shut down the machine.
d. Make a Full Copy of the virtual machine.
e. Start the copied image and run sysprep. Do not reboot or restart the machine afterward. For
more information about sysprep, refer to the article Sysprep (System Preparation) Overview on
the Microsoft web site.
Important: If you are creating a XenDesktop Session Machine template to be used as the VDA master image
template for on-demand provisioning, skip this step; XenDesktop Machine Creation Services [MCS] cannot
provision machines from a master image template on which you have run sysprep.
cd %windir%\system32\sysprep
sysprep /generalize /shutdown /oobe
f. Convert the virtual machine into a template.
g. Use the template to create additional virtual machines of the same type:
• At least one machine, for a single Delivery Site running XenApp 7.6 and XenDesktop 7.6
or XenApp 6.5.
• At least one Session Machine for hosting applications and desktops, with additional
Session Machines as necessary to provide more capacity for offerings.
• At least one machine running StoreFront 3.0, comprising a single StoreFront server
group.
Configure App Orchestration
Accounts and Permissions
In the Configuration phase of App Orchestration, you’ll need the following accounts and permissions:
• App Orchestration configuration server installation and configuration credentials, which must be a
member of the orchestration server administrators group.
• Optionally, read-only credentials for the default user domain.
Prerequisites
Before you start the Configuration phase, make sure you’ve set up your environment according to the
instructions in this document. For example, you’ll need to know the names for your shared resource and
default user domains, your default datacenter, and your external DNS suffix that users will use to access
their environments.
Personas
Typically, the only persona involved in this phase is the Service Designer, who is responsible for
configuring App Orchestration.
Pitfalls to Avoid
Follow these simple rules to avoid pitfalls in the Configuration phase:
• After you have configured the names for the resource domain and user domain, you cannot change
them.
• The domain functional level for all RESOURCE domains must be Windows Server 2008 R2 or
higher.
• The network names on your compute resources must exactly match the names you specify in App
Orchestration under Global Settings Summary > Advanced Settings > Enable network
isolation.
Task 1: Configure the App Orchestration configuration server
After you install the App Orchestration software on the configuration server, you will need to supply
additional details about your deployment environment. The App Orchestration installer prompts you for
the following information:
Service deployment name: This value becomes the name of the configuration database that App
Orchestration creates. Additionally, App Orchestration creates a logging database for the
deployment using the format “ServiceDeploymentNameLogging.”
Database server: The FQDN of the SQL Server that hosts the App Orchestration configuration and
logging databases.
Administrators group: This group contains non-privileged user accounts for administering your App
Orchestration deployment. For more information about this group, see the document Credentials
Used in App Orchestration 2.6.
SSL certificate: A server certificate signed by your domain certificate authority is required to secure
connections with the configuration server. For more information about using SSL with App
Orchestration, see the document Configuring SSL for App Orchestration 2.6.
Existing deployment information: If you are deploying a configuration server to an existing App
Orchestration deployment, enter only the server’s FQDN. If you use the server’s IP address or
NetBIOS name instead, App Orchestration displays an error message indicating the server cannot
be contacted.
Task 2: Configure global settings
After you perform the initial configuration, use the App Orchestration web console to configure the global
settings for the deployment. This includes providing the following information:
Shared resource and default user domains: The shared resource domain contains the root OU
where the configuration server and all resources that will be shared among multiple tenants reside.
The default user domain contains the OUs where user accounts for tenants using shared resources
reside. You can specify different domains for shared resources and user accounts or you can use
the same domain for both. These domains and the root OU must exist already in your environment;
App Orchestration does not create them. For more information about these domains, see “Prepare
your Active Directory domains” on page 22.
Orchestration service account: This is the primary App Orchestration administrator. The
orchestration service account is a non-privileged user account and must be a member of the
administrators group you specified during installation. This account should not belong to the Domain
Admins group. The orchestration service account must exist already in your environment; the
installation process does not create it. For more information about this account, see “Create
administrator account” on page 27.
Default datacenter: The default location for shared resources. In general, datacenters contain
resources in the same geographic location. For more information about datacenters, see the
document Deploying a Multi-Datacenter Environment in App Orchestration 2.6.
Licensing: The FQDN and port of the Citrix Licensing server in your environment.
Note: If you are using IPv6 addressing for the Licensing server, surround the address with brackets when you
specify it for App Orchestration. For example: [FE80::0202:B3FF:FE1E:8329]
External DNS suffix: The DNS suffix that is used to configure the NetScaler Gateway address.
Network isolation and NetScaler Gateway: Select whether or not to enable network isolation and
use with NetScaler Gateway. If you enable network isolation, enter the labels of the virtual networks
you created on your compute resources. If you enable use with NetScaler Gateway, specify the
correct address for the appliance.
Customer Experience Improvement Program: Select whether or not to join the Citrix Customer
Experience Improvement Program (CEIP), which gives you the opportunity to contribute to the design
and development of Citrix products. When you enroll in the program, Citrix collects anonymous
information about your deployment, which is used to improve product quality, reliability, and
performance.
Define App Orchestration infrastructure
App Orchestration infrastructure refers to the datacenters, compute resources, domains, and instance
configurations that provide network and tenant isolation for your deployment.
Accounts and Permissions
App Orchestration orchestrates across one or more Active Directory domains. Before using App
Orchestration, make sure you have at least one Active Directory resource domain to use for shared
resources. If you plan to store user accounts in a separate domain, create that default user domain as
well.
Within the shared resource domain, you must have one OU with a credential that has full control and is
also able to initiate a PowerShell remoting session to all servers within that domain.
If you are using a separate user domain, you must also have a credential that is able to create Active
Directory user groups inside that domain.
Domains in App Orchestration can span multiple datacenters. If your deployment includes multiple
datacenters, ensure that you have a domain controller in every datacenter where a domain will be used.
The shared resource domain must exist in all datacenters and, therefore, must have a domain controller
in every datacenter.
Prerequisites
Before you start the Define phase of App Orchestration, make sure:
• The required domains exist
• You have credentials for each domain
• You have created the required OUs in each domain
You must also apply a PowerShell remoting policy to all resource domains used by App Orchestration.
Remember to run gpupdate on each machine to apply the policy.
Other prerequisites include:
• Any compute resources that you want to use with App Orchestration
• The credentials for those compute resources to create virtual machines, access storage, and read
network information
• A Citrix Licensing server within each datacenter. If desired, you can use the same Licensing server
for all domains within a datacenter, or even for all datacenters.
Personas
Two personas are involved in the Define phase of App Orchestration: the Infrastructure Engineer and
the Service Designer. In your organization, these functions may be performed by two different people, or
by one person who wears both hats.
The Infrastructure Engineer tells the Service Designer about available datacenters, including:
• The compute resources available in those datacenters
• The IP address ranges assigned to those datacenters
• Any NetScaler Gateway devices located in those datacenters
Additionally, the Infrastructure Engineer performs the following tasks:
• Supplies compute resource storage and networking details
• Provides a SQL Server for the Service Designer to use to deploy App Orchestration and other Citrix
components
• Provides machines for installing the App Orchestration configuration server and the Citrix Licensing
Server
• Sets up and maintains the Active Directory domains used by App Orchestration, including the shared
resource domain and any tenant user domains.
The Service Designer:
• Owns the Citrix licenses
• Installs the Citrix Licensing Server and the product licenses on that server
• Installs, deploys, and maintains the App Orchestration configuration servers
Pitfalls to Avoid
Follow these simple rules to avoid pitfalls in the Define phase:
• Ensure each machine configured and deployed by App Orchestration has all of the minimum system
requirements installed, including the Microsoft .NET Framework.
• Each machine under App Orchestration control requires PowerShell remoting. Run the command
winrm quickconfig to verify that PowerShell remoting is functioning on all machines.
• If you are using multiple datacenters, make sure you can ping IP addresses in each datacenter from
the App Orchestration configuration server. Firewalls or WAN connectivity problems could prevent
App Orchestration from functioning correctly.
Task overview
1. Ensure the shared and private resource and user domains exist in your Active Directory structure.
Also, ensure that these domains contain the required OUs. Refer to “Prepare your Active Directory
domains” on page 22 and the document Deploying App Orchestration 2.6 in a Complex Active
Directory Environment.
2. Ensure you have the required credentials to add and modify objects in the shared and private
domains. Refer to the document Credentials Used in App Orchestration 2.6.
3. Define additional domains. If your deployment includes domains in addition to the shared resource
and user domains (for example, private tenant domains), you will need to add these domains
through the App Orchestration web console. Refer to the document Deploying App Orchestration 2.5
in a Complex Active Directory Environment.
4. Create additional datacenters. In addition to the default datacenter, you might also create a backup
datacenter. Refer to the document Deploying a Multi-Datacenter Environment in App Orchestration
2.6.
5. Set up and configure the compute resources you will use for provisioning Session Machines. Refer
to the following resources:
• Provisioning Session Machines On-Demand in App Orchestration 2.6
• Using Citrix CloudPlatform to Provision Session Machines On-Demand in App Orchestration 2.6
• Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.6
Design service offerings for tenants
Accounts and Permissions
When you create a new Delivery Site, you will need a credential for Location settings. That credential
must be a member of the Delivery Site admin group in Active Directory, and the local administrator
group on machines used as Delivery Site controllers. You will also need a credential for the Database
settings. You can use the same credential for both, if desired.
Prerequisites for Session Machine Catalogs using integrated provisioning
• Before you can create a Session Machine Catalog that uses on-demand provisioning, you must first
create a compute resource.
• On the compute resource, create a virtual machine to serve as the template for on-demand creation
of machines to host your service. The template should include the applications, operating system,
and desktop configuration that you want for your service.
• The template should be a bootable virtual machine joined to a domain. The orchestration service
account credential from the shared resource domain must be able to connect to that domain via
PowerShell remoting, and execute commands there.
• The compute resource storage must have enough free space to store a complete replica of the input
virtual machine template.
Prerequisites for Session Machine Catalogs using external provisioning
• When creating a Session Machine Catalog with externally-provisioned machines, you first need
the machines that you want to add to the catalog. These machines can be physical, virtual,
or created through any provisioning system.
• The machines must be joined to an Active Directory domain where the orchestration service account
can connect to the machines remotely through PowerShell remoting.
• The machines should have the appropriate Citrix software installed (either the appropriate Virtual
Delivery Agent or the XenApp 6.5 Session Host). You can install these packages through the App
Orchestration Install Center. For more information, see “Install App Orchestration” on page 43.
• If the provisioning method that you use automatically resets the machines upon reboot (like Citrix
Provisioning Services), then you must have the Citrix software installed on the machine before
importing it into App Orchestration.
• If you are importing multi-user machines running Microsoft Terminal Server, make sure Terminal
Services licensing is configured and functioning properly before you import the machines into App
Orchestration.
• All of the machines you import should have the Windows Update Service enabled in the Server
Manager, but Automatic Windows Updates should be disabled.
Prerequisites for Offerings
• Before creating offerings, you must have created a Session Machine Catalog.
• If the Session Machine Catalog uses on-demand provisioning, you need to wait for App
Orchestration to complete the preparation of the input VM template. This can take up to 30 minutes.
You can monitor progress from the Workflows tab.
• If the Session Machine Catalog uses external provisioning, you must have imported at least one
machine into the catalog before you create an offering. The import process may take 10-15 minutes.
Prerequisites for Delivery Sites
Before you import Delivery Sites into App Orchestration, you will need the following:
• At least one SQL server, with an optional second server to use as a mirror.
• SQL Server database administrator credentials.
• At least one machine that will be used as Delivery Controller:
o The machine should be joined to the shared resource domain, and the orchestration service
account configured within App Orchestration must be able to connect to the machine using
PowerShell remoting.
o The machine should be prepared as XenApp 6.5 controller or XenApp 7.6 and XenDesktop 7.6
Delivery Controller. You can install these packages through the App Orchestration Install Center.
This process also installs the required App Orchestration agent. For more information, see
“Install App Orchestration” on page 45.
Prerequisites for StoreFront
For App Orchestration to deploy and manage a StoreFront server group, you will need:
• At least one machine joined to the same resource domain which has been added to the deployment
through the App Orchestration web console. To install the StoreFront software on the machine, use
the App Orchestration Install Center. The installation process also installs the required App
Orchestration agent.
• You must also have an SSL certificate that is valid for the DNS addresses of the machine. The
certificate must be issued from a trusted certification authority.
• If more than one StoreFront server has been deployed, you must also have a load balancer
configured to balance web traffic between the machines. This load balancer should also be
configured to use SSL.
Personas
Two personas are involved in the Design phase of App Orchestration: the Service Strategist and the
Service Designer. In your organization, these functions may be performed by two different people, or by
one person who does both jobs.
The Service Strategist performs the following tasks:
• Decides which applications and desktops to offer.
• Provides an initial estimate of the number of users expected to use those apps and desktops.
The Service Designer performs the following tasks:
• Uses the information provided by the Service Strategist to prepare machines or VM templates with
the operating system, apps, and desktop configuration needed to create offerings.
• Decides on the appropriate FlexCast technology to deliver those apps and desktops to end users.
• Decides on the scaling factor that determines how many users will fit per server for a particular
offering.
• Prepares Delivery Sites and StoreFront Server Groups to meet the initial capacity requirements in
each datacenter.
• Provisions an adequate number of Session Machines up front in each datacenter to meet the initial
capacity of the offerings.
Pitfalls to Avoid
• Provisioning Session Machines requires PowerShell remoting to be enabled and functional. To
ensure no environmental issues are preventing PowerShell remoting from functioning properly, run
winrm quickconfig on the Session Machines.
• Verify connectivity from the App Orchestration configuration server to the Session Machine using
PowerShell remoting, using the orchestration service account credential.
• To avoid DNS issues that may arise between newly-provisioned Session Machines and the App
Orchestration configuration server, ensure that you can execute nslookup from the App
Orchestration configuration server to the Session Machines, and from the Session Machines to the
configuration server.
• Ensure that no operating system or application updates are being applied automatically on
externally-provisioned Session Machines, or on the input template used for on-demand provisioning.
Disable the Windows Update Service from applying updates automatically, and turn off any
application updaters on those machines.
• You can enable Windows Update and other application update mechanisms on Delivery Controllers
and StoreFront servers.
• App Orchestration requires that all Session Machines are configured identically, including hardware
and installed software. Therefore, App Orchestration will reject importing a machine that is different
from the template machine.
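
The remoting and DNS checks in the pitfalls above can be run as one preflight from the App Orchestration configuration server before you import or provision Session Machines. This is an added example, not part of the Citrix documentation: the function name and the machine names in the usage comment are placeholders. It resolves names with .NET's System.Net.Dns rather than nslookup so that the same check runs on older Session Machine operating systems.

```powershell
# Added example (not Citrix code). Run on the App Orchestration configuration
# server. For each Session Machine it checks, in order:
#   1. the configuration server can resolve the Session Machine's name
#   2. the WinRM listener answers (Test-WSMan; no credential is used here)
#   3. a remote command runs under the orchestration service account
#   4. the Session Machine can resolve the configuration server's name
function Test-SessionMachineReadiness {    # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$SessionMachine,
        [Parameter(Mandatory = $true)][string]$ConfigServer,
        # Orchestration service account credential.
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )

    foreach ($machine in $SessionMachine) {
        $result = [ordered]@{
            Machine        = $machine
            ForwardDns     = $false    # configuration server -> Session Machine
            WsManListening = $false
            RemoteCommand  = $false
            ReverseDns     = $false    # Session Machine -> configuration server
            Detail         = ''
        }
        try {
            # GetHostAddresses throws if the name cannot be resolved.
            [void][System.Net.Dns]::GetHostAddresses($machine)
            $result.ForwardDns = $true

            Test-WSMan -ComputerName $machine -ErrorAction Stop | Out-Null
            $result.WsManListening = $true

            # Runs on the Session Machine with the service account credential.
            $canResolve = Invoke-Command -ComputerName $machine -Credential $Credential `
                -ErrorAction Stop -ArgumentList $ConfigServer -ScriptBlock {
                    param($Name)
                    try { [void][System.Net.Dns]::GetHostAddresses($Name); $true }
                    catch { $false }
                }
            $result.RemoteCommand = $true
            $result.ReverseDns = [bool]$canResolve
            if (-not $result.ReverseDns) {
                $result.Detail = "Session Machine cannot resolve $ConfigServer"
            }
        }
        catch {
            # The first failing step stops the sequence; later flags stay $false.
            $result.Detail = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage (placeholder names):
# $cred = Get-Credential    # orchestration service account
# Test-SessionMachineReadiness -SessionMachine 'sm01.resource.example', 'sm02.resource.example' `
#     -ConfigServer 'aocfg01.resource.example' -Credential $cred | Format-Table -AutoSize
```

A row with WsManListening true but RemoteCommand false points at the account's rights or the remoting policy rather than at the network.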
Task 1: Create a new Delivery Site
A Delivery Site consists of at least one Delivery Controller. When you create a new Delivery Site, the
Delivery Site wizard prompts you for the following information:
• Site name, licensing model, and Citrix product version to install on the machines you want to deploy
as Delivery Controllers. You can select XenApp 6.5 or XenDesktop 7.6. A Delivery Site with one of
these products installed will only work with Session Machines that are running the same product. For
example, if the Controllers in a Delivery Site are running XenDesktop 7.6, only Session Machines
running XenDesktop 7.6 can join the Delivery Site to deliver hosted applications and desktops.
• The servers you want to deploy as Delivery Controllers to the Site, including the resource domain
and datacenter in which they should reside. App Orchestration requires at least one Controller in a
Delivery Site.
• The Delivery Site administrator group and Site administrator account for the Delivery Site. The Site
administrator account is a non-privileged user account and must be a member of the Delivery Site
administrator group. This account should not belong to the Domain Admins group. The Delivery Site
administrator group and Site administrator account must exist already in your environment; App
Orchestration does not create them. For more information about Delivery Site administrator
privileges in the shared and tenant resource domains, refer to the document Credentials Used With
App Orchestration 2.6.
• The database server, credentials, and names for the Site databases to be created (configuration,
logging, and monitoring). For more information about the privileges required for the Delivery Site
database user, refer to the document Credentials Used in App Orchestration 2.6.
When specifying the database details for the Delivery Site, Citrix recommends using separate
databases for each database type. This enables you to create appropriate backup and recovery
protocols for each database, and prevents outages due to a single point of failure. By default, App
Orchestration creates separate databases for the Site's configuration, logging, and monitoring data. For
example, for a Delivery Site named "Site1," App Orchestration creates the "Site1" configuration
database, the "Site1Logging" logging database, and the "Site1Monitoring" monitoring database.
Additionally, App Orchestration uses the same database server for all three databases by default. You
can accept these defaults or specify different servers and names for each database. By default, “Enroll
this site in Customer Experience Improvement Program” is selected.
Note: If you enroll the Delivery Site in the Customer Experience Improvement Program, you can disable it only in
Desktop Delivery Controller, using a PowerShell cmdlet. App Orchestration does not allow you to disable it in Config
Server.
After you complete the wizard, App Orchestration issues workflows that perform the following tasks.
• Evaluate the machine configuration of the controllers and create a profile. App Orchestration uses
this profile to evaluate subsequent Delivery Controllers that you add to the Site. If new Delivery
Controllers do not match the profile, App Orchestration does not add them to the Site. Therefore, all
Delivery Controllers you add to a Site must be identically configured, including hardware
configuration, operating system, and software updates.
• Create the Delivery Site and join the Delivery Controllers to it.
You can monitor these workflows using the Workflows tab in the App Orchestration web console.
Aggregate an existing Delivery Site
Aggregation is the means by which multiple instances of hosted applications or desktops from multiple
Delivery Sites are presented to users with a single icon when they access their StoreFront site with Citrix
Receiver. For example, if Microsoft Word is offered on multiple Delivery Sites, users see a single icon for
Microsoft Word when they log on to their StoreFront site.
For more information about resource aggregation, see the topic StoreFront high availability and
multi-site configuration in Citrix eDocs.
For more information about the versions of XenApp and XenDesktop that StoreFront supports for
Delivery Site aggregation, see the topic Infrastructure requirements in Citrix eDocs.
Task 2: Create a Session Machine Catalog
This step consists of the following tasks:
1. From the App Orchestration web console, create a Session Machine catalog.
2. Add the servers you have prepared as the first Session Machines to the catalog using integrated
provisioning or external provisioning.
Create a catalog with integrated provisioning
For information about using integrated provisioning in your App Orchestration deployment, see the
document Provisioning Session Machines On-demand in App Orchestration 2.6. This guide provides
additional details and step-by-step instructions for provisioning Session Machines on-demand using
integrated provisioning.
Create a catalog for externally-provisioned machines
As with Delivery Sites, you use the App Orchestration web console to complete the Session Machine
Catalog wizard.
If you choose to create a catalog for externally-provisioned machines, the wizard prompts you for the
following information:
• Catalog name and OS Type for the Session Machines it will contain.
• Type of Delivery Controllers that the machines will work with when hosting offerings for tenants
(XenApp 7.6 and XenDesktop 7.6 or XenApp 6.5). The controller type you specify determines the
Citrix product that App Orchestration requires and validates on the Session Machines you add to the
catalog. For example, if you specify XenDesktop 7.6 as the controller type, App Orchestration will
confirm that the Virtual Delivery Agent is installed on Session Machines that are added to the
catalog.
• Number of users allowed to access each machine before it is considered fully loaded. You can also
allow App Orchestration to include CPU and memory in its calculations for determining server load.
Add Session Machines to the catalog
To add Session Machines to a catalog for externally-provisioned machines, you complete a separate
wizard. This wizard prompts you for the name of the Session Machine Catalog, resource domain, and
datacenter in which the Session Machine will reside. You also specify the names of the Session
Machines you want to add to the catalog. App Orchestration requires at least one Session Machine be
added to create offerings, but you can add up to 20 machines at one time. Deploying more than 20
machines places a heavy burden on the App Orchestration configuration server's resources, causing
workflows to time out before the machines can complete the provisioning process.
Important: When you specify the Session Machines you want to add to the catalog, ensure the machines are
not members of an existing machine catalog in an existing Delivery Site that was created outside of App
Orchestration. When App Orchestration adds Session Machines to a catalog, App Orchestration assumes the
machines are free to be allocated to the Delivery Sites you create through the App Orchestration web console.
App Orchestration cannot verify whether the Session Machines you want to add are already allocated to other
XenDesktop deployments. If you create offerings and subscriptions that use resources hosted on Session
Machines that are already allocated to other XenDesktop deployments, users will not be able to launch
sessions on these machines when they attempt to access their subscriptions.
After you complete the Add Session Machines wizard, App Orchestration issues a workflow that
performs the following tasks:
• Evaluate the machine configuration of the Session Machine and create a profile. App Orchestration
uses this profile to evaluate subsequent Session Machines that you add to the catalog. If new
Session Machines do not match the profile, App Orchestration does not add them to the catalog.
Therefore, all Session Machines you add to the catalog must be identically configured, including
hardware configuration, operating system, system updates, and installed applications. If you want to
add Session Machines that have, for example, different applications installed, you must add them to a
different catalog.
• Add the Session Machine to the catalog.
You can monitor these workflows using the Workflows tab in the web console.
Task 3: Add a StoreFront server group
In this step, you use the App Orchestration web console to create a StoreFront Server Group and
specify the servers you want to add to it. A server group consists of at least one StoreFront server. App
Orchestration requires at least one StoreFront server in the deployment for making offerings available to
tenants' users.
As with Delivery Sites and Controllers, you add StoreFront servers to your deployment using a wizard.
The wizard prompts you for the following information:
• Server group name, SSL certificate, and load balancer URL. StoreFront requires that each machine
have an SSL certificate installed prior to deployment. For more information about StoreFront
requirements, see “Prepare StoreFront servers” on page 39. When entering the load balancer URL,
check to ensure the URL you enter is correct. Changing the URL later requires you to delete the
entire server group and redeploy it with the new URL.
• Names of the StoreFront servers you want to add to the group.
• Resource domain and datacenter in which the servers will reside.
After you complete the wizard, App Orchestration issues workflows that perform the following tasks:
• Evaluate the machine configuration of the servers and create a profile. App Orchestration uses this
profile to evaluate subsequent StoreFront servers that you add to the group. If new StoreFront
servers do not match the profile, App Orchestration does not add them to the group. Therefore, all
StoreFront servers you add to a server group must be identically configured, including StoreFront
version, operating system, and software updates.
• Create the server group and join the StoreFront servers to it.
You can monitor these workflows using the Workflows tab in the web console.
Task 4: Create an offering
This step consists of making applications and desktops (hosted on the Session Machines) available for
subscription by tenants.
To create offerings, you use the App Orchestration web console to specify the applications and desktops
you want to include and the isolation level at which you want to provide the offering to tenants. The
isolation level you select depends on whether you want to create an offering that uses shared machines
or machines that are dedicated to an individual tenant. For more information about these isolation levels,
see the document Isolation Methods in App Orchestration 2.6.
Deliver service offerings to tenants
Accounts and Permissions
To add a tenant, you will need a user domain and a resource domain in Active Directory, both of which
must be added to App Orchestration through the web console. The user domain and resource domain
can be the same domain. You can use the shared resource domain as both the user domain and
resource domain.
• In the user domain, you must have credentials of a user who can resolve other user accounts within
that domain.
• In the resource domain, you must have credentials of a user who can move machines between
Active Directory OUs within that domain.
Prerequisites
Before adding tenants, make sure you know:
• The user and resource domain details.
• The StoreFront and NetScaler Gateway isolation modes you want to use for that tenant.
• The NetScaler Gateway address, if the tenant will be using a private NetScaler Gateway.
• The name of the tenant’s private management network, if the tenant will be using network isolation.
This must match the name configured in your compute resource that will be used for machines
provisioned for that tenant.
After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions.
After you’ve preallocated capacity, you can create subscriptions. To do this, you should know:
• The offerings to which users want to subscribe.
• The tenant to whom those users belong.
• The Active Directory group in their user domain that contains the users who want to subscribe to that
offering. This can be the Location Group or a Subscription Group.
If you haven’t preallocated capacity, App Orchestration will create capacity of one machine on-demand.
Personas
Three personas are involved in the Deliver phase of App Orchestration: the Service Designer, the
Tenant Administrator, and the Subscribers. In your organization, the Service Designer and Tenant
Administrator functions may be performed by two different people, or by one person who does both jobs.
The Service Designer performs the following tasks:
• Onboards tenants by creating their OUs in Active Directory, their users, and user groups.
• Sets up billing and chargeback for that tenant.
• Adds the tenant into App Orchestration.
• Asks the Tenant Administrator for the anticipated number of users, and based on that answer
preallocates capacity for the tenant to access offerings.
• Informs the Tenant Administrator of the StoreFront address that the end users will need in order to
connect to and access their offerings.
The Tenant Administrator performs the following tasks:
• Informs the Service Designer upfront how many users are expected to access each offering.
• Subscribes end users to individual offerings.
• Directs end users to the tenant’s StoreFront address, either directly or through configuration of
clients.
The Subscriber accesses offerings using Citrix Receiver.
Pitfalls to Avoid
Follow these simple guidelines to avoid common pitfalls in the Deliver phase:
• App Orchestration defaults to using the tenant’s name as the isolated network name. Ensure that
you have a network with this name in your virtualization infrastructure, or change the name in App
Orchestration when adding the tenant.
• Also ensure that you use the correct isolation modes for StoreFront and NetScaler Gateway when
adding a tenant. If necessary, you can change these settings later by editing the tenant.
• After you create subscriptions or adjust capacity, you should monitor the status of those changes by
watching the Workflows tab or the Dashboard Notifications.
• You can adjust capacity as needed, but remember that App Orchestration must execute workflows
to reconfigure the system to comply with that desired state. If there are not enough StoreFront
Server Groups or Delivery Sites or available Session Machines, a notification on the Dashboard will
explain how to correct the problem.
Task 1: Add a tenant and add users
This step consists of adding tenants to the App Orchestration system and specifying the user groups
that will be accessing offerings through StoreFront.
To add tenants, you use the App Orchestration web console to specify the tenant's resource and user
domains, the default datacenter through which users will access offerings, the isolation level of the
tenant's StoreFront site, and whether the tenant accesses a shared or private NetScaler Gateway (if
NetScaler Gateway is enabled for the deployment). For more information about StoreFront isolation
levels, see the document Isolation Methods in App Orchestration 2.6.
To ensure the machines that are dedicated to tenants' exclusive use are adequately isolated, Citrix
recommends using a private Active Directory forest for each tenant, a private management network, and
offerings that employ Private Delivery Site isolation. This helps ensure that a tenant's resources are
isolated from other tenants and other tenants' users.
Security considerations
As a security consideration when adding tenants, include user groups that contain only domain users.
Users who belong to the Domain Admins group should not be added to these groups. This ensures that
a tenant's users can access only the Session Machines in the resource management network (either
shared or private). Additionally, keep the following considerations in mind:
• Do not grant tenant users or administrators Domain Admin permissions in any Active Directory
domain included in the deployment.
• If administrator permissions are granted to a tenant, ensure the tenant has local machine
administrator privileges only for privately allocated Session Machines. Tenants should not have
administrator privileges on any other server or component in the deployment.
• Ensure that tenants do not have permissions to access any compute resources in the deployment.
• Ensure that tenants do not have permissions to log on to or administer shared components such as
NetScaler Gateway appliances or StoreFront servers.
Task 2: Adjust capacity
Capacity refers to the number of Session Machines allocated to offerings and the tenants who access
them. By default, App Orchestration creates an initial capacity of one machine.
After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions. You
can adjust the capacity as needed to host more or fewer offerings or users.
In the App Orchestration web console, go to the Dashboard and click the pencil to the right of Capacity
Allocation.
Select the offering and specify the desired capacity. App Orchestration estimates the number of users
that can fit per machine based on the load balancing settings, or whether the machines are single user.
When you are deciding how many machines to preallocate, you should consider whether the Session
Machine Catalog uses statically allocated or pooled machines.
• For statically allocated machines, you should preallocate the number of machines necessary to
support all of the users who will be using the offering.
• For pooled machines, you only need to preallocate the number of machines necessary to support
concurrent users of the offering.
Task 3: Subscribe the tenant to an offering
This step consists of creating a subscription for a tenant so that the tenant's users can access a specific
offering through StoreFront.
To create a subscription, you use the App Orchestration web console to specify the offering, tenant, and
user groups to include. The process of subscribing a tenant to an offering involves creating a Delivery
Group according to the isolation level defined for the offering. This Delivery Group restricts access to the
offering, ensuring only the specified users can access the offering through StoreFront.
Important: When subscribing users to offerings, ensure the users are members of domain global user groups.
This ensures that only users in the tenant’s user domain are authorized to access the tenant’s offerings. Using
domain local or universal user groups for subscriptions could allow users external to the tenant’s user domain
to be members of these groups and allow these users to access the tenant’s offerings.
For more information about Delivery Group isolation levels, see the document Isolation Methods in App
Orchestration 2.6.
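The group requirements in "Security considerations" and in the Important note above (domain global groups only, no Domain Admins members) can be checked before a group is used in a subscription. The following PowerShell is an added example, not part of the Citrix guide. It assumes the ActiveDirectory module is installed, and the group and domain names are placeholders.

```powershell
# Added example: audit groups before using them for tenant subscriptions.
# Requires the ActiveDirectory module (RSAT). Group and domain names are placeholders.
Import-Module ActiveDirectory

function Test-SubscriptionGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$UserDomain   # DNS name of the tenant's user domain
    )

    $group = Get-ADGroup -Identity $GroupName -Server $UserDomain

    # Domain Admins always has the SID <domain SID>-512, whatever the group is called.
    $domainSid = (Get-ADDomain -Server $UserDomain).DomainSID.Value
    $adminSids = @(Get-ADGroupMember -Identity "$domainSid-512" -Server $UserDomain -Recursive |
        ForEach-Object { $_.SID.Value })

    # -Recursive flattens nested groups and returns only the leaf members.
    $members    = @(Get-ADGroupMember -Identity $group -Server $UserDomain -Recursive)
    $privileged = @($members | Where-Object { $adminSids -contains $_.SID.Value })
    $nonUsers   = @($members | Where-Object { $_.objectClass -ne 'user' })

    [pscustomobject]@{
        Group          = $group.Name
        Scope          = $group.GroupScope
        IsGlobal       = ($group.GroupScope -eq 'Global')
        MemberCount    = $members.Count
        DomainAdmins   = ($privileged | ForEach-Object { $_.SamAccountName }) -join ', '
        NonUserMembers = ($nonUsers | ForEach-Object { $_.SamAccountName }) -join ', '
        Pass           = ($group.GroupScope -eq 'Global') -and
                         ($privileged.Count -eq 0) -and ($nonUsers.Count -eq 0)
    }
}

# Placeholder group names for one tenant; replace with the groups you plan to subscribe.
'Tenant1-Word-Users', 'Tenant1-Desktop-Users' |
    ForEach-Object { Test-SubscriptionGroup -GroupName $_ -UserDomain 'tenant1.example' } |
    Format-Table -AutoSize
```

A row with Pass set to False names the reason in the IsGlobal, DomainAdmins, or NonUserMembers column.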
Task 4: Optional: Deploy tenant self-service features
After you deploy App Orchestration, you can choose to integrate with CloudPortal Services Manager
11.5. This deployment option enables you to make App Orchestration offerings available for self-service
consumption through the Services Manager web-based control panel. Tenants can self-administer the
offerings to which they have subscribed and their users can request access to subscribed offerings as
needed.
To enable Services Manager to communicate with your App Orchestration deployment, you perform the
following tasks:
1. Download CloudPortal Services Manager 11.5 from the Citrix web site.
2. Install the Hosted Apps and Desktops web service on the App Orchestration configuration server.
3. Configure the Hosted Apps and Desktops service through the Services Manager control panel.
You can then use the control panel to manage offerings and provision the service to tenants. To enable
tenants’ users to self-subscribe to offerings, configure Workflow Approval for the tenant.
When you enable this integration, the App Orchestration and Services Manager web consoles assume
specific roles with regard to the administration tasks you perform in your deployment. You use the
Services Manager control panel to manage tenant onboarding and subscribing users to offerings. You
use the App Orchestration web console to create new offerings, add capacity to existing offerings, and
manage the Delivery Sites, Session Machines, and StoreFront servers in your deployment.
Appendix: Setup Checklist
This checklist is a convenient tool to help you plan and document your App Orchestration deployment.
Use this checklist along with the rest of the information in this guide to ensure all required preparation
tasks are performed.
This checklist helps you prepare the following components:
• 1 domain controller with a minimum domain functional level of Windows Server 2008 R2
• 1 database server running a supported version of Microsoft SQL Server
• 1 Citrix License Server
• 1 NetScaler Gateway
• 1 server, for the App Orchestration configuration server
• 1 server, for the Session Machine that will host applications and desktops for users
• 1 server, for the Delivery Controller that makes up one Delivery Site
• 1 server, for the StoreFront server that makes up one StoreFront server group
Use the Notes column to record the details of your preparation activities. You will need to supply this
information when you configure App Orchestration’s global settings.
Shared resource domain
Complete the tasks in this section before you install App Orchestration. You will need to supply the
information below when you configure App Orchestration’s global settings. For more information about
the tasks in this section, see “Prepare your Active Directory domains” on page 22.
Completed ()
Task Notes
Task: Create a domain to be used as the shared resource domain. Minimum domain functional level: Windows Server 2008 R2.
Notes: Domain name:
Task: Create a Group Policy object that will be associated with all machines in the shared resource domain and configure the following settings:
• Set the PowerShell execution policy to AllSigned
• Configure PowerShell remoting
• Allow WinRM traffic through Windows Firewall
• Allow WinRM remote server management for all servers
• Allow WinRM clients to trust all servers
• Set Windows Remote Shell maximum memory to 1 GB or more.
• Allow unlimited number of remote shells per user.
For detailed instructions, refer to the section “Configure the App Orchestration Group Policy” on page 24.
Task: Create an Active Directory security group that you designate as the orchestration service group (for example, MyDomain\OrchestrationAdmins).
Notes: Group name:
Task: Create an organizational unit as the root OU for App Orchestration. App Orchestration will have permission in this OU to create, move, and remove objects.
Notes: Root OU name:
Task: Create an orchestration service account with the following permissions:
• Read and Write permissions on the App Orchestration root OU
• Permission to use PowerShell remoting to access all servers in the shared resource domain
• Add the account to the orchestration service group
Important: For security reasons, do not add this account to the Domain Admins group.
Notes:
User name:
Password:
Default user domain
The default user domain is where App Orchestration service accounts reside. You can create a separate
domain or you can designate the shared resource domain for this purpose when you configure App
Orchestration’s global settings.
Completed ()
Task Notes
Task: Create a domain to be used as the default user domain. This domain must have a minimum domain functional level of Windows Server 2003.
Notes: Domain name:
Task: Create a user account in the user domain.
Important: For security reasons, do not add this account to the Domain Admins group.
Notes:
User name:
Password:
Citrix ProductMedia folder
The Citrix ProductMedia folder contains the software for App Orchestration and other components that
are required to provision Delivery Sites, Session Machines, and StoreFront servers. This folder can be
local to all machines (recommended), or on a portable drive, a network share of any kind, or any other
location that is visible to all of your machines. Citrix recommends that you protect this folder with
appropriate access controls, to prevent unauthorized access that might result in file corruption or the
introduction of malware.
Option 1: From App Orchestration bundle
Completed ()
Task Notes
Task: Download the App Orchestration 2.6 with bundle from the Citrix web site.
Notes: Choose App Orchestration 2.6 with Bundle from the download page for: Citrix Cloud Provider Pack.
Task: Extract the downloaded zip file (App_Orchestration_2.6_Bundle.exe) into a folder of your choice (for example, AO), with the following layout:
You do not need to do anything more to prepare the product media folder.
Option 2: From App Orchestration 2.6
Completed ()
Task Notes
Task: Download the App Orchestration 2.6 from the Citrix web site.
Notes: Choose App Orchestration 2.6 from the download page for: Citrix Cloud Provider Pack.
Task: Extract the downloaded zip file (App_Orchestration_2.6.zip) into a folder of your choice (for example, AO), with the following layout:
In the /Setup/ProductMedia folder, create the following structure:
Task: CitrixStoreFront folder
Notes:
Download StoreFront 3.0 from StoreFront download page
Copy the download file to CitrixStoreFront folder
Task: XenDesktop folder
Notes:
Download XenDesktop 7.6 from XenDesktop download page
Copy the entire contents to XenDesktop folder
Task: Hotfix for Citrix Studio 7.6
Notes:
Download the hotfix from x64 version download page or x86 version download page
Extract the download .zip package
• For x64 version: Rename DStudio760WX64002.msi to DesktopStudio_x64.msi and copy to XenDesktop\x64\DesktopStudio folder
• For x86 version: Rename DStudio760WX86002.msi to DesktopStudio_x86.msi and copy to XenDesktop\x86\DesktopStudio folder
Task: Hotfixes Update 2 - For Delivery Controller 7.6 (x64 version)
Notes:
Download the hotfix from x64 version download page
Extract the download .zip package
Rename the downloaded .msi files and copy to XenDesktop folder:
• Rename BrokerSrvc760WX64002.msi to Broker_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
• Rename ConfigMgrWOL760WX64002.msi to ConfigMgr_WOL_Plugin_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
• Rename HostSrvc760WX64002.msi to Host_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
• Rename MCSrvc760WX64002.msi to MachineCreation_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
• Rename MonitorPSSI760WX64002.msi to Monitor_PowerShellSnapIn_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
• Rename MonitorSrvc760WX64002.msi to Monitor_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
Task: Hotfixes Update 2 - For Delivery Controller 7.6 (x86 version)
Notes:
Download the hotfix from x86 version download page
Extract the download .zip package
Rename the downloaded .msi files and copy to XenDesktop folder:
• Rename BrokerSrvc760WX86002.msi to Broker_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
• Rename ConfigMgrWOL760WX86002.msi to ConfigMgr_WOL_Plugin_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
• Rename HostSrvc760WX86002.msi to Host_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
• Rename MCSrvc760WX86002.msi to MachineCreation_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
• Rename MonitorPSSI760WX86002.msi to Monitor_PowerShellSnapIn_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
• Rename MonitorSrvc760WX86002.msi to Monitor_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
Task: Hotfix For Machine Identity Service Agent 7.6
Notes:
Download the hotfix from x64 version download page or x86 version download page
Rename the downloaded .msi files and copy to XenDesktop folder:
• For x64 version: Rename MISA760WX64001.msi to MachineIdentityServiceAgent_x64.msi and copy to XenDesktop\x64\Virtual Desktop Components folder
• For x86 version: Rename MISA760WX86001.msi to MachineIdentityServiceAgent_x86.msi and copy to XenDesktop\x86\Virtual Desktop Components folder
Task: XenDesktop 7.6 Feature Pack 2:
Notes:
Download feature pack from XenDesktop FP2 download page
Extract the download .zip package
Rename the downloaded .msi files and replace the same .msi files under XenDesktop folder:
• Copy DesktopDirector_x64.msi and replace XenDesktop\x64\DesktopDirector\DesktopDirector.msi
• Copy DesktopDirector.msi and replace XenDesktop\x86\DesktopDirector\DesktopDirector.msi
• Rename GPMx240WX64002.msi to CitrixGroupPolicyManagement_x64.msi and copy to XenDesktop\x64\Citrix Policy
• Rename GPMx240WX86002.msi to CitrixGroupPolicyManagement_x86.msi and copy to XenDesktop\x86\Citrix Policy
• Rename HDXWMIPROV220WX64001.msi to CitrixHDXWMIProvider-x64.msi and copy to XenDesktop\x64\Virtual Desktop Components\TS
• Copy WMIProxy_x64.msi to XenDesktop\x64\Virtual Desktop Components
• Copy WMIProxy_x86.msi to XenDesktop\x86\Virtual Desktop Components
Feature Pack 2 - For XenDesktop
7.6 (Cont.)
Rename
XDPoshModule760WX64002.msi to
XDPoshSnapin_x64.msi and copy to
XenDesktop\x64\Citrix Desktop
Delivery Controller
Rename
XDPoshModule760WX86002.msi to
XDPoshSnapin_x86.msi and copy to
XenDesktop\x86\Citrix Desktop
Delivery Controller
Copy the download .msp files to
XenDesktop\MspHotfixes:
copy ICATS760WX64022.msp to
XenDesktop\MspHotfixes\x64\Virtual
Desktop Components\Server
copy ICAWS760WX64022.msp to
XenDesktop\MspHotfixes\x64\Virtual
Desktop Components\WorkStation
copy ICAWS760WX86022.msp to
XenDesktop\MspHotfixes\x86\Virtual
Desktop Components\WorkStation
XenApp 6.5:
Download XenApp 6.5 from the XenApp 6.5 download page.
Copy the entire contents to the XenApp folder.
XenApp 6.5 HRP5:
Download XenApp 6.5 HRP5 from the XenApp 6.5 HRP 5 download page.
Copy the entire contents to the XenApp/XenAppHRP folder.
XenApp 6.5 SQL Server 2012 folder:
Copy the entire Setup\ProductMedia\CloudApp Management\Support\SQLServer2012 folder to the XenApp\Support folder.
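The Feature Pack 2 rename-and-copy steps above can be scripted so that nothing is replaced in the installation media until every downloaded file has been found and its Authenticode signature checked. This is an added example, not part of the Citrix guide: the two folder paths are assumptions, the signature check is an addition to the checklist, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example. Paths are assumptions; file names and targets come from the checklist.
param(
    [string]$Download = 'C:\Staging\FP2',         # assumed: where the FP2 .zip was extracted
    [string]$Media    = 'C:\Staging\XenDesktop'   # assumed: the XenDesktop media folder
)
$ErrorActionPreference = 'Stop'
# Downloaded file name -> target path under the XenDesktop folder.
$map = [ordered]@{
    'DesktopDirector_x64.msi'    = 'x64\DesktopDirector\DesktopDirector.msi'
    'DesktopDirector.msi'        = 'x86\DesktopDirector\DesktopDirector.msi'
    'GPMx240WX64002.msi'         = 'x64\Citrix Policy\CitrixGroupPolicyManagement_x64.msi'
    'GPMx240WX86002.msi'         = 'x86\Citrix Policy\CitrixGroupPolicyManagement_x86.msi'
    'HDXWMIPROV220WX64001.msi'   = 'x64\Virtual Desktop Components\TS\CitrixHDXWMIProvider-x64.msi'
    'WMIProxy_x64.msi'           = 'x64\Virtual Desktop Components\WMIProxy_x64.msi'
    'WMIProxy_x86.msi'           = 'x86\Virtual Desktop Components\WMIProxy_x86.msi'
    'XDPoshModule760WX64002.msi' = 'x64\Citrix Desktop Delivery Controller\XDPoshSnapin_x64.msi'
    'XDPoshModule760WX86002.msi' = 'x86\Citrix Desktop Delivery Controller\XDPoshSnapin_x86.msi'
    'ICATS760WX64022.msp'        = 'MspHotfixes\x64\Virtual Desktop Components\Server\ICATS760WX64022.msp'
    'ICAWS760WX64022.msp'        = 'MspHotfixes\x64\Virtual Desktop Components\WorkStation\ICAWS760WX64022.msp'
    'ICAWS760WX86022.msp'        = 'MspHotfixes\x86\Virtual Desktop Components\WorkStation\ICAWS760WX86022.msp'
}
# Pass 1: find each file and check its Authenticode signature before changing the media.
$plan = foreach ($name in $map.Keys) {
    $hits = @(Get-ChildItem -Path $Download -Recurse -File -Filter $name)
    if ($hits.Count -ne 1) { throw "Expected one '$name' under $Download, found $($hits.Count)" }
    $sig = Get-AuthenticodeSignature -FilePath $hits[0].FullName
    if ($sig.Status -ne 'Valid') { throw "'$name' signature status is $($sig.Status)" }
    [pscustomobject]@{
        Source = $hits[0].FullName
        Target = Join-Path $Media $map[$name]
        Signer = $sig.SignerCertificate.Subject
    }
}
# Pass 2: runs only if every file passed. Copy under the new name and hash the result.
$staged = foreach ($item in $plan) {
    $dir = Split-Path -Path $item.Target -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Creating missing folder $dir"
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    Copy-Item -LiteralPath $item.Source -Destination $item.Target -Force
    [pscustomobject]@{
        Target = $item.Target
        Signer = $item.Signer
        SHA256 = (Get-FileHash -LiteralPath $item.Target -Algorithm SHA256).Hash
    }
}
$staged | Format-List
```

Review the Signer column before using the media: a Valid status only means the signature chains to a trusted root, not that the expected publisher signed the file.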
Database Server
The database server hosts the App Orchestration configuration database. For more information about
supported databases, refer to the “Prepare the database server” section on page 29.
Completed ()
Task Notes
Prepare a server and install Microsoft SQL Server 2012 (minimum):
• Join the server to the shared resource domain.
• Use Windows authentication.
• Ensure SQL Server Browser and the SQL Server instance services are enabled and set to start automatically.
• Enable remote TCP connections.
• Allow SQL traffic to traverse Windows Firewall.
Optionally, you can prepare another SQL Server for mirroring to increase availability. For more information, refer to the document Configuring Database Mirroring in App Orchestration 2.6. Or, if you want to enable a SQL AlwaysOn Availability Group, refer to the section “Detailed steps to configure an AlwaysOn Group for App Orchestration” of AppOrchestration High Availability.
Primary database server name:
Secondary database server name (optional):
Create a SQL database administrator account.
This account must be a Windows account,
using Windows authentication. The account
you use to install App Orchestration must have
permission to create databases.
User name:
Password:
Citrix License Server
Completed ()
Task Notes
Prepare a server and install Citrix Licensing
11.12.1 according to product instructions.
License server name:
Install XenApp or XenDesktop Platinum
licenses.
NetScaler Gateway
To secure access to your App Orchestration deployment, NetScaler Gateway enables you to configure
policy and action controls while allowing tenants’ users to access the apps and desktops they need. For
more information about integrating NetScaler Gateway with App Orchestration, refer to the document
Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App
Orchestration 2.6 or Configuring NetScaler 10.5 Load Balancing with StoreFront 3.0 and NetScaler
Gateway for App Orchestration 2.6.
Completed ()
Task Notes
Install and configure NetScaler Gateway
according to product instructions.
Gateway address:
App Orchestration configuration server
Completed ()
Task Notes
Prepare one or more servers to be used as the
App Orchestration configuration server(s).
For system requirements, refer to the
“Prepare the App Orchestration configuration
server” section on page 32.
Note: If you deploy multiple configuration
servers, enter only the server’s FQDN when
prompted. If you use the server’s IP address or
NetBIOS name instead, App Orchestration
displays an error message indicating the server
cannot be contacted.
Primary server FQDN:
Backup server FQDN (optional):
Join the server(s) to the shared resource
domain.
Install a valid SSL certificate, signed by a
trusted Certificate Authority, in the local
computer’s certificate store.
For proof-of-concept deployments, you can use
a wildcard certificate.
For more information about using SSL with App
Orchestration, see the document Configuring
SSL for App Orchestration 2.6.
Friendly name:
Delivery Controllers
Completed ()
Task Notes
Prepare one or more servers to be used as the
Delivery Controllers.
For system requirements, refer to the section
“Prepare Delivery Controllers and Session
Machines” on page 35.
Primary Controller name:
Backup Controller name:
Run the App Orchestration Install Center to
install the appropriate Citrix software on the
servers:
• For Delivery Sites running XenApp 7.6
and XenDesktop 7.6, select XenApp
and XenDesktop 7.6 Delivery
Controller (and App Orchestration
Agent)
• For farms running XenApp 6.5, select
XenApp 6.5 Controller (and App
Orchestration Agent)
For more information, see “Install App
Orchestration” on page 45.
Join the servers to the shared resource
domain.
Session Machines
On-demand Catalogs (Integrated Provisioning enabled)
For more information about preparing your environment for and enabling integrated provisioning, refer to
the document Provisioning Session Machines On-demand in App Orchestration 2.6.
Completed ()
Task Notes
Prepare a compute resource (host and
management machines) according to the
product documentation and the needs of your
organization.
When you create an on-demand catalog in App
Orchestration, you must specify the following
details about the compute resource:
• Whether the compute resource is
running XenServer, ESX, or Hyper-V
(resource type)
• A friendly name by which you can
identify the compute resource
• The location (URL or IP address) of the
compute resource
• Credentials for the compute resource
Resource type:
Friendly name:
Address:
User name:
Password:
Completed ()
Task Notes
Using the management console for the
compute resource, create and set up a VM to
use as a template for other Session Machines
that are added to the catalog.
Setting up a VM might include:
• Installing the guest operating system and applicable service packs or updates
• Verifying virtual devices such as hard disks are configured correctly
• Installing integration tools required to optimize interaction with the host machine
• Installing third-party tools such as antivirus software
• Installing applications you want to include in offerings
VM name:
Join the VM to the domain for which you want
newly-created Session Machines to be
members.
The domain to which you join the VM must
have a Group Policy defined that allows
PowerShell remoting and sets the execution
policy. For more information, refer to the
section “Configure the App Orchestration
Group Policy” on page 24.
The VM must be a member of either the shared
resource domain or a domain that has a
two-way trust with the shared resource domain.
Ensure that the Orchestration Service
Administrator account (defined in App
Orchestration’s global settings) has the ability
to use PowerShell remoting to connect to the
VM and install software.
Completed ()
Task Notes
On the VM, in Advanced TCP/IP Settings, configure the following settings for the VM’s network connection:
• In DNS suffix for this connection, enter the shared resource domain name.
• Select Use this connection’s DNS suffix in DNS registration.
Catalogs for Externally Provisioned Machines
Completed ()
Task Notes
Prepare one or more machines to be used as
Session Machines.
All machines to be added to the catalog must meet the following requirements:
• Have the same hardware configuration and all installed software (including operating system, installed updates, and applications).
• Capable of running XenApp 6.5 or XenDesktop 7.6 VDA software, according to the product’s system requirements.
Machine #1 name:
Machine #2 name:
Machine #3 name:
Machine #4 name:
Join the machines to the appropriate resource
domain.
If the machines will be shared among multiple
tenants, join them to the shared resource
domain. If the machines will be allocated to a
specific tenant, join them to the tenant’s private
resource domain.
Resource domain name:
StoreFront servers
Completed ()
Task Notes
Prepare one or more servers to be used as the
StoreFront server group.
For system requirements, refer to the “Prepare
StoreFront servers” section on page 39.
Primary StoreFront server name:
Backup StoreFront server name:
Run the App Orchestration Install Center to
install the StoreFront 3.0 software.
For more information, see “Install App
Orchestration” on page 45.
Join the servers to the shared resource
domain.
Install a valid SSL certificate, signed by a
trusted Certificate Authority, in the local
computer’s certificate store.
For proof-of-concept deployments, you can use
a wildcard certificate. The certificate must have
the same Friendly Name on all computers.
Friendly name:
Install and configure a load balancer for the
StoreFront server group.
For more information about configuring load
balancing with StoreFront, refer to the
document Configuring NetScaler 10.1 Load
Balancing with StoreFront 3.0 and NetScaler
Gateway for App Orchestration 2.6 or
Configuring NetScaler 10.5 Load Balancing
with StoreFront 3.0 and NetScaler Gateway for
App Orchestration 2.6.
Load Balancer URL:
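The certificate requirements in the configuration server and StoreFront checklists (a CA-signed certificate in the local computer store, with the same Friendly Name on all computers) can be checked over PowerShell remoting before installation. This is an added example, not part of the Citrix guide; the server names and the Friendly Name are placeholders, and the case-sensitive match is an assumption.

```powershell
# Added example. Server names and the Friendly Name below are placeholders.
$Servers      = 'sf01.shared.example', 'sf02.shared.example'
$FriendlyName = 'AO-StoreFront'

# Collect matching certificates from each server's local computer store.
$found = Invoke-Command -ComputerName $Servers -ArgumentList $FriendlyName -ErrorAction Stop -ScriptBlock {
    param($fn)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -ceq $fn } |   # strict match (assumption: case matters)
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                HasKey     = $_.HasPrivateKey
                # Verify() builds the chain with revocation checking, so $false can
                # also mean the CRL was unreachable from this server.
                ChainOK    = $_.Verify()
                Thumbprint = $_.Thumbprint
            }
        }
}

# One row per server, listing every deviation from the checklist.
$report = foreach ($server in $Servers) {
    $rows   = @($found | Where-Object { $_.PSComputerName -eq $server })
    $issues = @()
    if ($rows.Count -eq 0) { $issues += 'no certificate with this Friendly Name' }
    if ($rows.Count -gt 1) { $issues += 'Friendly Name is not unique in the store' }
    foreach ($r in $rows) {
        if (-not $r.HasKey)              { $issues += "$($r.Thumbprint): no private key" }
        if ($r.NotAfter -lt (Get-Date))  { $issues += "$($r.Thumbprint): expired" }
        if (-not $r.ChainOK)             { $issues += "$($r.Thumbprint): chain does not validate" }
        if ($r.Subject -match 'CN=\*\.') { $issues += "$($r.Thumbprint): wildcard (proof-of-concept use)" }
    }
    [pscustomobject]@{ Server = $server; Certs = $rows.Count; Issues = ($issues -join '; ') }
}
$report | Format-Table -AutoSize -Wrap
```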
App Orchestration Global Settings
After installing the App Orchestration configuration server, you configure the global settings using the
App Orchestration web console. During this process, you must specify the default datacenter for the
deployment and the external DNS suffix. You must also decide whether or not to enable network
isolation in your deployment.
In App Orchestration, datacenters are used for providing hosted apps and desktops to tenants in
distributed geographic locations and for failover. App Orchestration requires at least one datacenter in
the deployment. For more information about datacenters, refer to the document Deploying a
Multi-Datacenter Environment in App Orchestration 2.6.
In general, network isolation should be enabled if you intend to provide offerings exclusively to specific
tenants. For more information about network isolation, refer to the document Isolation Methods in App
Orchestration 2.6.
Completed ()
Task Notes
Specify the name of the primary datacenter. Name:
Specify the external DNS suffix.
The external DNS suffix is the top-level domain
of your external-facing DNS server. This
influences the defaults for connection routing,
but can be overridden, if necessary.
Example: For a datacenter named
ag.us.mycompany.com, the suffix
“mycompany.com” results in the default routing
for user connections to a datacenter named
“us.”
Suffix:
Enable network isolation?
If you intend to enable network isolation, you
must create and label at least three virtual
networks on your compute resources. These
networks must exist before you configure the
global settings.
For instructions for creating and labeling these
networks, refer to the product documentation
for your server virtualization solution.
Important: The labels for the virtual networks
are case-sensitive. When entering the network
labels in App Orchestration, ensure they match
exactly the labels configured on your compute
resources.
Yes / No
Shared Delivery Controller Management
Network label:
Shared Delivery Group Management
Network label:
Private Management Network label:
First Tenant
Completed ()
Task Notes
Specify the tenant name. Tenant Name:
Create an organizational unit in the shared
resource domain where the tenant’s private
machines will reside.
OU Name:
Create the tenant’s user domain and add an
organizational unit where the tenant’s user
accounts will reside.
User domain name:
OU Name:
Create user groups for the tenant in the user
domain, under the tenant’s user OU.
These user groups will be used later for
creating subscriptions, so they should organize
users by the sets of apps and desktops that
you intend to deliver to those users.
User Group #1:
User Group #2:
User Group #3:
User Group #4:
Create user accounts for the tenant’s users and
add them to the appropriate user groups.