
© 2015 Citrix Systems, Inc. All rights reserved.

App Orchestration 2.6

Getting Started with Citrix App Orchestration 2.6

Version: 1.0

Last Updated: July 9, 2015


Contents

Copyright and Trademarks
Welcome to App Orchestration 2.6
What’s New in This Release
Documentation and support for App Orchestration
App Orchestration components
Configuration server
What is it?
What does it do?
How many do I need?
Domain agent
What is it?
What does it do?
How many do I need?
Delivery Sites and Delivery Controllers
What are they?
What do they do?
How many do I need?
Additional information
Session Machines, Catalogs, and Delivery Groups
What are they?
What is a catalog?
How many do I need?
Additional information
StoreFront
What is it?
How many do I need?
Compute resources
App Orchestration deployment overview
Prepare to deploy App Orchestration 2.6
How many machines do I need?
Network preparation task overview


Machine preparation task overview
Prepare your Active Directory domains
Task 1: Prepare required domains
Task 2: Prepare required organizational units
Task 3: Prepare tenant domains and organizational units
Configure the App Orchestration Group Policy
Task 1: Set the PowerShell execution policy
Task 2: Configure PowerShell remoting
Task 3: To enable remote administration with WMI
Create administrator accounts
Setup Citrix Licensing
Set up compute resources
Set up NetScaler Gateway
LDAP authentication for NetScaler Gateway
Prepare the database server
Supported database servers
Support for database mirroring
Support for SQL Server AlwaysOn Availability Group
System requirements
Task 1: Create a firewall exception
Prepare the App Orchestration configuration server
System requirements
Sequence of preparation tasks for Windows Server 2008 R2 SP1
Client OS and browser support for the management console
Prepare Delivery Controllers and Session Machines
Supported platforms
System requirements
Support for aggregating existing Delivery Sites
Considerations for Delivery Controllers in cross-forest private Delivery Sites
Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5
Task 2: Configure SSL on Delivery Sites and Session Machines
Prepare StoreFront servers
System requirements


Server group requirements
Security Considerations for App Orchestration 2.6
SSL recommendations
Restrict PowerShell remoting sessions
SMB security signatures
Machine hardening techniques
Restrict access for tenant user accounts
XenApp Session Machine isolation
Session Machine Catalog upgrades
Install App Orchestration
Overview
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task 1: Download the product media
Download App Orchestration
Build out the product media folder
Task 2: Install App Orchestration components
Configure App Orchestration
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task 1: Configure the App Orchestration configuration server
Task 2: Configure global settings
Define App Orchestration infrastructure
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task overview
Design service offerings for tenants


Accounts and Permissions
Prerequisites for Session Machine Catalogs using integrated provisioning
Prerequisites for Session Machine Catalogs using external provisioning
Prerequisites for Offerings
Prerequisites for Delivery Sites
Prerequisites for StoreFront
Personas
Pitfalls to Avoid
Task 1: Create a new Delivery Site
Aggregate an existing Delivery Site
Task 2: Create a Session Machine Catalog
Create a catalog with integrated provisioning
Create a catalog for externally-provisioned machines
Add Session Machines to the catalog
Task 3: Add a StoreFront server group
Task 4: Create an offering
Deliver service offerings to tenants
Accounts and Permissions
Prerequisites
Personas
Pitfalls to Avoid
Task 1: Add a tenant and add users
Security considerations
Task 2: Adjust capacity
Task 3: Subscribe the tenant to an offering
Task 4: Optional: Deploy tenant self-service features
Appendix: Setup Checklist
Shared resource domain
Default user domain
Citrix ProductMedia folder
Database Server
Citrix License Server
NetScaler Gateway


App Orchestration configuration server
Delivery Controllers
Session Machines
On-demand Catalogs (Integrated Provisioning enabled)
Catalogs for Externally Provisioned Machines
StoreFront servers
App Orchestration Global Settings
First Tenant


Copyright and Trademarks

Use of the product documented herein is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included with your installation media.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2014 Citrix Systems, Inc. All rights reserved.

The following are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries:

Citrix®, Citrix Access Gateway™, Citrix App Orchestration™, Citrix Receiver™, Citrix XenApp™, CloudPlatform™, CloudPortal™, ICA®, NetScaler®, NetScaler App Delivery Controller™, NetScaler Gateway™, XenApp®, XenDesktop™, XenServer™

All other trademarks and registered trademarks are the property of their respective owners.


Welcome to App Orchestration 2.6

Thank you for choosing App Orchestration. This document includes information and instructions to help you learn more about planning your App Orchestration deployment, prepare core components, and perform tasks such as creating offerings and subscribing tenants to those offerings.

What’s New in This Release

• Support for XenDesktop 7.6: App Orchestration 2.6 brings support for deploying and managing app and desktop delivery infrastructure across multiple tenants, domains and datacenters using XenDesktop 7.6 Feature Pack 2. Learn more about the benefits and new features of XenDesktop 7.6.

• Support for StoreFront 3.0: App Orchestration 2.6 provides support for deployment and orchestration of StoreFront 3.0 Server Groups and Sites. Server group and site isolation is easily managed for each tenant using one of three pre-defined isolation modes (shared, private and private site). Learn more about StoreFront 3.0.

• In-Place Upgrade: Upgrade App Orchestration 2.5 deployments in-place and carry forward existing XenDesktop 7.5 Delivery Sites and 2.5 StoreFront Server Groups under orchestration to the latest 7.6 and 3.0 versions. View the upgrade guide to review the provided upgrade scripts, installers and process.

• High Availability and Disaster Recovery Guidance: New guidance on configuring App Orchestration for high availability and disaster recovery is now available. This release validates disaster tolerant, multi-datacenter designs where delivery infrastructure is orchestrated and managed across datacenters, even during a datacenter outage. During a disaster event, App Orchestration can be used to quickly scale up capacity in backup datacenters to restore or expand availability of services. Learn more about these configurations.

• Lean Deployment: In this release high availability requirements are now optional, allowing for sites and server groups to be created using a single server. This change reduces cost and deployment time for lean deployments.

• Bundled Delivery: To get started fast, all Citrix product media is wrapped up into a single download. The unpacking process deploys the product media ready for image prep using App Orchestration Install Center. The bundled delivery saves administrators time downloading and packaging XenDesktop, StoreFront and App Orchestration installers and hotfixes.

• Customer Experience Improvement Program: New in this release is optional enrollment into the CEIP program. When enrolled, App Orchestration will collect and report anonymous information about product use to better support and improve the product moving forward.


Documentation and support for App Orchestration

• App Orchestration in Citrix eDocs: This section of eDocs is your primary source for all resources that support App Orchestration 2.6. Access guides, videos and other materials to help you progress smoothly through each stage of deployment.

• App Orchestration 2.x Discussion Forum: Use this Citrix Discussions site to ask questions and contribute your knowledge about App Orchestration.


Use the following table as a guide to the materials available for planning and deploying App Orchestration:

| When you’re ready to… | And you need more information about… | Consult this document… |
|---|---|---|
| Plan your App Orchestration deployment and prepare your network environment | Known issues in App Orchestration | Known Issues for App Orchestration 2.6 |
| | The concepts and terminology specific to App Orchestration | App Orchestration Key Concepts and Terms |
| | System requirements for core components, required pre-deployment tasks, and security considerations | Getting Started with App Orchestration 2.6 (this document); Setup Checklist (Appendix to this document) |
| | Deploying App Orchestration in an Active Directory environment with multiple forests and multiple domains | Deploy App Orchestration in a complex Active Directory environment |
| | The user accounts you will need to deploy the core App Orchestration components and perform tasks using the App Orchestration web console | Credentials Used in App Orchestration 2.6 |
| | Using SQL database mirroring for adding high availability and failover to the databases used in App Orchestration | Configure SQL Database Mirroring in App Orchestration 2.6 |
| | The virtual networks you will need to provide tenant isolation of private offerings | Isolation Methods in App Orchestration 2.6 |
| | Integrate Citrix CloudPlatform with App Orchestration to create Public and Private Clouds | Using Citrix CloudPlatform to Provision Session Machines On-demand in App Orchestration 2.6 |
| | Configuring SSL between the core components of your deployment | Configure SSL for App Orchestration |
| Install and configure App Orchestration | Installing the core App Orchestration components | Getting Started with App Orchestration 2.6 (this document); Setup Checklist (Appendix to this document) |
| | Using domain agents to secure communication between App Orchestration and the resource domains in your deployment | Deploying the Zero Trust Agent Deployment Guide |
| | Using multiple datacenters to support resources deployed across geographic locations | Deploying a Multi-Datacenter Environment in App Orchestration 2.6 |
| | Integrating NetScaler Gateway with App Orchestration | Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6, or Configuring NetScaler 10.5 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6 |
| Use specific features of App Orchestration | Enabling hosted desktops to display the Windows 7 look and feel to users | Configuring Enhanced Desktop Experience for XenApp and XenDesktop in App Orchestration 2.6 |
| | Enabling on-demand provisioning of Session Machines to increase the capacity of your deployment as needed | Provisioning Session Machines On-demand in App Orchestration 2.6 |
| | Integrating Provisioning Services with App Orchestration to provide on-demand provisioning of Session Machines | Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.6 |
| Upgrade an existing App Orchestration 2.5 deployment to App Orchestration 2.6 | The upgrade process, preparation tasks, and instructions | Upgradability Guide for App Orchestration 2.6 |


App Orchestration components

App Orchestration provides simple unified management of Citrix application and desktop delivery technologies in a multi-tenant environment, using multiple datacenters across multiple domains. This section describes the core components and shows how they work together to provision and manage hosted applications and desktops for tenants and users.

A typical App Orchestration deployment includes the following components:

• A configuration server, for hosting the App Orchestration engine and web-based management console.

• A domain agent, to enable the configuration server to communicate with any isolated tenant domains in the deployment.

• Delivery Controllers, for hosting XenApp or XenDesktop Delivery Sites.

• Session Machines, for hosting the applications and desktops that users access through Citrix Receiver.

• StoreFront servers, for hosting the store that contains the offerings you create for tenants.

• Compute resources, for providing the virtual networks required for tenant isolation and provisioning identically-configured Session Machines as needed through integrated provisioning.

For a visual overview of an App Orchestration deployment, refer to the App Orchestration Architecture diagram.

Configuration server

What is it?

The App Orchestration configuration server hosts the App Orchestration engine and the web-based

management console. These are stateless components that can be deployed on multiple servers to

provide high availability and scalability. Additionally, an instance of Machine Creation Services (MCS)

and an agent reside on the configuration server. MCS provides the functionality for creating and

managing virtual machines (VMs) on the compute resources in the virtualization infrastructure.

What does it do?

When a change to the deployment occurs, such as creating a Delivery Site or adding a Session Machine to a catalog, the change is written to the configuration database and the App Orchestration engine issues all of the actions required to apply the change. These actions are called workflows, which you can monitor from the web management console. The configuration server can apply these changes asynchronously, allowing multiple operations across different products in the correct sequence and over extended periods of time. If any failures result, they can be corrected and the system will complete the change.

Typically, the agent that resides on the configuration server interacts with Active Directory for operations

such as monitoring OUs. If you use zero-trust domains in your deployment, the Zero Trust Agent

handles communication with Active Directory. All Active Directory communication occurs through Active

Directory Web Services. The agent also communicates with Session Machines that have not yet been

allocated to host tenants' subscriptions. This occurs using PowerShell remoting (WinRM) and executing

pre-installed scripts.

How many do I need?

You need at least one configuration server in your deployment. However, you can deploy multiple

configuration servers to provide high availability and failover capabilities.

For system requirements and preparation instructions, see “Prepare the App Orchestration configuration

server” on page 32.

Domain agent

What is it?

The domain agent, also known as the Zero Trust Agent, allows the configuration server to orchestrate

resources in domains to which it cannot directly connect or where configuring Active Directory trusts

between the shared resource domain and the target orchestrated domain is not allowed.

What does it do?

The domain agent is installed on a dedicated machine in each resource domain of your App

Orchestration deployment. The agent establishes an SSL connection to the configuration server through

which the configuration server sends requests to the agent.

How many do I need?

You need at least one domain agent for each isolated tenant resource domain in your deployment. The domain agent is installed on a dedicated server and requires SSL to be configured. For more information about deploying the Zero Trust Agent, see the document Deploying the Zero Trust Agent in App Orchestration 2.6.

Delivery Sites and Delivery Controllers

What are they?

Delivery Sites are composed of identically configured Delivery Controllers and include the Session

Machines, Delivery Groups, and other components that deliver hosted applications and desktops to

tenants and their users at the appropriate isolation level. For more information about isolation levels, see

the document Isolation Methods in App Orchestration 2.6.

What do they do?

Delivery Controllers are responsible for distributing and managing user access to hosted applications

and desktops, power managing desktops, and reboot cycles for servers. Delivery Controllers can be

provisioned to run XenApp 6.5 or XenApp 7.6 and XenDesktop 7.6.

When you prepare machines to be Delivery Controllers, App Orchestration installs an agent on each

machine to establish communication with the orchestration engine API that is hosted on the

configuration server. The Delivery Controller manages Delivery Site configuration and the draining

process for Session Machines. Additionally, the agent joins Session Machines to the Delivery Site using

PowerShell remoting and executing pre-installed scripts.

How many do I need?

You need at least one Delivery Controller for each Delivery Site you deploy. If more than one Delivery Controller is deployed, the Delivery Controllers must be identically configured, including hardware configuration, operating system, and installed updates.

For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session

Machines” on page 35.

Additional information

• XenApp 7.6 and XenDesktop 7.6 documentation

• XenApp 6.5 product documentation

Session Machines, Catalogs, and Delivery Groups

What are they?

Session Machines host applications and desktops for tenants' users to access through Citrix Receiver.

Like Delivery Controllers, Session Machines can be provisioned to run XenApp 6.5, XenApp 7.6, or

XenDesktop 7.6.

What is a catalog?

Multiple Session Machines are collected in Session Machine Catalogs. All Session Machines in a

catalog are identically configured, using the same operating system and configuration settings, and the

same installed software. This ensures that users can access the applications and desktops associated

with the catalog when needed, regardless of the machines App Orchestration selects to host the

sessions. When additional capacity is needed for subscriptions, Session Machines from the catalog are

added to a Delivery Group that is associated with the subscribing tenant. Delivery Groups can be

dedicated to a single tenant's users or shared among the users of several tenants.

You can create two catalog types in App Orchestration: On-demand catalogs and catalogs for

externally-provisioned machines.

On-demand catalogs use on-demand provisioning to create Session Machines whenever more capacity

is needed to host tenant subscriptions. Before you create an on-demand catalog, you must perform

additional tasks to enable on-demand provisioning in your deployment. For information about these

tasks, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.6.

Catalogs for externally-provisioned machines allow you to use other means, such as Citrix Provisioning

Services or PowerShell scripts, to provision servers and add them to the catalog. When additional

capacity is needed in the catalog, App Orchestration notifies you to deploy more machines; additional

machines are not deployed automatically. For more information about using Provisioning Services for

externally-provisioned machines, refer to the document Using Citrix Provisioning Services to Provision

Session Machines in App Orchestration 2.6.

OS types for catalogs

When you create a new Session Machine Catalog, you must select an OS type which governs the

operating system installed on each machine in the catalog.

The Multi User type enables you to deploy a set of standard desktops and applications that are shared by a large number of users. Desktops and applications are allocated to users on a first-come, first-served basis. Additionally, the desktop environment automatically resets to the default configuration when users log off. Session Machines in a catalog with this OS type run only supported versions of Windows Server.

The Single User type enables you to deploy desktops and applications that are assigned to individual

users. Users can personalize the desktop and install applications. Additionally, the desktop environment

remains unchanged between sessions. Session Machines in a catalog with this OS type run on

supported versions of Windows or Windows Server (with XenDesktop’s Server VDI capability).

How many do I need?

You need at least one Session Machine to host offerings for users. To increase capacity for your

offerings and host more user sessions, you can deploy multiple Session Machines.

For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session

Machines” on page 35.

Additional information

• XenApp 7.6 and XenDesktop 7.6 documentation

• XenApp 6.5 product documentation

StoreFront

What is it?

StoreFront authenticates users to sites hosting resources and manages stores of applications and

desktops that users access using Citrix Receiver.

How many do I need?

To provide offerings to users, you need at least one StoreFront server group consisting of at least one

StoreFront server.

• For system requirements and preparation instructions, see “Prepare StoreFront servers” on page 39.

• For more information about StoreFront 3.0, see the product documentation in Citrix eDocs.

When you add tenants to your deployment, you can specify whether the tenant’s users will use a shared

or private StoreFront site to access your offerings. The number of StoreFront servers you need depends

on the number of tenants who will be using shared or private StoreFront resources to access your

offerings. For more information about shared and private StoreFront resources, see the document

Isolation Methods in App Orchestration 2.6.

Compute resources

Compute resources are the hypervisors, hypervisor pools, and other components required to create and

manage virtual machines (VMs). These resources enable you to create virtual networks, a key

component in isolating tenants and ensuring shared and private resources are allocated appropriately.

To learn about the compute resources that App Orchestration supports, see the section “Set up compute resources” on page 28.

App Orchestration deployment overview

Deploying App Orchestration typically occurs using the following phased approach:

Phase | Tasks

Prepare | • Download the software for App Orchestration and its components. • Prepare your environment and the machines you will use to deploy App Orchestration and design and deliver offerings.

Install | Use the App Orchestration Install Center to install the required software on the machines you prepare as the configuration server, Delivery Controllers, Session Machines, and StoreFront servers. This enables you to perform the remaining deployment phases with minimal interruption.

Configure | Configure App Orchestration’s global settings.

Define | • Define additional domains. • Create additional datacenters. • Set up and configure compute resources. • Add instance configurations.

Design | • Create Delivery Sites. • Create a Session Machine Catalog for on-demand provisioning or external provisioning. • Create a StoreFront server group. • Create an offering.

Deliver | • Add a tenant and add users. • Adjust capacity. • Subscribe the tenant to the offering. • (Optional) Enable tenant self-service with CloudPortal Services Manager 11.5.

Prepare to deploy App Orchestration 2.6

Before you install App Orchestration, some planning is required to prepare your environment and the

machines you will include in your deployment. Use this section to learn about:

• Required tasks for preparing your network environment and the machines included in your

deployment.

• System requirements for the core components of your deployment.

• Deployment recommendations and requirements for using specific features of App Orchestration.

How many machines do I need?

The simplest App Orchestration deployment that enables you to create an offering and deliver it to a

tenant requires the following machines:

• 1 domain controller with a minimum domain functional level of Windows Server 2008 R2

• 1 database server running a supported version of Microsoft SQL Server

• 1 Citrix License Server

• 1 server, for the App Orchestration configuration server

• 1 server, for the Session Machine that will host applications and desktops for the tenant’s users

• 1 server, for the Delivery Controller that makes up one Delivery Site

• 1 server, for the StoreFront server that makes up one StoreFront server group

You can then add other components such as NetScaler Gateway and Citrix Provisioning Services,

depending on the needs of your deployment.

Network preparation task overview

Perform the following tasks to prepare your network environment for App Orchestration:

Step # | To perform this task | Refer to this section

1 | Create the shared resource and default user domains and the root OU for the deployment. | “Prepare your Active Directory domains” on page 22

2 | Create a policy for all machines in the deployment that sets the PowerShell execution policy, enables PowerShell remoting, and enables remote administration with WMI. | “Configure the App Orchestration Group Policy” on page 24

3 | Create the non-privileged user accounts that you will use to install App Orchestration and designate as the orchestration service account for the deployment. | “Create administrator accounts” on page 27

4 | Set up Citrix Licensing for your deployment. | “Setup Citrix Licensing” on page 28

5 | Set up compute resources to create virtual networks and provision Session Machines on-demand. | “Set up compute resources” on page 28

6 | Set up NetScaler Gateway to provide secure remote access and load balancing for the StoreFront servers in your deployment. | “Set up NetScaler Gateway” on page 29

Machine preparation task overview

Perform the following tasks to prepare the machines that you include in your App Orchestration

deployment:

Step # | To perform this task | Refer to this section

1 | Install and configure the SQL Server that hosts the configuration database for your deployment. | “Prepare the database server” on page 29

2 | Prepare the machine that you deploy as the App Orchestration configuration server, including configuring SSL. | “Prepare the App Orchestration configuration server” on page 32

3 | Prepare the machines that you deploy as Delivery Controllers and Session Machines, including configuring SSL and updating the Citrix Group Policy snap-in. | “Prepare Delivery Controllers and Session Machines” on page 35

4 | Prepare the machines that you deploy as StoreFront servers, including configuring SSL. | “Prepare StoreFront servers” on page 39

Prepare your Active Directory domains

To deploy App Orchestration successfully, you must have at least one domain controller in your

environment. With a single domain, you can create a deployment in which users access offerings that

are hosted on resources that are shared amongst all tenants.

App Orchestration also supports deployments that span multiple forests and domains. With a

multi-forest or multi-domain deployment, you can provide tenant isolation, create private offerings, and

allocate private resources to specific tenants. For more information about multi-forest deployment, see

the document Deploy App Orchestration 2.6 in a Complex Active Directory Environment.

App Orchestration supports the following domain functional levels:

Resource Domain Functional Levels | User Domain Functional Levels

Windows Server 2012; Windows Server 2008 R2 | Windows Server 2012; Windows Server 2008 R2; Windows Server 2003

Task 1: Prepare required domains

Create the following domains:

• Shared resource domain: The domain where the App Orchestration configuration server resides. This domain contains all components that are shared with multiple tenants. This is also where the App Orchestration root OU is created.

Important: All configuration servers in your deployment must reside in the shared resource domain. App Orchestration does not support the use of configuration servers in different domains.

• Default user domain: The domain where App Orchestration user accounts reside (for example, the user account designated as the orchestration service account). You can create a separate domain for these accounts or you can designate the shared resource domain for this purpose.

If you intend to include multiple domains in your deployment, create these resource and user domains

as necessary. You will need to specify the shared resource and default user domains when you

configure App Orchestration's global settings. You can define additional domains through the App

Orchestration web console. For more information about using multiple domains with App Orchestration,

refer to the document Deploy App Orchestration in a Complex Active Directory Environment.

Task 2: Prepare required organizational units

In the shared resource domain, create an OU that acts as the root OU for your App Orchestration

deployment. If your deployment includes multiple resource domains, create a root OU in each of these

domains.

You can name the root OU according to your preference; however, the root OU in each resource domain

must have the same name and path. You will specify the root OU for the shared resource domain when

you configure App Orchestration's global settings.

Important: The root OU in each resource domain must reside within the scope of the App Orchestration Group

Policy. For more information on configuring this policy and linking the root OUs, see the section “Configure the

App Orchestration Group Policy” on page 24.

After you configure the global settings, App Orchestration creates the DecommissionedServers OU

automatically within this root OU. The DecommissionedServers OU is for machines that have been

removed from the deployment.

Task 3: Prepare tenant domains and organizational units

Before you add tenants to the deployment, determine the tenants who will require shared or private

access to offerings. When you add tenants, you will need to specify the resource and user domains for

the tenant so that, when subscriptions are created later, App Orchestration can allocate the machines

hosting the tenant's offerings appropriately.

Create the resource and user domains for each tenant in Active Directory and add them as domains

through the App Orchestration web console before you add the tenants; App Orchestration does not

create these domains for you.

You will also need location groups and subscription groups for each tenant:

• Location groups map users to certain datacenters, enabling users to access applications and

desktops from different datacenters based on their group membership.

• Subscription groups are Active Directory user groups that organize users according to the offerings

they need. A subscription group must be a member of a location group, but can belong to only one

location group at any given time. When you create an offering, you specify the subscription groups

that can access the offering.

Tenants with private domain isolation

For each tenant who needs private access to offerings, perform the following tasks:

1. Create a private resource domain and App Orchestration root OU. This is where App Orchestration

will allocate machines for hosting private offerings.

2. (Optional) Create a private user domain for the tenant's user accounts. Alternatively, you can use the

tenant's resource domain for this purpose.

3. In the user domain, create location and subscription groups for the tenant. Finally, add user accounts

to the subscription groups.

Tenants with shared domain isolation

For each tenant who needs shared access to offerings, perform the following tasks:

1. Create a resource OU for the tenant within the App Orchestration root OU in the shared resource

domain.

2. (Optional) Create a user domain for the tenant's user accounts. Alternatively, you can use App

Orchestration's default user domain for this purpose.

3. In the default user domain, create location and subscription groups for the tenant. Finally, add user

accounts to the subscription groups.

Required trusts for resource and user domains

If you deploy App Orchestration in an environment that includes different resource and user domains (for

example, a resource domain and a user domain exist that are each different than the shared resource

domain), ensure that the resource domain trusts the user domain by establishing a one-way trust. This

trust enables users to access the offerings hosted on machines in the resource domain.

For more information about using multiple domains with App Orchestration, see the document Deploy

App Orchestration 2.6 in a Complex Active Directory Environment.

Required domain trusts for private offerings

App Orchestration enables you to isolate tenants in their own domains using the following methods:

• In a private domain using the Zero Trust Agent. The Zero Trust Agent facilitates secure communication between the App Orchestration configuration server and the tenant’s isolated resource domain. For more information, refer to the document Deploying the Zero Trust Agent in App Orchestration 2.6.

• In a private domain requiring a one-way trust in Active Directory with the shared resource domain. App Orchestration verifies this trust exists when you add a resource domain through the web console.

Configure the App Orchestration Group Policy

To facilitate remote administration, create a policy that applies to all machines in your App Orchestration

environment and include the following:

• PowerShell execution policy is set to AllSigned.

• PowerShell remoting is enabled, including auto-configuration of listeners, trusted hosts, and Windows Remote Shell.

• Inbound remote administration is allowed in Windows Firewall.

Note: By default, WinRM 2.5 uses the ports 5985 for HTTP traffic and 5986 for HTTPS traffic. If you are using

firewalls between the App Orchestration configuration server and the other servers in your deployment, ensure

these ports are enabled.

You can create this policy using one of the following methods:

• Manually configure policy settings using the Group Policy Management Console. Use this topic to

configure these settings.

• Automatically configure policy settings using the New-CamGPO.ps1 script.

The New-CamGPO script creates a Group Policy Object (GPO) and configures all the required policy settings described in this section. You can run this script after you prepare the server you want to use as the App Orchestration configuration server, join it to the shared resource domain, and add it to the App Orchestration root OU. This script is located in the %Program Files%\Citrix\CloudAppManagement\InfrastructureTools directory on the App Orchestration configuration server.

After you create this policy, link the GPO to the following objects:

• App Orchestration root OU in the shared resource domain.

• App Orchestration root OU in each additional private tenant resource domain that you create.

Important: When you deploy machines that reside in these OUs (for example, adding a Delivery Site), App

Orchestration issues workflows to complete the deployment tasks. For these workflows to complete

successfully, the machines on which they run must have these policy settings applied. App Orchestration does

not verify these policy settings are applied before issuing the workflows.

Task 1: Set the PowerShell execution policy

1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and

create a new GPO or edit an existing one.

2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >

Administrative Templates > Windows Components > Windows PowerShell.

3. Right-click Turn on Script Execution and select Edit.

4. Select Enabled and then, under Options, select Allow only signed scripts.

Task 2: Configure PowerShell remoting

To configure PowerShell remoting using Group Policy, use the Group Policy Management Console to

enable the WinRM service, configure listeners, set the amount of session memory available, and provide

a list of trusted hosts. You will also need to configure the WinRM service to start automatically and

ensure Windows Firewall allows traffic through the ports assigned to WinRM.

1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and

create a new Group Policy Object (GPO) or edit an existing one.

2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >

Administrative Templates > Windows Components.

3. Use the following table to configure the required policy settings:

Setting Location & Name | Policy Setting | Setting Values

Windows Remote Management (WinRM) > WinRM Service | Allow automatic configuration of listeners | Enabled. To configure WinRM to listen on all addresses, type an asterisk (*) in the IPv4 Filter and IPv6 Filter fields.

Windows Remote Management (WinRM) > WinRM Client | Trusted Hosts | Enabled. In TrustedHostsList, type an asterisk (*) to indicate all hosts are trusted.

Windows Remote Shell | Specify maximum amount of memory in MB per Shell | Enabled. In MaxMemoryPerShellMB, type 1024.

Windows Remote Shell | Specify maximum number of remote shells per user | Enabled. In MaxShellsPerUser, typing 0 indicates an unlimited number of shells.

4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >

System Services.

5. Double-click the Windows Remote Management service and select the following options:

• Define this policy setting

• Automatic

6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >

Windows Firewall with Advanced Security > Windows Firewall with Advanced Security >

Inbound Rules.

7. Right-click Inbound Rules and select New Rule.

8. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined and then select the

Windows Remote Management rule. Click Next.

9. On the Predefined Rules page, accept the defaults and click Next.

10. On the Action page, ensure Allow the connection is selected and click Finish.

11. To apply the settings, on each server, open a PowerShell command window and run gpupdate.

Task 3: Enable remote administration with WMI

As part of maintaining your App Orchestration environment, you might need to update Session Machine

Catalogs to deploy patches, upgrade installed applications, or take advantage of new hardware on

Session Machines. To ensure the update process occurs smoothly, a firewall exception is required to

enable inbound remote administrative connections on TCP ports 135 and 445. If this exception is not

present, the update process might fail.

1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and

create a new Group Policy Object (GPO) or edit an existing one. This GPO should be associated

with all servers in the App Orchestration environment.

2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >

Administrative Templates > Network > Network Connections > Windows Firewall > Domain

Profile.

3. Double-click the Windows Firewall: Allow inbound remote administration exception setting and

select Enabled.

4. Under Options, in Allow unsolicited incoming messages from these IP addresses, type an

asterisk (*).

5. Click OK to save your selection.
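
Because App Orchestration does not verify these policy settings before issuing workflows, the following added PowerShell example (not part of the Citrix guide or its New-CamGPO.ps1 script) checks on one machine that the settings from Tasks 1 through 3 were applied and then tests the WinRM and remote administration ports from the configuration server. The registry paths are the standard Windows locations for these Group Policy settings and are an assumption, as is the placeholder host name; rows whose expected value is an asterisk show where the documented settings accept any address or host.

```powershell
# Added example (not Citrix code). Run in an elevated PowerShell 3.0+ session
# after gpupdate has completed on the machine being checked.
# Assumption: the registry paths are the standard Windows locations where these
# Group Policy settings are stored; the guide itself does not list them.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }   # emits nothing when the value is absent
}

function New-Check {
    param([string]$Setting, [string]$Expected, $Actual)
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = if ($null -eq $Actual) { '<not set>' } else { "$Actual" }
        Pass     = ("$Actual" -eq $Expected)
    }
}

function Test-AppOrchestrationPolicy {
    $winrm  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'
    $rshell = "$winrm\Service\WinRS"
    $fw     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # Task 1: execution policy delivered by Group Policy
    New-Check 'Execution policy (MachinePolicy scope)' 'AllSigned' (Get-ExecutionPolicy -Scope MachinePolicy)

    # Task 2: WinRM service, client, and Windows Remote Shell settings
    New-Check 'WinRM Service: automatic configuration of listeners' '1' (Get-PolicyValue "$winrm\Service" 'AllowAutoConfig')
    New-Check 'WinRM Service: IPv4 filter' '*' (Get-PolicyValue "$winrm\Service" 'IPv4Filter')
    New-Check 'WinRM Service: IPv6 filter' '*' (Get-PolicyValue "$winrm\Service" 'IPv6Filter')
    New-Check 'WinRM Client: Trusted Hosts enabled' '1' (Get-PolicyValue "$winrm\Client" 'TrustedHosts')
    New-Check 'WinRM Client: TrustedHostsList' '*' (Get-PolicyValue "$winrm\Client" 'TrustedHostsList')
    New-Check 'Remote Shell: MaxMemoryPerShellMB' '1024' (Get-PolicyValue $rshell 'MaxMemoryPerShellMB')
    New-Check 'Remote Shell: MaxShellsPerUser' '0' (Get-PolicyValue $rshell 'MaxShellsPerUser')
    New-Check 'WinRM service start mode' 'Auto' $svc.StartMode

    # Task 3: inbound remote administration exception (domain profile)
    New-Check 'Firewall: remote administration exception' '1' (Get-PolicyValue $fw 'Enabled')
    New-Check 'Firewall: allowed remote addresses' '*' (Get-PolicyValue $fw 'RemoteAddresses')
}

function Test-AdminPort {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Port = @(5985, 5986, 135, 445),   # ports named in the guide
        [int]$TimeoutMs = 2000
    )
    foreach ($computer in $ComputerName) {
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                # Asynchronous connect so a filtered port fails after the timeout
                $pending = $client.BeginConnect($computer, $p, $null, $null)
                $open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }
            [pscustomobject]@{ Computer = $computer; Port = $p; Open = $open }
        }
    }
}

# Local check: list every setting that does not match the documented value.
Test-AppOrchestrationPolicy | Where-Object { -not $_.Pass } | Format-Table -AutoSize

# Reachability check, run from the configuration server.
# 'sm01.example.test' is a placeholder host name. Port 5986 stays closed
# unless an HTTPS listener has been configured on the target.
Test-AdminPort -ComputerName 'sm01.example.test' | Format-Table -AutoSize
```

An empty result from the first command means every checked setting matches the values given in this section.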

Create administrator accounts

To install and manage components in your App Orchestration deployment, create the following objects:

• Orchestration service group: A user group for the user accounts for installing and administering

the deployment. This group confers full rights on member accounts. User accounts that are added to

this group should be non-privileged users with no administrator rights to the machines in the

deployment. Accounts in this group should not be members of the Domain Admins group. You will

need to supply this group name when you install the App Orchestration configuration server.

Note: After you supply this group name, it cannot be changed later.

• Orchestration service account: The primary user account for performing administrative tasks in

the App Orchestration web console. This is a non-privileged user account that has permission to

access all App Orchestration functions and add and modify objects. This account should not be part

of the Domain Admins group. This account need not be the same as the App Orchestration

configuration server installation and configuration credentials.

Note: When adding administrator accounts to App Orchestration in a multi-domain environment, ensure the

accounts are members of a global or universal group in the user domain. If the account is a member of a


domain local group, App Orchestration does not recognize the account and, therefore, does not allow the

account to log on to the web console.

For more information about requirements and permissions for these user accounts, as well as other user

accounts that App Orchestration uses to provision and manage machines, see the document

Credentials Used in App Orchestration 2.6.
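The account guidance above can be checked before installation. The following PowerShell is an added example, not part of the Citrix document: it assumes the ActiveDirectory module (RSAT) is available, and the group name AO-ServiceGroup is a placeholder. It reports a domain local group scope and any group member that is also a member of Domain Admins.

```powershell
# Added example (not Citrix code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-OrchestrationServiceGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $GroupName,   # placeholder: your Orchestration service group
        [string] $Server       # optional: a domain controller in the user domain
    )

    # Pass -Server through to every AD cmdlet only when it was supplied.
    $ad = @{}
    if ($Server) { $ad['Server'] = $Server }

    $findings = @()
    $group = Get-ADGroup -Identity $GroupName @ad

    # In a multi-domain environment, App Orchestration does not recognize
    # accounts that are members of a domain local group.
    if ($group.GroupScope -eq 'DomainLocal') {
        $findings += [pscustomobject]@{
            Subject = $group.Name
            Issue   = 'Group scope is DomainLocal; use a Global or Universal group'
        }
    }

    # Domain Admins always has the well-known relative ID 512.
    $domainSid = (Get-ADDomain @ad).DomainSID.Value
    $adminSids = @(Get-ADGroupMember -Identity "$domainSid-512" -Recursive @ad |
        ForEach-Object { $_.SID.Value })

    # -Recursive expands nested groups, so indirect membership is caught too.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive @ad) {
        if ($adminSids -contains $member.SID.Value) {
            $findings += [pscustomobject]@{
                Subject = $member.SamAccountName
                Issue   = 'Member of Domain Admins; service accounts must be non-privileged'
            }
        }
    }

    return $findings
}

# Example call; the group name is a placeholder.
$result = Test-OrchestrationServiceGroup -GroupName 'AO-ServiceGroup'
if ($result) { $result | Format-Table -AutoSize }
else { 'No findings: group scope and Domain Admins membership look correct.' }
```

The check covers Domain Admins membership and group scope only; local administrator rights on the machines in the deployment still need to be reviewed separately.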

Set up Citrix Licensing

Citrix Licensing 11.12.1 is required for configuring the App Orchestration configuration server as well as

configuring the Delivery Controllers, Session Machines, and StoreFront servers you want to deploy. If

you use an older version of Citrix Licensing, App Orchestration cannot validate the server during

configuration of global settings.

For Delivery Sites that use controllers running XenApp 6.5 Feature Pack 4, specify the Licensing server

using the FQDN or an IPv4 address. If you use an IPv6 address, App Orchestration cannot validate the

server and create the Delivery Site.

For more information about deployment steps, obtaining license files, and managing your Licensing

server, see Citrix Licensing 11.12.1 in Citrix eDocs.

Set up compute resources

Compute resources include the hypervisors and virtual networks and machines that form the foundation

for your App Orchestration deployment. These resources enable you to deploy Session Machines on

demand using integrated provisioning and use network isolation to provide tenants with private

resources.

App Orchestration supports using the following products to create the virtual networks and machines

you need for your deployment:

• Citrix CloudPlatform 4.2.1

• Citrix XenServer 6.2

• VMware vSphere ESX 5.5

• VMware vSphere ESX 5.1

• Microsoft SCVMM 2012 R2

• Microsoft SCVMM 2012 SP1

To use network isolation in your deployment, you create the following virtual networks:

• Shared Controller Management Network

• Shared Delivery Group Management Network


• Private management network, for each tenant who requires private access to hosted applications

and desktops

Additionally, these networks must be labeled.

Important: You will need to supply these labels when you configure App Orchestration's global settings. In

App Orchestration, network labels are case-sensitive. When configuring the global settings, enter the labels

exactly as they are configured for your compute resources.

For more information about these networks and instructions for creating and labeling them, review the

document Isolation Methods in App Orchestration 2.6 Methods.

For more information about using Citrix CloudPlatform to provision machines in your App Orchestration

deployment, see the document Using Citrix CloudPlatform to Provision Session Machines On-demand.

Set up NetScaler Gateway

App Orchestration supports the use of NetScaler Gateway 10.1 or 10.5 to provide secure remote access

and load balancing for the StoreFront servers in your App Orchestration deployment. If you intend to use

NetScaler Gateway in your deployment, review the following information prior to deployment:

• Review the document Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler

Gateway for App Orchestration 2.6 or Configuring NetScaler 10.5 Load Balancing with StoreFront

3.0 and NetScaler Gateway for App Orchestration 2.6. These documents provide detailed

requirements and instructions for integrating NetScaler Gateway with App Orchestration.

• Review the security considerations as described in the Planning for Security with NetScaler Gateway

section of Citrix eDocs.

LDAP authentication for NetScaler Gateway

When configuring LDAP authentication for NetScaler Gateway to verify user accounts in Active Directory,

a user account is entered in the Administrator Bind DN setting to bind NetScaler Gateway to the LDAP

server and search for the user. Citrix strongly recommends using a non-privileged user account that has

bind DN permission in Active Directory. Do not use an administrator account for this setting.

Prepare the database server

In an App Orchestration deployment, the database server hosts the App Orchestration configuration and

logging databases. If you choose, it can also host the databases for the Delivery Sites you deploy.

Prepare the database server before you install App Orchestration. You will need to supply information

about this server when you install the App Orchestration configuration server and deploy Delivery Sites,

Session Machines, and StoreFront server groups. Afterward, create a firewall exception as described in

the section “Task 1: Create a firewall exception” on page 31.


When you install the App Orchestration configuration server, you are prompted to provide a service

deployment name. This name is used to create the configuration database. If you want to use an

existing database for your App Orchestration deployment, you specify that database name as the

service deployment name. If you enter a database name that does not exist on the database server, the

database is automatically created.

Supported database servers

App Orchestration supports using the following database servers:

• Microsoft SQL Server 2014 Express, Standard, and Enterprise editions

• Microsoft SQL Server 2012 Express, Standard, and Enterprise editions

Support for database mirroring

For the configuration database, App Orchestration supports the use of mirrored and non-mirrored

databases.

If you want to use mirrored databases in your deployment, consider the following:

• When planning for high availability or disaster recovery of the configuration database, be aware that

App Orchestration only supports using database mirroring and the AlwaysOn feature for these

purposes.

• If you specify a database that does not yet exist when installing the App Orchestration configuration

server, the resulting database cannot be mirrored. The installer does not perform any mirroring

configuration or create a database that supports mirroring by default.

• To use a mirrored database with the deployment, create the mirrored database before you deploy

the App Orchestration configuration server, and ensure the database is empty. When you are

prompted for the service deployment name during installation of the configuration server, enter the

name of this database.

For more information about using mirrored databases with App Orchestration, refer to the document Configuring

Database Mirroring in App Orchestration 2.6.

Support for SQL Server AlwaysOn Availability Group

For the configuration database, App Orchestration supports the use of SQL Server AlwaysOn Availability

Group. If you want to use this feature in your deployment, please refer to the section “Detailed steps to

configure an AlwaysOn Group for App Orchestration” of AppOrchestration High Availability.

System requirements

When installing and configuring the database server for your deployment, ensure the following

requirements are met:


Authentication Mode: Windows authentication is enabled.

TCP: Enabled, along with all appropriate IP addresses, in SQL Server Configuration Manager.

SQL PowerShell Provider: Installed. This provider is included with SQL Management Studio.

SQL Server Browser service: Enabled, and set to run automatically.

SQL Server instance: Enabled, and set to run automatically.

Firewall: Allow inbound connections to the database server from the other servers in your App Orchestration deployment. Additionally, enable firewall exceptions for the SQL Server Browser and SQL Server instance. See “Task 1: Create a firewall exception” on page 31.

User account permissions: The user account with which App Orchestration is installed must have the Sysadmin role to create the required accounts and databases during App Orchestration configuration server setup. For more information about required user accounts and permissions, refer to the document Credentials Used in App Orchestration 2.6.

Database security: As a security best practice, ensure that only the NetworkService account for the App Orchestration configuration server has permission to write to the database.

Task 1: Create a firewall exception

To ensure the database server can communicate as required with the other servers in your App

Orchestration deployment, create a Windows Firewall exception on the database server that allows

connections with the other servers.

1. On the database server, click Start > Administrative Tools > Windows Firewall with Advanced

Security.

2. In the left pane, click Inbound Rules.

3. Right-click Inbound Rules and then select New Rule. The New Inbound Rule Wizard appears.


4. On the Rule Type page, select Program and then click Next.

5. On the Program page, select This program path and then click Browse.

6. Locate and select the SQL Server executable and then click Open. Typically, the SQL Server

executable is located at C:\Program Files\Microsoft SQL Server\MSSQL11.instancename\MSSQL\Binn\sqlservr.exe.

7. On the Action page, select Allow the connection and then click Next.

8. On the Profile page, select Domain, Private, and Public.

9. On the Name page, enter a name for the rule and click Finish.
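The same exception can be created from PowerShell. This is an added example, not part of the Citrix document: it assumes a database server with the NetSecurity module (Windows Server 2012 or later), and the function name, rule names and sample addresses are placeholders. It creates the program rule from the steps above plus the SQL Server Browser exception listed in the system requirements (the Browser service listens on UDP 1434), and can limit both rules to the other servers in the deployment.

```powershell
# Added example (not Citrix code). Run in an elevated session on the database server.
function New-AoSqlFirewallRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $SqlServerExe,     # full path to sqlservr.exe for your instance

        # Optional: addresses or subnets of the other App Orchestration servers.
        # When omitted, the rules accept any remote address, as the wizard steps do.
        [string[]] $RemoteAddress
    )

    if (-not (Test-Path -LiteralPath $SqlServerExe -PathType Leaf)) {
        throw "SQL Server executable not found: $SqlServerExe"
    }

    # Settings shared by both rules: inbound, allow, all three profiles (steps 7 and 8).
    $common = @{
        Direction = 'Inbound'
        Action    = 'Allow'
        Profile   = @('Domain', 'Private', 'Public')
    }
    if ($RemoteAddress) { $common['RemoteAddress'] = $RemoteAddress }

    $rules = @(
        # Program rule for the SQL Server instance (steps 4 to 6).
        @{ DisplayName = 'App Orchestration - SQL Server instance'; Program = $SqlServerExe },
        # SQL Server Browser answers instance lookups on UDP 1434.
        @{ DisplayName = 'App Orchestration - SQL Server Browser'; Protocol = 'UDP'; LocalPort = 1434 }
    )

    foreach ($rule in $rules) {
        # Skip rules that already exist so the function can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already present: $($rule.DisplayName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Create inbound firewall rule')) {
            New-NetFirewallRule @common @rule
        }
    }
}

# Example call. Replace "instancename" with your instance; the addresses are
# constructed sample values. -WhatIf previews the rules without creating them.
New-AoSqlFirewallRules -WhatIf `
    -SqlServerExe 'C:\Program Files\Microsoft SQL Server\MSSQL11.instancename\MSSQL\Binn\sqlservr.exe' `
    -RemoteAddress '10.0.10.0/24', '10.0.20.15'
```

Remove -WhatIf to create the rules, then confirm the result with Get-NetFirewallRule -DisplayName 'App Orchestration*'.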

Prepare the App Orchestration configuration server

The App Orchestration configuration server hosts the App Orchestration configuration engine and the

web management console.

Citrix recommends installing App Orchestration on servers containing fresh installations of supported

Microsoft Windows Server operating systems. To upgrade servers running App Orchestration 2.5 to

Version 2.6, refer to the document Upgradability Guide for App Orchestration 2.6. Do not attempt to

upgrade servers running App Orchestration versions older than Version 2.5. Additionally, do not join

servers running previous versions of App Orchestration to a deployment running App Orchestration 2.6.

System requirements

The server you prepare to be the App Orchestration configuration server must meet the following

requirements:

Hardware:
• Dual core processors, 2.6 GHz or higher
• Minimum 3 GB RAM
• Minimum 50 GB free disk space

Operating System: One of the following:
• Windows Server 2008 R2 SP1
• Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition)

Domain Functional Level: Windows Server 2008 R2

Windows Management Framework and PowerShell versions: Depending on your server operating system:
• Version 3.0. The Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595.
• Version 4.0

.NET Framework version: Version 4.5

PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 24.

Windows Update Service: Enabled.

SSL certificates: A server certificate signed by your domain certificate authority is required for deploying the configuration server. Refer to the document Configure SSL for App Orchestration 2.6.

System Temp folder: Must be writable by the Network Service account.

Internet Access: Enabled. Setup accesses Windows Update to verify the full version of the .NET Framework 4.5 is installed and to install .NET updates, if required.

Web browser (for accessing the web management console): Internet Explorer 10 or 11

Important: When preparing the configuration server for App Orchestration installation, ensure the server

operating system and anti-virus software have all appropriate updates and patches, and that the server is free

of untrusted software.

Sequence of preparation tasks for Windows Server 2008 R2 SP1

If you are preparing a server running Windows Server 2008 R2 SP1 as the configuration server, use the

following sequence of tasks to ensure the configuration server is deployed smoothly:

1. Install the operating system and apply all required updates and patches.

2. Install .NET Framework version 4.5.

3. Install Windows Management Framework 3.0, which includes Windows PowerShell 3.0.

4. Install the server certificate required for installation of the configuration server.

5. Join the server to the shared resource domain.


6. Verify the Group Policy settings described in “Configure the App Orchestration Group Policy” on

page 24 have been applied to the App Orchestration root OU of the shared resource domain for your

deployment. For more information about required OUs, see “Prepare your Active Directory domains”

on page 22.

Important: If you join the configuration server to the shared resource domain and enable PowerShell remoting

before you install the Windows Management Framework 3.0 and upgrade to PowerShell 3.0, installing App

Orchestration might fail. If this happens, execute the following command and retry the installation:

winrm delete http://schemas.microsoft.com/wbem/wsman/1/config/plugin?Name=Microsoft.ServerManager

Client OS and browser support for the management console

To manage your deployment, App Orchestration includes a web-based management console. The

console is hosted, by default, on the configuration server, but you can also run the console on other

computers in your environment. To run the console, App Orchestration supports the following web

browsers and operating systems:

Windows

Web Browser; Windows 7 SP1 (32-bit and 64-bit); Windows 8 (32-bit and 64-bit); Windows 8.1 (32-bit and 64-bit); Windows Server 2008 R2 SP1; Windows Server 2012 R2

Internet Explorer 10: X X X

Internet Explorer 11: X X X

Mozilla Firefox 24: X X

Google Chrome 30: X X

Mac OS and Apple iOS

Web Browser Mac OS X (10.8) Apple iOS 7 (iPad only)

Mozilla Firefox 24 X

Google Chrome 30 X

Apple Safari for iOS X


Internet Explorer 11 Considerations

If you plan to use Internet Explorer 11 with the App Orchestration web console, perform the following

tasks to ensure the web console operates consistently:

Disable AutoComplete to prevent unauthorized console access. In addition to remembering

previous entries for forms and URLs, AutoComplete remembers entries for usernames and passwords.

To prevent unauthorized access to the App Orchestration web console due to remembered credentials,

Citrix recommends disabling AutoComplete on all machines on which Internet Explorer 11 is used to

access the web console. To do this, perform the following actions:

1. From the Start screen, click Settings > Control Panel > Internet Options.

2. Click the Content tab and then under AutoComplete click Settings.

3. Clear the User names and passwords on forms check box and then click OK.

Add the web console as a Trusted Site. Because the web console uses JavaScript, Internet Explorer

11 might prevent the web console from running. To ensure the web console runs consistently, add the

web console URL to the list of Trusted Sites. To do this, perform the following actions:

1. From the Start screen, click Settings > Control Panel > Internet Options.

2. Click the Security tab and then select the Trusted sites security zone.

3. Click Sites and enter the web console URL. The default URL is

https://FQDN-of-AOConfigSvr/camconsole.

Prepare Delivery Controllers and Session Machines

Supported platforms

• XenApp 7.6 and XenDesktop 7.6

• XenApp 6.5 Hotfix Rollup Pack 5

Important: If you have an existing XenDesktop 7.5 deployment that you used with a previous version of App

Orchestration, you can continue to use that deployment with App Orchestration 2.6. However, you cannot

modify the configuration of the servers in that deployment. To use the full set of features of App Orchestration

2.6, Citrix recommends upgrading your XenDesktop 7.5 deployment to XenDesktop 7.6.

System requirements

Servers you prepare as Delivery Controllers and Session Machines must meet the following

requirements:

Hardware:
• Dual core processors, 2.6 GHz or higher
• Minimum 3.0 GB RAM
• Minimum 50 GB free disk space

Operating System (XenApp 7.6 and XenDesktop 7.6):
Delivery Controllers:
• Windows Server 2008 R2 SP1, with PowerShell 4.0
• Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition)
Session Machines:
• Windows XP SP3 (32-bit only), with PowerShell 2.5
• Windows 7 SP1 (32-bit and 64-bit), with PowerShell 4.0
• Windows 8 (32-bit and 64-bit)
• Windows 8.1 (32-bit and 64-bit)
• Windows Server 2008 R2 SP1, with PowerShell 4.0
• Windows Server 2012, with PowerShell 4.0
• Windows Server 2012 R2

Operating System (XenApp 6.5 HRP5): Windows Server 2008 R2 SP1, with PowerShell 4.0

Domain Functional Level:
• Windows Server 2008 R2
• Windows Server 2012

.NET Framework version: Version 4.5. If the .NET Framework is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically.
Note: For Session Machines running Windows 2008 R2 or prior version, please make sure .NET Framework 3.5.1 is installed before running App Orchestration Install Center.

Windows Management Framework (WMF) and PowerShell version: Version 4.0.
For Windows 7, Windows Server 2008 R2 SP1, and Windows Server 2012, the WMF 4.0 package is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. If WMF 4.0 is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically. Alternatively, you can download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.
Important: For Session Machines running Windows 7 32-bit operating systems, upgrading to WMF 4.0 can render PSSessionConfiguration functions unusable, preventing the machine from being imported to a catalog. To avoid this issue, be sure to run the following cmdlet prior to installing the single user Virtual Delivery Agent:

Register-PSSessionConfiguration -Name Microsoft.PowerShell

PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 24.

Windows Update Service: Enabled.

Automatic updates: Disabled on all servers prepared as Session Machines.

Windows Server Roles: .NET Framework 3.5.1.

Database server: Microsoft SQL Server 2012 Express, Standard, and Enterprise editions

Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See “Install App Orchestration” on page 45.

Administrator accounts: A Delivery Site administrator account is required for deploying Delivery Sites in App Orchestration. For more information about the user accounts required for deploying Delivery Sites and Session Machines, refer to the document Credentials Used in App Orchestration 2.6.


Important: When you add the initial Controllers to a Delivery Site or Session Machines to a catalog, App

Orchestration uses these machines to construct machine profiles that are used to evaluate subsequent

machines that are added to the Site or catalog. If these machines do not match the profile for the Site or

catalog, they are not added to the deployment. Therefore, each machine you add to a Site or catalog must

have the same machine configuration, operating system and updates, Citrix product version, and installed

applications as the first machines you deployed. To add machines with differing configurations, create a new

Delivery Site or Session Machine Catalog as appropriate.

Support for aggregating existing Delivery Sites

Aggregating applications and desktops enables users to access offerings that are available in multiple

StoreFront stores from a single point of access. Using aggregation, you can add Delivery Sites that

already exist in your environment to your App Orchestration deployment.

App Orchestration supports aggregating existing Delivery Sites that run the following versions of

XenApp or XenDesktop:

• XenApp 5.0, 6.0, and 6.5

• XenDesktop 5.5, 5.6, 7.0, and 7.1

• XenApp 7.5 and XenDesktop 7.5

• XenApp 7.6 and XenDesktop 7.6

Aggregation of Delivery Sites running versions of XenApp or XenDesktop that are older than specified in

this section (such as Citrix Presentation Server 4.5) is not supported. For a complete list of all XenApp

and XenDesktop versions that are supported for Delivery Site aggregation, refer to the StoreFront topic

Infrastructure requirements on Citrix eDocs.

Considerations for Delivery Controllers in cross-forest private Delivery Sites

When creating a Delivery Site in a tenant’s private resource domain that resides in a different forest than

the shared resource domain, a trust relationship must exist between the Delivery Controllers in the

tenant’s resource domain and the shared resource domain. You can create this trust using one of the

following methods:

• Using the Zero Trust Agent in the tenant’s resource domain and configuring SSL on the Delivery

Controllers. The Zero Trust Agent facilitates secure communication between the App Orchestration

configuration server and the tenant’s isolated resource domain. For more information, refer to the

documents Deploying the Zero Trust Agent in App Orchestration 2.6 and Configuring SSL for App

Orchestration 2.6.

• Establishing a one-way trust in which the shared resource domain trusts the tenant’s resource

domain. This trust allows the App Orchestration agents residing on the Delivery Controllers to

authenticate with the App Orchestration engine using integrated Active Directory authentication.


Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5

Because servers running XenApp 6.5 run an older version of the Citrix Group Policy snap-in by default

(Version 1.5.0.0), Group Policy settings associated with App Orchestration might not display correctly

when viewed with the Group Policy Management Console on a XenApp 6.5 server. To avoid this issue,

update the Citrix Group Policy snap-in with the newer version that comes with XenApp 7.6 and

XenDesktop 7.6 (Version 2.4.0.0). To do this, perform the following actions:

1. On the XenApp 7.6 and XenDesktop 7.6 installation media, locate the

CitrixGroupPolicyManagement_x64.msi file in the /x64/Citrix Policy folder.

2. On the XenApp 6.5 servers in your deployment, run the CitrixGroupPolicyManagement_x64.msi

file to update the Citrix Group Policy snap-in.

Task 2: Configure SSL on Delivery Sites and Session Machines

To avoid security risks, Citrix recommends that you use SSL to secure communications between the

following components:

• Between Delivery Controllers and StoreFront servers: For more information about configuring

SSL for App Orchestration, see the document Configure SSL for App Orchestration 2.6.

• Between Session Machines and NetScaler Gateway: As part of deploying NetScaler Gateway in

your environment, a signed SSL certificate and, if applicable, a trusted root certificate are required.

For Session Machines running XenDesktop 7.6, XenApp 7.6, or XenApp 6.5 FP4, manually

configure SSL and install a signed SSL certificate on each machine. If you use App Orchestration to

aggregate Delivery Sites running XenDesktop 5.6, ensure the Session Machines and Delivery

Controllers in those Sites have the latest public hotfix applied.

Prepare StoreFront servers

StoreFront authenticates users to sites hosting resources and manages stores of applications and

desktops that users access with Citrix Receiver.

System requirements

Servers prepared as StoreFront servers have the following requirements:

Hardware:
• Dual core processors, 2.6 GHz or higher
• Minimum 3.0 GB RAM
• Minimum 50 GB free disk space

Operating System:
• Windows Server 2008 R2 SP1, with PowerShell 3.0
• Windows Server 2012 R2 (Standard, Enterprise, or Datacenter Edition)

Windows Management Framework and PowerShell version: Depending on your server operating system:
• Version 3.0. For Windows Server 2008 R2 SP1, the Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595
• Version 4.0. For Windows Server 2012 R2, the Windows Management Framework is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. Alternatively, download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.

Domain Functional Level:
• Windows Server 2008 R2
• Windows Server 2012

.NET Framework version:
• Windows Server 2008 R2 SP1: .NET Framework 4.5. This executable is located in the Support folder of the App Orchestration installation media.
• Windows Server 2012: .NET Framework 3.5. For information on enabling this feature, see the article “Install or Uninstall Roles, Role Services, or Features” on the Microsoft web site.

PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 24.

Windows Update Service: Enabled.

Windows Server Roles:
• .NET Framework 3.5.1
• Web Server (IIS), with all default role services

SSL certificate: A server certificate signed by your domain certificate authority is required for deploying StoreFront servers. Refer to the document Configure SSL for App Orchestration 2.6.

Database server:
• Microsoft SQL Server 2012 Express, Standard, and Enterprise editions

Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See “Install App Orchestration” on page 45.

Server group requirements

In App Orchestration, you add StoreFront servers to a deployment by creating server groups. A server

group is a collection of one or more StoreFront servers. When adding StoreFront servers to your

deployment, consider the following requirements:

To add tenants, App Orchestration requires at least one StoreFront server in the deployment. You can

deploy multiple StoreFront server groups to provide high availability and scalability.

The StoreFront servers that are included in the server group must have the same version of StoreFront

installed. Including servers of differing StoreFront versions in the same server group is not supported.

Security Considerations for App Orchestration 2.6

When planning to deploy machines in your App Orchestration environment, be sure to review the

security best practices and recommendations for the Citrix products that are used with App

Orchestration. Refer to the following topics in Citrix eDocs:

• XenApp 7.6 and XenDesktop 7.6: Security

• XenApp 6.5: Security Standards and Deployment Scenarios

• StoreFront 3.0: Secure your StoreFront deployment

• NetScaler Gateway: Planning for Security with NetScaler Gateway

Additionally, for up-to-date information about security standards and Citrix products, visit

http://www.citrix.com/security.


SSL recommendations

Some of the core components in your App Orchestration deployment – configuration server, Delivery

Controllers, and StoreFront servers – require that SSL be configured prior to inclusion in the deployment.

For instructions for configuring SSL for these components, refer to the document Configure SSL for App

Orchestration 2.6.

Additionally, Citrix recommends using SSL to secure connections with the other components in your App

Orchestration deployment, including API calls, connections to and from the configuration database, and

the web management console.

Restrict PowerShell remoting sessions

Citrix recommends limiting access to PowerShell remoting sessions to the Authenticated Users group.

This helps ensure that one-time administrator credentials are not intercepted by a malicious user when

passed between a registered App Orchestration agent and a newly-installed agent.

SMB security signatures

Citrix recommends requiring client-side and server-side SMB security signatures for all servers in your

deployment. This helps ensure that SMB packets are not modified in transit among the servers in your

deployment. To require SMB security signatures, configure the following Group Policy settings:

| Setting Location | Policy Setting | Setting Value |
| --- | --- | --- |
| Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options | Microsoft network client: Digitally sign communications (always) | Enabled |
| Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options | Microsoft network server: Digitally sign communications (always) | Enabled |
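To confirm that the two SMB signing policies have actually taken effect on a server, the following added example (not part of the Citrix document) reads the registry values that those policies set. The server names in the commented usage line are placeholders.

```powershell
# Added example, not from the Citrix documentation.
# Each "Digitally sign communications (always)" policy is stored as the DWORD
# RequireSecuritySignature under the matching SMB service key; 1 means required.
$SmbSigningChecks = @(
    [pscustomobject]@{
        Role   = 'Client'
        Policy = 'Microsoft network client: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    },
    [pscustomobject]@{
        Role   = 'Server'
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    }
)

function Get-SmbSigningCompliance {
    param(
        # Machines to audit; defaults to the local machine only.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $probe = {
        param($Checks)
        foreach ($check in $Checks) {
            # A missing value means the policy was never applied on this machine.
            $item  = Get-ItemProperty -Path $check.Key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
            $value = if ($item) { $item.RequireSecuritySignature } else { $null }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Role      = $check.Role
                Policy    = $check.Policy
                Value     = $value
                Compliant = ($value -eq 1)
            }
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $probe $SmbSigningChecks
        } else {
            # Uses the caller's logon session (default authentication); no credential is passed.
            Invoke-Command -ComputerName $name -ScriptBlock $probe -ArgumentList (,$SmbSigningChecks)
        }
    }
}

Get-SmbSigningCompliance | Format-Table Computer, Role, Value, Compliant -AutoSize
# Across a deployment (placeholder names):
# Get-SmbSigningCompliance -ComputerName 'sf01','ddc01' | Where-Object { -not $_.Compliant }
```

A machine that reports an empty Value has not received the Group Policy Object yet; run gpupdate on it and check again.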

Machine hardening techniques

To mitigate security risks such as "pass-the-hash" attacks, Citrix recommends the following techniques

for reducing the attack surface of the machines in your App Orchestration deployment:

• Use unique local account passwords. When deploying machines from an image or template,

ensure that each machine you deploy has unique local administrator credentials. This helps prevent

a malicious user from reusing credentials gained elsewhere to compromise additional machines.

• Restrict remote access for local administrator accounts. Consider removing network and

remote interactive logon privileges from local non-service accounts, such as local administrator

accounts. This technique forces machines to be physically administered or remotely administered

using a domain account. When remotely administering machines in your deployment, use tools and


methods that do not leave reusable credentials in memory, such as using an MMC snap-in or

initiating a PowerShell remoting session (for example, Enter-PSSession ServerName). Additionally,

the domain accounts you use to administer machines should possess only the privileges required to

perform the tasks needed. Do not use highly trusted domain accounts to administer lower trusted

machines (for example, using a Domain Admin account to administer a client workstation).
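One way to check the second technique on a machine, as an added example that is not part of the Citrix document: export the user-rights assignments with secedit and confirm that the two deny-logon rights include a local-account SID. It assumes the restriction is implemented through the deny-logon user rights and that the well-known SIDs S-1-5-113 and S-1-5-114 exist on the system (Windows 8.1 / Server 2012 R2 or later); the sample export lines are constructed.

```powershell
# Added example, not from the Citrix documentation.
# Well-known SIDs (assumed available on the audited system):
#   S-1-5-113  Local account
#   S-1-5-114  Local account and member of Administrators group
$LocalAccountSids = 'S-1-5-113', 'S-1-5-114'
$DenyRights = [ordered]@{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Test-LocalAccountLogonRestriction {
    param(
        # Lines of a secedit user-rights export. When omitted, the local policy
        # is exported (requires an elevated session).
        [string[]]$InfLine
    )

    if (-not $InfLine) {
        $tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        try {
            secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
            $InfLine = Get-Content -Path $tmp -ErrorAction SilentlyContinue
        } finally {
            Remove-Item -Path $tmp -ErrorAction SilentlyContinue
        }
    }

    foreach ($right in $DenyRights.Keys) {
        # Entries look like: SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113
        $line = $InfLine | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $members = @()
        if ($line) {
            $members = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
        $hits = @($members | Where-Object { $LocalAccountSids -contains $_ })
        [pscustomobject]@{
            Right      = $right
            Policy     = $DenyRights[$right]
            Members    = $members -join ', '
            Restricted = ($hits.Count -gt 0)
        }
    }
}

# Constructed sample export: network logon is denied to local accounts, RDP logon is not.
$sample = @(
    '[Privilege Rights]'
    'SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-113'
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546'
)
Test-LocalAccountLogonRestriction -InfLine $sample | Format-Table Right, Members, Restricted -AutoSize
# Against the live policy of this machine: Test-LocalAccountLogonRestriction
```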

Restrict access for tenant user accounts

To mitigate security risks to the machines in the shared resource domain, Citrix recommends that only

members of the orchestration service group have permission to access these machines. Tenants' users

should not have Domain Admin or local administrator privileges on any machines or components in the

App Orchestration deployment. Tenants' users should be able to access only the applications and

desktops that are hosted on these machines.

To limit tenants' access only to the machines that are privately allocated to them, Citrix recommends

using private Active Directory forests for each tenant, creating offerings that employ Private Delivery Site

isolation, and using Private server groups to deliver offerings to tenants' users. These isolation levels

help ensure that tenants' private machines are kept separate from the machines in the shared resource

domain, thus limiting the opportunity for a malicious user to gain access to other tenants' machines or

data in the deployment.

Additionally, for domain agent machines in a tenant’s resource domain, Citrix recommends that only

service provider administrators have permission to access these machines directly, as they are the only

users authorized to access the domain. Tenants’ users should not have Domain Admin or local

administrator privileges on these machines.

XenApp Session Machine isolation

To ensure Session Machines running XenApp 6.5 FP4 are adequately isolated in your App

Orchestration deployment, Citrix recommends creating offerings that employ Private Delivery Site

isolation. By using this isolation level, the Session Machines and the Delivery Site with which they are

associated are connected to a specific tenant's private management network and the desktops and

applications that are hosted on the machines are accessible only by the tenant's users. Because these

machines are privately allocated, not shared, this isolation level helps prevent a malicious user from

gaining elevated privileges on the XenApp Delivery Site by way of the associated Session Machines.

Session Machine Catalog upgrades

When upgrading Session Machine Catalogs, consider the following:

• When upgrading multiple machines through a scripted or otherwise automated process, ensure that

no administrator credentials are sent to updated Session Machines. This includes using Basic

authentication for PowerShell remoting.

• If CredSSP is enabled in your environment, administrators should not use PowerShell remoting with

implicit authentication to connect to Session Machines.

• Do not encode credentials in any updating scripts.


For more information about upgrading Session Machine Catalogs, see the Upgrading Session Machine

Catalogs in App Orchestration 2.6.
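The three upgrade considerations above can be checked before an automated upgrade runs. The following added example (not part of the Citrix document) scans update-script text for credential-exposing constructs and lists the local WinRM settings that enable Basic or CredSSP authentication. The rule set is an illustrative assumption rather than an exhaustive list, and the sample script is constructed.

```powershell
# Added example, not from the Citrix documentation.
$CredentialRules = @(
    [pscustomobject]@{ Id = 'BasicAuth';    Pattern = '-Authentication\s+Basic\b'
                       Why = 'Basic authentication sends the administrator credential to the target' },
    [pscustomobject]@{ Id = 'CredSSP';      Pattern = '-Authentication\s+CredSSP\b'
                       Why = 'CredSSP delegates the credential to the Session Machine' },
    [pscustomobject]@{ Id = 'PlainSecret';  Pattern = 'ConvertTo-SecureString\b.*-AsPlainText'
                       Why = 'Password literal encoded in the script' },
    [pscustomobject]@{ Id = 'PasswordVar';  Pattern = '\bpass(word|wd)?\s*=\s*[''"][^''"$]+[''"]'
                       Why = 'Hard-coded password assignment' }
)

function Find-CredentialExposure {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = '<inline>'
    )
    $lineNo = 0
    foreach ($line in ($ScriptText -split "`r?`n")) {
        $lineNo++
        if ($line -match '^\s*#') { continue }          # skip whole-line comments
        foreach ($rule in $CredentialRules) {
            if ($line -match $rule.Pattern) {
                # The matching text is deliberately not echoed: it may contain the secret.
                [pscustomobject]@{ Source = $Source; Line = $lineNo; Rule = $rule.Id; Why = $rule.Why }
            }
        }
    }
}

function Get-WinRMAuthExposure {
    # Reads local WinRM client and service settings through the WSMan: drive
    # (needs the WinRM service running and an elevated session).
    $settings = 'Client\Auth\Basic', 'Client\Auth\CredSSP', 'Client\AllowUnencrypted',
                'Service\Auth\Basic', 'Service\Auth\CredSSP', 'Service\AllowUnencrypted'
    foreach ($s in $settings) {
        $item = Get-Item -Path "WSMan:\localhost\$s" -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Setting = $s; Value = $item.Value; Review = ($item.Value -eq 'true') }
        }
    }
}

# Constructed sample of an update script; the account name and password are placeholders.
$sample = @'
# push the update to every Session Machine
$pw = ConvertTo-SecureString 'EXAMPLE-ONLY' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('EXAMPLE\svc-update', $pw)
Invoke-Command -ComputerName $machines -Credential $cred -Authentication Basic -ScriptBlock { msiexec /i update.msi /qn }
Invoke-Command -ComputerName $machines -ScriptBlock { msiexec /i update.msi /qn }
'@

Find-CredentialExposure -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize
Get-WinRMAuthExposure | Format-Table -AutoSize
# To scan real scripts: Get-ChildItem <folder> -Filter *.ps1 |
#   ForEach-Object { Find-CredentialExposure -ScriptText (Get-Content $_.FullName -Raw) -Source $_.Name }
```

In the constructed sample, lines 2 and 4 are reported; the last line uses the caller's logon session with default authentication and produces no finding.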


Install App Orchestration

There are four key tasks in the Install phase of App Orchestration:

1. Copy the downloaded files to the appropriate locations.

2. Install prerequisites.

3. Install the App Orchestration software.

4. Perform post-install configuration.

Overview

Accounts and Permissions

You’ll need the following accounts and permissions:

• A Citrix web site account, for downloading and installing App Orchestration.
• Permission to install the App Orchestration package on the server to be designated as the App Orchestration configuration server.
• Database administrator credentials for the SQL Server configuration database, for post-install configuration.
• Credentials to create a Group Policy Object and link it to the OU being used for App Orchestration, so you can set policies for PowerShell remoting.

Prerequisites

Make sure that all of the machines you will be using with App Orchestration are under the root OU for

your deployment.

Personas

Two personas are involved in the Install phase of App Orchestration: the Infrastructure Engineer and

Service Designer. In your organization, these functions may be performed by different people, or by one

person who wears both hats.

The Infrastructure Engineer provides the following items:

• The SQL Server database administrator credentials
• The App Orchestration root OU in Active Directory and the credentials for that OU
• The required SSL certificates. You need a certificate for the following components:
  o Each App Orchestration configuration server
  o The global site Load Balancer
  o Each StoreFront server group, and the load balancer for each server group
  o Each NetScaler Gateway


Note: You can use a wildcard certificate for the AO Configuration Server and for multiple StoreFront Server

Groups in the same domain.

If you are using NetScaler Gateway, you can minimize your SSL certificate costs by getting only the certificates

for the App Orchestration Configuration Server and global site Load Balancer from a public Certificate

Authority. For the StoreFront Server Groups, the Load Balancer for each StoreFront Server Group, and

NetScaler, create your own Certificate Authority and use it to issue trusted certificates. At the network layer,

secure communications between NetScaler and the VDA, and between the StoreFront Server Group and

Delivery Controller, to ensure they cannot be intercepted.

If you are not using NetScaler Gateway, you can minimize cost by using a public Certificate Authority only for

the certificates for the App Orchestration Configuration Server and the Load Balancer for each StoreFront

Server Group.

The Service Designer performs the following tasks:

Install the App Orchestration software

Perform post-Install configuration

Pitfalls to Avoid

The best way to avoid pitfalls in the Install phase is to follow the Appendix: Setup Checklist carefully.

Make sure that:

The appropriate SSL certificates are installed

The App Orchestration product media folder can be reached by the servers in your deployment

Networks and routing are configured correctly.

Task 1: Download the product media

To prepare Delivery Sites, Session Machines, and StoreFront server groups, App Orchestration

accesses a product media folder that hosts the Citrix software for these components. This folder can be

local to all machines (recommended), or on a portable drive, a network share of any kind, or any other

location that is visible to all of your machines. Citrix recommends that you protect this folder with

appropriate access controls, to prevent unauthorized access that might result in file corruption or the

introduction of malware.
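A check for the access-control recommendation above, as an added example that is not part of the Citrix document: it reports broad principals that can modify the product media folder and installer files whose Authenticode signature is missing, invalid, or from an unexpected publisher. The default path and the expected signer pattern are assumptions to adjust for your deployment. Authenticode signatures are embedded in the file, so they remain verifiable after installer files are renamed.

```powershell
# Added example, not from the Citrix documentation.
function Test-ProductMediaFolder {
    param(
        # Assumed location; use the folder you extracted the media into.
        [string]$Path = 'C:\AO\Setup\ProductMedia',
        # Assumed publishers; the media includes Citrix and Microsoft components.
        [string]$ExpectedSigner = 'Citrix|Microsoft'
    )

    # Broad principals that should not be able to change installer media.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # Rights that let a principal change, replace or re-permission files,
    # plus the raw GENERIC_ALL and GENERIC_WRITE bits some ACEs carry.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue    # unresolvable identity; review manually
        }
        # A SID ending in -513 is the Domain Users group of some domain.
        $isBroad = $broadSids.ContainsKey($sid) -or ($sid -match '-513$')
        if ($isBroad -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Check  = 'ACL'
                Item   = $Path
                Detail = "$($ace.IdentityReference) is allowed $($ace.FileSystemRights)"
            }
        }
    }

    Get-ChildItem -Path $Path -Recurse -File -Include *.msi, *.msp, *.exe | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate.Subject
        if ($sig.Status -ne 'Valid' -or $signer -notmatch $ExpectedSigner) {
            [pscustomobject]@{
                Check  = 'Signature'
                Item   = $_.FullName
                Detail = "Status: $($sig.Status); Signer: $signer"
            }
        }
    }
}

# An empty result means no finding. Run it after the folder has been built out.
if (Test-Path 'C:\AO\Setup\ProductMedia') {
    Test-ProductMediaFolder | Format-List
}
```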

Option 1: App Orchestration 2.6 with bundle

1. Navigate to the download page for the Citrix Cloud Provider Pack.

2. Log on to your Citrix account and download App Orchestration 2.6 with Bundle.

3. Extract the downloaded App_Orchestration_2.6_Bundle.zip file into a folder of your choice (for

example, AO) with the following layout:


You do not need to do anything more to build the product media folder.

Option 2: App Orchestration 2.6

1. Navigate to the download page for the Citrix Cloud Provider Pack.

2. Log on to your Citrix account and download App Orchestration 2.6.

3. Extract the downloaded App_Orchestration_2.6.zip file into a folder of your choice, for example,

AO with the following layout.


4. From the App Orchestration image folder, expand the Setup folder:

Setup

ProductMedia

CloudAppManagement

5. Build out the product media folder.

Note: The product media folder hosts the media for App Orchestration and any related products

required during App Orchestration installation.

In ProductMedia, create the following folders. Create the XenApp folder and its subfolders if your

deployment will use XenApp 6.5. Create the XenDesktop folder if your deployment will use XenApp

7.6 or XenDesktop 7.6. Create the CitrixStoreFront folder if your deployment will use StoreFront

3.0.


6. Download the relevant software to the ProductMedia folder:

For this component: StoreFront 3.0
Download this file: Navigate to the StoreFront download page and download StoreFront 3.0.
Copy the downloaded file to this folder:
• Copy the download file to CitrixStoreFront folder

For this component: XenApp 6.5
Download this file: Navigate to the XenApp 6.5 download page to download XenApp 6.5 and Hotfix Rollup Pack 5 from HRP 5 download page.
Copy the downloaded file to this folder:
• Copy the XenApp software to the XenApp folder
• Copy the entire contents of the Hotfix Rollup Pack 5 to XenApp\XenAppHRP
• Copy the entire Setup\ProductMedia\CloudAppManagement\Support\SQLServer2012 folder to XenApp\Support folder


For this component: XenApp 7.6 and XenDesktop 7.6
Download this file: Navigate to the XenApp download page or the XenDesktop download page and download the Version 7.6 Platinum Edition.
Copy the downloaded file to this folder:
• Copy the XenDesktop software to the XenDesktop folder

For this component: Hotfix for Citrix Studio 7.6
Download this file: Download the hotfix from x64 version download page or x86 version download page
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and replace the same files under XenDesktop folder:
  o For x64 version: Rename DStudio760WX64002.msi to DesktopStudio_x64.msi and copy to XenDesktop\x64\DesktopStudio folder
  o For x86 version: Rename DStudio760WX86002.msi to DesktopStudio_x86.msi and copy to XenDesktop\x86\DesktopStudio folder


For this component: Hotfixes Update 2 - For Delivery Controller 7.6 (x64 version)
Download this file: Download the hotfix from x64 version download page
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and copy to XenDesktop folder:
  o Rename BrokerSrvc760WX64002.msi to Broker_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
  o Rename ConfigMgrWOL760WX64002.msi to ConfigMgr_WOL_Plugin_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
  o Rename HostSrvc760WX64002.msi to Host_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
  o Rename MCSrvc760WX64002.msi to MachineCreation_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
  o Rename MonitorPSSI760WX64002.msi to Monitor_PowerShellSnapIn_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder
  o Rename MonitorSrvc760WX64002.msi to Monitor_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder


For this component: Hotfixes Update 2 - For Delivery Controller 7.6 (x86 version)
Download this file: Download the hotfix from x86 version download page
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and copy to XenDesktop folder:
  o Rename BrokerSrvc760WX86002.msi to Broker_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
  o Rename ConfigMgrWOL760WX86002.msi to ConfigMgr_WOL_Plugin_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
  o Rename HostSrvc760WX86002.msi to Host_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
  o Rename MCSrvc760WX86002.msi to MachineCreation_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
  o Rename MonitorPSSI760WX86002.msi to Monitor_PowerShellSnapIn_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder
  o Rename MonitorSrvc760WX86002.msi to Monitor_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder


For this component: Hotfix For Machine Identity Service Agent 7.6
Download this file: Download the hotfix from x64 version download page or x86 version download page
Copy the downloaded file to this folder:
• Rename the downloaded .msi files and copy to XenDesktop folder:
  o For x64 version: Rename MISA760WX64001.msi to MachineIdentityServiceAgent_x64.msi and copy to XenDesktop\x64\Virtual Desktop Components folder
  o For x86 version: Rename MISA760WX86001.msi to MachineIdentityServiceAgent_x86.msi and copy to XenDesktop\x86\Virtual Desktop Components folder


For this component: Feature Pack 2 - For XenDesktop 7.6
Download this file: Download feature pack from XenDesktop FP2 download page
Copy the downloaded file to this folder:
• Extract the download .zip package
• Rename the downloaded .msi files and replace the same .msi files under XenDesktop folder:
  o Copy DesktopDirector_x64.msi and replace XenDesktop\x64\DesktopDirector\DesktopDirector.msi
  o Copy DesktopDirector.msi and replace XenDesktop\x86\DesktopDirector\DesktopDirector.msi
  o Rename GPMx240WX64002.msi to CitrixGroupPolicyManagement_x64.msi and copy to XenDesktop\x64\Citrix Policy
  o Rename GPMx240WX86002.msi to CitrixGroupPolicyManagement_x86.msi and copy to XenDesktop\x86\Citrix Policy
  o Rename HDXWMIPROV220WX64001.msi to CitrixHDXWMIProvider-x64.msi and copy to XenDesktop\x64\Virtual Desktop Components\TS
  o Copy WMIProxy_x64.msi to XenDesktop\x64\Virtual Desktop Components
  o Copy WMIProxy_x86.msi to XenDesktop\x86\Virtual Desktop Components
  o Rename XDPoshModule760WX64002.msi to XDPoshSnapin_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller
  o Rename XDPoshModule760WX86002.msi to XDPoshSnapin_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller


For this component: Feature Pack 2 - For XenDesktop 7.6 (Cont.)
Copy the downloaded file to this folder:
• Copy the download .msp files to XenDesktop\MspHotfixes:
  o Copy ICATS760WX64022.msp to XenDesktop\MspHotfixes\x64\Virtual Desktop Components\Server
  o Copy ICAWS760WX64022.msp to XenDesktop\MspHotfixes\x64\Virtual Desktop Components\WorkStation
  o Copy ICAWS760WX86022.msp to XenDesktop\MspHotfixes\x86\Virtual Desktop Components\WorkStation


Task 2: Install App Orchestration components

Use the Citrix App Orchestration Install Center to install App Orchestration and prepare your machines

for deployment as Delivery Sites, Session Machines, and StoreFront servers. To save time when

installing the same component on multiple machines, you can install the component on one virtual

machine, and then create a template of that machine. When you need a new machine of that type,

simply reuse the template instead of repeating the installation steps.

1. Copy the App Orchestration 2.6 image folder to each prepared machine.

2. From the image folder, double-click Setup.exe to launch the Citrix App Orchestration Install Center.

The Install Center screen appears.

3. Click App Orchestration Configuration Server to install the configuration server on one or more

machines.

4. If you have any domains that are isolated from the App Orchestration configuration server, install the

App Orchestration Domain Agent on a dedicated machine in each of those domains. For more

information about using isolated domains, refer to the Deploying the Zero Trust Agent in App

Orchestration 2.6.

Note: If you need to install the domain agent software on multiple servers and are considering creating a

template, just install the domain agent software on the template machine. Do not continue to the App


Orchestration Server Configuration wizard. You will need to run the wizard on each new machine you create

from the template.

5. For Delivery Controllers, Session Machines, and StoreFront servers, create a template for each

machine type:

a. Create the first machine of the relevant type and install the appropriate software:

For Delivery Sites using XenApp 7.6 or XenDesktop 7.6, install the XenApp and

XenDesktop 7.6 Delivery Controller software. The associated App Orchestration agent

is automatically installed.

For Delivery Sites using XenApp 6.5, install the XenApp 6.5 Controller software. The

associated App Orchestration agent is automatically installed.

Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and

select the XenApp 6.5 Controller tile to complete the installation.

For Session Machines running XenApp 7.6 and XenDesktop 7.6 that will use on-demand

provisioning, install the appropriate Virtual Delivery Agent on each Session Machine. For

more information, refer to the Provisioning Session Machines On-demand in App

Orchestration 2.6.

For Session Machines that will host offerings on Delivery Sites using XenApp 6.5, install

the XenApp 6.5 Session Host software.

Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and

select the appropriate Session Machines tile to complete the installation.

For StoreFront server groups, install the Citrix StoreFront 3.0 software. The associated

App Orchestration agent is automatically installed.

b. Delete the entire App Orchestration 2.6 image folder and its contents from this machine, and also

delete it from the Recycle Bin.

Note: This step is especially important for Session Machines, to prevent the installation software from

being available to subsequent user sessions on those machines.

c. Shut down the machine.

d. Make a Full Copy of the virtual machine.

e. Start the copied image and run sysprep. Do not reboot or restart the machine afterward. For

more information about sysprep, refer to the article Sysprep (System Preparation) Overview on

the Microsoft web site.

Important: If you are creating a XenDesktop Session Machine template to be used as the VDA master image

template for on-demand provisioning, skip this step; XenDesktop Machine Creation Services [MCS] cannot

provision machines from a master image template on which you have run sysprep.

cd %windir%\system32\sysprep

sysprep /generalize /shutdown /oobe

f. Convert the virtual machine into a template.


g. Use the template to create additional virtual machines of the same type:

At least one machine, for a single Delivery Site running XenApp 7.6 and XenDesktop 7.6

or XenApp 6.5.

At least one Session Machine for hosting applications and desktops, with additional

Session Machines as necessary to provide more capacity for offerings.

At least one machine running StoreFront 3.0, comprising a single StoreFront server

group.

Configure App Orchestration

Accounts and Permissions

In the Configuration phase of App Orchestration, you’ll need the following accounts and permissions:

App Orchestration configuration server installation and configuration credentials, which must be a

member of the orchestration server administrators group.

Optionally, read-only credentials for the default user domain.

Prerequisites

Before you start the Configuration phase, make sure you’ve set up your environment according to the

instructions in this document. For example, you’ll need to know the names for your shared resource and

default user domains, your default datacenter, and your external DNS suffix that users will use to access

their environments.

Personas

Typically, the only persona involved in this phase is the Service Designer, who is responsible for

configuring App Orchestration.

Pitfalls to Avoid

Follow these simple rules to avoid pitfalls in the Configuration phase:

• After you have configured the names for the resource domain and user domain, you cannot change them.
• The domain functional level for all RESOURCE domains must be Windows Server 2008 R2 or higher.
• The network names on your compute resources must exactly match the names you specify in App Orchestration under Global Settings Summary > Advanced Settings > Enable network isolation.


Task 1: Configure the App Orchestration configuration server

After you install the App Orchestration software on the configuration server, you will need to supply

additional details about your deployment environment. The App Orchestration installer prompts you for

the following information:

• Service deployment name: This value becomes the name of the configuration database that App Orchestration creates. Additionally, App Orchestration creates a logging database for the deployment using the format "ServiceDeploymentNameLogging."
• Database server: The FQDN of the SQL Server that hosts the App Orchestration configuration and logging databases.
• Administrators group: This group contains non-privileged user accounts for administering your App Orchestration deployment. For more information about this group, see the document Credentials Used in App Orchestration 2.6.
• SSL certificate: A server certificate signed by your domain certificate authority is required to secure connections with the configuration server. For more information about using SSL with App Orchestration, see the document Configuring SSL for App Orchestration 2.6.
• Existing deployment information: If you are deploying a configuration server to an existing App Orchestration deployment, enter only the server's FQDN. If you use the server's IP address or NetBIOS name instead, App Orchestration displays an error message indicating the server cannot be contacted.

Task 2: Configure global settings

After you perform the initial configuration, use the App Orchestration web console to configure the global

settings for the deployment. This includes providing the following information:

• Shared resource and default user domains: The shared resource domain contains the root OU where the configuration server and all resources that will be shared among multiple tenants reside. The default user domain contains the OUs where user accounts for tenants using shared resources reside. You can specify different domains for shared resources and user accounts or you can use the same domain for both. These domains and the root OU must exist already in your environment; App Orchestration does not create them. For more information about these domains, see "Prepare your Active Directory domains" on page 22.
• Orchestration service account: This is the primary App Orchestration administrator. The orchestration service account is a non-privileged user account and must be a member of the administrators group you specified during installation. This account should not belong to the Domain Admins group. The orchestration service account must exist already in your environment; the installation process does not create it. For more information about this account, see "Create administrator account" on page 27.


• Default datacenter: The default location for shared resources. In general, datacenters contain resources in the same geographic location. For more information about datacenters, see the document Deploying a Multi-Datacenter Environment in App Orchestration 2.6.
• Licensing: The FQDN and port of the Citrix Licensing server in your environment.
  Note: If you are using IPv6 addressing for the Licensing server, surround the address with brackets when you specify it for App Orchestration. For example: [FE80::0202:B3FF:FE1E:8329]
• External DNS suffix: The DNS suffix that is used to configure the NetScaler Gateway address.
• Network isolation and NetScaler Gateway: Select whether or not to enable network isolation and use with NetScaler Gateway. If you enable network isolation, enter the labels of the virtual networks you created on your compute resources. If you enable use with NetScaler Gateway, specify the correct address for the appliance.
• Customer Experience Improvement Program: Select whether or not to join the Citrix Customer Experience Improvement Program (CEIP), which gives you the opportunity to contribute to the design and development of Citrix products. When you enroll in the program, Citrix collects anonymous information about your deployment, which is used to improve product quality, reliability, and performance.

Define App Orchestration infrastructure

App Orchestration infrastructure refers to the datacenters, compute resources, domains, and instance

configurations that provide network and tenant isolation for your deployment.

Accounts and Permissions

App Orchestration orchestrates across one or more Active Directory domains. Before using App

Orchestration, make sure you have at least one Active Directory resource domain to use for shared

resources. If you plan to store user accounts in a separate domain, create that default user domain as

well.

Within the shared resource domain, you must have one OU with a credential that has full control and is

also able to initiate a PowerShell remoting session to all servers within that domain.

If you are using a separate user domain, you must also have a credential that is able to create Active

Directory user groups inside that domain.

Domains in App Orchestration can span multiple datacenters. If your deployment includes multiple

datacenters, ensure that you have a domain controller in every datacenter where a domain will be used.

The shared resource domain must exist in all datacenters and, therefore, must have a domain controller

in every datacenter.

Prerequisites

Before you start the Define phase of App Orchestration, make sure:

• The required domains exist

• You have credentials for each domain

• You have created the required OUs in each domain

You must also apply a PowerShell remoting policy to all resource domains used by App Orchestration.

Remember to run gpupdate on each machine to apply the policy.

Other prerequisites include:

• Any compute resources that you want to use with App Orchestration

• The credentials for those compute resources to create virtual machines, access storage, and read network information

• A Citrix Licensing server within each datacenter. If desired, you can use the same Licensing server for all domains within a datacenter, or even for all datacenters.

Personas

Two personas are involved in the Define phase of App Orchestration: the Infrastructure Engineer and

the Service Designer. In your organization, these functions may be performed by two different people, or

by one person who wears both hats.

The Infrastructure Engineer tells the Service Designer about available datacenters, including:

• The compute resources available in those datacenters

• The IP address ranges assigned to those datacenters

• Any NetScaler Gateway devices located in those datacenters

Additionally, the Infrastructure Engineer performs the following tasks:

• Supplies compute resource storage and networking details

• Provides a SQL Server for the Service Designer to use to deploy App Orchestration and other Citrix components

• Provides machines for installing the App Orchestration configuration server and the Citrix Licensing Server

• Sets up and maintains the Active Directory domains used by App Orchestration, including the shared resource domain and any tenant user domains.

The Service Designer:

• Owns the Citrix licenses

• Installs the Citrix Licensing Server and the product licenses on that server

• Installs, deploys, and maintains the App Orchestration configuration servers

Pitfalls to Avoid

Follow these simple rules to avoid pitfalls in the Define phase:

• Ensure each machine configured and deployed by App Orchestration has all of the minimum system requirements installed, including the Microsoft .NET Framework.

• Each machine under App Orchestration control requires PowerShell remoting. Run the command winrm quickconfig to verify that PowerShell remoting is functioning on all machines.

• If you are using multiple datacenters, make sure you can ping IP addresses in each datacenter from the App Orchestration configuration server. Firewalls or WAN connectivity problems could prevent App Orchestration from functioning correctly.

Task overview

1. Ensure the shared and private resource and user domains exist in your Active Directory structure.

Also, ensure that these domains contain the required OUs. Refer to “Prepare your Active Directory

domains” on page 22 and the document Deploying App Orchestration 2.6 in a Complex Active

Directory Environment.

2. Ensure you have the required credentials to add and modify objects in the shared and private

domains. Refer to the document Credentials Used in App Orchestration 2.6.

3. Define additional domains. If your deployment includes domains in addition to the shared resource

and user domains (for example, private tenant domains), you will need to add these domains

through the App Orchestration web console. Refer to the document Deploying App Orchestration 2.5

in a Complex Active Directory Environment.

4. Create additional datacenters. In addition to the default datacenter, you might also create a backup

datacenter. Refer to the document Deploying a Multi-Datacenter Environment in App Orchestration

2.6.

5. Set up and configure the compute resources you will use for provisioning Session Machines. Refer

to the following resources:

• Provisioning Session Machines On-Demand in App Orchestration 2.6

• Using Citrix CloudPlatform to Provision Session Machines On-Demand in App Orchestration 2.6

• Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.6

Design service offerings for tenants

Accounts and Permissions

When you create a new Delivery Site, you will need a credential for Location settings. That credential

must be a member of the Delivery Site admin group in Active Directory, and the local administrator

group on machines used as Delivery Site controllers. You will also need a credential for the Database

settings. You can use the same credential for both, if desired.

Prerequisites for Session Machine Catalogs using integrated

provisioning

• Before you can create a Session Machine Catalog that uses on-demand provisioning, you must first

create a compute resource.

• On the compute resource, create a virtual machine to serve as the template for on-demand creation

of machines to host your service. The template should include the applications, operating system,

and desktop configuration that you want for your service.

• The template should be a bootable virtual machine joined to a domain. The orchestration service

account credential from the shared resource domain must be able to connect to that domain via

PowerShell remoting, and execute commands there.

• The compute resource storage must have enough free space to store a complete replica of the input

virtual machine template.

Prerequisites for Session Machine Catalogs using external provisioning

• When creating a Session Machine Catalog with externally-provisioned machines, you first need

the machines that you want to add to the catalog. These machines can be physical, virtual,

or created through any provisioning system.

• The machines must be joined to an Active Directory domain where the orchestration service account

can connect to the machines remotely through PowerShell remoting.

• The machines should have the appropriate Citrix software installed (either the appropriate Virtual

Delivery Agent or the XenApp 6.5 Session Host). You can install these packages through the App

Orchestration Install Center. For more information, see “Install App Orchestration” on page 43.

• If the provisioning method that you use automatically resets the machines upon reboot (like Citrix

Provisioning Services), then you must have the Citrix software installed on the machine before

importing it into App Orchestration.

• If you are importing multi-user machines running Microsoft Terminal Server, make sure Terminal

Services licensing is configured and functioning properly before you import the machines into App

Orchestration.

• All of the machines you import should have the Windows Update Service enabled in the Server

Manager, but Automatic Windows Updates should be disabled.

Prerequisites for Offerings

• Before creating offerings, you must have created a Session Machine Catalog.

• If the Session Machine Catalog uses on-demand provisioning, you need to wait for App

Orchestration to complete the preparation of the input VM template. This can take up to 30 minutes.

You can monitor progress from the Workflows tab.

• If the Session Machine Catalog uses external provisioning, you must have imported at least one

machine into the catalog before you create an offering. The import process may take 10-15 minutes.

Prerequisites for Delivery Sites

Before you import Delivery Sites into App Orchestration, you will need the following:

• At least one SQL server, with an optional second server to use as a mirror.

• SQL Server database administrator credentials.

• At least one machine that will be used as Delivery Controller:

o The machine should be joined to the shared resource domain, and the orchestration service

account configured within App Orchestration must be able to connect to the machine using

PowerShell remoting.

o The machine should be prepared as a XenApp 6.5 controller or a XenApp 7.6 and XenDesktop 7.6

Delivery Controller. You can install these packages through the App Orchestration Install Center.

This process also installs the required App Orchestration agent. For more information, see

“Install App Orchestration” on page 45.

Prerequisites for StoreFront

For App Orchestration to deploy and manage a StoreFront server group, you will need:

• At least one machine joined to the same resource domain which has been added to the deployment

through the App Orchestration web console. To install the StoreFront software on the machine, use

the App Orchestration Install Center. The installation process also installs the required App

Orchestration agent.

• You must also have an SSL certificate that is valid for the DNS addresses of the machine. The

certificate must be issued from a trusted certification authority.

• If more than one StoreFront server has been deployed, you must also have a load balancer

configured to balance web traffic between the machines. This load balancer should also be

configured to use SSL.

Personas

Two personas are involved in the Design phase of App Orchestration: the Service Strategist and the

Service Designer. In your organization, these functions may be performed by two different people, or by

one person who does both jobs.

The Service Strategist performs the following tasks:

• Decides which applications and desktops to offer.

• Provides an initial estimate of the number of users expected to use those apps and desktops.

The Service Designer performs the following tasks:

• Uses the information provided by the Service Strategist to prepare machines or VM templates with

the operating system, apps, and desktop configuration needed to create offerings.

• Decides on the appropriate FlexCast technology to deliver those apps and desktops to end users.

• Decides on the scaling factor that determines how many users will fit per server for a particular

offering.

• Prepares Delivery Sites and StoreFront Server Groups to meet the initial capacity requirements in

each datacenter.

• Provisions an adequate number of Session Machines up front in each datacenter to meet the initial

capacity of the offerings.

Pitfalls to Avoid

• Provisioning Session Machines requires PowerShell remoting to be enabled and functional. To

ensure no environmental issues are preventing PowerShell remoting from functioning properly, run

winrm quickconfig on the Session Machines.

• Verify connectivity from the App Orchestration configuration server to the Session Machine using

PowerShell remoting, using the orchestration service account credential.

• To avoid DNS issues that may arise between newly-provisioned Session Machines and the App

Orchestration configuration server, ensure that you can execute nslookup from the App

Orchestration configuration server to the Session Machines, and from the Session Machines to the

configuration server.

• Ensure that no operating system or application updates are being applied automatically on

externally-provisioned Session Machines, or on the input template used for on-demand provisioning.

Disable the Windows Update Service from applying updates automatically, and turn off any

application updaters on those machines.

• You can enable Windows Update and other application update mechanisms on Delivery Controllers

and StoreFront servers.

• App Orchestration requires that all Session Machines are configured identically, including hardware

and installed software. Therefore, App Orchestration will reject importing a machine that is different

from the template machine.
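The remoting, DNS and update checks in the list above can be run in one pass before importing machines. The script below is an added example, not part of the Citrix documentation; it is meant to run on the App Orchestration configuration server, the machine names are constructed placeholders, and it reads the automatic-update setting only from the Group Policy registry value, so a machine configured another way needs a manual look.

```powershell
# Added example, not Citrix code. Run on the App Orchestration configuration server.
param(
    # Constructed placeholder names; replace with your Session Machines.
    [string[]]$SessionMachine = @('sm01.resource.example', 'sm02.resource.example'),
    # Credential of the orchestration service account.
    [pscredential]$Credential = (Get-Credential -Message 'Orchestration service account')
)

# FQDN that the Session Machines must be able to resolve back to.
$configServer = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Checks that can only be made from the Session Machine itself.
# Uses only .NET, WMI and registry calls so it also runs on older hosts.
$remoteChecks = {
    param($ConfigServer)

    # Session Machine -> configuration server name resolution.
    $reverseDns = $true
    try { $null = [System.Net.Dns]::GetHostAddresses($ConfigServer) }
    catch { $reverseDns = $false }

    # Start mode of the Windows Update service: Auto, Manual or Disabled.
    $wuMode = (Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'").StartMode

    # Group Policy value that switches automatic updating off (1 = off).
    # The value is absent when automatic updates are not governed by policy.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                           -Name NoAutoUpdate -ErrorAction SilentlyContinue

    New-Object psobject -Property @{
        ReverseDns    = $reverseDns
        WuServiceMode = $wuMode
        AutoUpdateOff = [bool]($au -and ($au.NoAutoUpdate -eq 1))
    }
}

$report = foreach ($name in $SessionMachine) {
    $row = [ordered]@{
        Machine                = $name
        ForwardDns             = $false
        WinRMListener          = $false
        ServiceAccountRemoting = $false
        ReverseDns             = $null
        WuServiceMode          = $null
        AutoUpdateOff          = $null
        Error                  = $null
    }
    try {
        # 1. Configuration server -> Session Machine name resolution.
        $null = [System.Net.Dns]::GetHostAddresses($name)
        $row.ForwardDns = $true

        # 2. A WinRM listener answers (unauthenticated probe).
        $null = Test-WSMan -ComputerName $name -ErrorAction Stop
        $row.WinRMListener = $true

        # 3. The orchestration service account can open a session and run commands.
        $r = Invoke-Command -ComputerName $name -Credential $Credential `
                            -ScriptBlock $remoteChecks -ArgumentList $configServer `
                            -ErrorAction Stop
        $row.ServiceAccountRemoting = $true
        $row.ReverseDns    = $r.ReverseDns
        $row.WuServiceMode = $r.WuServiceMode
        $row.AutoUpdateOff = $r.AutoUpdateOff
    }
    catch {
        # The first failing step ends the checks for this machine; the flags
        # still set to $false or $null show where it stopped.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# Machines to fix or review by hand before import.
$notReady = @($report | Where-Object {
    $_.Error -or -not $_.ReverseDns -or -not $_.AutoUpdateOff
})
if ($notReady.Count -gt 0) {
    Write-Warning ("{0} machine(s) need attention: {1}" -f $notReady.Count,
                   ($notReady.Machine -join ', '))
}
```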

Task 1: Create a new Delivery Site

A Delivery Site consists of at least one Delivery Controller. When you create a new Delivery Site, the

Delivery Site wizard prompts you for the following information:

• Site name, licensing model, and Citrix product version to install on the machines you want to deploy

as Delivery Controllers. You can select XenApp 6.5 or XenDesktop 7.6. A Delivery Site with one of

these products installed will only work with Session Machines that are running the same product. For

example, if the Controllers in a Delivery Site are running XenDesktop 7.6, only Session Machines

running XenDesktop 7.6 can join the Delivery Site to deliver hosted applications and desktops.

• The servers you want to deploy as Delivery Controllers to the Site, including the resource domain

and datacenter in which they should reside. App Orchestration requires at least one Controller in a

Delivery Site.

• The Delivery Site administrator group and Site administrator account for the Delivery Site. The Site

administrator account is a non-privileged user account and must be a member of the Delivery Site

administrator group. This account should not belong to the Domain Admins group. The Delivery Site

administrator group and Site administrator account must exist already in your environment; App

Orchestration does not create them. For more information about Delivery Site administrator

privileges in the shared and tenant resource domains, refer to the document Credentials Used With

App Orchestration 2.6.

• The database server, credentials, and names for the Site databases to be created (configuration,

logging, and monitoring). For more information about the privileges required for the Delivery Site

database user, refer to the document Credentials Used in App Orchestration 2.6.

When specifying the database details for the Delivery Site, Citrix recommends using separate

databases for each database type. This enables you to create appropriate backup and recovery

protocols for each database, and prevents outages due to a single point of failure. By default, App

Orchestration creates separate databases for the Site's configuration, logging, and monitoring data. For

example, for a Delivery Site named "Site1," App Orchestration creates the "Site1" configuration

database, the "Site1Logging" logging database, and the "Site1Monitoring" monitoring database.

Additionally, App Orchestration uses the same database server for all three databases by default. You

can accept these defaults or specify different servers and names for each database. By default, “Enroll

this site in Customer Experience Improvement Program” is selected.

Note: If you enroll the Delivery Site in the Customer Experience Improvement Program, you can disable it only in

Desktop Delivery Controller, using a PowerShell cmdlet. App Orchestration does not allow you to disable it in the

configuration server.

After you complete the wizard, App Orchestration issues workflows that perform the following tasks:

• Evaluate the machine configuration of the controllers and create a profile. App Orchestration uses

this profile to evaluate subsequent Delivery Controllers that you add to the Site. If new Delivery

Controllers do not match the profile, App Orchestration does not add them to the Site. Therefore, all

Delivery Controllers you add to a Site must be identically configured, including hardware

configuration, operating system, and software updates.

• Create the Delivery Site and join the Delivery Controllers to it.

You can monitor these workflows using the Workflows tab in the App Orchestration web console.

Aggregate an existing Delivery Site

Aggregation is the means by which multiple instances of hosted applications or desktops from multiple

Delivery Sites are presented to users with a single icon when they access their StoreFront site with Citrix

Receiver. For example, if Microsoft Word is offered on multiple Delivery Sites, users see a single icon for

Microsoft Word when they log on to their StoreFront site.

For more information about resource aggregation, see the topic StoreFront high availability and

multi-site configuration in Citrix eDocs.

For more information about the versions of XenApp and XenDesktop that StoreFront supports for

Delivery Site aggregation, see the topic Infrastructure requirements in Citrix eDocs.

Task 2: Create a Session Machine Catalog

This step consists of the following tasks:

1. From the App Orchestration web console, create a Session Machine catalog.

2. Add the servers you have prepared as the first Session Machines to the catalog using integrated

provisioning or external provisioning.

Create a catalog with integrated provisioning

For information about using integrated provisioning in your App Orchestration deployment, see the

document Provisioning Session Machines On-demand in App Orchestration 2.6. This guide provides

additional details and step-by-step instructions for provisioning Session Machines on-demand using

integrated provisioning.

Create a catalog for externally-provisioned machines

As with Delivery Sites, you use the App Orchestration web console to complete the Session Machine

Catalog wizard.

If you choose to create a catalog for externally-provisioned machines, the wizard prompts you for the

following information:

• Catalog name and OS Type for the Session Machines it will contain.

• Type of Delivery Controllers that the machines will work with when hosting offerings for tenants

(XenApp 7.6 and XenDesktop 7.6 or XenApp 6.5). The controller type you specify determines the

Citrix product that App Orchestration requires and validates on the Session Machines you add to the

catalog. For example, if you specify XenDesktop 7.6 as the controller type, App Orchestration will

confirm that the Virtual Delivery Agent is installed on Session Machines that are added to the

catalog.

• Number of users allowed to access each machine before it is considered fully loaded. You can also

allow App Orchestration to include CPU and memory in its calculations for determining server load.

Add Session Machines to the catalog

To add Session Machines to a catalog for externally-provisioned machines, you complete a separate

wizard. This wizard prompts you for the name of the Session Machine Catalog, resource domain, and

datacenter in which the Session Machine will reside. You also specify the names of the Session

Machines you want to add to the catalog. App Orchestration requires at least one Session Machine be

added to create offerings, but you can add up to 20 machines at one time. Deploying more than 20

machines places a heavy burden on the App Orchestration configuration server's resources, causing

workflows to time out before the machines can complete the provisioning process.

Important: When you specify the Session Machines you want to add to the catalog, ensure the machines are

not members of an existing machine catalog in an existing Delivery Site that was created outside of App

Orchestration. When App Orchestration adds Session Machines to a catalog, App Orchestration assumes the

machines are free to be allocated to the Delivery Sites you create through the App Orchestration web console.

App Orchestration cannot verify whether the Session Machines you want to add are already allocated to other

XenDesktop deployments. If you create offerings and subscriptions that use resources hosted on Session

Machines that are already allocated to other XenDesktop deployments, users will not be able to launch

sessions on these machines when they attempt to access their subscriptions.

After you complete the Add Session Machines wizard, App Orchestration issues a workflow that

performs the following tasks:

• Evaluate the machine configuration of the Session Machine and create a profile. App Orchestration

uses this profile to evaluate subsequent Session Machines that you add to the catalog. If new

Session Machines do not match the profile, App Orchestration does not add them to the catalog.

Therefore, all Session Machines you add to the catalog must be identically configured, including

hardware configuration, operating system, system updates, and installed applications. If you want to

add Session Machines that have, for example, different applications installed, you must add them to a

different catalog.

• Add the Session Machine to the catalog.

You can monitor these workflows using the Workflows tab in the web console.

Task 3: Add a StoreFront server group

In this step, you use the App Orchestration web console to create a StoreFront Server Group and

specify the servers you want to add to it. A server group consists of at least one StoreFront server. App

Orchestration requires at least one StoreFront server in the deployment for making offerings available to

tenants' users.

As with Delivery Sites and Controllers, you add StoreFront servers to your deployment using a wizard.

The wizard prompts you for the following information:

• Server group name, SSL certificate, and load balancer URL. StoreFront requires that each machine

have an SSL certificate installed prior to deployment. For more information about StoreFront

requirements, see “Prepare StoreFront servers” on page 39. When entering the load balancer URL,

check to ensure the URL you enter is correct. Changing the URL later requires you to delete the

entire server group and redeploy it with the new URL.

• Names of the StoreFront servers you want to add to the group.

• Resource domain and datacenter in which the servers will reside.

After you complete the wizard, App Orchestration issues workflows that perform the following tasks:

• Evaluate the machine configuration of the servers and create a profile. App Orchestration uses this

profile to evaluate subsequent StoreFront servers that you add to the group. If new StoreFront

servers do not match the profile, App Orchestration does not add them to the group. Therefore, all

StoreFront servers you add to a server group must be identically configured, including StoreFront

version, operating system, and software updates.

• Create the server group and join the StoreFront servers to it.

You can monitor these workflows using the Workflows tab in the web console.

Task 4: Create an offering

This step consists of making applications and desktops (hosted on the Session Machines) available for

subscription by tenants.

To create offerings, you use the App Orchestration web console to specify the applications and desktops

you want to include and the isolation level at which you want to provide the offering to tenants. The

isolation level you select depends on whether you want to create an offering that uses shared machines

or machines that are dedicated to an individual tenant. For more information about these isolation levels,

see the document Isolation Methods in App Orchestration 2.6.

Deliver service offerings to tenants

Accounts and Permissions

To add a tenant, you will need a user domain and a resource domain in Active Directory, both of which

must be added to App Orchestration through the web console. The user domain and resource domain

can be the same domain. You can use the shared resource domain as both the user domain and

resource domain.

• In the user domain, you must have credentials of a user who can resolve other user accounts within

that domain.

• In the resource domain, you must have credentials of a user who can move machines between

Active Directory OUs within that domain.

Prerequisites

Before adding tenants, make sure you know:

• The user and resource domain details.

• The StoreFront and NetScaler Gateway isolation modes you want to use for that tenant.

• The NetScaler Gateway address, if the tenant will be using a private NetScaler Gateway.

• The name of the tenant’s private management network, if the tenant will be using network isolation.

This must match the name configured in your compute resource that will be used for machines

provisioned for that tenant.

After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions.

After you’ve preallocated capacity, you can create subscriptions. To do this, you should know:

• The offerings to which users want to subscribe.

• The tenant to whom those users belong.

• The Active Directory group in their user domain that contains the users who want to subscribe to that offering. This can be the Location Group or a Subscription Group.

If you haven’t preallocated capacity, App Orchestration will create capacity of one machine on-demand.

Personas

Three personas are involved in the Deliver phase of App Orchestration: the Service Designer, the

Tenant Administrator, and the Subscribers. In your organization, the Service Designer and Tenant

Administrator functions may be performed by two different people, or by one person who does both jobs.

The Service Designer performs the following tasks:

• Onboards tenants by creating their OUs in Active Directory, their users, and user groups.

• Sets up billing and chargeback for that tenant.

• Adds the tenant into App Orchestration.

• Asks the Tenant Administrator for the anticipated number of users, and based on that answer

preallocates capacity for the tenant to access offerings.

• Informs the Tenant Administrator of the StoreFront address that the end users will need in order to

connect to and access their offerings.

The Tenant Administrator performs the following tasks:

• Informs the Service Designer upfront how many users are expected to access each offering.

• Subscribes end users to individual offerings.

• Directs end users to the tenant’s StoreFront address, either directly or through configuration of

clients.

The Subscriber accesses offerings using Citrix Receiver.

Pitfalls to Avoid

Follow these simple guidelines to avoid common pitfalls in the Deliver phase:

• App Orchestration defaults to using the tenant’s name as the isolated network name. Ensure that

you have a network with this name in your virtualization infrastructure, or change the name in App

Orchestration when adding the tenant.

• Also ensure that you use the correct isolation modes for StoreFront and NetScaler Gateway when

adding a tenant. If necessary, you can change these settings later by editing the tenant.

• After you create subscriptions or adjust capacity, you should monitor the status of those changes by

watching the Workflows tab or the Dashboard Notifications.

• You can adjust capacity as needed, but remember that App Orchestration must execute workflows

to reconfigure the system to comply with that desired state. If there are not enough StoreFront

Server Groups or Delivery Sites or available Session Machines, a notification on the Dashboard will

explain how to correct the problem.

Task 1: Add a tenant and add users

This step consists of adding tenants to the App Orchestration system and specifying the user groups

that will be accessing offerings through StoreFront.

To add tenants, you use the App Orchestration web console to specify the tenant's resource and user

domains, the default datacenter through which users will access offerings, the isolation level of the

tenant's StoreFront site, and whether the tenant accesses a shared or private NetScaler Gateway (if

NetScaler Gateway is enabled for the deployment). For more information about StoreFront isolation

levels, see the document Isolation Methods in App Orchestration 2.6.

To ensure the machines that are dedicated to tenants' exclusive use are adequately isolated, Citrix

recommends using a private Active Directory forest for each tenant, a private management network, and

offerings that employ Private Delivery Site isolation. This helps ensure that a tenant's resources are

isolated from other tenants and other tenants' users.

Security considerations

As a security consideration when adding tenants, include user groups that contain only domain users. Users who belong to the Domain Admins group should not be added to these groups. This ensures that a tenant's users can access only the Session Machines in the resource management network (either shared or private). Additionally, keep the following considerations in mind:

• Do not grant tenant users or administrators Domain Admin permissions in any Active Directory domain included in the deployment.

• If administrator permissions are granted to a tenant, ensure the tenant has local machine administrator privileges only for privately allocated Session Machines. Tenants should not have administrator privileges on any other server or component in the deployment.

• Ensure that tenants do not have permissions to access any compute resources in the deployment.

• Ensure that tenants do not have permissions to log on to or administer shared components such as NetScaler Gateway appliances or StoreFront servers.

Task 2: Adjust capacity

Capacity refers to the number of Session Machines allocated to offerings and the tenants who access them. By default, App Orchestration creates an initial capacity of one machine.

After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions. You can adjust the capacity as needed to host more or fewer offerings or users.

In the App Orchestration web console, go to the Dashboard and click the pencil to the right of Capacity Allocation.

Select the offering and specify the desired capacity. App Orchestration estimates the number of users that can fit per machine based on the load balancing settings, or whether the machines are single user.

When you are deciding how many machines to preallocate, you should consider whether the Session Machine Catalog uses statically allocated or pooled machines.

• For statically allocated machines, you should preallocate the number of machines necessary to support all of the users who will be using the offering.

• For pooled machines, you only need to preallocate the number of machines necessary to support concurrent users of the offering.

Task 3: Subscribe the tenant to an offering

This step consists of creating a subscription for a tenant so that the tenant's users can access a specific offering through StoreFront.

To create a subscription, you use the App Orchestration web console to specify the offering, tenant, and user groups to include. The process of subscribing a tenant to an offering involves creating a Delivery Group according to the isolation level defined for the offering. This Delivery Group restricts access to the offering, ensuring only the specified users can access the offering through StoreFront.

Important: When subscribing users to offerings, ensure the users are members of domain global user groups. This ensures that only users in the tenant’s user domain are authorized to access the tenant’s offerings. Using domain local or universal user groups for subscriptions could allow users external to the tenant’s user domain to be members of these groups and allow these users to access the tenant’s offerings.

For more information about Delivery Group isolation levels, see the document Isolation Methods in App Orchestration 2.6.
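The group rules in the Task 1 security considerations and in the Important note above can be checked with a script before a subscription is created. The following PowerShell is an added example, not part of the Citrix guide or product; the function names, the constructed sample records and the server name in the comments are assumptions made for illustration.

```powershell
# Added example, not Citrix code. Evaluates tenant subscription groups against
# the guide's two rules: domain global scope, and no Domain Admins as members.

function Test-TenantGroup {
    param(
        # Record with Name, GroupScope and Members (SamAccountName, objectClass, SID).
        [Parameter(Mandatory)] $Group,
        # SIDs of every account that is a direct or nested member of Domain Admins.
        [string[]] $DomainAdminSids = @()
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    if ("$($Group.GroupScope)" -ne 'Global') {
        $findings.Add("scope is $($Group.GroupScope); subscriptions need a domain global group")
    }
    foreach ($m in $Group.Members) {
        # Assumption: "only domain users" is read as "every effective member is a user object".
        if ($m.objectClass -ne 'user') {
            $findings.Add("$($m.SamAccountName) is a $($m.objectClass), not a user")
        }
        if ($DomainAdminSids -contains "$($m.SID)") {
            $findings.Add("$($m.SamAccountName) is a member of Domain Admins")
        }
    }
    [pscustomobject]@{
        Group     = $Group.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Collectors for a live domain; they need the RSAT ActiveDirectory module.
function Get-TenantGroupRecord {
    param([Parameter(Mandatory)] [string[]] $Name, [string] $Server)
    $ad = @{}; if ($Server) { $ad.Server = $Server }
    foreach ($n in $Name) {
        $g = Get-ADGroup -Identity $n @ad
        [pscustomobject]@{
            Name       = $g.Name
            GroupScope = $g.GroupScope
            # -Recursive flattens nested groups down to their leaf members.
            Members    = @(Get-ADGroupMember -Identity $g -Recursive @ad)
        }
    }
}

function Get-DomainAdminSid {
    param([string] $Server)
    $ad = @{}; if ($Server) { $ad.Server = $Server }
    # Domain Admins always has RID 512, whatever the group is named locally.
    $sid = "$((Get-ADDomain @ad).DomainSID)-512"
    Get-ADGroupMember -Identity $sid -Recursive @ad | ForEach-Object { "$($_.SID)" }
}

# Constructed sample records (no real accounts) so the check runs without a domain.
$dom    = 'S-1-5-21-1000000001-1000000002-1000000003'
$admins = @("${dom}-1104")
$sample = @(
    [pscustomobject]@{ Name = 'TenantA-Office'; GroupScope = 'Global'; Members = @(
        [pscustomobject]@{ SamAccountName = 'alice'; objectClass = 'user'; SID = "${dom}-1201" }) }
    [pscustomobject]@{ Name = 'TenantA-Design'; GroupScope = 'Universal'; Members = @(
        [pscustomobject]@{ SamAccountName = 'bob'; objectClass = 'user'; SID = "${dom}-1104" }) }
)
$sample | ForEach-Object { Test-TenantGroup -Group $_ -DomainAdminSids $admins }

# Live use, repeated for each domain in the deployment (server name is hypothetical):
#   $da = Get-DomainAdminSid -Server dc01.tenant-a.example
#   Get-TenantGroupRecord -Name 'TenantA-Office' -Server dc01.tenant-a.example |
#       ForEach-Object { Test-TenantGroup -Group $_ -DomainAdminSids $da }
```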

Task 4: Optional: Deploy tenant self-service features

After you deploy App Orchestration, you can choose to integrate with CloudPortal Services Manager 11.5. This deployment option enables you to make App Orchestration offerings available for self-service consumption through the Services Manager web-based control panel. Tenants can self-administer the offerings to which they have subscribed and their users can request access to subscribed offerings as needed.

To enable Services Manager to communicate with your App Orchestration deployment, you perform the following tasks:

1. Download CloudPortal Services Manager 11.5 from the Citrix web site.

2. Install the Hosted Apps and Desktops web service on the App Orchestration configuration server.

3. Configure the Hosted Apps and Desktops service through the Services Manager control panel.

You can then use the control panel to manage offerings and provision the service to tenants. To enable tenants’ users to self-subscribe to offerings, configure Workflow Approval for the tenant.

When you enable this integration, the App Orchestration and Services Manager web consoles assume specific roles with regard to the administration tasks you perform in your deployment. You use the Services Manager control panel to manage tenant onboarding and subscribing users to offerings. You use the App Orchestration web console to create new offerings, add capacity to existing offerings, and manage the Delivery Sites, Session Machines, and StoreFront servers in your deployment.

Appendix: Setup Checklist

This checklist is a convenient tool to help you plan and document your App Orchestration deployment. Use this checklist along with the rest of the information in this guide to ensure all required preparation tasks are performed.

This checklist helps you prepare the following components:

• 1 domain controller with a minimum domain functional level of Windows Server 2008 R2

• 1 database server running a supported version of Microsoft SQL Server

• 1 Citrix License Server

• 1 NetScaler Gateway

• 1 server, for the App Orchestration configuration server

• 1 server, for the Session Machine that will host applications and desktops for users

• 1 server, for the Delivery Controller that makes up one Delivery Site

• 1 server, for the StoreFront server that makes up one StoreFront server group

Use the Notes column to record the details of your preparation activities. You will need to supply this information when you configure App Orchestration’s global settings.

Shared resource domain

Complete the tasks in this section before you install App Orchestration. You will need to supply the information below when you configure App Orchestration’s global settings. For more information about the tasks in this section, see “Prepare your Active Directory domains” on page 22.

Completed ()

Task Notes

Create a domain to be used as the shared resource domain.

Minimum domain functional level: Windows Server 2008 R2.

Domain name:

Create a Group Policy object that will be associated with all machines in the shared resource domain and configure the following settings:

Set the PowerShell execution policy to AllSigned

Configure PowerShell remoting

Allow WinRM traffic through Windows Firewall

Allow WinRM remote server management for all servers

Allow WinRM clients to trust all servers

Set Windows Remote Shell maximum memory to 1 GB or more.

Allow unlimited number of remote shells per user.

For detailed instructions, refer to the section “Configure the App Orchestration Group Policy” on page 24.

Create an Active Directory security group that you designate as the orchestration service group (for example, MyDomain\OrchestrationAdmins).

Group name:

Create an organizational unit as the root OU for App Orchestration.

App Orchestration will have permission in this OU to create, move, and remove objects.

Root OU name:

Create an orchestration service account with the following permissions:

• Read and Write permissions on the App Orchestration root OU

• Permission to use PowerShell remoting to access all servers in the shared resource domain

• Add the account to the orchestration service group

Important: For security reasons, do not add this account to the Domain Admins group.

User name:

Password:

Default user domain

The default user domain is where App Orchestration service accounts reside. You can create a separate domain or you can designate the shared resource domain for this purpose when you configure App Orchestration’s global settings.

Completed ()

Task Notes

Create a domain to be used as the default user domain.

This domain must have a minimum domain functional level of Windows Server 2003.

Domain name:

Create a user account in the user domain.

Important: For security reasons, do not add this account to the Domain Admins group.

User name:

Password:

Citrix ProductMedia folder

The Citrix ProductMedia folder contains the software for App Orchestration and other components that are required to provision Delivery Sites, Session Machines, and StoreFront servers. This folder can be local to all machines (recommended), or on a portable drive, a network share of any kind, or any other location that is visible to all of your machines. Citrix recommends that you protect this folder with appropriate access controls, to prevent unauthorized access that might result in file corruption or the introduction of malware.

Option 1: From App Orchestration bundle

Completed ()

Task Notes

Download App Orchestration 2.6 with Bundle from the Citrix web site.

Choose App Orchestration 2.6 with Bundle from the download page for Citrix Cloud Provider Pack.

Extract the downloaded zip file (App_Orchestration_2.6_Bundle.exe) into a folder of your choice (for example, AO), with the following layout:

You do not need to do anything more to prepare the product media folder.

Option 2: From App Orchestration 2.6

Completed ()

Task Notes

Download App Orchestration 2.6 from the Citrix web site.

Choose App Orchestration 2.6 from the download page for Citrix Cloud Provider Pack.

Extract the downloaded zip file (App_Orchestration_2.6.zip) into a folder of your choice (for example, AO), with the following layout:

In the /Setup/ProductMedia folder, create the following structure:

CitrixStoreFront folder

Download StoreFront 3.0 from the StoreFront download page

Copy the downloaded file to the CitrixStoreFront folder

XenDesktop folder

Download XenDesktop 7.6 from the XenDesktop download page

Copy the entire contents to the XenDesktop folder

Hotfix for Citrix Studio 7.6

Download the hotfix from the x64 version download page or the x86 version download page

Extract the downloaded .zip package

For x64 version

Rename DStudio760WX64002.msi to DesktopStudio_x64.msi and copy to XenDesktop\x64\DesktopStudio folder

For x86 version

Rename DStudio760WX86002.msi to DesktopStudio_x86.msi and copy to XenDesktop\x86\DesktopStudio folder

Hotfixes Update 2 - For Delivery Controller 7.6 (x64 version)

Download the hotfix from the x64 version download page

Extract the downloaded .zip package

Rename the downloaded .msi files and copy to XenDesktop folder:

Rename BrokerSrvc760WX64002.msi to Broker_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder

Rename ConfigMgrWOL760WX64002.msi to ConfigMgr_WOL_Plugin_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder

Rename HostSrvc760WX64002.msi to Host_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder

Rename MCSrvc760WX64002.msi to MachineCreation_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder

Rename MonitorPSSI760WX64002.msi to Monitor_PowerShellSnapIn_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder

Rename MonitorSrvc760WX64002.msi to Monitor_Service_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller folder

Hotfixes Update 2 - For Delivery Controller 7.6 (x86 version)

Download the hotfix from the x86 version download page

Extract the downloaded .zip package

Rename the downloaded .msi files and copy to XenDesktop folder:

Rename BrokerSrvc760WX86002.msi to Broker_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder

Rename ConfigMgrWOL760WX86002.msi to ConfigMgr_WOL_Plugin_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder

Rename HostSrvc760WX86002.msi to Host_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder

Rename MCSrvc760WX86002.msi to MachineCreation_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder

Rename MonitorPSSI760WX86002.msi to Monitor_PowerShellSnapIn_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder

Rename MonitorSrvc760WX86002.msi to Monitor_Service_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller folder

Hotfix For Machine Identity Service Agent 7.6

Download the hotfix from the x64 version download page or the x86 version download page

Rename the downloaded .msi files and copy to XenDesktop folder:

For x64 version:

Rename MISA760WX64001.msi to MachineIdentityServiceAgent_x64.msi and copy to XenDesktop\x64\Virtual Desktop Components folder

For x86 version:

Rename MISA760WX86001.msi to MachineIdentityServiceAgent_x86.msi and copy to XenDesktop\x86\Virtual Desktop Components folder

XenDesktop 7.6 Feature Pack 2:

Download the feature pack from the XenDesktop FP2 download page

Extract the downloaded .zip package

Rename the downloaded .msi files and replace the same .msi files under XenDesktop folder:

Copy DesktopDirector_x64.msi and replace XenDesktop\x64\DesktopDirector\DesktopDirector.msi

Copy DesktopDirector.msi and replace XenDesktop\x86\DesktopDirector\DesktopDirector.msi

Rename GPMx240WX64002.msi to CitrixGroupPolicyManagement_x64.msi and copy to XenDesktop\x64\Citrix Policy

Rename GPMx240WX86002.msi to CitrixGroupPolicyManagement_x86.msi and copy to XenDesktop\x86\Citrix Policy

Rename HDXWMIPROV220WX64001.msi to CitrixHDXWMIProvider-x64.msi and copy to XenDesktop\x64\Virtual Desktop Components\TS

Copy WMIProxy_x64.msi to XenDesktop\x64\Virtual Desktop Components

Copy WMIProxy_x86.msi to XenDesktop\x86\Virtual Desktop Components

Feature Pack 2 - For XenDesktop 7.6 (Cont.)

Rename XDPoshModule760WX64002.msi to XDPoshSnapin_x64.msi and copy to XenDesktop\x64\Citrix Desktop Delivery Controller

Rename XDPoshModule760WX86002.msi to XDPoshSnapin_x86.msi and copy to XenDesktop\x86\Citrix Desktop Delivery Controller

Copy the downloaded .msp files to XenDesktop\MspHotfixes:

Copy ICATS760WX64022.msp to XenDesktop\MspHotfixes\x64\Virtual Desktop Components\Server

Copy ICAWS760WX64022.msp to XenDesktop\MspHotfixes\x64\Virtual Desktop Components\WorkStation

Copy ICAWS760WX86022.msp to XenDesktop\MspHotfixes\x86\Virtual Desktop Components\WorkStation

XenApp 6.5

Download XenApp 6.5 from the XenApp 6.5 download page

Copy the entire contents to the XenApp folder

XenApp 6.5 HRP5

Download XenApp 6.5 HRP5 from the XenApp 6.5 HRP 5 download page

Copy the entire contents to the XenApp/XenAppHRP folder

XenApp 6.5 SQL Server 2012 folder

Copy the entire Setup\ProductMedia\CloudApp Management\Support\SQLServer2012 folder to XenApp\Support folder
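The renamed hotfix files replace installers that App Orchestration later runs on your servers, so it is worth confirming that each staged file is byte-identical to the package you downloaded and checking its signature status. The following PowerShell is an added example, not Citrix code; the function names and the temporary demo folder are assumptions, and the map covers only the Studio, Delivery Controller, Machine Identity Service Agent and XDPoshModule .msi renames listed above.

```powershell
# Added example, not Citrix code. Builds the rename map from the checklist:
# original download name -> relative path it must have under ProductMedia.
function Get-HotfixRenameMap {
    param([ValidateSet('x64', 'x86')] [string] $Arch)
    $tag = $Arch.ToUpper()                       # download names use X64 / X86
    $xd  = "XenDesktop\$Arch"
    $dc  = "$xd\Citrix Desktop Delivery Controller"
    [ordered]@{
        "DStudio760W${tag}002.msi"      = "$xd\DesktopStudio\DesktopStudio_$Arch.msi"
        "BrokerSrvc760W${tag}002.msi"   = "$dc\Broker_Service_$Arch.msi"
        "ConfigMgrWOL760W${tag}002.msi" = "$dc\ConfigMgr_WOL_Plugin_$Arch.msi"
        "HostSrvc760W${tag}002.msi"     = "$dc\Host_Service_$Arch.msi"
        "MCSrvc760W${tag}002.msi"       = "$dc\MachineCreation_Service_$Arch.msi"
        "MonitorPSSI760W${tag}002.msi"  = "$dc\Monitor_PowerShellSnapIn_$Arch.msi"
        "MonitorSrvc760W${tag}002.msi"  = "$dc\Monitor_Service_$Arch.msi"
        "MISA760W${tag}001.msi"         = "$xd\Virtual Desktop Components\MachineIdentityServiceAgent_$Arch.msi"
        "XDPoshModule760W${tag}002.msi" = "$dc\XDPoshSnapin_$Arch.msi"
    }
}

# Compares every staged file with the download it should have come from and
# reports its Authenticode status, so a swapped or altered installer stands out.
function Test-ProductMediaStaging {
    param(
        [Parameter(Mandatory)] [string] $MediaRoot,     # the ProductMedia folder
        [Parameter(Mandatory)] [string] $HotfixSource   # where the hotfix packages were extracted
    )
    foreach ($arch in 'x64', 'x86') {
        foreach ($entry in (Get-HotfixRenameMap -Arch $arch).GetEnumerator()) {
            $staged = Join-Path $MediaRoot $entry.Value
            $source = Get-ChildItem -LiteralPath $HotfixSource -Recurse -File -Filter $entry.Key |
                      Select-Object -First 1
            $state = if (-not (Test-Path -LiteralPath $staged)) { 'NotStaged' }
                     elseif (-not $source) { 'SourceMissing' }
                     elseif ((Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash -ne
                             (Get-FileHash -LiteralPath $source.FullName -Algorithm SHA256).Hash) { 'HashMismatch' }
                     else { 'Match' }
            $sig = if ($state -ne 'NotStaged') { Get-AuthenticodeSignature -LiteralPath $staged }
            [pscustomobject]@{
                Staged    = $entry.Value
                From      = $entry.Key
                State     = $state
                Signature = if ($sig) { "$($sig.Status)" } else { 'n/a' }
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Constructed demo: dummy files in a temp folder, one staged correctly, one altered.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("ao-media-" + [guid]::NewGuid())
$dl  = (New-Item -ItemType Directory -Path (Join-Path $tmp 'Downloads')).FullName
$dst = (New-Item -ItemType Directory -Path (Join-Path $tmp `
        'ProductMedia\XenDesktop\x64\Citrix Desktop Delivery Controller')).FullName
Set-Content -Path (Join-Path $dl 'BrokerSrvc760WX64002.msi') -Value 'constructed broker payload'
Set-Content -Path (Join-Path $dl 'HostSrvc760WX64002.msi')   -Value 'constructed host payload'
Copy-Item (Join-Path $dl 'BrokerSrvc760WX64002.msi') (Join-Path $dst 'Broker_Service_x64.msi')
Set-Content -Path (Join-Path $dst 'Host_Service_x64.msi') -Value 'altered after staging'

Test-ProductMediaStaging -MediaRoot (Join-Path $tmp 'ProductMedia') -HotfixSource $dl |
    Where-Object State -ne 'NotStaged' | Format-Table Staged, State, Signature -AutoSize
Remove-Item -LiteralPath $tmp -Recurse -Force
```

On a real ProductMedia folder, review any row whose State is not Match or whose Signature is not Valid before running the Install Center.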

Database Server

The database server hosts the App Orchestration configuration database. For more information about supported databases, refer to the “Prepare the database server” section on page 29.

Completed ()

Task Notes

Prepare a server and install Microsoft SQL Server 2012 (minimum):

Join the server to the shared resource domain.

Use Windows authentication.

Ensure SQL Server Browser and the SQL Server instance services are enabled and set to start automatically.

Enable remote TCP connections.

Allow SQL traffic to traverse Windows Firewall.

Optionally, you can prepare another SQL Server for mirroring to increase availability. For more information, refer to the document Configuring Database Mirroring in App Orchestration 2.6. If you want to enable a SQL AlwaysOn Availability Group, refer to the section “Detailed steps to configure an AlwaysOn Group for App Orchestration” of AppOrchestration High Availability.

Primary database server name:

Secondary database server name (optional):

Create a SQL database administrator account.

This account must be a Windows account, using Windows authentication. The account you use to install App Orchestration must have permission to create databases.

User name:

Password:

Citrix License Server

Completed ()

Task Notes

Prepare a server and install Citrix Licensing 11.12.1 according to product instructions.

License server name:

Install XenApp or XenDesktop Platinum licenses.

NetScaler Gateway

To secure access to your App Orchestration deployment, NetScaler Gateway enables you to configure policy and action controls while allowing tenants’ users to access the apps and desktops they need. For more information about integrating NetScaler Gateway with App Orchestration, refer to the document Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6 or Configuring NetScaler 10.5 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6.

Completed ()

Task Notes

Install and configure NetScaler Gateway according to product instructions.

Gateway address:

App Orchestration configuration server

Completed ()

Task Notes

Prepare one or more servers to be used as the App Orchestration configuration server(s).

For system requirements, refer to the section “Prepare the App Orchestration configuration server” on page 32.

Note: If you deploy multiple configuration servers, enter only the server’s FQDN when prompted. If you use the server’s IP address or NetBIOS name instead, App Orchestration displays an error message indicating the server cannot be contacted.

Primary server FQDN:

Backup server FQDN (optional):

Join the server(s) to the shared resource domain.

Install a valid SSL certificate, signed by a trusted Certificate Authority, in the local computer’s certificate store.

For proof-of-concept deployments, you can use a wildcard certificate.

For more information about using SSL with App Orchestration, see the document Configuring SSL for App Orchestration 2.6.

Friendly name:

Delivery Controllers

Completed ()

Task Notes

Prepare one or more servers to be used as the Delivery Controllers.

For system requirements, refer to the section “Prepare Delivery Controllers and Session Machines” on page 35.

Primary Controller name:

Backup Controller name:

Run the App Orchestration Install Center to install the appropriate Citrix software on the servers:

• For Delivery Sites running XenApp 7.6 and XenDesktop 7.6, select XenApp and XenDesktop 7.6 Delivery Controller (and App Orchestration Agent)

• For farms running XenApp 6.5, select XenApp 6.5 Controller (and App Orchestration Agent)

For more information, see “Install App Orchestration” on page 45.

Join the servers to the shared resource domain.

Session Machines

On-demand Catalogs (Integrated Provisioning enabled)

For more information about preparing your environment for and enabling integrated provisioning, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.6.

Completed ()

Task Notes

Prepare a compute resource (host and management machines) according to the product documentation and the needs of your organization.

When you create an on-demand catalog in App Orchestration, you must specify the following details about the compute resource:

• Whether the compute resource is running XenServer, ESX, or Hyper-V (resource type)

• A friendly name by which you can identify the compute resource

• The location (URL or IP address) of the compute resource

• Credentials for the compute resource

Resource type:

Friendly name:

Address:

User name:

Password:

Using the management console for the compute resource, create and set up a VM to use as a template for other Session Machines that are added to the catalog.

Setting up a VM might include:

Installing the guest operating system and applicable service packs or updates

Verifying virtual devices such as hard disks are configured correctly

Installing integration tools required to optimize interaction with the host machine

Installing third-party tools such as antivirus software

Installing applications you want to include in offerings

VM name:

Join the VM to the domain for which you want newly-created Session Machines to be members.

The domain to which you join the VM must have a Group Policy defined that allows PowerShell remoting and sets the execution policy. For more information, refer to the section “Configure the App Orchestration Group Policy” on page 24.

The VM must be a member of either the shared resource domain or a domain that has a two-way trust with the shared resource domain.

Ensure that the Orchestration Service Administrator account (defined in App Orchestration’s global settings) has the ability to use PowerShell remoting to connect to the VM and install software.

On the VM, in Advanced TCP/IP Settings, configure the following settings for the VM’s network connection:

In DNS suffix for this connection, enter the shared resource domain name.

Select Use this connection’s DNS suffix in DNS registration.

Catalogs for Externally Provisioned Machines

Completed ()

Task Notes

Prepare one or more machines to be used as Session Machines.

All machines to be added to the catalog must meet the following requirements:

Have the same hardware configuration and the same installed software (including operating system, installed updates, and applications).

Be capable of running XenApp 6.5 or XenDesktop 7.6 VDA software, according to the product’s system requirements.

Machine #1 name:

Machine #2 name:

Machine #3 name:

Machine #4 name:

Join the machines to the appropriate resource domain.

If the machines will be shared among multiple tenants, join them to the shared resource domain. If the machines will be allocated to a specific tenant, join them to the tenant’s private resource domain.

Resource domain name:

StoreFront servers

Completed ()

Task Notes

Prepare one or more servers to be used as the StoreFront server group.

For system requirements, refer to the section “Prepare StoreFront servers” on page 39.

Primary StoreFront server name:

Backup StoreFront server name:

Run the App Orchestration Install Center to install the StoreFront 3.0 software.

For more information, see “Install App Orchestration” on page 45.

Join the servers to the shared resource domain.

Install a valid SSL certificate, signed by a trusted Certificate Authority, in the local computer’s certificate store.

For proof-of-concept deployments, you can use a wildcard certificate. The certificate must have the same Friendly Name on all computers.

Friendly name:

Install and configure a load balancer for the StoreFront server group.

For more information about configuring load balancing with StoreFront, refer to the document Configuring NetScaler 10.1 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6 or Configuring NetScaler 10.5 Load Balancing with StoreFront 3.0 and NetScaler Gateway for App Orchestration 2.6.

Load Balancer URL:

App Orchestration Global Settings

After installing the App Orchestration configuration server, you configure the global settings using the App Orchestration web console. During this process, you must specify the default datacenter for the deployment and the external DNS suffix. You must also decide whether or not to enable network isolation in your deployment.

In App Orchestration, datacenters are used for providing hosted apps and desktops to tenants in distributed geographic locations and for failover. App Orchestration requires at least one datacenter in the deployment. For more information about datacenters, refer to the document Deploying a Multi-Datacenter Environment in App Orchestration 2.6.

In general, network isolation should be enabled if you intend to provide offerings exclusively to specific tenants. For more information about network isolation, refer to the document Isolation Methods in App Orchestration 2.6.

Completed ()

Task Notes

Specify the name of the primary datacenter.

Name:

Specify the external DNS suffix.

The external DNS suffix is the top-level domain of your external-facing DNS server. This influences the defaults for connection routing, but can be overridden, if necessary.

Example: For a datacenter named ag.us.mycompany.com, the suffix “mycompany.com” results in the default routing for user connections to a datacenter named “us.”

Suffix:

Enable network isolation?

If you intend to enable network isolation, you must create and label at least three virtual networks on your compute resources. These networks must exist before you configure the global settings.

For instructions for creating and labeling these networks, refer to the product documentation for your server virtualization solution.

Important: The labels for the virtual networks are case-sensitive. When entering the network labels in App Orchestration, ensure they match exactly the labels configured on your compute resources.

Yes / No

Shared Delivery Controller Management Network label:

Shared Delivery Group Management Network label:

Private Management Network label:

First Tenant

Completed ()

Task Notes

Specify the tenant name.

Tenant Name:

Create an organizational unit in the shared resource domain where the tenant’s private machines will reside.

OU Name:

Create the tenant’s user domain and add an organizational unit where the tenant’s user accounts will reside.

User domain name:

OU Name:

Create user groups for the tenant in the user domain, under the tenant’s user OU.

These user groups will be used later for creating subscriptions, so they should organize users by the sets of apps and desktops that you intend to deliver to those users.

User Group #1:

User Group #2:

User Group #3:

User Group #4:

Create user accounts for the tenant’s users and add them to the appropriate user groups.