XenApp and XenDesktop Policy Planning Guide

Upload: jtabeling

Post on 02-Jun-2018


  • 8/10/2019 XenApp and XenDesktop Policy Planning Guide

    1/30

    Worldwide Consulting Solutions | WHITE PAPER | Citrix Policy

    i

    XenApp and XenDesktop

    Policy Planning Guide


    Table of Contents

    Overview
    Guidelines
        Policy Configuration
        Planning a Baseline Policy
        Security Policies
        Connection based policy configuration
        Device based policy configuration
        User Profile Considerations
    Planning
        Citrix User Policy Settings
        Citrix Computer Policy Settings
        Microsoft Windows Policy
        Folder Redirection Policy
    Conclusion
    Appendix: Policy Quick Reference


    Overview

    Citrix policies provide the basis to configure and fine tune your XenDesktop and XenApp

    environments, allowing organizations to control connection, security and bandwidth settings based

    on various combinations of users, devices or connection types. Correctly defining an initial baseline

    policy and assigning additional policies based on security requirements and specific access scenarios

    can be important in delivering a high definition user experience.

    This planning guide is intended to be a guideline during the decision process for creating a baseline

    policy and additional policies based on connection, security, device and profile considerations.

    While it creates a baseline policy and recommendations for policy settings, it should not be assumed

    to be a complete configuration, or absolutely correct for every customer situation. Architects should

    review the recommendations contained in this document against desired outcomes within the

    organization to ensure requirements are met.

    When making policy decisions it is important to consider both Microsoft Windows and Citrix policies, as components within both policy configurations have an impact on user experience and environment optimization. Within this planning guide a base set of Windows policies that can be used to optimize XenApp and XenDesktop environments is presented. For more details on specific Windows related policies, refer to the Group Policy Settings Reference for Windows and Windows Server, specifically settings related to Windows Server 2008 R2 and Windows 7.

    To help architects design a XenDesktop and XenApp solution based on real-world projects, organizations can refer to the Citrix Desktop Transformation Accelerator for step by step assessment, design and deployment guidance, and the XenDesktop Design Handbook for reference architectures, planning guides and best practices.

    Group Policy Settings Reference for Windows and Windows Server: http://www.microsoft.com/en-us/download/details.aspx?id=25250
    Citrix Desktop Transformation Accelerator: http://www.citrix.com/successaccelerator/
    XenDesktop Design Handbook: http://community.citrix.com/kits/#/kit/1067009

    Guidelines

    When creating a policy set for XenDesktop or XenApp environments, it is a good practice to define

    a baseline policy set which outlines all of the common configuration options for an organization

    within a single policy set, and then configure policy exceptions as required to override decisions for

    specific needs. The key is to keep the policy configurations simple and well-structured in order to

    avoid confusion about resultant set of policy as configurations grow and become more complex.

    When creating a baseline and exception based policy structure, it is important to consider the

    following major areas:

    • Policy configuration
        o Group Policy vs. Citrix Policy engine
        o Policy Integration
        o Policy Filtering
        o Policy Precedence
    • Baseline policy configuration
    • Security policies
    • Connection based policy configuration
    • Device based policy configuration
    • User profile considerations

    Policy Configuration

    Group Policy vs. Citrix Policy Engine

    With new versions of XenDesktop and XenApp, organizations have the option to configure

    Citrix policies via the Citrix administrative consoles (AppCenter for XenApp or Desktop Studio

    for XenDesktop) or through Active Directory group policy using Citrix ADMX files, which

    extend group policy and provide advanced filtering mechanisms. Using Active Directory group

    policy allows organizations to manage both Windows policies and Citrix policies in the same

    location, and minimizes the administrative tools required for policy management. Group policies

    are automatically replicated across domain controllers, protecting the information and simplifying

    policy application. Citrix administrative consoles should be used if Citrix administrators do not

    have access to Active Directory policies, or if filtering mechanisms such as Smart Access are

    required. Architects should select one of the above two methods as appropriate for their organization's needs and use that method consistently to avoid confusion with multiple Citrix

    policy locations.


    Policy Integration

    When configuring policies, organizations will often require both Active Directory policies and

    Citrix policies to create a completely configured environment. With the use of both policy sets,

    the resultant set of policies can become confusing to determine. In some cases, particularly with

    respect to Windows Remote Desktop Services (RDS) and Citrix policies, similar functionality can be configured in two different locations. For example, it is possible to enable client drive

    mapping in Citrix policy and disable client drive mapping in RDS policy. The ability to use the

    desired feature may be dependent upon the combination of RDS and Citrix policy. It is

    important to understand that Citrix policies build upon functionality available in Remote Desktop

    Services. If the required feature is explicitly disabled in RDS policy, Citrix policy will not be able

    to affect a configuration as the underlying functionality has been disabled. In order to avoid this

    confusion, it is recommended that RDS policies only be configured where required and there is

    no corresponding policy in the XenDesktop or XenApp configuration, or the configuration is

    specifically needed for RDS use within the organization. Configuring policies at the highest

    common denominator will simplify the process of understanding resultant set of policies and troubleshooting policy configurations.

    Policy Filtering

    Once policies have been created, they need to be applied to groups of users and/or computers

    based on the required outcome. Policy filtering provides the ability to apply policies against the

    requisite user or computer groups. With Active Directory based policies, a key decision is

    whether to apply a policy to computers or users within site, domain or organizational unit (OU)

    objects. Active Directory policies are broken down into user configuration and computer

    configuration. By default, the settings within the user configuration are applied to users who reside

    within the OU at logon, and settings within the computer configuration are applied to the

    computer at system startup, and will affect all users who log on to the system. The challenge of

    policy association with Active Directory and Citrix deployments revolves around three core areas:

    • Citrix specific computer policies. Citrix XenApp servers and virtual desktops often have

    computer policies that are created and deployed specifically for the XenDesktop or

    XenApp environment. Applying these policies is easily accomplished by creating separate

    OU structures for the XenApp servers and the virtual desktops. Specific policies can

    then be created and confidently applied to only the computers within the OU and below

    and nothing else. Based upon requirements, virtual desktops and XenApp servers may be

    further subdivided within the OU structure based on server roles, geographical locations

    or business units.

    • Citrix specific user policies. When creating policies for XenDesktop and XenApp there

    are a number of policies specific to user experience and security that are applied based on

    the user's connection to the Citrix environment. However, the users' accounts could be

    located anywhere within the Active Directory structure, creating difficulty with simply

    applying user configuration based policies. It is not desirable to apply the Citrix specific


    configurations at the domain level as the settings would be applied to every system any

    user logged on to. Simply applying the user configuration settings at the OU where the

    XenApp servers or virtual desktops are located will also not work, as the user accounts

    are not located within that OU. The answer is to apply a loopback policy, which is a

    computer configuration policy that forces the computer to apply the assigned user

    configuration policy of the OU to any user who logs into the server or virtual desktop, regardless of the user's location within Active Directory. Loopback Processing can be

    applied with either Merge or Replace settings. Using Replace overwrites the entire user

    GPO with the policy from the XenApp or XenDesktop OU. Merge will combine the

    user GPO with the GPO from the XenApp or XenDesktop OU. As the computer

    GPOs are processed after the user GPOs when merge is used, the Citrix related OU

    settings will have precedence and be applied in the event of a conflict.

    • Active Directory policy filtering. In more advanced cases, there may be a need to apply a

    policy setting to a small subset of users like Citrix administrators. In this case, Loopback

    Processing will not work as the policy is intended to be applied only to the subset of users, not all users who log in to the system. Active Directory policy filtering can be used

    to specify specific users or groups of users to which the policy is applied. A policy can be

    created for a specific function, and then a policy filter can be set to apply that policy only

    to a group of users such as Citrix administrators. Policy filtering is accomplished using

    the Security properties of each target policy.


    Citrix policies created using the Citrix administrative consoles in either XenDesktop or XenApp

    have specific filter settings available, which may be used to address policy-filtering situations that

    cannot be handled using group policy. Filters may be applied using any combination of the

    following filters:

    Filter Name | Filter Description | Policy Scope
    Access Control | Applies a policy based on access control conditions through which a client is connecting. For example, users connecting through a Citrix Access Gateway can have specific policies applied. | User policies
    Branch Repeater | Applies a policy based on whether or not a user session was launched through Citrix Branch Repeater. | User policies
    Client IP Address | Applies a policy based on the IPv4 or IPv6 address of the user device used to connect the session. Care must be taken with this filter if IPv4 address ranges are used in order to avoid unexpected results. | User policies
    Client Name | Applies a policy based on the name of the user device used to connect the session. | User policies
    Desktop Group | Applies a policy based on the desktop group membership of the desktop running the session. | XenDesktop user or machine policies
    Desktop Type | Applies a policy based on the type of machine running the session. For example, different policies can be set depending upon whether a desktop is pooled, dedicated or streamed. | XenDesktop user or machine policies
    Organizational Unit | Applies a policy based on the OU of the desktop running the session. | XenDesktop user or machine policies
    Tag | Applies a policy based on any tags applying to the desktop running the session. Tags are strings that can be added to virtual desktops in XenDesktop environments that can be used to search for or limit access to desktops. | XenDesktop user or machine policies
    User or Group | Applies a policy based on the Active Directory group membership of the user connecting to the session. | User policies
    Worker Group | Applies a policy based on the worker group membership of the server hosting the session. | XenApp user or computer policies

    Policy Precedence

    With the tree-based structure of Active Directory, policies can be created and enforced at any

    level in the tree structure. As such, it is important to understand how the aggregation of policies, known as policy precedence, flows in order to understand how a resultant set of policies is

    created. With Active Directory and Citrix policies, the precedence is as follows:

    • Processed first/lowest precedence: Local server policies
    • Processed second: Citrix policies created using the Citrix administrative consoles
    • Processed third: Site level AD policies
    • Processed fourth: Domain level AD policies
    • OU based AD policies
        o Processed fifth: Highest level OU in domain
        o Processed sixth and subsequent: Next level OU in domain
        o Processed last/highest precedence: Lowest level OU containing object

    Policies from each level are aggregated into a final policy that is applied to the user or computer.

    In most enterprise deployments, Citrix administrators do not have rights to change policies

    outside their specific OUs, which will typically be the highest level for precedence. In cases

    where exceptions are required, the application of policy settings from higher up the OU tree can

    be managed using Block Inheritance and No Override settings. The Block Inheritance setting

    stops the settings from higher-level OUs (lower precedence) from being incorporated into the

    policy. However, if a higher-level OU policy is configured with No Override, the Block Inheritance setting will not be applied. Given this, care must be taken in policy planning, and

    available tools such as the Active Directory Resultant Set of Policy tool or the XenDesktop

    policy planning feature should be used to validate the observed outcomes with the expected

    outcomes.
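The processing order, the Block Inheritance and No Override interaction, and the loopback Merge and Replace modes described above can be modelled in a few lines to see which policy wins each setting. This is an added example, not part of the Citrix white paper or of any Citrix or Microsoft tool: the Policy class, the function names and the sample policies are constructed for illustration. It assumes standard Group Policy behaviour in which a No Override policy also wins conflicts with lower-level OUs, and that Block Inheritance affects only AD-linked policies.

```python
from dataclasses import dataclass, replace

# Processing order listed in the guide, lowest precedence first.
LEVELS = ("local", "citrix_console", "site", "domain", "ou")
AD_LEVELS = ("site", "domain", "ou")


@dataclass
class Policy:
    name: str
    level: str                 # one of LEVELS
    settings: dict             # setting name -> configured value
    ou_depth: int = 0          # "ou" level only: 1 = highest-level OU, larger = deeper
    no_override: bool = False  # No Override flag; only meaningful on AD policies


def processing_order(policies):
    """Order policies as they are processed; a later policy wins a conflict."""
    return sorted(policies, key=lambda p: (LEVELS.index(p.level), p.ou_depth))


def resultant_set(policies, block_inheritance_depth=None):
    """Return {setting: (value, winning policy name)} for one user or computer.

    block_inheritance_depth is the depth of the OU that has Block Inheritance
    set (None if unused). Assumption: it only affects AD-linked policies.
    """
    ordered = processing_order(policies)

    def enforced(p):
        return p.no_override and p.level in AD_LEVELS

    def blocked(p):
        if block_inheritance_depth is None or p.level not in AD_LEVELS:
            return False
        linked_above = p.level != "ou" or p.ou_depth < block_inheritance_depth
        return linked_above and not enforced(p)

    result = {}
    # Pass 1: normal aggregation, each later policy overwrites earlier ones.
    for p in ordered:
        if enforced(p) or blocked(p):
            continue
        for setting, value in p.settings.items():
            result[setting] = (value, p.name)
    # Pass 2: No Override policies win every conflict. If several are set, the
    # one linked highest in the tree wins, so apply them in reverse order.
    for p in reversed(ordered):
        if enforced(p):
            for setting, value in p.settings.items():
                result[setting] = (value, p.name)
    return result


def loopback_user_settings(user_gpos, computer_ou_gpos, mode):
    """User settings on a XenApp server or virtual desktop under loopback."""
    from_computer_ou = resultant_set(computer_ou_gpos)
    if mode == "replace":            # the user's own GPOs are ignored entirely
        return from_computer_ou
    merged = resultant_set(user_gpos)
    merged.update(from_computer_ou)  # merge: the Citrix OU wins conflicts
    return merged


# Constructed sample policies; setting names come from the guide's tables.
SAMPLE = [
    Policy("Studio baseline", "citrix_console",
           {"Client clipboard redirection": "Allow", "Audio quality": "Medium"}),
    Policy("Domain security GPO", "domain",
           {"Client clipboard redirection": "Prohibit",
            "Client removable drives": "Prohibit"}),
    Policy("Citrix OU GPO", "ou", {"Client removable drives": "Allow"}, ou_depth=1),
    Policy("Virtual desktops OU GPO", "ou", {"Audio quality": "High"}, ou_depth=2),
]
USER_HOME_OU = [Policy("Sales users GPO", "ou", {"Desktop wallpaper": "Enable",
                "Client clipboard redirection": "Allow"}, ou_depth=1)]
XENAPP_OU = [Policy("XenApp OU GPO", "ou",
                    {"Client clipboard redirection": "Prohibit"}, ou_depth=1)]


def scenarios():
    """Default order, Block Inheritance on the Citrix OU, then No Override added."""
    plain = resultant_set(SAMPLE)
    blocked = resultant_set(SAMPLE, block_inheritance_depth=1)
    pinned_policies = [replace(p, no_override=(p.name == "Domain security GPO"))
                       for p in SAMPLE]
    pinned = resultant_set(pinned_policies, block_inheritance_depth=1)
    return plain, blocked, pinned


if __name__ == "__main__":
    labels = ("default", "block inheritance", "block inheritance + no override")
    for label, rsop in zip(labels, scenarios()):
        print(label)
        for setting, (value, source) in sorted(rsop.items()):
            print(f"  {setting}: {value}  <- {source}")
```

In the second scenario the domain-level Prohibit on clipboard redirection silently disappears once the Citrix OU blocks inheritance, which is the kind of drift a Resultant Set of Policy check is meant to catch before a security setting is lost.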

    Planning a Baseline Policy

    The baseline policy should contain all common elements required to deliver a high definition

    experience to the majority of users within the organization. The baseline policy creates the

    foundation for user access, and any exceptions that may need to be created to address specific access

    requirements for groups of users. It should be comprehensive to cover as many use cases as

    possible and should have the lowest priority, for example 99 (a priority number of 1 is the highest

    priority), in order to create the simplest policy structure possible and avoid difficulties in

    determining the resultant set of policies. The unfiltered policy set provided by Citrix as the default

    policy may be used to create the baseline policy as it is applied to all users and connections. In the

    baseline configuration presented in this whitepaper, Citrix policies have been enabled with default

    settings in many cases in order to clearly identify the policies applied, and to avoid confusion should

    default settings change over time.

    The baseline policy configuration also includes Windows policies. Windows policies reflect user

    specific settings that optimize the user experience and remove features that are not required or

    desired in a XenDesktop or XenApp environment. For example, one common feature turned off

    in these environments is Windows Update. In virtualized environments, particularly where desktops

    and XenApp servers may be streamed and non-persistent, Windows Update creates processing and

    network overhead, and changes made by the update process will not persist across a restart of the virtual

    desktop or application server. Also in many cases, organizations use Windows Software Update

    Service (WSUS) to control Windows updates. In these cases, updates are applied to the master disk

    and made available by the IT department on a scheduled basis. Additional configuration


    considerations for virtual desktops and XenApp servers can be found in the Windows 7 and

    Windows 2008 R2 optimization guides in the XenDesktop design handbook.

    In addition to the above considerations, an organization's final baseline policy may include settings

    specifically created to address security requirements, common network conditions, or to manage

    user device or user profile requirements. These areas need to be addressed both in the default baseline policy configuration, as well as in any additional policy sets created to address exceptions or

    additional needs.

    Security Policies

    Security policies address policy decisions made to enforce corporate security requirements on the

    XenDesktop or XenApp environments. Requirements pertaining to data security and access can be

    controlled by the correct application of security policy. Users can be allowed to read and write to

    local or removable media, connect USB devices such as storage devices, smart phones, or TWAIN

    compliant devices, or cut and paste from the local system based on security requirements.

    Organizations can also enforce encryption and authentication requirements through security related

    Citrix policies. While security is a continuum, high and low security policy guidance has been

    provided in this whitepaper. Architects should consider the most appropriate level of security and

    add the policy settings to the baseline policy set, and then address security exceptions through

    additional policy sets.

    Connection based policy configuration

    Connection based policy considerations are used to develop a policy solution that creates the best

    user experience based on the network environment through which end-users access the network

    infrastructure. Latency and bandwidth available will determine how to best provide access to audio and video over the HDX connection, providing the best quality experience based on the available

    resources. Image quality and compression, audio quality and video frame rates can be adjusted

    based on the connection quality to utilize the bandwidth and network performance appropriately.

    Multi-stream ICA features can be utilized in concert with network Quality of Service (QoS) to

    provide an optimized experience for multimedia, input and display and printing requirements. This

    whitepaper outlines options for WAN/High Latency connections and LAN/Low Latency

    connections. In addition to the settings outlined, there are Citrix policy settings available to limit the

    bandwidth consumption for Citrix sessions generally, or specifically for audio, clipboard, COM and

    LPT ports, local drive, or printer access. These policies can be configured based on specific

    bandwidth consumption, or a percentage of available bandwidth. These settings are very specific to

    the network constraints of a given environment, and thus have not been included in the policy

    baselines presented in this guide. Architects should consider the requirements of their specific

    network environment in determining whether to apply these settings, and the specific

    configurations. As with security policies, architects should consider the appropriate base network

    configuration and add the settings to the initial baseline configuration. Additional network

    requirements can be dealt with by creating additional higher level policies to override baseline

    configurations.

    Windows 7 optimization guide: http://support.citrix.com/article/CTX127050/
    Windows 2008 R2 optimization guide: http://support.citrix.com/article/CTX131577/
    XenDesktop Design Handbook: http://community.citrix.com/kits/#/kit/1067009

    Device based policy configuration

    Device based policy configuration deals with the management of specific device requirements such

    as tablets and smart phones within an organization. Citrix has created a set of policies to optimize

    the experience of tablets and smart phones when connecting to XenApp environments, allowing

    these devices to use location services and to customize the user interface where appropriate. Multimedia specific features, such as Windows Media and Flash redirection will automatically drop

    back from client side redirection to server side rendering of media content if the device does not

    support it; therefore no specific configuration is required to address these features with tablets, or

    with other devices such as thin clients that may not support these features.

    Another consideration for device based policy configuration revolves around the security

    requirements for bring your own (BYO) devices. These elements, such as the need to allow or

    prohibit local access to hard drives or removable devices, should be addressed through security

    policy settings.

    User Profile Considerations

    User profiles play a critical role in determining how successful the user experience is within a virtual

    desktop or virtual application scenario. User profile management can be a key player in mitigating

    the risks of lengthy logon times or lost settings, providing a consistent user experience across

    multiple devices, and providing users with their specific data and settings in a virtualized

    environment. With Citrix Profile Management (UPM), policies control two important aspects of

    user profiles; folder redirection, handled through AD group policy, and UPM settings through Citrix

    policy.

    As stated in the Citrix blog Citrix Profile Management and VDI – Doing it Right, there is more to configuring UPM than simply turning the features on via Citrix policy. Architects must consider the

    correct folder redirection configuration for their environment, as well as configuring Citrix policy

    settings for folder exclusions from the UPM environment. Settings for profile streaming and active

    write back must also be carefully considered based on the size of the profile and whether the virtual

    desktops or application servers are persistent or non-persistent respectively. The base configuration

    for profile management is presented in the planning section of this guide. Profile management

    policies should be included in the baseline policy if they are to be applied across all users in an

    organization.

    Citrix Profile Management and VDI – Doing it Right: http://blogs.citrix.com/2012/02/11/citrix-profile-management-and-vdi-%E2%80%93-doing-it-right

    Planning

    The planning section outlines the initial policy configurations recommended by Citrix Consulting for various scenarios, including baseline configuration, network related policies, security related policies, mobile device and profile policy considerations. Each policy configuration may contain the following policy settings:

    Policy Settings

    • Enabled: Enables the setting. Where applicable, specific settings are detailed.
    • Disabled: Disables the setting. Note: Disabling the policy overrides lower priority policies' settings.
    • Allow: Allows the action controlled by the setting. Where applicable, specific settings are detailed.
    • Prohibit: Prohibits the action controlled by the setting. Note: Prohibiting a feature or functionality overrides lower priority policies' settings.
    • Not Configured: Unless specifically set, un-configured policies use default settings.

    Note: The policy settings specified generally apply to XenApp 6.5 and XenDesktop 5.6 with Feature Pack 1 installed. If a previous version

    is used, please review the Appendix of this whitepaper for applicability of settings to XenApp 6 and XenDesktop 5 or 5.5.


    Citrix User Policy Settings

    User Policy Setting | XA | XD | Baseline | Low Security | High Security | LAN Speed | WAN Speed | Tablet Profile

    ICA

    Client clipboard redirection X X Allow Prohibit

    Desktop launches X Disable

    Launching of non-published programs during client connection X Disable

    ICA\Adobe Flash Delivery\Flash Redirection

    Flash acceleration X X Enabled

    Flash default behavior X X Enable Flash Redirection

    Flash event logging X X Enabled

    Flash intelligent fallback X X Enabled

    Flash latency threshold X X 30 milliseconds

    ICA\Adobe Flash Delivery\Legacy Server Side Optimization

    Flash quality adjustment X Allow

    ICA\Audio

    Audio over UDP Real-time Transport X Enabled Enabled

    Audio Plug N Play X Allow

    Audio quality X X Medium

    Client audio redirection X X Allow

    Client microphone redirection X X Prohibit

    ICA\Client Sensors\Location

    Allow applications to use the physical locations of the client device X Enable if secure connection

    ICA\Desktop UI

    Aero Redirection X Allow Prohibit

    Aero Redirection Graphics Quality X High Disable

    Desktop wallpaper X X Enable Disable

    Menu animation X X Allow Prohibit

    View window contents while dragging X X Allow Prohibit

    ICA\File Redirection

    Auto connect client drives X X Allow Prohibit

    Client fixed drives X X Enable Disable

    Client floppy drives X X Prohibit

    Client network drives X X Allow Prohibit

    Client optical drives X X Prohibit

    Client removable drives X X Allow Prohibit

    Host to client redirection X Disable

    Preserve client drive letters X Disable

    Read-only client drive access X X Disable


    Use asynchronous writes X X Disable

    ICA\Mobile Experience X X

    Automatic Keyboard Display X Enable

    Launch touch-optimized desktop X Enable

    Remote the combo box X Enable

    ICA\Multi Stream Connections

    Multi-Stream X X Enable with QoS Enable with QoS

    ICA\Port Redirection

    Auto connect client COM ports X X Disable

    Auto connect client LPT ports X X Disable

    Client COM port redirection X X Disable

    Client LPT port redirection X X Disable

    ICA\Printing

    Client printer redirection X X Allow Prohibit

    Default printer X X Set to clients main printer

    Direct connections to print servers X X Enable Disable

    Printer auto creation log preference X X Errors

    Wait for printers to be created (desktop) X X Disabled

    ICA\Printing\Client Printers

    Auto-create client printers X X Default printer only

    Auto-generate generic universal driver X X Disabled

    Client printer names X X Standard names

    Printer properties retention X X Retained in profile only

    Retained and restored client printers X X Allowed

    ICA\Printing\Drivers

    Automatic installation of in-box printer drivers X X Disabled

    Universal driver usage X X Use Universal Printing only if requested driver is unavailable

    ICA\Printing\Universal Printing

    Universal printing EMF processing mode X X Spool to printer

    Universal printing image compression limit X X Best Quality

    Universal printing optimization defaults X X Standard Quality

    Caching of embedded images

    Caching of embedded fonts

    Universal printing preview preference X X Use for auto-generated and generic

    ICA\SecureICA

    SecureICA minimum encryption level X RC5 128 bit Logon only RC5 128 bit

    ICA\Session Limits

    Disconnected session timer X Disabled Enabled


    Disconnected session timer interval X 30 Minutes

    Linger Disconnect Timer Interval X 5 Minutes

    Linger Terminate Timer Interval X 10 Minutes

    Pre-Launch Disconnect Timer Interval X 15 Minutes

    Pre-Launch Terminate Timer Interval X 30 Minutes

    Session connection timer X Disabled

    Session idle timer X Disabled Enabled

    Session idle timer interval X 2 hours

    ICA\Shadowing

    Input from shadow connections X Allow Prohibit

    Log shadow attempts X Allow

    Notify user of pending shadow connections X Allow

    Users who can shadow other users X Defined by security

    ICA\Time Zone Control

    Estimate local time for legacy clients X Enable

    Use local time of client X X Use Client time zone

    ICA\TWAIN devices

    Client TWAIN device redirection X X Allow Prohibit

    TWAIN compression level X X Low High

    ICA\USB devices

    Client USB device redirection X X Enable Disable

    Client USB device redirection rules X X Allow Prohibit

    Client USB Plug and Play device redirection X Allow Prohibit

    ICA\Virtual Desktop Agent Settings\ICA Latency Monitoring

    Enable Monitoring X Disabled

    ICA\ Virtual Desktop Agent Settings\ Profile Load Time Monitoring

    Enable Monitoring X Disabled

    ICA\Visual Display

    Max Frames per Second X X 30 15

    ICA\Visual Display\Moving Images

    Moving Image Compression X X Enabled

    Minimum Image Quality X Very High Low

    Target Minimum Frame Rate X 10 10

    ICA\Visual Display\Still Images

    Extra Color Compression X X Disabled Enabled

    Extra Color Compression Threshold X X 8192 kbps 8192 kbps

    Lossy compression level X X Low High

    Lossy compression level threshold value X X Unlimited Unlimited

    Profile Management

    Enable Profile Management X X Enabled


    Process Groups X X Configure groups

    Path to User Store X X UNC Path

    Active Write Back X X Enabled (Persistent desktops)

    Process logons of local administrators X X Enabled

    Profile Management\ Advanced Settings

    Delete Redirected Folders X X Enabled

    Directory of MFT Cache Files X X Local or persistent location

    Process Internet cookie files on logoff X X Enabled

    Profile Management\ File System

    Exclusion list - directories X X Exclude redirected folders

    Profile Management\ File System\ Synchronization

    Directories to Synchronize X X Exclude directories

    Files to Synchronize X X Selected files

    Folders to Mirror X X Selected folders

    Profile Management\ Profile handling

    Local profile conflict handling X X Delete local profile

    Migration of existing profiles X X None

    Profile Management\ Profile Streamed user profiles

    Profile Streaming X X Enable if large profile

    Server Session Settings

    Session importance X Normal

    Single Sign-on X X Disabled


    List of excluded files for Profile Management

    AppData\Local

    AppData\LocalLow

    AppData\Roaming\Citrix\PNAgent\AppCache

    AppData\Roaming\Citrix\PNAgent\Icon Cache

    AppData\Roaming\Citrix\PNAgent\ResourceCache

    AppData\Roaming\ICAClient\Cache

    AppData\Roaming\Microsoft\Windows\Start Menu

    AppData\Roaming\Sun\Java\Deployment\cache

    AppData\Roaming\Sun\Java\Deployment\log

    AppData\Roaming\Sun\Java\Deployment\tmp

    Application Data

    Citrix

    Contacts

    Desktop

    Documents

    Favorites

    Java

    Links

    Local Settings

    Music

    My Documents

    My Pictures

    My Videos

    Pictures

    UserData

    Videos

    AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

    AppData\Roaming\Macromedia\Flash Player\#SharedObject

    AppData\Roaming

    Downloads

    Saved Games

    Searches

    Synchronized Directories

    AppData\Roaming\Microsoft\Credentials

    AppData\Roaming\Microsoft\Crypto

    AppData\Roaming\Microsoft\Protect

    AppData\Roaming\Microsoft\SystemCertificates

    AppData\Local\Microsoft\Credential


    Synchronized Files

    Example Synchronized Files for Microsoft Outlook and Google Earth

    AppData\Local\Microsoft\Office\*.qat

    AppData\Local\Microsoft\Office\*.officeUI

    AppData\LocalLow\Google\GoogleEarth\*.kml

    Mirrored Folders

    AppData\Roaming\Microsoft\Windows\Cookies

    Citrix Computer Policy Settings

    Computer Policy Setting XA XD Baseline Low Security High Security LAN Speed WAN Speed Tablet Profile

    ICA

    ICA listener connection timeout X X 120000 ms

    ICA listener port number X X 1494

    ICA\ Auto Client Reconnect

    Auto client reconnect X X Allow

    Auto client reconnect authentication X Not required Require

    Auto client reconnect logging X X Disabled

    ICA\ End User Monitoring

    ICA round trip calculation X X Enable

    ICA round trip calculations for idle connections X X Disable

    ICA\ Graphics

    Display memory limit X X 32768 KB

    Display mode degrade preference X X Degrade Color Depth First

    Dynamic Windows preview X X Enabled

    Image caching X X Enabled

    Maximum allowed color depth X 32 bit

    Notify user when display mode is degraded X X Disabled

    Queuing and tossing X X Enabled

    ICA\Graphics\Caching

    Persistent Cache Threshold X X 3000000 Kbps

    ICA\ Keep Alive

    ICA keep alive timeout X X 60 seconds

    ICA keep alives X X Enabled

    ICA\ Multimedia

    Windows Media Redirection X X Allowed


    Microsoft Windows Policy

    User Policy

    Policy Path | Setting | Description | Applies to

    Control Panel\ Prohibit Access to the Control Panel | Enable | Disables all control panel programs | XenApp, XenDesktop

    Control Panel\ Personalization\ Enable screen saver | Enable | Enables the use of a Screen Saver | XenApp, XenDesktop

    Control Panel\ Personalization\ Force specific screen saver | Enable scrnsave.scr | Forces the use of the blank screen saver in Windows | XenApp, XenDesktop

    Control Panel\ Personalization\ Password protect the screen saver | Enabled | Forces password protection on the screen saver | XenApp, XenDesktop

    Control Panel\ Personalization\ Screen saver timeout | Enabled X Minutes (default 15) | Sets the amount of time in minutes that elapses before the screen saver is activated | XenApp (Published Desktop), XenDesktop

    Desktop\ Don't save settings on exit | Enabled | Prevents users from changing some desktop configurations such as the size of the taskbar or the position of open windows on exit. | XenApp

    Desktop\ Hide Network Locations icon on desktop | Enabled | Removes the Network Locations icon from the desktop. | XenApp

    Desktop\ Prohibit user from manually redirecting Profile Folders | Enabled | Prevents users from manually changing the path to their profile folders. | XenApp, XenDesktop

    Desktop\ Remove Recycle Bin icon from desktop | Enabled | Removes most occurrences of the Recycle Bin icon. | XenApp, XenDesktop

    Start Menu and Taskbar\ Change Start Menu power button | Enabled Log Off | Set Start Menu power button functionality to Log Off user. | XenApp, XenDesktop

    Start Menu and Taskbar\ Prevent changes to Taskbar and Start Menu settings | Enabled | Removes the Taskbar and Start Menu settings from Settings on the Start Menu. | XenApp

    Start Menu and Taskbar\ Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands | Enabled | Prevents user from performing these commands from the Start Menu or the Windows Security screen. | XenApp

    Start Menu and Taskbar\ Remove links and access to Windows Update | Enabled | Prevents users from connecting to the Windows Update website. | XenApp, XenDesktop

    Windows Media Redirection Buffer Size X X 10 seconds

    Windows Media Redirection Buffer Size Use X X Enabled

    ICA\ Multistream Connections

    Multistream X X Enabled (QoS) Enabled (QoS)

    ICA\ Session Reliability

    Session reliability connections X X Prevent

    ICA\ Virtual Desktop Agent Settings\ CPU Usage Monitoring

    Enable Monitoring X Disabled

    ICA\ Shadowing

    Shadowing X Allow

    Licensing

    License server host name X License Server Name

    License server port X 27000

    Start Menu and Taskbar\ Remove network icon from the Start Menu | Enabled | Removes the network icon from the Start Menu | XenApp, XenDesktop

    Start Menu and Taskbar\ Remove Run menu from the Start Menu | Enabled | Removes the Run command from the Start Menu, Internet Explorer, and Task Manager | XenApp

    System\ Prevent access to registry editing tools | Enabled | Disables the Windows Registry Editor | XenApp, XenDesktop

    System\ Prevent access to the Command Prompt | Enabled | Prevents users from running the interactive command prompt cmd.exe | XenApp

    System\ Ctrl+Alt+Del Options\ Remove Task Manager | Enabled | Prevents users from starting Task Manager | XenApp

    System\ Folder Redirection\ Do not automatically make redirected folders available offline | Enabled | Prohibits redirected shell folders Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu and AppData\Roaming from being available offline | XenApp, XenDesktop

    System\ User Profiles\ Exclude Directories in Roaming Profile | Citrix, Contacts, Desktop, Downloads, Favorites, Links, Documents, Pictures, Videos, Music, Saved Games, Searches | Excludes the specified directories from the Roaming Profile | XenApp, XenDesktop

    Windows Components\ Windows Update\ Remove access to use all Windows Update features | Enabled | Removes all Windows Update functions | XenApp, XenDesktop

    Windows Explorer\ Do not move deleted files to the Recycle Bin | Enabled | Prohibits deleted files from being placed in the Recycle Bin. All files are permanently deleted. | XenApp, XenDesktop

    Windows Explorer\ Hide these specified drives in My Computer | Enabled Local hard drives | Hides local hard drives from My Computer | XenApp

    Windows Explorer\ Prevent access to drives from My Computer | Enabled Local hard drives | Prevents access to local hard drives from My Computer | XenApp

    Machine Policy

    Policy Path | Setting | Description | Applies to

    Internet Communication settings\ Turn off Windows Customer Improvement Program | Enabled | Turns off the Windows Customer Improvement Program for all users | XenApp, XenDesktop

    System\ Group Policy\ User Group Policy loopback processing mode | Merge or Replace | Applies alternate user settings when a user logs on to a computer affected by this setting | XenApp, XenDesktop

    System\ Power Management\ Select an active power plan | High Performance | Specifies a power plan from a list of available plans. | XenApp, XenDesktop

    System\ System Restore\ Turn off System Restore | Enabled | Turns off Windows System Restore features | XenApp, XenDesktop

    System\ User Profiles\ Do not check for user ownership of Roaming Profile folders | Enabled | Disables security check for roaming profile folders | XenApp, XenDesktop

    Windows Components\ AutoPlay Policies\ Turn off AutoPlay | Enabled | Turns off AutoPlay for removable devices. | XenApp

    Windows Components\ Internet Explorer\ Turn off reopen last browsing session | Enabled | Disables ability to reopen the user's last browsing session | XenApp

    Windows Components\ Remote Desktop Services\ RD Licensing\ License server security group | XenApp server security groups | Specifies the servers to which RDS will provide licenses | XenApp

    Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Licensing\ Set the Remote Desktop licensing mode | Per User or Per Device | Specifies the licensing mode used by Remote Desktop Server | XenApp

    Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Licensing\ Use the specified Remote Desktop license servers | Specified servers | Specifies the preferred license servers for Remote Desktop Services | XenApp

    Windows Components\ Windows Update\ Configure Automatic Updates | Disabled | Specifies whether the computer system will receive automatic updates through the Windows Update process. | XenApp, XenDesktop

    Folder Redirection Policy

    User Policy\Windows Settings\Security Settings\Folder Redirection

    Folder | Setting | Options

    AppData (Roaming) | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Contacts | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Desktop | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Documents | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Disabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Downloads | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Favorites | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Links | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Music | Follow the Documents Folder |

    Pictures | Follow the Documents Folder |

    Saved Games | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Searches | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Start Menu | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents

    Videos | Follow the Documents Folder |


    Conclusion

    Creating policies for XenDesktop and XenApp configurations involves a combination of Citrix and Microsoft Active Directory group policy settings. Correctly configuring a baseline policy configuration and keeping policy exceptions to a minimum allows organizations to create an environment that meets user experience and security requirements, while providing a policy structure that is easy to review and diagnose. This planning guide has provided a suggested set of policies as a starting point for a XenDesktop or XenApp configuration. It can be used as a basis for architects to customize an initial policy configuration for an organization.


    Appendix: Policy Quick Reference

    The following table provides a description for all Citrix policy settings contained in this document. For complete and up-to-date policy settings, consult the policy settings reference sections for the various technologies in Citrix eDocs.

    User Policy

    Policy Group\ Policy | Description | Applies to

    ICA

    Client clipboard redirection | Allow or prevent the clipboard on the client device to be mapped to the clipboard on the server. | XA 6, XD 5

    Desktop launches | When allowed, non-administrative users can connect. | XA 6 RDS only

    Launching of non-published programs during client connection | Specifies whether to launch initial applications or published applications on the server. | XA 6

    ICA\Adobe Flash Delivery\Flash Redirection

    Flash acceleration | Enables or disables, in Legacy mode only, Flash content rendering on client devices instead of the server. | XA 6, XD 5

    Flash backwards compatibility | Enabling Flash backwards compatibility allows earlier versions of Citrix Receiver to work with legacy Flash Redirection features | XA 6.5, XD 5.5

    Flash default behavior | Establishes the default behavior of second generation Flash acceleration. | XA 6.5, XD 5.5

    Flash event logging | Allows Flash events to be recorded in the Windows application event log. | XA 6, XD 5

    Flash intelligent fallback | If enabled, the system attempts to automatically revert to server-side rendering for Flash Player instances for which client-side rendering is unnecessary or would provide a poor experience | XA 6.5, XD 5.5

    Flash latency threshold | Maximum latency threshold for Flash redirection. Only applies to Legacy mode features. Flash backwards compatibility must be enabled. | XA 6, XD 5

    ICA\Adobe Flash Delivery\Legacy Server Side Optimizations

    Flash quality adjustment | Adjusts quality of Flash content rendered on session hosts to improve performance. | XA 6

    ICA\ Audio

    Audio over UDP Real-time Transport | Allows transmission of audio between host and client over Real-time Transport Protocol (RTP) using the user datagram protocol (UDP). | XD 5.5

    Audio Plug N Play | Allows the use of multiple audio devices. | XA 6

    Audio quality | Specify the sound quality as low, medium, or high. Select "Medium - optimized for speech" for delivering Voice over IP applications. Audio sent to the client is compressed up to 64Kbps. | XA 6, XD 5

    Client audio redirection | Allows or prevents applications hosted on the server to play sounds through a sound device installed on the client computer. Also allows or prevents users to record audio input. | XA 6, XD 5

    Client microphone redirection | Enables or disables client microphone redirection. | XA 6, XD 5

    ICA\ Client Sensors\ Location

    Allow applications to use the physical locations of the client device | Enables or disables the ability for applications to use the physical location of the client device. | XA 6.5 FP1

    ICA\ Desktop UI

    Aero Redirection | Allow the redirection of Aero commands from VDA to client to enrich user experience. | XD 5.5

    http://support.citrix.com/proddocs

    Aero Redirection Graphics Quality | Determine the quality of graphics for Aero Redirection. | XD 5.5

    Desktop wallpaper | Enables or disables the desktop wallpaper in user sessions. | XA 6, XD 5

    Menu animation | Allows or prevents menu animation. | XA 6, XD 5

    View window contents while dragging | Controls the display of window content when dragging a window across the screen. | XA 6, XD 5

    ICA\ File Redirection

    Auto connect client drives | Allows or prevents automatic connection of client drives when users log on. | XA 6, XD 5

    Client drive redirection | Enables or disables file (drive) redirection to and from the client. | XA 6, XD 5

    Client floppy drives | Allows or prevents users from accessing or saving files to floppy drives on the client device. | XA 6, XD 5

    Client fixed drives | Allows or prevents users from accessing or saving files to fixed drives on the user device. | XA 6, XD 5

    Client network drives | Allows or prevents users from accessing and saving files to client network (remote) drives. | XA 6, XD 5

    Client optical drives | Allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM, and BD-ROM drives on the client device. | XA 6, XD 5

    Client removable drives | Allows or prevents users from accessing or saving files to removable drives on the user device. | XA 6, XD 5

    Host to client redirection | Enables or disables file type associations for URLs and some media content to be opened on the client device. | XA 6

    Preserve client drive letters | Enables or disables preservation of client drive letters. | XD 5

    Read-only client drive access | When enabled, files/folders on mapped client drives can only be accessed in read-only mode. When disabled, files/folders on mapped client drives can be accessed in regular read/write mode. | XA 6.5, XD 5.5

    SecureICA minimum encryption level | Specifies the minimum level at which to encrypt session data sent between the server and a client device. | XA 6

    Use asynchronous writes | Enables or disables asynchronous disk writes. | XA 6, XD 5

    ICA\ Mobile Experience

    Automatic Keyboard Display | Enables or disables the automatic display of the soft keyboard on mobile devices. | XA 6.5 FP1, XD 5.6 FP1

    Launch touch-optimized desktop | Enables or disables the launching of a touch-optimized desktop for mobile clients. | XA 6.5 FP1, XD 5.6 FP1

    Remote the combo box | Enables or disables the remoting of the combo box on mobile devices. | XA 6.5 FP1, XD 5.6 FP1

    ICA\ Multi Stream Connections

    Multi-Stream | Enables or disables the Multi-Stream feature for specified users. | XA 6.5, XD 5.5

    ICA\ Port Redirection

    Auto connect client COM ports | When enabled, COM ports from the client are automatically connected. | XA 6, XD 5

    Auto connect client LPT ports | When enabled, LPT ports from the client are automatically connected. | XA 6, XD 5

    Client COM port redirection | When enabled, COM port redirection to and from the client is allowed. | XA 6, XD 5

    Client LPT port redirection | When enabled, LPT port redirection to the client is allowed. | XA 6, XD 5

    ICA\ Printing

    Client printer redirection | Allows or prevents client printers to be mapped to a server when a user logs on to a session. | XA 6, XD 5

    Default printer | Specifies how the client's default printer is established in an ICA session. | XA 6, XD 5

    Printer auto-creation event log preference | Specifies which events are logged during the printer auto-creation process. You can choose to log no errors or warnings, only errors, or errors and warnings. | XA 6, XD 5

    Wait for printers to be created (desktop) | Allows or prevents a delay in connecting to a session so that desktop printers can be auto-created. | XA 6, XD 5


    ICA\ Printing \ Client Printers

    Auto-create client printers | Specifies which client printers are auto-created. | XA 6, XD 5

    Auto-create generic universal printer | Enables or disables auto-creation of the Citrix UNIVERSAL Printer generic printing object for sessions with a UPD capable client. | XA 6, XD 5

    Client printer names | Selects the naming convention for auto-created client printers. | XA 6, XD 5

    Direct connections to print servers | Enables or disables direct connections from the host to a print server for client printers hosted on an accessible network share. | XA 6, XD 5

    Printer properties retention | Specifies whether and where to store printer properties. | XA 6, XD 5

    Retained and restored client printers | Enables or disables the retention and re-creation of client printers. | XA 6, XD 5

    ICA\ Printing \ Drivers

    Automatic installation of in-box printer drivers | Enables or disables the automatic installation of printer drivers from the Windows in-box driver set or from driver packages which have been staged onto the host using "pnputil.exe /a". | XA 6, XD 5

    Universal driver usage | Specifies when to use universal printing. Universal printing employs generic printer drivers instead of standard model-specific drivers potentially simplifying burden of driver management on host machines. | XA 6, XD 5

    ICA\ Printing \ Universal Printing

    Universal printing EMF processing mode | Controls the method of processing the EMF spool file on the Windows client machine. | XA 6, XD 5

    Universal printing image compression limit | Defines the maximum quality and the minimum compression level available for images printed with the Universal Printer driver. | XA 6, XD 5

    Universal printing optimization defaults | Specifies the default settings for the Universal Printer when it is created for a session. | XA 6, XD 5

    Universal printing preview preference | Specifies whether to use the print preview function for auto-created or generic universal printers. | XA 6, XD 5

    ICA\ Security

    SecureICA minimum encryption level | Specifies the minimum level at which to encrypt session data sent between the server and a client device. | XA 6

    ICA\ Session Limits

    Disconnected session timer | Enables or disables a timer to determine how long a disconnected, locked workstation can remain locked before the session is logged off. | XD 5

    Disconnected session timer interval | Determines how long, in minutes, a disconnected, locked workstation can remain locked before the session is logged off. | XD 5

    Linger Disconnect Timer Interval | Disconnects an existing session the specified number of minutes after the last application exits. | XA 6.5

    Linger Terminate Timer Interval | Terminates an existing session the specified number of minutes after the last application exits. | XA 6.5

    Pre-launch Disconnect Timer Interval | Disconnects an existing Pre-launch session after the specified number of minutes. | XA 6.5

    Pre-launch Terminate Timer Interval | Terminates an existing Pre-launch session after the specified number of minutes. | XA 6.5

    Session connection timer | Enables or disables a timer to determine the maximum duration of an uninterrupted connection between a user device and a workstation. | XD 5

    Session idle timer | Enables or disables a timer to determine how long an uninterrupted user device connection to a workstation will be maintained if there is no input from the user. | XD 5

    Session idle timer interval Determines, in minutes, how long an uninterrupted user device connection to a workstation will

    be maintained if there is no input from the user.

    XD 5

    ICA\ Shadowing

    Input from shadow connections Allows or prevents shadowing users to take control of the keyboard and mouse of the user

    being shadowed during a shadowing session.

    XA 6

    Log shadow attempts Allows or prevents recording of attempted shadowing sessions in the Windows event log. XA 6

    Notify user of pending shadow

    connections

    Allows or prevents shadowed users to receive notification of shadowing requests from other

    users.

    XA 6

    Users who can shadow other users Specifies the users who can shadow other users. XA 6

    ICA\ Time Zone Control

    Estimate local time for legacy clients Enables or disables estimating the local time zone of client devices that send inaccurate time

    zone information to the server.

    XA 6

    Use local time of client Determines the time zone setting of the user session. XA 6, XD 5

    ICA\ TWAIN devices

    Client TWAIN device redirection Allows or prevents users to access TWAIN devices, such as digital cameras or scanners, on the

    client device from published image processing applications.

    XA 6, XD 5.5

    TWAIN compression level Specifies the level of compression of image t ransfers from client to server. XA 6, XD 5.5

    ICA\ USB devices

    Client USB device redirection Enables or disables redirection of USB devices to and from the client (workstation hosts only). XA 6 VM Hosted Apps,

    XD 5

    Client USB device redirection rules Lists redirection rules for USB devices. XA 6 VM Hosted Apps,

    XD 5

    Client USB Plug and Play device

    redirection

    Allows or prevents plug-n-pl ay devices such as cameras or point-of-sale (POS) devices to be

    used in a client session.

    XA 6 Terminal Server

    ICA \ Visual Display

    Max Frames per Second Sets the maximum number of frames per second that the virtual desktop will send to the client. XA 6, XD 5

    ICA \ Visual Display \ Moving Images

    Minimum Image Quality Adaptive Display JPEG Quality Floor. XD 5.5Moving Image Compression Enables Adaptive Display. XA 6.5 (with hotfix

    XA650W2K8R2X64011),

    XD 5.5

    Target Minimum Frame Rate The system will try its best to maintain th is many frames per second when bandwidth is low. XD 5.5

    ICA \ Visual Display \ Still Images

    Extra Color Compression Extra color compression improves responsiveness over low bandwidth connections at the

    expense of image quality.

    XA 6.5, XD 5

    Extra Color Compression Threshold Threshold at which Extra Color Compression is applied. XA 6.5, XD 5

    Lossy compression level Degree of lossy compression used on images. XA 6, XD 5

    Lossy compression threshold value The maximum bandwidth in kilobits per second for a connection to which lossy compression is applied. XA 6, XD 5

    Server Session Settings

    Session importance Specifies the importance level at which a session is run. XA 6

    Single Sign-On Enables or disables the use of Single Sign-On when users connect to servers or published applications in a XenApp farm. XA 6.5, XD 5.5

    ICA\ Virtual Desktop Agent Settings\ ICA Latency Monitoring

    Enable Monitoring Enable or disable ICA Latency monitoring. XD 5.5

    Monitoring Period Period of time, in seconds, during which the moving average for ICA Latency is calculated. XD 5.5

    Threshold Threshold, in milliseconds, that triggers a High Latency condition, displayed in Desktop Studio and Desktop Director. XD 5.5

    ICA\ Virtual Desktop Agent Settings\ Profile Load Time Monitoring

    Enable Monitoring Enable or disable Profile load time monitoring. XD 5.5

    Threshold Threshold, in seconds, that triggers a High Profile Load Time condition, displayed in Desktop Studio and Desktop Director. XD 5.5

    Computer Policy

    Policy Group\ Policy Description Applies to

    ICA

    ICA listener connection timeout Maximum wait time for a connection using the ICA protocol to be completed. XA 6 (VM Hosted Apps), XD 5

    ICA listener port number The TCP/IP port number used by the ICA protocol on the server. XA 6 (VM Hosted Apps), XD 5

    ICA\ Auto Client Reconnect

    Auto client reconnect Allows or prevents automatic reconnection by the same client after a connection has been interrupted. XA 6, XD 5

    Auto client reconnect authentication Requires authentication for automatic client reconnections. XD 5

    Auto client reconnect logging Records or prevents recording auto client reconnections in the event log. XA 6, XD 5

    ICA\ End User Monitoring

    ICA round trip calculation Enables or disables the calculation of ICA round trip measurements. XA 6, XD 5

    ICA round trip calculations for idle connections Determines whether ICA round trip calculations are performed for idle connections. XA 6, XD 5

    ICA\ Graphics

    Display memory limit Specifies the maximum video buffer size in kilobytes for the session. XA 6, XD 5

    Display mode degrade preference Degrades either color depth or resolution first when the session display memory limit is reached. XA 6, XD 5

    Dynamic Windows preview Dynamic Windows preview enables the state of seamless windows to be seen on the various windows previews (Flip, Flip 3D, Taskbar Preview, and Peek). XA 6.5, XD 5.5

    Image caching Caches images to make scrolling smoother. XA 6, XD 5

    Maximum allowed color depth Specifies the maximum color depth allowed for a session. XA 6

    Notify user when display mode is degraded Displays a popup with an explanation to the user when the color depth or resolution is degraded. XA 6, XD 5

    Queuing and tossing Discards queued images that are replaced by another image. XA 6, XD 5

    ICA\Graphics\Caching

    Persistent Cache Threshold Caches bitmaps on the client disk. XA 6, XD 5

    ICA\ Keep Alive

    ICA keep alive timeout Seconds between successive ICA keep-alive messages. XA 6, XD 5

    ICA keep alives Sends or prevents sending ICA keep-alive messages periodically. XA 6, XD 5

    ICA\ Multimedia

    Windows Media Redirection Controls and optimizes the way XenApp servers deliver streaming audio and video to users. XA 6, XD 5

    Windows Media Redirection Buffer Size Specify a buffer size from 1 to 10 seconds for Windows Media Redirection. XA 6, XD 5

    Windows Media Redirection Buffer Size Use If this setting is enabled, the system will use the buffer size specified in the "Windows Media Redirection Buffer Size" setting. XA 6, XD 5

    ICA\ Multi Stream Connections

    Multi-Stream Enables or disables the Multi-Stream feature on the server. By default, Multi-Stream is disabled. This policy need not be enabled when using a branch repeater that supports Multi-Stream. Enable this policy when using 3rd party routers or legacy branch repeaters to achieve the desired QoS. Restart the server for the changes to take effect. XA 6.5, XD 5.5

    ICA\ Session Reliability

    Session reliability connections Allow or prevent session reliability connections. XA 6, XD 5

    ICA\ Virtual Desktop Agent Settings\ CPU Usage Monitoring

    Enable Monitoring Enable or disable CPU usage monitoring. XD 5.5

    Monitoring Period Period of time, in seconds, during which the moving average for CPU usage is calculated. XD 5.5

    Threshold Threshold, as a percentage, that triggers a High CPU condition, displayed in Desktop Studio and Desktop Director. XD 5.5

    ICA\ Shadowing

    Shadowing Allow shadowing of ICA sessions XA 6

    Licensing

    License server host name The name of the server hosting XenApp licenses. XA 6

    License server port The port number of the server hosting XenApp licenses. XA 6

    Profile Management

    Enable Profile Management Turns on Citrix Profile Management UPM 2.0

    Process Groups Active Directory groups that will use Citrix Profile Management UPM 2.0

    Path to User Store Network location of end-user profile store UPM 2.0

    Active Write Back Files and folders (but not registry keys) will be synchronized as they are modified. UPM 3.0

    Process logons of local administrators Process the profile of a user who is a local administrator on a system. UPM 2.0

    Profile Management\ Advanced Settings

    Delete Redirected Folders Folder is deleted from the local profile when the user next logs on. UPM 3.2

    Directory of MFT Cache Files Identifies the location for the MFT Cache file. The MFT cache file should be saved in a persistent, easily accessible location for best performance. UPM 2.0

    Process Internet cookie files on logoff Stale Internet cookie files are removed on user logoff UPM

    Profile Management\ File System

    Exclusion list - directories Identifies what directories to exclude from the user profile. UPM 2.0

    Profile Management\ File System\ Synchronization

    Directories to Synchronize Identifies which directories should be synchronized from the system to the profile on logoff. UPM 2.0

    Files to Synchronize Identifies specific files, which should be synchronized from the system to the profile on logoff. UPM 2.0

    Folders to Mirror Mirroring folders allows Profile management to process a transactional folder and its contents as a single entity, thereby avoiding profile bloat. UPM 3.1

    Profile Management\ Profile handling

    Local profile conflict handling Identifies how UPM handles conflicts between Windows local profiles and Citrix profiles. UPM 2.0

    Migration of existing profiles Determines which types of existing user profiles to migrate. UPM 2.0

    Profile Management\ Profile Streamed user profiles

    Profile Streaming Enables streaming of profiles as files are requested. UPM 3.0

    Acknowledgments

    Citrix Consulting Solutions would like to thank all of the individuals that offered guidance and technical assistance during the course of this project, including the following, who were extremely helpful answering questions, providing technical guidance and reviewing documentation throughout the project:

    Adeel Arshed

    Thomas Berger

    Daniel Feller

    Nicholas Rintalan

    Dimitrios Samorgiannidis

    Product Versions

    Product Version

    XenDesktop 5.0 / 5.5 / 5.6

    XenApp 6.0 / 6.5

    Citrix Profile Manager 3.x / 4.0

    Revision History

    Revision Change Description Updated By Date

    1.0 Initial Document Rich Meesters July 13, 2012

    About Citrix

    Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help

    companies deliver IT as an on-demand service. Founded in 1989, Citrix combines virtualization,

    networking, and cloud computing technologies into a full portfolio of products that enable virtual

    work styles for users and virtual datacenters for IT. More than 230,000 organizations worldwide rely

    on Citrix to help them build simpler and more cost-effective IT environments. Citrix partners with

    over 10,000 companies in more than 100 countries. Annual revenue in 2011 was $2.20 billion.

    © 2012 Citrix Systems, Inc. All rights reserved. Citrix, Access Gateway, Branch Repeater,

    Citrix Repeater, HDX, XenServer, XenApp, XenDesktop and Citrix Delivery Center are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered

    in the United States Patent and Trademark Office and in other countries. All other trademarks and

    registered trademarks are property of their respective owners.