XenDesktop policies explained

Andrzej Golebiowski, Solution Architect
Citrix policies are the most efficient method to configure and tune XenDesktop environments, allowing organizations to control connection, security and bandwidth settings based on various combinations of users, devices or connection types.
 

Citrix Policies Planning Guidelines


When making policy decisions it is important to consider both Microsoft and Citrix policies to ensure that all user experience, security and optimization settings are considered. For more information on specific Windows related policies, please refer to the Microsoft white paper – Group Policy Settings Reference for Windows and Windows Server; for a list of all Citrix-related policies, please refer to the Citrix Policy Reference spreadsheet. Also visit my blog for more useful information about Citrix XenDesktop and XenApp.

Decision: Preferred Policy Engine

With XenDesktop 7 administrators have the option to configure Citrix policies via Citrix Studio or through Active Directory group policy using Citrix ADMX files, which extend group policy and provide advanced filtering mechanisms. Using Active Directory group policy allows organizations to manage both Windows policies and Citrix policies in the same location, and minimizes the administrative tools required for policy management. Group policies are automatically replicated across domain controllers, protecting the information and simplifying policy application.
Recommendation: Citrix administrative consoles should be used if Citrix administrators do not have access to Active Directory policies. In order to avoid confusion with multiple Citrix policy locations one of the above two methods should be selected and used consistently.

Decision: Policy Integration

When configuring policies, organizations often require both Active Directory policies and Citrix policies to create a completely configured environment. With the use of both policy sets, the resultant set of policies can become confusing to determine. In some cases, particularly with respect to Windows Remote Desktop Services (RDS) and Citrix policies, similar functionality can be configured in two different locations. For example, it is possible to enable client drive mapping in a Citrix policy and disable client drive mapping in a RDS policy. The ability to use the desired feature may be dependent upon the combination of RDS and Citrix policy. It is important to understand that Citrix policies build upon functionality available in Remote Desktop Services. If the required feature is explicitly disabled in RDS policy, Citrix policy will not be able to affect a configuration as the underlying functionality has been disabled.
Recommendation: In order to avoid this confusion, it is recommended that RDS policies only be configured where required and there is no corresponding policy in the XenDesktop configuration, or the configuration is specifically needed for RDS use within the organization. Configuring policies at the highest common denominator will simplify the process of understanding resultant set of policies and troubleshooting policy configurations.

Decision: Policy Filtering

Once policies have been created, they need to be applied to groups of users and/or computers based on the required outcome. Policy filtering provides the ability to apply policies against the requisite user or computer groups. With Active Directory based policies, a key decision is whether to apply a policy to computers or users within site, domain or organizational unit (OU) objects. Active Directory policies are broken down into user configuration and computer configuration, where:
user configuration – the settings within the user configuration apply to users who reside within the OU at logon

computer configuration – settings within the computer configuration are applied to the computer at system startup, and will affect all users who logon to the system
Policy association with Active Directory and Citrix deployments presents challenges in three core areas:

Citrix specific computer policies – Citrix servers and virtual desktops often have computer policies that are created and deployed specifically for the XenDesktop environment. Applying these policies is easily accomplished by creating separate OU structures for the servers and the virtual desktops. Specific policies can then be created and confidently applied only to the computers within that OU and below, and to nothing else. Based upon requirements, virtual desktops and servers may be further subdivided within the OU structure based on server roles, geographical locations or business units.

Citrix specific user policies – When creating policies for XenDesktop there are a number of policies specific to user experience and security that are applied based on the user’s connection to the Citrix environment. However, the user’s account could be located anywhere within the Active Directory structure, which makes it difficult to simply apply user configuration based policies. It is not desirable to apply the Citrix specific configurations at the domain level, as the settings would then be applied to every system any user logs on to. Simply applying the user configuration settings at the OU where the Citrix servers or virtual desktops are located will not work either, as the user accounts are not located within that OU. The solution is loopback processing: a computer configuration setting that forces the computer to apply the user configuration settings of the GPOs linked to its own OU to any user who logs onto the server or virtual desktop, regardless of where the user’s account sits within Active Directory. Loopback processing can run in either merge or replace mode. Replace ignores the user’s own GPOs entirely and applies only the user settings of the GPOs linked to the Citrix server or virtual desktop OU. Merge applies the user’s own GPOs first and then the user settings of the GPOs from the Citrix OU; because the Citrix OU settings are processed last, they take precedence in the event of a conflict. For more information, please refer to the Microsoft TechNet article – Understand User Group Policy Loopback Mode.

Active Directory policy filtering – In more advanced cases, there may be a need to apply a policy setting to a small subset of users such as Citrix administrators. In this case, loopback processing will not work, as the policy should only be applied to a subset of users, not all users who logon to the system. Active Directory policy filtering can be used to specify specific users or groups of users to which the policy is applied. A policy can be created for a specific function, and then a policy filter can be set to apply that policy only to a group of users such as Citrix administrators. Policy filtering is accomplished using the security properties of each target policy.
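The loopback and security-filtering steps described above, as an added example that is not part of the original article, scripted with the Microsoft GroupPolicy PowerShell module (installed with RSAT / the Group Policy Management Console). The domain name, OU path, GPO names and the administrators' group name are assumptions for illustration; UserPolicyMode is the registry value behind the "Configure user Group Policy loopback processing mode" setting.

```powershell
# Added example (not from the original article): build the two GPOs the text
# describes with the Microsoft GroupPolicy module.
#   1. a loopback (merge) GPO on the VDA/session-host OU, so its user settings
#      reach anyone who logs on to those machines, wherever their account lives
#   2. an exception GPO on the same OU, security-filtered to one group only
# Domain, OU path, GPO and group names below are assumptions for illustration.
Import-Module GroupPolicy

$Domain     = 'corp.example.com'                               # assumed
$VdaOu      = 'OU=VDA,OU=Citrix,DC=corp,DC=example,DC=com'     # assumed
$AdminGroup = 'Citrix Admins'                                  # assumed AD group

# --- 1. loopback GPO ------------------------------------------------------
$loop = New-GPO -Name 'Citrix VDA - User Loopback' -Domain $Domain

# "Configure user Group Policy loopback processing mode" lives at
# HKLM\Software\Policies\Microsoft\Windows\System, value UserPolicyMode:
# 1 = Merge, 2 = Replace. Merge keeps the user's own GPOs and lets the
# VDA OU's user settings win on conflict, which is what the text recommends.
Set-GPRegistryValue -Name $loop.DisplayName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# A user-configuration setting in the same GPO ("Remove Task Manager", a
# well-known Explorer policy). Thanks to loopback it applies to every user on
# the VDAs even though none of their accounts sit in the VDA OU.
Set-GPRegistryValue -Name $loop.DisplayName -Domain $Domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

New-GPLink -Name $loop.DisplayName -Domain $Domain -Target $VdaOu -LinkEnabled Yes | Out-Null

# --- 2. exception GPO, security-filtered to Citrix administrators ---------
$exc = New-GPO -Name 'Citrix VDA - Admin Exceptions' -Domain $Domain

# Administrators keep Task Manager: same value, opposite data.
Set-GPRegistryValue -Name $exc.DisplayName -Domain $Domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 0 | Out-Null

# Security filtering: only members of the admin group get "Apply Group Policy".
# Authenticated Users is downgraded from Apply to Read rather than removed:
# since MS16-072 the computer account must still be able to read user GPOs,
# otherwise the GPO is silently skipped for everyone.
Set-GPPermission -Name $exc.DisplayName -Domain $Domain `
    -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $exc.DisplayName -Domain $Domain `
    -TargetName $AdminGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link order 1 = highest precedence on this OU, so the exception beats the
# loopback GPO's DisableTaskMgr=1 for the filtered group only.
New-GPLink -Name $exc.DisplayName -Domain $Domain -Target $VdaOu `
    -LinkEnabled Yes -Order 1 | Out-Null
```

Run this from a workstation with GPMC installed and rights to create and link GPOs in the target domain. The Read permission for Authenticated Users is the check most often missed when security filtering is tightened: without it the exception GPO applies to nobody, and the failure shows up only in the RSoP report as a denied GPO.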
Citrix policies created using Citrix Studio have specific filter settings available, which may be used to address policy-filtering situations that cannot be handled using group policy. Citrix policies may be applied using any combination of the following filters:


Decision: Policy Precedence

With the tree-based structure of Active Directory, policies can be created and enforced at any level in the tree. As such, it is important to understand how the aggregation of policies, known as policy precedence, flows, in order to understand how a resultant set of policies is created. With Active Directory and Citrix policies, the precedence is as follows:
 
Processed first/lowest precedence: Local server policies

Processed second: Citrix policies created using the Citrix administrative consoles

Processed third: Site level AD policies

Processed fourth: Domain level AD policies

OU based AD policies

Processed fifth: Highest level OU in domain

Processed sixth and subsequent: Next level OU in domain

Processed last/highest precedence: Lowest level OU containing object
Policies from each level are aggregated into a final policy that is applied to the user or computer. In most enterprise deployments, Citrix administrators do not have rights to change policies outside their specific OUs, which will typically be the highest level of precedence. Where exceptions are required, the application of policy settings from higher up the OU tree can be managed using the “block inheritance” and “no override” settings (the latter is labelled “Enforced” in the Group Policy Management Console). Block inheritance stops settings from higher-level OUs (lower precedence) from being incorporated into the policy. However, if a higher-level GPO link is configured with no override, block inheritance does not stop it, and its settings also win conflicts with GPOs linked lower in the tree. Given this, care must be taken in policy planning, and the available tools, such as the Active Directory “Resultant Set of Policy” tool or the “Citrix Group Policy Modeling” wizard, should be used to validate the observed outcomes against the expected outcomes.
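Inspecting and controlling the precedence described above, as an added example that is not part of the original article, again using the Microsoft GroupPolicy module. The OU path, the GPO name (assumed to already exist and be linked to that OU), the VDA computer name and the user name are assumptions for illustration; the RSoP cmdlet used here is the logging-mode equivalent of the "Resultant Set of Policy" tool the text mentions, not the Citrix Group Policy Modeling wizard.

```powershell
# Added example (not from the original article): show which GPOs actually reach
# a Citrix OU and in what order, apply "block inheritance" and "enforced"
# (GPMC's name for "no override"), then validate with an RSoP report.
# OU path, GPO name, computer and user names are assumptions for illustration.
Import-Module GroupPolicy

$VdaOu = 'OU=VDA,OU=Citrix,DC=corp,DC=example,DC=com'   # assumed
$Gpo   = 'Citrix VDA - User Loopback'                    # assumed existing GPO linked to $VdaOu
$Vda   = 'VDA01'                                         # assumed VDA computer name
$User  = 'CORP\jdoe'                                     # assumed user who has logged on to $Vda

function Show-EffectiveLinks([string]$Target) {
    # InheritedGpoLinks is the effective list for the container, already
    # ordered by precedence: Order 1 is applied last and wins conflicts.
    $inh = Get-GPInheritance -Target $Target
    "{0}: inheritance blocked = {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}

# 1. Current state: domain- and parent-OU GPOs appear below the OU's own links.
Show-EffectiveLinks $VdaOu

# 2. Block inheritance: settings from the domain and parent OUs no longer reach
#    the VDAs unless the link higher up is enforced.
Set-GPInheritance -Target $VdaOu -IsBlocked Yes | Out-Null

# 3. Enforce the Citrix GPO's own link: child OUs can neither block it nor
#    override its settings with their own GPOs.
Set-GPLink -Name $Gpo -Target $VdaOu -Enforced Yes | Out-Null

# 4. Re-read the effective list. Anything still listed from above the OU is an
#    enforced parent link, i.e. exactly the case the text warns about.
Show-EffectiveLinks $VdaOu

# 5. Validate observed vs expected: RSoP logging-mode report for a user session
#    on a VDA (requires permission to query RSoP data on that computer).
$report = Join-Path $env:TEMP "rsop-$Vda.html"
Get-GPResultantSetOfPolicy -ReportType Html -Path $report -Computer $Vda -User $User | Out-Null
"RSoP report written to $report"
```

Compare the "Applied GPOs" and "Denied GPOs" sections of the report with the list from Show-EffectiveLinks; a GPO that is linked but denied for "Inaccessible, Empty or Disabled" or a missing Read permission is the usual reason a planned setting does not appear on the VDA.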

Decision: Baseline Policy

A baseline policy should contain all common elements required to deliver a high-definition experience to the majority of users within the organization. A baseline policy creates the foundation for user access, and any exceptions that may need to be created to address specific access requirements for groups of users. It should be comprehensive to cover as many use cases as possible and should have the lowest priority, for example 99 (a priority number of “1” is the highest priority), in order to create the simplest policy structure possible and avoid difficulties in determining the resultant set of policies. The unfiltered policy set provided by Citrix as the default policy may be used to create the baseline policy as it is applied to all users and connections. In the baseline configuration, Citrix policies should be enabled with default settings in order to clearly identify the policies applied, and to avoid confusion should default settings change over time.
A baseline policy configuration should also include Windows policies. Windows policies reflect user specific settings that optimize the user experience and remove features that are not required or desired in a XenDesktop environment. For example, one feature commonly turned off in these environments is Windows Update. In virtualized environments, particularly where desktops and servers are streamed and non-persistent, Windows Update creates processing and network overhead, and changes made by the update process will not persist across a restart of the virtual desktop or application server. Also, in many cases organizations use Windows Server Update Services (WSUS) to control Windows updates. In these cases, updates are applied to the master disk and made available by the IT department on a scheduled basis.
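The baseline-plus-exception structure described above (an unfiltered baseline at priority 99, and a restrictive security policy at a higher priority filtered to a group), as an added example that is not part of the original article, built in the XenDesktop 7 site database with the Citrix Group Policy PowerShell provider from a machine where Studio is installed. The policy names, the group name, the two setting names (ClientClipboardRedirection, ClientDriveRedirection) and the filter type and value format are assumptions; the script locates each setting by enumerating the provider rather than hard-coding its category path, and the enumeration step should be run first on any version before the rest is trusted.

```powershell
# Added example (not from the original article): create a low-priority
# baseline Citrix policy and a higher-priority, group-filtered security
# exception with the Citrix Group Policy provider (drive-based interface).
# Policy names, group name, setting leaf names and the filter path/value
# format are assumptions; verify them with the enumeration below first.
Add-PSSnapin Citrix.Common.GroupPolicy
New-PSDrive -Name LocalFarmGpo -PSProvider CitrixGroupPolicy -Root \ -Controller localhost | Out-Null

# Discover what the provider exposes before changing anything: the existing
# user policies (including Unfiltered) and every user setting name.
Get-ChildItem LocalFarmGpo:\User
Get-ChildItem LocalFarmGpo:\User\Unfiltered\Settings -Recurse |
    Select-Object -ExpandProperty PSChildName | Sort-Object -Unique

function Find-CtxSetting([string]$Policy, [string]$Leaf) {
    # Resolve a setting's full provider path from its leaf name, so the script
    # does not depend on the category folders under Settings\ICA.
    Get-ChildItem "LocalFarmGpo:\User\$Policy\Settings" -Recurse |
        Where-Object PSChildName -eq $Leaf |
        Select-Object -First 1 -ExpandProperty PSPath
}

# --- baseline: unfiltered, lowest priority ---------------------------------
# Priority 1 is highest; 99 keeps the baseline at the bottom so that any
# exception policy outranks it without renumbering the rest.
$base = 'Baseline - All Users'                          # assumed name
New-Item "LocalFarmGpo:\User\$base" | Out-Null
Set-ItemProperty "LocalFarmGpo:\User\$base" -Name Priority -Value 99
# Set the defaults the baseline relies on explicitly (the text's advice), so a
# change of product defaults in a later release cannot silently alter behaviour.
Set-ItemProperty (Find-CtxSetting $base 'ClientClipboardRedirection') -Name State -Value Allowed
Set-ItemProperty (Find-CtxSetting $base 'ClientDriveRedirection')     -Name State -Value Allowed

# --- security exception: restrictive, filtered, higher priority ------------
$sec = 'Security - Restricted Users'                    # assumed name
New-Item "LocalFarmGpo:\User\$sec" | Out-Null
Set-ItemProperty "LocalFarmGpo:\User\$sec" -Name Priority -Value 1
Set-ItemProperty (Find-CtxSetting $sec 'ClientClipboardRedirection') -Name State -Value Prohibited
Set-ItemProperty (Find-CtxSetting $sec 'ClientDriveRedirection')     -Name State -Value Prohibited
# Scope it to one AD group (filter type name and value format are assumptions).
New-Item "LocalFarmGpo:\User\$sec\Filters\UserOrGroup" -Name 'Restricted Users' `
    -Value 'CORP\Restricted Users' | Out-Null

# Review the resulting order: the lowest Priority number wins on conflict, so a
# restricted user gets Prohibited from the exception, everyone else Allowed.
Get-ChildItem LocalFarmGpo:\User | Select-Object Name, Priority, Enabled | Sort-Object Priority
```

After running it, confirm the outcome with the Citrix Group Policy Modeling wizard in Studio for one user inside the filtered group and one outside it; the two sessions should differ only in the clipboard and drive-mapping settings.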

Citrix Policy templates can be used to configure Citrix policies to effectively manage the end-user experience within an environment and can serve as an initial starting point for a baseline policy. Templates consist of pre-configured settings that optimize performance for specific environments or network conditions. Policy templates are local files that are stored on the machine running Studio and not in the site database. Local files are controlled by Windows administrative permissions rather than Delegated Administration roles and scopes.

You can use templates in the following ways:
As a source for creating other policies

As a tool with which to compare existing policies

As a method for delivering or receiving policy configurations from Citrix Support or trusted third parties
You can perform the following tasks with policy templates:
Create new templates using existing templates or policies

Create new policies using existing templates

Import and export templates
The built-in templates included in XenDesktop are shown below:
High Definition User Experience templates include settings for providing high quality audio, graphics, and video to users.

High Server Scalability templates include settings for providing an optimized user experience while hosting more users on a single server.

Optimized Bandwidth for WAN templates include settings for providing an optimized experience to users with low bandwidth or high latency connections; for example, users working from branch offices over a shared WAN connection.

Security and Control templates include settings for disabling access to peripheral devices, drive mapping, port redirection, and Flash acceleration on user devices.
For more information on Citrix policy templates, please refer to Citrix eDocs – Manage Citrix Policy Templates.
In addition to the above considerations, an organization’s final baseline policy may include settings specifically created to address security requirements, common network conditions, or to manage user device or user profile requirements:
Security policies – Security policies address policy decisions made to enforce corporate security requirements on the XenDesktop environment. Requirements pertaining to data security and access can be controlled by the correct application of security policy. Users can be allowed to read and write to local or removable media, connect USB devices such as storage devices, smart phones, or TWAIN compliant devices, or cut and paste from the local system based on security requirements. Organizations can also enforce encryption and authentication requirements through security related Citrix policies. Architects should consider the most appropriate level of security and add the policy settings to the baseline policy set, and then address security exceptions through additional policy sets.

Connection-based policies – Connection based policy considerations are used to develop a policy solution that creates the best user experience based on the network environment through which end-users access the network infrastructure. Latency and available bandwidth will determine how to best provide access to audio and video over the HDX connection, providing the best quality experience based on the available resources. Image quality and compression, audio quality and video frame rates can be adjusted based on the connection quality to utilize the bandwidth and network performance appropriately. Multi-stream ICA features can be utilized in concert with network Quality of Service (QoS) to provide an optimized experience for multimedia, input and display and printing requirements. As with security policies, architects should consider the appropriate base network configuration and add the settings to the initial baseline configuration. Additional network requirements can be dealt with by creating additional higher-level policies to override baseline configurations.

Device-based policies – Device based policy configuration deals with the management of specific device requirements such as tablets and smart phones within an organization. Citrix has created a set of policies to optimize the experience of tablets and smart phones when connecting to XenDesktop environments, allowing these devices to use location services and to customize the user interface where appropriate. Multimedia specific features, such as Windows media and Flash redirection will automatically drop back from client side redirection to server side rendering of media content if the device does not support it; therefore no specific configuration is required to address these features with tablets, or with other devices such as thin clients that may not support these features. Another consideration for device based policy configuration revolves around the security requirements for bring your own devices (BYOD). These elements, such as the need to allow or prohibit local access to hard drives or removable devices, should be addressed through security policy settings.

Profile-based policies – User profiles play a critical role in determining how successful the user experience is within a virtual desktop or virtual application scenario. User profile management can be a key player in mitigating the risks of lengthy logon times or lost settings, providing a consistent user experience across multiple devices, and providing users with their specific data and settings in a virtualized environment. With Citrix Profile Management, policies control two important aspects of user profiles; folder redirection, handled through AD group policy, and Citrix Profile Management settings through Citrix policy. There is more to configuring Citrix Profile Management than simply turning the features on via Citrix policy. Architects must consider the correct folder redirection configuration for their environment, as well as configuring Citrix policy settings for folder exclusions. Settings for profile streaming and active write back must also be carefully considered based on the size of the profile and whether the operating system is persistent or non-persistent. Profile management policies should be included in the baseline policy if they are to be applied across all users in an organization.