[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1060
  • Last Modified:

Configure Citrix load evaluator to allow only domain admin logon

We dont use load evaluators for anything except server maint., when we apply that load evaluator it takes that particular citrix server out of rotation so that it can be serviced. The problem i am having is that when i have to test a new app i have to put the server back into rotation so i can access it to test, which also makes it available to all other users. During the time i am testing, users log on so i am forced to assign the server maint. load eval and wait for their sessions to dissconnect before i can continue working. I would like to (if possible) build a load eval that will deny access to everyone except those of us in the domain admin group. How would I go about doing that?
0
uwaadmin
Asked:
uwaadmin
  • 5
  • 5
1 Solution
 
Carl WebsterCommented:
See if this Citrix article helps.

http://support.citrix.com/article/CTX119661
0
 
uwaadminAuthor Commented:
This article seems to describe ways to use the server maint. load eval. We already assign that load eval when doing maint. since it denies ALL logons to that particular server while we are working on it. The problem is that is denies us admins access as well (and when i say that, i mean that we cant run through the process like an end user by going to the web interface, logging in and launching apps). I just need to know how to configure a load eval that basically says the exact same thing as our current load eval but with a stipulation that allows domain admins to still launch apps just like the server wasnt in maint mode. Does that make sense?
0
 
Carl WebsterCommented:
I don't have to test this right now but doesn't the drain load evaluator work on ICA connections only?  THerefore you can still RDP to the box because logins are NOT disabled.
0
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

 
uwaadminAuthor Commented:
Yes, i can always RDP to the box when the load eval is assigned. The server maint load eval does indeed block any and all new incoming ICA connections. That is my problem. I want to be able to have a subset of users have the ability to test app launch while the server is in maint mode. Here is a brief description of the problem i am having.

We packaged office 2010 for streaming. It worked on some of my servers and not on others. After some research i realized that i forgot to add the AppHubWhiteList reg key to all the servers. I added it and it needed a reboot. To reboot i assign the "server maint" load eval which blocks all new incoming connections so i can reboot the box after current ICA sessions log off. So i reboot after the reg key change and now the server SHOULD be ready to run office 2010 streaming but of course i need to test. and to test you always want to do it like an end user would, which is by going to the web interface, logging in and launching the desired app. The problem occurs when i take the server out of "server maint" and put the load eval back to "default" which allows me to test the apps BUT it also allows all new incoming users to hit that server for apps as well. So lets say the office 2010 streaming thing still had issues after that and i needed to continue testing, well now 12 users have hit that node since i put it back into rotation so now i have to go in and re-assign the "server maint" load eval and wait what could be hours for those active sessions to disconnect. The much easier route would be to have a group of users that were able to launch apps even while the server is in maint mode. that way i dont have to worry about flipping it back and forth and waiting for new connections to drop off. This may not even be possible since the point of the load eval is to bloack ALL incoming ICA connections but i thought it was worth looking into.
0
 
Carl WebsterCommented:
XenApp 5 or XenApp 6?
0
 
uwaadminAuthor Commented:
5
0
 
Carl WebsterCommented:
If you have PowerShell installed and the XenApp 5 PS stuff, you could script this easily.  WHat you need to do is have a test user security group added to the published app.  Remove the other users and or groups and leave the test group.  WHen testing is done, add the other users and or groups back to the app.  That is all I can come up with.  In your evaluator, Allow the restriction on the other users/groups and deny it on your test group.  But if you use a test group, you don't need the evaluator.
0
 
uwaadminAuthor Commented:
yeah, i was thinking of something along those lines or another less than easy way would be to edit the properties of each app and remove the server i am working on from the server list but that would be a bummer because we have so many apps. I was sort of hoping there was just some tweak i could do within the load eval stuff that comes built in, maybe something i was just missing, but it doesnt appear that way.
0
 
Carl WebsterCommented:
That is why I suggested PowerShell to script this.
0
 
uwaadminAuthor Commented:
yeah, im not much the scripter. That is something i will have to dedicate some time to and i am a bit short on that. Sure seems like it would be a nice feature to have available out of the box though without having to script stuff.

Anyway, thanks for the help.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now