Solved

HDX redirection does not work if local device does not have external internet access - XenApp 6.5

Posted on 2014-04-21
12
1,406 Views
Last Modified: 2014-05-04
More HDX issues..

HDX redirection does not work if the client device does not have external internet access.

All of our client devices do not have external internet access when they are in their respective branch offices. They log into their Xenapp 6.5 Published desktops when they get to work. Their XenApp sessions are configured with the appropriate proxy settings. They access the internet via their published desktop so there is no need for any local internet access.

Showing our notebook users how to change between the Auto Detect option & the Proxy settings when they go home & then come back to work is a pain so we just leave it them as auto detect. This way they can access the internet at home, but not when at work. But since they can launch their published desktops & access the internet that way, it suited our needs perfectly.

The remainder of the client devices are Win 7 embedded thin clients. None are connected to the domain. They are all in a workgroup. All log in automatically with a generic "User" account and launch the citrix receiver so users can launch their published desktops. The local clients browser does not have any internet LAN options set. Since there was no local internet access required on the client devices, this was no issue.

Only way I can make HDX redirection work is to make sure the client device has the proxy settings configured in the local browser. This fixes it for the Notebooks. The Thin clients work also, however each time flash content is about to be loaded, the user is prompted to enter their domain credentials before the content will start.

If I leave the HDX settings blank or select Auto detect on either device, the Flash content will attempt to play, but just show a black screen for it's duration before restarting and playing whilst rendering on the server instead. No events are generated on either the client or server.

The only option I can see to resolve this is to add all thin clients to domain (and use domain logins), configure proxy address for all devices & then show notebook users how to change between auto detect & proxy settings.

The ability to better stream flash content has become a priority in our business as we are utilising a lot more online flash portals which contain many instructional/induction videos that we require by law to show our employees & contractors on a regular basis. Currently server rendering makes these videos painfully slow.


Would be forever grateful if anyone can think of another option for me here. I would prefer not to compromise our outgoing internet access if possible, but also would really like not to have to add all of those thin clients to the domain :)
0
Comment
Question by:Howzatt
  • 5
  • 5
  • 2
12 Comments
 
LVL 23

Expert Comment

by:Ayman Bakr
Comment Utility
Unless you have a valid business case, I believe joining the thin clients to the domain would on the contrary be more secure and more easily manageable. If I were you I would do that.

Since thin clients have limited hardware capabilities, I would keep the policy for them to have flash rendered on the server while redirecting flash content to the clients for the notebooks group. So if you have both of these policies in place you would have a balance of rendering flash on the server vs. on the client.

As for the black screen playing - is the mediastream acceleration enabled or disabled?

For the proxy, I heard of an option where you can provide the client with the setting through a .pac file. This could be set through a GPO. I think the .pac file can work around whether the client is accessing internet from home or work.
0
 

Author Comment

by:Howzatt
Comment Utility
Thanks for that. I will look into adding the thin clients to the Domain.

Re Pac files, tried those in the past. It's very hard to manage with the different browser types in the domain and the different OS versions.

Is there a way to make clients detect the appropriate proxy settings through autodetect?
0
 
LVL 23

Expert Comment

by:Coralon
Comment Utility
My guess is that your proxy settings on the thin clients are causing your machines to have trouble talking to your Citrix servers.  

As a test, try adding your Citrix servers to the connection settings to bypass the proxy.  (Internet Options| Connections | LAN Settings, enable the Proxy settings, Advanced, and then use the Exceptions box.  (You should not need to actually set *anything* in the Proxy settings, other than the exceptions).

If that works, then you can use your device management solution for your thin clients to add that setting to all of them, or you can reimage them, etc.

Be sure you up your RAM disk on your thin clients.  Flash videos are cached in the temp directory (which will probably be on the RAM disk, most TC's have that feature), and if the temp space runs out, the Flash Redirection will have serious issues.  

Coralon
0
 

Author Comment

by:Howzatt
Comment Utility
The citrix server proxy settings seem to be fine. The issue is more to do with the client devices. The Flash content is passed onto them via HDX redirection, so the clients need access to the internet. Which none of them do when they are inside any of our branch offices on the WAN.

I could add the client devices to bypass the firewall which would allow the content to work (as they work fine when running from a separate ADSL connection with no firewall in place), but then it opens up another can of worms as we have relaxed security.

I was hoping there might be a way to make the local device use the proxy settings (& credentials) of the Xenapp session, but it is looking unlikely that it is possible.

At this stage it is looking like the only solution (which maintains all the security requirements), is to add the devices to the domain, use domain logins and look at using DHCP to publish the proxy settings so the devices can all use Auto-detect settings in the local browsers instead of manually adding the proxy address.
0
 
LVL 23

Accepted Solution

by:
Coralon earned 500 total points
Comment Utility
That's exactly what I'm talking about.. setting the proxy settings on the client device.

You need to look at your Content fetching settings.  Your server should do the fetching, and transmit the flash to the client.  The client should not be trying to do it's own content fetching (this is my understanding of what you are trying to accomplish).   Look here - a little more than 1/2 way down http://support.citrix.com/proddocs/topic/xendesktop-als/hd-flash-configure-server-ad.htmlI haven't had to do this, but I believe you will need to add your flash site list to a Citrix policy to get the server to do the fetching.

I don't think you will have to add it to the domain (that brings in a whole slew of issues to address (speaking from practical experience)).  

But, you are correct.. the proxy settings from the XA server have nothing to do with the client settings at all.  

Coralon
0
 
LVL 23

Expert Comment

by:Ayman Bakr
Comment Utility
At the start you can test with a couple of TCs joined to the domain to see if you get introduced to new issues and to compare the tradeoff between having your TCs joined to the domain or not.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:Howzatt
Comment Utility
I have enabled the server side fetching for http://www.youtube.com/* as a test.
I have disabled the proxy settings on the client and launched a session. I then launch IE and open a video on youtube. The movie displays as blank again until the duration has finished (same as problem before).

I launched the HDX monitor whilst performing the test. I can confirm the Policy was applied to the user. It showed that the SSCF was enabled & that http://www.youtube.com/* in the SSCF whitelist.
0
 
LVL 23

Expert Comment

by:Coralon
Comment Utility
1. Did you put youtube in the proxy exceptions?
2. Did you monitor the temp drive of the TC itself?  What we're looking for is to see if the flash file is being loaded to the client.  be sure you pick a *small* flash video, just to make sure that space is an issue.

If the file is not being downloaded to the client, then we obviously have a problem with the server side fetching.  However, if it is being downloaded, then we're looking at a client rendering problem.

Coralon
0
 

Author Comment

by:Howzatt
Comment Utility
The URL was indeed added to the exceptions list.

Where would the file be by default?
0
 
LVL 23

Expert Comment

by:Coralon
Comment Utility
Depends on which version of the client/client OS.  *Generally* it goes into the temp drive which is typically a RAM drive on the client.  

Coralon
0
 

Author Comment

by:Howzatt
Comment Utility
Only seems to be the event logs in the RAM drive. Nothing else of significance.
0
 
LVL 23

Expert Comment

by:Coralon
Comment Utility
And you are sure it is being generated?

One way to check is to change your file type association to a txt file, even if it is only temporary.  

The quickest way is from an elevated command prompt (assuming Windows).  
assoc .ica=txtfile

If you do that, then when you try to connect, it should open up in notepad automatically.

I'd also run procmon.exe on the terminal and check the logs to see if the .ica file shows up.


Coralon
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now