jnordeng
asked on
Session Policies don't seem to be working as Idle Sessions stay connected
Hello. I have set Citrix policies within Citrix Studio in my XenApp 7.15. I am finding the session's are not disconnecting/clearing and are staying connected for over 12 hours, basically until I actually close the session though I have the following set. These are published applications, not published Desktops.
These settings are part of the Unfiltered default policy which is applied all objects in the site.
Is there a better practice for policies in XenApp 7.15 without using AD GPO's? Are there other settings I am not finding that would handle this communication?
I am looking at the following articles for reference,
https://support.citrix.com/article/CTX216719
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/policies-default-settings.html
Any thoughts are appreciated.
ICA keep alive timeout 60 seconds
Image caching Enabled
Server idle timer interval 5400000 milliseconds
Session reliability connections Allowed
Session reliability port 2598
Session reliability 180 seconds
Session connection timer Enabled
Session connection timer interval 90 minutes
Session idle timer Enabled
Session idle timer interval 90 minutes
Image caching Enabled
Server idle timer interval 5400000 milliseconds
Session reliability connections Allowed
Session reliability port 2598
Session reliability 180 seconds
Session connection timer Enabled
Session connection timer interval 90 minutes
Session idle timer Enabled
Session idle timer interval 90 minutes
These settings are part of the Unfiltered default policy which is applied all objects in the site.
Is there a better practice for policies in XenApp 7.15 without using AD GPO's? Are there other settings I am not finding that would handle this communication?
I am looking at the following articles for reference,
https://support.citrix.com/article/CTX216719
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/policies-default-settings.html
Any thoughts are appreciated.
In CTX216719 you did see that "This policies only apply to publish desktops and not publish apps (To XenDesktop and not XenApp)".
ASKER
I did, but there are 2 sets around 'sessions', and in the past this can be set against the session itself/published app or not. So, what is the equivalent now in XenApp 7.15?
ASKER
Arg, no I hadn't was trying to handle things through Citrix Policies rather than GPO's as our domain level is only at 2008 right now, working towards 2012 and wasn't sure if the templates would work with my 2016 XenApp systems.
ASKER
Was nice and tidy in XenApp 6.5 to have everything in one place.... so sprawling I guess.
Welcome to the new world. :)
Just wait until you move to the new and "improved" Citrix Cloud. Sorry, I can't seem to find EE's sarcasm font!
Just wait until you move to the new and "improved" Citrix Cloud. Sorry, I can't seem to find EE's sarcasm font!
ASKER
LOL... Taking some training on the Cloud at the end of the month. We're not there, but will be moving there at some point in the next couple of years.
ASKER
So really are the policies you can set within Citrix Studio useless for my design then? Do I really just have to use GPO's since I"m not using XenDesktop?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hmm.. ok, do you use published apps' or just Desktops? Curious....
I am a consultant. I have customers who do everything. I prefer published apps so users have no access to the desktop.
ASKER
Gotcha - all we're using as well, why I was curious.
So looks like the only policy that would work in Studio would be the Server idle timer interval, everything else is not applicable. So arguing that, that is set, but still doesn't work.
So looks like I'll have to go down the road of GPO's for all Citrix related settings in XenApp 7.15. And thinking out loud the templates would work as they are based on Citrix not the OS.
So looks like the only policy that would work in Studio would be the Server idle timer interval, everything else is not applicable. So arguing that, that is set, but still doesn't work.
So looks like I'll have to go down the road of GPO's for all Citrix related settings in XenApp 7.15. And thinking out loud the templates would work as they are based on Citrix not the OS.
All the policy settings in Studio are available in the Citrix Policies node in a GPO configured from a Delivery Controller. There are also some AD only settings for Citrix. I used to maintain the huge Excel spreadsheet of all the policy settings for XenApp 6.x/XD 5.xx/ and XA/XD 7.xx until Citrix started supplying a CSV file with every release. That Excel file goes through the initial release of 7.15.
https://carlwebster.com/do wnloads/do wnload-inf o/citrix-p olicy-sett ings/
https://carlwebster.com/do
ASKER
Nice, thanks.. I'll be perusing that now. :)
ASKER
Not sure if I'm just having a case of the Monday's on a Friday but where exactly to I obtain the templates themselves?
Thanks
Thanks
The Citrix Templates are built-in.
ASKER
Ok now I'm confused. When we last spoke I was trying to use the templates in Citrix Studio policies and determined that since we are using Published apps and not Desktops, it was ignoring my session settings and sessions weren't picking up the timeout requirements. Your suggestion was to use AD GPO's, so now I'm confused. To use in AD, I need adm templates to add into my Group Policy on the Domain Controller to take affect in AD and apply to the appropriate OU.
Thanks
Thanks
YOu missed something I stated.
All the policy settings in Studio are available in the Citrix Policies node in a GPO configured from a Delivery Controller.
All the policy settings in Studio are available in the Citrix Policies node in a GPO configured from a Delivery Controller.
By the way, that means you have to install the Group Policy Management Console feature on your delivery controller.
ASKER
Ok, I'm running Citrix Studio on my Delivery Controller's. So if I go to the mmc on my Delivery Controller and pull up the Group Policy Object Editor, this is where you're referencing? So yeah, I see the Unfiltered here but not the additional I setup via Studio.
So to clarify, you are saying I should be setting the templates up here in the local GPO settings and not in Studio. So is there a way to export/import or replicate across the Other Delivery Controller's?
So to clarify, you are saying I should be setting the templates up here in the local GPO settings and not in Studio. So is there a way to export/import or replicate across the Other Delivery Controller's?
The Policies you configure in Studio are never seen in GPMC for AD.
The Policies you configure in GPMC are never seen in Studio.
I know of no way to export from Studio and import to AD and vice versa.
You can run my CVAD V2 doc script to document the policy settings you have and then manually enter them into an AD policy.
The Policies you configure in GPMC are never seen in Studio.
I know of no way to export from Studio and import to AD and vice versa.
You can run my CVAD V2 doc script to document the policy settings you have and then manually enter them into an AD policy.
ASKER
Ok, I can do the policies here and set manually. I still have one area of confusion, if these are AD policies, these are only defined at the local server level, not at the domain level. Looking in GP Management on the AD Domain Controller, this doesn't exist. This makes sense to me, the issue is how to ensure that the Delivery Controller's all see the same policies since it's set at the Local Group Policy layer.
DON'T USE GPEDIT.MSC USE GPMC.
ASKER
I do appreciate your help, but feel I'm not understanding causing circular conversation here. If I use GPMC (That is Group Policy management Console) that exists on a Domain Controller. I am not able to get to any Citrix Templates unless I import the .admx.
If I look at the path where I have my build 7.15.5000 installation files and go to Citrix Policy CitrixGroupPolicyManagemen t_x64, and run it, it is already installed.
I can see the templates if I pull up the local Group Policy Editor on my Citrix Delivery Controller which is just a member server in the domain. So that's where I don't get how these are supposed to work in Active Directory or the latter, how this replicates across other Citrix Delivery Controller's in its farm.
Sorry in advance, but I'm missing a piece of the puzzle.
If I look at the path where I have my build 7.15.5000 installation files and go to Citrix Policy CitrixGroupPolicyManagemen
I can see the templates if I pull up the local Group Policy Editor on my Citrix Delivery Controller which is just a member server in the domain. So that's where I don't get how these are supposed to work in Active Directory or the latter, how this replicates across other Citrix Delivery Controller's in its farm.
Sorry in advance, but I'm missing a piece of the puzzle.
That is because there is nothing installed on your domain controller that allows it to read or see any Citrix policies. That is why I stated you have to do your Citrix AD-based policies on a delivery controller with GPMC installed.
If you want your DCs to see/read/write your Citrix policies, install Studio on your DCs. I really hope you don't do that though.
If you want your DCs to see/read/write your Citrix policies, install Studio on your DCs. I really hope you don't do that though.
ASKER
No, I can't put Citrix Studio on our Domain Controller's, not an option. Just trying to get this working with the best effort to keep everything in Citrix land. So it sounds like rather I need to install GPMC (Group Policy Management Console) on my Citrix Delivery Controller. So if I execute this, CitrixGroupPolicyManagemen t_x64 says it's already installed. How do I open on the Delivery Controller appropriately then... this is what I seem to be missing. Thanks.
Install the AD Feature Group Policy Management Console.
From PowerShell:
Install-WindowsFeature GPMC
From PowerShell:
Install-WindowsFeature GPMC
ASKER
Thanks I'll give that a shot and hopefully have everything I need. Appreciate your help.
ASKER
Thanks, I'm in so will convert my Current Citrix Studio Policies to AD policies and remove those. but will tackle this next week. Have a nice weekend and thanks :)
Glad to help.
ASKER
I haven't had a chance to convert my policies to AD policies just yet. But had one more question, once I do, what do I do within Studio to ensure that it's using the AD GPO's and not the Studio GPO's? Do I simply delete all that is there, though the unfiltered won't delete or ? Or is this really meant to be more of a hybrid, some base things set in Studio Policy and the rest in AD GPO?
Thanks in advance.
Thanks in advance.
You can safely DISABLE the Studio policies. Don't delete them yet.
ASKER
ok, thanks, was just thinking how does it know what to do, but that makes sense. Hoping to get to this soon to keep moving forward. Thanks.
ASKER
Hello. Just an update, I have updated the policy via Group Policy management on my Citrix Delivery Controller. I can see the contents at this level. I have confirmed the Citrix XenApp servers are seeing this GPO - however; the timeout settings per published applications and sessions still are not applying. I have attached what I have set currently. Thoughts?
Thanks in advance.
CtxGPO1.pngCtxGPO2.png
Thanks in advance.
CtxGPO1.pngCtxGPO2.png
Do a GPResult /h test.html and see what policies are applying. You may have a conflicting GPO somewhere.
"I have confirmed the Citrix XenApp servers are seeing this GPO - however; the timeout settings per published applications and sessions still are not applying."
Session limits policy settings not applying as expected
This setting enables or disables a timer that specifies the maximum duration of an uninterrupted connection between a user device and a desktop. The key phrase here is: "between a user and a desktop" This settings does not apply to application sessions.
Session limits policy settings not applying as expected
Solution
This policies only apply to publish desktops and not publish apps (To XenDesktop and not XenApp).This setting enables or disables a timer that specifies the maximum duration of an uninterrupted connection between a user device and a desktop. The key phrase here is: "between a user and a desktop" This settings does not apply to application sessions.
ASKER
Understood, but there has to be a way to control the Published App sessions, so how can those be controlled?
I know of no way to control that with published applications. Remember, those are Microsoft controlled settings. Citrix doesn't control them. Behind the scenes of every published application is a desktop running hidden (most people don't know that). Why those settings don't apply is beyond my thinking. I am sure Microsoft has its reasons. There may be a third-party tool that can handle what you need, but I don't know what it is.
ASKER
Interesting but disappointing.... this worked flawlessly in XenApp 6.5. I also can't believe we're the only ones using more of the Published Application side and not just Published Desktops... so there has to be a solution. Appreciate your input.
Welcome to the new and "improved" world of post-Server 2008 R2.