Table of Contents
Overview
Guidelines
  Policy Configuration
  Planning a Baseline Policy
  Security Policies
  Connection based policy configuration
  Device based policy configuration
  User Profile Considerations
Planning
  Citrix User Policy Settings
  Citrix Computer Policy Settings
  Microsoft Windows Policy
  Folder Redirection Policy
Conclusion
Appendix: Policy Quick Reference
Overview
Citrix policies provide the basis to configure and fine-tune your XenDesktop and XenApp
environments, allowing organizations to control connection, security and bandwidth settings based
on various combinations of users, devices or connection types. Correctly defining an initial baseline
policy and assigning additional policies based on security requirements and specific access scenarios
can be important in delivering a high definition user experience.
This planning guide is intended to be a guideline during the decision process for creating a baseline
policy and additional policies based on connection, security, device and profile considerations.
While it creates a baseline policy and recommendations for policy settings, it should not be assumed
to be a complete configuration, or absolutely correct for every customer situation. Architects should
review the recommendations contained in this document against desired outcomes within the
organization to ensure requirements are met.
When making policy decisions it is important to consider both Microsoft Windows and Citrix
policies, as components within both policy configurations have an impact on user experience and
environment optimization. Within this planning guide a base set of Windows policies that can be
used to optimize XenApp and XenDesktop environments is presented. For more details on specific
Windows-related policies, refer to the Group Policy Settings Reference for Windows and Windows
Server, specifically settings related to Windows Server 2008 R2 and Windows 7.
To help architects design a XenDesktop and XenApp solution based on real-world projects,
organizations can refer to the Citrix Desktop Transformation Accelerator for step-by-step
assessment, design and deployment guidance, and the XenDesktop Design Handbook for reference
architectures, planning guides and best practices.
Guidelines
When creating a policy set for XenDesktop or XenApp environments, it is a good practice to define
a baseline policy set which outlines all of the common configuration options for an organization
within a single policy set, and then configure policy exceptions as required to override decisions for
specific needs. The key is to keep the policy configurations simple and well-structured in order to
avoid confusion about the resultant set of policy as configurations grow and become more complex.
When creating a baseline and exception-based policy structure, it is important to consider the
following major areas:
Policy configuration
o Group Policy vs. Citrix Policy engine
o Policy Integration
o Policy Filtering
o Policy Precedence
Baseline policy configuration
Security policies
Connection based policy configuration
Device based policy configuration
User profile considerations
Policy Configuration
Group Policy vs. Citrix Policy Engine
With new versions of XenDesktop and XenApp, organizations have the option to configure
Citrix policies via the Citrix administrative consoles (AppCenter for XenApp or Desktop Studio
for XenDesktop) or through Active Directory group policy using Citrix ADMX files, which
extend group policy and provide advanced filtering mechanisms. Using Active Directory group
policy allows organizations to manage both Windows policies and Citrix policies in the same
location, and minimizes the administrative tools required for policy management. Group policies
are automatically replicated across domain controllers, protecting the information and simplifying
policy application. Citrix administrative consoles should be used if Citrix administrators do not
have access to Active Directory policies, or if filtering mechanisms such as Smart Access are
required. Architects should select one of the above two methods as appropriate for their
organization's needs and use that method consistently to avoid confusion with multiple Citrix
policy locations.
Policy Integration
When configuring policies, organizations will often require both Active Directory policies and
Citrix policies to create a completely configured environment. With the use of both policy sets,
the resultant set of policies can become difficult to determine. In some cases, particularly with
respect to Windows Remote Desktop Services (RDS) and Citrix policies, similar functionality can
be configured in two different locations. For example, it is possible to enable client drive
mapping in Citrix policy and disable client drive mapping in RDS policy. The ability to use the
desired feature may be dependent upon the combination of RDS and Citrix policy. It is
important to understand that Citrix policies build upon functionality available in Remote Desktop
Services. If the required feature is explicitly disabled in RDS policy, Citrix policy will not be able
to affect the configuration, as the underlying functionality has been disabled. In order to avoid this
confusion, it is recommended that RDS policies only be configured where required and there is
no corresponding policy in the XenDesktop or XenApp configuration, or the configuration is
specifically needed for RDS use within the organization. Configuring policies at the highest
common denominator will simplify the process of understanding the resultant set of policies and
troubleshooting policy configurations.
Policy Filtering
Once policies have been created, they need to be applied to groups of users and/or computers
based on the required outcome. Policy filtering provides the ability to apply policies against the
requisite user or computer groups. With Active Directory based policies, a key decision is
whether to apply a policy to computers or users within site, domain or organizational unit (OU)
objects. Active Directory policies are broken down into user configuration and computer
configuration. By default, the settings within the user configuration are applied to users who reside
within the OU at logon, and settings within the computer configuration are applied to the
computer at system startup, and will affect all users who log on to the system. One challenge of
policy association with Active Directory and Citrix deployments revolves around three core areas:
Citrix specific computer policies. Citrix XenApp servers and virtual desktops often have
computer policies that are created and deployed specifically for the XenDesktop or
XenApp environment. Applying these policies is easily accomplished by creating separate
OU structures for the XenApp servers and the virtual desktops. Specific policies can
then be created and confidently applied to only the computers within the OU and below
and nothing else. Based upon requirements, virtual desktops and XenApp servers may be
further subdivided within the OU structure based on server roles, geographical locations
or business units.
Citrix specific user policies. When creating policies for XenDesktop and XenApp there
are a number of policies specific to user experience and security that are applied based on
the user's connection to the Citrix environment. However, the user accounts could be
located anywhere within the Active Directory structure, creating difficulty with simply
applying user configuration based policies. It is not desirable to apply the Citrix specific
configurations at the domain level as the settings would be applied to every system any
user logged on to. Simply applying the user configuration settings at the OU where the
XenApp servers or virtual desktops are located will also not work, as the user accounts
are not located within that OU. The answer is to apply a loopback policy, which is a
computer configuration policy that forces the computer to apply the assigned user
configuration policy of the OU to any user who logs into the server or virtual desktop,
regardless of the user's location within Active Directory. Loopback Processing can be
applied with either Merge or Replace settings. Using Replace overwrites the entire user
GPO with the policy from the XenApp or XenDesktop OU. Merge will combine the
user GPO with the GPO from the XenApp or XenDesktop OU. As the computer
GPOs are processed after the user GPOs when Merge is used, the Citrix related OU
settings will have precedence and be applied in the event of a conflict.
Active Directory policy filtering. In more advanced cases, there may be a need to apply a
policy setting to a small subset of users like Citrix administrators. In this case, Loopback
Processing will not work as the policy is intended to be applied only to the subset of
users, not all users who log in to the system. Active Directory policy filtering can be used
to specify specific users or groups of users to which the policy is applied. A policy can be
created for a specific function, and then a policy filter can be set to apply that policy only
to a group of users such as Citrix administrators. Policy filtering is accomplished using
the Security properties of each target policy.
Citrix policies created using the Citrix administrative consoles in either XenDesktop or XenApp
have specific filter settings available, which may be used to address policy-filtering situations that
cannot be handled using group policy. Filters may be applied using any combination of the
following filters:
| Filter Name | Filter Description | Policy Scope |
|---|---|---|
| Access Control | Applies a policy based on access control conditions through which a client is connecting. For example, users connecting through a Citrix Access Gateway can have specific policies applied. | User policies |
| Branch Repeater | Applies a policy based on whether or not a user session was launched through Citrix Branch Repeater. | User policies |
| Client IP Address | Applies a policy based on the IPv4 or IPv6 address of the user device used to connect the session. Care must be taken with this filter if IPv4 address ranges are used in order to avoid unexpected results. | User policies |
| Client Name | Applies a policy based on the name of the user device used to connect the session. | User policies |
| Desktop Group | Applies a policy based on the desktop group membership of the desktop running the session. | XenDesktop user or machine policies |
| Desktop Type | Applies a policy based on the type of machine running the session. For example, different policies can be set depending upon whether a desktop is pooled, dedicated or streamed. | XenDesktop user or machine policies |
| Organizational Unit | Applies a policy based on the OU of the desktop running the session. | XenDesktop user or machine policies |
| Tag | Applies a policy based on any tags applying to the desktop running the session. Tags are strings that can be added to virtual desktops in XenDesktop environments that can be used to search for or limit access to desktops. | XenDesktop user or machine policies |
| User or Group | Applies a policy based on the Active Directory group membership of the user connecting to the session. | User policies |
| Worker Group | Applies a policy based on the worker group membership of the server hosting the session. | XenApp user or computer policies |
Policy Precedence
With the tree-based structure of Active Directory, policies can be created and enforced at any
level in the tree structure. As such, it is important to understand how the aggregation of policies,
known as policy precedence, flows in order to understand how a resultant set of policies is
created. With Active Directory and Citrix policies, the precedence is as follows:
Processed second: Citrix policies created using the Citrix administrative consoles
OU based AD policies
o Processed fifth: Highest level OU in domain
o Processed sixth and subsequent: Next level OU in domain
o Processed last/highest precedence: Lowest level OU containing object
Policies from each level are aggregated into a final policy that is applied to the user or computer.
In most enterprise deployments, Citrix administrators do not have rights to change policies
outside their specific OUs, which will typically be the highest level for precedence. In cases
where exceptions are required, the application of policy settings from higher up the OU tree can
be managed using Block Inheritance and No Override settings. The Block Inheritance setting
stops the settings from higher-level OUs (lower precedence) from being incorporated into the
policy. However, if a higher-level OU policy is configured with No Override, the Block
Inheritance setting will not be applied. Given this, care must be taken in policy planning, and
available tools such as the Active Directory Resultant Set of Policy tool or the XenDesktop
policy planning feature should be used to validate the observed outcomes with the expected
outcomes.
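The loopback, RDS integration and precedence rules described above can be checked against a small model before a policy structure is rolled out. The following Python model is an added example, not code from Citrix or Microsoft; the OU names, GPO names and setting keys are constructed, and it also encodes the standard Active Directory behaviour that a No Override link wins conflicts with lower-level OUs.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict             # made-up setting key -> configured value
    no_override: bool = False  # link marked No Override (Enforced)


@dataclass
class OU:
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(chain):
    """Resultant set for an object. `chain` lists OUs from the highest level
    down to the OU containing the object. Returns {key: (value, GPO name)}."""
    # Block Inheritance on an OU drops ordinary GPOs linked above that OU.
    cut = max((i for i, ou in enumerate(chain) if ou.block_inheritance), default=0)
    result = {}
    # Ordinary GPOs are processed top-down, so the lowest OU has precedence.
    for ou in chain[cut:]:
        for gpo in ou.gpos:
            if not gpo.no_override:
                result.update({k: (v, gpo.name) for k, v in gpo.settings.items()})
    # No Override GPOs ignore Block Inheritance and win conflicts; applying
    # them bottom-up leaves the highest-level one on top.
    for ou in reversed(chain):
        for gpo in ou.gpos:
            if gpo.no_override:
                result.update({k: (v, gpo.name) for k, v in gpo.settings.items()})
    return result


def session_settings(user_chain, computer_chain, mode):
    """Settings seen in a session when loopback processing is set on the
    XenApp/XenDesktop OU. Simplification: each chain is resolved first."""
    computer_side = resolve(computer_chain)
    if mode == "Replace":      # only the Citrix OU's policy applies
        return computer_side
    if mode == "Merge":        # user's policy first, Citrix OU wins conflicts
        merged = resolve(user_chain)
        merged.update(computer_side)
        return merged
    raise ValueError(f"unknown loopback mode: {mode}")


def carried_in_by_merge(user_chain, computer_chain):
    """Settings from the user's own OU that reach the session only under Merge."""
    merge = session_settings(user_chain, computer_chain, "Merge")
    replace = session_settings(user_chain, computer_chain, "Replace")
    return sorted(k for k in merge if k not in replace)


def rds_conflicts(settings):
    """Features a Citrix policy allows while an RDS policy disables them.
    Citrix builds on RDS, so the feature stays unavailable."""
    found = []
    for key, (value, source) in settings.items():
        if key.startswith("citrix/") and value == "Allow":
            feature = key.split("/", 1)[1]
            rds = settings.get("rds/" + feature)
            if rds and rds[0] == "Disabled":
                found.append((feature, source, rds[1]))
    return sorted(found)


# Constructed sample structure (not taken from a real deployment).
corp = OU("Corp", [
    GPO("Corp-Lockdown", {"rds/client_drive_mapping": "Disabled"}, no_override=True),
    GPO("Corp-Defaults", {"citrix/clipboard": "Prohibit", "screensaver_timeout_min": 15}),
])
citrix = OU("Corp/Citrix", [
    GPO("Citrix-Baseline", {"citrix/client_drive_mapping": "Allow",
                            "citrix/clipboard": "Allow"}),
], block_inheritance=True)
xenapp = OU("Corp/Citrix/XenApp", [GPO("XenApp-HighSec", {"citrix/clipboard": "Prohibit"})])
staff = OU("Corp/Staff", [GPO("Staff-Desktop", {"wallpaper": "corp.bmp",
                                                "citrix/clipboard": "Allow"})])

COMPUTER_CHAIN = [corp, citrix, xenapp]   # XenApp server object
USER_CHAIN = [corp, staff]                # user account object

if __name__ == "__main__":
    rsop = resolve(COMPUTER_CHAIN)
    for key in sorted(rsop):
        print(f"{key:32} {rsop[key][0]!s:10} from {rsop[key][1]}")
    print("Citrix/RDS conflicts:", rds_conflicts(rsop))
    print("Carried in by Merge:", carried_in_by_merge(USER_CHAIN, COMPUTER_CHAIN))
```

In the sample data, Block Inheritance on the Citrix OU removes Corp-Defaults but not the No Override Corp-Lockdown GPO, so client drive mapping stays disabled even though the Citrix baseline allows it.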
considerations for virtual desktops and XenApp servers can be found in the Windows 7 and
Windows 2008 R2 optimization guides in the XenDesktop design handbook.
In addition to the above considerations, an organization's final baseline policy may include settings
specifically created to address security requirements, common network conditions, or to manage
user device or user profile requirements. These areas need to be addressed both in the default
baseline policy configuration, as well as in any additional policy sets created to address exceptions or
additional needs.
Security Policies
Security policies address policy decisions made to enforce corporate security requirements on the
XenDesktop or XenApp environments. Requirements pertaining to data security and access can be
controlled by the correct application of security policy. Users can be allowed to read and write to
local or removable media, connect USB devices such as storage devices, smart phones, or TWAIN-
compliant devices, or cut and paste from the local system based on security requirements.
Organizations can also enforce encryption and authentication requirements through security-related
Citrix policies. While security is a continuum, high and low security policy guidance has been
provided in this whitepaper. Architects should consider the most appropriate level of security and
add the policy settings to the baseline policy set, and then address security exceptions through
additional policy sets.
Planning
The planning section outlines the initial policy configurations recommended by Citrix Consulting for various scenarios, including baseline
configuration, network-related policies, security-related policies, mobile device and profile policy considerations. Each policy configuration
may contain the following policy settings:
Policy Settings
Enabled - Enables the setting. Where applicable, specific settings are detailed.
Disabled - Disables the setting.
Note: Disabling the policy overrides lower-priority policy settings.
Allow - Allows the action controlled by the setting. Where applicable, specific settings are detailed.
Prohibit - Prohibits the action controlled by the setting.
Note: Prohibiting a feature or functionality overrides lower-priority policy settings.
Not Configured - Unless specifically set, un-configured policies use default settings.
Note: The policy settings specified generally apply to XenApp 6.5 and XenDesktop 5.6 with Feature Pack 1 installed. If a previous version
is used, please review the Appendix of this whitepaper for applicability of settings to XenApp 6 and XenDesktop 5 or 5.5.
ICA\Desktop UI
Aero Redirection
Aero Redirection Graphics Quality
Desktop wallpaper
Menu animation
View window contents while dragging
ICA\File Redirection
Auto connect client drives
Client fixed drives
Client floppy drives
Client network drives
Client optical drives
Client removable drives
Host to client redirection
Preserve client drive letters
Read-only client drive access
XA
XD
X
X
X
X
X
X
X
X
X
X
X
X
X
Baseline
Low
Security
High
Security
Allow
Prohibit
Disable
Disable
WAN
Speed
Enabled
Enabled
X
X
X
X
X
X
X
X
Profile
Allow
X
X
X
Allow
Medium
Allow
Prohibit
X
X
X
Tablet
Enabled
Enable Flash Redirection
Enabled
Enabled
30 milliseconds
X
X
X
X
X
LAN
Speed
Enable if
secure
connection
X
X
X
X
X
X
X
X
X
X
X
X
X
Allow
High
Enable
Allow
Allow
Allow
Enable
Prohibit
Disable
Allow
Prohibit
Allow
Prohibit
Prohibit
Disable
Disable
Prohibit
Prohibit
Prohibit
Prohibit
Disable
Disable
Disable
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Disable
Disable
Disable
Disable
X
X
X
X
X
X
X
X
X
X
Allow
Set to clients main printer
X
X
X
X
X
X
X
X
Allowed
X
X
X
X
Disabled
Use Universal Printing only if
requested driver is unavailable
X
X
X
X
X
X
Spool to printer
Best Quality
Standard Quality
Caching of embedded images
Caching of embedded fonts
Use for auto-generated and
generic
ICA\SecureICA
SecureICA minimum encryption level
ICA\Port Redirection
Auto connect client COM ports
Auto connect client LPT ports
Client COM port redirection
Client LPT port redirection
ICA\Printing
Client printer redirection
Default printer
Direct connections to print servers
Printer auto creation log preference
Wait for printers to be created (desktop)
ICA\Printing\Client Printers
Auto-create client printers
Auto-generate generic universal driver
Client printer names
Printer properties retention
Retained and restored client printers
ICA\Printing\Drivers
Automatic installation of in-box printer drivers
Universal driver usage
ICA\Printing\Universal Printing
Universal printing EMF processing mode
Universal printing image compression limit
Universal printing optimization defaults
ICA\Session Limits
Disconnected session timer
Disable
Enable
Enable
Enable
Enable
with QoS
Enable
with QoS
Enable
Disable
Prohibit
Errors
Disabled
Retained in
profile only
Disabled
Enabled
X
X
X
X
X
X
X
X
X
X
X
X
30 Minutes
5 Minutes
10 Minutes
15 Minutes
30 Minutes
Disabled
Disabled
Enabled
2 hours
Allow
Prohibit
Prohibit
Allow
Allow
Defined by security
X
X
Enable
Use Client time zone
X
X
X
X
Allow
X
X
X
X
X
Enable
Allow
Allow
Disabled
Disabled
X
X
X
X
X
X
X
X
X
X
X
Low
High
30
15
Very
High
10
Low
Disabled
8192
kbps
Low
Unlimited
Enabled
8192
kbps
High
Unlimited
Disable
Prohibit
Prohibit
Enabled
10
Enabled
X
X
X
X
X
X
X
X
X
X
Exclude
redirected
folders
X
X
X
X
Exclude
directories
Selected files
Selected
folders
X
X
Configure groups
UNC Path
Enabled
(Persistent
desktops)
Enabled
Enabled
Local or
persistent
location
Enabled
Delete local
profile
None
Enable if large
profile
Normal
Disabled
AppData\Local
AppData\LocalLow
AppData\Roaming\Citrix\PNAgent\AppCache
AppData\Roaming\Citrix\PNAgent\Icon Cache
AppData\Roaming\Citrix\PNAgent\ResourceCache
AppData\Roaming\ICAClient\Cache
AppData\Roaming\Microsoft\Windows\Start Menu
AppData\Roaming\Sun\Java\Deployment\cache
AppData\Roaming\Sun\Java\Deployment\log
AppData\Roaming\Sun\Java\Deployment\tmp
Application Data
Citrix
Contacts
Desktop
Documents
Favorites
Java
Links
Local Settings
Music
My Documents
My Pictures
My Videos
Pictures
UserData
Videos
AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
AppData\Roaming\Macromedia\Flash Player\#SharedObject
AppData\Roaming
Downloads
Saved Games
Searches
Synchronized Directories
AppData\Roaming\Microsoft\Credentials
AppData\Roaming\Microsoft\Crypto
AppData\Roaming\Microsoft\Protect
AppData\Roaming\Microsoft\SystemCertificates
AppData\Local\Microsoft\Credential
Synchronized Files
Example Synchronized Files for Microsoft Outlook and Google Earth
AppData\Local\Microsoft\Office\*.qat
AppData\Local\Microsoft\Office\*.officeUI
AppData\LocalLow\Google\GoogleEarth\*.kml
Mirrored Folders
AppData\Roaming\Microsoft\Windows\Cookies
XA
XD
Baseline
X
X
X
X
120000 ms
1494
Allow
X
X
X
Disabled
X
X
X
X
Enable
Disable
X
X
X
X
X
X
X
X
X
X
X
X
X
32768 KB
Degrade Color Depth First
Enabled
Enabled
32 bit
Disabled
Enabled
3000000 Kbps
X
X
X
X
60 seconds
Enabled
Allowed
Low
Security
High
Security
Not required
Require
LAN
Speed
WAN
Speed
Tablet
Profile
X
X
X
X
10 seconds
Enabled
Prevent
Disabled
Enabled
(QoS)
Allow
X
X
Enabled
(QoS)
Setting
Enable
Enable
Enable scrnsave.scr
Enabled
Enabled
X Minutes (default 15)
Enabled
Enabled
Enabled
Enabled
Enabled
Log Off
Enabled
Enabled
Enabled
Description
Disables all control panel programs
Applies to
XenApp, XenDesktop
XenApp, XenDesktop
XenApp, XenDesktop
XenApp, XenDesktop
Sets the amount of time in minutes that elapse before the screen saver is
activated
Prevents users from changing some desktop configurations such as the size
of the taskbar or the position of open windows on exit.
Removes the Network Locations icon from the desktop.
Prevents users from manually changing the path to their profile folders.
XenApp, XenDesktop
XenApp, XenDesktop
Removes the Taskbar and Start Menu settings from Settings on the Start
Menu.
Prevents user from performing these commands from the Start Menu or the
Windows Security screen.
Prevents users from connecting to the Windows Update website.
XenApp
XenApp
XenApp, XenDesktop
XenApp
XenApp, XenDesktop
Machine Policy
Policy Path
Internet Communication settings\ Turn off Windows
Customer Improvement Program
System\ Group Policy\ User Group Policy loopback
processing mode
System\ Power Management\ Select an active power plan
System\ System Restore\ Turn off System Restore
System\ User Profiles\ Do not check for user ownership of
Roaming Profile folders
Windows Components\ AutoPlay Policies\ Turn off AutoPlay
Windows Components\ Internet Explorer\ Turn off reopen
last browsing session
Windows Components\ Remote Desktop Services\ RD
Setting
Description
Applies to
Enabled
XenApp, XenDesktop
Enabled
Removes the Run command from the Start Menu, Internet Explorer, and
Task Manager
Disables the Windows Registry Editor
Prevents users from running the interactive command prompt cmd.exe
Prevents users from starting Task Manager
Prohibits redirected shell folders Contacts, Documents, Desktop, Favorites,
Music, Pictures, Videos, Start Menu and AppData\Roaming from being
available offline
Excludes the specified directories from the Roaming Profile
XenApp
XenApp, XenDesktop
Prohibits deleted files from being placed in the Recycle Bin. All files are
permanently deleted.
Hides local hard drives from My Computer
XenApp, XenDesktop
XenApp
Description
Turns off the Windows Customer Improvement Program for all users
Applies to
XenApp, XenDesktop
XenApp, XenDesktop
Enabled
Enabled
XenApp
XenApp
XenApp
Enabled
Enabled
Enabled
Enabled
Citrix, Contacts,
Desktop, Downloads,
Favorites, Links,
Documents, Pictures,
Videos, Music, Saved
Games, Searches
Enabled
Enabled
Enabled
Local hard drives
Enabled
Local hard drives
Setting
Enabled
Merge or Replace
High Performance
Enabled
Enabled
XenApp, XenDesktop
XenApp
XenApp
XenApp, XenDesktop
XenApp, XenDesktop
XenApp
XenApp, XenDesktop
XenApp, XenDesktop
XenApp, XenDesktop
Setting
groups
Per User or Per Device
Specified servers
Disabled
Description
Applies to
XenApp
XenApp
XenApp, XenDesktop
Contacts
Desktop
Documents
Downloads
Favorites
Links
Basic
Basic
Basic
Basic
Basic
Basic
Options
Grant User Exclusive Rights: Disabled
Move Contents to new location: Enabled
Apply Policy to Windows 2000, Windows XP, Windows 2003:
Policy Removal Behavior: Leave Contents
Grant User Exclusive Rights: Disabled
Move Contents to new location: Enabled
Apply Policy to Windows 2000, Windows XP, Windows 2003:
Policy Removal Behavior: Leave Contents
Grant User Exclusive Rights: Disabled
Move Contents to new location: Enabled
Apply Policy to Windows 2000, Windows XP, Windows 2003:
Policy Removal Behavior: Leave Contents
Grant User Exclusive Rights: Disabled
Move Contents to new location: Disabled
Apply Policy to Windows 2000, Windows XP, Windows 2003:
Policy Removal Behavior: Leave Contents
Grant User Exclusive Rights: Disabled
Move Contents to new location: Enabled
Apply Policy to Windows 2000, Windows XP, Windows 2003:
Policy Removal Behavior: Leave Contents
Grant User Exclusive Rights: Disabled
Move Contents to new location: Enabled
Apply Policy to Windows 2000, Windows XP, Windows 2003:
Policy Removal Behavior: Leave Contents
Grant User Exclusive Rights: Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Music
Pictures
Saved Games
Searches
Basic
Start Menu
Basic
Videos
Options
Move Contents to new location: Enabled
Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled
Policy Removal Behavior: Leave Contents
Conclusion
Creating policies for XenDesktop and XenApp configurations involves a combination of Citrix and
Microsoft Active Directory group policy settings. Correctly configuring a baseline policy
configuration and keeping policy exceptions to a minimum allows organizations to create an
environment that meets user experience and security requirements, while providing a policy
structure that is easy to review and diagnose. This planning guide has provided a suggested set of
policies as a starting point for a XenDesktop or XenApp configuration. It can be used as a basis for
architects to customize an initial policy configuration for an organization.
Applies to
XA 6, XD 5
XA 6 RDS only
XA 6
XA 6, XD 5
XA 6.5, XD 5.5
XA 6.5, XD 5.5
XA 6, XD 5
XA 6.5, XD 5.5
XA 6, XD 5
XA 6
XD 5.5
XA 6
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6.5 FP1
XD 5.5
Description
Determine the quality of graphics for Aero Redirection.
Enables or disables the desktop wallpaper in user sessions.
Allows or prevents menu animation.
Controls the display of window content when dragging a window across the screen.
Applies to
XD 5.5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
Allows or prevents automatic connection of client drives when users log on.
Enables or disables file (drive) redirection to and from the client.
Allows or prevents users from accessing or saving files to floppy drives on the client device.
Allows or prevents users from accessing or saving files to fixed drives on the user device.
Allows or prevents users from accessing and saving files to client network (remote) drives.
Allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM, and BD-ROM drives on the client device.
Allows or prevents users from accessing or saving files to removable drives on the user device.
Enables or disables file type associations for URLs and some media content to be opened on
the client device.
Enables or disables preservation of client drive letters.
When enabled, files/folders on mapped client drives can only be accessed in read-only mode.
When disabled, files/folders on mapped client drives can be accessed in regular read/write
mode.
Specifies the minimum level at which to encrypt session data sent between the server and a
client device.
Enables or disables asynchronous disk writes.
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
Enables or disables the automatic display of the soft keyboard on mobile devices.
Enables or disables the launching of a touch-optimized desktop for mobile clients.
Enables or disables the remoting of the combo box on mobile devices.
XA 6.5, XD 5.5
When enabled, COM ports from the client are automatically connected.
When enabled, LPT ports from the client are automatically connected.
When enabled, COM port redirection to and from the client is allowed.
When enabled, LPT port redirection to the client is allowed.
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
Allows or prevents client printers to be mapped to a server when a user logs on to a session.
Specifies how the client's default printer is established in an ICA session.
XA 6, XD 5
XA 6, XD 5
Specifies which events are logged during the printer auto-creation process. You can choose to
log no errors or warnings, only errors, or errors and warnings.
Allows or prevents a delay in connecting to a session so that desktop printers can be auto-created.
XA 6, XD 5
XA 6, XD 5
XA 6
XD 5
XA 6.5, XD 5.5
XA 6
XA 6, XD 5
XA 6, XD 5
Description
Applies to
XA 6, XD 5
XA 6, XD 5
Enables or disables auto-creation of the Citrix UNIVERSAL Printer generic printing object for
sessions with a UPD capable client.
Selects the naming convention for auto-created client printers.
Enables or disables direct connections from the host to a print server for client printers hosted
on an accessible network share.
Specifies whether and where to store printer properties.
XA 6, XD 5
Enables or disables the automatic installation of printer drivers from the Windows in-box driver
set or from driver packages which have been staged onto the host using "pnputil.exe /a".
Specifies when to use universal printing. Universal printing employs generic printer drivers
instead of standard model-specific drivers, potentially simplifying the burden of driver management
on host machines.
XA 6, XD 5
Controls the method of processing the EMF spool file on the Windows client machine.
Defines the maximum quality and the minimum compression level available for images printed
with the Universal Printer driver.
Specifies the default settings for the Universal Printer when it is created for a session.
Specifies whether to use the print preview function for auto-created or generic universal
printers.
XA 6, XD 5
XA 6, XD 5
Specifies the minimum level at which to encrypt session data sent between the server and a
client device.
XA 6
Enables or disables a timer to determine how long a disconnected, locked workstation can
remain locked before the session is logged off.
XD 5
Determines how long, in minutes, a disconnected, locked workstation can remain locked before
the session is logged off.
Disconnects an existing session the specified number of minutes after the last application exits.
Terminates an existing session the specified number of minutes after the last application exits.
Disconnects an existing Pre-launch session after the specified number of minutes.
Terminates an existing Pre-launch session after the specified number of minutes.
Enables or disables a timer to determine the maximum duration of an uninterrupted connection
between a user device and a workstation.
Enables or disables a timer to determine how long an uninterrupted user device connection to a
workstation will be maintained if there is no input from the user.
XD 5
ICA\ Security
SecureICA minimum encryption level
ICA\ Session Limits
Disconnected session timer
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
XA 6.5
XA 6.5
XA 6.5
XA 6.5
XD 5
XD 5
Determines, in minutes, how long an uninterrupted user device connection to a workstation will
be maintained if there is no input from the user.
Applies to
Allows or prevents shadowing users to take control of the keyboard and mouse of the user
being shadowed during a shadowing session.
Allows or prevents recording of attempted shadowing sessions in the Windows event log.
Allows or prevents shadowed users to receive notification of shadowing requests from other
users.
Specifies the users who can shadow other users.
XA 6
Enables or disables estimating the local time zone of client devices that send inaccurate time
zone information to the server.
Determines the time zone setting of the user session.
XA 6
Allows or prevents users to access TWAIN devices, such as digital cameras or scanners, on the
client device from published image processing applications.
Specifies the level of compression of image transfers from client to server.
XA 6, XD 5.5
Enables or disables redirection of USB devices to and from the client (workstation hosts only).
XA 6 VM Hosted Apps,
XD 5
XA 6 VM Hosted Apps,
XD 5
XA 6 Terminal Server
The system will try its best to maintain this many frames per second when bandwidth is low.
XD 5
XA 6
XA 6
XA 6
XA 6, XD 5
XA 6, XD 5.5
Sets the maximum number of frames per second that the virtual desktop will send to the client.
XA 6, XD 5
XD 5.5
XA 6.5 (with hotfix
XA650W2K8R2X64011),
XD 5.5
XD 5.5
Extra color compression improves responsiveness over low bandwidth connections at the
expense of image quality.
Threshold at which Extra Color Compression is applied.
Degree of lossy compression used on images.
The maximum bandwidth in kilobits per second for a connection to which lossy compression is
applied.
XA 6.5, XD 5
XA 6.5, XD 5
XA 6, XD 5
XA 6, XD 5
Specifies the importance level at which a session is run.
Enables or disables the use of Single Sign-On when users connect to servers or published
applications in a XenApp farm.
ICA\ Virtual Desktop Agent Settings\ ICA Latency Monitoring
Enable Monitoring
Enable or disable ICA Latency monitoring.
Monitoring Period
Period of time, in seconds, during which the moving average for ICA Latency is calculated.
Threshold
Threshold, in milliseconds, that triggers a High Latency condition, displayed in Desktop Studio
and Desktop Director.
ICA\ Virtual Desktop Agent Settings\ Profile Load Time Monitoring
Enable Monitoring
Enable or disable Profile load time monitoring.
Threshold
Threshold, in seconds, that triggers a High Profile Load Time condition, displayed in Desktop
Studio and Desktop Director.
Computer Policy
Policy Group\ Policy
ICA
Applies to
XA 6
XA 6.5, XD 5.5
XD 5.5
XD 5.5
XD 5.5
XD 5.5
XD 5.5
Description
Applies to
Maximum wait time for a connection using the ICA protocol to be completed.
The TCP/IP port number used by the ICA protocol on the server.
Allows or prevents automatic reconnection by the same client after a connection has been
interrupted.
Requires authentication for automatic client reconnections.
Records or prevents recording auto client reconnections in the event log.
XA 6, XD 5
XA 6, XD 5
Determines whether ICA round trip calculations are performed for idle connections.
XA 6, XD 5
Specifies the maximum video buffer size in kilobytes for the session.
Degrades either color depth or resolution first when the session display memory limit is
reached.
Dynamic Windows preview enables the state of seamless windows to be seen on the various
windows previews (Flip, Flip 3D, Taskbar Preview, and Peek).
Cache image to make scrolling smoother
Specifies the maximum color depth allowed for a session.
Displays a popup with an explanation to the user when the color depth or resolution is degraded.
XA 6, XD 5
XA 6, XD 5
XD 5
XA 6, XD 5
XA 6.5, XD 5.5
XA 6, XD 5
XA 6
XA 6, XD 5
Discards queued images that are replaced by another image.
Applies to
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
Controls and optimizes the way XenApp servers deliver streaming audio and video to users.
Specify a buffer size from 1 to 10 seconds for Windows Media Redirection.
If this setting is enabled, the system will use the buffer size specified in the "Windows Media
Redirection Buffer Size" setting.
XA 6, XD 5
XA 6, XD 5
XA 6, XD 5
Enables or disables the Multi-Stream feature on the server. By default, Multi-Stream is disabled.
This policy need not be enabled when using a Branch Repeater that supports Multi-Stream.
Enable this policy when using third-party routers or legacy Branch Repeaters to achieve the
desired QoS. Restart the server for the changes to take effect.
XA 6.5, XD 5.5
XA 6, XD 5
XA 6, XD 5
XD 5.5
XD 5.5
XD 5.5
XA 6
XA 6
XA 6
UPM 2.0
UPM 2.0
UPM 2.0
UPM 3.0
UPM 2.0
UPM 3.2
UPM 2.0
UPM
Applies to
UPM 2.0
UPM 2.0
UPM 2.0
UPM 3.1
UPM 2.0
UPM 2.0
UPM 3.0
Acknowledgments
Citrix Consulting Solutions would like to thank all of the individuals who offered guidance and
technical assistance during the course of this project, including the following, who were
extremely helpful in answering questions, providing technical guidance and reviewing
documentation throughout the project:
Adeel Arshed
Nicholas Rintalan
Thomas Berger
Dimitrios Samorgiannidis
Daniel Feller
Product Versions
Product                  Version
XenDesktop               5.0 / 5.5 / 5.6
XenApp                   6.0 / 6.5
Citrix Profile Manager   3.x / 4.0
Revision History
Revision   Change Description   Updated By      Date
1.0        Initial Document     Rich Meesters   July 13, 2012
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help
companies deliver IT as an on-demand service. Founded in 1989, Citrix combines virtualization,
networking, and cloud computing technologies into a full portfolio of products that enable virtual
work styles for users and virtual datacenters for IT. More than 230,000 organizations worldwide rely
on Citrix to help them build simpler and more cost-effective IT environments. Citrix partners with
over 10,000 companies in more than 100 countries. Annual revenue in 2011 was $2.20 billion.
©2012 Citrix Systems, Inc. All rights reserved. Citrix, Access Gateway, Branch Repeater,
Citrix Repeater, HDX, XenServer, XenApp, XenDesktop and Citrix Delivery Center
are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered
in the United States Patent and Trademark Office and in other countries. All other trademarks and
registered trademarks are property of their respective owners.