Home  ›  how do you see what policies are being applied to a server

how do you see what policies are being applied to a server

Written By Thursday, April 7, 2022 Add Comment Edit

Navigation

  • Change Log
  • Citrix Policy Settings – GPO Method Overview
  • Citrix Grouping Policy Management Plug-in
  • Computer Settings
  • User Settings
  • Citrix Policy Templates
  • Framehawk Configuration
  • Graphics Settings – Enlightened Data Transport (EDT), Thinwire Plus, H.264, Actively Changing Regions
    • Graphics Tools – RDAnalyzer, GPUPerf
  • Security Settings

💡 = Recently Updated

Change Log

  • 2022 Mar 28 – updated Group Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 2203
  • 2022 Mar 10 – User Settings – added PDF printing for Workspace app for Mac 2203
  • 2022 Mar 10 – updated Group Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU5
  • 2021 Dec 20 – User Settings – added Screen Sharing
  • 2021 Dec 18 – updated Group Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 2112
  • 2021 Nov three – updated Grouping Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU4
  • 2021 Sep 27 – Figurer Settings – added Virtual Aqueduct Let List in CVAD 2109
    • Added note about Adaptive Audio in CVAD 2109
  • 2021 Sep 27 – updated Group Policy Direction Plug-in department for Citrix Virtual Apps and Desktops (CVAD) 2109
  • 2021 Aug 12 – updated Group Policy Management Plug-in section for XenDesktop 7.fifteen.8000
  • 2021 June 17 – updated Group Policy Direction Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 2106
  • 2021 May 5 – User Settings – added note regarding SAP and Citrix Policies (source = https://support.citrix.com/commodity/CTX312474)
  • 2021 Mar 18 – updated Group Policy Management Plug-in department for Citrix Virtual Apps and Desktops (CVAD) 2103
  • 2020 Dec 15 – updated Group Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 2012
  • 2020 Dec 15 – Security Settings – disable Drag and Drib in CVAD 2012
  • 2020 Nov twenty – updated Group Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU2
  • 2020 Jul 1 – updated Grouping Policy Direction Plug-in section for XenDesktop 7.fifteen.6000
  • 2020 Jun 18 – updated Grouping Policy Management Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 2006
  • 2020 May 7 – updated Group Policy Direction Plug-in section for Citrix Virtual Apps and Desktops (CVAD) 1912 LTSR CU1
  • 2020 April 12 – Graphics Settings – added info from EDT MTU Discovery

Citrix Policy Settings – GPO Method

Citrix offers two methods of delivering Citrix Policy settings:

  • Citrix Studio – also known as FMA policies
  • Group Policy Object – the Citrix Group Policy installer (included with Studio) adds a Citrix Policy node to the regular Group Policy Editor.

For this page, Citrix Policy refers to policy settings that are provided past Citrix for VDAs. It does not include settings that are native to Microsoft group policies. See the VDA Group Policies articles for more than information on the recommended Microsoft group policy settings for a Citrix Virtual Apps and Desktops environs.

Citrix Policies can be easily configured in Citrix Studio and stored in the site database. However, they are non portable, meaning that yous tin can't export them from 1 Citrix Virtual Apps and Desktops site/subcontract and import them to another.

GPOs linked to an Agile Directory OU can utilize to VDAs in multiple Citrix Virtual Apps and Desktops sites/farms. If yous use the GPO method, brand certain the GPOs are linked to OUs that incorporate VDAs.

CTP Carl Webster et al compiled a complete list of 409 Citrix Group Policy Settings at Group Policy Settings Reference for Citrix XenApp and XenDesktop.

If y'all ever want to copy the Studio policies to a GPO, run the following PowerShell commands as mentioned at Citrix Discussions:

New-PSDrive -PSProvider CitrixGroupPolicy -Proper name LocalFarmGpo -Root \ -Controller "MyController"  New-PSDrive -PSProvider CitrixGroupPOlicy -Name TargetGPO -Root \ -DomainGpo "MyGPO"  cd LocalFarmGpo:\User  copy * TargetGPO:\User   cd LocalFarmGpo:\Figurer  copy * TargetGPO:\Computer

Citrix Group Policy Management Plug-in

To configure and deliver Citrix Policy Settings using a group policy object, you must install the Citrix Group Policy Management Plug-in on your group policy editing machine:

  1. Login to a machine that has the Group Policy Management Console (GPMC) Windows Feature installed.
  2. Citrix CTX225741 Citrix GPMC Console 3.0.0 crashing in Win 2K12R2 DC when editing polices says that Visual C++ Redistributable for Visual Studio 2015 should exist installed offset.
  3. If this machine doesn't have Citrix Studio installed, then install the Citrix Group Policy component from the \x64\Citrix Policy binder on the Citrix Virtual Apps and Desktops ISO. Brand sure all Group Policy consoles are closed showtime.
  4. Citrix Virtual Apps and Desktops (CVAD) 2203 LTSR comes with Citrix Grouping Policy Management 7.33.0.33.
  5. ClickStop to terminate the wizard.
  6. Citrix releases quarterly updates for this component, then whenever you lot update your Commitment Controllers, also update your Group Policy editing machines (machines with Group Policy Direction Console installed).

Computer Settings

  1. Run Group Policy Direction Panel.
  2. Edit a GPO that applies computer settings to the VDA machines.
  3. In the GPO, expand Figurer Configuration, expand Policies, and click Citrix Policies.
  4. On the right, on the Templates tab, you can create a new policy based on a congenital-in template. Note: Citrix (Daniel Feller XenDesktop 7.vii and Windows 7) has found that the High Server Scalability template can increase user density by xxx%.
  5. On the correct, on the Policies tab, you can either edit the Unfiltered policy, or you tin can create a new policy that is filtered.
  6. Switch to the Settings tab.
  7. Citrix Policies in the Computer Half of the GPO only shows Computer Settings. Afterward, we'll configure Citrix Policies in the User Half of the GPO, which has different settings (User Settings).
  8. Some of the setting detailed in this post require newer versions of Citrix Virtual Apps and Desktops.
  9. As you edit the policy settings, make note of the Applies to field. Some of the Citrix Policy settings do not apply to Virtual Commitment Agent seven.x.
  10. As well notice that some settings apply to Desktop Bone (virtual desktop) or Server OS (Remote Desktop Session Host) but not necessarily both. Read the Applies to section to verify.
  11. Modify the Categories drib-down to ICA.
  12. Curl down and add the setting Virtual channel let listing.
    • In VDA 2109 and newer, the setting Virtual channel allow list is enabled by default, which ways that non-Citrix virtual channels, like Zoom and WebEx, won't work. One choice is to disable this setting. Another pick is to detect the name of the third-party virtual channel and add it to this list as detailed in Citrix Docs. See Citrix Web log Post Virtual channel allow listing at present enabled by default for a list of virtual channels to add.
  13. Modify the Categories drib-down to Auto Client Reconnect.
  14. Click Add together side by side to the setting Auto client reconnect logging.
    • Modify the Value to Log auto-reconnect events, and click OK.
  15. Change the Categories drib-downward to End User Monitoring.
  16. Click Add next to the setting ICA circular trip calculations for idle connections.
    • Change the option to Enabled, and click OK.
  17. Modify the Categories drop-downwards to Local App Access.
  18. Click Add side by side to the setting Allow Local App Access.
    • Alter the selection to Allowed, and click OK. Note: Local App Admission interferes with Bidirectional Content Redirection in Receiver 4.vii and newer. Meet https://www.carlstalhood.com/published-applications/#laa for more info on Local App Access.
  19. Change the Categories drop-downwardly to Printing.
  20. Click Add side by side to the setting Universal Print Server enable. See Citrix Universal Print Server at Citrix Docs for more info.
    • Change the Value to Enabled with fallback to Windows' native remote printing. Click OK.
  21. Alter the Categories drop-down to Virtual Commitment Amanuensis Settings > Monitoring.
  22. Click Add side by side to the settingEnable monitoring of application failures.
    • Yous tin can optionally alter theValue drop-downwardly toBoth application errors and faults. ClickOK.
  23. Click Add adjacent to the settingEnable monitoring of application failures on Desktop Os VDAs.
    • Change the setting to Allowed, and clickOK. See CTX223927 How to apply Director to troubleshoot application launch errors for details.
  24. Click Add side by side to the setting Enable process monitoring.  Annotation: this setting could significantly increase the size of the Monitoring database. Come across Citrix Blog Post Citrix Director: CPU, Memory Usage and Process Information.
    • Change the setting to Allowed, and click OK. This is the last Computer setting.

User Settings

  1. With the GPO method of configuring Citrix Policies, Citrix Policy settings are carve up betwixt Computer and User. The remaining settings are User settings. Edit a GPO that applies to Users.
  2. Expand User Configuration, aggrandize Policies, and click Citrix Policies.
  3. On the right, select the Unfiltered policy, and edit it. Or you can create a new policy that is filtered. Yous can also use theTemplates tab to create a policy based on a template.
  4. In CVAD 2012 and newer, in the Search Box, enter Drag and Drop and click Add Value.
    • Elevate and Drop is enabled by default. Decide if this is acceptable to your security policies.
  5. In CVAD 2012 and newer, in the Search Box, enter WIA and click Add together Value.
    • WIA Redirection is disabled by default. You can enable information technology if you accept applications that use Windows Epitome Conquering.
  6. On the Settings tab, change the Categories drop-down to Audio.
  7. Click Add next to the setting Sound quality.
  8. Change the Categories drop-down to Client Sensors.
  9. Click Add side by side to the Allow applications to utilize the physical location setting.
    • Change the selection to Immune, and click OK.
  10. Modify the Categories drop-downwards to Graphics.
  11. CVAD 2112 and newer allow users to Screen sharing with each other. This setting requires Graphic status indicator to be enabled. 💡
  12. Change the Categories drop-down to Mobile Feel.
  13. Click Add next to the Automatic keyboard display setting.
    • Alter the selection to Allowed, and click OK. Note: this setting might break SAP.
  14. Click Add next to the Remote the combo box setting. Note: this setting might break SAP.
    • Modify the selection to Allowed, and clickOK.
  15. Change the Category drop-downwardly to Multimedia.
  16. Click Add together side by side to the Use GPU for optimizing Windows Media setting.
    • Change the selection to Allowed, and click OK.
  17. Change the Categories drop-down to Press.
  18. Click Add side by side to the setting Auto-create PDF Universal Printer.
  19. Click Add next to the setting Automatic installation of in-box printer drivers.
    • Modify the selection to Disabled, and click OK.
  20. Click Add next to the setting Direct connections to impress servers.
    • Change the choice to Disabled, and click OK.
  21. Click Add side by side to the setting Printer auto-creation event log preference.
    • Modify the Value to Log errors only, and click OK.
  22. Click Add next to the setting Universal impress driver usage.
    • Change the Value to Employ universal printing only.
  23. Workspace app for Mac version 2203 and newer along with VDA 2112 and newer supports PDF printing instead of Postscript press. With PDF, it'due south no longer necessary to install the HP Colour LaserJet 2800 Serial PS driver on the VDA. Citrix Policy setting Universal driver preference must be adjusted to enable PDF printing as college priority than PS (postscript) printing. See Citrix Docs for more than details.
  24. Change the Categories drop-downwardly to Session Limits.
  25. If y'all expect at the Applies to text for these settings, notice that they apply to virtual desktops (Desktop Bone), simply not Remote Desktop Session Hosts (Server Bone). Session timeouts for Remote Desktop Session Hosts tin can be configured in a Microsoft GPO.

  26. Modify the Categories drop-downward to Time Zone Command.
  27. Click Add next to the setting Employ local time of customer.
    • Modify Value to Employ client time zone. Note: yous must also configure the Microsoft GPO Remote Desktop Session Host fourth dimension zone setting.
  28. CVAD 1906 has a new policy for Desktop Bone only that tin can revert to the VDA's original fourth dimension zone when the user disconnects or logs off. Information technology's called Restore Desktop OS time zone on session disconnect or logoff.
  29. Change the Categories drop-downward to USB Devices.
  30. Click Add adjacent to the setting Client USB device redirection.
    • If your security policies permit it and so change the choice to Allowed, and click OK. This is the last generic setting. Come across the adjacent couple sections for more settings.

Also see:

  • Citrix CTX227534 Citrix Printing Quick Start Guide – includes information on printing terms, press configuration policies, and Citrix recommended configurations for common printing scenarios
  • Gareth Carson Everything you wanted to know almost out of the box printing merely were afraid to inquire! at CUGC

Citrix Policy Templates

  1. The Citrix Policies node of a GPO (or Citrix Studio) has a Templates tab. Each of these templates has pre-divers settings that you tin can apply as a basis for new policies. Note: Citrix (Daniel Feller XenDesktop vii.seven and Windows 7) has establish that the High Server Scalability template can increase user density past 30%.
  2. Citrix Docs Group Policy management template updates for XenApp and XenDesktop contains boosted templates that yous tin can download and import.

  3. If you are using a GPO to configure Citrix Policies, exist enlightened that user settings and computer settings are in different parts of the GPO.
  4. If you lot highlight a template, on the bottom of the window is a Settings tab that lets you lot see what'south independent in the template.
  5. To use a template, right-click it, and click New Policy.

Framehawk Configuration

As of Citrix Virtual Apps and Desktops (CVAD) 1811, Framehawk is a deprecated characteristic.

In CVAD 1903 and newer, Framehawk has been completely removed.

  1. Framehawk is disabled by default because information technology uses more bandwidth and more server resource. Citrix recommends only enabling information technology for users on lossy connections with high bandwidth. More details in the Framehawk Virtual Channel Administrator Guide at Citrix Docs. Also see Framehawk virtual channel at Citrix Docs.
  2. To enable Framehawk, you edit a Citrix Policy, either in Studio or in a GPO. In either case, you lot need the updated Group Policy Direction 2.iv Hotfix ii or Group Policy Management 2.5 (aka 7.half dozen.300) or newer (e.thousand. 7.20 included in Citrix Virtual Apps and Desktops 1811) on the automobile where you are editing the policy.

  3. If configuring a GPO, you'll discover the Framehawk settings in User Configuration > Policies > Citrix Policies. Edit i of the Citrix Policies.
  4. Search for Framehawk, add together the Framehawk display channel setting, and Enable information technology.

  5. Framehawk requires the newest Citrix Workspace app / Receiver (4.iii.100 or newer).



  6. To apply Framehawk through NetScaler Gateway you need NetScaler firmware xi.0 build 62 or newer.
  7. Then enable DTLS on the Gateway vServer. This is the same procedure equally enabling DTLS for UDP Audio.
  8. Note: in that location are limitations of Framehawk with NetScaler Gateway. For example, HA, AppFlow, and double-hop are not supported. See NetScaler Gateway back up for Framehawk at Citrix Docs.
  9. Framehawk defaults to ports UDP 3224-3324. Open these ports between the NetScaler SNIP and the VDAs.
    1. Also make certain these ports are open on the VDA'southward Windows Firewall. VDA seven.8 and newer opens these ports automatically. VDA seven.6.300 and VDA 7.7 do not open these ports automatically.

Graphics Settings (EDT, H.264, ThinWire Plus)

Citrix Blog Post What graphics policies do I need, and when? says you lot should not modify whatever Citrix Policy Graphics Settings. The but exception is 3D workloads, which should have theVisual Quality user setting set toBuild to Lossless.

Citrix Weblog Post HDX Graphics Encoder Configuration Overview: a comprehensive overview of all relevant HDX Graphics Encoder settings. This overview should give you a guidance and allow yous to configure an optimal HDX policy set based on your ain needs. A Visio chart with an overview of all relevant configurations and their possible combinations. Furthermore, nigh every setting has a review box. The review boxes contain, where applicable, the policy name, facts & figures, recommendations, and case utilise cases.

In 1811 and newer, Graphics Condition Indicator replaces the Lossless Indicator.

seven.xiii and newer: 7.13 adds a UDP version of HDX/ICA known as Enlightened Information Transport (EDT). EDT improves HDX/ICA operation across WAN links, Internet, etc. In seven.12, EDT was Tech Preview. In Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop seven.13 and  and newer, EDT is officially supported.

EDT (Adaptive Transport) is enabled past default in Citrix Virtual Apps and Desktops (CVAD) and XenApp/XenDesktop vii.xvi and newer, just it is not enabled by default in XenApp/XenDesktop 7.15 LTSR.

EDT has several requirements:

In vii.13 and newer, the Policy SettingUse hardware encoding for video codec now supports Intel Iris Pro Hardware. Install the Intel Graphics Drivers earlier installing the VDA. If VDA is already installed, run C:\Program Files\Citrix\ICAService\GfxDisplayTool.exe -vd enable . Meet Citrix CTX220731 How to Enable Hardware Encoding of H.264 streams using Intel Iris Pro Hardware.

seven.xi and newer:

7.9 and newer:

  • The VDA automatically chooses Thinwire Plus or H.264. The setting: User > Graphics > Apply video codec for compression defaults toUse video codec when preferred, which prefers Thinwire Plus. To force Thinwire Plus, prepare it to Exercise not use video codec. Citrix Blog Post "Use Video Codec for Compression": to Use or Not to Use? explains this setting.

7.6.300 and newer:

  • Thinwire Plus is a new graphics codec. It'due south recommended for devices that can't decode H.264. And Citrix has found that Thinwire Plus uses less bandwidth than H.264.
  • Citrix Blog Post Why Should Yous Care About the New HDX Thinwire describes the new Thinwire Plus codec in XenApp/XenDesktop vii.6.300 and how to use Citrix Policies to configure it.
  • Citrix CTX202687 HDX Graphics Modes – Which Policies Utilize to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.vi FP3

vii.0 – seven.vi:

  • Bram Wolfs A graphical deep dive into XenDesktop 7
  • Citrix Blog Post What'due south new with HDX brandish in XenDesktop & XenApp seven.ten?

Graphics Tools

  • Remote Display Analyzer (RDAnalyzer) lets you see the current Citrix codec and change information technology on the fly.

Security Settings

To improve security, Citrix recommends these additional Citrix Policy settings.

  • User \ ICA \ Customer clipboard redirection = Prohibit
  • User \ ICA \ Desktop launches = Disabled
  • User \ ICA \ Drag and Drop = Disabled (CVAD 2012 and newer)
  • User \ ICA \ Launching of not-published programs = Disabled
  • User \ ICA \ File Redirection \ Allow file transfer between desktop and client = Prohibited (7.6.300 and newer, for HTML5 Client)
  • User \ ICA \ File Redirection \ Auto connect client drives = Disabled
  • User \ ICA \ File Redirection \ Client drive redirection = Prohibited
  • User \ ICA \ File Redirection \ Stock-still drives = Disable
  • User \ ICA \ File Redirection \ Customer network drives = Prohibit
  • User \ ICA \ File Redirection \ Client removable drives = Prohibit
  • User \ ICA \ Printing \ Client printer redirection = Prohibit
  • User \ ICA \ SecureICA \ SecureICA minimum encryption level = RC5 128 bit
  • User \ ICA \ Session Limits \ Disconnected session timer = Enabled
  • User \ ICA \ Session Limits \ Disconnected session timer internal = 30 minutes
  • User \ ICA \ TWAIN devices \ Client TWAIN device redirection = Prohibit
  • User \ ICA \ USB devices \ Client USB device redirection = Disable
  • User \ ICA \ USB devices \ Client USB device redirection rules = Prohibit
  • User \ ICA \ USB devices \ Customer USB Plug and Play device redirection = Prohibit

Citrix's Common Criteria documentation includes boosted recommended Citrix Policy, Group Policy, and other security settings.

XenDesktop 7.17 adds a Session Watermark characteristic.

Find the settings in the user half of a Citrix Policy under theSession Watermark category.

  • For limitations of this characteristic, see Text-based session watermark at Citrix Docs.

Citrix Blog Post Receiver for HTML5 and Chrome File Transfer Explained:

  • How to apply the toolbar to transfer files
  • Citrix Policy settings to enable/disable file transfer
  • VDA registry settings to command file transfer
  • HTML5Client\Configuration.js settings for client-side configuration
  • View HTML5Client log file

Boosted clipboard settings were added in XenApp/XenDesktop 7.6 and newer. To encounter them, set the eye drib-down to All Settings and then search for clipboard. The setting Readonly clipboard does not apply to seven.6 and so skip information technology. Instead, review the three clipboard settings below it. Or you can plow off clipboard birthday by setting Client clipboard redirection to Prohibit.

Under File Redirection is a setting for Read-only client bulldoze access. This allows customer drive mapping but prevents files from existence copied to the client device.

For VDAs in Legacy Graphics Mode, the post-obit ICA/HDX protocol tuning options should be evaluated to optimize bandwidth consumption and virtual desktop resource utilization:

  • User \ ICA \ Desktop UI \ Desktop Wallpaper = Disable
  • User \ ICA \ Desktop UI \ Menu animation = Disable
  • User \ ICA \ Desktop UI \ View window contents while dragging = Disable
  • User \ ICA \ Multi Stream Connections \ Multi-Stream = Enable (and QoS)
  • User \ ICA \ Printing \ Direct connection to print servers = Disable
  • User \ ICA \ TWAIN devices \ TWAIN Compression Level = High
  • User \ ICA \ Visual Display \ Target Frames per Second = 15
  • User \ ICA \ Visual Display \ Moving Images \ Minimum Epitome Quality = Low
  • User \ ICA \ Visual Display \ Still Images \ Extra Colour Compression = Enabled in very low bandwidth scenarios. Please note that the "Actress Color Compression Threshold" should be configured to an appropriate value.
  • User \ ICA \ Visual Display \ Yet Images \ Lossy pinch level = High or "Heavyweight pinch" in case epitome quality loss is not acceptable (more CPU intensive)
  • Enable "Windows Media Redirection"
  • Enable "Flash acceleration" with customer side content fetching
  • Enable "Audio over UDP Real-Fourth dimension Transport". Please note that this configuration requires sound quality to exist gear up to "Medium – optimized for speech"
  • Gear up "Progressive compression level" to "Depression" or any higher value

For more information, please refer to the Citrix Knowledgebase Article CTX131859 – Best Practices and Recommendations for Citrix Receiver 3 and HDX Technology with XenDesktop 5.5.

bushthour1974.blogspot.com

Source: https://www.carlstalhood.com/citrix-policy-settings/

0 Response to "how do you see what policies are being applied to a server"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel