Citrix Virtual Apps and Desktops data source

The Virtual Apps and Desktops data source represents the Citrix Virtual Apps and Desktops deployments in your organization.

Citrix Virtual Apps and Desktops is available in two offerings: service and on-premises. Citrix Analytics supports both offerings and receives user events from the data source. This article walks you through the prerequisites and the procedures to enable Analytics on both the offerings- service and on-premises.

Citrix Analytics for Security receives user events from the following components of Virtual Apps and Desktops:

• Citrix Workspace app installed on the user devices

• Citrix Director for on-premises deployment

• Session recording servers

The user events are received in real time in Citrix Analytics for Security when users use Citrix Virtual Apps and Desktops.

Supported client versions

Citrix Analytics receives user events when a supported client version is used on the user endpoints. If users are using any unsupported client versions, they must upgrade their clients to one of the following versions:

• Citrix Workspace app for Windows 1907 or later

• Citrix Workspace app for Mac 1910.2 or later

• Citrix Workspace app for HTML5 2007 or later

• Citrix Workspace app for Chrome-Latest version available in Chrome Web Store

• Citrix Workspace app for Android-Latest version available in Google Play

• Citrix Workspace app for iOS-Latest version available in Apple App Store

• Citrix Workspace app for Linux 2006 or later

Enable Analytics on Virtual Apps and Desktops service

Prerequisites

• Subscribe to the Citrix Virtual Apps and Desktops service offered on Citrix Cloud. Citrix Virtual Apps and Desktops Essentials is not supported on Citrix Analytics. To learn how to get started with the Citrix Virtual Apps and Desktops service, see Install and configure.

• Review the System Requirements section and ensure that you met the requirements.

View the data source and turn on data processing

Citrix Analytics automatically discovers the Virtual Apps and Desktops service (data source) associated with your Citrix Cloud account.

To view the data source:

From the top bar, click Settings > Data Sources > Security.

The Virtual Apps and Desktops- Workspace app site card appears on the Data Sources page. Click Turn On Data Processing to allow Citrix Analytics to begin processing data for this data source.

View cloud site, users, and received events

The site card displays the number of Virtual Apps and Desktops users, the discovered cloud site, and the received events for the last one hour, which is the default time selection. You can also select 1 week (1 W) and view the data.

Click the number of received events to view the events on the self-service search page.

After you have enabled data processing, the site card might display the No data received status. This status appears for two reasons:

1. If you have turned on data processing for the first time, the events take some time to reach the event hub in Citrix Analytics. When Citrix Analytics receives the events, the status changes to Data processing on. If the status does not change after some time, refresh the Data Sources page.

2. Analytics has not received any events from the data source in the last one hour.

   

Enable Analytics on Virtual Apps and Desktops on-premises

Citrix Analytics receives user events from on-premises sites added to Workspace and sites accessed through StoreFront deployments.

If your organization is using on-premises sites, you must use one of the following methods to onboard your sites so that Analytics discovers the sites:

• Onboard your sites using Workspace

• Onboard your sites using StoreFront

Prerequisites

• You must have a license to use the Citrix Virtual Apps and Desktops on-premises solution. To learn how to get started with Virtual Apps and Desktops on-premises, see Install and configure.

• Review the System Requirements section and ensure that you met the requirements.

• Your Delivery Controller version must be 7.16 or later

• Your Director version must be 7.16 or later

• Subscription to Citrix Workspace. If you want to add your sites to Citrix Workspace, you must require a Workspace subscription. Citrix Workspace is included with new subscriptions of Virtual Apps and Desktops after December 2017, as either a trial or as a purchased service.

  Citrix Virtual Apps and Desktops Essentials is not supported on Citrix Analytics.

  To purchase a Citrix Workspace subscription, visit https://www.citrix.com/products/citrix-workspace/get-started.html and contact a Citrix Workspace expert who can help you.

• Sites added to Workspace. Citrix Analytics automatically discovers the sites added to Citrix Workspace. Add your sites to Citrix Workspace before proceeding with onboarding on Citrix Analytics. This process is known as Site aggregation.

  Site aggregation requires you to install Cloud Connector, configure NetScaler Gateway STA servers for internal and external connectivity to Workspace resources, and then add the sites to Workspace. For detailed instructions on Site aggregation, see Aggregate on-premises virtual apps and desktops in workspaces.

• StoreFront version. If you are using a StoreFront deployment for your sites, ensure that the StoreFront version is 1906 or later.

• Site credentials for Citrix Analytics. While configuring your Site for the Actions feature of Citrix Analytics, you have to provide the Citrix administrator credentials for your on-premises Site. These credentials must have the following permissions:

  1. Citrix administrator role: Full Administrator

  2. Active Directory: Domain Users

• Server URL for Citrix Director. Using this information, Citrix Analytics accesses the real-time data available to provide in-depth analysis of user behavior in your Site.

• Delivery Controller. During the process of configuring your Site for advanced Citrix Analytics features such as policies and actions, you have to install a policy agent on a Delivery Controller in your on-premises Site. This agent enables your Site to communicate with Citrix Analytics on port 443 (HTTPS).

  Ensure that the Delivery Controller hosting the agent meets the following requirements:

  • Supports PowerShell 3.0 or later.

  • Outbound connections on TCP port 443 (HTTPS) are allowed.

Onboard Virtual Apps and Desktops sites using Workspace

Sites already added to Citrix Workspace

Citrix Analytics automatically discovers the sites that are already added to Citrix Workspace and displays them on the data source site card.

To view the data source:

From the top bar, click Settings > Data Sources > Security.

The Virtual Apps and Desktops site card displays the number of sites added to Workspace and the users connected to these sites. Click the site count to view the discovered sites. Click the user count to view the discovered users on the Users page.

Sites not added to Citrix Workspace

If you have not already added your on-premises sites to Workspace, Analytics cannot discover your sites. The site card displays 0 discovered sites.

To add a Site to Workspace:

1. Click + on the site card.

   

2. On the Workspace Configuration page, click +Add Site.

   

3. Follow the on-screen instructions to add a Site. For more information, see Aggregate on-premises virtual apps and desktops in workspaces.

4. After adding the Site, log back to Citrix Analytics and refresh the Data Sources page to view the recently added Site on the site card.

Turn on data processing and view received events

To allow Analytics to begin processing data for the discovered sites, click Turn On Data Processing on the Site card and follow the prompts on the screen.

If you have multiple sites added to the same Workspace, Analytics processes and stores data for all the sites in the Workspace. You get a success message when Analytics is successfully enabled on all your sites.

The site card displays the received events for the last one hour, which is the default time selection. You can also select 1 week (1 W) and view the data. Click the number of received events to view the events on the corresponding self-service search page.

After you have enabled data processing, the site card might display the No data received status. This status appears for two reasons:

1. If you have turned on data processing for the first time, the events take some time to reach the event hub in Citrix Analytics. When Citrix Analytics receives the events, the status changes to Data processing on. If the status does not change after some time, refresh the Data Sources page.

2. Analytics has not received any events from the data source in the last one hour.

   

Configure a policy agent on your Site

The Site card displays the Policy configuration incomplete message when a policy agent is not installed on your discovered Site. The policy agent enables you to apply the policies and actions on the user events received from your Site.

Note

The policy agent is required only for configuring policies and has no role in data transmission from your Site. After the Site is onboarded, Citrix Analytics receives data regardless of whether the policy agent is installed or not.

Connectivity requirements:

• If you are using a proxy server in your Citrix environment, ensure that the following connectivity requirements are met:

  • The proxy server must use the basic authentication method.

  • The proxy server must forward the HTTPS or HTTP request from the policy agent without any change.

  • The https://manage-disc.citrix.com address must be accessible. You must not get any proxy error while accessing the address.

    Note

    However you might get the page not secure or the connection not private warning message while accessing the address through a web browser. You can proceed with the warning to view the page. The page does not contain any information to display. The policy agent uses this address to connect to the application server on the Citrix environment.

  • The policy agent uses the proxy configuration details defined for the machine on which the policy agent is installed. Ensure that the proxy configuration details are the same for the web browser and the machine.

• If the machine on which you are installing a policy agent is behind a firewall, add the following addresses in your firewall exception list. These addresses are required to establish a connection between the policy agent on your machine and the application server on the Citrix environment:

  • https://smart.cloud.com

  • https://rttf.citrix.com

  • https://citrixworkspacesapi.net

  • https://ctxsym.citrix.com

  • https://manage-disc.citrix.com

  • 13.82.89.73

  • 40.87.65.119

  • 52.168.86.226

  • 13.92.86.28

To install and configure a policy agent:

1. Click either Sites or Policy configuration incomplete on the site card to view to the Discovered Sites page to install the policy agent.

   

2. Click the Site that displays the Policy configuration incomplete message.

   

3. Click Continue. The Install and Configure Analytics Policy Agent wizard appears.

   

4. Click Download Agent and save the policy agent package. Install the policy agent on one of the Delivery Controllers in your Site. For high availability and reliability, Citrix recommends that you install multiple policy agents on each Site.

   Note

   Ensure that your browser settings are configured to not block pop-up windows, else the policy agent might not download to your system.

   

5. After the installation finishes, click Connect to Installed Agent. The agent registers your Site with Citrix Analytics. This process might take a few minutes.

6. Enter the user name and password for your Site administrator account and then click Next. Citrix Analytics verifies your entries.

   

7. Enter your Site’s Director URL and click Next.

   

8. Review the configuration summary, verify that your Site is available for Citrix Analytics, and the policy agent is online. Click Done to close the wizard.

   

The Citrix Virtual Apps and Desktops Site setup is completed successfully.

Add a Site

If you want to add another on-premises Site to Workspace, you can add it from Analytics:

1. On the site card, click the number of sites to view the Discovered Sites page.

   

2. On the Discovered Sites page, click + Add more Virtual Apps and Desktops Sites to Workspace.

   

3. On the Workspace Configuration page, click +Add Site.

   

4. Follow the on-screen instructions to add a Site. For more information, see Aggregate on-premises virtual apps and desktops in workspaces.

5. After adding the Site, go to Citrix Analytics and refresh the Data Sources page to view the recently added Site on the site card.

Onboard Virtual Apps and Desktops sites using StoreFront

If your organization uses an on-premises StoreFront deployment, you must configure your StoreFront servers to enable Citrix Workspace app to send user events to Analytics. The user events are processed by Analytics to provide actionable insights into user behaviors. For more information on how to configure a StoreFront deployment, see the Citrix Analytics service article in the StoreFront documentation.

If you do not configure your StoreFront server, Analytics does not receive any user events. As a result, you cannot turn on data processing. You see the following message when StoreFront is not configured. For details about how to configure the StoreFront server, see the Connect to a StoreFront deployment section.

Prerequisites

Before you begin, ensure the following:

• Your StoreFront version must be 1906 or later.

• The StoreFront deployment must be able to connect to the following addresses:

  • https://*.cloud.com

  • https://api.analytics.cloud.com

• The StoreFront deployment must have port 443 open for outbound internet connections. Any proxy servers on the network must allow this communication with Citrix Analytics.

• If the StoreFront deployment is hosted on a webserver that uses a web proxy to connect to the internet, the proxy for each store must be manually configured to allow outbound traffic. StoreFront does not automatically use the proxy setting of the host webserver. For more information, see Configure a StoreFront deployment hosted on a webserver that uses HTTP proxy.

• The StoreFront deployment must be accessed using one of the following clients:

  • Citrix Receiver for Web sites in HTML5-compatible browsers.

    Note

    If you are an HTML5 user, Virtual Apps and Desktops can launch events when certain configurations are enabled on StoreFront. For information about the configuration steps, see the Install article in the Citrix Workspace app for HTML5 documentation. For print-related events, extra policies must be configured on StoreFront. For more information, see the PDF Printing article in the Citrix Workspace app for HTML5 documentation.

  • Citrix Workspace app 1907 for Windows or later.

  • Citrix Workspace app 2006 for Linux or later.

  • Citrix Workspace app 2006 for Mac or later

• If you are using Citrix Virtual Apps and Desktops 7 1912 LTSR, the supported StoreFront version is 1912.

Connect to a StoreFront deployment

1. On the Virtual Apps and Desktops- Workspace app site card, click the vertical ellipsis (⋮) and then select Connect StoreFront deployment.

   

   Note

   The Connect StoreFront deployment option is disabled if you do not have a Site already discovered by Analytics. Add your on-premises sites to Workspace to enable this option.

2. On the Connect StoreFront Deployment page, review the checklist and select all the mandatory requirements. If you do not select a mandatory requirement, the Download File option is disabled.

   

3. Click Download File to download the StoreFrontConfigurationFile.json file.

   Note

   The file contains sensitive information. Keep the file in a safe and secure location.

   

4. Copy the file to your StoreFront deployment. If you are using multi server deployment, copy the file to a server in the StoreFront server group.

5. On the StoreFront server, open the PowerShell ISE and run the following command to import the configuration settings:

   Import-STFCasConfiguration -Path "configuration file path"
   

   For example, if the StoreFrontConfigurationFile.json file is on the desktop, specify the command as follows:

   Import-STFCasConfiguration –Path "$Env:UserProfile\Desktop\ StoreFrontConfigurationFile.json"
   

6. Run the following command to verify the imported configuration settings:

   Get-STFCasConfiguration
   

7. If you are using multi server deployment, you must propagate the configuration settings to all the servers in the server group. Use either the StoreFront management console or run the following command to propagate the settings:

   Publish-STFServerGroupConfiguration
   

8. After configuration is successful, go to Citrix Analytics to view the connected StoreFront deployment. Click Turn On Data Processing to allow Citrix Analytics to process the data.

View received events

The site card displays the number of connected StoreFront deployments and the events received from these deployments for the last one hour, which is the default time selection. You can also select 1 week (1 W) and view the data. Click the number of received events to view the events on the self-service search page.

After you have enabled data processing, the site card might display the No data received status. This status appears for two reasons:

1. If you have turned on data processing for the first time, the events take some time to reach the event hub in Citrix Analytics. When Citrix Analytics receives the events, the status changes to Data processing on. If the status does not change after some time, refresh the Data Sources page.

2. Analytics has not received any events from the data source in the last one hour.

   

View connected StoreFront deployments

The StoreFront deployments appear on Virtual Apps and Desktops- Workspace app site card only if the configuration is successful. The site card shows how many StoreFront deployments have established connections with Citrix Analytics.

Click the number of StoreFront deployments on the site card to view the server groups. For example, click 2 StoreFront deployments to view the connected server or server groups. Each StoreFront deployment is represented by a base URL and a ServerGroupID.

Add or remove StoreFront deployments

To add a StoreFront deployment, click Connect to StoreFront Deployments on the Discovered Sites for Workspace app page. Download the configuration file and follow the steps to configure a StoreFront deployment.

To stop the event transmission from a configured StoreFront deployment and remove it from Citrix Analytics:

1. Go to the StoreFront deployment that you want to remove from Citrix Analytics. Run the following command to remove the configuration settings from your StoreFront server:

   Remove-STFCasConfiguration
   

2. If you are using multi server deployment, run the following command to propagate the changes and remove the configuration settings from all the servers in the StoreFront server group:

   Publish-STFServerGroupConfiguration
   

3. Run the following command to verify that the configuration settings have been successfully removed. The command returns nothing if the settings have been successfully removed.

   Get-STFCasConfiguration
   

4. Log back to Citrix Analytics and choose the StoreFront deployment on the Discovered Sites for Workspace app page. Click the vertical ellipsis (⋮) and select Remove StoreFront deployments from Analytics.

   

   Note

   Run the specified commands on the StoreFront deployment before removing it from Citrix Analytics. If you fail to run the commands, Citrix Analytics continues to receive the events and the StoreFront deployment is added again at the next event pooling cycle.

Configure a StoreFront deployment hosted on a webserver that uses HTTP proxy

If a StoreFront is hosted on a webserver that uses a web proxy to connect to the internet, the store must be manually configured to register with Citrix Analytics. This configuration requires you to add a <system.net> section to the store web.config file. You must configure every store on the StoreFront deployment that sends events to Citrix Analytics.

There are two methods by which you can add the <system.net> section to the store web.config file:

• Set the store proxy configuration via PowerShell for one or more stores (recommended method).

• Manually add a <system.net> section to the store web.config file.

For more information on these methods, see the Configure StoreFront to use a web proxy to contact Citrix Cloud and register with Citrix Analytics article in the StoreFront documentation.

Connect to Citrix Director for on-premises sites

Citrix Director is a monitoring and troubleshooting console for Citrix Virtual Apps and Desktops. You can use Director to configure your on-premises sites for Citrix Analytics for Security (Security Analytics). After the sites are configured, Director sends monitoring events to Security Analytics. These events are used to discover the users connected to Security Analytics and determine the Workspace app versions installed on the users’ devices. For more information on Citrix Workspace app status, see Users dashboard.

Prerequisite and configuration steps

Notes

• Currently, the Director user interface displays the configuration steps related to Citrix Analytics for Performance (Performance Analytics). These configuration steps are also applicable for Citrix Analytics for Security (Security Analytics). If you have an active Citrix Cloud entitlement for Security Analytics, you can connect to Citrix Director by following those steps.

• If your Citrix Cloud account has active entitlements for both Security Analytics and Performance Analytics and you have already configured your site for Performance Analytics, you do not need to configure Director again for Security Analytics.

For information on the prerequisites and configuration steps, see Citrix Analytics for Performance documentation.

View your connected sites

After configuring your on-premises sites on Director, do the following:

1. In Citrix Analytics, go to the Data Sources page.

2. Click the Security tab.

3. On the Virtual Apps and Desktops- Monitoring site card, the sites configured on your Citrix Director get displayed after some time.

   

   Notes

   • The first time you configure a site, events from the site might take some time (approximately an hour) to get processed; causing a delay in the display of the connected site on the Virtual Apps and Desktops- Monitoring site card.

   • The data processing for the Director data source is enabled by default.

   • Unlike other data source site cards, you do not see any received events on the Virtual Apps and Desktops- Monitoring site card. It always shows zero received events. The reason is, currently Security Analytics does not provide insights into the user events received from the Director data source. This data source is used only for discovering the connected users and determining the Workspace app versions on the users’ devices.

4. Click the sites to view the details.

   

Connect to Session Recording deployment

Session Recording allows you to record the on-screen activity of any user session in Citrix Virtual Apps and Desktops. You can configure the Session Recording servers to send the user events to Citrix Analytics for Security. The user events are processed to provide actionable insights into the users’ risky behaviors.

Prerequisites

Before you begin, ensure the following:

• Your Session Recording server and the VDA agent must be 2103 or later.

• The Session Recording server must be able to connect to the following addresses:

  • https://*.cloud.com

  • https://*.citrixdata.com

  • https://api.analytics.cloud.com

• The Session Recording deployment must have port 443 open for outbound internet connections. Any proxy servers on the network must allow this communication with Citrix Analytics for Security.

• If you are using Citrix Virtual Apps and Desktops 7 1912 LTSR, the supported Session Recording version is 2103 or later.

Configure your Session Recording server

1. On the Virtual Apps and Desktops- Session Recording site card, click Connect Session Recording server.

   

2. On the Connect Session Recording Server page, review the checklist, and select all the mandatory requirements. If you do not select a mandatory requirement, the Download File option is disabled.

   

3. If you have proxy servers in your network, enter the proxy address in the SsRecStorageManager.exe.config file in your Session Recording server.

   The configuration file is located at <Session Recording Server installation path>\bin\SsRecStorageManager.exe.config

   For example: C:\Program Files\Citrix\SessionRecording\Server\Bin\SsRecStorageManager.exe.config

   

4. Click Download File to download the SessionRecordingConfigurationFile.json file.

   Note

   The file contains sensitive information. Keep the file in a safe and secure location.

5. Copy the file to the Session Recording server that you want to connect to Citrix Analytics for Security.

6. If you have multiple Session Recording servers in your deployment, you must copy the file in each server that you want to connect and follow the steps to configure each server.

7. On the Session Recording server, run the following command to import the settings:

   <Session Recording Server installation path>\bin\SsRecUtils.exe -Import_SRCasConfigurations <configuration file path>
   

   For example:

   C:\Program Files\Citrix\SessionRecording\Server\bin\ SsRecUtils.exe -Import_SRCasConfigurations C:\Users\administrator \Downloads\SessionRecordingConfigurationFile.json

8. Restart the following services:

   • Citrix Session Recording Analytics Service

   • Citrix Session Recording Storage Manager

9. After configuration is successful, go to Citrix Analytics for Security to view the connected Session Recording server. Click Turn On Data Processing to allow Citrix Analytics for Security to process the data.

   Note

   If you are using Session Recording server version 2103 or 2104, you must first launch a Virtual Apps and Desktops session to view the connected Session Recording server on Citrix Analytics for Security. Otherwise the connected Session Recording server fails to get displayed. This requirement is not applicable for Session Recording server version 2106 and later.

View the connected deployments

The server deployments appear on the Session Recording site card only if the configuration is successful. The site card shows the number of configured servers that have established connections with Citrix Analytics for Security.

If you don’t see your Session Recording servers even after the configuration was successful, refer to the Troubleshooting article.

On the site card, click the number of deployments to view the connected server groups with Citrix Analytics for Security. For example, click 1 Session Recording Deployment to view the connected server or server groups. Each Session Recording server is represented by a base URL and a ServerGroupID.

View received events

The site card displays the connected Session Recording deployments and the events received from these deployments for the last one hour, which is the default time selection. You can also select 1 week (1 W) and view the data. Click the number of received events to view the events on the self-service search page.

After you have enabled data processing, the site card might display the No data received status. This status appears for two reasons:

1. If you have turned on data processing for the first time, the events take some time to reach the event hub in Citrix Analytics. When Citrix Analytics receives the events, the status changes to Data processing on. If the status does not change after some time, refresh the Data Sources page.

2. Citrix Analytics has not received any events from the data source in the last one hour.

Add Session Recording servers

To add a Session Recording server, do one of the following:

• On the Connected Session Recording Deployments page, click Connect to Session recording server.

  

• On the Virtual Apps and Desktops- Session Recording site card, click the vertical ellipsis (⋮) and then select Connect Session Recording server.

  

Follow the steps to download the configuration file and configure a Session Recording server.

Remove Session Recording servers

To remove a Session Recording server:

1. On Citrix Analytics for Security, go to the Connected Session Recording Deployments page and select the server deployment that you want to remove.

2. Click the vertical ellipses (⋮) and select Remove Session Recording server from Analytics.

   

3. On the Session Recording server that you have removed from Citrix Analytics, run the following command:

   <Session Recording Server installation path>\bin\SsRecUtils.exe -Remove_SRCasConfigurations
   

   For example:

   C:\Program Files\Citrix\SessionRecording\Server\bin\ SsRecUtils.exe -Remove_SRCasConfigurations

Turn on or off data processing on the data source

You can stop the data processing at any time for a particular data source- Director and Workspace app. On the data source site card, click the vertical ellipsis (⋮) > Turn off data processing. Citrix Analytics stops processing data for that data source. You can also stop the data processing from the Virtual Apps and Desktops site card. This option applies to both data sources- Director and Workspace app.

To enable data processing again, click Turn On Data Processing.