Best practices, security considerations, and default operations
May 28, 2016
Many factors determine the best printing solution for a particular environment. Some of these best practices might not apply to your Site.
Use the Citrix Universal Print Server.
Use the Universal printer driver or Windows-native drivers.
Minimize the number of printer drivers installed on Server OS machines.
Use driver mapping to native drivers.
Never install untested printer drivers on a production site.
Avoid updating a driver. Always attempt to uninstall a driver, restart the print server, and then install the replacement driver.
Uninstall unused drivers or use the Printer driver mapping and compatibility policy to prevent printers from being created with the driver.
Try to avoid using version 2 kernel-mode drivers.
To determine if a printer model is supported, contact the manufacturer or see the Citrix Ready product guide at www.citrix.com/ready.
In general, all of the Microsoft-supplied printer drivers are tested with Terminal Services and guaranteed to work with Citrix. However, before using a third-party printer driver, consult your printer driver vendor to ensure the driver is certified for Terminal Services by the Windows Hardware Quality Labs (WHQL) program. Citrix does not certify printer drivers.
Citrix printing solutions are secure by design.
- The Citrix Print Manager Service constantly monitors and responds to session events such as logon and logoff, disconnect, reconnect, and session termination. It handles service requests by impersonating the actual session user.
- Citrix printing assigns each printer a unique namespace in a session.
- Citrix printing sets the default security descriptor for auto-created printers to ensure that client printers auto-created in one session are inaccessible to users running in other sessions. By default, administrative users cannot accidentally print to another session’s client printer, even though they can see and manually adjust permissions for any client printer.
Default print operations
By default, if you do not configure any policy rules, printing behavior is as follows:
The Universal Print Server is disabled.
All printers configured on the user device are created automatically at the beginning of each session.
This behavior is equivalent to configuring the Citrix policy setting Auto-create client printers with the Auto-create all client printers option.
The system routes all print jobs queued to printers locally attached to user devices as client print jobs (that is, over the ICA channel and through the user device).
The system routes all print jobs queued to network printers directly from Server OS machines. If the system cannot route the jobs over the network, it will route them through the user device as a redirected client print job.
This behavior is equivalent to disabling the Citrix policy setting Direct connection to print servers.
The system attempts to store printing properties, a combination of the user’s printing preferences and printing device-specific settings, on the user device. If the client does not support this operation, the system stores printing properties in user profiles on the Server OS machine.
This behavior is equivalent to configuring the Citrix policy setting Printer properties retention with the Held in profile only if not saved on client option.
The system uses the Windows version of the printer driver if it is available on the Server OS machine. If the printer driver is not available, the system attempts to install the driver from the Windows operating system. If the driver is not available in Windows, it uses a Citrix Universal print driver.
This behavior is equivalent to enabling the Citrix policy setting Automatic installation of in-box printer drivers and configuring the Universal printing setting with the Use universal printing only if requested driver is unavailable.
Enabling Automatic installation of in-box printer drivers might result in the installation of a large number of native printer drivers.
Note: If you are unsure about what the shipping defaults are for printing, display them by creating a new policy and setting all printing policy rules to Enabled. The option that appears is the default.
XenApp and XenDesktop include an Always-On logging feature for the print server and printing subsystem on the VDA.
In order to collate the logs as a ZIP for emailing, or to automatically upload to Citrix Insights Services, use the PowerShell cmdlet (Start-TelemetryUpload) supplied with the VDA installer.