Product Documentation

Defining User Environments in XenApp

Apr 28, 2015

XenApp provides different ways to control what users experience in their session environments. You can customize user environments in the following ways:

  • By suppressing the number of progress bars users see when they first open an application, so that XenApp appears to be an integrated part of their everyday environment.
  • By either allowing or preventing users from accessing their local devices or ports during a session. You can also prevent users from accessing devices and ports during remote sessions.
  • By defining whether or not users can hear audio or use microphones during sessions. If you enable audio support, you can specify the level of audio compression and limit bandwidth, if necessary. You can control audio either at the group level through policies or at the published application level.
  • By ensuring that mobile workers, such as travelling salespeople or workers inside a hospital, always have the most appropriate printers and devices available to them inside of a session.

For the Citrix online plug-in, you can also customize the user’s experience by choosing whether you want published applications and desktops to appear in a window within a Remote Desktop window or “seamlessly.” In seamless window mode, published applications and desktops appear in separate resizable windows, which make the application appear to be installed locally. Certain features are available only in seamless mode.

Some features that relate to session environments or connections, such as dual-monitor mode support and information about logons, are plug-in specific. Details about these features are located in the Citrix online plug-in and the Web Interface documentation.

Controlling the Appearance of User Logons

When users connect to a server, they see all connection and logon status information in a sequence of screens, from the time they double-click a published application icon on the client device, through the authentication process, to the moment the published application launches in the session.

XenApp achieves this logon look and feel by suppressing the status screens generated by a server’s Windows operating system when a user connects. To do this, XenApp Setup enables the following Windows local group policies on the server on which you install the product:

  • Administrative Templates > System > Remove Boot / Shutdown / Logon / Logoff status messages
  • Administrative Templates > System > Verbose versus normal status messages

However, Active Directory group policies take precedence over equivalent local group policies on servers. Therefore, when you install XenApp on servers that belong to an Active Directory domain, those Active Directory policies may prevent XenApp from suppressing the status screens generated by the Windows operating systems of the individual servers. In that case, users see the status screens generated by the Windows operating system when connecting to that server. For optimal performance, do not configure these group policies in Active Directory.

Controlling Access to Devices and Ports

The Citrix online plug-in supports mapping devices on client computers so users can access the devices within sessions. Client device mapping provides:
  • Access to local drives and ports
  • Cut-and-paste data transfer between a session and the local clipboard
  • Audio (system sounds and .wav files) playback from the session

During logon, the plug-in reports the available client drives and COM ports to the server. By default, client drives appear as network resources so the drives appear to be directly connected to the server. The client’s drives are displayed with descriptive names so they are easy to locate among other network resources. These drives are used by Windows Explorer and other applications like any other network drive.

In Citrix policies, redirection settings are used for mapping.

Redirecting Client COM Ports and Audio

Client COM port redirection allows a remote application running on the server to access devices attached to COM ports on the user device. COM port and audio redirection are configured with the Client COM port redirection and Client audio redirection User policy settings.

For more information, see the documentation for the plug-ins you plan to deploy.

To enable user execute permissions on mapped drives

In general, XenApp displays client drive letters as they appear on the user device; for example, the user device's hard disk drive appears as "C: on ClientName," where ClientName is the name of the user device. This allows the user to access client drive letters in the same way locally and within sessions.

You can turn off client drive redirection through XenApp policies. In doing so, you also turn off mapping to client floppy disk drives, hard drive, CD-ROM drives, or remote drives regardless of the policy settings for those individual devices.

As a security precaution, when a user logs on to XenApp, by default, the server maps client drives without user execute permission. To enable users to execute files residing on mapped client drives, override this default by editing the registry on a XenApp server.
Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
  1. After installing XenApp, open the Registry Editor.
  2. Find the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\picadm\Parameters\ExecuteFromMappedDrive.
  3. To grant users execute permission on mapped drives, set ExecuteFromMappedDrive to 1.
  4. To deny users execute permission on mapped drives, set ExecuteFromMappedDrive to 0.
  5. Restart the server.

Displaying Local Special Folders in Sessions

To make it easier for your users to save files to their special folders locally, you can enable Special Folder Redirection. Special folders is a Microsoft term that refers to Windows folders such as Documents, Computer, and the Desktop.

Without Special Folder Redirection enabled, the Documents and Desktop icons that appear in a session point to the user’s Documents and Desktop folders on the server. Special Folder Redirection redirects actions, such as opening or saving a file, so that when users save or open files from special folders, they are accessing the special folder on their local computers. In addition, for the Citrix Receiver, the Documents folder in the Start menu maps to the Documents folder on the client device.

To use Special Folder Redirection, users must access the farm with the Citrix online plug-in 11.x or later or the Web Interface.

Restrictions

Do not enable Special Folders Redirection in situations when a user connects to the same session from multiple client devices simultaneously. For Special Folder Redirection to work, the user must log off from the session on the first client device and start a new session on the second client device. If users must run multiple sessions simultaneously, use roaming profiles or set a home folder for that user in the User Properties in Active Directory.

Because Special Folder Redirection must interact with the client device, some settings prevent Special Folder Redirection from working. You cannot have policy settings that prevent users from accessing or saving to their local hard drives.

Currently, for seamless and published desktops, Special Folder Redirection works only for the Documents folder. For seamless applications, Special Folder Redirection only works for the Desktop and Documents folders. Citrix does not recommend using Special Folder Redirection with published Windows Explorer.

Special Folder Redirection requires access to the Documents and Desktop folders on the user’s local computer. When a user launches an application through the Web Interface and uses File Security to select No Access in the File Security dialog box in Connection Center, access is denied to the user’s local workstation drives, including the user’s local Documents and Desktop folders. As a result, some applications might be unstable when trying to perform read/write operations to the denied folders. To avoid this, always grant full local access when Special Folder Redirection is enabled.

Caution: Special Folder Redirection does not redirect public folders on Windows Vista and Windows Server 2008. If users are connecting to servers that are not in their domain, instruct users not to save to public folders. If users save documents to public folders, they are saving them to a local folder on the server hosting the published application. In large environments where many servers host the same application, it could be difficult to determine which server contains the public folder where the user saved the document.

To enable Special Folder Redirection

First, enable Special Folder Redirection for XenApp Web sites or XenApp Services sites - you can enable Special Folder Redirection for all users, and allow users to enable the feature themselves in their client settings. Then, if you want to allow or prevent specific users from having redirected special folders, use the Special Folder Redirection Citrix policy setting.

If you enable Special Folder Redirection without success, use Search to determine if any settings conflict with this feature.

Tip: Let your users know that other Special Folders, such as Music or Recent Documents, still point to the server. If users save documents to these folders, they are saved to the server.

To enable Special Folder Redirection for a XenApp Web site

This procedure requires that you already created a XenApp Web site.

  1. From the Citrix Web Interface Management console, select a XenApp Web site.
  2. In the Actions menu, select Session Settings.
  3. On the Manage Session Settings - XenApp page, select Local Resources.
  4. Select the correct options.
    To Select the options

    Enable Special Folder Redirection by default and let users turn it off in their session options.

    Provide Special Folder Redirection to all users

    Allow users to customize Special Folder Redirection

    Disable Special Folder Redirection by default, but let users turn it on in their session options

    Allow users to customize Special Folder Redirection

    Enable Special Folder Redirection by default and prevent users from turning it on or off

    Provide Special Folder Redirection to all users

  5. Click OK.

To enable Special Folder Redirection for a XenApp Services site

This procedure requires that you already created a XenApp Services site.

  1. From the Citrix Web Interface Management console, select a XenApp Services site.
  2. Select Session Options.
  3. On the Change Session Options - PNAgent page, select Local Resources.
  4. Select the correct options.
    To Select the options

    Enable Special Folder Redirection by default and let users turn it off in their session options.

    Provide Special Folder Redirection to all users

    Allow users to customize Special Folder Redirection

    Disable Special Folder Redirection by default, but let users turn it on in their session options

    Allow users to customize Special Folder Redirection

    Enable Special Folder Redirection by default and prevent users from turning it on or off

    Provide Special Folder Redirection to all users

  5. Click OK.

To filter Special Folder Redirection users through a Citrix policy setting

You can allow or prevent specific users from having redirected special folders with the Special Folders Redirection policy setting.
  1. Enable the Special Folder Redirection policy setting and apply filters to ensure the setting is applied to the users you want accessing local special folders.

    To prevent local special folders from being redirected, ensure a filter is configured that targets the users you do not want accessing local special folders.

  2. Decide if you want to let users turn this feature on and off in their sessions. Instructions for users are provided in their plug-in help.
  3. Ensure you do not have any policy settings enabled that are not supported with Special Folder Redirection (such as preventing accessing or writing to local hard drives).

Configuring Audio for User Sessions

XenApp provides tools to manage and control the availability of sound in sessions, both in terms of quality and cost in resources, including:

  • Audio properties you configure for individual published applications
  • Audio related policy settings you configure for specific connection types
  • Audio settings the user configures on the user device

For example, you can use audio-related connection policy settings to control bandwidth usage and server CPU utilization. You can configure a policy setting to enable audio for connections where audio is essential, and configure another setting to disable audio for connections where it is not essential. Use policy settings to control the availability of speakers and microphones in sessions.

Important: To use audio in sessions, users must also enable audio on the user device.

When audio is enabled, you can also use policy settings to set compression levels and bandwidth allocation.

To enable or disable audio for published applications

If you disable audio for a published application, audio is not available within the application under any condition. If you enable audio for an application, you can use policy settings and filters to further define under what conditions audio is available within the application.

  1. In the Delivery Services Console, select the published application for which you want to enable or disable audio, and select Action > Application properties.
  2. In the Application Properties dialog box, click Advanced > Client options. Select or clear the Enable legacy audio check box.

To configure bandwidth limits for audio

Use policy settings to configure the amount of bandwidth you want to allocate to audio transfers between servers and client devices. For example, you might want to create separate policy settings for groups of dial-up users and for those who connect over a LAN, accommodating the different amounts of bandwidth each group will have available.

In this procedure, you are editing settings for a policy that applies to a specific group of filtered objects, such as servers or users.
  1. Configure the following Citrix User policy settings:
    • Audio redirection bandwidth limit. Specify the bandwidth available for audio in kilobits per second.
    • Audio redirection bandwidth limit percent. Limit the bandwidth available for audio to a percentage of the overall bandwidth available. If you configure this setting, you must enable the Overall session bandwidth limit setting.

To configure audio compression and output quality

Use Citrix policy settings to configure the compression levels to apply to sound files. Generally, higher sound quality requires more bandwidth and higher server CPU utilization. You can use sound compression to balance sound quality and overall session performance.

Consider creating separate policies for groups of dial-up users and for those who connect over a LAN. Over dial-up connections, where bandwidth typically is limited, users likely care more about download speed than sound quality. For such users, create a policy for dial-up connections that applies high compression levels to sound and another for LAN connections that applies lower compression levels.

In this procedure, you are editing settings for a policy that applies to a specific group of filtered objects, such as servers or users.

  1. Configure the Audio quality Citrix User policy setting with one of the following options:
    • Low - for low-speed connections. This causes any sounds sent to the client device to be compressed to a maximum of 16Kbps. This compression results in a significant decrease in the quality of the sound. The CPU requirements and benefits of this setting are similar to those of the Medium setting; however, the lower data rate allows reasonable performance for a low-bandwidth connection.
    • Medium - optimized for speech. This is recommended for most LAN-based connections. This setting causes any sounds sent to the client device to be compressed to a maximum of 64Kbps. This compression results in a moderate decrease in the quality of the sound played on the client device.
    • High - high definition audio. This is recommended for connections where bandwidth is plentiful and sound quality is important. This setting allows client devices to play a sound file at its native data rate. Sounds at the highest quality level require about 1.3Mbps of bandwidth to play clearly. Transmitting this amount of data can increase bandwidth requirements, and result in increased CPU utilization and network congestion.

To enable support for microphones and speakers

For users to use speaker and microphones in sessions, both audio input (for microphones) and output (for speakers) must be enabled. Audio input and output are controlled by two policy settings; you must configure both to ensure that audio input and output are enabled.

Note: Microphone input is supported on the Citrix online plug-in for Windows, Windows CE, and Linux.

This allows you to implement separate connection policies; for example, for users of mobile devices and for users who connect over a LAN. For the mobile user group, you may want to enable audio input but disable audio output. This lets mobile users record notes from the field, but prevents the server from sending audio to the mobile devices, ensuring better session performance. Enabling audio input and output also enables support for digital dictation.

On the client device, users control audio input and output in a single step—by selecting an audio quality level from the Options > Session Options dialog box.

By default, when you configure these settings, audio input is enabled on client devices. Web Interface users can override the policy and disable their microphones by selecting No in the Audio Security dialog box, which they access from the Citrix Connection Center.

In this procedure, you are editing settings for a policy that applies to a specific group of filtered objects, such as servers or users.

  1. To enable audio input for sessions, configure the Client microphone redirection Citrix User policy setting.
  2. To enable audio output for sessions, configure the Client audio redirection Citrix User policy setting.

To use and set sound quality for digital dictation devices

If you have enabled microphone and speaker support, XenApp requires no additional configuration to allow users to record audio using a standard microphone. However, to allow users to use digital dictation devices such as Philips SpeechMike devices and dictation software such as WinScribe Internet Author and Internet Typist, you must install and configure the associated software and set session sound quality to accommodate them.

To enable Phillips SpeechMike devices, go to the Philips web site for information and software downloads.

Note: The Citrix plug-ins for Linux and Windows CE do not support Philips SpeechMike products.

To make Philips SpeechMike devices or similar products available in user sessions, install the device drivers associated with the products on the XenApp server and on client devices. To make dictation software such as WinScribe Internet Author and Internet Typist available, install this software on the XenApp server. After installation, you might be required to enable the controls for the dictation device within the dictation software. Refer to the product documentation for instructions.

Set sound quality to at least medium quality. To enable the use of Philips SpeechMagic Speech Recognition server with WinScribe software, set sound quality to high to enable accurate speech-to-text translation.

  1. From Citrix Web Interface Management, select the XenApp Services site you want to configure.
  2. In the Action pane, select Session Options.
  3. Select Color and Sound.
  4. In the Sound area, select one of:
    • Medium - optimized for speech
    • High - high definition audio

Ensuring Session Continuity for Mobile Workers

The Workspace Control feature provides users with the ability to disconnect quickly from all running applications, to reconnect to applications, or to log off from all running applications. Workspace Control enables users to move among client devices and gain access to all of their open applications when they log on.

For example, you can use Workspace Control to assist health-care workers in a hospital who need to move quickly between workstations and access the same set of applications each time they log on to XenApp. If you configure Workspace Control options to allow it, these workers can disconnect from multiple applications at one client device and then reconnect to open the same applications at a different client device.

For users accessing applications through the Web Interface or the Citrix online plug-in, you can configure—and allow users to configure—these activities:

  • Logging on. By default, Workspace Control enables users to reconnect automatically to all running applications when logging on, bypassing the need to reopen individual applications. Through Workspace Control, users can open disconnected applications plus applications active on another client device. Disconnecting from an application leaves the application running on the server. If you have roaming users who need to keep some applications running on one client device while they reconnect to a subset of their applications on another client device, you can configure the logon reconnection behavior to open only the applications that the user disconnected from previously.
  • Reconnecting. After logging on to the server farm, users can reconnect to all their applications at any time by clicking Reconnect. By default, Reconnect opens applications that are disconnected plus any applications currently running on another client device. You can configure Reconnect to open only those applications that the user disconnected from previously.
  • Logging off. For users opening applications through the Web Interface, you can configure the Log Off command to log the user off from the Web Interface and all active sessions together, or log off from the Web Interface only.
  • Disconnecting. Users can disconnect from all running applications at once without needing to disconnect from each application individually.

Workspace Control is enabled in the server farm by default and is available only for users accessing applications through the Web Interface or the Citrix online plug-in.

User policies, client drive mappings, and printer configurations change appropriately when a user moves to a new client device. Policies and mappings are applied according to the client device where the user is currently logged on to the session. For example, if a health care worker logs off from a client device in the emergency room of a hospital and then logs on to a workstation in the hospital’s X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect at the session startup.

You can customize what printers appear to users when they change locations as well as control whether they can print to local printers, how much bandwidth is consumed when users connect remotely, and other aspects of their printing experiences.

For more information about enabling and configuring Workspace Control for users, see the Web Interface documentation.

Maintaining Session Activity

Users can lose network connectivity for various reasons, including unreliable networks, highly variable network latency, and range limitations of wireless devices. Losing connectivity often leads to user frustration and a loss of productivity. You can leverage these three features of XenApp to optimize the reliability of sessions and to reduce the amount of inconvenience, downtime, and loss of productivity users incur due to lost network connectivity.
  • Session Reliability
  • Auto Client Reconnect
  • ICA Keep-Alive

Configuring Session Reliability

Session Reliability keeps sessions active and on the user’s screen when network connectivity is interrupted. Users continue to see the application they are using until network connectivity resumes.

This feature is especially useful for mobile users with wireless connections. Take, for example, a user with a wireless connection who enters a railroad tunnel and momentarily loses connectivity. Ordinarily, the session is disconnected and disappears from the user’s screen, and the user has to reconnect to the disconnected session.

With Session Reliability, the session remains active on the server. To indicate that connectivity is lost, the user’s display freezes and the cursor changes to a spinning hourglass until connectivity resumes on the other side of the tunnel. The user continues to access the display during the interruption and can resume interacting with the application when the network connection is restored. Session Reliability reconnects users without reauthentication prompts.

Users of the Citrix online plug-in cannot override the server setting.

Note: You can use Session Reliability with Secure Sockets Layer (SSL).

By default, Session Reliability is enabled through policy settings. You can customize the policy settings for this feature as appropriate. You can edit the port on which XenApp listens for session reliability traffic and edit the amount of time Session Reliability keeps an interrupted session connected.

The Citrix Computer policy Session reliability connections setting allows or prevents session reliability.

The Session reliability timeout setting has a default of 180 seconds, or three minutes. Though you can extend the amount of time Session Reliability keeps a session open, this feature is designed to be convenient to the user and it does not, therefore, prompt the user for reauthentication. If you extend the amount of time a session is kept open indiscriminately, chances increase that a user may get distracted and walk away from the client device, potentially leaving the session accessible to unauthorized users.

Incoming session reliability connections use port 2598, unless you change the port number with the Citrix Computer policy Session reliability port number setting.

If you do not want users to be able to reconnect to interrupted sessions without having to reauthenticate, use the Auto Client Reconnect feature. You can configure the Citrix Computer policy Auto client reconnect authentication setting to prompt users to reauthenticate when reconnecting to interrupted sessions.

If you use both Session Reliability and Auto Client Reconnect, the two features work in sequence. Session Reliability closes, or disconnects, the user session after the amount of time you specify in the Citrix Computer policySession reliability timeout setting. After that, the Auto Client Reconnect policy settings take effect, attempting to reconnect the user to the disconnected session.

Configuring Automatic Client Reconnection

The Auto Client Reconnect feature allows Citrix plug-ins for Windows, Java, and Windows CE to detect broken connections and automatically reconnect users to disconnected sessions. When a plug-in detects an involuntary disconnection of a session, it attempts to reconnect the user to the session until there is a successful reconnection or the user cancels the reconnection attempts.

When a connection breaks, it may leave the server session in an active state. Users can reconnect only to sessions that are in a disconnected, or inactive, state. Cookies containing keys to user credentials and session IDs are created on the client device when sessions are started. Because users can be reconnected only to disconnected sessions, Auto Client Reconnect uses the cookie on the client device to disconnect an active session before attempting to reconnect.

Configure Auto Client Reconnect with the following Citrix Computer policy settings:
  • Auto client reconnect. Enables or disables automatic reconnection by the same client after a connection has been interrupted.
  • Auto client reconnect authentication. Enables or disables the requirement for user authentication upon automatic reconnection
  • Auto client reconnect logging. Enables or disables logging of reconnection events in the event log. Logging is disabled by default. When enabled, the server's System log captures information about successful and failed automatic reconnection events. Each server stores information about reconnection events in its own System log; the server farm does not provide a combined log of reconnection events for all servers.

Auto Client Reconnect incorporates an authentication mechanism based on encrypted user credentials. When a user initially logs on to a server farm, XenApp encrypts and stores the user credentials in memory, and creates and sends a cookie containing the encryption key to the plug-in. The plug-in submits the key to the server for reconnection. The server decrypts the credentials and submits them to Windows logon for authentication. When cookies expire, users must reauthenticate to reconnect to sessions.

Cookies are not used if you enable the Auto client reconnection authentication setting. Instead, XenApp displays a dialog box to users requesting credentials when the plug-in attempts to reconnect automatically.

Note: For maximum protection of users’ credentials and sessions, use SSL encryption for all communication between clients and the server farm.

Disable Auto Client Reconnect on the Citrix plug-in for Windows by using the icaclient.adm file. For more information about plug-in configuration, see the online plug-in documentation.

Settings for connections also affect Auto Client Reconnect.

Configuring Connections for Automatic Client Reconnection

By default, Auto Client Reconnect is enabled through policy settings on the farm level. User reauthentication is not required. However, if a server’s ICA TCP connection is configured to reset sessions with a broken communication link, automatic reconnection does not occur. Auto Client Reconnect works only if the server disconnects sessions when there is a broken or timed out connection.

In this context, the ICA TCP connection refers to a XenApp’s virtual port (rather than an actual network connection) that is used for sessions on TCP/IP networks.

By default, the ICA TCP connection on a XenApp server is set to disconnect sessions with broken or timed out connections. Disconnected sessions remain intact in system memory and are available for reconnection by the plug-in.

The connection can be configured to reset, or log off, sessions with broken or timed out connections. When a session is reset, attempting to reconnect initiates a new session; rather than restoring a user to the same place in the application in use, the application is restarted.

If XenApp is configured to reset sessions, Auto Client Reconnect creates a new session. This process requires users to enter their credentials to log on to the server.

Automatic reconnection can fail if the plug-in submits incorrect authentication information, which might occur during an attack or the server determines that too much time has elapsed since it detected the broken connection.

Configuring ICA Keep-Alive

Enabling the ICA Keep-Alive feature prevents broken connections from being disconnected. When enabled, if XenApp detects no activity (for example, no clock change, no mouse movement, no screen updates), this feature prevents Remote Desktop Services from disconnecting that session. XenApp sends keep-alive packets every few seconds to detect if the session is active. If the session is no longer active, XenApp marks the session as disconnected.

However, the ICA Keep-Alive feature does not work if you are using Session Reliability. Session Reliability has its own mechanisms to handle this issue. Only configure ICA Keep-Alive for connections that do not use Session Reliability.

ICA Keep-Alive settings override keep-alive settings that are configured in Microsoft Windows Group Policy.

  1. Configure the following Citrix Computer policy settings:
    1. ICA keep alive timeout. Specifies the interval (1-3600 seconds) used to send ICA keep-alive messages. Do not configure this option if you want your network monitoring software to close inactive connections in environments where broken connections are so infrequent that allowing users to reconnect to sessions is not a concern.

      The 60 second default interval causes ICA Keep-Alive packets to be sent to client devices every 60 seconds. If a client device does not respond in 60 seconds, the status of the ICA sessions changes to disconnected.

    2. ICA keep alives. Sends or prevents sending ICA keep-alive messages periodically.