The Citrix Blog
posted by Juliano Maldaner

It's been over 2 years since my initial post on XenApp/Group Policy integration... how time flies! This feature is finally seeing the light of day with XenApp for 2008 R2 (in Tech Preview right now). I'm really happy with the results, so let me describe how it will enhance management of XenApp farms.

As I described in my previous post, our primary goal for XenApp management was to enable template-based management of XenApp servers. We realized that most environments used Group Policies and Active Directory OUs as a way to define these server templates. Most XenApp environments need GPOs in some capacity to configure RDS, profiles, lock-down servers, configure sessions and the operating system.

GPO integration therefore reduces the number of consoles used for common management tasks. This sounds counter-intuitive at first: the Group Policy Management Console (GPMC) is an extra console... But the reality is that these tasks can be performed entirely in the Active Directory consoles. Creating a new app silo or farm? Create a new OU, drop servers there, and assign a new Group Policy Object to that OU. Adding servers to the farm? Just drop them into the right OU. Maintaining dev, test, and production farms? Just link the high-level policies to the right OUs, and override any farm-specific setting using child OUs.

Additionally, GPO integration means all GPO management features now apply to XenApp settings as well. GPMC supports backup/restore; migration; and resulting set of policies (planning and modeling). AGPM supports off-line editing; configuration logging; change control; role-based delegation; and more.

Finally, GPO integration allows separation of management roles within IT. XenApp administrators can delegate server provisioning more easily, knowing that the only required step is the correct OU assignment for the server - something non-XA admins can understand and perform without specific XA delegation.

How will it work?

When you install the XenApp for 2008 R2 Management Console, it will include extensions to GPMC and GP Editor. GP Editor will display new Citrix policy nodes under the existing Computer and User nodes. These apply to all servers and/or users under the scope of that GPO (generally the list of OUs the GPO is linked to). The GP Editor extension is also installed on all XenApp servers, so the Local GPO editor (gpedit.msc) will also display XA settings that apply to that computer alone.

This picture shows GPEdit after XenApp management consoles are installed:

In this example, I've selected "User Configuration", "Policies", and then "Citrix Policies". The UI is the same as the policy editor found in the native XenApp MMC console. The difference is that these policies are associated with the Group Policy itself, rather than any one farm! In other words, this policy will apply to all computers and users under the scope of this policy, even if the computers are in multiple XenApp farms.

Note that we didn't use standard ADMX files to represent our policies. ADMX couldn't handle our filtering requirements. Our policies support session filtering based on client-side parameters (AAC tags, client IP range, client name, etc.) as well as computer filtering based on IMA Worker Group membership.

You can set any number of policies under "Computer Configuration" and "User Configuration" for a single GPO. Each policy has its own filter - in the example above I've set policies for any user connecting from IP addresses different than 10.15.* - representing remote users.

All Group Policy rules and features apply to the Citrix extension: loopback, enforced policies, ACL and WMI filtering. For example, the following Modeling Report shows Windows and XenApp policies side-by-side:

I've launched this simulation from the "Citrix Group Policy Modeling" wizard, added to GPMC after you install the XenApp extension. That wizard replicates all steps of the "Group Policy Modeling", with one extra page where you can enter client IP, name, and AAC filters you want to simulate with.

Note that you can see which Group Policy setting "won" for every single setting. You can also see which XenApp filters "matched" the simulation, and the resulting policy group within the GPO.
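As an added illustration (not Citrix code and not part of the original post), the following simplified model shows the kind of evaluation a modeling report summarizes: per-policy session filters are matched first, then GPO precedence decides which value wins for each setting. GPO names, setting names, and filter keys are constructed for this sketch; AAC tags, Worker Groups, and per-policy priority inside a GPO are left out.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed GPOs in processing order (domain first, child OU last).
# Setting names and filter keys are hypothetical, chosen for this model only.
GPOS = [
    {"name": "Domain-Baseline", "enforced": False, "policies": [
        {"filter": {}, "settings": {"ClientDriveMapping": "Allowed",
                                    "ClipboardRedirection": "Allowed"}},
    ]},
    {"name": "XenApp-Prod-OU", "enforced": False, "policies": [
        # Mirrors the post's example: clients outside 10.15.* are remote users.
        {"filter": {"ip_not_in": "10.15.0.0/16"},
         "settings": {"ClientDriveMapping": "Prohibited"}},
        {"filter": {"client_name": "KIOSK-*"},
         "settings": {"ClipboardRedirection": "Prohibited"}},
    ]},
]

def filter_matches(flt, session):
    """True when every condition holds; an empty filter matches all sessions."""
    ip = ipaddress.ip_address(session["client_ip"])
    if "ip_not_in" in flt and ip in ipaddress.ip_network(flt["ip_not_in"]):
        return False
    if "ip_in" in flt and ip not in ipaddress.ip_network(flt["ip_in"]):
        return False
    pattern = flt.get("client_name")
    if pattern and not fnmatch(session["client_name"].upper(), pattern.upper()):
        return False
    return True

def model(gpos, session):
    """Return {setting: (value, winning GPO name)} for one simulated session."""
    result, locked = {}, set()
    # Enforced GPOs go first and lock their settings, so the enforced GPO
    # linked highest wins; the rest follow normal "last applied wins" order.
    ordered = [g for g in gpos if g["enforced"]] + \
              [g for g in gpos if not g["enforced"]]
    for gpo in ordered:
        matched = {}
        for policy in gpo["policies"]:
            if filter_matches(policy["filter"], session):
                matched.update(policy["settings"])
        for key, value in matched.items():
            if key not in locked:
                result[key] = (value, gpo["name"])
                if gpo["enforced"]:
                    locked.add(key)
    return result
```

Running `model(GPOS, {"client_ip": "203.0.113.7", "client_name": "laptop-01"})` shows the remote-user policy overriding the baseline for drive mapping only, which is the per-setting "winner" view the report gives.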

We know, however, that some XenApp admins cannot effectively use Group Policy: they either lack delegated control over the XenApp OU, or they are not using Active Directory. In this case, you can fully manage your farm using the Policy node in the XenApp Delivery Services console. I've shown how that is done in this blog post here.

Does this mean we have two policy systems, one in IMA, and another with Group Policies?

Not at all! I will describe how the IMA Policies and Citrix Group Policies extension work together in my next post.

Learn more about XenApp for R2

  • Download the tech preview for XenApp for Windows Server 2008 R2.
  • Register for the TechTalk hosted by Sridhar Mullapudi.

  1. Feb 17, 2010

    Neil Spellings says:

    I still can't see a way of integrating these policies into existing Workspace management tools such as AppSense or RES PowerFuse.

    Given many organisations don't allow their Citrix admins near AD, most now use these alternative tools to manage policy and lockdown on XenApp.

    If the new XenApp policies can't be integrated into these tools then implementation is going to be painful for a lot of organisations.

    Regards

    Neil
    http://neil.spellings.net

    1. Feb 22, 2010

      Juliano Maldaner says:

      Hello Neil, we're working with our partners to transition these platforms to the new configuration engine in XA6. The new model is compatible with these solutions, but the products you mentioned will have to interface with a different SDK.

  2. Jun 25

    Anonymous says:

    W2K8R2 is a requirement for XA6, but for AD GPO integrations what are the minimum requirements for AD?  Will AD GPO integration work with a W2K3 AD forest?

    1. Jun 28

      Juliano Maldaner says:

      Yes, XenApp 6 integration with AD Policies will work on a 2003 AD forest. The domain needs to be at least Windows 2000 functionality for policy; RSoP requires at least one 2K3 domain controller.
