Jump to content
Welcome to our new Citrix community!
  • 0

UPL mounting - slower because of antivirus?


Alexander Spies

Question

We experience long start-times with the User Personalization Layer CVAD 1912 LTSR. The user has to wait at the Storefront landing page for quite a while, until the ICA-Session for the UPL-Desktop finally opens up. This has to be during UPL-mount-time. In our lab we compared the mount-times between a golden-image with only Windows-Defender as antivirus and a golden image with Symantec Endpoint Protection as antivirus. Both sessions started slow, but the Symantec one took even longer.

 

Has anyone experienced similiar issues? Any suggestions or best-practices regarding antivirus when using Citrix User Personalization Layer (e.g. list of exclusions)? Any other startup-bottlenecks you experienced and hopefully have resolved?

 

Thanks and best regard

Link to comment

3 answers to this question

Recommended Posts

  • 0

Hello,

 

Regarding the experiencing similar issues or best practices, the following discussion thread seems to point to the same issue you are face (no resolution though, but there are additional things they tried to resolve the issue):

https://discussions.citrix.com/topic/392969-app-layering-4x-av-exclusions/?ct=1594041919

 

Can you confirm (as per https://discussions.citrix.com/topic/392969-app-layering-4x-av-exclusions/?ct=1594041919) that you are running a supported version of SEP (and are following the guidance of the deployment of SEP to the layer; could you provide details on how you are deploying SEP to the layer)?  I didn't see anything in the first discussion URL posted above regarding their version, but it's always a good thing to verify when troubleshooting.

 

In Director, is the session startup portion of the session details page showing any difference in start up times from the with/without SEP present testing?  If so, could you provide a screenshot of each to show the differences?

 

Not sure how else to troubleshoot this (I don't have access to SEP in a lab for testing), but I'm willing to continue to poke at this with the hopes of getting to a resolution for you (or at least a understanding of the 'why').

 

Regards,

Jim G.

 

 

Link to comment
  • 0

Hello Jim,
thanks for the heads up regarding the existing discussion. I'll take a look into the suggestions with my colleagues.

Quote

Can you confirm (as per https://discussions.citrix.com/topic/392969-app-layering-4x-av-exclusions/?ct=1594041919) that you are running a supported version of SEP (and are following the guidance of the deployment of SEP to the layer; could you provide details on how you are deploying SEP to the layer)? 

This shouldn't probably link to the discussion again, but another source? Still I'm prretty certain we run a supported version of SEP.

Edit: You probably meant to link to this: https://docs.citrix.com/en-us/citrix-app-layering/4/layer/layer-antivirus-apps.html#symantec-endpoint-protection - Yes, we are using a supported version.

 

The main difference between the existing discussion and our issues is that we aren't using App-Layering via ELM, but the User Personalization Layer Feature inside the VDA and Studio of CVAD 1912 LTSR. This means we have the Symantec antivirus installed in our golden image and than creat a Pool of desktops via MCS, with the UPL-Policies configured. I know this goes side-by-side with the App-Layering via ELM, but e.g. we can't create an isolated Symantec-Layer.

 

I attached the VDA session start-up times for the Symantec-start-up and the Win10-Vanilla-/Defender-startup.

Edit: Not nearly as bad as 4 minutes as mentioned in the former discussion, but the VDA-Launch-Duration isn't the only amount of time the user experiences as well.

 

Best regards,

Alex

Symantec.png

Defender.png

Edited by fraport.spies
Found further informations.
Link to comment
  • 0

After further investigation with the Citrix Support I received a link towards antivirus exclusions best-practices for Citrix environments, sadly it doesn't mention UPL and its services at all. 

 

Meanwhile we experimented with a vanilla Windows 10 golden-image, meaning no Symantec Endpoint Protection, just Windows defender. This fastened up logons by at least 25-30 seconds, meaning Symantec is definitely part of the slow-down. I asked support if the User-Layer-Services (namely Citrix UPL Support Service & Citrix Layering Service) should be excluded from antivirus as well, but instead it was suggested by  support that we include the UPL-Services into the the regkey [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\unifltr] "AlwaysOnBoot" (MULTI_SZ:), but we didn't see any difference in behaviour so far. Any experience about using this regkey to it's full potential?

 

We checked or issues when mounting the .vhd-file directly into a Non-UPL-Windows10 - no issues or delays there, but the disk isn't mounted as C:\ but e.g. D:\ instead (obviously). Support so far remains silent about revealing what service or file triggers the VHD-Mount and masks it as C:\.

 

We also contacted Symantec Support, but they only told us, that they are not certain that any version of SEP is officially tested with the UPL-Part of Citrix CVAD 1912 LTSR and we should talk to Citrix... Does anyone have better experiences with a different antivirus and UPL?

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...