James Kindon
Posts posted by James Kindon
-
You should engage with a Microsoft Licensing partner to discuss the appropriate licensing model. There are considerations that may be unique to your environment - best to get the full picture based on your organization.
-
I haven't seen blobs used in Azure for FSLogix in years - https://learn.microsoft.com/en-us/fslogix/concepts-container-storage-options#azure-page-blob-storage-accounts
-
Good stuff, I know of a few customers that keep BIS-F locally to the image so you definitely aren't doing anything too strange :)
-
You don't need to do anything with ADMX on the endpoint - the ADMX is the front end for admins to configure and play with; ultimately, policy settings are written as reg keys on the endpoint.
I would not put your BIS-F config in via WEM. BIS-F will help with resetting the WEM cache, which in turn could remove your configurations - I am not sure how well that would pan out.
You could use the BIS-F ADMX locally on the base image (I know you want to avoid that), or you could use BIS-F shared configuration instead.
-
Hopefully it's on the money.
-
A standard Cloud connection flow does this assuming you are using the Gateway Service:
Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> The connection is tunneled via the Gateway Service -> through the Cloud Connector -> To the VDA
If you turn on Rendezvous Protocol, the following occurs:
Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> The connection is tunneled via the Gateway Service directly to the VDA. The Cloud Connector is no longer in the connection path. The VDA reaches out to the Gateway Service on 443 to make this happen
Direct Workload Connection changes things again:
Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> IF the network where the user lives has been defined as a network location in Citrix Cloud AND that location has direct line of sight to the VDA -> The Gateway Service is bypassed entirely, and the user connects straight to the VDA
This makes it very similar to a traditional storefront flow on-prem. You now have a single connection from endpoint to VDA
HDX Direct is the future of Direct Workload Connection. It will effectively do the same thing, but you will not need to define network locations for the behavior to occur. It uses the Gateway Service to establish a connection, and then learns if a direct connection to the VDA is possible. There are certs and other info passed around, along with some use of STUN etc., to make this secure and a bit more robust.
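A reachability check for the two paths described above, run from the host that actually opens them, as an added example (this is not code from the original post or from Citrix). With -Mode Rendezvous it runs on the VDA and tests outbound TCP 443 to the Gateway Service FQDNs you pass in; with -Mode DirectWorkload it runs on the endpoint and tests the standard ICA (1494) and CGP (2598) ports straight to the VDA. The function name, its parameters and the placeholder host names are assumptions; the Gateway Service FQDNs come from your own tenant's published endpoint list. It tests reachability only, not whether Rendezvous is enabled by policy or whether the network location is defined in Citrix Cloud.

```powershell
function Test-HdxPath {
    [CmdletBinding()]
    param(
        # Rendezvous: run ON the VDA; the VDA must reach the Gateway Service outbound on 443.
        # DirectWorkload: run ON the endpoint; the client must reach the VDA directly.
        [Parameter(Mandatory)]
        [ValidateSet('Rendezvous', 'DirectWorkload')]
        [string]$Mode,

        # Gateway Service FQDN(s) for your tenant (assumption: taken from Citrix's published list)
        [string[]]$GatewayServiceFqdn,

        # VDA host name or IP the endpoint should reach directly
        [string]$Vda,

        [int]$TimeoutMs = 3000
    )

    # Build the target list for the chosen path
    $targets = switch ($Mode) {
        'Rendezvous' {
            if (-not $GatewayServiceFqdn) { throw 'Rendezvous mode needs -GatewayServiceFqdn' }
            foreach ($f in $GatewayServiceFqdn) { [pscustomobject]@{ Host = $f; Port = 443 } }
        }
        'DirectWorkload' {
            if (-not $Vda) { throw 'DirectWorkload mode needs -Vda' }
            # 1494 = ICA, 2598 = CGP/Session Reliability (TCP only; EDT over UDP is not tested here)
            foreach ($p in 1494, 2598) { [pscustomobject]@{ Host = $Vda; Port = $p } }
        }
    }

    foreach ($t in $targets) {
        $client = New-Object System.Net.Sockets.TcpClient
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $async = $client.BeginConnect($t.Host, $t.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # refused/reset surfaces here as an exception
                $result = 'Open'
            } else {
                $result = 'Timeout'          # typical of a firewall silently dropping the SYN
            }
        } catch {
            $result = 'Failed: ' + $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
            $sw.Stop()
        }
        [pscustomobject]@{
            Mode   = $Mode
            Target = '{0}:{1}' -f $t.Host, $t.Port
            Result = $result
            Ms     = $sw.ElapsedMilliseconds
        }
    }
}

# Usage (host names are placeholders):
#   On the VDA:      Test-HdxPath -Mode Rendezvous -GatewayServiceFqdn 'gateway.example.invalid'
#   On the endpoint: Test-HdxPath -Mode DirectWorkload -Vda 'vda01.corp.example'
```

If the VDA only reaches the internet through a proxy, a raw TCP test to the FQDN is not representative of what Rendezvous will do, so treat a Timeout there as "check the proxy configuration" rather than a verdict.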
-
Citrix direction is that the product sets should be effectively on par - it's just that the Cloud will likely get new features first due to the release pipelines etc.
If you want to compare being on prem to Citrix Cloud from a feature standpoint, you probably need to shift the thinking to more of a Current Release strategy. The next LTSR is going to have a load more stuff, but like any LTSR, it will be static capability whilst the CR and Cloud streams run ahead with new stuff, so you will end up watching features arrive that you won't have in LTSR. Autoscale, for example, is something that has features added to it fairly regularly.
-
It's been a while, but do you happen to have accelerated networking enabled on the NICs? Had all sorts of issues with that in previous deployments.
-
Happy New Year Martin
On 12/29/2023 at 6:57 PM, Martin Munk Mouritsen1709164054 said: Yes we are using that "Include Outlook Personalization" - among other things like "include teams", OneNote, OneDrive, Office activation etc.
This could be problematic in a migration scenario; I wonder if that is what is breaking your outlook piece.
On 12/29/2023 at 6:57 PM, Martin Munk Mouritsen1709164054 said: Sadly we don't use WEM, even though I am a massive fan, but I guess we can do similar things with a logon script. (Maybe I should bring that up again..)
Yeah, any tool will do the job, WEM was just my tool of choice, PowerShell etc. will get the job done.
On 12/29/2023 at 6:57 PM, Martin Munk Mouritsen1709164054 said: Not sure what I was hoping for in terms of answer either. I'm just a bit baffled about the current setup.
This is a pretty common deployment model - UPM with Office Containers was pretty solid. Typically, I think if you can, undoing each component bit by bit is probably going to be your friend.
-> AppData redirection -> Kill it, low hanging fruit
-> Then maybe a look at those Outlook settings in the Office container -> Also have a look at the silent config options via GPO for Outlook
-> Once those are out of the way, you should be back to normal profile migration considerations -> which I still vote for killing if you can; crud in, crud out, as it goes.
-
4 hours ago, Cory Zaner said:
@James Kindon I am trying this with Citrix Cloud and FAS. I have it working on the first domain, but when I add another domain I get a SID mismatch error. Yes, I already removed the SID required and have matching UPNs. It's like we need a trust between the domains :(. Any ideas?
I've got nothing on that one - multi-forest and SAML stuff -> an area I haven't had to think about for a while now. Wonder if you need to maybe look at the Adaptive Authentication piece
-
In the current deployment with FSLogix Office Containers, I wonder if they are using the "Include Outlook Personalization" component -> this could be hurting if it's enabled, and then the office container is taken away?
Usually when handling profile migrations, I tried to start as clean as possible and then bring what was needed, some examples from memory:
- Things like signatures etc were in appdata -> copied them using a one off WEM task. Same for office caches, quick launches etc.
- Outlook profiles, typically recreated and used the auto config/silent config to make sure it was as smooth for a user as possible.
Resetting AppData redirection back to defaults is always one of the most enjoyable parts -> I have a small script that might help here https://jkindon.com/stop-redirecting-appdata/
Good test on how much a profile is actually needed is simply reset a user's profile and see what they are not happy with - typically easy enough to fix those bits
You should be able to get away with CPM for all requirements above; it's just going to be an order of execution thing.
-
On 12/14/2023 at 7:33 AM, Greg Beck said:
To close the loop with this. I have been working with support on the issue.
The final answer is this is the expected behavior. The infrastructure server requires that the SQL database is available. Their suggestion is to stop the infrastructure service on the server. That will get the agents to switch over to using their cache.
Or put the database in a highly available SQL server.
This does not sound right at all. There is a Cache on the Broker that is supposed to sustain the loss of SQL connectivity. The product team have eyes on this, but will need more info, I will DM you
-
Hrmm, it seems strange that you would be impacted by that service; that shouldn't be causing any issues these days.
You could try exempting the auto logon user from WEM altogether (the same as you would probably exempt it from profile management etc). You can do that in the WEM console.
-
I had some challenges with the Kerberos realm name that needed adding into the resolv.conf file.
Make sure to kill off that CNAME after testing, it does not play nicely.
I'll ping this at the product team for visibility as well.
-
Try adding these two directories to your "list of Directories to Sync" policy for CPM
AppData\Local\Microsoft\Credentials
AppData\Roaming\Microsoft\Credentials
And add this to your folders to mirror policy
AppData\Local\Microsoft\Vault
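A check for the configuration above, as an added example (not code from the original post or from Citrix): run inside the user's session, it reports for each of the three folders whether the effective CPM policy lists it and how many files exist locally. The registry layout it reads (each list entry stored as a value under a subkey named after the list setting, below HKLM\SOFTWARE\Policies\Citrix\UserProfileManager) is an assumption from how the CPM ADMX has written list policies in my experience; verify it against your own ADMX, and note that lists set through UPMPolicyDefaults.ini are not read here.

```powershell
function Test-CpmCredentialRoaming {
    # Assumption: the CPM ADMX stores each list entry as a value under a subkey named after the
    # list setting. Check against your ADMX; UPMPolicyDefaults.ini lists are not read here.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager'

    # The three locations from the post: Credentials folders synced, Vault mirrored.
    $required = @(
        [pscustomobject]@{ Folder = 'AppData\Local\Microsoft\Credentials';   List = 'SyncDirList' }
        [pscustomobject]@{ Folder = 'AppData\Roaming\Microsoft\Credentials'; List = 'SyncDirList' }
        [pscustomobject]@{ Folder = 'AppData\Local\Microsoft\Vault';         List = 'MirrorFoldersList' }
    )

    foreach ($r in $required) {
        $key = Join-Path $policyRoot $r.List
        $entries = @()
        if (Test-Path -LiteralPath $key) {
            $entries = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |            # drop PSPath/PSParentPath/etc.
                ForEach-Object { "$($_.Value)".Trim().TrimEnd('\') }
        }
        $wanted   = $r.Folder.TrimEnd('\')
        $inPolicy = @($entries | Where-Object { $_ -ieq $wanted }).Count -gt 0

        $local = Join-Path $env:USERPROFILE $r.Folder
        $fileCount = 0
        if (Test-Path -LiteralPath $local) {
            $fileCount = @(Get-ChildItem -LiteralPath $local -Force -Recurse -File -ErrorAction SilentlyContinue).Count
        }

        [pscustomobject]@{
            Folder      = $r.Folder
            PolicyList  = $r.List
            InPolicy    = $inPolicy
            ExistsLocal = Test-Path -LiteralPath $local
            FileCount   = $fileCount
        }
    }
}

# Run in the user's session, then again after a logoff/logon. InPolicy true but FileCount
# back to zero on the new session means the folder is not being written back.
Test-CpmCredentialRoaming | Format-Table -AutoSize
```

One caveat worth remembering: the files in those folders are DPAPI-protected, so they are only usable on the next logon if the user's DPAPI master keys (AppData\Roaming\Microsoft\Protect) roam with the profile as well; if that folder is excluded, the credentials will roam but fail to decrypt.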
-
This is a well-known frustration. There are a number of ways to tackle this:
- You can use something like Desktop Probe via Citrix.
- You can use a logon simulator from ControlUp or eG etc.
- You can follow George's post here (works a treat) https://jgspiers.com/citrix-director-reduce-logon-times/#Autologon-Account
Another fun one is app prefetch (loading binaries into memory upfront). A normal pre-logon won't address this unless you execute specific items within the logon itself.
- You can script it and run a startup script. Examples here https://github.com/JamesKindon/Citrix/blob/master/PreFetchStartApps.ps1
- Jeremy Saunders has a framework here https://www.jhouseconsulting.com/2023/06/27/cold-starting-andor-hydrating-your-applications-to-improve-their-startup-times-2352
- You could drive the process via BIS-F if using PVS https://eucweb.com/kba/281219084515-2
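The minimal shape of the app prefetch pass described above, as an added example (it is not the linked PreFetchStartApps.ps1 or Jeremy's framework, which go further): each application is launched hidden, given time to bring up its message loop, then stopped, so its binaries and DLLs are already in memory when the first real user lands. The function name, the default executable paths and the timeout are assumptions; substitute the binaries your users hit first.

```powershell
function Invoke-AppPrefetch {
    [CmdletBinding()]
    param(
        # Assumed paths; replace with the binaries your users open first after logon.
        [string[]]$Executables = @(
            "$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE",
            "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE"
        ),
        # Upper bound on how long each app may take to initialise before it is killed.
        [int]$SettleSeconds = 20
    )

    foreach ($exe in $Executables) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Exe = $exe; Status = 'Missing'; Ms = 0 }
            continue
        }
        $status = 'Hydrated'
        $proc   = $null
        try {
            $proc = Start-Process -FilePath $exe -WindowStyle Hidden -PassThru -ErrorAction Stop
            try {
                # Returns once the app has created its message loop and gone idle, or on timeout.
                $null = $proc.WaitForInputIdle($SettleSeconds * 1000)
            } catch [System.InvalidOperationException] {
                # Apps without a message loop (or that exited already) throw here;
                # their image is loaded anyway, so just give them a moment.
                Start-Sleep -Seconds 2
            }
        } catch {
            $status = 'Failed: ' + $_.Exception.Message
        } finally {
            # Always tear the process down so nothing is left running under the startup account.
            if ($proc -and -not $proc.HasExited) {
                Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
            }
            $sw.Stop()
        }
        [pscustomobject]@{ Exe = $exe; Status = $status; Ms = $sw.ElapsedMilliseconds }
    }
}

# Run as a computer startup script (or from BIS-F), not per user, and log the output
# so you can see which apps were missing or failed to start under that account.
Invoke-AppPrefetch | Format-Table -AutoSize
```

The account the startup script runs under matters: some applications initialise differently (or not at all) under SYSTEM versus a user context, which is exactly the sort of thing the linked articles above work through.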
-
Citrix doc states it's not supported - you choose where you want to land with it functionally.
-
You don't have "hide common start menu programs" enabled in conjunction with a bad UPM config do you?
Make sure to follow this - don't mistake Windows 10 settings for Server OS.
-
What do your FAS logs say? It's been a while since I have been in FAS land, but the FAS and CA logs were typically pretty good at letting you know what's going on
-
You can’t publish an application that comes from an app layer, that isn’t supported
-
Means your account doesn’t have access. You will need to sort that out with support or whoever owns the keys to your contracts with Citrix
-
You can use AAA groups and Session Policies to achieve this on the NetScaler
-
There will be a tag on the VM on the hypervisor. XDProv or something like that. Remove the tag and it will show up in the list of vms
-
Open ports to and from VDA (Source and Destination) in XenDesktop 7.x
The techzone link above has everything and more that you are asking for here - it's pretty clearly laid out already?