[Open ports to and from VDA (Source and Destination)]

The techzone link above has everything and more that you are asking for here - it's pretty clearly laid out already?

[RDS CALs License type for Citrix Hosted Shared Desktop Deployment]

You should engage with a Microsoft L.icensing partner to discuss the appropriate licensing model. There are considerations that may be unique to your environment - best to get the full picture based on your organization

[Citrix WEM logs for Administration]

https://docs.citrix.com/en-us/workspace-environment-management/service/using-environment-management/administration#administrative

[Can FSLogix use RW Disk inside of Cloud Cache Containers using Azure Blob Storage?]

I haven't seen blobs used in Azure for FSLogix in years - https://learn.microsoft.com/en-us/fslogix/concepts-container-storage-options#azure-page-blob-storage-accounts

[WEM and importing ADMX templates]

Good stuff, I know of a few customers that keep BIS-F locally to the image so you definitely aren't doing anything too strange :)

[WEM and importing ADMX templates]

You don't need to do anything with ADMX on the endpoint - they ADMX is the frontend for Admins to configure and play with, ultimately, policy settings are written as reg keys on end the endpoint.

 

I would not put your BIS-F config in via WEM, BIS-F will help with resetting the WEM cache, which in turn could remove your configurations - I am not sure how well that would pan out.

 

You could use BIS-F locally ADMX on the base image (I know you want to avoid that), or you could use BIS-F shared configuration instead.

[HDX direct, Direct Workload, and Rendezvous explained and differences]

? Hopefully it's on the money ? 

[HDX direct, Direct Workload, and Rendezvous explained and differences]

A standard Cloud connection flow does this assuming you are using the Gateway Service:

 

Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> The connection is tunneled via the Gateway Service -> through the Cloud Connector -> To the VDA

 

If you turn on Rendezvous Protocol, the following occurs:

 

Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> The connection is tunneled via the Gateway Service directly to the VDA. The Cloud Connector is no longer in the connection path. The VDA reaches out to the Gateway Service on 443 to make this happen

 

Direct Workload Connection changes things again:

 

Citrix Workspace handles Authentication and Resource Enumeration -> The user launches a desktop -> IF the network where the user lives has been defined as a network location in Citrix Cloud AND that location has direct line of sight to the VDA -> The Gateway Service is bypassed entirely, and the user connects straight to the VDA

 

This makes it very similar to a traditional storefront flow on-prem. You now have a single connection from endpoint to VDA

 

HDX Direct is the future of Direct Workload Connection, it will effectively do the same thing, but you will not need to define network locations for the behavior to occur. It uses the Gateway Service to establish a connection, and then learns if there is a direct connection to the VDA possible. There are certs and other info passed around along with some use of STUN etc to make this secure a bit more robust

 

[Citrix Autoscale for Onprem LTSR]

Citrix direction is that the product sets should be effectively on par - it's just the Cloud will likely get new features first due to the release pipelines etc

 

If you want to compare being on prem to Citrix Cloud from a feature standpoint, you probably need to shift the thinking to more of a Current Release strategy. The next LTSR is going to have a load more stuff, but like any LTSR, it will be static capability whilst the CR and Cloud streams run ahead with new stuff so you will end up watching features arrive that you won't have in LTSR - Autoscale for example is something that has features added to it fairly regularly

[Azure NetScaler Pairs locking up.]

It's been a while, but do you happen to have accelerated networking enabled on the NICS? Had all sorts of issues with that in previous deployments

[Profile mangement consolidation - how to?]

Happy New Year Martin

 

On 12/29/2023 at 6:57 PM, Martin Munk Mouritsen1709164054 said:

Yes we are using that "Include Outlook Personalization" - Among other things like "include teams" , onenote, one drive , office activation ect...

This could be problematic in a migration scenario; I wonder if that is what is breaking your outlook piece.

 

On 12/29/2023 at 6:57 PM, Martin Munk Mouritsen1709164054 said:

Sadly we don't use WEM, even though i am a massive fan ? but i guess we can do similar things with a logon script. (Maybe i should bring that up again..)

Yeah, any tool will do the job, WEM was just my tool of choice, PowerShell etc. will get the job done.

 

On 12/29/2023 at 6:57 PM, Martin Munk Mouritsen1709164054 said:

Not sure what i was hopeing for in terms of answer either. i'm just a bit baffled about the current setup ?

 

This is a pretty common deployment model - UPM with Office Containers was pretty solid. Typically, I think if you can, undoing each component bit by bit is probably going to be your friend.

-> AppData redirection -> Kill it, low hanging fruit

-> Then maybe a look at those outlook settings in the office container -> Also have a look a the silent config options via GPO for outlook

-> Once those are out of the way, you should be back to normal profile migration considerations -> Which i still vote for kill if you can, crud-in crud-out as it goes ?

[Authentication and design question for multiple domains]

4 hours ago, Cory Zaner said:

@James Kindoni am trying this with Citrix cloud and FAS, I have it working on the first domain, but when I add another domain I get a SID mismatch error, yes I already removed the SID required and have matching UPNs. Its like we need a trust between the domains :(. Any ideas?

I've got nothing on that one - multi-forest and SAML stuff -> an area I haven't had to think about for a while now. Wonder if you need to maybe look at the Adaptive Authentication piece

[Profile mangement consolidation - how to?]

In the current deployment with FSLogix Office Containers, I wonder if they are using the "Include Outlook Personalization" component -> this could be hurting if it's enabled, and then the office container is taken away?

 

Usually when handling profile migrations, I tried to start as clean as possible and then bring what was needed, some examples from memory:

• Things like signatures etc were in appdata -> copied them using a one off WEM task. Same for office caches, quick launches etc.
• Outlook profiles, typically recreated and used the auto config/silent config to make sure it was as smooth for a user as possible.

Resetting AppData redirection back to defaults is always one of the most enjoyable parts -> i have a small script that might help here https://jkindon.com/stop-redirecting-appdata/

 

Good test on how much a profile is actually needed is simply reset a user's profile and see what they are not happy with - typically easy enough to fix those bits

 

You should be able to get away with CPM for all requirements above, it's just going to be an order of execution thing,

 

[Citrix WEM 2305 - Service Preventing Logins]

On 12/14/2023 at 7:33 AM, Greg Beck said:

To close the loop with this.  I have been working with support on the issue.  

 

The final answer is this is the expected behavior.  The infrastructure server requires that the SQL database is available.  Their suggestion is to stop the infrastructure service on the server.  That will get the agents to switch over to using their cache.

 

Or put the database in a highly available SQL server.

This does not sound right at all. There is a Cache on the Broker that is supposed to sustain the loss of SQL connectivity. The product team have eyes on this, but will need more info, I will DM you

[First worker logon slow]

hrmm it seems strange that you would be impacted by that service, that shouldn't be causing any issues these days.

 

You could try exempting the auto logon user from WEM altogether (the same as you would probably exempt it from profile management etc). You can do that in the WEM console.

[Ubuntu VDA not registering on DDC]

I had some challenges with kerberos realm name that needed adding into the resolv.conf file

 

Make sure to kill off that CNAME after testing, it does not play nicely.

 

Ill ping this at the product team for visibility as well

[Citrix profile manager not syncing saved windows credentials]

Try adding these two directories to your "list of Directories to Sync" policy for CPM

AppData\Local\Microsoft\Credentials

Appdata\Roaming\Microsoft\Credentials

 

And add this to your folders to mirror policy

AppData\Local\Microsoft\Vault

 

[First worker logon slow]

This is a well-known frustration. There are a number of ways to do tackle this:

• You can use something like Desktop Probe via Citrix.
• You can use a logon simulator from Control Up or EG etc.
• You can follow George post here (works a treat) https://jgspiers.com/citrix-director-reduce-logon-times/#Autologon-Account

Other fun one is app-prefetch (loading binaries into memory upfront). A normal pre-logon won't address this unless you execute specific items within the logon itself

• You can script it and run a startup script. Examples here https://github.com/JamesKindon/Citrix/blob/master/PreFetchStartApps.ps1 
• Jeremey Saunders has a framework here  https://www.jhouseconsulting.com/2023/06/27/cold-starting-andor-hydrating-your-applications-to-improve-their-startup-times-2352
• You could drive the process via BIS-F if using PVS https://eucweb.com/kba/281219084515-2

[We are using Published applications on multisession host and not the desktops, will elastic layer still work, user will launch only an application?]

Citrix doc states it’s not supported - you choose where you want to land with it functionally ?

[start menu tiles is broken for window server 2019 (vda 1912 cu8)]

You don't have "hide common start menu programs" enabled in conjunction with a bad UPM config do you?

 

Make sure to follow this - don't mistake windows 10 settings for Server OS

https://docs.citrix.com/en-us/profile-management/current-release/profile-management-best-practices.html#start-menu-roaming

[Windows Login Prompt when using Azure AD SAML Integration]

What do your FAS logs say? It's been a while since I have been in FAS land, but the FAS and CA logs were typically pretty good at letting you know what's going on

[We are using Published applications on multisession host and not the desktops, will elastic layer still work, user will launch only an application?]

You can’t publish an application that comes from an app layer, that isn’t supported 

 

https://docs.citrix.com/en-us/citrix-app-layering/4/layer/assign-elastic-layers.html#about-elastic-layers

[How to download Virtual App and desktop]

Means your account doesn’t have access. You will need to sort that out with support or whoever owns the keys to your contracts with Citrix 

[How to restrict a single app to users connecting from home?]

You can use AAA groups and Session Policies to achieve this on the NetScaler

[How to add Static MCS VDA to Another Technology ( Existing )]

There will be a tag on the VM on the hypervisor. XDProv or something like that. Remove the tag and it will show up in the list of vms