Jeff Riechers

Do you have any tab sleeping setup via GPO? I have seen sleeping tabs crash with the Ah Snap. Unfortunately 1GB of Ram for tabs is pretty common if the tab is running a bunch of processing javascript.

If you choose the Ram cache to be larger than the VMs available ram you are going to have huge paging problems. You don't set any settings for how much disk cache you will use, so your writecache drive should be the size of your provisioned C:\ drive, and thin provisioned only. There is no need for thick provisioning of the storage, you don't get any performance benefit. If your VM has 12GB of ram, I would only set the Ram cache to 1GB. To do 10GB of cache you will need 48GB of ram or more on the VM. I did create a little script that allows you to query the VM to see exactly how much RAM cache you are using versus how much disk cache. https://www.jeffriechers.com/wiki/pvs-writecache-usage-script/

The SDX SVM is a similar build to the ADM. They don't use an ns.conf like the NetScaler VPX/MPX uses. You can backup the SVM as part of the backup engine, and then take a look at the code, but there isn't a single file to handle the environment.

Are the users connecting to the Storefront directly, and then having Optimal Gateway Routing have them going to Gateways? Or does the workspace App talk directly to the gateway and never see the storefront url. I have seen this if the Storefront URL is the same as the Gateway URL. So what I do to mitigate it is set the Storefront URL to a different address, and set the beacons to be non-accessible so that it will never try and connect to the storefront bypassing the gateway. Now Workspace will still cache some information, so if the Storefronts are not replicated together the IDs in the cached published resources won't match to the new storefront, so it will require either a refresh, or a full reset.

Don't touch those. Studio handles the naming and placement of those and everything is programmed to them. It will remove older files as part of it's own cleanup. Those old items are for rollback if needed.

Why do you need all machines running? All you need is enough machines to handle login loads. Have anything not needed shutdown to save resources for active users.

What are you looking to forward? An IIS site? An apache web server? If it is a single URL you create an SSL Load balancer with an IP and a certificate bound to it, and a service pointing to your backend server. If it is multiple URLS, you create an SSL Content Swith with an IP and certificate bound to it. They you create policies that will look at the hostname hitting the IP and send it to appropriate load balancer with the backend service. Don't just start with the name of the tech. Give us a run-down on what you are trying to do, and we can help design something for you.

Does the client NEED to connect directly to backend via IP? Because this will change the URL and Hostname so that the client connects directly. Instead you would setup a non-addressable LB and have the content switch keep the HOSTNAME, but just change the URL portion after the hostname. Then it would drop that to the LB that then goes to the backend server on how it is defined in the LB service.

I have seen this happen if users are reconnecting to an existing session, or if they try to launch 2 copies of the app at the same time. Are users actually not getting sessions, or are you just seeing these messages in director. Do you have gateway? If so, take VPN out of the mix and just use gateway.

I would do it as a published app. Users only have access to published app. They click that app and select the app they want and duration. This is logged and if they refresh storefront they see the new app. At time limit you have a process remove users from group. I am in the process of designing something like this myself.

You will need promon on the file server to see what is locking it. Make sure that Firefox is not set to auto update, and exclude Firefox from streaming if using upm.

It looks like there is some windows logoff process happening that is cleaning up the session. What is running under the unstuck process? Do you see anything in the event log during the logoff process?

I went through this with a customer. You will need to create new non persistent machine catalogs from the efi machine. Because it adjusts the vm in vmware, and windows itself.

Nice article, question though. Does wem gpo have the same potential performance hit with multiple policies similar to how traditional gpos do? Or is breaking out gpos for dedicated purposes a better scenario?

You also can just have MCS create the snapshot for you. It will name it in an appropriate manner and will save you a step in deployments.

Is there a WEM tool that can be run on a clean machine to gather all allowed exe files, and then use that to build the allow list? That way anything that gets loaded can be blocked? Something that we can re-run as part of a non-persistent sealing script to capture new hashes from updated files?

FSLogix's updated ADMX files have an option to store the Office legacy token in the profile. If you don't have the hybrid joined and prt that legacy token will store their settings.

I'm sorry. S1 can be a bit of a headache in Citrix environments. You need to ensure all the necessary Citrix exclusions are in place to keep the overhead from S1 from impacting your sessions.

So the problem is you have to change this setting in the default.ica to something else Hotkey5Char=F2 Hotkey5Shift=Ctrl Instead do this Hotkey5Char=F10 Hotkey5Shift=Ctrl That will free up Ctrl-F2 to not be captured by citrix. And instead will go to your app.

Is Ctrl-F2 used in the application and that isn't passing through? Can you share the .ica file that is generated with all the hotkey listings?

We have wanted this for quite some time. Unfortunately, you will have to manually duplicate your settings.

It depends on the AV agent. Most agents execute in each user space to monitor that particular user's session. If you are using Windows Defender you can offload the definitions to make it lighter per user. https://www.jeffriechers.com/wiki/vdi-defender-offloading/

Do you have any type of IAM in place for users to request access? If so you could publish that interface as an application, users requests control, then when they refresh storefront they see the new app.