Monday 18 July 2016

Customizing Your Desktop Delivery Controller Environment


Overview


After completing the initial setup tasks, you can customize and optimize your Desktop Delivery Controller deployment:

1. Create additional administrators for the farm, if necessary. 

2. Set up any general Citrix policies that you require, using the Presentation Server Console. See the Citrix Presentation Server Administrator’s Guide for details of configuring policies. Note the following points in relation to XenDesktop:

• You can set up policies that filter on desktop group name. If you rename the desktop group, you must update the policy with the new name.
• You cannot filter policies on server name.

3. Configure USB support. See “Configuring USB Support”.

4. Optimize the user experience by ensuring that settings for desktops and users are appropriate. See “Optimizing the User Experience”.

5. Set up printers, using the Presentation Server Console. See the Citrix Presentation Server Administrator’s Guide for details of setting up and managing printers. In XenDesktop, the following XenApp printer management features are not available:

• Driver replication, compatibility, and mapping
• Support for legacy Windows CE and DOS clients that cannot correctly report which printers are attached to the endpoint device
• Control of the total bandwidth limit of all printing connections to a particular controller

Creating Administrators


To manage your Desktop Delivery Controller environment efficiently, you may need to create additional administrators. You may also need to delegate Active Directory permissions to these administrators.

Delegating Active Directory Access Control

Active Directory is used to store information about the controllers in a farm. To add or remove controllers, administrators need certain Active Directory rights. For further information about this, 

Delegating Desktop Delivery Controller Administration Tasks

When you install Desktop Delivery Controller, the account you use to log on is automatically granted full administration rights, with authority to manage and administer all areas of Desktop Delivery Controller farm management. Using this account, you can then start the Access Management Console and create further full or delegated administrators.

Delegated administrators can view all information in the Desktop Delivery Controller extension of the console and they can also:

• Send messages to users
• Disconnect users
• Log off users
• Put desktops into maintenance mode and remove them from maintenance mode
• Start, stop, suspend, and resume virtual machines

Delegated administrators cannot:
• Create, modify, or delete desktop groups
• Add, modify, or delete administrators

Administrators who will run the Access Management Console remotely must have DCOM remote launch permissions.

To create a new Desktop Delivery Controller administrator

1. In the left pane of the Access Management Console, under the farm, select the Administrators node.

2. From the Action menu, select Add administrator.

3. On the Select Users page, click Add.

4. Click OK to add the user as an administrator.
Use the Active Directory object picker to select your user or group. Note that:
• You can only browse account authorities and select users and groups that are accessible from the computer running the Access Management Console.
• You should not select users and groups outside the trust intersection of the farm. If you do this, errors will occur.

5. Continue selecting the administrators you want to add, then click OK.


7. On the Privileges page, choose one of the following options:
• Select Delegated Administration to delegate specific, limited tasks to the selected administrators.
• Select Full Administration to give the selected administrators full access to all areas of farm management.

8. Click Finish.

Configuring USB Support


You can enable users to interact with a wide range of USB devices during a XenDesktop session. USB support is available on endpoints running the Desktop Receiver 11.1 or later, or the Client for Linux 11.0 or later.

By default, certain types of USB device are not supported for remoting through XenDesktop. For example, a user may have a network interface card attached to the system board by internal USB. Remoting this would not be appropriate. The following types of USB device are not supported by default for use in a XenDesktop session:

• Keyboards
• Mice
• Bluetooth dongles
• Integrated network interface cards
• Smart cards
• USB hubs

For more detailed information about the devices included in each class or type of device and whether or not USB support is provided for them, see the relevant client documentation.

To configure USB support

1. Enable the USB policy rule, which is located in the USB subfolder of the Client Devices Resources folder in the Presentation Server Console. 

2. Enable USB support when you install the client on endpoint devices. For information about how to do this, see the Citrix Desktop Receiver Administrator’s Guide or the Client for Linux Administrator’s Guide.

3. If necessary, update the range of USB devices supported. To do this:

• Edit the Desktop Receiver registry (or the .ini files in the case of the Client for Linux). For information about how to do this, see the Citrix Desktop Receiver Administrator’s Guide or the Client for Linux Administrator’s Guide.

• Edit the administrator override rules in the Virtual Desktop Agent registry on the machine(s) hosting the desktops. The range specified in the Virtual Desktop Agent must correspond exactly to the range specified on the client; if it does not, then only the devices disallowed in both ranges are disallowed.

The product default rules are stored in
HKLM\SOFTWARE\Citrix\PortICA\GenericUSB Type=String Name=“DeviceRules”

Do not edit the product default rules.

The administrator override rules are stored in
HKLM\SOFTWARE\Policies\Citrix\PortICA\GenericUSB Type=String Name=“DeviceRules”

ADM files are included on the installation media to allow you to make changes to the Desktop Receiver and the Virtual Desktop Agent through Active Directory Group Policy. The file for the Desktop Receiver is:
dvd root\os\lang\Support\Configuration\icaclient_usb.adm

and the file for the Virtual Desktop Agent is:
dvd root\os\lang\Support\Configuration\vda_usb.adm

For further information on setting up policies, see the Presentation Server Administrator’s Guide.

Support for USB Mass Storage Devices

For mass storage devices only, remote access is also available through client drive mapping, which you configure by enabling the Citrix Mappings rule. When this rule is applied, the drives on the endpoint device are automatically mapped to drive letters on the virtual desktop when users log on. The drives are displayed as shared folders with mapped drive letters. The Mappings rule is in the Drives subfolder of the Client Devices Resources folder in the Presentation Server Console.

The main differences between the two types of remoting policy are:

Feature                                   Mappings rule   USB rule
Rule enabled by default                   Yes             No
Read-only access configurable             Yes             No
Safe to remove device during a session    No              Yes, provided users follow operating system recommendations for safe removal.

If both rules are enabled, then if a mass storage device is inserted before a session starts, it will be redirected using client drive mapping first, before being considered for redirection through USB support. If it is inserted after a session has started, it will be considered for redirection using USB support before client drive mapping. Automatic support of devices upon insertion, however, depends on the type of client being used and the individual user preferences; for further information, see the relevant client documentation.

Optimizing the User Experience


This topic describes how to:

• Configure time zone settings to allow users to see their local time when using desktops.
• Configure connection timers to provide appropriate durations for uninterrupted connections, idle sessions, and disconnected sessions.
• Disable RDP, because the use of RDP can interfere with the operation of ICA.
• Remove the Shut Down command to prevent users from powering off their desktops, which would then require a manual restart by an administrator. This is not necessary for VM-based desktop groups.

For the best user experience, consider preinstalling frequently used software, such as a Flash player or other browser plug-ins in your desktops. Also consider enabling Microsoft ClearType or other font-smoothing technologies by default in users’ profiles.

Configuring Time Zone Settings

By default, when non-privileged users connect to Windows XP desktops, they see the time zone of the system running the desktop instead of the time zone of their own endpoint device. To allow them to see their local time when using these desktops you need to give them rights to:

• Change the time on the system on which the desktop is running. To do this, set up a Group Policy with rights given to non-privileged users to change system time settings.
• Change the time zone registry area.

After you do this, users who connect to Windows XP desktops see their local time zone reflected in the desktop. When they log off or disconnect, the time zone of the desktop is reset to what it was before they logged on.

You can configure time zone settings through Citrix policies. If you want endpoint devices to use the time zone of the virtual desktop to which they are connected, enable the rule Do not use Clients’ local time, which is in the Time Zones subfolder of the User Workspace folder in the Presentation Server Console.

Configuring Connection Timers

You can configure three connection timers:
• A maximum connection timer. This setting determines the maximum duration of an uninterrupted connection between an endpoint device and a desktop. By default, this setting is disabled.
• A connection idle timer. This setting determines how long an uninterrupted endpoint device connection to a desktop will be maintained if there is no input from the user. By default, this is set to 1440 minutes (24 hours).
• A disconnect timer. This setting determines how long a disconnected, locked desktop can remain locked before the session is logged off. By default, this setting is disabled for pre-assigned or assigned-on-first-use desktop groups and enabled for pooled desktop groups. The default setting is 1440 minutes (24 hours).

If you need to update any of these settings, ensure that settings are consistent across your deployment.

After you update any of these settings, you must restart the computer hosting the desktop for the new setting to take effect.

To enable the maximum connection timer, create the following registry key (DWORD):
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\Session\ConnectionTimer\enabled
and set the key to 1. To disable the timer, set the key to 0.

To update the maximum connection timer, create the following registry key (DWORD):
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\Session\ConnectionTimer\MaxConnectionTime
and set the maximum connection time in minutes.

To enable the connection idle timer, create the following registry key (DWORD):
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\Session\IdleTimer\enabled
and set the key to 1. To disable the timer, set the key to 0.

To update the connection idle timer, create the following registry key (DWORD):
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\Session\IdleTimer\MaxIdleTime
and set the maximum idle time in minutes.

To enable the disconnect timer, create the following registry key (DWORD):
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\Session\DisconnectTimer\enabled
and set the key to 1. To disable the timer, set the key to 0.

To update the disconnect timer, create the following registry key (DWORD):
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\Session\DisconnectTimer\MaxDisconnectTime
and set the maximum time in minutes to wait before logging off a disconnected session.
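
The timer values described above can be read back on each computer hosting a desktop to confirm what is actually configured. The following PowerShell is an added example, not part of the Citrix documentation; the function names and the 1440-minute review threshold are assumptions, and a missing value is reported as unset rather than guessed.

```powershell
# Added example: report the session timer values on a host running a desktop.
# Registry paths and value names are the ones listed in this section; the
# function names and the review threshold are assumptions for illustration.
$SessionKey = 'HKLM:\SOFTWARE\Citrix\PortICA\Session'
$Timers = @(
    @{ Timer = 'Maximum connection'; SubKey = 'ConnectionTimer'; Limit = 'MaxConnectionTime' }
    @{ Timer = 'Connection idle';    SubKey = 'IdleTimer';       Limit = 'MaxIdleTime' }
    @{ Timer = 'Disconnect';         SubKey = 'DisconnectTimer'; Limit = 'MaxDisconnectTime' }
)

function Read-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int64]$item.$Name
}

function Get-SessionTimerReport {
    param([int]$ReviewAboveMinutes = 1440)
    foreach ($t in $Timers) {
        $path    = Join-Path $SessionKey $t.SubKey
        $enabled = Read-RegistryDword -Path $path -Name 'enabled'
        $minutes = Read-RegistryDword -Path $path -Name $t.Limit

        # Classify the state so unset, disabled and over-long timers stand out.
        $finding = if ($null -eq $enabled) {
            'enabled not set in registry: default behaviour applies'
        } elseif ($enabled -eq 0) {
            'timer disabled'
        } elseif ($null -eq $minutes) {
            'enabled, no explicit limit set: default applies'
        } elseif ($minutes -gt $ReviewAboveMinutes) {
            "limit exceeds $ReviewAboveMinutes minutes: review"
        } else {
            'ok'
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Timer    = $t.Timer
            Enabled  = $enabled
            Minutes  = $minutes
            Finding  = $finding
        }
    }
}

Get-SessionTimerReport | Format-Table -AutoSize
```

Because each row carries the computer name, output collected from several hosts can be grouped by timer to spot settings that are not consistent across the deployment.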

Disabling RDP

If a user makes an RDP connection to a desktop, an ICA connection is not possible until either a user logs on interactively on the console of the computer hosting the desktop or the computer is restarted. Disconnecting the RDP session or logging off from RDP is not sufficient. 

Removing the Shut Down Command

Citrix recommends that you apply this Microsoft policy to all XenDesktop users. This prevents users from selecting Shut Down within a XenDesktop session and powering off the desktop, which would require manual intervention from the system administrator.

Locate this policy under User Configuration\Administrative Templates\Start Menu & Taskbar\Remove and prevent access to the Shut Down command and set it to Enabled.
