Using Citrix Policies Part One
- Published: Thursday, 17 April 2008
Using Citrix Policies
Since Metaframe XP Citrix introduced Citrix Policies. Till now I still come at customers sites where those policies are not used. In this article I will explain on a basic level how to configure the policies, the advantage of using those policies and some best practices settings.
Creating a Policy
Creating a Policy
Citrix policies are configured on a farm level and even in CPS 4.5 they are still configured in the java based Citrix Management Console (nowadays called Presentation Server Console). Creating a policy is pretty simple. Right click the Policy component in the left screen of the console and choose New Policy.
Figure 1: Creating a new policy
Next you need to provide a name for the policy and a description for the policy. You can also specify the type of connection. When you select this option Citrix already configures the policy with optimal settings for that type of connection. Choices available are WAN, Dial-up or Satellite. Of course it is adjust the policy to your needs, but you can start with a good basis.
Figure 2: Naming the new policy
You can create more than one policy within the console. These policies (if not filtered, which I will explain later) will be combined based on a priority. The policy with highest priority will be run at last, so these settings will be set. If you have settings defined in more policies, the settings will be applied out of the policy with the highest priority level. If you have settings in a policy defined which are not defined in a policy with higher priority these settings will be preserved (settings are combined out of all defined policies). You can configure the priority level of the policies by right click the policy, choose Priority and raise or decrease the policy priority.
Figure 3: Change the priority of the policy
If you have already a policy defined and would like to use that as the template for another policy just right clicks the policy and choose Copy Policy.
Configuring the policy
When the policy is created it is time to configure him. Therefore double click the policy or right click the policy and choose properties. The policy will open and you will see five main components displayed: Bandwidth, Client Devices, Printing, User Workspace and Security. Every component exist of settings and subcomponents (with settings logically).
Figure 4: Start of configuring the policy.
I will not describe every settings in detail because this article will be 60 part series probably. But I will describe the settings in general and highlight some important ones.
First we start with the bandwidth component, which has three subcomponents. In the Visual Effect components you can disable the wallpaper, menu animation and/or show Windows contents while dragging. Of course these settings save bandwidth is also arranging a better performance view from the end user perspective. I would advice to enable those three for performance reasons, but remember that can differ from the experience users have from a fat client. Secondly SpeedScreen settings concerning images can be configured here by selecting the quality of images shown with the corresponding compression. Default of Citrix is the highest level, so you only need to change this if you would like to have better image quality. CPS4.5 administrators also have the possibility to enable SpeedScreen Progressive Display for high graphical 2D applications (default this is feature is disabled).
The session limit is really about bandwidth restrictions. Per virtual channel (client mappings) you can configure the maximum of bandwidth usage. There is also an overall bandwidth setting that counts all these channels together and limits in this way the total bandwidth that can be used. The configuration of bandwidth usage depends of the amount of users and the line between the users and the Citrix Farm and should be determined by monitoring this during the pilot phase.
Figure 5: Bandwidth settings configured.
Under the client devices component you can configure the settings for client mappings. Basically you can enable or disable the client mapping like COM port, LPT port, Twain redirection, PDA synchronisation and Microphone mappings. Also the sound quality can be set in this component. At the drives subcomponent you can also configure which type of client drives should be mapped like floppy disk, hard driver, CD-Rom drive or remote drives. Not a real client device but also available in this component is the possibility to turn off auto client update feature.
Figure 6: Client Devices options within the policy.
The following component has a pretty obvious name for the included settings. In the printers component settings can be found for both client printers as using session printing (importing the print server within your Citrix infrastructure. At the subcomponent client printer you can configure enable or disable auto creation. If you choose to enable the auto creation client printer you can also configure which printers should be mapped (all, default only, only local printers. For backwards compatibility you can enable the old name style for client printing again. Configure where printer properties should be stored can be configured via the policies in the userprofile, saved on the client or both. My personal opinion is saving this in the userprofile. If you are network printers you could configure that the jobs are directly send to the printserver or are routed via the client. If the print server is located on a WAN location routing via the ICA client is preferable because you can use the bandwidth restrictions earlier. Directly to the print server is normal Windows traffic, which can become huge. If you do no want auto create client printers, just enable the policy Turn off client printer mapping.
At the drivers tab you can configure if the operating system may install native drivers if they are available on the server on that moment. The second option is the configuration when the universal driver will be applied. Probably the most used setting is to use the universal driver if the requested driver is not available. Other options are only use specific model driver or only use universal driver.
Figure 7: Printer settings within the policy component
The last option is configure network printers directly for the user via session printer. You can add manually the printer shares into this one or when imported a printer server you can select them out of the list.
Within User Workspace configuration several items can be found which are not directly related to each other, but have some to do with settings in the user session. Let's start with the connection settings. First you can configure a possible limitation on the total sessions a user is allowed to have on all servers together. When using the PNAgent or Web Interface and have more locations where the Presentation Servers are located the zone preferences settings is very useful. With this setting you can configure the primary, back-ups zones or even configure that a specific zone may not be used.
If you would like to have different shadow configurations you can also set this via the policies. The same settings are available during the installation of the server like prohibit being shadowed without notification and prohibit remote input when being shadowed. Via the permissions you can configure which users are allowed to shadow sessions.
Also useful when using PNAgent or Web Interface is the content redirection. With the setting server to client you can configure that website links (out of other programs) will be redirected to the local browser in stead of on the Terminal Server. If you don't want that the local time is not displayed you can enable this here (remember that settings can also be configured on server level).
Figure 8: User Workspace policy settings
There are also settings for one of the other Citrix products Password Manager. You can configure the central credential store or that Password Manager should not be used. Within the Published Application wizard/properties you configure which type of application you are publishing (application from the server or a streamed application). With the policy configure delivery protocol you can override these settings. Be really careful with this setting because this can cause that applications are not functioning anymore. The advice is to use it only if there is very specific reason for. Also this setting will only be applied on CPS4.5 servers.
The last component is security which is hosting only one setting named SecureICA encryption. With this setting you can set the minimum required encryption level being used for the ICA session. Remember that you configure the published application at least with the same encryption level as configured in the policy otherwise the applications can not be started.
The configuration will be stored in the Citrix datastore when you press the OK or the apply button. There is no warning window displayed when you select the cross or the cancel button, so your just configured settings are lost immediately.
Figure 9: Security Policy Settings
In this first article about Using Citrix Policies we walked through the creating and configuration of Citrix policies. In this second article I will show you how the policies will be applied by using filters, summarize the advantages of Citrix policies and provide you with some best practices information.