© 2014 Citrix Systems, Inc. All rights reserved.
App Orchestration 2.5
Getting Started with Citrix App Orchestration 2.5
Last Updated: August 8, 2014
Getting Started with Citrix App Orchestration 2.5
Page 2 © 2014 Citrix Systems, Inc. All rights reserved.
Contents
Welcome to App Orchestration 2.5 ........................................................................................................ 8
What’s New in This Release .............................................................................................................. 8
Documentation and support for App Orchestration ............................................................................. 8
App Orchestration components ............................................................................................................12
Configuration server ..........................................................................................................................12
What is it? .....................................................................................................................................12
What does it do? ...........................................................................................................................12
How many do I need? ....................................................................................................................13
Domain agent ...................................................................................................................................13
What is it? .....................................................................................................................................13
What does it do? ...........................................................................................................................13
How many do I need? ....................................................................................................................13
Delivery Sites and Delivery Controllers .............................................................................................13
What are they? ..............................................................................................................................13
What do they do? ..........................................................................................................................14
How many do I need? ....................................................................................................................14
Additional information ....................................................................................................................14
Session Machines, Catalogs, and Delivery Groups ...........................................................................14
What are they? ..............................................................................................................................14
What is a catalog? .........................................................................................................................14
How many do I need? ....................................................................................................................15
Additional information ....................................................................................................................15
StoreFront .........................................................................................................................................15
What is it? .....................................................................................................................................15
How many do I need? ....................................................................................................................16
Compute resources ...........................................................................................................................16
App Orchestration deployment overview ..............................................................................................17
Prepare to deploy App Orchestration 2.5 ..............................................................................................18
How many machines do I need? .......................................................................................................18
Network preparation task overview ...................................................................................................19
Machine preparation task overview ...................................................................................................20
Prepare your Active Directory domains .............................................................................................20
Task 1: Prepare required domains .................................................................................................21
Task 2: Prepare required organizational units ................................................................................21
Task 3: Prepare tenant domains and user groups .........................................................................22
Configure the App Orchestration Group Policy ..................................................................................23
Task 1: Set the PowerShell execution policy .................................................................................24
Task 2: Configure PowerShell remoting .........................................................................................24
Task 3: To enable remote administration with WMI .......................................................................26
Create administrator accounts ..........................................................................................................26
Set up Citrix Licensing ......................................................................................................................27
Set up compute resources ................................................................................................................27
Set up NetScaler Gateway ................................................................................................................28
LDAP authentication for NetScaler Gateway .................................................................................28
Prepare the database server .............................................................................................................28
Supported database servers ..........................................................................................................29
Support for database mirroring ......................................................................................................29
System requirements .....................................................................................................................29
Task 1: Create a firewall exception ................................................................................................30
Prepare the App Orchestration configuration server ..........................................................................31
System requirements .....................................................................................................................32
Sequence of preparation tasks for Windows Server 2008 R2 SP1 ................................................33
Client OS and browser support for the management console ........................................................33
Prepare Delivery Controllers and Session Machines .........................................................................35
Supported platforms ......................................................................................................................35
System requirements .....................................................................................................................35
Support for aggregating existing Delivery Sites .............................................................................37
Considerations for Delivery Controllers in cross-forest private Delivery Sites ................................38
Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5 .....................................................38
Task 2: Configure SSL on Delivery Sites and Session Machines ...................................................38
Prepare StoreFront servers ...............................................................................................................39
System requirements .....................................................................................................................39
Server group requirements ............................................................................................................40
Security Considerations for App Orchestration 2.5 ............................................................................40
SSL recommendations ..................................................................................................................41
Restrict PowerShell remoting sessions ..........................................................................................41
SMB security signatures ................................................................................................................41
Machine hardening techniques ......................................................................................................41
Restrict access for tenant user accounts .......................................................................................42
XenApp Session Machine isolation ................................................................................................42
Session Machine Catalog upgrades ..............................................................................................43
Install App Orchestration ......................................................................................................................43
Overview ...........................................................................................................................................43
Accounts and Permissions ............................................................................................................43
Prerequisites .................................................................................................................................43
Personas .......................................................................................................................................44
Pitfalls to avoid ..............................................................................................................................44
Task 1: Download the product media ................................................................................................45
Download App Orchestration .........................................................................................................45
Build out the product media folder .................................................................................................45
Task 2: Install App Orchestration components ..................................................................................46
Configure App Orchestration ................................................................................................................49
Accounts and permissions ................................................................................................................49
Prerequisites .....................................................................................................................................49
Personas ...........................................................................................................................................49
Pitfalls to avoid ..................................................................................................................................49
Task 1: Configure the App Orchestration configuration server ..........................................................49
Task 2: Configure global settings ......................................................................................................50
Define App Orchestration infrastructure ................................................................................................51
Accounts and permissions ................................................................................................................51
Prerequisites .....................................................................................................................................51
Personas ...........................................................................................................................................52
Pitfalls to avoid ..................................................................................................................................52
Task overview ...................................................................................................................................53
Design service offerings for tenants ......................................................................................................53
Accounts and permissions ................................................................................................................53
Prerequisites for Session Machine Catalogs using on-demand provisioning .....................................54
Prerequisites for Session Machine Catalogs using external provisioning ..........................................54
Prerequisites for offerings .................................................................................................................54
Prerequisites for Delivery Sites .........................................................................................................55
Prerequisites for StoreFront ..............................................................................................................55
Personas ...........................................................................................................................................55
Pitfalls to avoid ..................................................................................................................................56
Task 1: Create a new Delivery Site ...................................................................................................56
Aggregate an existing Delivery Site ...............................................................................................57
Task 2: Create a Session Machine Catalog ......................................................................................58
Create a catalog with on-demand provisioning ..............................................................................58
Create a catalog for externally-provisioned machines ....................................................................58
Add Session Machines to the catalog ............................................................................................58
Task 3: Add a StoreFront Server Group ............................................................................................59
Task 4: Create an offering .................................................................................................................60
Deliver service offerings to tenants .......................................................................................................60
Accounts and permissions ................................................................................................................60
Prerequisites .....................................................................................................................................60
Personas ...........................................................................................................................................61
Pitfalls to avoid ..................................................................................................................................61
Task 1: Add a tenant and users ........................................................................................................62
Security considerations .................................................................................................................62
Task 2: Adjust capacity .....................................................................................................................62
Task 3: Subscribe the tenant to an offering .......................................................................................63
Task 4: Optional: Deploy tenant self-service features........................................................................63
Appendix: Setup Checklist ....................................................................................................................65
Shared resource domain ...................................................................................................................66
Default user domain ..........................................................................................................................67
Citrix product media folder ................................................................................................................68
Database Server ...............................................................................................................................70
Citrix License Server .........................................................................................................................71
NetScaler Gateway ...........................................................................................................................71
App Orchestration configuration server .............................................................................................72
Delivery Controllers ...........................................................................................................................73
Session Machines .............................................................................................................................74
On-demand catalogs (on-demand provisioning enabled) ...............................................................74
Catalogs for externally-provisioned machines ................................................................................77
StoreFront servers ............................................................................................................................78
App Orchestration global settings......................................................................................................79
First tenant ........................................................................................................................................81
Copyright and Trademarks
Use of the product documented herein is subject to your prior acceptance of the End User License
Agreement. A printable copy of the End User License Agreement is included with your installation
media.
Information in this document is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of Citrix Systems, Inc.
© 2014 Citrix Systems, Inc. All rights reserved.
The following are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be
registered in the United States Patent and Trademark Office and in other countries:
Citrix®, Citrix Access Gateway™, Citrix App Orchestration™, Citrix Receiver™, Citrix XenApp™,
CloudPlatform™, CloudPortal™, ICA®, NetScaler®, NetScaler App Delivery Controller™, NetScaler
Gateway™, XenApp®, XenDesktop™, XenServer™
All other trademarks and registered trademarks are the property of their respective owners.
Welcome to App Orchestration 2.5
Thank you for choosing App Orchestration. This document includes information and instructions to help
you learn more about planning your App Orchestration deployment, prepare core components, and
perform tasks such as creating offerings and subscribing tenants to those offerings.
What’s New in This Release
- Support for XenApp 7.5 and XenDesktop 7.5: App Orchestration deploys and manages apps and desktops using XenApp 7.5 and XenDesktop 7.5 Sites in addition to XenApp 6.5 farms.
- Zero Trust Agent: This domain agent enables management traffic to traverse NATs, easing the connectivity requirements between the configuration server and orchestrated Controllers. Additionally, domain trusts are no longer required between the target orchestrated domain and the App Orchestration domain.
- On-demand Provisioning: App Orchestration fully supports the automatic creation and preparation of virtual machines for hosting applications and desktops. This feature also includes support for compute resources running Citrix XenServer, Microsoft Hyper-V, and VMware ESX.
- Cloud Provisioning: In addition to support for traditional hypervisors, App Orchestration includes support for Citrix CloudPlatform as a compute resource with on-demand provisioning.
- Upgradability: You can upgrade your existing App Orchestration 2.0 deployment using an intuitive and easy to use interface.
- Streamlined User Experience: App Orchestration provides a simplified installer and a streamlined first-time user experience. Guided wizards provide assistance in learning the system as you perform the initial configuration.
Documentation and support for App Orchestration
- App Orchestration in Citrix eDocs: This section of eDocs is your primary source for all resources that support App Orchestration 2.5. Access guides, videos and other materials to help you progress smoothly through each stage of deployment.
- App Orchestration 2.x Discussion Forum: Use this Citrix Discussions site to ask questions and contribute your knowledge about App Orchestration.
Use the following guide to the materials available for planning and deploying App Orchestration. Each entry names what you need more information about, followed by the document to consult.

When you're ready to plan your App Orchestration deployment and prepare your network environment:
- Known issues in App Orchestration: see Known Issues for App Orchestration 2.5.
- The concepts and terminology specific to App Orchestration: see Terminology in App Orchestration 2.5.
- System requirements for core components, required pre-deployment tasks, and security considerations: see Getting Started with App Orchestration 2.5 (this document) and the Setup Checklist (Appendix to this document).
- Deploying App Orchestration in an Active Directory environment with multiple forests and multiple domains: see Deploying App Orchestration 2.5 in a Complex Active Directory Environment.
- The user accounts you will need to deploy the core App Orchestration components and perform tasks using the App Orchestration web console: see Credentials Used in App Orchestration 2.5.
- Using SQL database mirroring for adding high availability and failover to the databases used in App Orchestration: see Configuring Database Mirroring in App Orchestration 2.5.
- The virtual networks you will need to provide tenant isolation of private offerings: see Isolation Methods in App Orchestration 2.5.
- Integrating Citrix CloudPlatform with App Orchestration to create Public and Private Clouds: see Using Citrix CloudPlatform to Provision Session Machines On-demand in App Orchestration 2.5.
- Configuring SSL between the core components of your deployment: see Configuring SSL for App Orchestration 2.5.

When you're ready to install and configure App Orchestration:
- Installing the core App Orchestration components: see Getting Started with App Orchestration 2.5 (this document) and the Setup Checklist (Appendix to this document).
- Using domain agents to secure communication between App Orchestration and the resource domains in your deployment: see Deploying the Zero Trust Agent in App Orchestration 2.5.
- Using multiple datacenters to support resources deployed across geographic locations: see Deploying a Multi-Datacenter Environment in App Orchestration 2.5.
- Integrating NetScaler Gateway with App Orchestration: see Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5, or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5.

When you're ready to use specific features of App Orchestration:
- Enabling hosted desktops to display the Windows 7 or Windows 8 look and feel to users: see Configuring Enhanced Desktop Experience for XenApp and XenDesktop in App Orchestration 2.5.
- Enabling on-demand provisioning of Session Machines to increase the capacity of your deployment as needed: see Provisioning Session Machines On-demand in App Orchestration 2.5.
- Integrating Provisioning Services with App Orchestration to provide on-demand provisioning of Session Machines: see Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.5.

When you're ready to upgrade an existing App Orchestration 2.0 deployment to App Orchestration 2.5:
- The upgrade process, preparation tasks, and instructions: see Upgradability Guide for App Orchestration 2.5.
App Orchestration components
App Orchestration provides simple unified management of Citrix application and desktop delivery
technologies in a multi-tenant environment, using multiple datacenters across multiple domains. This
section describes the core components and shows how they work together to provision and manage
hosted applications and desktops for tenants and users.
A typical App Orchestration deployment includes the following components:
- A configuration server, for hosting the App Orchestration engine and web-based management console.
- A domain agent, to enable the configuration server to communicate with any isolated tenant domains in the deployment.
- Delivery Controllers, for hosting XenApp or XenDesktop Delivery Sites.
- Session Machines, for hosting the applications and desktops that users access through Citrix Receiver.
- StoreFront servers, for hosting the store that contains the offerings you create for tenants.
- Compute resources, for providing the virtual networks required for tenant isolation and for provisioning identically-configured Session Machines as needed through on-demand provisioning.
For a visual overview of an App Orchestration deployment, refer to the App Orchestration 2.5
Architecture diagram.
Configuration server
What is it?
The App Orchestration configuration server hosts the App Orchestration engine and the web-based
management console. These are stateless components that can be deployed on multiple servers to
provide high availability and scalability. Additionally, an instance of Machine Creation Services (MCS)
and an agent reside on the configuration server. MCS provides the functionality for creating and
managing virtual machines (VMs) on the compute resources in the virtualization infrastructure.
What does it do?
When a change to the deployment occurs, such as creating a Delivery Site or adding a Session
Machine to a catalog, the change is written to the configuration database and the App Orchestration
engine issues all of the actions required to apply the change. These actions are called workflows, and
you can monitor them from the web management console. The configuration server can apply these
changes asynchronously, so it can sequence multiple operations across different products correctly,
even when they span extended periods of time. If any failures result, you can correct them and retry
the workflow, and the system will complete the change.
Typically, the agent that resides on the configuration server interacts with Active Directory for
operations such as monitoring OUs. If you use zero-trust domains in your deployment, the Zero Trust
Agent handles communication with Active Directory. All Active Directory communication occurs through
Active Directory Web Services. The agent also communicates with Session Machines that have not yet
been allocated to host tenants' subscriptions. This occurs using PowerShell remoting (WinRM) and
executing pre-installed scripts.
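Because the agent reaches not-yet-allocated Session Machines over PowerShell remoting, it is worth verifying that path, and how it is secured, before orchestration depends on it. The following script is an added example written for this page; it is not Citrix code and not part of the App Orchestration product. It assumes a Session Machine FQDN passed as the $SessionMachine parameter and a WinRM listener reachable over HTTPS (the standard port 5986 that -UseSSL selects). From inside the remoting session it reads the target's listener transports, the AllowUnencrypted service setting and the LocalMachine execution policy, then reports anything a hardening review would flag.

```powershell
# Added example for this page (not Citrix code). Checks the PowerShell remoting
# (WinRM) path that the App Orchestration agent uses to reach a Session Machine.
# $SessionMachine is an assumed parameter; pass the FQDN of a machine you manage.
param(
    [Parameter(Mandatory = $true)]
    [string]$SessionMachine
)

# Step 1: confirm the WinRM service answers on the target at all.
# Test-WSMan throws when the service is stopped or the port is blocked.
try {
    $null = Test-WSMan -ComputerName $SessionMachine -ErrorAction Stop
    Write-Host "[OK]   WinRM responds on $SessionMachine"
} catch {
    Write-Host "[FAIL] WinRM not reachable on $SessionMachine: $($_.Exception.Message)"
    return
}

# Step 2: open a remoting session over HTTPS only (-UseSSL, port 5986) and read
# the target's own listener and service configuration from inside the session.
# Certificate chain and name are validated by default; no SkipCACheck/SkipCNCheck.
try {
    $session = New-PSSession -ComputerName $SessionMachine -UseSSL -ErrorAction Stop
} catch {
    Write-Host "[FAIL] HTTPS remoting session to $SessionMachine failed: $($_.Exception.Message)"
    return
}

$report = Invoke-Command -Session $session -ScriptBlock {
    # Each listener is a child of WSMan:\localhost\Listener holding Name/Value entries.
    $transports = foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        (Get-ChildItem $listener.PSPath | Where-Object { $_.Name -eq 'Transport' }).Value
    }
    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        Transports       = @($transports)
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        ExecutionPolicy  = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
    }
}
Remove-PSSession $session

# Step 3: evaluate the findings from a hardening point of view.
$findings = @()
if ($report.Transports -notcontains 'HTTPS') {
    $findings += 'No HTTPS listener is configured'
}
if ($report.Transports -contains 'HTTP') {
    $findings += 'A plain HTTP listener is still enabled; remove it once HTTPS works'
}
if ($report.AllowUnencrypted -eq 'true') {
    $findings += 'AllowUnencrypted is true; the WinRM service accepts unencrypted traffic'
}
if ($report.ExecutionPolicy -eq 'Unrestricted') {
    $findings += 'LocalMachine execution policy is Unrestricted; compare it with the value set by the App Orchestration Group Policy'
}

Write-Host ("Listeners on {0}: {1}" -f $report.Computer, ($report.Transports -join ', '))
if ($findings.Count -eq 0) {
    Write-Host "[OK]   Remoting configuration on $SessionMachine looks sound"
} else {
    $findings | ForEach-Object { Write-Host "[WARN] $_" }
}
```

Save the block as a .ps1 file and run it from the configuration server as the account the agent uses, so that the check exercises the same authentication path; a session that succeeds only with -SkipCACheck or -SkipCNCheck added points at a certificate problem on the Session Machine rather than a connectivity one.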
How many do I need?
You need at least one configuration server in your deployment. However, you can deploy multiple
configuration servers to provide high availability and failover capabilities.
For system requirements and preparation instructions, see “Prepare the App Orchestration
configuration server” on page 31.
Domain agent
What is it?
The domain agent, also known as the Zero Trust Agent, allows the configuration server to orchestrate
resources in domains to which it cannot directly connect or where configuring Active Directory trusts
between the shared resource domain and the target orchestrated domain is not allowed.
What does it do?
The domain agent is installed on a dedicated machine in each resource domain of your App
Orchestration deployment. The agent establishes an SSL connection to the configuration server
through which the configuration server sends requests to the agent.
How many do I need?
You need at least one domain agent for each isolated tenant resource domain in your deployment. The
domain agent is installed on a dedicated server and requires SSL to be configured. For more
information about deploying the Zero Trust Agent, see the document Deploying the Zero Trust Agent in
App Orchestration 2.5.
Delivery Sites and Delivery Controllers
What are they?
Delivery Sites are composed of identically configured Delivery Controllers and include the Session
Machines, Delivery Groups, and other components that deliver hosted applications and desktops to
tenants and their users at the appropriate isolation level. For more information about isolation levels,
see the document Isolation Methods in App Orchestration 2.5.
What do they do?
Delivery Controllers are responsible for distributing and managing user access to hosted applications
and desktops, for power managing desktops, and for server reboot cycles. Delivery Controllers can be
provisioned to run XenApp 6.5, or XenApp 7.5 and XenDesktop 7.5.
When you prepare machines to be Delivery Controllers, App Orchestration installs an agent on each
machine to establish communication with the orchestration engine API that is hosted on the
configuration server. The Delivery Controller manages Delivery Site configuration and the draining
process for Session Machines. Additionally, the agent joins Session Machines to the Delivery Site using
PowerShell remoting and executing pre-installed scripts.
How many do I need?
You need at least two Delivery Controllers for each Delivery Site you deploy. These Delivery
Controllers must be identically configured including hardware configuration, operating system, and
installed updates.
For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session
Machines” on page 35.
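The requirement above that the two controllers of a Delivery Site be identically configured is easy to state and easy to miss in practice (a single update applied to one controller is enough). As an added example, not code from the Citrix document, the following PowerShell compares the OS build, sizing and installed updates of the prepared controllers before you create the Delivery Site. It assumes PowerShell remoting is already enabled on the controllers (the Group Policy described under "Configure the App Orchestration Group Policy") and uses placeholder computer names.

```powershell
# Added example (not from the Citrix document): compare the build and installed
# updates of the Delivery Controllers that will form one Delivery Site.
# Assumes PowerShell remoting is enabled on the targets; AODDC01/AODDC02 are
# placeholder names for your own controllers.

function Get-ControllerBaseline {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $os = Get-CimInstance Win32_OperatingSystem
        $cs = Get-CimInstance Win32_ComputerSystem
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            OSCaption  = $os.Caption
            OSVersion  = $os.Version
            MemoryMB   = [math]::Round($cs.TotalPhysicalMemory / 1MB)
            Processors = $cs.NumberOfLogicalProcessors
            # Sorted KB identifiers make the comparison order-insensitive
            HotFixes   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object)
        }
    }
}

function Compare-ControllerBaseline {
    param(
        [Parameter(Mandatory)][string]$Reference,
        [Parameter(Mandatory)][string[]]$Candidate
    )
    $ref = Get-ControllerBaseline -ComputerName $Reference
    foreach ($name in $Candidate) {
        $cand = Get-ControllerBaseline -ComputerName $name

        # Scalar attributes: report each one that differs from the reference
        foreach ($prop in 'OSCaption', 'OSVersion', 'MemoryMB', 'Processors') {
            if ($ref.$prop -ne $cand.$prop) {
                [pscustomobject]@{ Computer = $name; Property = $prop; Reference = $ref.$prop; Candidate = $cand.$prop }
            }
        }

        # Updates present on one controller but not on the other
        $diff = Compare-Object -ReferenceObject $ref.HotFixes -DifferenceObject $cand.HotFixes
        foreach ($d in $diff) {
            $where = if ($d.SideIndicator -eq '<=') { "missing on $name" } else { "missing on $Reference" }
            [pscustomobject]@{ Computer = $name; Property = 'HotFix'; Reference = $d.InputObject; Candidate = $where }
        }
    }
}

# Usage: no output means the controllers match on every attribute checked.
Compare-ControllerBaseline -Reference 'AODDC01' -Candidate 'AODDC02' | Format-Table -AutoSize
```

Run it again after the last update pass on the controllers; an empty result is the state you want before the Delivery Site workflow starts.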
Additional information
XenApp 7.5 and XenDesktop 7.5 documentation
XenApp 6.5 product documentation
Session Machines, Catalogs, and Delivery Groups
What are they?
Session Machines host applications and desktops for tenants' users to access through Citrix Receiver.
Like Delivery Controllers, Session Machines can be provisioned to run XenApp 6.5, XenApp 7.5, or
XenDesktop 7.5.
What is a catalog?
Multiple Session Machines are collected in Session Machine Catalogs. All Session Machines in a
catalog are identically configured, using the same operating system and configuration settings, and the
same installed software. This ensures that users can access the applications and desktops associated
with the catalog when needed, regardless of the machines App Orchestration selects to host the
sessions. When additional capacity is needed for subscriptions, Session Machines from the catalog are
added to a Delivery Group that is associated with the subscribing tenant. Delivery Groups can be
dedicated to a single tenant's users or shared among the users of several tenants.
You can create two catalog types in App Orchestration: On-demand catalogs and catalogs for
externally-provisioned machines.
On-demand catalogs use on-demand provisioning to create Session Machines whenever more capacity
is needed to host tenant subscriptions. Before you create an on-demand catalog, you must perform
additional tasks to enable on-demand provisioning in your deployment. For information about these
tasks, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.5.
Catalogs for externally-provisioned machines allow you to use other means, such as Citrix Provisioning
Services or PowerShell scripts, to provision servers and add them to the catalog. When additional
capacity is needed in the catalog, App Orchestration notifies you to deploy more machines; additional
machines are not deployed automatically. For more information about using Provisioning Services for
externally-provisioned machines, refer to the document Using Citrix Provisioning Services to Provision
Session Machines in App Orchestration 2.5.
OS types for catalogs
When you create a new Session Machine Catalog, you must select an OS type which governs the
operating system installed on each machine in the catalog.
The Multi User type enables you to deploy a set of standard desktops and applications that are shared
by a large number of users. Desktops and applications are allocated to users on a first-come, first-serve
basis. Additionally, the desktop environment automatically resets to the default configuration when
users log off. Session Machines in a catalog with this OS type run only supported versions of Windows
Server.
The Single User type enables you to deploy desktops and applications that are assigned to individual
users. Users can personalize the desktop and install applications. Additionally, the desktop
environment remains unchanged between sessions. Session Machines in a catalog with this OS type
run on supported versions of Windows or Windows Server (with XenDesktop’s Server VDI capability).
How many do I need?
You need at least one Session Machine to host offerings for users. To increase capacity for your
offerings and host more user sessions, you can deploy multiple Session Machines.
For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session
Machines” on page 35.
Additional information
XenApp 7.5 and XenDesktop 7.5 documentation
XenApp 6.5 product documentation
StoreFront
What is it?
StoreFront authenticates users to sites hosting resources and manages stores of applications and
desktops that users access using Citrix Receiver.
How many do I need?
To provide offerings to users, you need at least one StoreFront server group consisting of at least two
StoreFront servers.
For system requirements and preparation instructions, see “Prepare StoreFront servers” on page
39.
For more information about StoreFront 2.5.2, see the product documentation in Citrix eDocs.
When you add tenants to your deployment, you can specify whether the tenant’s users will use a
shared or private StoreFront site to access your offerings. The number of StoreFront servers you need
depends on the number of tenants who will be using shared or private StoreFront resources to access
your offerings. For more information about shared and private StoreFront resources, see the document
Isolation Methods in App Orchestration 2.5.
Compute resources
Compute resources are the hypervisors, hypervisor pools, and other components required to create
and manage virtual machines (VMs). These resources enable you to create virtual networks, a key
component in isolating tenants and ensuring shared and private resources are allocated appropriately.
To learn about the compute resources that App Orchestration supports, see the section “Set up
compute resources” on page 27.
App Orchestration deployment overview
Deploying App Orchestration typically occurs using the following phased approach:
Phase      Tasks
Prepare    Download the software for App Orchestration and its components.
           Prepare your environment and the machines you will use to deploy App Orchestration and
           design and deliver offerings.
Install    Use the App Orchestration Install Center to install the required software on the machines
           you prepare as the configuration server, Delivery Controllers, Session Machines, and
           StoreFront servers. This enables you to perform the remaining deployment phases with
           minimal interruption.
Configure  Configure App Orchestration's global settings.
Define     Define additional domains.
           Create additional datacenters.
           Set up and configure compute resources.
           Add instance configurations.
Design     Create Delivery Sites.
           Create a Session Machine Catalog for on-demand provisioning or external provisioning.
           Create a StoreFront Server Group.
           Create an offering.
Deliver    Add a tenant and add users.
           Adjust capacity.
           Subscribe the tenant to the offering.
           (Optional) Enable tenant self-service with CloudPortal Services Manager 11.5.
Prepare to deploy App Orchestration 2.5
Before you install App Orchestration, some planning is required to prepare your environment and the
machines you will include in your deployment. Use this section to learn about:
Required tasks for preparing your network environment and the machines included in your
deployment.
System requirements for the core components of your deployment.
Deployment recommendations and requirements for using specific features of App Orchestration.
How many machines do I need?
The simplest App Orchestration deployment that enables you to create an offering and deliver it to a
tenant requires the following machines:
1 domain controller with a minimum domain functional level of Windows Server 2008 R2
1 database server running a supported version of Microsoft SQL Server
1 Citrix License Server
1 server, for the App Orchestration configuration server
1 server, for the Session Machine that will host applications and desktops for the tenant’s users
2 servers, for the Delivery Controllers that make up one Delivery Site
2 servers, for the StoreFront servers that make up one StoreFront server group
You can then add other components such as NetScaler Gateway and Citrix Provisioning Services,
depending on the needs of your deployment.
Network preparation task overview
Perform the following tasks to prepare your network environment for App Orchestration:
Step 1: Create the shared resource and default user domains and the root OU for the deployment.
        See "Prepare your Active Directory domains" on page 20.
Step 2: Create a policy for all machines in the deployment that sets the PowerShell execution
        policy, enables PowerShell remoting, and enables remote administration with WMI.
        See "Configure the App Orchestration Group Policy" on page 23.
Step 3: Create the non-privileged user accounts that you will use to install App Orchestration and
        designate as the orchestration service account for the deployment.
        See "Create administrator accounts" on page 26.
Step 4: Set up Citrix Licensing for your deployment.
        See "Set up Citrix Licensing" on page 27.
Step 5: Set up compute resources to create virtual networks and provision Session Machines
        on-demand.
        See "Set up compute resources" on page 27.
Step 6: Set up NetScaler Gateway to provide secure remote access and load balancing for the
        StoreFront servers in your deployment.
        See "Set up NetScaler Gateway" on page 28.
Machine preparation task overview
Perform the following tasks to prepare the machines that you include in your App Orchestration
deployment:
Step 1: Install and configure the SQL Server that hosts the configuration database for your
        deployment.
        See "Prepare the database server" on page 28.
Step 2: Prepare the machine that you deploy as the App Orchestration configuration server,
        including configuring SSL.
        See "Prepare the App Orchestration configuration server" on page 31.
Step 3: Prepare the machines that you deploy as Delivery Controllers and Session Machines,
        including configuring SSL and updating the Citrix Group Policy snap-in.
        See "Prepare Delivery Controllers and Session Machines" on page 35.
Step 4: Prepare the machines that you deploy as StoreFront servers, including configuring SSL.
        See "Prepare StoreFront servers" on page 39.
Prepare your Active Directory domains
To deploy App Orchestration successfully, you must have at least one domain controller in your
environment. With a single domain, you can create a deployment where users access offerings hosted
on resources that are shared by all tenants or on resources that are isolated for each tenant. You can
also create private offerings and allocate private resources to specific tenants.
App Orchestration also supports deployments that span multiple forests and domains. With a multi-
forest or multi-domain deployment, you can provide increased tenant isolation and separation of user
accounts and resources. For more information about multi-forest deployment, see the document
Deploying App Orchestration 2.5 in a Complex Active Directory Environment.
App Orchestration supports the following domain functional levels:
Resource domain functional levels: Windows Server 2012, Windows Server 2008 R2
User domain functional levels: Windows Server 2012, Windows Server 2008 R2, Windows Server 2003
Task 1: Prepare required domains
Create the following domains:
Shared resource domain: The domain where the App Orchestration configuration server resides.
This domain contains components that are shared with multiple tenants. This is also where the App
Orchestration root OU is created.
Important: All configuration servers in your deployment must reside in the shared resource domain. App
Orchestration does not support the use of configuration servers in different domains.
Default user domain: The domain where App Orchestration user accounts reside (for example, the
user account designated as the orchestration service account). This domain also includes the
tenant users and groups that will access offerings delivered from the shared resource domain. You
can create a separate domain for these accounts or you can designate the shared resource domain
for this purpose.
If you intend to include multiple domains in your deployment, create these resource and user domains
as necessary. You will need to specify the shared resource and default user domains when you
configure App Orchestration's global settings. You can define additional domains through the App
Orchestration web console. For more information about using multiple domains with App Orchestration,
refer to the document Deploying App Orchestration 2.5 in a Complex Active Directory Environment.
Task 2: Prepare required organizational units
In the shared resource domain, create an OU that acts as the root OU for your App Orchestration
deployment. If your deployment includes multiple resource domains, create a root OU in each of these
domains.
You can name the root OU according to your preference; however, the root OU in each resource
domain must have the same name and path. You will specify the root OU for the shared resource
domain when you configure App Orchestration's global settings.
Important: The root OU in each resource domain must reside within the scope of the App Orchestration
Group Policy. For more information on configuring this policy and linking the root OUs, see the section
“Configure the App Orchestration Group Policy” on page 23.
After you configure the global settings, App Orchestration creates the DecommissionedServers OU
automatically within this root OU. The DecommissionedServers OU is for machines that have been
removed from the deployment.
Task 3: Prepare tenant domains and user groups
Before you add tenants to the deployment, determine the tenants who will require shared or private
access to offerings. When you add tenants, you will need to specify the resource and user domains for
the tenant so that, when subscriptions are created later, App Orchestration can allocate the machines
hosting the tenant's offerings appropriately.
Create the resource and user domains for each tenant in Active Directory and add them as domains
through the App Orchestration web console before you add the tenants; App Orchestration does not
create these domains for you.
You will also need to create location groups and subscription groups for each tenant:
Location groups map users to certain datacenters, enabling users to access applications and
desktops from different datacenters based on their group membership.
Subscription groups are Active Directory user groups that organize users according to the offerings
they need. A subscription group must be a member of a location group, but can belong to only one
location group at any given time. When you create an offering, you specify the subscription groups
that can access the offering.
Tenants with private domain isolation
For each tenant who needs private access to offerings, perform the following tasks:
1. Create a private resource domain and App Orchestration root OU. This is where App Orchestration
will allocate machines for hosting private offerings.
2. (Optional) Create a private user domain for the tenant's user accounts. Alternatively, you can use
the tenant's resource domain for this purpose.
3. In the user domain, create location and subscription groups for the tenant. Finally, add user
accounts to the subscription groups.
Tenants with shared domain isolation
For each tenant who needs shared access to offerings, perform the following tasks:
1. Create a resource OU for the tenant within the App Orchestration root OU in the shared resource
domain.
2. (Optional) Create a user domain for the tenant's user accounts. Alternatively, you can use App
Orchestration's default user domain for this purpose.
3. In the default user domain, create location and subscription groups for the tenant. Finally, add user
accounts to the subscription groups.
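Tasks 2 and 3 above are a repeatable procedure per tenant, and the constraints that matter later (root OU name and path identical in every resource domain; location and subscription groups as global security groups, since App Orchestration does not recognise domain-local groups; each subscription group nested in exactly one location group) are easy to get wrong by hand. The following PowerShell is an added example, not a script from the Citrix document or product, that creates these objects for a tenant with shared domain isolation. It requires the ActiveDirectory module (RSAT) and an account permitted to create OUs and groups; the OU and group names are placeholders, as is the assumption that the shared resource domain and the default user domain are the same domain and that an OU named Tenants already exists there for the groups. The New-AoRootOu function can also be pointed at a private resource domain to create the matching root OU for a tenant with private domain isolation.

```powershell
# Added example (not part of the Citrix document): create the Active Directory
# objects described in Task 2 and Task 3 for a tenant that uses shared domain
# isolation. Requires the ActiveDirectory module. All names are placeholders.
Import-Module ActiveDirectory

function New-AoRootOu {
    # Creates the App Orchestration root OU directly under the domain. Use the
    # same $Name in every resource domain so that name and path match.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$DomainDn)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $DomainDn -SearchScope OneLevel
    if (-not $existing) { New-ADOrganizationalUnit -Name $Name -Path $DomainDn | Out-Null }
    return "OU=$Name,$DomainDn"
}

function Add-AoGroupMemberOnce {
    # Add-ADGroupMember errors if the member is already present; make it idempotent
    param($Group, $Member)
    $current = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty DistinguishedName)
    if ($current -notcontains $Member.DistinguishedName) { Add-ADGroupMember -Identity $Group -Members $Member }
}

function New-AoTenant {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$RootOuDn,     # root OU in the shared resource domain
        [Parameter(Mandatory)][string]$UserOuDn,     # OU in the default user domain that holds the groups
        [Parameter(Mandatory)][string]$Location,     # datacenter the location group maps to
        [Parameter(Mandatory)][string[]]$Offerings,  # one subscription group per offering
        [string[]]$Members = @()                     # sAMAccountNames to subscribe
    )
    # 1. Tenant resource OU under the App Orchestration root OU
    $tenantOu = Get-ADOrganizationalUnit -LDAPFilter "(ou=$TenantName)" -SearchBase $RootOuDn -SearchScope OneLevel
    if (-not $tenantOu) { $tenantOu = New-ADOrganizationalUnit -Name $TenantName -Path $RootOuDn -PassThru }

    # 2. Location group: Global scope, because domain-local groups are not
    #    recognised by App Orchestration (see "Create administrator accounts")
    $locName  = "$TenantName-Loc-$Location"
    $locGroup = Get-ADGroup -LDAPFilter "(sAMAccountName=$locName)" -SearchBase $UserOuDn
    if (-not $locGroup) {
        $locGroup = New-ADGroup -Name $locName -GroupScope Global -GroupCategory Security -Path $UserOuDn -PassThru
    }

    # 3. One subscription group per offering, each nested in exactly this location group
    foreach ($offering in $Offerings) {
        $subName  = "$TenantName-Sub-$offering"
        $subGroup = Get-ADGroup -LDAPFilter "(sAMAccountName=$subName)" -SearchBase $UserOuDn
        if (-not $subGroup) {
            $subGroup = New-ADGroup -Name $subName -GroupScope Global -GroupCategory Security -Path $UserOuDn -PassThru
        }
        Add-AoGroupMemberOnce -Group $locGroup -Member $subGroup
        foreach ($m in $Members) { Add-AoGroupMemberOnce -Group $subGroup -Member (Get-ADUser -Identity $m) }
    }

    [pscustomobject]@{
        TenantOu           = $tenantOu.DistinguishedName
        LocationGroup      = $locGroup.Name
        SubscriptionGroups = @($Offerings | ForEach-Object { "$TenantName-Sub-$_" })
    }
}

# Usage (placeholder names). Shared resource domain and default user domain are
# the same domain here, which the document permits.
$domainDn = (Get-ADDomain).DistinguishedName
$rootOu   = New-AoRootOu -Name 'AppOrchestration' -DomainDn $domainDn
New-AoTenant -TenantName 'Contoso' -RootOuDn $rootOu -UserOuDn "OU=Tenants,$domainDn" `
    -Location 'DC-East' -Offerings 'Office', 'Finance' -Members 'jdoe', 'asmith'
```

The root OU is created by name only; link the App Orchestration Group Policy to it afterwards as described under "Configure the App Orchestration Group Policy", since a root OU outside the policy scope is exactly the case in which workflows later fail.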
Required trusts for resource and user domains
If you deploy App Orchestration in an environment that includes different resource and user domains
(for example, a resource domain and a user domain exist that are each different than the shared
resource domain), ensure that the resource domain trusts the user domain by establishing a one-way
trust. This trust enables users to access the offerings hosted on machines in the resource domain.
For more information about using multiple domains with App Orchestration, see the document
Deploying App Orchestration 2.5 in a Complex Active Directory Environment.
Required domain trusts for private tenant isolation
App Orchestration enables you to isolate tenants in their own domains using the following methods:
In a private domain using the Zero Trust Agent. The Zero Trust Agent facilitates secure
communication between the App Orchestration configuration server and the tenant’s isolated
resource domain. For more information, refer to the document Deploying the Zero Trust Agent in
App Orchestration 2.5.
In a private domain requiring a one-way trust in Active Directory with the shared resource domain.
App Orchestration verifies this trust exists when you add a resource domain through the web
console.
Configure the App Orchestration Group Policy
To facilitate remote administration, create a policy that applies to all machines in your App
Orchestration environment and include the following:
PowerShell execution policy is set to AllSigned.
PowerShell remoting is enabled, including auto-configuration of listeners, trusted hosts, and
Windows Remote Shell.
Allow inbound remote administration in Windows Firewall.
Note: By default, WinRM 2.0 uses port 5985 for HTTP traffic and port 5986 for HTTPS traffic. If there are
firewalls between the App Orchestration configuration server and the other servers in your deployment,
ensure these ports are open.
You can create this policy using one of the following methods:
Manually configure policy settings using the Group Policy Management Console. Use this topic to
configure these settings.
Automatically configure policy settings using the New-CamGPO.ps1 script.
The New-CamGPO script creates a Group Policy Object (GPO) and configures all the required policy
settings described in this section. You can run this script after you prepare the server you want to use
as the App Orchestration configuration server, join it to the shared resource domain, and add it to the
App Orchestration root OU. This script is located in the
%Program Files%\Citrix\CloudAppManagement\InfrastructureTools directory on the App
Orchestration configuration server.
After you create this policy, link the GPO to the following objects:
App Orchestration root OU in the shared resource domain.
App Orchestration root OU in each additional private tenant resource domain that you create.
Important: When you deploy machines that reside in these OUs (for example, adding a Delivery Site), App
Orchestration issues workflows to complete the deployment tasks. For these workflows to complete
successfully, the machines on which they run must have these policy settings applied. App Orchestration
does not verify these policy settings are applied before issuing the workflows.
Task 1: Set the PowerShell execution policy
1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and
create a new GPO or edit an existing one.
2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Windows Components > Windows PowerShell.
3. Right-click Turn on Script Execution and select Edit.
4. Select Enabled and then, under Options, select Allow only signed scripts.
Task 2: Configure PowerShell remoting
To configure PowerShell remoting using Group Policy, use the Group Policy Management Console to
enable the WinRM service, configure listeners, set the amount of session memory available, and
provide a list of trusted hosts. You will also need to configure the WinRM service to start automatically
and ensure Windows Firewall allows traffic through the ports assigned to WinRM.
1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and
create a new Group Policy Object (GPO) or edit an existing one.
2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Windows Components.
3. Configure the following policy settings:
   Setting location: Windows Remote Management (WinRM) > WinRM Service
   Policy setting: Allow automatic configuration of listeners
   Value: Enabled. To configure WinRM to listen on all addresses, type an asterisk (*) in the
   IPv4 Filter and IPv6 Filter fields.

   Setting location: Windows Remote Management (WinRM) > WinRM Client
   Policy setting: Trusted Hosts
   Value: Enabled. In TrustedHostsList, type an asterisk (*) to indicate all hosts are trusted.

   Setting location: Windows Remote Shell
   Policy setting: Specify maximum amount of memory in MB per Shell
   Value: Enabled. In MaxMemoryPerShellMB, type 1024.

   Setting location: Windows Remote Shell
   Policy setting: Specify maximum number of remote shells per user
   Value: Enabled. In MaxShellsPerUser, typing 0 indicates an unlimited number of shells.
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >
System Services.
5. Double-click the Windows Remote Management service and select the following options:
Define this policy setting
Automatic
6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings >
Windows Firewall with Advanced Security > Windows Firewall with Advanced Security >
Inbound Rules.
7. Right-click Inbound Rules and select New Rule.
8. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined and then select the
Windows Remote Management rule. Click Next.
9. On the Predefined Rules page, accept the defaults and click Next.
10. On the Action page, ensure Allow the connection is selected and click Finish.
11. To apply the settings, on each server, open a PowerShell command window and run gpupdate.
Task 3: To enable remote administration with WMI
As part of maintaining your App Orchestration environment, you might need to update Session Machine
Catalogs to deploy patches, upgrade installed applications, or take advantage of new hardware on
Session Machines. To ensure the update process occurs smoothly, a firewall exception is required to
enable inbound remote administrative connections on TCP ports 135 and 445. If this exception is not
present, the update process might fail.
1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and
create a new Group Policy Object (GPO) or edit an existing one. This GPO should be associated
with all servers in the App Orchestration environment.
2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies >
Administrative Templates > Network > Network Connections > Windows Firewall > Domain
Profile.
3. Double-click the Windows Firewall: Allow inbound remote administration exception setting and
select Enabled.
4. Under Options, in Allow unsolicited incoming messages from these IP addresses, type an
asterisk (*).
5. Click OK to save your selection.
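As the Important note above says, App Orchestration does not verify that these settings have applied before it issues workflows, so the practical check is yours. The following PowerShell is an added example, not a script from the Citrix document or the product, that reads back on each machine the state that Tasks 1 to 3 are meant to produce: the machine-scope execution policy, the WinRM service start mode, a configured listener, the TrustedHosts value, the shell memory quota, and reachability of the WinRM ports (5985/5986) and the remote administration ports (TCP 135/445). It assumes Windows Server 2012 or later on the machine you run it from (for Test-NetConnection), administrative rights on the targets, and placeholder server names. Two caveats worth keeping in mind when you read the output: TrustedHosts only affects connections that cannot use Kerberos (for example, targets addressed by IP), so the asterisk the procedure asks for has no effect on domain-joined machines reached by name; and the listener filters and the remote administration address list can be narrowed from "*" to your management subnet without affecting the workflows, as long as the configuration server's address is within them.

```powershell
# Added example (not part of the Citrix document): check on each machine that
# the Group Policy settings from Tasks 1 to 3 have actually taken effect.
# Requires Windows Server 2012 or later where it runs (Test-NetConnection) and
# admin rights on the targets; server names are placeholders.

function Test-AoMachinePolicy {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        $r = [ordered]@{ Computer = $name }

        # Ports the document requires: WinRM HTTP/HTTPS (Task 2) and RPC endpoint
        # mapper plus SMB for remote administration (Task 3)
        foreach ($port in 5985, 5986, 135, 445) {
            $r["Port$port"] = (Test-NetConnection -ComputerName $name -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        # Settings readable only on the machine itself. They are read over WinRM,
        # so a failure here already shows that remoting is not working.
        try {
            $remote = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    ExecutionPolicy     = [string](Get-ExecutionPolicy -Scope MachinePolicy)  # 'Undefined' if the GPO did not apply
                    WinRMStartMode      = (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode
                    Listeners           = @(Get-ChildItem WSMan:\localhost\Listener).Count
                    TrustedHosts        = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
                    MaxMemoryPerShellMB = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
                }
            }
            $r.ExecutionPolicy     = $remote.ExecutionPolicy
            $r.WinRMAutoStart      = ($remote.WinRMStartMode -eq 'Auto')
            $r.ListenerConfigured  = ($remote.Listeners -gt 0)
            $r.TrustedHosts        = $remote.TrustedHosts
            $r.MaxMemoryPerShellMB = $remote.MaxMemoryPerShellMB
        } catch {
            $r.Error = $_.Exception.Message
        }

        $r.Compliant = [bool]($r.Port5985 -and $r.Port135 -and $r.Port445 -and
                              $r.ExecutionPolicy -eq 'AllSigned' -and $r.WinRMAutoStart -and
                              $r.ListenerConfigured -and $r.MaxMemoryPerShellMB -ge 1024)
        [pscustomobject]$r
    }
}

# Usage (placeholder names): any row with Compliant = False needs attention
# before App Orchestration issues workflows to that machine.
Test-AoMachinePolicy -ComputerName 'AODDC01', 'AODDC02', 'AOSF01' | Format-Table -AutoSize
```

Run it from the configuration server after gpupdate has completed on the targets; the configuration server is the machine whose connectivity to the others actually matters.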
Create administrator accounts
To install and manage components in your App Orchestration deployment, create the following objects:
Orchestration service group: A user group for the user accounts for installing and administering
the deployment. This group confers full rights on member accounts. User accounts that are added
to this group should be non-privileged users with no administrator rights to the machines in the
deployment. Accounts in this group should not be members of the Domain Admins group. You will
need to supply this group name when you install the App Orchestration configuration server.
Note: After you supply this group name, it cannot be changed later.
Orchestration service account: The primary user account for performing administrative tasks in
the App Orchestration web console. This is a non-privileged user account that has permission to
access all App Orchestration functions and add and modify objects. This account should not be part
of the Domain Admins group. This account need not be the same as the App Orchestration
configuration server installation and configuration credentials.
Note: When adding administrator accounts to App Orchestration in a multi-domain environment, ensure the
accounts are members of a global or universal group in the user domain. If the account is a member of a
domain local group, App Orchestration does not recognize the account and, therefore, does not allow the
account to log on to the web console.
For more information about requirements and permissions for these user accounts, as well as other
user accounts that App Orchestration uses to provision and manage machines, see the document
Credentials Used in App Orchestration 2.5.
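Three of the requirements stated above are checkable before you type the group name into the installer (where it cannot be changed afterwards): the orchestration service group must be Global or Universal rather than domain-local, the service account must belong to it, and neither should be privileged, whether through Domain Admins or through local Administrators membership on deployment machines. The following PowerShell is an added example, not a script from the Citrix document or product, that performs those checks. It requires the ActiveDirectory module; the local Administrators check needs PowerShell 5.1 (Get-LocalGroupMember) on the target machines and only sees direct membership. All names are placeholders.

```powershell
# Added example (not part of the Citrix document): validate the orchestration
# service group and orchestration service account before running the installer.
# Requires the ActiveDirectory module; Get-LocalGroupMember needs PowerShell 5.1
# on the targets. All names are placeholders.
Import-Module ActiveDirectory

function Test-AoServiceIdentity {
    param(
        [Parameter(Mandatory)][string]$ServiceGroup,
        [Parameter(Mandatory)][string]$ServiceAccount,
        [string[]]$DeploymentServer = @()
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $group    = Get-ADGroup -Identity $ServiceGroup
    $user     = Get-ADUser  -Identity $ServiceAccount
    $netbios  = (Get-ADDomain).NetBIOSName

    # Group scope: App Orchestration does not recognise domain-local groups
    if ($group.GroupScope -eq 'DomainLocal') {
        $findings.Add("Group '$ServiceGroup' is DomainLocal; App Orchestration requires Global or Universal")
    }

    # LDAP_MATCHING_RULE_IN_CHAIN returns every group the user belongs to,
    # including through nesting, in one server-side query
    $memberOf = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                  Select-Object -ExpandProperty DistinguishedName)
    $domainAdmins = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    if ($memberOf -contains $domainAdmins) {
        $findings.Add("Account '$ServiceAccount' is a member of Domain Admins (directly or nested)")
    }
    if ($memberOf -notcontains $group.DistinguishedName) {
        $findings.Add("Account '$ServiceAccount' is not a member of '$ServiceGroup'")
    }

    # Direct membership of the local Administrators group on each deployment machine
    foreach ($server in $DeploymentServer) {
        $admins = Invoke-Command -ComputerName $server -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        foreach ($principal in "$netbios\$($user.SamAccountName)", "$netbios\$($group.SamAccountName)") {
            if ($admins -contains $principal) { $findings.Add("'$principal' is a local Administrator on $server") }
        }
    }

    [pscustomobject]@{
        ServiceGroup   = $group.SamAccountName
        GroupScope     = [string]$group.GroupScope
        ServiceAccount = $user.SamAccountName
        Findings       = $findings.ToArray()
        Ok             = ($findings.Count -eq 0)
    }
}

# Usage (placeholder names): Ok = True with an empty Findings list is the
# state to reach before supplying the group name to the installer.
Test-AoServiceIdentity -ServiceGroup 'AO-OrchestrationService' -ServiceAccount 'svc-aoadmin' `
    -DeploymentServer 'AOCONFIG01', 'AODDC01'
```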
Set up Citrix Licensing
Citrix Licensing 11.11.1 is required for configuring the App Orchestration configuration server as well as
configuring the Delivery Controllers, Session Machines, and StoreFront servers you want to deploy. If
you use an older version of Citrix Licensing, App Orchestration cannot validate the server during
configuration of global settings.
For Delivery Sites that use controllers running XenApp 6.5 Feature Pack 4, specify the Licensing server
using the FQDN or an IPv4 address. If you use an IPv6 address, App Orchestration cannot validate the
server and create the Delivery Site.
For more information about deployment steps, obtaining license files, and managing your Licensing
server, see Citrix Licensing 11.11.1 in Citrix eDocs.
Set up compute resources
Compute resources include the hypervisors and virtual networks and machines that form the foundation
for your App Orchestration deployment. These resources enable you to deploy Session Machines on
demand using on-demand provisioning, and use network isolation to provide tenants with private
resources.
App Orchestration supports using the following products to create the virtual networks and machines
you need for your deployment:
Citrix CloudPlatform 4.2.1
Citrix XenServer 6.2
VMware vSphere ESX 5.5
VMware vSphere ESX 5.1
Microsoft SCVMM 2012 R2
Microsoft SCVMM 2012 SP1
To use network isolation in your deployment, you create the following virtual networks:
Shared Controller Management Network
Shared Delivery Group Management Network
Private management network, for each tenant who requires network isolated access to hosted
applications and desktops
Additionally, these networks must be labeled.
Important: You will need to supply these labels when you configure App Orchestration's global settings. In
App Orchestration, network labels are case-sensitive. When configuring the global settings, enter the labels
exactly as they are configured for your compute resources.
For more information about these networks and instructions for creating and labeling them, review the
document Isolation Methods in App Orchestration 2.5.
For more information about using Citrix CloudPlatform to provision machines in your App Orchestration
deployment, see the document Using Citrix CloudPlatform to Provision Session Machines On-demand
in App Orchestration 2.5.
Set up NetScaler Gateway
App Orchestration supports the use of NetScaler Gateway 10.1 or 10.5 to provide secure remote
access and load balancing for the StoreFront servers in your App Orchestration deployment. If you
intend to use NetScaler Gateway in your deployment, review the following information prior to
deployment:
Review the document Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and
NetScaler Gateway for App Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with
StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5. These documents provide
detailed requirements and instructions for integrating NetScaler Gateway with App Orchestration.
Review the security considerations as described in the Planning for Security with NetScaler
Gateway section of Citrix eDocs.
LDAP authentication for NetScaler Gateway
When configuring LDAP authentication for NetScaler Gateway to verify user accounts in Active
Directory, a user account is entered in the Administrator Bind DN setting to bind NetScaler Gateway to
the LDAP server and search for the user. Citrix strongly recommends using a non-privileged user
account that has bind DN permission in Active Directory. Do not use an administrator account for this
setting.
Prepare the database server
In an App Orchestration deployment, the database server hosts the App Orchestration configuration
database. If you choose, it can also host the databases for the Delivery Sites you deploy.
Prepare the database server before you install App Orchestration. You will need to supply information
about this server when you install the App Orchestration configuration server and deploy Delivery Sites.
Afterward, create a firewall exception as described in the section “Task 1: Create a firewall exception”
on page 30.
When you install the App Orchestration configuration server, you are prompted to provide a service
deployment name. This name is used to create the configuration database. If you want to use an
existing database for your App Orchestration deployment, you specify that database name as the
service deployment name. If you enter a database name that does not exist on the database server, the
database is automatically created.
Supported database servers
App Orchestration supports using the following database servers:
Microsoft SQL Server 2012 Express, Standard, and Enterprise editions
Microsoft SQL Server 2008 R2 Express, Standard, Enterprise, and Datacenter editions
Support for database mirroring
For the configuration database, App Orchestration supports the use of mirrored and non-mirrored
databases.
If you want to use mirrored databases in your deployment, consider the following:
When planning for high availability or disaster recovery of the configuration database, be aware that
App Orchestration supports using only database mirroring for these purposes. App Orchestration
does not support using SQL Server clustering or the AlwaysOn feature of SQL Server 2012.
If you specify a database that does not yet exist when installing the App Orchestration configuration
server, the resulting database cannot be mirrored. The installer does not perform any mirroring
configuration or create a database that supports mirroring by default.
To use a mirrored database with the deployment, create the mirrored database before you deploy
the App Orchestration configuration server, and ensure the database is empty. When you are
prompted for the service deployment name during installation of the configuration server, enter the
name of this database.
For more information about using mirrored databases with App Orchestration, refer to the document
Configuring Database Mirroring in App Orchestration 2.5.
System requirements
When installing and configuring the database server for your deployment, ensure the following
requirements are met:
Authentication Mode: Windows authentication is enabled.
TCP: Enabled, along with all appropriate IP addresses, in SQL Server Configuration Manager.
SQL PowerShell Provider: Installed. This provider is included with SQL Management Studio.
SQL Server Browser service: Enabled, and set to run automatically.
SQL Server instance: Enabled, and set to run automatically.
Firewall: Allow inbound connections to the database server from the other servers in your App Orchestration deployment. Additionally, enable firewall exceptions for the SQL Server Browser and the SQL Server instance. See “Task 1: Create a firewall exception” on page 30.
User account permissions: The user account with which App Orchestration is installed must have the Sysadmin role to create the required accounts and databases during App Orchestration configuration server setup. For more information about required user accounts and permissions, refer to the document Credentials Used in App Orchestration 2.5.
Database security: As a security best practice, ensure that only the NetworkService account for the App Orchestration configuration server has permission to write to the database.
Task 1: Create a firewall exception
To ensure the database server can communicate as required with the other servers in your App
Orchestration deployment, create a Windows Firewall exception on the database server that allows
connections with the other servers.
1. On the database server, click Start > Administrative Tools > Windows Firewall with Advanced
Security.
2. In the left pane, click Inbound Rules.
3. Right-click Inbound Rules and then select New Rule. The New Inbound Rule Wizard appears.
4. On the Rule Type page, select Program and then click Next.
5. On the Program page, select This program path and then click Browse.
6. Locate and select the SQL Server executable and then click Open. Typically, the SQL Server
executable is located at C:\Program Files\Microsoft SQL
Server\MSSQL10_50.instancename\MSSQL\Binn\sqlservr.exe.
7. On the Action page, select Allow the connection and then click Next.
8. On the Profile page, select Domain, Private, and Public.
9. On the Name page, enter a name for the rule and click Finish.
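The same two exceptions (the SQL Server instance and the SQL Server Browser from the requirements table), created from an elevated PowerShell prompt on the database server. This is an added example, not a script from the Citrix guide. It uses the Windows Firewall COM API, which exists on both Windows Server 2008 R2 and 2012 R2, so it does not depend on the NetSecurity module. The executable paths and the remote subnet are placeholders for your environment. Where the wizard steps above allow all three profiles and any remote address, this version restricts the rules to the Domain profile and to the addresses of the App Orchestration servers, which is the tighter choice for a domain-joined database server; set Profiles to 7 and RemoteAddresses to '*' if you want to match the guide exactly.

```powershell
# Added example (not part of the Citrix guide): SQL Server firewall exceptions
# for an App Orchestration database server. Run elevated on the database server.
# ASSUMPTIONS: instance path, SQL Browser path and the remote subnet are placeholders.

$SqlServerExe      = 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
$SqlBrowserExe     = 'C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe'
$AoServerAddresses = '10.0.1.0/255.255.255.0'   # placeholder: subnet of the App Orchestration servers

# INetFwRule constants
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_ACTION_ALLOW    = 1
$NET_FW_PROFILE2_DOMAIN = 1      # 2 = private, 4 = public, 7 = all three
$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_IP_PROTOCOL_UDP = 17
$NET_FW_IP_PROTOCOL_ANY = 256

function Add-AoSqlFirewallRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ProgramPath,
        [int]$Protocol = $NET_FW_IP_PROTOCOL_ANY,
        [string]$LocalPorts,
        [string]$RemoteAddresses = '*'
    )
    if (-not (Test-Path -LiteralPath $ProgramPath)) {
        throw "Program not found, check the instance path: $ProgramPath"
    }
    $policy = New-Object -ComObject HNetCfg.FwPolicy2

    # Replace any rule with the same name so the function is safe to re-run.
    foreach ($existing in @($policy.Rules | Where-Object { $_.Name -eq $Name })) {
        $policy.Rules.Remove($Name)
    }

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = 'App Orchestration configuration database access'
    $rule.ApplicationName = $ProgramPath
    $rule.Protocol        = $Protocol          # must be set before LocalPorts
    if ($LocalPorts) { $rule.LocalPorts = $LocalPorts }   # only meaningful for TCP/UDP
    $rule.RemoteAddresses = $RemoteAddresses
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $NET_FW_PROFILE2_DOMAIN
    $rule.Enabled         = $true
    $policy.Rules.Add($rule)

    # Read the rule back from the policy store so the caller sees what was saved.
    $policy.Rules | Where-Object { $_.Name -eq $Name } |
        Select-Object Name, ApplicationName, Protocol, LocalPorts, RemoteAddresses, Profiles, Enabled
}

# The instance's TCP port is instance specific, so the program is allowed on any
# TCP port; SQL Server Browser answers instance lookups on UDP 1434.
Add-AoSqlFirewallRule -Name 'AO SQL Server instance' -ProgramPath $SqlServerExe `
    -Protocol $NET_FW_IP_PROTOCOL_TCP -RemoteAddresses $AoServerAddresses
Add-AoSqlFirewallRule -Name 'AO SQL Server Browser' -ProgramPath $SqlBrowserExe `
    -Protocol $NET_FW_IP_PROTOCOL_UDP -LocalPorts '1434' -RemoteAddresses $AoServerAddresses
```

Each call returns the stored rule, so you can confirm the program path, protocol and remote address scope before moving on to the configuration server. If you later add App Orchestration servers on another subnet, re-run the script with the new address list rather than widening the rule to any address.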
Prepare the App Orchestration configuration server
The App Orchestration configuration server hosts the App Orchestration configuration engine and the
web management console.
Citrix recommends installing App Orchestration on servers containing fresh installations of supported
Microsoft Windows Server operating systems. To upgrade servers running App Orchestration 2.0 to
Version 2.5, refer to the document Upgradability Guide for App Orchestration 2.5. Do not attempt to
upgrade servers running App Orchestration versions older than Version 2.0. Additionally, do not join
servers running previous versions of App Orchestration to a deployment running App Orchestration 2.5.
System requirements
The server you prepare to be the App Orchestration configuration server must meet the following
requirements:
Hardware: Dual core processors, 2.6 GHz or higher; minimum 3 GB RAM; minimum 50 GB free disk space
Operating System: One of the following:
Windows Server 2008 R2 SP1
Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition)
Domain Functional Level: Windows Server 2008 R2
Windows Management Framework and PowerShell versions: Depending on your server operating system:
Version 3.0 for Windows Server 2008 R2 SP1. The Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595
Version 4.0 for Windows Server 2012 R2 (included with the operating system)
.NET Framework version: Version 4.5
PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 23.
Windows Update Service: Enabled.
SSL certificates: A server certificate signed by your domain certificate authority is required for deploying the configuration server. Refer to the document Configuring SSL for App Orchestration 2.5.
System Temp folder: Must be writable by the Network Service account.
Internet Access: Enabled. Setup accesses Windows Update to verify that the full version of the .NET Framework 4.5 is installed and to install .NET updates, if required.
Web browser (for accessing the web management console): Internet Explorer 10 or 11
Important: When preparing the configuration server for App Orchestration installation, ensure the server
operating system and anti-virus software have all appropriate updates and patches, and that the server is free
of untrusted software.
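A check of a candidate configuration server against the requirements listed above, as an added example that is not part of the Citrix guide. It returns one object per check so the output can be kept with the build record. It assumes it is run in an elevated PowerShell session on the server itself; the certificate check looks for a CA-issued (not self-signed), unexpired server-authentication certificate with a private key whose subject or SAN matches this host's FQDN, and does not validate the chain to your domain CA, which the SSL guide covers separately. The TEMP check only inspects explicit entries on the folder for Network Service and the built-in groups it belongs to.

```powershell
# Added example (not part of the Citrix guide): prerequisite checks for an
# App Orchestration 2.5 configuration server. ASSUMPTION: run elevated, locally.

function Test-AoConfigServerPrereq {
    $results = New-Object System.Collections.ArrayList
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        [void]$results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # WMF 3.0 on Server 2008 R2 SP1, WMF 4.0 on Server 2012 R2.
    $psVer = $PSVersionTable.PSVersion
    Add-Result 'PowerShell 3.0 or later' ($psVer.Major -ge 3) "PowerShell $psVer"

    # .NET 4.5 setup writes Release >= 378389 under the NDP\v4\Full key.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int]$ndp.Release } else { 0 }
    Add-Result '.NET Framework 4.5' ($release -ge 378389) "Release = $release"

    # PowerShell remoting: the local WinRM listener must answer.
    $remoting = $false
    try { Test-WSMan -ComputerName localhost -ErrorAction Stop | Out-Null; $remoting = $true } catch { }
    Add-Result 'PowerShell remoting enabled' $remoting 'Test-WSMan localhost'

    # Windows Update service must not be disabled.
    $wu = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    Add-Result 'Windows Update service enabled' ($wu -ne $null -and $wu.StartMode -ne 'Disabled') "StartMode = $($wu.StartMode)"

    # CA-issued server-authentication certificate for this host, with private key.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $fqdnPattern = 'DNS Name=' + [regex]::Escape($fqdn)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.Subject -ne $_.Issuer -and $_.NotAfter -gt (Get-Date) -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | ForEach-Object {
            ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$_).EnhancedKeyUsages |
                Where-Object { $_.Value -eq $serverAuthOid } }) -and
        ($_.Subject -eq "CN=$fqdn" -or $_.Subject -like "CN=$fqdn,*" -or
         (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -match $fqdnPattern))
    } | Select-Object -First 1
    $certDetail = if ($cert) { "Thumbprint $($cert.Thumbprint), issued by $($cert.Issuer)" } else { "No matching certificate for $fqdn" }
    Add-Result 'CA-issued server certificate for this FQDN' ($cert -ne $null) $certDetail

    # System TEMP folder must be writable by NETWORK SERVICE (explicit entries only).
    $temp = [System.Environment]::ExpandEnvironmentVariables(
        [System.Environment]::GetEnvironmentVariable('TEMP', 'Machine'))
    $writers = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
    $nsWrite = (Get-Acl -Path $temp).Access | Where-Object {
        $writers -contains $_.IdentityReference.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData'
    }
    Add-Result 'System TEMP writable by Network Service' (@($nsWrite).Count -gt 0) $temp

    $results.ToArray()
}

Test-AoConfigServerPrereq | Format-Table -AutoSize
```

A failed certificate check before the configuration server is installed is far cheaper to fix than a failed install: issue the certificate from your domain CA with the server's FQDN as the subject, import it with its private key into the local machine Personal store, and re-run the check.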
Sequence of preparation tasks for Windows Server 2008 R2 SP1
If you are preparing a server running Windows Server 2008 R2 SP1 as the configuration server, use
the following sequence of tasks to ensure the configuration server is deployed smoothly:
1. Install the operating system and apply all required updates and patches.
2. Install .NET Framework version 4.5.
3. Install Windows Management Framework 3.0, which includes Windows PowerShell 3.0.
4. Install the server certificate required for installation of the configuration server.
5. Join the server to the shared resource domain.
6. Verify the Group Policy settings described in “Configure the App Orchestration Group Policy” on
page 23 have been applied to the App Orchestration root OU of the shared resource domain for
your deployment. For more information about required OUs, see “Prepare your Active Directory
domains” on page 20.
Important: If you join the configuration server to the shared resource domain and enable PowerShell
remoting before you install the Windows Management Framework 3.0 and upgrade to PowerShell 3.0,
installing App Orchestration might fail. If this happens, execute the following command and retry the
installation:
winrm delete http://schemas.microsoft.com/wbem/wsman/1/config/plugin?Name=Microsoft.ServerManager
Client OS and browser support for the management console
To manage your deployment, App Orchestration includes a web-based management console. The
console is hosted, by default, on the configuration server, but you can also run the console on other
computers in your environment. To run the console, App Orchestration supports the following web
browsers and operating systems:
Windows
Platforms covered by the table: Windows 7 SP1 (32-bit and 64-bit); Windows 8 (32-bit and 64-bit); Windows 8.1 (32-bit and 64-bit); Windows Server 2008 R2 SP1; Windows Server 2012 R2. The support marks below are reproduced as printed; the column each mark belongs to was not preserved.
Internet Explorer 10: X X X
Internet Explorer 11: X X X
Mozilla Firefox 24: X X
Chrome 30: X X
Mac OS and Apple iOS
Mozilla Firefox 24: Mac OS X (10.8)
Google Chrome 30: Mac OS X (10.8)
Apple Safari for iOS: Apple iOS 7 (iPad only)
Internet Explorer 11 Considerations
If you plan to use Internet Explorer 11 with the App Orchestration web console, perform the following
tasks to ensure the web console operates consistently:
Disable AutoComplete to prevent unauthorized console access. In addition to remembering
previous entries for forms and URLs, AutoComplete remembers entries for usernames and
passwords. To prevent unauthorized access to the App Orchestration web console due to
remembered credentials, Citrix recommends disabling AutoComplete on all machines on which
Internet Explorer 11 is used to access the web console. To do this, perform the following actions:
1. From the Start screen, click Settings > Control Panel > Internet Options.
2. Click the Content tab and then under AutoComplete click Settings.
3. Clear the User names and passwords on forms check box and then click OK.
Add the web console as a Trusted Site. Because the web console uses JavaScript, Internet
Explorer 11 might prevent the web console from running. To ensure the web console runs
consistently, add the web console URL to the list of Trusted Sites. To do this, perform the following
actions:
1. From the Start screen, click Settings > Control Panel > Internet Options.
2. Click the Security tab and then select the Trusted sites security zone.
3. Click Sites and enter the web console URL. The default URL is https://FQDN-of-AOConfigSvr/camconsole.
Prepare Delivery Controllers and Session Machines
Supported platforms
XenApp 7.5 and XenDesktop 7.5
XenApp 6.5 Feature Pack 4
Important: If you have an existing XenDesktop 7.1 deployment that you used with a previous version of App
Orchestration, you can continue to use that deployment with App Orchestration 2.5. However, you cannot
modify the configuration of the servers in that deployment. To use the full set of features of App Orchestration
2.5, Citrix recommends upgrading your XenDesktop 7.1 deployment to XenDesktop 7.5.
System requirements
Servers you prepare as Delivery Controllers and Session Machines must meet the following
requirements:
Hardware: Dual core processors, 2.6 GHz or higher; minimum 3.0 GB RAM; minimum 50 GB free disk space
Operating System (XenApp 7.5 and XenDesktop 7.5):
Delivery Controllers:
Windows Server 2008 R2 SP1, with PowerShell 4.0
Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition)
Session Machines:
Windows XP SP3 (32-bit only), with PowerShell 2.0
Windows 7 SP1 (32-bit and 64-bit), with PowerShell 4.0
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2008 R2 SP1, with PowerShell 4.0
Windows Server 2012, with PowerShell 4.0
Windows Server 2012 R2
Operating System (XenApp 6.5 FP4): Windows Server 2008 R2 SP1, with PowerShell 4.0
Domain Functional Level: Windows Server 2008 R2 or Windows Server 2012
.NET Framework version: Version 4.5. If the .NET Framework is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically.
Windows Management Framework (WMF) and PowerShell version: Version 4.0. For Windows 7, Windows Server 2008 R2 SP1, and Windows Server 2012, the WMF 4.0 package is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. If WMF 4.0 is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically. Alternatively, you can download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.
Important: For Session Machines running Windows 7 32-bit operating systems, upgrading to WMF 4.0 can render PSSessionConfiguration functions unusable, preventing the machine from being added to a catalog. To avoid this issue, be sure to run the following cmdlet prior to installing the single user Virtual Delivery Agent:
Register-PSSessionConfiguration -Name Microsoft.PowerShell
PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 23.
Windows Update Service: Enabled.
Automatic updates: Disabled on all servers prepared as Session Machines.
Windows Server Roles: .NET Framework 3.5.1.
Database server: Microsoft SQL Server 2012 Express, Standard, and Enterprise editions; Microsoft SQL Server 2008 R2 Express, Standard, Enterprise, and Datacenter editions
Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See “Install App Orchestration” on page 43.
Administrator accounts: A Delivery Site administrator account is required for deploying Delivery Sites in App Orchestration. For more information about the user accounts required for deploying Delivery Sites and Session Machines, refer to the document Credentials Used in App Orchestration 2.5.
Important: When you add the initial Controllers to a Delivery Site or Session Machines to a catalog, App
Orchestration uses these machines to construct machine profiles that are used to evaluate subsequent
machines that are added to the Site or catalog. If these machines do not match the profile for the Site or
catalog, they are not added to the deployment. Therefore, each machine you add to a Site or catalog must
have the same machine configuration, operating system and updates, Citrix product version, and installed
applications as the first machines you deployed. To add machines with differing configurations, create a new
Delivery Site or Session Machine Catalog as appropriate.
Support for aggregating existing Delivery Sites
Aggregating applications and desktops enables users to access offerings that are available in multiple
StoreFront stores from a single point of access. Using aggregation, you can add Delivery Sites that
already exist in your environment to your App Orchestration deployment.
App Orchestration supports aggregating existing Delivery Sites that run the following versions of
XenApp or XenDesktop:
XenApp 5.0, 6.0, and 6.5
XenDesktop 5.5, 5.6, 7.0, and 7.1
XenApp 7.5 and XenDesktop 7.5
Aggregation of Delivery Sites running versions of XenApp or XenDesktop that are older than specified
in this section (such as Citrix Presentation Server 4.5) is not supported. For a complete list of all
XenApp and XenDesktop versions that are supported for Delivery Site aggregation, refer to the
StoreFront topic Infrastructure requirements on Citrix eDocs.
Considerations for Delivery Controllers in cross-forest private Delivery Sites
When creating a Delivery Site in a tenant’s private resource domain that resides in a different forest
than the shared resource domain, a trust relationship must exist between the Delivery Controllers in the
tenant’s resource domain and the shared resource domain. You can create this trust using one of the
following methods:
Using the Zero Trust Agent in the tenant’s resource domain and configuring SSL on the Delivery
Controllers. The Zero Trust Agent facilitates secure communication between the App Orchestration
configuration server and the tenant’s isolated resource domain. For more information, refer to the
documents Deploying the Zero Trust Agent in App Orchestration 2.5 and Configuring SSL for App
Orchestration 2.5.
Establishing a one-way trust in which the shared resource domain trusts the tenant’s resource
domain. This trust allows the App Orchestration agents residing on the Delivery Controllers to
authenticate with the App Orchestration engine using integrated Active Directory authentication.
Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5
Because servers running XenApp 6.5 run an older version of the Citrix Group Policy snap-in by default
(Version 1.5.0.0), Group Policy settings associated with App Orchestration might not display correctly
when viewed with the Group Policy Management Console on a XenApp 6.5 server. To avoid this issue,
update the Citrix Group Policy snap-in with the newer version that comes with XenApp 7.5 and
XenDesktop 7.5 (Version 2.2.0.0). To do this, perform the following actions:
1. On the XenApp 7.5 and XenDesktop 7.5 installation media, locate the
CitrixGroupPolicyManagement_x64.msi file in the /x64/Citrix Policy folder.
2. On the XenApp 6.5 servers in your deployment, run the CitrixGroupPolicyManagement_x64.msi
file to update the Citrix Group Policy snap-in.
Task 2: Configure SSL on Delivery Sites and Session Machines
To avoid security risks, Citrix recommends that you use SSL to secure communications between the
following components:
Between Delivery Controllers and StoreFront servers: For more information about configuring
SSL for App Orchestration, see the document Configuring SSL for App Orchestration 2.5.
Between Session Machines and NetScaler Gateway: As part of deploying NetScaler Gateway in
your environment, a signed SSL certificate and, if applicable, a trusted root certificate are required.
For Session Machines running XenDesktop 7.5, XenApp 7.5, or XenApp 6.5 FP4, manually
configure SSL and install a signed SSL certificate on each machine. If you use App Orchestration to aggregate Delivery Sites running XenDesktop 5.6, ensure the Session Machines and Delivery Controllers in those Sites have the latest public hotfix applied.
Prepare StoreFront servers
StoreFront authenticates users to sites hosting resources and manages stores of applications and
desktops that users access with Citrix Receiver.
System requirements
Servers prepared as StoreFront servers have the following requirements:
Hardware: Dual core processors, 2.6 GHz or higher; minimum 3.0 GB RAM; minimum 50 GB free disk space
Operating System:
Windows Server 2008 R2 SP1, with PowerShell 3.0
Windows Server 2012 R2 (Standard, Enterprise, or Datacenter Edition)
Windows Management Framework and PowerShell version: Depending on your server operating system:
Version 3.0. For Windows Server 2008 R2 SP1, the Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595
Version 4.0. For Windows Server 2012 R2, the Windows Management Framework is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. Alternatively, download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.
Domain Functional Level: Windows Server 2008 R2 or Windows Server 2012
.NET Framework version:
Windows Server 2008 R2 SP1: .NET Framework 4.5. This executable is located in the Support folder of the App Orchestration installation media.
Windows Server 2012: .NET Framework 3.5. For information on enabling this feature, see the article “Install or Uninstall Roles, Role Services, or Features” on the Microsoft web site.
PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 23.
Windows Update Service: Enabled.
Windows Server Roles: .NET Framework 3.5.1; Web Server (IIS), with all default role services
SSL certificate: A server certificate signed by your domain certificate authority is required for deploying StoreFront servers. Refer to the document Configuring SSL for App Orchestration 2.5.
Database server: Microsoft SQL Server 2012 Express, Standard, and Enterprise editions; Microsoft SQL Server 2008 R2 Express, Standard, Enterprise, and Datacenter editions
Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See “Install App Orchestration” on page 43.
Server group requirements
In App Orchestration, you add StoreFront servers to a deployment by creating server groups. A server
group is a collection of two or more StoreFront servers. When adding StoreFront servers to your
deployment, consider the following requirements:
To add tenants, App Orchestration requires at least two StoreFront servers in the deployment. You
can deploy multiple StoreFront server groups to provide high availability and scalability.
The StoreFront servers that are included in the server group must have the same version of
StoreFront installed. Including servers of differing StoreFront versions in the same server group is
not supported.
Security Considerations for App Orchestration 2.5
When planning to deploy machines in your App Orchestration environment, be sure to review the
security best practices and recommendations for the Citrix products that are used with App
Orchestration. Refer to the following topics in Citrix eDocs:
XenApp 7.5 and XenDesktop 7.5: Security
XenApp 6.5: Security Standards and Deployment Scenarios
StoreFront 2.5: Secure your StoreFront deployment
NetScaler Gateway: Planning for Security with NetScaler Gateway
Additionally, for up-to-date information about security standards and Citrix products, visit
http://www.citrix.com/security.
SSL recommendations
Some of the core components in your App Orchestration deployment – configuration server, Delivery
Controllers, and StoreFront servers – require that SSL be configured prior to inclusion in the
deployment. For instructions for configuring SSL for these components, refer to the document
Configuring SSL for App Orchestration 2.5.
Additionally, Citrix recommends using SSL to secure connections with the other components in your App Orchestration deployment, including API calls, connections to and from the configuration database, and the web management console.
Restrict PowerShell remoting sessions
Citrix recommends limiting access to PowerShell remoting sessions to the Authenticated Users group.
This helps ensure that one-time administrator credentials are not intercepted by a malicious user when
passed between a registered App Orchestration agent and a newly-installed agent.
SMB security signatures
Citrix recommends requiring client-side and server-side SMB security signatures for all servers in your
deployment. This helps ensure that SMB packets are not modified in transit among the servers in your
deployment. To require SMB security signatures, configure the following Group Policy settings:
Setting Location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Policy Setting: Microsoft network client: Digitally sign communications (always)
Setting Value: Enabled

Setting Location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Policy Setting: Microsoft network server: Digitally sign communications (always)
Setting Value: Enabled
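An audit of the two policy settings above across the servers in a deployment, as an added example that is not from the Citrix guide. The Group Policy object stays the authoritative setting; this reads the registry values those two policies write, so it reports the effective state on each server and finds servers the GPO has not reached yet. With -Enforce it sets the values directly where they are missing, which is useful on a server that is not yet receiving the policy. It assumes PowerShell remoting is enabled on the targets (a deployment requirement) and that the caller is a local administrator on them; the server names in the usage line are placeholders.

```powershell
# Added example (not part of the Citrix guide): audit or enforce SMB signing
# on App Orchestration servers. ASSUMPTION: remoting enabled on every target.

# Policy name from the table above -> registry key the policy writes to.
# Both policies set the DWORD RequireSecuritySignature = 1 under their key.
$SmbSigningPolicies = @{
    'Microsoft network client: Digitally sign communications (always)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    'Microsoft network server: Digitally sign communications (always)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

# Runs on each target; kept as a script block so Invoke-Command can ship it.
$SmbSigningAudit = {
    param([hashtable]$Policies, [bool]$Enforce)
    foreach ($policy in $Policies.Keys) {
        $path    = $Policies[$policy]
        $value   = (Get-ItemProperty -Path $path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        $changed = $false
        if ($Enforce -and $value -ne 1) {
            Set-ItemProperty -Path $path -Name RequireSecuritySignature -Value 1 -Type DWord
            $value = 1
            $changed = $true
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Policy       = $policy
            Required     = ($value -eq 1)
            Changed      = $changed
        }
    }
}

function Test-AoSmbSigning {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Enforce
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $SmbSigningAudit `
        -ArgumentList $SmbSigningPolicies, $Enforce.IsPresent |
        Select-Object ComputerName, Policy, Required, Changed
}

# Audit only (placeholder server names); add -Enforce to set missing values.
Test-AoSmbSigning -ComputerName 'aocs01', 'sf01', 'ddc01' | Format-Table -AutoSize
```

The Workstation and Server services read RequireSecuritySignature when they start, so after an enforced change restart those services or reboot before re-auditing. A server that reports Required = False after the GPO has been linked for a refresh cycle is usually outside the App Orchestration root OU or has a conflicting local policy, both of which are worth finding before it joins the deployment.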
Machine hardening techniques
To mitigate security risks such as "pass-the-hash" attacks, Citrix recommends the following techniques
for reducing the attack surface of the machines in your App Orchestration deployment:
Use unique local account passwords. When deploying machines from an image or template,
ensure that each machine you deploy has unique local administrator credentials. This helps prevent
a malicious user from reusing credentials gained elsewhere to compromise additional machines.
Restrict remote access for local administrator accounts. Consider removing network and
remote interactive logon privileges from local non-service accounts, such as local administrator
accounts. This technique forces machines to be physically administered or remotely administered
using a domain account. When remotely administering machines in your deployment, use tools and
methods that do not leave reusable credentials in memory, such as using an MMC snap-in or
initiating a PowerShell remoting session (for example, Enter-PSSession ServerName). Additionally,
the domain accounts you use to administer machines should possess only the privileges required to
perform the tasks needed. Do not use highly trusted domain accounts to administer lower trusted
machines (for example, using a Domain Admin account to administer a client workstation).
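Both techniques above applied to a machine cloned from a template, as an added example that is not part of the Citrix guide: the built-in Administrator account gets a unique random password, and local accounts are denied network and Remote Desktop logon so a credential captured from one machine cannot be replayed against another, while domain-account administration over PowerShell remoting or an MMC snap-in is unaffected. It assumes it runs elevated on the target machine (not a domain controller) and that the “Local account” well-known SID S-1-5-113 is available, which is the case on Windows 8.1 and Windows Server 2012 R2 and on earlier versions with KB2871997 installed. The password is returned to the caller for your vault and is never written to disk.

```powershell
# Added example (not part of the Citrix guide): unique local Administrator
# password plus denial of remote logon for local accounts.
# ASSUMPTIONS: run elevated on the target (not a DC); S-1-5-113 is defined.

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous characters (0/O, 1/l/I) are left out so the value reads back cleanly from a vault.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $limit = 256 - (256 % $chars.Length)   # reject bytes at or above this to avoid modulo bias
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Set-BuiltinAdministratorPassword {
    param([Parameter(Mandatory)][string]$Password)
    # RID 500 identifies the built-in Administrator even if it has been renamed.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$($admin.Name),user"
    $user.SetPassword($Password)
    $user.SetInfo()
    $admin.Name
}

function Deny-LocalAccountRemoteLogon {
    # secedit replaces the whole assignment of each right listed, so any
    # accounts already denied these rights must be added to the lines below.
    # In production, set the same two rights in your GPO instead.
    $inf = Join-Path $env:TEMP 'ao-deny-local-logon.inf'
    $db  = Join-Path $env:TEMP 'ao-deny-local-logon.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-113
SeDenyRemoteInteractiveLogonRight = *S-1-5-113
"@ | Set-Content -Path $inf -Encoding Unicode
    try {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item -Path $inf, $db -Force -ErrorAction SilentlyContinue
    }
    'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight'
}

$password = New-RandomPassword
$account  = Set-BuiltinAdministratorPassword -Password $password
$rights   = Deny-LocalAccountRemoteLogon
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Account      = $account
    Password     = $password          # record in your password vault, then discard
    DeniedRights = ($rights -join ', ')
}
```

Run this once per cloned machine, immediately after the template is instantiated and before the machine is added to a Site or catalog. Because the script denies only the two remote logon rights, the local Administrator can still log on at the console, which matches the text's intent that machines be administered physically or with a domain account.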
Restrict access for tenant user accounts
To mitigate security risks to the machines in the shared resource domain, Citrix recommends that only
members of the orchestration service group have permission to access these machines. Tenants' users
should not have Domain Admin or local administrator privileges on any machines or components in the
App Orchestration deployment. Tenants' users should be able to access only the applications and
desktops that are hosted on these machines.
To limit tenants' access only to the machines that are privately allocated to them, Citrix recommends
using private Active Directory forests for each tenant, creating offerings that employ Private Delivery
Site isolation, and using Private server groups to deliver offerings to tenants' users. These isolation
levels help ensure that tenants' private machines are kept separate from the machines in the shared
resource domain, thus limiting the opportunity for a malicious user to gain access to other tenants'
machines or data in the deployment.
Additionally, for domain agent machines in a tenant’s resource domain, Citrix recommends that only
service provider administrators have permission to access these machines directly, as they are the only
users authorized to access the domain. Tenants’ users should not have Domain Admin or local
administrator privileges on these machines.
XenApp Session Machine isolation
To ensure Session Machines running XenApp 6.5 FP4 are adequately isolated in your App
Orchestration deployment, Citrix recommends creating offerings that employ Private Delivery Site
isolation. By using this isolation level, the Session Machines and the Delivery Site with which they are
associated are connected to a specific tenant's private management network and the desktops and
applications that are hosted on the machines are accessible only by the tenant's users. Because these
machines are privately allocated, not shared, this isolation level helps prevent a malicious user from
gaining elevated privileges on the XenApp Delivery Site by way of the associated Session Machines.
Session Machine Catalog upgrades
When upgrading Session Machine Catalogs, consider the following:
When upgrading multiple machines through a scripted or otherwise automated process, ensure that no administrator credentials are sent to the Session Machines being updated in a form that those machines could capture and reuse. In particular, do not use Basic authentication for PowerShell remoting.
If CredSSP is enabled in your environment, administrators should not use PowerShell remoting with implicit authentication to connect to Session Machines.
Do not embed credentials in any update scripts.
For more information about upgrading Session Machine Catalogs, see the document Upgrading Session Machine Catalogs in App Orchestration 2.5.
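The three points above turned into a client-side configuration and a remoting pattern for scripted catalog upgrades, as an added example that is not part of the Citrix guide. Basic authentication sends the password itself and CredSSP hands the remote host a reusable credential, so both are switched off on the administrator's workstation; Kerberos is then used explicitly, which gives mutual authentication and leaves no credential on the Session Machine. It assumes the workstation and the Session Machines are domain-joined and addressed by FQDN (Kerberos does not work with IP addresses), that the WSMan settings are changed from an elevated session, and that the script block passed as the update step is a placeholder for your real upgrade action.

```powershell
# Added example (not part of the Citrix guide): WinRM client hardening and a
# Kerberos-only remoting wrapper for Session Machine catalog upgrades.
# ASSUMPTIONS: domain-joined hosts addressed by FQDN; run elevated.

function Get-AoRemotingClientState {
    [pscustomobject]@{
        Basic            = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic).Value
        CredSSP          = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value
        AllowUnencrypted = (Get-Item -Path WSMan:\localhost\Client\AllowUnencrypted).Value
        TrustedHosts     = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    }
}

function Set-AoRemotingClientHardening {
    # Basic sends the password; CredSSP delegates a reusable credential. Disable both.
    Set-Item -Path WSMan:\localhost\Client\Auth\Basic   -Value $false
    Set-Item -Path WSMan:\localhost\Client\Auth\CredSSP -Value $false
    # Never allow unencrypted transport, and keep TrustedHosts empty: a host on
    # that list is reachable without mutual authentication.
    Set-Item -Path WSMan:\localhost\Client\AllowUnencrypted -Value $false
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '' -Force
    Get-AoRemotingClientState
}

function Invoke-AoSessionMachineUpdate {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,   # FQDNs of the Session Machines
        [Parameter(Mandatory)][scriptblock]$UpdateStep,
        [System.Management.Automation.PSCredential]$Credential   # optional; never a literal in the script
    )
    # Explicit Kerberos: mutual authentication, and only a service ticket is
    # presented to the Session Machine, not a password or delegated credential.
    $sessionArgs = @{ ComputerName = $ComputerName; Authentication = 'Kerberos' }
    if ($Credential) { $sessionArgs['Credential'] = $Credential }
    $sessions = New-PSSession @sessionArgs
    try {
        Invoke-Command -Session $sessions -ScriptBlock $UpdateStep
    } finally {
        Remove-PSSession -Session $sessions
    }
}

Set-AoRemotingClientHardening | Format-List

# Placeholder update step: report the host and PowerShell version of each machine.
Invoke-AoSessionMachineUpdate -ComputerName 'sm01.shared.example.com', 'sm02.shared.example.com' `
    -UpdateStep { [pscustomobject]@{ Host = $env:COMPUTERNAME; PSVersion = $PSVersionTable.PSVersion.ToString() } }
```

If the upgrade has to run as a different domain account, obtain it interactively with Get-Credential and pass it to -Credential; with Kerberos the credential is used to request a ticket and is not sent to the Session Machine, and nothing is stored in the script. If New-PSSession fails with an authentication error after this change, the usual cause is a machine addressed by IP or short name without a matching SPN; fix the name rather than re-enabling Basic or adding the host to TrustedHosts.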
Install App Orchestration
There are four key tasks in the Install phase of App Orchestration:
1. Copy the downloaded files to the appropriate locations.
2. Install prerequisites.
3. Install the App Orchestration software.
4. Perform post-install configuration.
Overview
Accounts and Permissions
You’ll need the following accounts and permissions:
A Citrix web site account, for downloading and installing App Orchestration.
Permission to install the App Orchestration package on the server to be designated as the App
Orchestration configuration server.
Database administrator credentials for the SQL Server configuration database, for post-install
configuration.
Credentials to create a Group Policy Object and link it to the OU being used for App Orchestration,
so you can set policies for PowerShell remoting.
Prerequisites
Make sure that all of the machines you will be using with App Orchestration are under the root OU for
your deployment.
Personas
Two personas are involved in the Install phase of App Orchestration: the Infrastructure Engineer and
Service Designer. In your organization, these functions may be performed by different people, or by
one person who does both jobs.
The Infrastructure Engineer provides the following items:
The SQL Server database administrator credentials.
The App Orchestration root OU in Active Directory and the credentials for that OU.
The required SSL certificates. You need a certificate for the following components:
o Each App Orchestration configuration server
o The global site Load Balancer
o Each StoreFront server group, and the load balancer for each server group
o Each NetScaler Gateway
Note: You can use a wildcard certificate for the AO configuration server and for multiple StoreFront server
groups in the same domain.
If you are using NetScaler Gateway, you can minimize your SSL certificate costs by getting only the
certificates for the App Orchestration configuration server and global site Load Balancer from a public
Certificate Authority. For the StoreFront server groups, the Load Balancer for each StoreFront server group,
and NetScaler, create your own Certificate Authority and use it to issue trusted certificates. At the network
layer, secure communications between NetScaler and the VDA, and between the StoreFront server group
and Delivery Controller, to ensure they cannot be intercepted.
If you are not using NetScaler Gateway, you can minimize cost by using a public Certificate Authority only for
the certificates for the App Orchestration configuration server and the Load Balancer for each StoreFront
server group.
The Service Designer performs the following tasks:
Install the App Orchestration software.
Perform post-Install configuration.
Pitfalls to avoid
The best way to avoid pitfalls in the Install phase is to follow the App Orchestration Setup Checklist
carefully. Make sure that:
The appropriate SSL certificates are installed.
The App Orchestration product media folder can be reached by the servers in your deployment.
Networks and routing are configured correctly.
Task 1: Download the product media
To prepare Delivery Sites, Session Machines, and StoreFront server groups, App Orchestration
accesses a product media folder that hosts the Citrix software for these components. This folder can be
local to all machines (recommended), or on a portable drive, a network share of any kind, or any other
location that is visible to all of your machines. Citrix recommends that you protect this folder with
appropriate access controls, to prevent unauthorized access that might result in file corruption or the
introduction of malware.
Download App Orchestration
1. Navigate to the download page for the Citrix Cloud Provider Pack for XenApp or the Citrix Cloud
Provider Pack for XenDesktop.
2. Log on to your Citrix account and download App Orchestration 2.5.
3. Run the App_Orchestration_2.5.exe file you downloaded to extract the image contents into a
folder of your choice (for example, AO25), with the following layout:
Build out the product media folder
The product media folder hosts the media for App Orchestration and any related products that you
download and copy into the folder.
1. From the App Orchestration image folder, expand the Setup folder:
2. In ProductMedia, create the following folders. Create the XenApp folder and its subfolders if your
deployment will use XenApp 6.5. Create the XenDesktop folder if your deployment will use XenApp
7.5 or XenDesktop 7.5.
3. Download the relevant software to the ProductMedia folder structure:
For this component | Download this file | Copy the downloaded file to this folder
StoreFront | Navigate to the StoreFront download page and download StoreFront 2.5.2. | CitrixStoreFront
XenApp 6.5 | Navigate to the XenApp 6.5 download page to download XenApp 6.5 and Hotfix Rollup Pack 4. | Copy the XenApp software to the XenApp folder. Copy the entire contents of the Hotfix Rollup Pack 4 to XenApp\XenAppHRP.
XenApp 7.5 and XenDesktop 7.5 | Navigate to the XenApp download page or the XenDesktop download page and download the Version 7.5 Platinum Edition. | XenDesktop
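The folder layout from the table above, created by script and then locked down as the guide recommends. This is an added example and not part of the Citrix guide. It assumes ProductMedia sits under the image folder's Setup folder (the guide's screenshot is not reproduced here), that the image was extracted to C:\AO25, and that a domain group named AO-MediaAdmins (hypothetical) is the only group allowed to change the media; everyone else can read and run it but not modify it, which is what protects the folder against tampering or dropped malware.

```powershell
# Added example, not from the Citrix guide. Creates the ProductMedia folder
# layout listed in the table and restricts write access to one admin group.
# Assumptions: ProductMedia sits under <image folder>\Setup, the image was
# extracted to C:\AO25, and the admin group name is hypothetical.
param(
    [string]$ImageRoot  = 'C:\AO25',                 # placeholder image folder
    [string]$AdminGroup = 'CONTOSO\AO-MediaAdmins',  # hypothetical group
    [switch]$UseXenApp65,                            # deployment uses XenApp 6.5
    [switch]$UseXenDesktop75                         # deployment uses XenApp/XenDesktop 7.5
)

$media = Join-Path $ImageRoot 'Setup\ProductMedia'

# Folder names from the guide; only the ones this deployment needs are created.
$folders = @('CitrixStoreFront')
if ($UseXenApp65)     { $folders += 'XenApp', 'XenApp\XenAppHRP' }
if ($UseXenDesktop75) { $folders += 'XenDesktop' }

foreach ($f in $folders) {
    $p = Join-Path $media $f
    if (-not (Test-Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
}

# Replace inherited ACEs with an explicit list: SYSTEM and the admin group get
# full control; Authenticated Users get read/execute so installers still run.
$acl = Get-Acl -Path $media
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
        @{ Id = $AdminGroup;                        Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $media -AclObject $acl

# Report which media folders are still empty so nothing is missed before the
# Install Center is run on the first machine.
foreach ($f in $folders) {
    $p = Join-Path $media $f
    $count = @(Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue).Count
    $state = if ($count -gt 0) { "$count file(s)" } else { 'EMPTY - copy the media here' }
    Write-Output ('{0,-20} {1}' -f $f, $state)
}
```

Run it once on the machine that hosts the media share, after extracting the image and before copying any product media in; rerun it after copying to confirm that every required folder is populated.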
Task 2: Install App Orchestration components
Use the Citrix App Orchestration Install Center to install App Orchestration and prepare your machines
for deployment as Delivery Sites, Session Machines, and StoreFront servers. To save time when
installing the same component on multiple machines, you can install the component on one virtual
machine, and then create a template of that machine. When you need a new machine of that type,
simply reuse the template instead of repeating the installation steps.
1. Copy the App Orchestration 2.5 image folder to each prepared machine.
2. From the image folder, double-click Setup.exe to launch the Citrix App Orchestration Install Center.
The Install Center screen appears.
3. Click App Orchestration Configuration Server to install the configuration server on one or more
machines.
4. If you have any domains that are isolated from the App Orchestration configuration server, install
the App Orchestration Domain Agent on a dedicated machine in each of those domains. For
more information about using isolated domains, refer to the document Deploying the Zero Trust
Agent in App Orchestration 2.5.
Note: If you need to install the domain agent software on multiple servers and are considering creating a
template, just install the domain agent software on the template machine. Do not continue to the App
Orchestration Server Configuration wizard. You will need to run the wizard on each new machine you create
from the template.
5. For Delivery Controllers, Session Machines, and StoreFront servers, create a template for each
machine type:
a. Create the first machine of the relevant type and install the appropriate software:
For Delivery Sites using XenApp 7.5 or XenDesktop 7.5, install the XenApp and
XenDesktop 7.5 Delivery Controller software. The associated App Orchestration agent is
automatically installed.
For Delivery Sites using XenApp 6.5, install the XenApp 6.5 Controller software. The
associated App Orchestration agent is automatically installed.
Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and
select the XenApp 6.5 Controller tile to complete the installation.
For Session Machines running XenApp 7.5 and XenDesktop 7.5 that will use on-demand
provisioning, install the appropriate Virtual Delivery Agent on each Session Machine. For
more information, refer to the document Provisioning Session Machines On-demand in App
Orchestration 2.5.
For Session Machines that will host offerings on Delivery Sites using XenApp 6.5, install the
XenApp 6.5 Session Host software.
Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and
select the appropriate Session Machines tile to complete the installation.
For StoreFront server groups, install the Citrix StoreFront 2.5 software. The associated
App Orchestration agent is automatically installed.
b. Delete the entire App Orchestration 2.5 image folder and its contents from this machine, and
also delete it from the Recycle Bin.
Note: This step is especially important for Session Machines, to prevent the installation software from being
available to subsequent user sessions on those machines.
c. Shut down the machine.
d. Make a Full Copy of the virtual machine.
e. Start the copied image and run sysprep. Do not reboot or restart the machine afterward. For
more information about sysprep, refer to the article Sysprep (System Preparation) Overview on
the Microsoft web site.
Important: If you are creating a XenDesktop Session Machine template to be used as the VDA master image
template for on-demand provisioning, skip this step; XenDesktop Machine Creation Services [MCS] cannot
provision machines from a master image template on which you have run sysprep.
cd %windir%\system32\sysprep
sysprep /generalize /shutdown /oobe
f. Convert the virtual machine into a template.
g. Use the template to create additional virtual machines of the same type:
At least two machines, for a single Delivery Site running XenApp 7.5 and XenDesktop 7.5 or
XenApp 6.5.
At least one Session Machine for hosting applications and desktops, with additional Session
Machines as necessary to provide more capacity for offerings.
At least two machines running StoreFront 2.5, comprising a single StoreFront server group.
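Steps b and e of the template procedure above, as two small PowerShell functions. This is an added example and not part of the Citrix guide. It assumes the image folder was copied to C:\AO25 (a placeholder) and that Clear-RecycleBin is available (PowerShell 5.0 or later; on older hosts empty the Recycle Bin by hand). Remove-AoInstallMedia runs on the first machine of each type before it is shut down and copied; Invoke-AoGeneralize runs on the started copy and honours the MCS master-image exception from the Important note.

```powershell
# Added example, not from the Citrix guide. Step b: delete the installation
# media and purge it from the Recycle Bin, then confirm no copy is left behind
# where a later user session on a Session Machine could reach it.
function Remove-AoInstallMedia {
    param([string]$ImageFolder = 'C:\AO25')   # placeholder: where step 1 put the image folder

    if (Test-Path $ImageFolder) { Remove-Item -Path $ImageFolder -Recurse -Force }
    Clear-RecycleBin -Force -ErrorAction SilentlyContinue   # PowerShell 5.0+

    # Look for stray copies: the root of the system drive and every user profile.
    $leaf  = Split-Path $ImageFolder -Leaf
    $items = @(Get-ChildItem -Path "$env:SystemDrive\" -ErrorAction SilentlyContinue)
    $items += @(Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -ErrorAction SilentlyContinue)
    $stray = $items | Where-Object {
        ($_.PSIsContainer -and $_.Name -eq $leaf) -or $_.Name -eq 'App_Orchestration_2.5.exe'
    }
    if ($stray) {
        Write-Warning ("Installation media still present:`n" + ($stray.FullName -join "`n"))
        return $false
    }
    return $true
}

# Step e: generalize and shut down the copied machine with the guide's exact
# sysprep command line. A XenDesktop VDA master image for Machine Creation
# Services must not be sysprepped, so that case only shuts the machine down.
function Invoke-AoGeneralize {
    param([switch]$McsMasterImage)

    if ($McsMasterImage) {
        Write-Output 'MCS master image: skipping sysprep; shutting down so the VM can be converted to a template.'
        Stop-Computer -Force
        return
    }
    $sysprep = Join-Path $env:windir 'system32\sysprep\sysprep.exe'
    & $sysprep /generalize /shutdown /oobe
}

# Usage, on the first machine of a type (step b), then on its started copy (step e):
#   if (Remove-AoInstallMedia -ImageFolder 'C:\AO25') { Stop-Computer -Force }
#   Invoke-AoGeneralize            # or: Invoke-AoGeneralize -McsMasterImage
```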
Configure App Orchestration
Accounts and permissions
In the Configuration phase of App Orchestration, you’ll need the following accounts and permissions:
App Orchestration configuration server installation and configuration credentials, which must be a
member of the orchestration server administrators group.
Optionally, read-only credentials for the default user domain.
Prerequisites
Before you start the Configuration phase, make sure you’ve set up your environment according to the
instructions in this document. For example, you’ll need to know the names for your shared resource
and default user domains, your default datacenter, and your external DNS suffix that users will use to
access their environments.
Personas
Typically, the only persona involved in this phase is the Service Designer, who is responsible for
configuring App Orchestration.
Pitfalls to avoid
Follow these simple rules to avoid pitfalls in the Configuration phase:
After you have configured the names for the resource domain and user domain, you cannot change
them.
The domain functional level for all resource domains must be Windows Server 2008 R2 or higher.
The network names on your compute resources must exactly match the names you specify in App
Orchestration under Global Settings Summary > Advanced Settings > Enable network
isolation.
Task 1: Configure the App Orchestration configuration server
After you install the App Orchestration software on the configuration server, you will need to supply
additional details about your deployment environment. The App Orchestration installer prompts you for
the following information:
Service deployment name: This value becomes the name of the configuration database that App
Orchestration creates.
Database server: The FQDN of the SQL Server that hosts the App Orchestration configuration
database.
Administrators group: This group contains the non-privileged user accounts for administering your
App Orchestration deployment. For more information about this group, see the document
Credentials Used in App Orchestration 2.5.
SSL certificate: A server certificate signed by your domain certificate authority is required to
secure connections with the configuration server. For more information about using SSL with App
Orchestration, see the document Configuring SSL for App Orchestration 2.5.
Existing deployment information: If you are deploying a configuration server to an existing App
Orchestration deployment, enter only the server’s FQDN. If you use the server’s IP address or
NetBIOS name instead, App Orchestration displays an error message indicating the server cannot
be contacted.
Task 2: Configure global settings
After you perform the initial configuration, use the App Orchestration web console to configure the
global settings for the deployment. This includes providing the following information:
Shared resource and default user domains: The shared resource domain contains the root OU
where the configuration server and all resources that will be shared among multiple tenants reside.
The default user domain contains the Active Directory users and groups for tenants using resources
delivered from the shared resource domain. You can specify different domains for resources and
user accounts or you can use the same domain for both. These domains and the App Orchestration
root OU (in each resource domain) must exist already in your environment; App Orchestration does
not create them. For more information about these domains, see “Prepare your Active Directory
domains” on page 20.
Orchestration service account: This is the primary App Orchestration administrator. The
orchestration service account is a non-privileged user account and must be a member of the
administrators group you specified during installation. This account should not belong to the
Domain Admins group. The orchestration service account must exist already in your environment;
the installation process does not create it. For more information about this account, see “Create
administrator account” on page 26.
Default datacenter: The default location for shared resources. In general, datacenters contain
resources in the same geographic location. For more information about datacenters, see the
document Deploying a Multi-Datacenter Environment in App Orchestration 2.5.
Licensing: The FQDN and port of the Citrix Licensing server in your environment.
Note: If you are using IPv6 addressing for the Licensing server, surround the address with brackets when you
specify it for App Orchestration. For example: [FE80::0202:B3FF:FE1E:8329]
External DNS suffix: The DNS suffix that is used to configure the NetScaler Gateway address.
Network isolation and NetScaler Gateway: Select whether or not to enable network isolation and
use with NetScaler Gateway. If you enable network isolation, enter the labels of the virtual networks
you created on your compute resources. If you enable use with NetScaler Gateway, specify the
address for the appliance.
Note: When you enter the NetScaler Gateway address, enter only the URL of the appliance. As App
Orchestration uses port 443 by default, entering a port number can prevent App Orchestration from
communicating with the appliance. If you need to use a port number other than 443 for NetScaler Gateway,
you can customize the PowerShell script that uses this address when deploying StoreFront. For more
information, see the document Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and
NetScaler Gateway for App Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with StoreFront
2.5.2 and NetScaler Gateway for App Orchestration 2.5.
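A pre-flight check of the Licensing and NetScaler Gateway values before they are typed into the global settings wizard, encoding the two notes above (bracketed IPv6 literals; no port number in the gateway address). This is an added example and not part of the Citrix guide; the sample values at the end are constructed (the IPv6 literal is the one from the note, the port 27000 and the host names are placeholders), and the optional external-DNS-suffix check is an assumption drawn from the description of that setting, not a documented rule.

```powershell
# Added example, not from the Citrix guide: validates global-settings input
# against the rules in the notes above before the wizard is filled in.
function Test-AoGlobalSettingsInput {
    param(
        [Parameter(Mandatory)][string]$LicenseServer,   # host:port or [ipv6]:port
        [Parameter(Mandatory)][string]$GatewayUrl,      # NetScaler Gateway address as typed
        [string]$ExternalDnsSuffix                      # optional, assumed check only
    )
    $problems = @()

    # Licensing server: a host name or a bracketed IPv6 literal, then a port.
    if ($LicenseServer -match '^(?:\[(?<v6>[^\]]+)\]|(?<host>[^:\[\]]+)):(?<port>\d{1,5})$') {
        $port = [int]$Matches.port
        if ($port -lt 1 -or $port -gt 65535) { $problems += "Licensing: port $port is out of range" }
        if ($Matches.v6) {
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($Matches.v6, [ref]$ip) -or
                $ip.AddressFamily -ne 'InterNetworkV6') {
                $problems += "Licensing: '$($Matches.v6)' is not a valid IPv6 address"
            }
        }
    } elseif ($LicenseServer -match '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$') {
        # Colons without brackets: the last colon would be read as the port separator.
        $problems += "Licensing: IPv6 addresses must be written as [address]:port"
    } else {
        $problems += "Licensing: '$LicenseServer' is not in host:port form"
    }

    # NetScaler Gateway: an absolute https URL with no explicit port and no path.
    # App Orchestration assumes 443, so even ':443' counts as an explicit port.
    $uri = $null
    if (-not [System.Uri]::TryCreate($GatewayUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        $problems += "Gateway: '$GatewayUrl' is not an absolute URL"
    } else {
        if ($uri.Scheme -ne 'https') { $problems += "Gateway: scheme is '$($uri.Scheme)', expected https" }
        $authority = ($GatewayUrl -replace '^[A-Za-z][A-Za-z0-9+.-]*://', '') -replace '[/?#].*$', ''
        if ($authority -match '(^[^\[\]]+|\]):\d+$') {
            $problems += 'Gateway: remove the port number; App Orchestration uses 443 by default'
        }
        if ($uri.PathAndQuery -ne '/') { $problems += 'Gateway: enter only the appliance address, without a path' }
        if ($ExternalDnsSuffix -and -not $uri.Host.EndsWith($ExternalDnsSuffix, 'OrdinalIgnoreCase')) {
            # Assumed check: the external DNS suffix is used to build the gateway address.
            $problems += "Gateway: host '$($uri.Host)' is not under the external DNS suffix '$ExternalDnsSuffix'"
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample values; the explicit :443 is rejected as the note describes.
Test-AoGlobalSettingsInput -LicenseServer '[FE80::0202:B3FF:FE1E:8329]:27000' `
    -GatewayUrl 'https://gateway.example.com:443' -ExternalDnsSuffix 'example.com'
```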
Define App Orchestration infrastructure
App Orchestration infrastructure refers to the datacenters, compute resources, domains, and instance
configurations that provide network and tenant isolation for your deployment.
Accounts and permissions
App Orchestration orchestrates across one or more Active Directory domains. Before using App
Orchestration, make sure you have at least one Active Directory resource domain to host the App
Orchestration configuration server and the database server. If you plan to store user accounts in a
separate domain, create that default user domain as well.
Within the shared resource domain, you must have a root OU with a credential that has full control and
is also able to initiate a PowerShell remoting session to all servers within that domain.
If you are using a separate user domain, you must also have a credential that is able to create Active
Directory user groups inside that domain.
Domains in App Orchestration can span multiple datacenters. If your deployment includes multiple
datacenters, Citrix recommends having a domain controller in every datacenter where a domain will be
used. Alternatively, you can use a DNS forward lookup zone in a datacenter. The shared resource
domain must exist in all datacenters and, therefore, must have a domain controller in every datacenter.
Prerequisites
Before you start the Define phase of App Orchestration, make sure:
The required domains exist.
You have credentials for each domain.
You have created the required OUs in each domain.
You must also apply a PowerShell remoting policy to all resource domains used by App Orchestration.
Remember to run gpupdate on each machine to apply the policy.
Other prerequisites include:
Any compute resources that you want to use with App Orchestration.
The credentials for those compute resources to create virtual machines, access storage, and read
network information.
A Citrix Licensing server within each datacenter. If desired, you can use the same Licensing server
for all domains within a datacenter, or even for all datacenters.
Personas
Two personas are involved in the Define phase of App Orchestration: the Infrastructure Engineer and
the Service Designer. In your organization, these functions may be performed by two different people,
or by one person who does both jobs.
The Infrastructure Engineer tells the Service Designer about available datacenters, including:
The compute resources available in those datacenters.
The IP address ranges assigned to those datacenters.
Any NetScaler Gateway devices located in those datacenters.
Additionally, the Infrastructure Engineer performs the following tasks:
Supplies compute resource storage and networking details.
Provides a SQL Server for the Service Designer to use to deploy App Orchestration and other Citrix
components.
Provides machines for installing the App Orchestration configuration server and the Citrix Licensing
server.
Sets up and maintains the Active Directory domains used by App Orchestration, including the
shared resource domain and any tenant user domains.
The Service Designer:
Owns the Citrix licenses.
Installs the Citrix License Server and the product licenses on that server.
Installs, deploys, and maintains the App Orchestration configuration servers.
Pitfalls to avoid
Follow these simple rules to avoid pitfalls in the Define phase:
Ensure each machine configured and deployed by App Orchestration has all of the minimum
system requirements installed, including the Microsoft .NET Framework.
Each machine under App Orchestration control requires PowerShell remoting. Run the command
winrm quickconfig to verify that PowerShell remoting is functioning on all machines.
If you are using multiple datacenters, make sure you can ping IP addresses in each datacenter from
the App Orchestration configuration server. Firewalls or WAN connectivity problems could prevent
App Orchestration from functioning correctly.
Task overview
1. Ensure the shared and private resource and user domains exist in your Active Directory structure.
Also, ensure that these domains contain the required OUs. Refer to “Prepare your Active Directory
domains” on page 20 and the document Deploying App Orchestration 2.5 in a Complex Active
Directory Environment.
2. Ensure you have the required credentials to add and modify objects in the shared and private
domains. Refer to the document Credentials Used in App Orchestration 2.5.
3. Define additional domains. If your deployment includes domains in addition to the shared resource
and user domains (for example, private tenant domains), you will need to add these domains
through the App Orchestration web console. Refer to the document Deploying App Orchestration
2.5 in a Complex Active Directory Environment.
4. Create additional datacenters. In addition to the default datacenter, you might also create a backup
datacenter. Refer to the document Deploying a Multi-Datacenter Environment in App Orchestration
2.5.
5. Set up and configure the compute resources you will use for provisioning Session Machines. Refer
to the following resources:
Provisioning Session Machines On-Demand in App Orchestration 2.5
Using Citrix CloudPlatform to Provision Session Machines On-Demand in App Orchestration 2.5
Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.5
Design service offerings for tenants
Accounts and permissions
When you create a new Delivery Site, you will need a credential for Location settings. That credential
must be a member of the Delivery Site admin group in Active Directory, and the local administrator
group on machines used as Delivery Site controllers. You will also need a credential for the Database
settings. You can use the same credential for both, if desired.
Prerequisites for Session Machine Catalogs using on-demand
provisioning
Before you can create a Session Machine Catalog that uses on-demand provisioning, you must first
create a compute resource.
On the compute resource, create a virtual machine to serve as the template for on-demand creation
of machines to host your service. The template should include the applications, operating system,
and desktop configuration that you want for your service.
The template should be a bootable virtual machine joined to a domain. The orchestration service
account credential from the shared resource domain must be able to connect to that domain via
PowerShell remoting, and execute commands there.
The compute resource storage must have enough free space to store a complete replica of the
input virtual machine template.
Prerequisites for Session Machine Catalogs using external
provisioning
When creating a Session Machine Catalog with externally-provisioned machines, the first thing you
need is the machines that you want to add to the catalog. These machines can be physical,
virtual, or created through any provisioning system.
The machines must be joined to an Active Directory domain where the orchestration service
account can connect to the machines remotely through PowerShell remoting.
The machines should have the appropriate Citrix software installed (either the appropriate Virtual
Delivery Agent or the XenApp 6.5 Session Host). You can install these packages through the App
Orchestration Install Center. For more information, see “Install App Orchestration” on page 43.
If the provisioning method that you use automatically resets the machines upon reboot (like Citrix
Provisioning Services), then you must have the Citrix software installed on the machine before
importing it into App Orchestration.
If you are importing multi-user machines running Microsoft Terminal Server, make sure Terminal
Services licensing is configured and functioning properly before you import the machines into App
Orchestration.
All of the machines you import should have the Windows Update Service enabled in the Server
Manager, but Automatic Windows Updates should be disabled.
Prerequisites for offerings
Before creating offerings, you must have created a Session Machine Catalog.
If the Session Machine Catalog uses on-demand provisioning, you need to wait for App
Orchestration to complete the preparation of the input VM template. This can take up to 30 minutes.
You can monitor progress from the Workflows tab.
If the Session Machine Catalog uses external provisioning, you must have imported at least one
machine into the catalog before you create an offering. The import process may take 10-15
minutes.
Prerequisites for Delivery Sites
Before you add Delivery Sites in App Orchestration, you will need the following:
At least one SQL server, with an optional second server to use as a mirror.
SQL Server database administrator credentials.
At least two machines that will be used as Delivery Controllers:
o These machines should be joined to the shared resource domain, and the orchestration service
account configured within App Orchestration must be able to connect to these machines using
PowerShell remoting.
o The machines should be prepared as XenApp 6.5 controllers or XenApp 7.5 and XenDesktop
7.5 Delivery Controllers. You can install these packages through the App Orchestration Install
Center. This process also installs the required App Orchestration agent. For more information,
see “Install App Orchestration” on page 43.
Prerequisites for StoreFront
For App Orchestration to deploy and manage a StoreFront server group, you will need:
At least two machines joined to the same resource domain which has been added to the
deployment through the App Orchestration web console. To install the StoreFront software on these
machines, use the App Orchestration Install Center. The installation process also installs the
required App Orchestration agent.
You must also have an SSL certificate that is valid for the DNS addresses of these machines. The
certificate must be issued from a trusted certification authority.
You must also have a load balancer configured to balance web traffic between the two machines.
This load balancer should also be configured to use SSL.
Personas
Two personas are involved in the Design phase of App Orchestration: the Service Strategist and the
Service Designer. In your organization, these functions may be performed by two different people, or by
one person who does both jobs.
The Service Strategist performs the following tasks:
Decides which applications and desktops to offer.
Provides an initial estimate of the number of users expected to use those apps and desktops.
The Service Designer performs the following tasks:
Uses the information provided by the Service Strategist to prepare machines or VM templates with
the operating system, apps, and desktop configuration needed to create offerings.
Decides on the appropriate FlexCast technology to deliver those apps and desktops to end users.
Decides on the scaling factor that determines how many users will fit per server for a particular
offering.
Prepares Delivery Sites and StoreFront Server Groups to meet the initial capacity requirements in
each datacenter.
Provisions an adequate number of Session Machines up front in each datacenter to meet the initial
capacity of the offerings.
Pitfalls to avoid
Provisioning Session Machines requires PowerShell remoting to be enabled and functional. To
ensure no environmental issues are preventing PowerShell remoting from functioning properly, run
winrm quickconfig on the Session Machines.
Verify connectivity from the App Orchestration configuration server to the Session Machine using
PowerShell remoting, using the orchestration service account credential.
To avoid DNS issues that may arise between newly-provisioned Session Machines and the App
Orchestration configuration server, ensure that you can execute nslookup from the App
Orchestration configuration server to the Session Machines, and from the Session Machines to the
configuration server.
Ensure that no operating system or application updates are being applied automatically on
externally-provisioned Session Machines, or on the input template used for on-demand
provisioning. Disable the Windows Update Service from applying updates automatically, and turn
off any application updaters on those machines.
You can enable Windows Update and other application update mechanisms on Delivery Controllers
and StoreFront servers.
App Orchestration requires that all Session Machines are configured identically, including hardware
and installed software. Therefore, App Orchestration will reject importing a machine that is different
from the template machine.
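The remoting, DNS and update-policy checks from the two "Pitfalls to avoid" lists (the Define-phase list with winrm quickconfig and ping, and the Design-phase list above), gathered into one report that is run from the configuration server against each Session Machine as the orchestration service account. This is an added example and not part of the Citrix guide; the machine names and the account name in the usage line are constructed placeholders, and the automatic-update test reads the standard Windows Update policy and client registry values rather than anything App Orchestration itself checks.

```powershell
# Added example, not from the Citrix guide. Run on the configuration server.
function Test-AoSessionMachine {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,     # Session Machine FQDNs
        [Parameter(Mandatory)][pscredential]$Credential    # orchestration service account
    )
    # Name the Session Machines must be able to resolve back to (this host).
    $configServer = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

    foreach ($name in $ComputerName) {
        $r = [ordered]@{
            Machine = $name; Ping = $false; ForwardDns = $false; ReverseDns = $false
            WinRM = $false; Remoting = $false; ResolvesConfigServer = $null
            WuServiceEnabled = $null; AutoUpdateOff = $null
        }

        # Reachability and DNS in both directions (the nslookup checks above).
        $r.Ping = Test-Connection -ComputerName $name -Count 1 -Quiet
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($name)
            $r.ForwardDns = ($ips.Count -gt 0)
            $short = $name.Split('.')[0]
            $r.ReverseDns = ([System.Net.Dns]::GetHostEntry($ips[0]).HostName -like "$short*")
        } catch { }

        # WinRM listener answering; if not, "winrm quickconfig" is needed on the machine.
        try { $null = Test-WSMan -ComputerName $name -ErrorAction Stop; $r.WinRM = $true } catch { }

        # A real remoting session as the service account, running the update-policy
        # and reverse-resolution checks on the Session Machine itself.
        if ($r.WinRM) {
            try {
                $remote = Invoke-Command -ComputerName $name -Credential $Credential -ErrorAction Stop `
                    -ArgumentList $configServer -ScriptBlock {
                    param($cfg)
                    $svc    = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
                    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
                    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
                    $resolves = $false
                    try { $resolves = ([System.Net.Dns]::GetHostAddresses($cfg).Count -gt 0) } catch { }
                    [pscustomobject]@{
                        WuServiceEnabled     = ($svc.StartMode -ne 'Disabled')   # service present, not disabled
                        # NoAutoUpdate=1 (policy) or AUOptions=1 means automatic updating is turned off.
                        AutoUpdateOff        = ($policy.NoAutoUpdate -eq 1 -or $policy.AUOptions -eq 1 -or $local.AUOptions -eq 1)
                        ResolvesConfigServer = $resolves
                    }
                }
                $r.Remoting             = $true
                $r.WuServiceEnabled     = $remote.WuServiceEnabled
                $r.AutoUpdateOff        = $remote.AutoUpdateOff
                $r.ResolvesConfigServer = $remote.ResolvesConfigServer
            } catch { }
        }
        [pscustomobject]$r
    }
}

# Usage (placeholder names): every column should read True before importing.
# Test-AoSessionMachine -ComputerName 'sm01.resource.example','sm02.resource.example' `
#     -Credential (Get-Credential 'RESOURCE\svc-orchestration') | Format-Table -AutoSize
```

A False in Ping or ForwardDns points at routing or DNS; WinRM False with Ping True means the listener is missing or firewalled (run winrm quickconfig on that machine); Remoting False with WinRM True means the service account is not allowed to connect, which is the credential problem the Accounts and permissions sections describe.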
Task 1: Create a new Delivery Site
A Delivery Site consists of at least two Delivery Controllers. When you create a new Delivery Site, the
Delivery Site wizard prompts you for the following information:
Site name, licensing model, and Citrix product version to install on the machines you want to deploy
as Delivery Controllers. You can select XenApp 6.5 or XenDesktop 7.5 (which includes XenApp
7.5). A Delivery Site with one of these products installed will only work with Session Machines that
are running the same product. For example, if the Controllers in a Delivery Site are running
XenDesktop 7.5, only Session Machines running XenDesktop 7.5 can join the Delivery Site to
deliver hosted applications and desktops.
The servers you want to deploy as Delivery Controllers to the Site, including the resource domain
and datacenter in which they should reside. App Orchestration requires at least two Controllers in a
Delivery Site (a primary Controller and a backup Controller).
The Delivery Site administrator group and Site administrator account for the Delivery Site. The Site
administrator account is a non-privileged user account and must be a member of the Delivery Site
administrator group. This account should not belong to the Domain Admins group. The Delivery Site
administrator group and Site administrator account must exist already in your environment; App
Orchestration does not create them. For more information about Delivery Site administrator
privileges in the shared and tenant resource domains, refer to the document Credentials Used in
App Orchestration 2.5.
The database server, credentials, and names for the Site databases to be created (configuration,
logging, and monitoring). For more information about the privileges required for the Delivery Site
database user, refer to the document Credentials Used in App Orchestration 2.5.
When specifying the database details for the Delivery Site, Citrix recommends using separate
databases for each database type. This enables you to create appropriate backup and recovery
protocols for each database, and prevents outages due to a single point of failure. By default, App
Orchestration creates separate databases for the Site's configuration, logging, and monitoring data. For
example, for a Delivery Site named "Site1," App Orchestration creates the "Site1" configuration
database, the "Site1Logging" logging database, and the "Site1Monitoring" monitoring database.
Additionally, App Orchestration uses the same database server for all three databases by default. You
can accept these defaults or specify different servers and names for each database.
After you complete the wizard, App Orchestration issues workflows that perform the following tasks:
Evaluate the machine configuration of the controllers and create a profile. App Orchestration uses
this profile to evaluate subsequent Delivery Controllers that you add to the Site. If new Delivery
Controllers do not match the profile, App Orchestration does not add them to the Site. Therefore, all
Delivery Controllers you add to a Site must be identically configured, including hardware
configuration, operating system, and software updates.
Create the Delivery Site and join the Delivery Controllers to it.
You can monitor these workflows using the Workflows tab in the App Orchestration web console.
Aggregate an existing Delivery Site
Aggregation is the means by which multiple instances of hosted applications or desktops from different
Delivery Sites are presented to users with a single icon when they access their StoreFront site with
Citrix Receiver. For example, if Microsoft Word is offered on multiple Delivery Sites, users see a single
icon for Microsoft Word when they log on to their StoreFront site.
For more information about resource aggregation, see the topic StoreFront high availability and
multi-site configuration in Citrix eDocs.
For more information about the versions of XenApp and XenDesktop that StoreFront supports for
Delivery Site aggregation, see the topic Infrastructure requirements in Citrix eDocs.
Task 2: Create a Session Machine Catalog
This step consists of the following tasks:
1. From the App Orchestration web console, create a Session Machine catalog.
2. Add the servers you have prepared as the initial Session Machines to the catalog using on-demand
provisioning or external provisioning.
Create a catalog with on-demand provisioning
For information about using on-demand provisioning in your App Orchestration deployment, see the
document Provisioning Session Machines On-demand in App Orchestration 2.5. That guide provides
additional details and step-by-step instructions for provisioning Session Machines on-demand.
Create a catalog for externally-provisioned machines
As with Delivery Sites, you use the App Orchestration web console to complete the Session Machine
Catalog wizard.
If you choose to create a catalog for externally-provisioned machines, the wizard prompts you for the
following information:
Catalog name and OS Type for the Session Machines it will contain.
Type of Delivery Controllers that the machines will work with when hosting offerings for tenants
(XenApp 7.5 and XenDesktop 7.5 or XenApp 6.5). The controller type you specify determines the
Citrix product that App Orchestration requires and validates on the Session Machines you add to
the catalog. For example, if you specify XenDesktop 7.5 as the controller type, App Orchestration
will confirm that the Virtual Delivery Agent is installed on Session Machines that are added to the
catalog.
Number of users allowed to access each machine before it is considered fully loaded. You can also
allow App Orchestration to include CPU and memory in its calculations for determining server load.
Add Session Machines to the catalog
To add Session Machines to a catalog for externally-provisioned machines, you complete a separate
wizard. This wizard prompts you for the name of the Session Machine Catalog, resource domain, and
datacenter in which the Session Machine will reside. You also specify the names of the Session
Machines you want to add to the catalog. App Orchestration requires at least one Session Machine be
added to create offerings, but you can add up to 20 machines at one time. Deploying more than 20
machines places a heavy burden on the App Orchestration configuration server's resources, causing
workflows to time out before the machines can complete the provisioning process.
Important: When you specify the Session Machines you want to add to the catalog, ensure the machines are
not members of an existing machine catalog in an existing Delivery Site that was created outside of App
Orchestration. When App Orchestration adds Session Machines to a catalog, App Orchestration assumes the
machines are free to be allocated to the Delivery Sites you create through the App Orchestration web
console. App Orchestration cannot verify whether the Session Machines you want to add are already
allocated to other XenDesktop deployments. If you create offerings and subscriptions that use resources
hosted on Session Machines that are already allocated to other XenDesktop deployments, users will not be
able to launch sessions on these machines when they attempt to access their subscriptions.
After you complete the Add Session Machines wizard, App Orchestration issues a workflow that
performs the following tasks:
Evaluate the machine configuration of the Session Machine and create a profile. App Orchestration
uses this profile to evaluate subsequent Session Machines that you add to the catalog. If new
Session Machines do not match the profile, App Orchestration does not add them to the catalog.
Therefore, all Session Machines you add to the catalog must be identically configured, including
hardware configuration, operating system, system updates, and installed applications. If you want to
add Session Machines that have, for example, different applications installed, you must add them to
a different catalog.
Add the Session Machine to the catalog.
You can monitor these workflows using the Workflows tab in the web console.
Task 3: Add a StoreFront Server Group
In this step, you use the App Orchestration web console to create a StoreFront Server Group and
specify the servers you want to add to it. A server group consists of at least two StoreFront servers (a
primary server and a backup server). App Orchestration requires at least two StoreFront servers in the
deployment for making offerings available to tenants' users.
As with Delivery Sites and Controllers, you add StoreFront servers to your deployment using a wizard.
The wizard prompts you for the following information:
Server group name, SSL certificate, and load balancer URL. StoreFront requires that each machine
have an SSL certificate installed prior to deployment. For more information about StoreFront
requirements, see “Prepare StoreFront servers” on page 39. When entering the load balancer URL,
check to ensure the URL you enter is correct. Changing the URL later requires you to delete the
entire server group and redeploy it with the new URL.
Names of the StoreFront servers you want to add to the group.
Resource domain and datacenter in which the servers will reside.
After you complete the wizard, App Orchestration issues workflows that perform the following tasks:
Evaluate the machine configuration of the servers and create a profile. App Orchestration uses this
profile to evaluate subsequent StoreFront servers that you add to the group. If new StoreFront
servers do not match the profile, App Orchestration does not add them to the group. Therefore, all
StoreFront servers you add to a server group must be identically configured, including StoreFront
version, operating system, and software updates.
Create the server group and join the StoreFront servers to it.
You can monitor these workflows using the Workflows tab in the web console.
Task 4: Create an offering
This step consists of making applications and desktops (hosted on the Session Machines) available for
subscription by tenants.
To create offerings, you use the App Orchestration web console to specify the applications and
desktops you want to include and the isolation level at which you want to provide the offering to
tenants. The isolation level you select depends on whether you want to create an offering that uses
shared machines or machines that are dedicated to an individual tenant. For more information about
these isolation levels, see the document Isolation Methods in App Orchestration 2.5.
Deliver service offerings to tenants
Accounts and permissions
To add a tenant, you will need a user domain and a resource domain in Active Directory, both of which
must be added to App Orchestration through the web console. The user domain and resource domain
can be the same domain. You can use the shared resource domain as both the user domain and
resource domain.
In the user domain, you must have credentials of a user who can resolve other user accounts within
that domain.
In the resource domain, you must have credentials of a user who can move machines between
Active Directory OUs within that domain.
Prerequisites
Before adding tenants, make sure you know:
The user and resource domain details.
The StoreFront and NetScaler Gateway isolation modes you want to use for that tenant.
The NetScaler Gateway address, if the tenant will be using a private NetScaler Gateway.
The name of the tenant’s private management network, if the tenant will be using network isolation.
This must match the name configured in your compute resource that will be used for machines
provisioned for that tenant.
After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions.
After you’ve preallocated capacity, you can create subscriptions. To do this, you should know:
The offerings to which users want to subscribe.
The tenant to whom those users belong.
The Active Directory group in their user domain that contains the users who want to subscribe to
that offering. This can be the Location Group or a Subscription Group.
If you haven’t preallocated capacity, App Orchestration will create capacity of one machine on-demand.
Personas
Three personas are involved in the Deliver phase of App Orchestration: the Service Designer, the
Tenant Administrator, and the Subscribers. In your organization, the Service Designer and Tenant
Administrator functions may be performed by two different people, or by one person who does both
jobs.
The Service Designer performs the following tasks:
Onboards tenants by creating their OUs in Active Directory, their users, and user groups.
Sets up billing and chargeback for that tenant.
Adds the tenant into App Orchestration.
Asks the Tenant Administrator for the anticipated number of users, and based on that answer
preallocates capacity for the tenant to access offerings.
Informs the Tenant Administrator of the StoreFront address that the end users will need in order to
connect to and access their offerings.
The Tenant Administrator performs the following tasks:
Informs the Service Designer upfront how many users are expected to access each offering.
Subscribes end users to individual offerings.
Directs end users to the tenant’s StoreFront address, either directly or through configuration of
clients.
The Subscriber accesses offerings using Citrix Receiver.
Pitfalls to avoid
Follow these simple guidelines to avoid common pitfalls in the Deliver phase:
App Orchestration defaults to using the tenant’s name as the isolated network name. Ensure that
you have a network with this name in your virtualization infrastructure, or change the name in App
Orchestration when adding the tenant.
Also ensure that you use the correct isolation modes for StoreFront and NetScaler Gateway when
adding a tenant. If necessary, you can change these settings later by editing the tenant.
After you create subscriptions or adjust capacity, you should monitor the status of those changes by
watching the Workflows tab or the Dashboard Notifications.
You can adjust capacity as needed, but remember that App Orchestration must execute workflows
to reconfigure the system to comply with that desired state. If there are not enough StoreFront
Server Groups or Delivery Sites or available Session Machines, a notification on the Dashboard will
explain how to correct the problem.
Task 1: Add a tenant and users
This step consists of adding tenants to the App Orchestration system and specifying the user groups
that will be accessing offerings through StoreFront.
To add tenants, you use the App Orchestration web console to specify the tenant's resource and user
domains, the default datacenter through which users will access offerings, the isolation level of the
tenant's StoreFront site, and whether the tenant accesses a shared or private NetScaler Gateway (if
NetScaler Gateway is enabled for the deployment). For more information about StoreFront isolation
levels, see the document Isolation Methods in App Orchestration 2.5.
To ensure the machines that are dedicated to tenants' exclusive use are adequately isolated, Citrix
recommends using a private Active Directory forest for each tenant, a private management network,
and offerings that employ Private Delivery Site isolation. This helps ensure that a tenant's resources
are isolated from other tenants and other tenants' users.
Security considerations
As a security consideration when adding tenants, include user groups that contain only domain users.
Users who belong to the Domain Admins group should not be added to these groups. This ensures that
a tenant's users can access only the Session Machines in the resource management network (either
shared or private). Additionally, keep the following considerations in mind:
Do not grant tenant users or administrators Domain Admin permissions in any Active Directory
domain included in the deployment.
If administrator permissions are granted to a tenant, ensure the tenant has local machine
administrator privileges only for privately allocated Session Machines. Tenants should not have
administrator privileges on any other server or component in the deployment.
Ensure that tenants do not have permissions to access any compute resources in the deployment.
Ensure that tenants do not have permissions to log on to or administer shared components such as
NetScaler Gateway appliances or StoreFront servers.
Task 2: Adjust capacity
Capacity refers to the number of Session Machines allocated to offerings and the tenants who access
them. By default, App Orchestration creates an initial capacity of one machine.
After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions. You
can adjust the capacity as needed to host more or fewer offerings or users.
In the App Orchestration web console, go to the Dashboard and click the pencil to the right of Capacity
Allocation.
Select the offering and specify the desired capacity. App Orchestration estimates the number of users
that can fit per machine based on the load balancing settings, or whether the machines are single user.
When you are deciding how many machines to preallocate, you should consider whether the Session
Machine Catalog uses statically allocated or pooled machines.
For statically allocated machines, you should preallocate the number of machines necessary to
support all of the users who will be using the offering.
For pooled machines, you only need to preallocate the number of machines necessary to support
concurrent users of the offering.
Task 3: Subscribe the tenant to an offering
This step consists of creating a subscription for a tenant so that the tenant's users can access a
specific offering through StoreFront.
To create a subscription, you use the App Orchestration web console to specify the offering, tenant,
and user groups to include. The process of subscribing a tenant to an offering involves creating a
Delivery Group according to the isolation level defined for the offering. This Delivery Group restricts
access to the offering, ensuring only the specified users can access the offering through StoreFront.
Important: When subscribing users to offerings, ensure the users are members of domain global user
groups. This ensures that only users in the tenant’s user domain are authorized to access the tenant’s
offerings. Using domain local or universal user groups for subscriptions could allow users external to the
tenant’s user domain to be members of these groups and allow these users to access the tenant’s offerings.
For more information about Delivery Group isolation levels, see the document Isolation Methods in App
Orchestration 2.5.
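The two checks above (subscription groups must be domain global groups, and tenant user groups must not contain Domain Admins, as stated under "Security considerations" in Task 1) can be scripted before each subscription is created. The following script is an added example and is not part of the Citrix guide or product; it assumes the ActiveDirectory RSAT module is installed on the machine where you run it and that the account running it can read group membership in the tenant's user domain. The group names and the domain name are hypothetical sample values.

```powershell
# Added example (not Citrix code): audit an AD group before using it in a subscription.
# Checks: (1) the group is a domain Global group, (2) every nested member is a user,
# (3) no member is also a Domain Admin of the user domain (compared by SID).
# Requires the ActiveDirectory module; names below are hypothetical.

Import-Module ActiveDirectory

function Test-SubscriptionGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $UserDomain   # e.g. tenant1.example.com (hypothetical)
    )

    $findings = New-Object System.Collections.Generic.List[string]

    $group = Get-ADGroup -Identity $GroupName -Server $UserDomain -Properties GroupScope
    if ($group.GroupScope -ne 'Global') {
        $findings.Add("scope is $($group.GroupScope); a Global group keeps membership inside $UserDomain")
    }

    # Expand nested membership once; subscriptions should contain user objects only.
    $members = @(Get-ADGroupMember -Identity $group -Server $UserDomain -Recursive)
    foreach ($m in ($members | Where-Object { $_.objectClass -ne 'user' })) {
        $findings.Add("non-user member $($m.SamAccountName) ($($m.objectClass))")
    }

    # Domain Admins of the user domain, also expanded, compared by SID so that
    # renamed accounts are still caught.
    $domainAdminSids = @(Get-ADGroupMember -Identity 'Domain Admins' -Server $UserDomain -Recursive |
        ForEach-Object { $_.SID.Value })
    foreach ($m in $members) {
        if ($domainAdminSids -contains $m.SID.Value) {
            $findings.Add("member $($m.SamAccountName) is a Domain Admin in $UserDomain")
        }
    }

    [pscustomobject]@{
        Group    = $group.SamAccountName
        Scope    = $group.GroupScope
        Members  = $members.Count
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage with hypothetical names: review each result before creating the subscription.
'Tenant1-Office-Users', 'Tenant1-Desktop-Users' |
    ForEach-Object { Test-SubscriptionGroup -GroupName $_ -UserDomain 'tenant1.example.com' } |
    Format-List
```

The guide asks that tenant users hold no Domain Admin rights in any domain of the deployment, so when a tenant's user domain trusts other domains, run the same check with `-UserDomain` set to each of them.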
Task 4: Optional: Deploy tenant self-service features
After you deploy App Orchestration, you can choose to integrate with CloudPortal Services Manager
11.0.1. This deployment option enables you to make App Orchestration offerings available for self-
service consumption through the Services Manager web-based control panel. Tenants can self-
administer the offerings to which they have subscribed and their users can request access to
subscribed offerings as needed.
To enable Services Manager to communicate with your App Orchestration deployment, you perform the
following tasks:
1. Download CloudPortal Services Manager 11.0.1 from the Citrix web site.
2. Install the Hosted Apps and Desktops web service on the App Orchestration configuration server.
3. Configure the Hosted Apps and Desktops service through the Services Manager control panel.
You can then use the control panel to manage offerings and provision the service to tenants. To enable
tenants’ users to self-subscribe to offerings, configure Workflow Approval for the tenant.
When you enable this integration, the App Orchestration and Services Manager web consoles assume
specific roles with regard to the administration tasks you perform in your deployment. You use the
Services Manager control panel to manage tenant onboarding and subscribing users to offerings. You
use the App Orchestration web console to create new offerings, add capacity to existing offerings, and
manage the Delivery Sites, Session Machines, and StoreFront servers in your deployment.
Appendix: Setup Checklist
This checklist is a convenient tool to help you plan and document your App Orchestration deployment.
Use this checklist along with the rest of the information in this guide to ensure all required preparation
tasks are performed.
This checklist helps you prepare the following components:
1 domain controller with a minimum domain functional level of Windows Server 2008 R2
1 database server running a supported version of Microsoft SQL Server
1 Citrix License Server
1 NetScaler Gateway
1 server, for the App Orchestration configuration server
1 server, for the Session Machine that will host applications and desktops for users
2 servers, for the Delivery Controllers that make up one Delivery Site
2 servers, for the StoreFront servers that make up one StoreFront server group
Use the Notes column to record the details of your preparation activities. You will need to supply this
information when you configure App Orchestration’s global settings.
Shared resource domain
Complete the tasks in this section before you install App Orchestration. You will need to supply the
information below when you configure App Orchestration’s global settings. For more information about
the tasks in this section, see “Prepare your Active Directory domains” on page 20.
Completed ()
Task Notes
Create a domain to be used as the shared
resource domain.
Minimum domain functional level: Windows
Server 2008 R2.
Domain name:
Create a Group Policy object that will be
associated with all machines in the shared
resource domain and configure the following
settings:
Set the PowerShell execution policy to
AllSigned.
Configure PowerShell remoting.
Allow WinRM traffic through Windows
Firewall.
Allow WinRM remote server management
for all servers.
Allow WinRM clients to trust all servers.
Set Windows Remote Shell maximum
memory to 1 GB or more.
Allow unlimited number of remote shells
per user.
For detailed instructions, refer to the section
“Configure the App Orchestration Group
Policy” on page 23.
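After the Group Policy object has been linked and `gpupdate` has run, you can confirm on any machine in the shared resource domain that each setting in the row above actually took effect. The script below is an added example, not part of the Citrix guide or product. It runs locally in an elevated PowerShell session and assumes Windows Server 2012 or later for the `Get-NetFirewallRule` cmdlet. The thresholds are the ones the checklist states (AllSigned, 1 GB of shell memory); treating the int32 maximum as "unlimited remote shells per user" is this example's assumption, so compare the reported value with what your GPO sets. The function name is the example's own.

```powershell
# Added example (not Citrix code): report whether the App Orchestration GPO
# settings are in effect on this machine. Run elevated after gpupdate /force.

function Get-AoGroupPolicyCompliance {
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Actual) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Actual = $Actual })
    }

    # 1. Execution policy delivered by GPO (MachinePolicy scope overrides local scopes).
    $machinePolicy = (Get-ExecutionPolicy -List | Where-Object { $_.Scope -eq 'MachinePolicy' }).ExecutionPolicy
    Add-Check 'Execution policy (MachinePolicy) is AllSigned' ($machinePolicy -eq 'AllSigned') "$machinePolicy"

    # 2. PowerShell remoting: WinRM service running and the local listener answers.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    Add-Check 'WinRM service running' ($winrm.Status -eq 'Running') "$($winrm.Status)"
    $wsman = $null
    try { $wsman = Test-WSMan -ErrorAction Stop } catch { }
    Add-Check 'WSMan listener answers' ($null -ne $wsman) $(if ($wsman) { $wsman.ProductVersion } else { 'no response' })

    # 3. Windows Firewall: the built-in inbound WinRM rule group is enabled.
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -ErrorAction SilentlyContinue)
    $fwEnabled = @($fwRules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count -gt 0
    Add-Check 'WinRM inbound firewall rule enabled' $fwEnabled "$($fwRules.Count) rule(s)"

    # 4. "Allow WinRM clients to trust all servers" maps to TrustedHosts = *.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    Add-Check 'WinRM client TrustedHosts is *' ($trusted -eq '*') "'$trusted'"

    # 5. Windows Remote Shell limits from the checklist.
    $maxMem = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    Add-Check 'MaxMemoryPerShellMB >= 1024' ($maxMem -ge 1024) "$maxMem MB"
    $maxShells = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    # Assumption of this example: the int32 maximum is what "unlimited" looks like here.
    Add-Check 'MaxShellsPerUser unlimited (int32 max)' ($maxShells -ge 2147483647) "$maxShells"

    $checks
}

$result = Get-AoGroupPolicyCompliance
$result | Format-Table -AutoSize
if (@($result | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'This machine does not meet the App Orchestration Group Policy baseline.'
}
```

Note that `TrustedHosts = *` disables WinRM's server-identity check for non-Kerberos authentication; it is what the checklist asks for, so restrict the GPO's scope to the machines App Orchestration manages rather than linking it at the domain root.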
Create an Active Directory security group that
you designate as the orchestration service
group (for example,
MyDomain\OrchestrationAdmins).
Group name:
Create an organizational unit as the root OU
for App Orchestration.
App Orchestration will have permission in this
OU to create, move, and remove objects.
Root OU name:
Create an orchestration service account with
the following permissions:
Read and Write permissions on the App
Orchestration root OU
Permission to use PowerShell remoting to
access all servers in the shared resource
domain
Add the account to the orchestration
service group
Important: For security reasons, do not add
this account to the Domain Admins group.
User name:
Password:
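The service account row can be verified rather than taken on trust: membership in the orchestration service group, absence from Domain Admins (including through nested groups), and Read and Write rights on the root OU are all readable from Active Directory. The script below is an added example and is not Citrix code; it assumes the ActiveDirectory module (which also provides the `AD:` drive) and that you run it as an account able to read the OU's security descriptor. The account, group and OU names are hypothetical placeholders. PowerShell remoting access is not covered here because it has to be tested from a remote host.

```powershell
# Added example (not Citrix code): validate the orchestration service account against
# the checklist: in the service group, not a Domain Admin, Read+Write on the root OU.
# Requires the ActiveDirectory module; all names are hypothetical.

Import-Module ActiveDirectory

function ConvertTo-SidString([System.Security.Principal.IdentityReference] $Identity) {
    # NTAccount or SecurityIdentifier -> SID string; $null if the name cannot be resolved.
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Test-OrchestrationServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. svc-orchestration
        [Parameter(Mandatory)] [string] $ServiceGroup,     # e.g. OrchestrationAdmins
        [Parameter(Mandatory)] [string] $RootOuDn          # e.g. OU=AppOrchestration,DC=shared,DC=example,DC=com
    )
    $user = Get-ADUser -Identity $SamAccountName
    $findings = New-Object System.Collections.Generic.List[string]

    # Membership by SID; -Recursive expands nested groups.
    $inServiceGroup = Get-ADGroupMember -Identity $ServiceGroup -Recursive |
        Where-Object { $_.SID.Value -eq $user.SID.Value }
    if (-not $inServiceGroup) { $findings.Add("not a member of $ServiceGroup") }

    $isDomainAdmin = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SID.Value -eq $user.SID.Value }
    if ($isDomainAdmin) { $findings.Add('is a member of Domain Admins (directly or nested); remove it') }

    # Rights on the root OU: Allow ACEs granted to the account or to its direct groups.
    # GenericAll implies both Read and Write.
    $principalSids = @($user.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value })
    $acl = Get-Acl -Path "AD:\$RootOuDn"
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($principalSids -contains (ConvertTo-SidString $_.IdentityReference))
    })
    $rights = ($aces | ForEach-Object { "$($_.ActiveDirectoryRights)" }) -join ','
    if ($rights -notmatch 'GenericAll|GenericRead')  { $findings.Add("no Read right on $RootOuDn") }
    if ($rights -notmatch 'GenericAll|GenericWrite') { $findings.Add("no Write right on $RootOuDn") }

    [pscustomobject]@{
        Account  = $user.SamAccountName
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
        OuRights = $rights
    }
}

Test-OrchestrationServiceAccount -SamAccountName 'svc-orchestration' `
    -ServiceGroup 'OrchestrationAdmins' `
    -RootOuDn 'OU=AppOrchestration,DC=shared,DC=example,DC=com' | Format-List
```

`Get-ADPrincipalGroupMembership` returns only direct group memberships, so rights granted through a group nested inside one of those groups show up as a finding; inspect `OuRights` by hand in that case.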
Default user domain
The default user domain is where App Orchestration service accounts reside. You can create a
separate domain or you can designate the shared resource domain for this purpose when you
configure App Orchestration’s global settings.
Completed ()
Task Notes
Create a domain to be used as the default user
domain.
This domain must have a minimum domain
functional level of Windows Server 2003.
Domain name:
Create a user account in the user domain.
Important: For security reasons, do not add
this account to the Domain Admins group.
User name:
Password:
Citrix product media folder
The Citrix product media folder contains the software for App Orchestration and other components that
are required to provision Delivery Sites, Session Machines, and StoreFront servers. This folder can be
local to all machines (recommended), or on a portable drive, a network share of any kind, or any other
location that is visible to all of your machines. Citrix recommends that you protect this folder with
appropriate access controls, to prevent unauthorized access that might result in file corruption or the
introduction of malware.
Completed ()
Task Notes
Download App Orchestration 2.5 from the
Citrix web site.
Choose one of the following locations:
Citrix Cloud Provider Pack for
XenApp
Citrix Cloud Provider Pack for
XenDesktop
Run the downloaded executable
(App_Orchestration_2.5.exe) to extract the
image contents into a folder of your choice (for
example, AO25), with the following layout:
In the /Setup/ProductMedia folder, create the
following structure:
CitrixStoreFront folder: Copy the entire
contents of the StoreFront 2.5.2 installation
media to this folder.
StoreFront download page
XenDesktop folder: Copy the entire contents
of the XenApp 7.5 and XenDesktop 7.5
Platinum Edition installation media to this
folder.
Choose one of the following locations:
XenApp download page
XenDesktop download page
XenApp folder: Copy the entire contents of
the XenApp 6.5 installation media to this
folder.
XenApp 6.5 download page
XenApp/XenAppHRP folder: Copy the entire
contents of the Hotfix Rollup Pack 4 to this
folder.
Database Server
The database server hosts the App Orchestration configuration database. For more information about
supported databases, refer to the “Prepare the database server” section on page 28.
Completed ()
Task Notes
Prepare a server and install Microsoft SQL
Server 2008 R2 (minimum):
Join the server to the shared resource
domain.
Use Windows authentication.
Ensure SQL Server Browser and the SQL
Server instance services are enabled and
set to start automatically
Enable remote TCP connections.
Allow SQL traffic to traverse Windows
Firewall.
Optionally, you can prepare another SQL
Server for mirroring to increase availability. For
more information, refer to the document
Configuring Database Mirroring in App
Orchestration 2.5.
Primary database server name:
Secondary database server name
(optional):
Create a SQL database administrator account.
This account must be a Windows account,
using Windows authentication. The account
you use to install App Orchestration must have
permission to create databases.
User name:
Password:
Citrix License Server
Completed ()
Task Notes
Prepare a server and install Citrix Licensing
11.11.1 according to product instructions.
License server name:
Install XenApp or XenDesktop Platinum
licenses.
NetScaler Gateway
To secure access to your App Orchestration deployment, NetScaler Gateway enables you to configure
policy and action controls while allowing tenants’ users to access the apps and desktops they need. For
more information about integrating NetScaler Gateway with App Orchestration, refer to the document
Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App
Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler
Gateway for App Orchestration 2.5.
Completed ()
Task Notes
Install and configure NetScaler Gateway
according to product instructions.
Gateway address:
App Orchestration configuration server
Completed ()
Task Notes
Prepare one or more servers to be used as the
App Orchestration configuration server(s).
For system requirements, refer to the section
“Prepare the App Orchestration configuration
server” on page 31.
Note: If you deploy multiple configuration
servers, enter only the server’s FQDN when
prompted. If you use the server’s IP address or
NetBIOS name instead, App Orchestration
displays an error message indicating the server
cannot be contacted.
Primary server FQDN:
Backup server FQDN (optional):
Join the server(s) to the shared resource
domain.
Install a valid SSL certificate, signed by a
trusted Certificate Authority, in the local
computer’s certificate store.
For proof-of-concept deployments, you can
use a wildcard certificate.
For more information about using SSL with
App Orchestration, see the document
Configuring SSL for App Orchestration 2.5.
Friendly name:
Delivery Controllers
Completed ()
Task Notes
Prepare two or more servers to be used as the
Delivery Controllers.
For system requirements, refer to the section
“Prepare Delivery Controllers and Session
Machines” on page 35.
Primary Controller name:
Backup Controller name:
Run the App Orchestration Install Center to
install the appropriate Citrix software on the
servers:
For Delivery Sites running XenApp 7.5 and
XenDesktop 7.5, select XenApp and
XenDesktop 7.5 Delivery Controller (and
App Orchestration Agent)
For farms running XenApp 6.5, select
XenApp 6.5 Controller (and App
Orchestration Agent)
For more information, see “Install App
Orchestration” on page 43.
Join the servers to the shared resource
domain.
Session Machines
On-demand catalogs (on-demand provisioning enabled)
For more information about preparing your environment for and enabling on-demand provisioning, refer
to the document Provisioning Session Machines On-demand in App Orchestration 2.5.
Completed ()
Task Notes
Prepare a compute resource (host and
management machines) according to the
product documentation and the needs of your
organization.
When you create an on-demand catalog in
App Orchestration, you must specify the
following details about the compute resource:
Whether the compute resource is running
XenServer, ESX, or Hyper-V (resource
type).
A friendly name by which you can identify
the compute resource.
The location (URL or IP address) of the
compute resource.
Credentials for the compute resource.
Resource type:
Friendly name:
Address:
User name:
Password:
Using the management console for the
compute resource, create and set up a VM to
use as a template for other Session Machines
that are added to the catalog.
Setting up a VM might include:
Installing the guest operating system
and applicable service packs or
updates.
Verifying virtual devices such as hard
disks are configured correctly.
Installing integration tools required to
optimize interaction with the host
machine.
Installing third-party tools such as
antivirus software.
Installing applications you want to
include in offerings.
Installing the required Citrix software
using the App Orchestration Install
Center. For more information, see
“Install App Orchestration” on page 43.
VM name:
Join the VM to the domain for which you want
newly-created Session Machines to be
members.
The domain to which you join the VM must
have a Group Policy defined that allows
PowerShell remoting and sets the execution
policy. For more information, refer to the
section “Configure the App Orchestration
Group Policy” on page 23.
The VM must be a member of either the
shared resource domain or a domain that has
a two-way trust with the shared resource
domain. Ensure that the orchestration service
administrator account (defined in App
Orchestration’s global settings) has the ability
to use PowerShell remoting to connect to the
VM and install software.
On the VM, in Advanced TCP/IP Settings,
configure the following settings for the VM’s
network connection:
In DNS suffix for this connection, enter
the shared resource domain name.
Select Use this connection’s DNS suffix
in DNS registration.
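Before you use the VM as a template, the three rows above (domain membership and trust, PowerShell remoting for the orchestration service account, and the connection-specific DNS suffix) can be checked in one pass from the configuration server. The script below is an added example and is not Citrix code. It assumes Windows Server 2012 or later on the VM (for `Get-DnsClient`), Kerberos authentication to the VM, and that you supply the orchestration service account's credentials when prompted; the VM name, domain name and function name are hypothetical.

```powershell
# Added example (not Citrix code): from the configuration server, confirm a template VM
# is domain-joined, reachable over PowerShell remoting as the service account, received an
# execution policy from Group Policy, and carries the shared resource domain as its
# connection-specific DNS suffix with "use this connection's DNS suffix in DNS registration" on.

function Test-SessionMachineTemplate {
    param(
        [Parameter(Mandatory)] [string] $VmName,                # e.g. ao-template-01 (hypothetical)
        [Parameter(Mandatory)] [string] $SharedResourceDomain,  # e.g. shared.example.com (hypothetical)
        [Parameter(Mandatory)] [pscredential] $ServiceAccount   # orchestration service account
    )
    # Kerberos only: the VM must be in the shared resource domain or a domain that trusts it,
    # so an authentication failure here points at a trust or SPN problem rather than a password.
    $remote = Invoke-Command -ComputerName $VmName -Credential $ServiceAccount -Authentication Kerberos `
        -ArgumentList $SharedResourceDomain -ScriptBlock {
        param($ExpectedSuffix)
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
        $dns = @(Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix -eq $ExpectedSuffix })
        [pscustomobject]@{
            Domain           = $cs.Domain
            PartOfDomain     = $cs.PartOfDomain
            MachinePolicy    = "$(Get-ExecutionPolicy -Scope MachinePolicy)"
            SuffixInterfaces = @($dns | ForEach-Object { $_.InterfaceAlias })
            RegistersSuffix  = (@($dns | Where-Object { $_.UseSuffixWhenRegistering }).Count -gt 0)
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $remote.PartOfDomain) { $findings.Add('VM is not domain-joined') }
    if ($remote.MachinePolicy -eq 'Undefined') { $findings.Add('no execution policy from Group Policy; check GPO scope') }
    if ($remote.SuffixInterfaces.Count -eq 0) {
        $findings.Add("no connection carries DNS suffix $SharedResourceDomain")
    } elseif (-not $remote.RegistersSuffix) {
        $findings.Add("'Use this connection's DNS suffix in DNS registration' is not selected")
    }

    [pscustomobject]@{
        VM       = $VmName
        Domain   = $remote.Domain
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
        Details  = $remote
    }
}

$cred = Get-Credential -Message 'Orchestration service account (DOMAIN\user)'
Test-SessionMachineTemplate -VmName 'ao-template-01' -SharedResourceDomain 'shared.example.com' -ServiceAccount $cred |
    Format-List
```

If `Invoke-Command` itself fails, the remaining rows cannot be evaluated; the usual causes are the VM missing the Group Policy from the previous row, or the VM sitting in a domain with only a one-way trust to the shared resource domain.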
Catalogs for externally-provisioned machines
Completed ()
Task Notes
Prepare one or more machines to be used as
Session Machines.
All machines to be added to the catalog must
meet the following requirements:
Have the same hardware configuration and
all installed software (including operating
system, installed updates, and
applications).
Capable of running XenApp 6.5 or
XenDesktop 7.5 VDA software, according
to the product’s system requirements
Machine #1 name:
Machine #2 name:
Machine #3 name:
Machine #4 name:
Join the machines to the appropriate resource
domain.
If the machines will be shared among multiple
tenants, join them to the shared resource
domain. If the machines will be allocated to a
specific tenant, join them to the tenant’s private
resource domain.
Resource domain name:
StoreFront servers
Completed ()
Task Notes
Prepare two or more servers to be used as the
StoreFront Server Group.
For system requirements, refer to “Prepare
StoreFront servers” on page 39.
Primary StoreFront server name:
Backup StoreFront server name:
Run the App Orchestration Install Center to
install the StoreFront 2.5 software.
For more information, see “Install App
Orchestration” on page 43.
Join the servers to the shared resource
domain.
Install a valid SSL certificate, signed by a
trusted Certificate Authority, in the local
computer’s certificate store.
For proof-of-concept deployments, you can
use a wildcard certificate. The certificate must
have the same Friendly Name on all
computers.
Friendly name:
Install and configure a load balancer for the
StoreFront Server Group.
For more information about configuring load
balancing with StoreFront, refer to the
document Configuring NetScaler 10.1 Load
Balancing with StoreFront 2.5.2 and NetScaler
Gateway for App Orchestration 2.5 or
Configuring NetScaler 10.5 Load Balancing
with StoreFront 2.5.2 and NetScaler Gateway
for App Orchestration 2.5.
Load Balancer URL:
App Orchestration global settings
After installing the App Orchestration configuration server, you configure the global settings using the
App Orchestration web console. During this process, you must specify the default datacenter for the
deployment and the external DNS suffix. You must also decide whether or not to enable network
isolation in your deployment.
In App Orchestration, datacenters are used for providing hosted apps and desktops to tenants in
distributed geographic locations and for failover. App Orchestration requires at least one datacenter in
the deployment. For more information about datacenters, refer to the document Deploying a Multi-
Datacenter Environment in App Orchestration 2.5.
In general, network isolation should be enabled if you intend to provide offerings exclusively to specific
tenants. For more information about network isolation, refer to the document Isolation Methods in App
Orchestration 2.5.
Completed ()
Task Notes
Specify the name of the primary datacenter. Name:
Specify the external DNS suffix.
The external DNS suffix is the top-level domain
of your external-facing DNS server. This
influences the defaults for connection routing,
but can be overridden, if necessary.
Example: For a datacenter named
ag.us.mycompany.com, the suffix
“mycompany.com” results in the default routing
for user connections to a datacenter named
“us.”
Suffix:
Enable network isolation?
If you intend to enable network isolation, you
must create and label at least three virtual
networks on your compute resources. These
networks must exist before you configure the
global settings.
For instructions for creating and labeling these
networks, refer to the product documentation
for your server virtualization solution.
Important: The labels for the virtual networks
are case-sensitive. When entering the network
labels in App Orchestration, ensure they match
exactly the labels configured on your compute
resources.
Yes / No
Shared Controller Management Network
label:
Shared Delivery Group Management
Network label:
Private Management Network label:
First tenant
Completed ()
Task Notes
Specify the tenant name. Tenant Name:
Create at least one location group for the
tenant in the user domain. Each user group
can be a member of only one location group.
Location groups connect users with certain
datacenters, enabling users to access
applications and desktops based on
datacenter affinity.
User domain name:
OU Name:
Create user groups for the tenant in the user
domain.
These user groups will be used later for
creating subscriptions, so they should organize
users by the sets of apps and desktops that
you intend to deliver to those users.
User Group #1:
User Group #2:
User Group #3:
User Group #4:
Create user accounts for the tenant’s users
and add them to the appropriate user groups.
Recommended