Getting Started with Citrix App Orchestration 2.5

App Orchestration 2.5

Last Updated: August 8, 2014

© 2014 Citrix Systems, Inc. All rights reserved.



Contents

Welcome to App Orchestration 2.5 ... 8
    What's New in This Release ... 8
    Documentation and support for App Orchestration ... 8
App Orchestration components ... 12
    Configuration server ... 12
        What is it? ... 12
        What does it do? ... 12
        How many do I need? ... 13
    Domain agent ... 13
        What is it? ... 13
        What does it do? ... 13
        How many do I need? ... 13
    Delivery Sites and Delivery Controllers ... 13
        What are they? ... 13
        What do they do? ... 14
        How many do I need? ... 14
        Additional information ... 14
    Session Machines, Catalogs, and Delivery Groups ... 14
        What are they? ... 14
        What is a catalog? ... 14
        How many do I need? ... 15
        Additional information ... 15
    StoreFront ... 15
        What is it? ... 15
        How many do I need? ... 16
    Compute resources ... 16
App Orchestration deployment overview ... 17
Prepare to deploy App Orchestration 2.5 ... 18
    How many machines do I need? ... 18
    Network preparation task overview ... 19
    Machine preparation task overview ... 20
    Prepare your Active Directory domains ... 20
        Task 1: Prepare required domains ... 21
        Task 2: Prepare required organizational units ... 21
        Task 3: Prepare tenant domains and user groups ... 22
    Configure the App Orchestration Group Policy ... 23
        Task 1: Set the PowerShell execution policy ... 24
        Task 2: Configure PowerShell remoting ... 24
        Task 3: To enable remote administration with WMI ... 26
    Create administrator accounts ... 26
    Set up Citrix Licensing ... 27
    Set up compute resources ... 27
    Set up NetScaler Gateway ... 28
        LDAP authentication for NetScaler Gateway ... 28
    Prepare the database server ... 28
        Supported database servers ... 29
        Support for database mirroring ... 29
        System requirements ... 29
        Task 1: Create a firewall exception ... 30
    Prepare the App Orchestration configuration server ... 31
        System requirements ... 32
        Sequence of preparation tasks for Windows Server 2008 R2 SP1 ... 33
        Client OS and browser support for the management console ... 33
    Prepare Delivery Controllers and Session Machines ... 35
        Supported platforms ... 35
        System requirements ... 35
        Support for aggregating existing Delivery Sites ... 37
        Considerations for Delivery Controllers in cross-forest private Delivery Sites ... 38
        Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5 ... 38
        Task 2: Configure SSL on Delivery Sites and Session Machines ... 38
    Prepare StoreFront servers ... 39
        System requirements ... 39
        Server group requirements ... 40
    Security Considerations for App Orchestration 2.5 ... 40
        SSL recommendations ... 41
        Restrict PowerShell remoting sessions ... 41
        SMB security signatures ... 41
        Machine hardening techniques ... 41
        Restrict access for tenant user accounts ... 42
        XenApp Session Machine isolation ... 42
        Session Machine Catalog upgrades ... 43
Install App Orchestration ... 43
    Overview ... 43
        Accounts and Permissions ... 43
        Prerequisites ... 43
        Personas ... 44
        Pitfalls to avoid ... 44
    Task 1: Download the product media ... 45
        Download App Orchestration ... 45
        Build out the product media folder ... 45
    Task 2: Install App Orchestration components ... 46
Configure App Orchestration ... 49
    Accounts and permissions ... 49
    Prerequisites ... 49
    Personas ... 49
    Pitfalls to avoid ... 49
    Task 1: Configure the App Orchestration configuration server ... 49
    Task 2: Configure global settings ... 50
Define App Orchestration infrastructure ... 51
    Accounts and permissions ... 51
    Prerequisites ... 51
    Personas ... 52
    Pitfalls to avoid ... 52
    Task overview ... 53
Design service offerings for tenants ... 53
    Accounts and permissions ... 53
    Prerequisites for Session Machine Catalogs using on-demand provisioning ... 54
    Prerequisites for Session Machine Catalogs using external provisioning ... 54
    Prerequisites for offerings ... 54
    Prerequisites for Delivery Sites ... 55
    Prerequisites for StoreFront ... 55
    Personas ... 55
    Pitfalls to avoid ... 56
    Task 1: Create a new Delivery Site ... 56
        Aggregate an existing Delivery Site ... 57
    Task 2: Create a Session Machine Catalog ... 58
        Create a catalog with on-demand provisioning ... 58
        Create a catalog for externally-provisioned machines ... 58
        Add Session Machines to the catalog ... 58
    Task 3: Add a StoreFront Server Group ... 59
    Task 4: Create an offering ... 60
Deliver service offerings to tenants ... 60
    Accounts and permissions ... 60
    Prerequisites ... 60
    Personas ... 61
    Pitfalls to avoid ... 61
    Task 1: Add a tenant and users ... 62
        Security considerations ... 62
    Task 2: Adjust capacity ... 62
    Task 3: Subscribe the tenant to an offering ... 63
    Task 4: Optional: Deploy tenant self-service features ... 63
Appendix: Setup Checklist ... 65
    Shared resource domain ... 66
    Default user domain ... 67
    Citrix product media folder ... 68
    Database Server ... 70
    Citrix License Server ... 71
    NetScaler Gateway ... 71
    App Orchestration configuration server ... 72
    Delivery Controllers ... 73
    Session Machines ... 74
        On-demand catalogs (on-demand provisioning enabled) ... 74
        Catalogs for externally-provisioned machines ... 77
    StoreFront servers ... 78
    App Orchestration global settings ... 79
    First tenant ... 81


Copyright and Trademarks

Use of the product documented herein is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included with your installation media.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 2014 Citrix Systems, Inc. All rights reserved.

The following are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries: Citrix®, Citrix Access Gateway™, Citrix App Orchestration™, Citrix Receiver™, Citrix XenApp™, CloudPlatform™, CloudPortal™, ICA®, NetScaler®, NetScaler App Delivery Controller™, NetScaler Gateway™, XenApp®, XenDesktop™, XenServer™

All other trademarks and registered trademarks are the property of their respective owners.


Welcome to App Orchestration 2.5

Thank you for choosing App Orchestration. This document includes information and instructions to help you learn more about planning your App Orchestration deployment, prepare core components, and perform tasks such as creating offerings and subscribing tenants to those offerings.

What's New in This Release

Support for XenApp 7.5 and XenDesktop 7.5: App Orchestration deploys and manages apps and desktops using XenApp 7.5 and XenDesktop 7.5 Sites in addition to XenApp 6.5 farms.

Zero Trust Agent: This domain agent enables management traffic to traverse NATs, easing the connectivity requirements between the configuration server and orchestrated Controllers. Additionally, domain trusts are no longer required between the target orchestrated domain and the App Orchestration domain.

On-demand Provisioning: App Orchestration fully supports the automatic creation and preparation of virtual machines for hosting applications and desktops. This feature also includes support for compute resources running Citrix XenServer, Microsoft Hyper-V, and VMware ESX.

Cloud Provisioning: In addition to support for traditional hypervisors, App Orchestration includes support for Citrix CloudPlatform as a compute resource with on-demand provisioning.

Upgradability: You can upgrade your existing App Orchestration 2.0 deployment using an intuitive and easy-to-use interface.

Streamlined User Experience: App Orchestration provides a simplified installer and a streamlined first-time user experience. Guided wizards provide assistance in learning the system as you perform the initial configuration.

Documentation and support for App Orchestration

App Orchestration in Citrix eDocs: This section of eDocs is your primary source for all resources that support App Orchestration 2.5. Access guides, videos, and other materials to help you progress smoothly through each stage of deployment.

App Orchestration 2.x Discussion Forum: Use this Citrix Discussions site to ask questions and contribute your knowledge about App Orchestration.


Use the following table as a guide to the materials available for planning and deploying App Orchestration:

| When you're ready to… | And you need more information about… | Consult this document… |
|---|---|---|
| Plan your App Orchestration deployment and prepare your network environment | Known issues in App Orchestration | Known Issues for App Orchestration 2.5 |
| | The concepts and terminology specific to App Orchestration | Terminology in App Orchestration 2.5 |
| | System requirements for core components, required pre-deployment tasks, and security considerations | Getting Started with App Orchestration 2.5 (this document); Setup Checklist (Appendix to this document) |
| | Deploying App Orchestration in an Active Directory environment with multiple forests and multiple domains | Deploying App Orchestration 2.5 in a Complex Active Directory Environment |
| | The user accounts you will need to deploy the core App Orchestration components and perform tasks using the App Orchestration web console | Credentials Used in App Orchestration 2.5 |
| | Using SQL database mirroring for adding high availability and failover to the databases used in App Orchestration | Configuring Database Mirroring in App Orchestration 2.5 |
| | The virtual networks you will need to provide tenant isolation of private offerings | Isolation Methods in App Orchestration 2.5 |
| | Integrating Citrix CloudPlatform with App Orchestration to create Public and Private Clouds | Using Citrix CloudPlatform to Provision Session Machines On-demand in App Orchestration 2.5 |
| | Configuring SSL between the core components of your deployment | Configuring SSL for App Orchestration 2.5 |
| Install and configure App Orchestration | Installing the core App Orchestration components | Getting Started with App Orchestration 2.5 (this document); Setup Checklist (Appendix to this document) |
| | Using domain agents to secure communication between App Orchestration and the resource domains in your deployment | Deploying the Zero Trust Agent in App Orchestration 2.5 |
| | Using multiple datacenters to support resources deployed across geographic locations | Deploying a Multi-Datacenter Environment in App Orchestration 2.5 |
| | Integrating NetScaler Gateway with App Orchestration | Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5, or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5 |
| Use specific features of App Orchestration | Enabling hosted desktops to display the Windows 7 or Windows 8 look and feel to users | Configuring Enhanced Desktop Experience for XenApp and XenDesktop in App Orchestration 2.5 |
| | Enabling on-demand provisioning of Session Machines to increase the capacity of your deployment as needed | Provisioning Session Machines On-demand in App Orchestration 2.5 |
| | Integrating Provisioning Services with App Orchestration to provide on-demand provisioning of Session Machines | Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.5 |
| Upgrade an existing App Orchestration 2.0 deployment to App Orchestration 2.5 | The upgrade process, preparation tasks, and instructions | Upgradability Guide for App Orchestration 2.5 |


App Orchestration components

App Orchestration provides simple unified management of Citrix application and desktop delivery technologies in a multi-tenant environment, using multiple datacenters across multiple domains. This section describes the core components and shows how they work together to provision and manage hosted applications and desktops for tenants and users.

A typical App Orchestration deployment includes the following components:

- A configuration server, for hosting the App Orchestration engine and web-based management console.
- A domain agent, to enable the configuration server to communicate with any isolated tenant domains in the deployment.
- Delivery Controllers, for hosting XenApp or XenDesktop Delivery Sites.
- Session Machines, for hosting the applications and desktops that users access through Citrix Receiver.
- StoreFront servers, for hosting the store that contains the offerings you create for tenants.
- Compute resources, for providing the virtual networks required for tenant isolation and provisioning identically-configured Session Machines as needed through on-demand provisioning.

For a visual overview of an App Orchestration deployment, refer to the App Orchestration 2.5 Architecture diagram.

Configuration server

What is it?

The App Orchestration configuration server hosts the App Orchestration engine and the web-based management console. These are stateless components that can be deployed on multiple servers to provide high availability and scalability. Additionally, an instance of Machine Creation Services (MCS) and an agent reside on the configuration server. MCS provides the functionality for creating and managing virtual machines (VMs) on the compute resources in the virtualization infrastructure.

What does it do?

When a change to the deployment occurs, such as creating a Delivery Site or adding a Session Machine to a catalog, the change is written to the configuration database and the App Orchestration engine issues all of the actions required to apply the change. These actions are called workflows, and you can monitor them from the web management console. The configuration server can apply these changes asynchronously, allowing multiple operations across different products in the correct sequence and over extended periods of time. If any failures result, you can correct them and retry the workflow, and the system will complete the change.

Typically, the agent that resides on the configuration server interacts with Active Directory for operations such as monitoring OUs. If you use zero-trust domains in your deployment, the Zero Trust Agent handles communication with Active Directory. All Active Directory communication occurs through Active Directory Web Services. The agent also communicates with Session Machines that have not yet been allocated to host tenants' subscriptions. This occurs using PowerShell remoting (WinRM) and executing pre-installed scripts.

How many do I need?

You need at least one configuration server in your deployment. However, you can deploy multiple configuration servers to provide high availability and failover capabilities.

For system requirements and preparation instructions, see “Prepare the App Orchestration configuration server” on page 31.

Domain agent

What is it?

The domain agent, also known as the Zero Trust Agent, allows the configuration server to orchestrate resources in domains to which it cannot directly connect or where configuring Active Directory trusts between the shared resource domain and the target orchestrated domain is not allowed.

What does it do?

The domain agent is installed on a dedicated machine in each resource domain of your App Orchestration deployment. The agent establishes an SSL connection to the configuration server through which the configuration server sends requests to the agent.

How many do I need?

You need at least one domain agent for each isolated tenant resource domain in your deployment. The domain agent is installed on a dedicated server and requires SSL to be configured. For more information about deploying the Zero Trust Agent, see the document Deploying the Zero Trust Agent in App Orchestration 2.5.

Delivery Sites and Delivery Controllers

What are they?

Delivery Sites are composed of identically configured Delivery Controllers and include the Session Machines, Delivery Groups, and other components that deliver hosted applications and desktops to tenants and their users at the appropriate isolation level. For more information about isolation levels, see the document Isolation Methods in App Orchestration 2.5.


What do they do?

Delivery Controllers are responsible for distributing and managing user access to hosted applications and desktops, power managing desktops, and reboot cycles for servers. Delivery Controllers can be provisioned to run XenApp 6.5 or XenApp 7.5 and XenDesktop 7.5.

When you prepare machines to be Delivery Controllers, App Orchestration installs an agent on each machine to establish communication with the orchestration engine API that is hosted on the configuration server. The Delivery Controller manages Delivery Site configuration and the draining process for Session Machines. Additionally, the agent joins Session Machines to the Delivery Site using PowerShell remoting and executing pre-installed scripts.

How many do I need?

You need at least two Delivery Controllers for each Delivery Site you deploy. These Delivery Controllers must be identically configured, including hardware configuration, operating system, and installed updates.

For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session Machines” on page 35.

Additional information

• XenApp 7.5 and XenDesktop 7.5 documentation
• XenApp 6.5 product documentation

Session Machines, Catalogs, and Delivery Groups

What are they?

Session Machines host applications and desktops for tenants' users to access through Citrix Receiver. Like Delivery Controllers, Session Machines can be provisioned to run XenApp 6.5, XenApp 7.5, or XenDesktop 7.5.

What is a catalog?

Multiple Session Machines are collected in Session Machine Catalogs. All Session Machines in a catalog are identically configured, using the same operating system and configuration settings, and the same installed software. This ensures that users can access the applications and desktops associated with the catalog when needed, regardless of the machines App Orchestration selects to host the sessions. When additional capacity is needed for subscriptions, Session Machines from the catalog are added to a Delivery Group that is associated with the subscribing tenant. Delivery Groups can be dedicated to a single tenant's users or shared among the users of several tenants.

You can create two catalog types in App Orchestration: On-demand catalogs and catalogs for externally-provisioned machines.

On-demand catalogs use on-demand provisioning to create Session Machines whenever more capacity is needed to host tenant subscriptions. Before you create an on-demand catalog, you must perform additional tasks to enable on-demand provisioning in your deployment. For information about these tasks, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.5.

Catalogs for externally-provisioned machines allow you to use other means, such as Citrix Provisioning Services or PowerShell scripts, to provision servers and add them to the catalog. When additional capacity is needed in the catalog, App Orchestration notifies you to deploy more machines; additional machines are not deployed automatically. For more information about using Provisioning Services for externally-provisioned machines, refer to the document Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.5.

OS types for catalogs

When you create a new Session Machine Catalog, you must select an OS type, which governs the operating system installed on each machine in the catalog.

The Multi User type enables you to deploy a set of standard desktops and applications that are shared by a large number of users. Desktops and applications are allocated to users on a first-come, first-served basis. Additionally, the desktop environment automatically resets to the default configuration when users log off. Session Machines in a catalog with this OS type run only supported versions of Windows Server.

The Single User type enables you to deploy desktops and applications that are assigned to individual users. Users can personalize the desktop and install applications. Additionally, the desktop environment remains unchanged between sessions. Session Machines in a catalog with this OS type run on supported versions of Windows or Windows Server (with XenDesktop’s Server VDI capability).

How many do I need?

You need at least one Session Machine to host offerings for users. To increase capacity for your offerings and host more user sessions, you can deploy multiple Session Machines.

For system requirements and preparation instructions, see “Prepare Delivery Controllers and Session Machines” on page 35.

Additional information

• XenApp 7.5 and XenDesktop 7.5 documentation
• XenApp 6.5 product documentation

StoreFront

What is it?

StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users access using Citrix Receiver.


How many do I need?

To provide offerings to users, you need at least one StoreFront server group consisting of at least two StoreFront servers.

For system requirements and preparation instructions, see “Prepare StoreFront servers” on page 39.

For more information about StoreFront 2.5.2, see the product documentation in Citrix eDocs.

When you add tenants to your deployment, you can specify whether the tenant’s users will use a shared or private StoreFront site to access your offerings. The number of StoreFront servers you need depends on the number of tenants who will be using shared or private StoreFront resources to access your offerings. For more information about shared and private StoreFront resources, see the document Isolation Methods in App Orchestration 2.5.

Compute resources

Compute resources are the hypervisors, hypervisor pools, and other components required to create and manage virtual machines (VMs). These resources enable you to create virtual networks, a key component in isolating tenants and ensuring shared and private resources are allocated appropriately.

To learn about the compute resources that App Orchestration supports, see the section “Set up compute resources” on page 27.


App Orchestration deployment overview

Deploying App Orchestration typically occurs using the following phased approach:

Phase: Prepare
• Download the software for App Orchestration and its components.
• Prepare your environment and the machines you will use to deploy App Orchestration and design and deliver offerings.

Phase: Install
• Use the App Orchestration Install Center to install the required software on the machines you prepare as the configuration server, Delivery Controllers, Session Machines, and StoreFront servers. This enables you to perform the remaining deployment phases with minimal interruption.

Phase: Configure
• Configure App Orchestration’s global settings.

Phase: Define
• Define additional domains.
• Create additional datacenters.
• Set up and configure compute resources.
• Add instance configurations.

Phase: Design
• Create Delivery Sites.
• Create a Session Machine Catalog for on-demand provisioning or external provisioning.
• Create a StoreFront Server Group.
• Create an offering.

Phase: Deliver
• Add a tenant and add users.
• Adjust capacity.
• Subscribe the tenant to the offering.
• (Optional) Enable tenant self-service with CloudPortal Services Manager 11.5.


Prepare to deploy App Orchestration 2.5

Before you install App Orchestration, some planning is required to prepare your environment and the machines you will include in your deployment. Use this section to learn about:

• Required tasks for preparing your network environment and the machines included in your deployment.
• System requirements for the core components of your deployment.
• Deployment recommendations and requirements for using specific features of App Orchestration.

How many machines do I need?

The simplest App Orchestration deployment that enables you to create an offering and deliver it to a tenant requires the following machines:

• 1 domain controller with a minimum domain functional level of Windows Server 2008 R2
• 1 database server running a supported version of Microsoft SQL Server
• 1 Citrix License Server
• 1 server, for the App Orchestration configuration server
• 1 server, for the Session Machine that will host applications and desktops for the tenant’s users
• 2 servers, for the Delivery Controllers that make up one Delivery Site
• 2 servers, for the StoreFront servers that make up one StoreFront server group

You can then add other components such as NetScaler Gateway and Citrix Provisioning Services, depending on the needs of your deployment.


Network preparation task overview

Perform the following tasks to prepare your network environment for App Orchestration:

Step 1: Create the shared resource and default user domains and the root OU for the deployment. Refer to “Prepare your Active Directory domains” on page 20.

Step 2: Create a policy for all machines in the deployment that sets the PowerShell execution policy, enables PowerShell remoting, and enables remote administration with WMI. Refer to “Configure the App Orchestration Group Policy” on page 23.

Step 3: Create the non-privileged user accounts that you will use to install App Orchestration and designate as the orchestration service account for the deployment. Refer to “Create administrator accounts” on page 26.

Step 4: Set up Citrix Licensing for your deployment. Refer to “Set up Citrix Licensing” on page 27.

Step 5: Set up compute resources to create virtual networks and provision Session Machines on-demand. Refer to “Set up compute resources” on page 27.

Step 6: Set up NetScaler Gateway to provide secure remote access and load balancing for the StoreFront servers in your deployment. Refer to “Set up NetScaler Gateway” on page 28.


Machine preparation task overview

Perform the following tasks to prepare the machines that you include in your App Orchestration deployment:

Step 1: Install and configure the SQL Server that hosts the configuration database for your deployment. Refer to “Prepare the database server” on page 28.

Step 2: Prepare the machine that you deploy as the App Orchestration configuration server, including configuring SSL. Refer to “Prepare the App Orchestration configuration server” on page 31.

Step 3: Prepare the machines that you deploy as Delivery Controllers and Session Machines, including configuring SSL and updating the Citrix Group Policy snap-in. Refer to “Prepare Delivery Controllers and Session Machines” on page 35.

Step 4: Prepare the machines that you deploy as StoreFront servers, including configuring SSL. Refer to “Prepare StoreFront servers” on page 39.

Prepare your Active Directory domains

To deploy App Orchestration successfully, you must have at least one domain controller in your environment. With a single domain, you can create a deployment where users access offerings hosted on resources that are shared by all tenants or on resources that are isolated for each tenant. You can also create private offerings and allocate private resources to specific tenants.

App Orchestration also supports deployments that span multiple forests and domains. With a multi-forest or multi-domain deployment, you can provide increased tenant isolation and separation of user accounts and resources. For more information about multi-forest deployment, see the document Deploying App Orchestration 2.5 in a Complex Active Directory Environment.

App Orchestration supports the following domain functional levels:

Resource domain functional levels: Windows Server 2012, Windows Server 2008 R2

User domain functional levels: Windows Server 2012, Windows Server 2008 R2, Windows Server 2003


Task 1: Prepare required domains

Create the following domains:

• Shared resource domain: The domain where the App Orchestration configuration server resides. This domain contains components that are shared with multiple tenants. This is also where the App Orchestration root OU is created.

Important: All configuration servers in your deployment must reside in the shared resource domain. App Orchestration does not support the use of configuration servers in different domains.

• Default user domain: The domain where App Orchestration user accounts reside (for example, the user account designated as the orchestration service account). This domain also includes the tenant users and groups that will access offerings delivered from the shared resource domain. You can create a separate domain for these accounts or you can designate the shared resource domain for this purpose.

If you intend to include multiple domains in your deployment, create these resource and user domains as necessary. You will need to specify the shared resource and default user domains when you configure App Orchestration's global settings. You can define additional domains through the App Orchestration web console. For more information about using multiple domains with App Orchestration, refer to the document Deploying App Orchestration 2.5 in a Complex Active Directory Environment.

Task 2: Prepare required organizational units

In the shared resource domain, create an OU that acts as the root OU for your App Orchestration deployment. If your deployment includes multiple resource domains, create a root OU in each of these domains.

You can name the root OU according to your preference; however, the root OU in each resource domain must have the same name and path. You will specify the root OU for the shared resource domain when you configure App Orchestration's global settings.

Important: The root OU in each resource domain must reside within the scope of the App Orchestration Group Policy. For more information on configuring this policy and linking the root OUs, see the section “Configure the App Orchestration Group Policy” on page 23.

After you configure the global settings, App Orchestration creates the DecommissionedServers OU automatically within this root OU. The DecommissionedServers OU is for machines that have been removed from the deployment.


Task 3: Prepare tenant domains and user groups

Before you add tenants to the deployment, determine the tenants who will require shared or private access to offerings. When you add tenants, you will need to specify the resource and user domains for the tenant so that, when subscriptions are created later, App Orchestration can allocate the machines hosting the tenant's offerings appropriately.

Create the resource and user domains for each tenant in Active Directory and add them as domains through the App Orchestration web console before you add the tenants; App Orchestration does not create these domains for you.

You will also need to create location groups and subscription groups for each tenant:

• Location groups map users to certain datacenters, enabling users to access applications and desktops from different datacenters based on their group membership.
• Subscription groups are Active Directory user groups that organize users according to the offerings they need. A subscription group must be a member of a location group, but can belong to only one location group at any given time. When you create an offering, you specify the subscription groups that can access the offering.

Tenants with private domain isolation

For each tenant who needs private access to offerings, perform the following tasks:

1. Create a private resource domain and App Orchestration root OU. This is where App Orchestration will allocate machines for hosting private offerings.

2. (Optional) Create a private user domain for the tenant's user accounts. Alternatively, you can use the tenant's resource domain for this purpose.

3. In the user domain, create location and subscription groups for the tenant. Finally, add user accounts to the subscription groups.

Tenants with shared domain isolation

For each tenant who needs shared access to offerings, perform the following tasks:

1. Create a resource OU for the tenant within the App Orchestration root OU in the shared resource domain.

2. (Optional) Create a user domain for the tenant's user accounts. Alternatively, you can use App Orchestration's default user domain for this purpose.

3. In the default user domain, create location and subscription groups for the tenant. Finally, add user accounts to the subscription groups.
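The OU and group preparation in Tasks 2 and 3 can be scripted. The following PowerShell is an added example, not part of the Citrix guide or its tooling; it uses the ActiveDirectory module, and every domain, OU and group name in it is a placeholder. It creates the root OU (same name and path in each resource domain), a tenant resource OU for shared domain isolation, and the tenant's location and subscription groups, then checks the rule that a subscription group belongs to exactly one location group.

```powershell
# Added example (not from the Citrix guide): prepare the App Orchestration root
# OU, a tenant resource OU, and a tenant's location and subscription groups.
# All domain, OU and group names are placeholders; adjust them to your environment.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Create the root OU in a resource domain if it does not exist and return its DN.
# Every resource domain must use the same root OU name and path, so call this
# once per resource domain with the same $RootOuName.
function Initialize-AppOrchRootOu {
    param(
        [Parameter(Mandatory)] [string] $DomainDnsName,   # e.g. resources.example.com (placeholder)
        [Parameter(Mandatory)] [string] $RootOuName       # e.g. AppOrchestration (placeholder)
    )
    $domainDn = (Get-ADDomain -Identity $DomainDnsName).DistinguishedName
    $rootOuDn = "OU=$RootOuName,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Server $DomainDnsName -Filter "DistinguishedName -eq '$rootOuDn'")) {
        New-ADOrganizationalUnit -Server $DomainDnsName -Name $RootOuName -Path $domainDn
    }
    return $rootOuDn
}

# Verify that a subscription group is a member of exactly one of the tenant's
# location groups, as App Orchestration requires. Returns $true when it is.
function Test-SubscriptionGroupLocation {
    param(
        [Parameter(Mandatory)] [string]   $UserDomainDnsName,
        [Parameter(Mandatory)] [string]   $SubscriptionGroup,
        [Parameter(Mandatory)] [string[]] $LocationGroups
    )
    $memberOf  = Get-ADPrincipalGroupMembership -Server $UserDomainDnsName -Identity $SubscriptionGroup
    $locations = @($memberOf | Where-Object { $LocationGroups -contains $_.Name })
    if ($locations.Count -ne 1) {
        Write-Warning "$SubscriptionGroup is in $($locations.Count) location group(s); expected exactly 1."
        return $false
    }
    return $true
}

# Create one location group and one subscription group for a tenant in its user
# domain, nest the subscription group in the location group, and verify the rule.
function New-AppOrchTenantGroups {
    param(
        [Parameter(Mandatory)] [string] $UserDomainDnsName,   # e.g. users.example.com (placeholder)
        [Parameter(Mandatory)] [string] $GroupsOuDn,          # OU in the user domain that holds the groups
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $LocationName         # datacenter the tenant's users are mapped to
    )
    $locationGroup = "$TenantName-Location-$LocationName"
    $subGroup      = "$TenantName-Subscribers"
    foreach ($name in @($locationGroup, $subGroup)) {
        if (-not (Get-ADGroup -Server $UserDomainDnsName -Filter "Name -eq '$name'")) {
            # Global security groups; the scope is this example's choice.
            New-ADGroup -Server $UserDomainDnsName -Name $name -Path $GroupsOuDn `
                -GroupScope Global -GroupCategory Security
        }
    }
    Add-ADGroupMember -Server $UserDomainDnsName -Identity $locationGroup -Members $subGroup
    Test-SubscriptionGroupLocation -UserDomainDnsName $UserDomainDnsName `
        -SubscriptionGroup $subGroup -LocationGroups @($locationGroup)
}

# Usage with placeholder names: root OU in the shared resource domain, a tenant
# resource OU beneath it (shared domain isolation), then the tenant's groups in
# the default user domain.
# $rootOu = Initialize-AppOrchRootOu -DomainDnsName 'resources.example.com' -RootOuName 'AppOrchestration'
# New-ADOrganizationalUnit -Server 'resources.example.com' -Name 'TenantA' -Path $rootOu
# New-AppOrchTenantGroups -UserDomainDnsName 'users.example.com' `
#     -GroupsOuDn 'OU=Tenants,DC=users,DC=example,DC=com' -TenantName 'TenantA' -LocationName 'DC1'
```

For a tenant with private domain isolation, run Initialize-AppOrchRootOu against the tenant's private resource domain with the same root OU name, and point New-AppOrchTenantGroups at the tenant's own user domain.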

Required trusts for resource and user domains

If you deploy App Orchestration in an environment that includes different resource and user domains (for example, a resource domain and a user domain exist that are each different than the shared resource domain), ensure that the resource domain trusts the user domain by establishing a one-way trust. This trust enables users to access the offerings hosted on machines in the resource domain.

For more information about using multiple domains with App Orchestration, see the document Deploying App Orchestration 2.5 in a Complex Active Directory Environment.

Required domain trusts for private tenant isolation

App Orchestration enables you to isolate tenants in their own domains using the following methods:

• In a private domain using the Zero Trust Agent. The Zero Trust Agent facilitates secure communication between the App Orchestration configuration server and the tenant’s isolated resource domain. For more information, refer to the document Deploying the Zero Trust Agent in App Orchestration 2.5.
• In a private domain requiring a one-way trust in Active Directory with the shared resource domain. App Orchestration verifies this trust exists when you add a resource domain through the web console.

Configure the App Orchestration Group Policy

To facilitate remote administration, create a policy that applies to all machines in your App Orchestration environment and includes the following:

• PowerShell execution policy is set to AllSigned.
• PowerShell remoting is enabled, including auto-configuration of listeners, trusted hosts, and Windows Remote Shell.
• Inbound remote administration is allowed in Windows Firewall.

Note: By default, WinRM 2.5 uses the ports 5985 for HTTP traffic and 5986 for HTTPS traffic. If you are using firewalls between the App Orchestration configuration server and the other servers in your deployment, ensure these ports are enabled.

You can create this policy using one of the following methods:

• Manually configure policy settings using the Group Policy Management Console. Use this topic to configure these settings.
• Automatically configure policy settings using the New-CamGPO.ps1 script.


The New-CamGPO script creates a Group Policy Object (GPO) and configures all the required policy settings described in this section. You can run this script after you prepare the server you want to use as the App Orchestration configuration server, join it to the shared resource domain, and add it to the App Orchestration root OU. This script is located in the %Program Files%\Citrix\CloudAppManagement\InfrastructureTools directory on the App Orchestration configuration server.

After you create this policy, link the GPO to the following objects:

• App Orchestration root OU in the shared resource domain.
• App Orchestration root OU in each additional private tenant resource domain that you create.

Important: When you deploy machines that reside in these OUs (for example, adding a Delivery Site), App Orchestration issues workflows to complete the deployment tasks. For these workflows to complete successfully, the machines on which they run must have these policy settings applied. App Orchestration does not verify these policy settings are applied before issuing the workflows.

Task 1: Set the PowerShell execution policy

1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and create a new GPO or edit an existing one.

2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.

3. Right-click Turn on Script Execution and select Edit.

4. Select Enabled and then, under Options, select Allow only signed scripts.

Task 2: Configure PowerShell remoting

To configure PowerShell remoting using Group Policy, use the Group Policy Management Console to enable the WinRM service, configure listeners, set the amount of session memory available, and provide a list of trusted hosts. You will also need to configure the WinRM service to start automatically and ensure Windows Firewall allows traffic through the ports assigned to WinRM.

1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and create a new Group Policy Object (GPO) or edit an existing one.

2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components.

3. Use the following table to configure the required policy settings:

Setting location and name: Windows Remote Management (WinRM) > WinRM Service
Policy setting: Allow automatic configuration of listeners
Setting values: Enabled. To configure WinRM to listen on all addresses, type an asterisk (*) in the IPv4 Filter and IPv6 Filter fields.

Setting location and name: Windows Remote Management (WinRM) > WinRM Client
Policy setting: Trusted Hosts
Setting values: Enabled. In TrustedHostsList, type an asterisk (*) to indicate all hosts are trusted.

Setting location and name: Windows Remote Shell
Policy setting: Specify maximum amount of memory in MB per Shell
Setting values: Enabled. In MaxMemoryPerShellMB, type 1024.

Setting location and name: Windows Remote Shell
Policy setting: Specify maximum number of remote shells per user
Setting values: Enabled. In MaxShellsPerUser, typing 0 indicates an unlimited number of shells.

4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

5. Double-click the Windows Remote Management service and select the following options:
   • Define this policy setting
   • Automatic

6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.

7. Right-click Inbound Rules and select New Rule.

8. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined and then select the Windows Remote Management rule. Click Next.

9. On the Predefined Rules page, accept the defaults and click Next.

10. On the Action page, ensure Allow the connection is selected and click Finish.

11. To apply the settings, on each server, open a PowerShell command window and run gpupdate.


Task 3: Enable remote administration with WMI

As part of maintaining your App Orchestration environment, you might need to update Session Machine Catalogs to deploy patches, upgrade installed applications, or take advantage of new hardware on Session Machines. To ensure the update process occurs smoothly, a firewall exception is required to enable inbound remote administrative connections on TCP ports 135 and 445. If this exception is not present, the update process might fail.

1. On a server joined to the domain, open the Group Policy Management Console (gpmc.msc) and create a new Group Policy Object (GPO) or edit an existing one. This GPO should be associated with all servers in the App Orchestration environment.

2. From the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

3. Double-click the Windows Firewall: Allow inbound remote administration exception setting and select Enabled.

4. Under Options, in Allow unsolicited incoming messages from these IP addresses, type an asterisk (*).

5. Click OK to save your selection.
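Because App Orchestration issues workflows without checking that these policy settings are in effect, it is worth verifying them on each machine before deploying. The following PowerShell is an added verification script, not part of the Citrix guide or the New-CamGPO tooling: run it in an elevated session on a machine in the root OU after gpupdate. It assumes Windows Server 2012 or later (for the NetSecurity cmdlets) and reads WinRM settings from the WSMan: drive, which is only available while the WinRM service is running.

```powershell
# Added verification script (not from the Citrix guide): confirms on the local
# machine that the App Orchestration Group Policy settings from Tasks 1 to 3
# have been applied. Run after gpupdate in an elevated session on Windows
# Server 2012 or later (uses the NetSecurity cmdlets and the WSMan: drive).

# Uniform result record for the report.
function New-CheckResult([string] $Check, [bool] $Pass, [string] $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# Read one WSMan configuration value; $null if the WinRM service is not running
# (the WSMan: drive is unavailable then, which is itself a finding).
function Get-WsmanValue([string] $Path) {
    try { (Get-Item -Path $Path -ErrorAction Stop).Value } catch { $null }
}

# True when an enabled inbound allow rule covers TCP $Port on any profile.
# Predefined rules name TCP 135 (RPC endpoint mapper) 'RPC-EPMap' rather than '135'.
function Test-InboundTcpAllowed([int] $Port) {
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($filter in @($rules | Get-NetFirewallPortFilter)) {
        if ($filter.Protocol -ne 'TCP') { continue }
        $ports = @($filter.LocalPort)
        if ($ports -contains "$Port" -or $ports -contains 'Any' -or
            ($Port -eq 135 -and $ports -contains 'RPC-EPMap')) {
            return $true
        }
    }
    return $false
}

function Test-AppOrchPolicy {
    $results = @()

    # Task 1: the execution policy delivered by machine Group Policy must be AllSigned.
    $exec = Get-ExecutionPolicy -Scope MachinePolicy
    $results += New-CheckResult 'Execution policy (MachinePolicy scope)' ($exec -eq 'AllSigned') "$exec"

    # Task 2, steps 4-5: the WinRM service is set to start automatically.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $results += New-CheckResult 'WinRM service start mode' ($svc.StartMode -eq 'Auto') "$($svc.StartMode), $($svc.State)"

    # Task 2, step 3: listener, trusted hosts and the shell limits from the table.
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    $results += New-CheckResult 'WinRM listener present' ($listeners.Count -gt 0) "$($listeners.Count) listener(s)"
    $trusted = Get-WsmanValue 'WSMan:\localhost\Client\TrustedHosts'
    $results += New-CheckResult 'TrustedHosts is *' ($trusted -eq '*') "$trusted"
    $mem = Get-WsmanValue 'WSMan:\localhost\Shell\MaxMemoryPerShellMB'
    $results += New-CheckResult 'MaxMemoryPerShellMB is 1024' ($null -ne $mem -and [int]$mem -eq 1024) "$mem"
    $shells = Get-WsmanValue 'WSMan:\localhost\Shell\MaxShellsPerUser'
    $results += New-CheckResult 'MaxShellsPerUser is 0 (unlimited)' ($null -ne $shells -and [int]$shells -eq 0) "$shells"

    # Task 2, steps 6-10 and Task 3: WinRM HTTP (5985) and remote administration
    # (135, 445) must be allowed inbound; 5986 only matters if an HTTPS listener exists.
    $required = @(5985, 135, 445)
    if ($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' }) { $required += 5986 }
    foreach ($port in $required) {
        $results += New-CheckResult "Inbound TCP $port allowed" (Test-InboundTcpAllowed $port) ''
    }
    return $results
}

$report = Test-AppOrchPolicy
$report | Format-Table -AutoSize
# A non-zero exit lets a deployment script stop before App Orchestration issues workflows.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```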

Create administrator accounts

To install and manage components in your App Orchestration deployment, create the following objects:

• Orchestration service group: A user group for the user accounts for installing and administering the deployment. This group confers full rights on member accounts. User accounts that are added to this group should be non-privileged users with no administrator rights to the machines in the deployment. Accounts in this group should not be members of the Domain Admins group. You will need to supply this group name when you install the App Orchestration configuration server.

Note: After you supply this group name, it cannot be changed later.

• Orchestration service account: The primary user account for performing administrative tasks in the App Orchestration web console. This is a non-privileged user account that has permission to access all App Orchestration functions and add and modify objects. This account should not be part of the Domain Admins group. This account need not be the same as the App Orchestration configuration server installation and configuration credentials.

Note: When adding administrator accounts to App Orchestration in a multi-domain environment, ensure the accounts are members of a global or universal group in the user domain. If the account is a member of a domain local group, App Orchestration does not recognize the account and, therefore, does not allow the account to log on to the web console.


For more information about requirements and permissions for these user accounts, as well as other user accounts that App Orchestration uses to provision and manage machines, see the document Credentials Used in App Orchestration 2.5.

Set up Citrix Licensing

Citrix Licensing 11.11.1 is required for configuring the App Orchestration configuration server as well as configuring the Delivery Controllers, Session Machines, and StoreFront servers you want to deploy. If you use an older version of Citrix Licensing, App Orchestration cannot validate the server during configuration of global settings.

For Delivery Sites that use controllers running XenApp 6.5 Feature Pack 4, specify the Licensing server using the FQDN or an IPv4 address. If you use an IPv6 address, App Orchestration cannot validate the server and create the Delivery Site.

For more information about deployment steps, obtaining license files, and managing your Licensing server, see Citrix Licensing 11.11.1 in Citrix eDocs.

Set up compute resources

Compute resources include the hypervisors and virtual networks and machines that form the foundation for your App Orchestration deployment. These resources enable you to deploy Session Machines on demand using on-demand provisioning, and use network isolation to provide tenants with private resources.

App Orchestration supports using the following products to create the virtual networks and machines you need for your deployment:

Citrix CloudPlatform 4.2.1

Citrix XenServer 6.2

VMware vSphere ESX 5.5

VMware vSphere ESX 5.1

Microsoft SCVMM 2012 R2

Microsoft SCVMM 2012 SP1

To use network isolation in your deployment, you create the following virtual networks:

Shared Controller Management Network

Shared Delivery Group Management Network

Private management network, for each tenant who requires network isolated access to hosted applications and desktops


Additionally, these networks must be labeled.

Important: You will need to supply these labels when you configure App Orchestration's global settings. In App Orchestration, network labels are case-sensitive. When configuring the global settings, enter the labels exactly as they are configured for your compute resources.

For more information about these networks and instructions for creating and labeling them, review the document Isolation Methods in App Orchestration 2.5.

For more information about using Citrix CloudPlatform to provision machines in your App Orchestration deployment, see the document Using Citrix CloudPlatform to Provision Session Machines On-demand in App Orchestration 2.5.

Set up NetScaler Gateway

App Orchestration supports the use of NetScaler Gateway 10.1 or 10.5 to provide secure remote access and load balancing for the StoreFront servers in your App Orchestration deployment. If you intend to use NetScaler Gateway in your deployment, review the following information prior to deployment:

Review the document Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5. These documents provide detailed requirements and instructions for integrating NetScaler Gateway with App Orchestration.

Review the security considerations as described in the Planning for Security with NetScaler Gateway section of Citrix eDocs.

LDAP authentication for NetScaler Gateway

When configuring LDAP authentication for NetScaler Gateway to verify user accounts in Active Directory, a user account is entered in the Administrator Bind DN setting to bind NetScaler Gateway to the LDAP server and search for the user. Citrix strongly recommends using a non-privileged user account that has bind DN permission in Active Directory. Do not use an administrator account for this setting.
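The following script is an added example (not part of the Citrix guide) that creates the orchestration service group and orchestration service account described under "Create administrator accounts", plus a least-privilege account for the NetScaler Gateway bind DN, and then verifies the rules the guide states: the group is global rather than domain local, and none of the principals belongs to a privileged group. The OU path, domain and account names are placeholders; the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example; names, OU path and domain below are placeholders for your shared resource domain.
Import-Module ActiveDirectory

$ouPath       = 'OU=AppOrchestration,DC=shared,DC=example,DC=com'   # placeholder OU
$groupName    = 'AO-OrchestrationServiceGroup'                        # placeholder group name
$serviceUser  = 'svc-ao-orchestration'                                # placeholder account
$ldapBindUser = 'svc-nsg-ldapbind'                                    # placeholder account

# Global scope: in a multi-domain deployment App Orchestration does not recognise
# members of a domain local group, so the group must be global or universal.
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security `
    -GroupScope Global -Path $ouPath -Description 'App Orchestration administrators'

# Prompt for passwords rather than embedding them in the script.
$svcPassword  = Read-Host -AsSecureString "Password for $serviceUser"
$bindPassword = Read-Host -AsSecureString "Password for $ldapBindUser"

New-ADUser -Name $serviceUser -SamAccountName $serviceUser -Path $ouPath `
    -AccountPassword $svcPassword -Enabled $true -PasswordNeverExpires $true `
    -Description 'App Orchestration orchestration service account'

# The bind DN account only needs the default read access to search for users,
# so it is deliberately not added to any administrative group.
New-ADUser -Name $ldapBindUser -SamAccountName $ldapBindUser -Path $ouPath `
    -AccountPassword $bindPassword -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'NetScaler Gateway LDAP bind account'

Add-ADGroupMember -Identity $groupName -Members $serviceUser

# Privileged groups that none of these principals may belong to.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Test-NotPrivileged {
    param([string]$SamAccountName)
    $memberships = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object -ExpandProperty Name
    $overlap = @($memberships | Where-Object { $privilegedGroups -contains $_ })
    if ($overlap.Count -gt 0) {
        Write-Warning "$SamAccountName is a member of privileged group(s): $($overlap -join ', ')"
        return $false
    }
    return $true
}

$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -eq 'DomainLocal') {
    Write-Warning "$groupName is domain local; App Orchestration will not recognise its members"
}
foreach ($principal in $serviceUser, $ldapBindUser, $groupName) {
    if (Test-NotPrivileged -SamAccountName $principal) {
        Write-Output "$principal: not a member of any privileged group"
    }
}
```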

Prepare the database server

In an App Orchestration deployment, the database server hosts the App Orchestration configuration database. If you choose, it can also host the databases for the Delivery Sites you deploy.

Prepare the database server before you install App Orchestration. You will need to supply information about this server when you install the App Orchestration configuration server and deploy Delivery Sites. Afterward, create a firewall exception as described in the section “Task 1: Create a firewall exception” on page 30.


When you install the App Orchestration configuration server, you are prompted to provide a service deployment name. This name is used to create the configuration database. If you want to use an existing database for your App Orchestration deployment, you specify that database name as the service deployment name. If you enter a database name that does not exist on the database server, the database is automatically created.

Supported database servers

App Orchestration supports using the following database servers:

Microsoft SQL Server 2012 Express, Standard, and Enterprise editions

Microsoft SQL Server 2008 R2 Express, Standard, Enterprise, and Datacenter editions

Support for database mirroring

For the configuration database, App Orchestration supports the use of mirrored and non-mirrored databases.

If you want to use mirrored databases in your deployment, consider the following:

When planning for high availability or disaster recovery of the configuration database, be aware that App Orchestration supports using only database mirroring for these purposes. App Orchestration does not support using SQL Server clustering or the AlwaysOn feature of SQL Server 2012.

If you specify a database that does not yet exist when installing the App Orchestration configuration server, the resulting database cannot be mirrored. The installer does not perform any mirroring configuration or create a database that supports mirroring by default.

To use a mirrored database with the deployment, create the mirrored database before you deploy the App Orchestration configuration server, and ensure the database is empty. When you are prompted for the service deployment name during installation of the configuration server, enter the name of this database.

For more information about using mirrored databases with App Orchestration, refer to the document Configuring Database Mirroring in App Orchestration 2.5.

System requirements

When installing and configuring the database server for your deployment, ensure the following requirements are met:

Authentication Mode: Windows authentication is enabled.

TCP: Enabled, along with all appropriate IP addresses, in SQL Server Configuration Manager.

SQL PowerShell Provider: Installed. This provider is included with SQL Management Studio.

SQL Server Browser service: Enabled, and set to run automatically.

SQL Server instance: Enabled, and set to run automatically.

Firewall: Allow inbound connections to the database server from the other servers in your App Orchestration deployment. Additionally, enable firewall exceptions for the SQL Server Browser and SQL Server instance. See “Task 1: Create a firewall exception” on page 30.

User account permissions: The user account with which App Orchestration is installed must have the Sysadmin role to create the required accounts and databases during App Orchestration configuration server setup. For more information about required user accounts and permissions, refer to the document Credentials Used in App Orchestration 2.5.

Database security: As a security best practice, ensure that only the NetworkService account for the App Orchestration configuration server has permission to write to the database.
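As an added example (not from the Citrix guide), the following script checks the database-server settings listed above that can be verified locally: the authentication mode, whether TCP/IP is enabled for the instance, whether the instance and SQL Server Browser services start automatically, and whether a SQL PowerShell provider is present. It reads the registry keys SQL Server uses for these settings; the instance name is an assumption, and the script is meant to be run on the database server as a local administrator.

```powershell
# Added example; run on the database server before installing App Orchestration.
function Test-AOSqlPrerequisites {
    param([string]$InstanceName = 'MSSQLSERVER')   # placeholder: default instance name

    $checks = @()

    # Map the instance name to its registry identifier, e.g. MSSQL10_50.MSSQLSERVER.
    $instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $instanceId  = (Get-ItemProperty -Path $instanceKey -ErrorAction SilentlyContinue).$InstanceName
    if (-not $instanceId) {
        throw "SQL Server instance '$InstanceName' was not found on this server"
    }
    $serverKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer"

    # LoginMode 1 = Windows authentication only, 2 = mixed mode (Windows auth still enabled).
    $loginMode = (Get-ItemProperty -Path $serverKey).LoginMode
    $checks += New-Object PSObject -Property @{
        Check  = 'Windows authentication enabled'
        Pass   = ($loginMode -eq 1 -or $loginMode -eq 2)
        Detail = "LoginMode=$loginMode (1 = Windows only, 2 = mixed)"
    }

    # TCP/IP protocol: the Enabled value under SuperSocketNetLib\Tcp mirrors
    # the setting shown in SQL Server Configuration Manager.
    $tcpEnabled = (Get-ItemProperty -Path "$serverKey\SuperSocketNetLib\Tcp").Enabled
    $checks += New-Object PSObject -Property @{
        Check  = 'TCP/IP enabled'
        Pass   = ($tcpEnabled -eq 1)
        Detail = "Enabled=$tcpEnabled"
    }

    # The instance service and the SQL Server Browser must be set to Automatic and running.
    $instanceService = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
    foreach ($name in $instanceService, 'SQLBrowser') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc) {
            $detail = "StartMode=$($svc.StartMode) State=$($svc.State)"
        } else {
            $detail = 'service not found'
        }
        $checks += New-Object PSObject -Property @{
            Check  = "Service $name automatic and running"
            Pass   = ($svc -ne $null -and $svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
            Detail = $detail
        }
    }

    # SQL PowerShell provider: the SQLPS module (SQL Server 2012) or the 2008 R2 snap-in.
    $sqlpsModule = Get-Module -ListAvailable -Name SQLPS
    $sqlpsSnapin = Get-PSSnapin -Registered -Name SqlServerProviderSnapin100 -ErrorAction SilentlyContinue
    $checks += New-Object PSObject -Property @{
        Check  = 'SQL PowerShell provider installed'
        Pass   = [bool]($sqlpsModule -or $sqlpsSnapin)
        Detail = "SQLPS module: $([bool]$sqlpsModule); SqlServerProviderSnapin100: $([bool]$sqlpsSnapin)"
    }

    return $checks
}

Test-AOSqlPrerequisites | Format-Table Check, Pass, Detail -AutoSize
```

The firewall, Sysadmin-role and database-permission rows in the table are not covered by this script and still need to be verified separately.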

Task 1: Create a firewall exception

To ensure the database server can communicate as required with the other servers in your App Orchestration deployment, create a Windows Firewall exception on the database server that allows connections with the other servers.

1. On the database server, click Start > Administrative Tools > Windows Firewall with Advanced Security.

2. In the left pane, click Inbound Rules.

3. Right-click Inbound Rules and then select New Rule. The New Inbound Rule Wizard appears.

4. On the Rule Type page, select Program and then click Next.

5. On the Program page, select This program path and then click Browse.


6. Locate and select the SQL Server executable and then click Open. Typically, the SQL Server executable is located at C:\Program Files\Microsoft SQL Server\MSSQL10_50.instancename\MSSQL\Binn\sqlservr.exe.

7. On the Action page, select Allow the connection and then click Next.

8. On the Profile page, select Domain, Private, and Public.

9. On the Name page, enter a name for the rule and click Finish.
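The same exceptions can be created from the command line. The script below is an added example (not from the Citrix guide): it resolves the executable paths of the SQL Server instance and the SQL Server Browser from their installed services, then creates an inbound program rule for each with netsh, which works on both supported Windows Server versions. Unlike the wizard steps above, it limits the rules to the addresses of the other App Orchestration servers; the address list and instance name are placeholders.

```powershell
# Added example; run in an elevated PowerShell session on the database server.
$instanceName = 'MSSQLSERVER'                           # placeholder: default instance
$aoServers    = '10.0.0.10', '10.0.0.11', '10.0.0.12'   # placeholders: configuration server, Controllers, StoreFront

function Get-ServiceExecutablePath {
    param([string]$ServiceName)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    # PathName looks like "C:\...\sqlservr.exe" -sMSSQLSERVER; keep only the executable.
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split ' ')[0]
}

# Named instances register their service as MSSQL$<name>.
$instanceService = if ($instanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$instanceName" }

$rules = @(
    @{ Name = 'App Orchestration - SQL Server instance'; Program = (Get-ServiceExecutablePath $instanceService) },
    @{ Name = 'App Orchestration - SQL Server Browser';  Program = (Get-ServiceExecutablePath 'SQLBrowser') }
)

$remoteIp = $aoServers -join ','
foreach ($rule in $rules) {
    # Delete any earlier copy so the script can be re-run without duplicating rules
    # (the delete reports an error when no rule exists yet, which is harmless here).
    netsh advfirewall firewall delete rule name="$($rule.Name)" | Out-Null

    # Program rule, all profiles as in the wizard, but only from the listed servers.
    netsh advfirewall firewall add rule name="$($rule.Name)" dir=in action=allow `
        program="$($rule.Program)" enable=yes profile=any remoteip=$remoteIp | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to create firewall rule '$($rule.Name)'" }
    Write-Output "Created rule '$($rule.Name)' for $($rule.Program) from $remoteIp"
}

# Show the resulting rules for review.
foreach ($rule in $rules) {
    netsh advfirewall firewall show rule name="$($rule.Name)" verbose
}
```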

Prepare the App Orchestration configuration server

The App Orchestration configuration server hosts the App Orchestration configuration engine and the web management console.

Citrix recommends installing App Orchestration on servers containing fresh installations of supported Microsoft Windows Server operating systems. To upgrade servers running App Orchestration 2.0 to Version 2.5, refer to the document Upgradability Guide for App Orchestration 2.5. Do not attempt to upgrade servers running App Orchestration versions older than Version 2.0. Additionally, do not join servers running previous versions of App Orchestration to a deployment running App Orchestration 2.5.


System requirements

The server you prepare to be the App Orchestration configuration server must meet the following requirements:

Hardware: Dual core processors, 2.6 GHz or higher; minimum 3 GB RAM; minimum 50 GB free disk space.

Operating System: One of the following: Windows Server 2008 R2 SP1; Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition).

Domain Functional Level: Windows Server 2008 R2.

Windows Management Framework and PowerShell versions: Depending on your server operating system, Version 3.0 (the Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595) or Version 4.0.

.NET Framework version: Version 4.5.

PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 23.

Windows Update Service: Enabled.

SSL certificates: A server certificate signed by your domain certificate authority is required for deploying the configuration server. Refer to the document Configuring SSL for App Orchestration 2.5.

System Temp folder: Must be writable by the Network Service account.

Internet Access: Enabled. Setup accesses Windows Update to verify the full version of the .NET Framework 4.5 is installed and to install .NET updates, if required.

Web browser (for accessing the web management console): Internet Explorer 10 or 11.

Important: When preparing the configuration server for App Orchestration installation, ensure the server operating system and anti-virus software have all appropriate updates and patches, and that the server is free of untrusted software.

Sequence of preparation tasks for Windows Server 2008 R2 SP1

If you are preparing a server running Windows Server 2008 R2 SP1 as the configuration server, use the following sequence of tasks to ensure the configuration server is deployed smoothly:

1. Install the operating system and apply all required updates and patches.

2. Install .NET Framework version 4.5.

3. Install Windows Management Framework 3.0, which includes Windows PowerShell 3.0.

4. Install the server certificate required for installation of the configuration server.

5. Join the server to the shared resource domain.

6. Verify the Group Policy settings described in “Configure the App Orchestration Group Policy” on page 23 have been applied to the App Orchestration root OU of the shared resource domain for your deployment. For more information about required OUs, see “Prepare your Active Directory domains” on page 20.

Important: If you join the configuration server to the shared resource domain and enable PowerShell remoting before you install the Windows Management Framework 3.0 and upgrade to PowerShell 3.0, installing App Orchestration might fail. If this happens, execute the following command and retry the installation:

winrm delete http://schemas.microsoft.com/wbem/wsman/1/config/plugin?Name=Microsoft.ServerManager

Client OS and browser support for the management console

To manage your deployment, App Orchestration includes a web-based management console. The console is hosted, by default, on the configuration server, but you can also run the console on other computers in your environment. To run the console, App Orchestration supports the following web browsers and operating systems:


Windows

Web Browser / Windows version: Windows 7 SP1 (32-bit and 64-bit), Windows 8 (32-bit and 64-bit), Windows 8.1 (32-bit and 64-bit), Windows Server 2008 R2 SP1, Windows Server 2012 R2
Internet Explorer 10: X X X
Internet Explorer 11: X X X
Mozilla Firefox 24: X X
Google Chrome 30: X X

Mac OS and Apple iOS

Web Browser / Operating system: Mac OS X (10.8), Apple iOS 7 (iPad only)
Mozilla Firefox 24: Mac OS X (10.8)
Google Chrome 30: Mac OS X (10.8)
Apple Safari for iOS: Apple iOS 7 (iPad only)

Internet Explorer 11 Considerations

If you plan to use Internet Explorer 11 with the App Orchestration web console, perform the following tasks to ensure the web console operates consistently:

Disable AutoComplete to prevent unauthorized console access. In addition to remembering previous entries for forms and URLs, AutoComplete remembers entries for usernames and passwords. To prevent unauthorized access to the App Orchestration web console due to remembered credentials, Citrix recommends disabling AutoComplete on all machines on which Internet Explorer 11 is used to access the web console. To do this, perform the following actions:

1. From the Start screen, click Settings > Control Panel > Internet Options.

2. Click the Content tab and then under AutoComplete click Settings.

3. Clear the User names and passwords on forms check box and then click OK.


Add the web console as a Trusted Site. Because the web console uses JavaScript, Internet Explorer 11 might prevent the web console from running. To ensure the web console runs consistently, add the web console URL to the list of Trusted Sites. To do this, perform the following actions:

1. From the Start screen, click Settings > Control Panel > Internet Options.

2. Click the Security tab and then select the Trusted sites security zone.

3. Click Sites and enter the web console URL. The default URL is https://FQDN-of-AOConfigSvr/camconsole.

Prepare Delivery Controllers and Session Machines

Supported platforms

XenApp 7.5 and XenDesktop 7.5

XenApp 6.5 Feature Pack 4

Important: If you have an existing XenDesktop 7.1 deployment that you used with a previous version of App Orchestration, you can continue to use that deployment with App Orchestration 2.5. However, you cannot modify the configuration of the servers in that deployment. To use the full set of features of App Orchestration 2.5, Citrix recommends upgrading your XenDesktop 7.1 deployment to XenDesktop 7.5.

System requirements

Servers you prepare as Delivery Controllers and Session Machines must meet the following requirements:

Hardware: Dual core processors, 2.6 GHz or higher; minimum 3.0 GB RAM; minimum 50 GB free disk space.

Operating System (XenApp 7.5 and XenDesktop 7.5):
Delivery Controllers: Windows Server 2008 R2 SP1, with PowerShell 4.0; Windows Server 2012 R2 (Standard, Enterprise, or Datacenter edition).
Session Machines: Windows XP SP3 (32-bit only), with PowerShell 2.5; Windows 7 SP1 (32-bit and 64-bit), with PowerShell 4.0; Windows 8 (32-bit and 64-bit); Windows 8.1 (32-bit and 64-bit); Windows Server 2008 R2 SP1, with PowerShell 4.0; Windows Server 2012, with PowerShell 4.0; Windows Server 2012 R2.

Operating System (XenApp 6.5 FP4): Windows Server 2008 R2 SP1, with PowerShell 4.0.

Domain Functional Level: Windows Server 2008 R2 or Windows Server 2012.

.NET Framework version: Version 4.5. If the .NET Framework is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically.

Windows Management Framework (WMF) and PowerShell version: Version 4.0. For Windows 7, Windows Server 2008 R2 SP1, and Windows Server 2012, the WMF 4.0 package is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. If WMF 4.0 is not installed prior to deploying the machine, the App Orchestration Install Center installs the software automatically. Alternatively, you can download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.

Important: For Session Machines running Windows 7 32-bit operating systems, upgrading to WMF 4.0 can render PSSessionConfiguration functions unusable, preventing the machine from being added to a catalog. To avoid this issue, be sure to run the following cmdlet prior to installing the single user Virtual Delivery Agent:

Register-PSSessionConfiguration -Name Microsoft.PowerShell

PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 23.

Windows Update Service: Enabled.

Automatic updates: Disabled on all servers prepared as Session Machines.

Windows Server Roles: .NET Framework 3.5.1.

Database server: Microsoft SQL Server 2012 Express, Standard, and Enterprise editions; Microsoft SQL Server 2008 R2 Express, Standard, Enterprise, and Datacenter editions.

Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See “Install App Orchestration” on page 43.

Administrator accounts: A Delivery Site administrator account is required for deploying Delivery Sites in App Orchestration. For more information about the user accounts required for deploying Delivery Sites and Session Machines, refer to the document Credentials Used in App Orchestration 2.5.

Important: When you add the initial Controllers to a Delivery Site or Session Machines to a catalog, App Orchestration uses these machines to construct machine profiles that are used to evaluate subsequent machines that are added to the Site or catalog. If these machines do not match the profile for the Site or catalog, they are not added to the deployment. Therefore, each machine you add to a Site or catalog must have the same machine configuration, operating system and updates, Citrix product version, and installed applications as the first machines you deployed. To add machines with differing configurations, create a new Delivery Site or Session Machine Catalog as appropriate.

Support for aggregating existing Delivery Sites

Aggregating applications and desktops enables users to access offerings that are available in multiple StoreFront stores from a single point of access. Using aggregation, you can add Delivery Sites that already exist in your environment to your App Orchestration deployment.

App Orchestration supports aggregating existing Delivery Sites that run the following versions of XenApp or XenDesktop:

XenApp 5.0, 6.0, and 6.5

XenDesktop 5.5, 5.6, 7.0, and 7.1

XenApp 7.5 and XenDesktop 7.5


Aggregation of Delivery Sites running versions of XenApp or XenDesktop that are older than specified in this section (such as Citrix Presentation Server 4.5) is not supported. For a complete list of all XenApp and XenDesktop versions that are supported for Delivery Site aggregation, refer to the StoreFront topic Infrastructure requirements on Citrix eDocs.

Considerations for Delivery Controllers in cross-forest private Delivery Sites

When creating a Delivery Site in a tenant’s private resource domain that resides in a different forest than the shared resource domain, a trust relationship must exist between the Delivery Controllers in the tenant’s resource domain and the shared resource domain. You can create this trust using one of the following methods:

Using the Zero Trust Agent in the tenant’s resource domain and configuring SSL on the Delivery Controllers. The Zero Trust Agent facilitates secure communication between the App Orchestration configuration server and the tenant’s isolated resource domain. For more information, refer to the documents Deploying the Zero Trust Agent in App Orchestration 2.5 and Configuring SSL for App Orchestration 2.5.

Establishing a one-way trust in which the shared resource domain trusts the tenant’s resource domain. This trust allows the App Orchestration agents residing on the Delivery Controllers to authenticate with the App Orchestration engine using integrated Active Directory authentication.

Task 1: Update the Citrix Group Policy snap-in for XenApp 6.5

Because servers running XenApp 6.5 run an older version of the Citrix Group Policy snap-in by default (Version 1.5.0.0), Group Policy settings associated with App Orchestration might not display correctly when viewed with the Group Policy Management Console on a XenApp 6.5 server. To avoid this issue, update the Citrix Group Policy snap-in with the newer version that comes with XenApp 7.5 and XenDesktop 7.5 (Version 2.2.0.0). To do this, perform the following actions:

1. On the XenApp 7.5 and XenDesktop 7.5 installation media, locate the CitrixGroupPolicyManagement_x64.msi file in the /x64/Citrix Policy folder.

2. On the XenApp 6.5 servers in your deployment, run the CitrixGroupPolicyManagement_x64.msi file to update the Citrix Group Policy snap-in.

Task 2: Configure SSL on Delivery Sites and Session Machines

To avoid security risks, Citrix recommends that you use SSL to secure communications between the following components:

Between Delivery Controllers and StoreFront servers: For more information about configuring SSL for App Orchestration, see the document Configuring SSL for App Orchestration 2.5.

Between Session Machines and NetScaler Gateway: As part of deploying NetScaler Gateway in your environment, a signed SSL certificate and, if applicable, a trusted root certificate are required. For Session Machines running XenDesktop 7.5, XenApp 7.5, or XenApp 6.5 FP4, manually configure SSL and install a signed SSL certificate on each machine. If you use App Orchestration to aggregate Delivery Sites running XenDesktop 5.6, ensure the Session Machines and Delivery Controllers in those Sites have the latest public hotfix applied.

Prepare StoreFront servers

StoreFront authenticates users to sites hosting resources and manages stores of applications and desktops that users access with Citrix Receiver.

System requirements

Servers prepared as StoreFront servers have the following requirements:

Hardware: Dual core processors, 2.6 GHz or higher; minimum 3.0 GB RAM; minimum 50 GB free disk space.

Operating System: Windows Server 2008 R2 SP1, with PowerShell 3.0; Windows Server 2012 R2 (Standard, Enterprise, or Datacenter Edition).

Windows Management Framework and PowerShell version: Depending on your server operating system:
Version 3.0. For Windows Server 2008 R2 SP1, the Windows Management Framework is available for download from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=34595
Version 4.0. For Windows Server 2012 R2, the Windows Management Framework is included in the Setup\ProductMedia\CloudAppManagement\Support\PowerShell4\ folder on the App Orchestration installation media. Alternatively, download the package from the Microsoft web site at http://www.microsoft.com/en-us/download/details.aspx?id=40855.

Domain Functional Level: Windows Server 2008 R2 or Windows Server 2012.

.NET Framework version:
Windows Server 2008 R2 SP1: .NET Framework 4.5. This executable is located in the Support folder of the App Orchestration installation media.
Windows Server 2012: .NET Framework 3.5. For information on enabling this feature, see the article “Install or Uninstall Roles, Role Services, or Features” on the Microsoft web site.

PowerShell remoting: Enabled. See “Configure the App Orchestration Group Policy” on page 23.

Windows Update Service: Enabled.

Windows Server Roles: .NET Framework 3.5.1; Web Server (IIS), with all default role services.

SSL certificate: A server certificate signed by your domain certificate authority is required for deploying StoreFront servers. Refer to the document Configuring SSL for App Orchestration 2.5.

Database server: Microsoft SQL Server 2012 Express, Standard, and Enterprise editions; Microsoft SQL Server 2008 R2 Express, Standard, Enterprise, and Datacenter editions.

Citrix software: Use the App Orchestration Install Center to install the appropriate Citrix software on the machine. If any Citrix products are installed prior to using the Install Center, App Orchestration might remove or overwrite these files. See “Install App Orchestration” on page 43.

Server group requirements

In App Orchestration, you add StoreFront servers to a deployment by creating server groups. A server group is a collection of two or more StoreFront servers. When adding StoreFront servers to your deployment, consider the following requirements:

To add tenants, App Orchestration requires at least two StoreFront servers in the deployment. You can deploy multiple StoreFront server groups to provide high availability and scalability.

The StoreFront servers that are included in the server group must have the same version of StoreFront installed. Including servers of differing StoreFront versions in the same server group is not supported.

Security Considerations for App Orchestration 2.5

When planning to deploy machines in your App Orchestration environment, be sure to review the security best practices and recommendations for the Citrix products that are used with App Orchestration. Refer to the following topics in Citrix eDocs:

XenApp 7.5 and XenDesktop 7.5: Security

XenApp 6.5: Security Standards and Deployment Scenarios


StoreFront 2.5: Secure your StoreFront deployment

NetScaler Gateway: Planning for Security with NetScaler Gateway

Additionally, for up-to-date information about security standards and Citrix products, visit http://www.citrix.com/security.

SSL recommendations

Some of the core components in your App Orchestration deployment – configuration server, Delivery Controllers, and StoreFront servers – require that SSL be configured prior to inclusion in the deployment. For instructions for configuring SSL for these components, refer to the document Configuring SSL for App Orchestration 2.5.

Additionally, Citrix recommends using SSL to secure connections with the other components in your App Orchestration deployment, including API calls, connections to and from the configuration database, and the web management console.

Restrict PowerShell remoting sessions

Citrix recommends limiting access to PowerShell remoting sessions to the Authenticated Users group. This helps ensure that one-time administrator credentials are not intercepted by a malicious user when passed between a registered App Orchestration agent and a newly-installed agent.
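To audit this recommendation, the following added script (not from the Citrix guide) lists who is allowed to connect to each PowerShell session configuration on the servers in the deployment and flags any grant that is not in the expected set, so an unexpected principal shows up before the agents exchange credentials. The server names and the allowed list are placeholders; Get-PSSessionConfiguration requires an elevated session on the remote machines.

```powershell
# Added example; server names and the allowed-principal list are placeholders for your deployment.
$servers = 'ao-config01', 'ao-ddc01', 'ao-sf01'
$allowed = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Administrators'

function Get-PSRemotingGrants {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-PSSessionConfiguration | ForEach-Object {
            # Permission is a comma-separated list such as
            # "BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed".
            $config  = $_.Name
            $entries = @()
            if ($_.Permission) { $entries = $_.Permission -split ',\s*' }
            foreach ($entry in $entries) {
                New-Object PSObject -Property @{
                    Computer      = $env:COMPUTERNAME
                    Configuration = $config
                    Entry         = $entry.Trim()
                }
            }
        }
    } | Select-Object Computer, Configuration, Entry
}

$grants = Get-PSRemotingGrants -ComputerName $servers
foreach ($row in $grants) {
    # Strip the AccessAllowed/AccessDenied suffix to compare the principal alone.
    $principal = $row.Entry -replace '\s+(AccessAllowed|AccessDenied)$', ''
    if ($row.Entry -match 'AccessDenied$' -or $allowed -contains $principal) {
        $status = 'ok'
    } else {
        $status = 'REVIEW'
    }
    '{0,-14} {1,-28} {2,-7} {3}' -f $row.Computer, $row.Configuration, $status, $row.Entry
}
```

Entries marked REVIEW can be adjusted with Set-PSSessionConfiguration -Name <configuration> -ShowSecurityDescriptorUI on the affected server, which opens the permission editor for that configuration.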

SMB security signatures

Citrix recommends requiring client-side and server-side SMB security signatures for all servers in your deployment. This helps ensure that SMB packets are not modified in transit among the servers in your deployment. To require SMB security signatures, configure the following Group Policy settings:

Setting Location Policy Setting Setting Value

Computer Configuration >

Windows Settings > Security

Settings > Local Policies >

Security Options

Microsoft network client: Digitally

sign communications (always)

Enabled

Computer Configuration >

Windows Settings > Security

Settings > Local Policies >

Security Options

Microsoft network server:

Digitally sign communications

(always)

Enabled
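The following check is an added example and not part of the Citrix document: it reads the registry values that the two Group Policy settings above write, on each server in a list, and reports any server on which SMB signing is not required. The server names are placeholders.

```powershell
# Added example (not from the Citrix document): audit the two "Digitally sign
# communications (always)" settings on a list of servers. Host names are
# placeholders; replace them with the servers in your deployment.
$Servers = @('ao-config01', 'ao-ddc01', 'ao-sf01')

# Registry values written by the two Group Policy settings above.
$Checks = @{
    'Microsoft network client: Digitally sign communications (always)' =
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    'Microsoft network server: Digitally sign communications (always)' =
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Kerberos is used for the remoting session; no credentials are embedded.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Checks -ScriptBlock {
        param($Checks)
        foreach ($policy in $Checks.Keys) {
            $value = (Get-ItemProperty -Path $Checks[$policy] `
                -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Policy   = $policy
                Required = ($value -eq 1)   # 1 == "Enabled" (signing required)
            }
        }
    }
}

$results = foreach ($server in $Servers) { Get-SmbSigningStatus -ComputerName $server }
$results | Format-Table -AutoSize

# Any server with either setting not enabled still needs the GPO applied.
$noncompliant = $results | Where-Object { -not $_.Required }
if ($noncompliant) {
    $names = ($noncompliant.Computer | Sort-Object -Unique) -join ', '
    Write-Warning "SMB signing is not required on: $names"
    Write-Warning "Apply the Group Policy settings above, then run 'gpupdate /force' on each machine."
}
```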

Machine hardening techniques

To mitigate security risks such as "pass-the-hash" attacks, Citrix recommends the following techniques for reducing the attack surface of the machines in your App Orchestration deployment:

• Use unique local account passwords. When deploying machines from an image or template, ensure that each machine you deploy has unique local administrator credentials. This helps prevent a malicious user from reusing credentials gained elsewhere to compromise additional machines.

• Restrict remote access for local administrator accounts. Consider removing network and remote interactive logon privileges from local non-service accounts, such as local administrator accounts. This technique forces machines to be physically administered or remotely administered using a domain account. When remotely administering machines in your deployment, use tools and methods that do not leave reusable credentials in memory, such as using an MMC snap-in or initiating a PowerShell remoting session (for example, Enter-PSSession ServerName). Additionally, the domain accounts you use to administer machines should possess only the privileges required to perform the tasks needed. Do not use highly trusted domain accounts to administer lower trusted machines (for example, using a Domain Admin account to administer a client workstation).

Restrict access for tenant user accounts

To mitigate security risks to the machines in the shared resource domain, Citrix recommends that only members of the orchestration service group have permission to access these machines. Tenants' users should not have Domain Admin or local administrator privileges on any machines or components in the App Orchestration deployment. Tenants' users should be able to access only the applications and desktops that are hosted on these machines.

To limit tenants' access only to the machines that are privately allocated to them, Citrix recommends using private Active Directory forests for each tenant, creating offerings that employ Private Delivery Site isolation, and using Private server groups to deliver offerings to tenants' users. These isolation levels help ensure that tenants' private machines are kept separate from the machines in the shared resource domain, thus limiting the opportunity for a malicious user to gain access to other tenants' machines or data in the deployment.

Additionally, for domain agent machines in a tenant's resource domain, Citrix recommends that only service provider administrators have permission to access these machines directly, as they are the only users authorized to access the domain. Tenants' users should not have Domain Admin or local administrator privileges on these machines.

XenApp Session Machine isolation

To ensure Session Machines running XenApp 6.5 FP4 are adequately isolated in your App Orchestration deployment, Citrix recommends creating offerings that employ Private Delivery Site isolation. By using this isolation level, the Session Machines and the Delivery Site with which they are associated are connected to a specific tenant's private management network, and the desktops and applications that are hosted on the machines are accessible only by the tenant's users. Because these machines are privately allocated, not shared, this isolation level helps prevent a malicious user from gaining elevated privileges on the XenApp Delivery Site by way of the associated Session Machines.


Session Machine Catalog upgrades

When upgrading Session Machine Catalogs, consider the following:

• When upgrading multiple machines through a scripted or otherwise automated process, ensure that no administrator credentials are sent to updated Session Machines. This includes using Basic authentication for PowerShell remoting.

• If CredSSP is enabled in your environment, administrators should not use PowerShell remoting with implicit authentication to connect to Session Machines.

• Do not encode credentials in any updating scripts.

For more information about upgrading Session Machine Catalogs, see the document Upgrading Session Machine Catalogs in App Orchestration 2.5.
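The following is an added example, not code from the Citrix document: before running a scripted catalog upgrade from an administration host, it checks that the WinRM client there has Basic and CredSSP authentication disabled, and then connects to the Session Machines with Kerberos only, with no credential literal in the script. The machine names are placeholders.

```powershell
# Added example (not from the Citrix document): pre-flight check and credential-safe
# connection for an automated Session Machine Catalog upgrade. Run it on the
# administration host; the Session Machine names below are placeholders.

function Test-WinRmClientHardening {
    # The WSMan: drive exposes the local WinRM client authentication switches.
    $auth    = Get-ChildItem -Path WSMan:\localhost\Client\Auth
    $basic   = ($auth | Where-Object Name -eq 'Basic').Value     # 'true' / 'false'
    $credssp = ($auth | Where-Object Name -eq 'CredSSP').Value
    [pscustomobject]@{
        BasicDisabled   = ($basic -eq 'false')
        CredSspDisabled = ($credssp -eq 'false')
    }
}

$state = Test-WinRmClientHardening
if (-not $state.BasicDisabled) {
    Write-Warning 'Basic authentication is enabled for the WinRM client; disable it before scripting upgrades.'
    # To disable (elevated):  Set-Item -Path WSMan:\localhost\Client\Auth\Basic -Value $false
}
if (-not $state.CredSspDisabled) {
    Write-Warning 'CredSSP is enabled for the WinRM client; do not rely on implicit authentication to Session Machines until it is disabled.'
    # To disable (elevated):  Disable-WSManCredSSP -Role Client
}

# Connect with Kerberos explicitly so the session can never fall back to Basic or
# CredSSP, which would hand a reusable credential to the updated machine. The
# logged-on administrator's ticket is used; nothing is typed into the script.
$SessionMachines = @('sm-01', 'sm-02')   # placeholder names
Invoke-Command -ComputerName $SessionMachines -Authentication Kerberos -ScriptBlock {
    # Placeholder for the per-machine update steps; here it only reports the
    # most recently installed hotfix so the run can be verified.
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn
}

# If a different account must be used, prompt for it at run time rather than
# encoding it in the script:  $cred = Get-Credential; add -Credential $cred above.
```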

Install App Orchestration

There are four key tasks in the Install phase of App Orchestration:

1. Copy the downloaded files to the appropriate locations.

2. Install prerequisites.

3. Install the App Orchestration software.

4. Perform post-install configuration.

Overview

Accounts and Permissions

You'll need the following accounts and permissions:

• A Citrix web site account, for downloading and installing App Orchestration.

• Permission to install the App Orchestration package on the server to be designated as the App Orchestration configuration server.

• Database administrator credentials for the SQL Server configuration database, for post-install configuration.

• Credentials to create a Group Policy Object and link it to the OU being used for App Orchestration, so you can set policies for PowerShell remoting.

Prerequisites

Make sure that all of the machines you will be using with App Orchestration are under the root OU for your deployment.


Personas

Two personas are involved in the Install phase of App Orchestration: the Infrastructure Engineer and the Service Designer. In your organization, these functions may be performed by different people, or by one person who does both jobs.

The Infrastructure Engineer provides the following items:

• The SQL Server database administrator credentials.

• The App Orchestration root OU in Active Directory and the credentials for that OU.

• The required SSL certificates. You need a certificate for the following components:

  o Each App Orchestration configuration server

  o The global site Load Balancer

  o Each StoreFront server group, and the load balancer for each server group

  o Each NetScaler Gateway

Note: You can use a wildcard certificate for the AO configuration server and for multiple StoreFront server groups in the same domain.

If you are using NetScaler Gateway, you can minimize your SSL certificate costs by getting only the certificates for the App Orchestration configuration server and global site Load Balancer from a public Certificate Authority. For the StoreFront server groups, the Load Balancer for each StoreFront server group, and NetScaler, create your own Certificate Authority and use it to issue trusted certificates. At the network layer, secure communications between NetScaler and the VDA, and between the StoreFront server group and Delivery Controller, to ensure they cannot be intercepted.

If you are not using NetScaler Gateway, you can minimize cost by using a public Certificate Authority only for the certificates for the App Orchestration configuration server and the Load Balancer for each StoreFront server group.

The Service Designer performs the following tasks:

• Install the App Orchestration software.

• Perform post-install configuration.

Pitfalls to avoid

The best way to avoid pitfalls in the Install phase is to follow the App Orchestration Setup Checklist carefully. Make sure that:

• The appropriate SSL certificates are installed.

• The App Orchestration product media folder can be reached by the servers in your deployment.

• Networks and routing are configured correctly.


Task 1: Download the product media

To prepare Delivery Sites, Session Machines, and StoreFront server groups, App Orchestration accesses a product media folder that hosts the Citrix software for these components. This folder can be local to all machines (recommended), or on a portable drive, a network share of any kind, or any other location that is visible to all of your machines. Citrix recommends that you protect this folder with appropriate access controls, to prevent unauthorized access that might result in file corruption or the introduction of malware.

Download App Orchestration

1. Navigate to the download page for the Citrix Cloud Provider Pack for XenApp or the Citrix Cloud Provider Pack for XenDesktop.

2. Log on to your Citrix account and download App Orchestration 2.5.

3. Run the App_Orchestration_2.5.exe file you downloaded to extract the image contents into a folder of your choice (for example, AO25), with the following layout:

Build out the product media folder

The product media folder hosts the media for App Orchestration and any related products that you download and copy into the folder.

1. From the App Orchestration image folder, expand the Setup folder:


2. In ProductMedia, create the following folders. Create the XenApp folder and its subfolders if your deployment will use XenApp 6.5. Create the XenDesktop folder if your deployment will use XenApp 7.5 or XenDesktop 7.5.

3. Download the relevant software to the ProductMedia folder structure:

For this component: StoreFront
Download this file: Navigate to the StoreFront download page and download StoreFront 2.5.2.
Copy the downloaded file to this folder: CitrixStoreFront

For this component: XenApp 6.5
Download this file: Navigate to the XenApp 6.5 download page to download XenApp 6.5 and Hotfix Rollup Pack 4.
Copy the downloaded file to this folder: Copy the XenApp software to the XenApp folder. Copy the entire contents of the Hotfix Rollup Pack 4 to XenApp\XenAppHRP.

For this component: XenApp 7.5 and XenDesktop 7.5
Download this file: Navigate to the XenApp download page or the XenDesktop download page and download the Version 7.5 Platinum Edition.
Copy the downloaded file to this folder: XenDesktop

Task 2: Install App Orchestration components

Use the Citrix App Orchestration Install Center to install App Orchestration and prepare your machines for deployment as Delivery Sites, Session Machines, and StoreFront servers. To save time when installing the same component on multiple machines, you can install the component on one virtual machine, and then create a template of that machine. When you need a new machine of that type, simply reuse the template instead of repeating the installation steps.


1. Copy the App Orchestration 2.5 image folder to each prepared machine.

2. From the image folder, double-click Setup.exe to launch the Citrix App Orchestration Install Center. The Install Center screen appears.

3. Click App Orchestration Configuration Server to install the configuration server on one or more machines.

4. If you have any domains that are isolated from the App Orchestration configuration server, install the App Orchestration Domain Agent on a dedicated machine in each of those domains. For more information about using isolated domains, refer to the document Deploying the Zero Trust Agent in App Orchestration 2.5.

Note: If you need to install the domain agent software on multiple servers and are considering creating a template, just install the domain agent software on the template machine. Do not continue to the App Orchestration Server Configuration wizard. You will need to run the wizard on each new machine you create from the template.

5. For Delivery Controllers, Session Machines, and StoreFront servers, create a template for each machine type:

   a. Create the first machine of the relevant type and install the appropriate software:

      • For Delivery Sites using XenApp 7.5 or XenDesktop 7.5, install the XenApp and XenDesktop 7.5 Delivery Controller software. The associated App Orchestration agent is automatically installed.

      • For Delivery Sites using XenApp 6.5, install the XenApp 6.5 Controller software. The associated App Orchestration agent is automatically installed.

      Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and select the XenApp 6.5 Controller tile to complete the installation.

      • For Session Machines running XenApp 7.5 and XenDesktop 7.5 that will use on-demand provisioning, install the appropriate Virtual Delivery Agent on each Session Machine. For more information, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.5.

      • For Session Machines that will host offerings on Delivery Sites using XenApp 6.5, install the XenApp 6.5 Session Host software.

      Note: If prompted, reboot the machine. After the machine reboots, relaunch the Install Center and select the appropriate Session Machines tile to complete the installation.

      • For StoreFront server groups, install the Citrix StoreFront 2.5 software. The associated App Orchestration agent is automatically installed.

   b. Delete the entire App Orchestration 2.5 image folder and its contents from this machine, and also delete it from the Recycle Bin.

   Note: This step is especially important for Session Machines, to prevent the installation software from being available to subsequent user sessions on those machines.

   c. Shut down the machine.

   d. Make a Full Copy of the virtual machine.

   e. Start the copied image and run sysprep. Do not reboot or restart the machine afterward. For more information about sysprep, refer to the article Sysprep (System Preparation) Overview on the Microsoft web site.

      cd %windir%\system32\sysprep
      sysprep /generalize /shutdown /oobe

   Important: If you are creating a XenDesktop Session Machine template to be used as the VDA master image template for on-demand provisioning, skip this step; XenDesktop Machine Creation Services [MCS] cannot provision machines from a master image template on which you have run sysprep.

   f. Convert the virtual machine into a template.

   g. Use the template to create additional virtual machines of the same type:

      • At least two machines, for a single Delivery Site running XenApp 7.5 and XenDesktop 7.5 or XenApp 6.5.

      • At least one Session Machine for hosting applications and desktops, with additional Session Machines as necessary to provide more capacity for offerings.

      • At least two machines running StoreFront 2.5, comprising a single StoreFront server group.

Configure App Orchestration

Accounts and permissions

In the Configuration phase of App Orchestration, you'll need the following accounts and permissions:

• App Orchestration configuration server installation and configuration credentials, which must be a member of the orchestration server administrators group.

• Optionally, read-only credentials for the default user domain.

Prerequisites

Before you start the Configuration phase, make sure you've set up your environment according to the instructions in this document. For example, you'll need to know the names for your shared resource and default user domains, your default datacenter, and the external DNS suffix that users will use to access their environments.

Personas

Typically, the only persona involved in this phase is the Service Designer, who is responsible for configuring App Orchestration.

Pitfalls to avoid

Follow these simple rules to avoid pitfalls in the Configuration phase:

• After you have configured the names for the resource domain and user domain, you cannot change them.

• The domain functional level for all resource domains must be Windows Server 2008 R2 or higher.

• The network names on your compute resources must exactly match the names you specify in App Orchestration under Global Settings Summary > Advanced Settings > Enable network isolation.

Task 1: Configure the App Orchestration configuration server

After you install the App Orchestration software on the configuration server, you will need to supply additional details about your deployment environment. The App Orchestration installer prompts you for the following information:

• Service deployment name: This value becomes the name of the configuration database that App Orchestration creates.

• Database server: The FQDN of the SQL Server that hosts the App Orchestration configuration database.

• Administrators group: This group contains the non-privileged user accounts for administering your App Orchestration deployment. For more information about this group, see the document Credentials Used in App Orchestration 2.5.

• SSL certificate: A server certificate signed by your domain certificate authority is required to secure connections with the configuration server. For more information about using SSL with App Orchestration, see the document Configuring SSL for App Orchestration 2.5.

• Existing deployment information: If you are deploying a configuration server to an existing App Orchestration deployment, enter only the server's FQDN. If you use the server's IP address or NetBIOS name instead, App Orchestration displays an error message indicating the server cannot be contacted.

Task 2: Configure global settings

After you perform the initial configuration, use the App Orchestration web console to configure the global settings for the deployment. This includes providing the following information:

• Shared resource and default user domains: The shared resource domain contains the root OU where the configuration server and all resources that will be shared among multiple tenants reside. The default user domain contains the Active Directory users and groups for tenants using resources delivered from the shared resource domain. You can specify different domains for resources and user accounts or you can use the same domain for both. These domains and the App Orchestration root OU (in each resource domain) must exist already in your environment; App Orchestration does not create them. For more information about these domains, see "Prepare your Active Directory domains" on page 20.

• Orchestration service account: This is the primary App Orchestration administrator. The orchestration service account is a non-privileged user account and must be a member of the administrators group you specified during installation. This account should not belong to the Domain Admins group. The orchestration service account must exist already in your environment; the installation process does not create it. For more information about this account, see "Create administrator account" on page 26.

• Default datacenter: The default location for shared resources. In general, datacenters contain resources in the same geographic location. For more information about datacenters, see the document Deploying a Multi-Datacenter Environment in App Orchestration 2.5.

• Licensing: The FQDN and port of the Citrix Licensing server in your environment.

Note: If you are using IPv6 addressing for the Licensing server, surround the address with brackets when you specify it for App Orchestration. For example: [FE80::0202:B3FF:FE1E:8329]

• External DNS suffix: The DNS suffix that is used to configure the NetScaler Gateway address.

• Network isolation and NetScaler Gateway: Select whether or not to enable network isolation and use with NetScaler Gateway. If you enable network isolation, enter the labels of the virtual networks you created on your compute resources. If you enable use with NetScaler Gateway, specify the address for the appliance.

Note: When you enter the NetScaler Gateway address, enter only the URL of the appliance. As App Orchestration uses port 443 by default, entering a port number can prevent App Orchestration from communicating with the appliance. If you need to use a port number other than 443 for NetScaler Gateway, you can customize the PowerShell script that uses this address when deploying StoreFront. For more information, see the document Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5.

Define App Orchestration infrastructure

App Orchestration infrastructure refers to the datacenters, compute resources, domains, and instance configurations that provide network and tenant isolation for your deployment.

Accounts and permissions

App Orchestration orchestrates across one or more Active Directory domains. Before using App Orchestration, make sure you have at least one Active Directory resource domain to host the App Orchestration configuration server and the database server. If you plan to store user accounts in a separate domain, create that default user domain as well.

Within the shared resource domain, you must have a root OU with a credential that has full control and is also able to initiate a PowerShell remoting session to all servers within that domain.

If you are using a separate user domain, you must also have a credential that is able to create Active Directory user groups inside that domain.

Domains in App Orchestration can span multiple datacenters. If your deployment includes multiple datacenters, Citrix recommends having a domain controller in every datacenter where a domain will be used. Alternatively, you can use a DNS forward lookup zone in a datacenter. The shared resource domain must exist in all datacenters and, therefore, must have a domain controller in every datacenter.

Prerequisites

Before you start the Define phase of App Orchestration, make sure:

• The required domains exist.

• You have credentials for each domain.

• You have created the required OUs in each domain.

You must also apply a PowerShell remoting policy to all resource domains used by App Orchestration. Remember to run gpupdate on each machine to apply the policy.

Other prerequisites include:

• Any compute resources that you want to use with App Orchestration.

• The credentials for those compute resources to create virtual machines, access storage, and read network information.

• A Citrix Licensing server within each datacenter. If desired, you can use the same Licensing server for all domains within a datacenter, or even for all datacenters.

Personas

Two personas are involved in the Define phase of App Orchestration: the Infrastructure Engineer and the Service Designer. In your organization, these functions may be performed by two different people, or by one person who does both jobs.

The Infrastructure Engineer tells the Service Designer about available datacenters, including:

• The compute resources available in those datacenters.

• The IP address ranges assigned to those datacenters.

• Any NetScaler Gateway devices located in those datacenters.

Additionally, the Infrastructure Engineer performs the following tasks:

• Supplies compute resource storage and networking details.

• Provides a SQL Server for the Service Designer to use to deploy App Orchestration and other Citrix components.

• Provides machines for installing the App Orchestration configuration server and the Citrix Licensing server.

• Sets up and maintains the Active Directory domains used by App Orchestration, including the shared resource domain and any tenant user domains.

The Service Designer:

• Owns the Citrix licenses.

• Installs the Citrix License Server and the product licenses on that server.

• Installs, deploys, and maintains the App Orchestration configuration servers.

Pitfalls to avoid

Follow these simple rules to avoid pitfalls in the Define phase:

• Ensure each machine configured and deployed by App Orchestration has all of the minimum system requirements installed, including the Microsoft .NET Framework.

• Each machine under App Orchestration control requires PowerShell remoting. Run the command winrm quickconfig to verify that PowerShell remoting is functioning on all machines.

• If you are using multiple datacenters, make sure you can ping IP addresses in each datacenter from the App Orchestration configuration server. Firewalls or WAN connectivity problems could prevent App Orchestration from functioning correctly.
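The following readiness check is an added example and not code from the Citrix document. Run from the configuration server, it enumerates every computer under the App Orchestration root OU, tests reachability and PowerShell remoting, and lists the machines that still need firewall, WAN, winrm quickconfig or gpupdate attention. The OU path is a placeholder, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example (not from the Citrix document): Define-phase readiness check.
# Assumes the ActiveDirectory PowerShell module is available; the OU is a placeholder.
Import-Module ActiveDirectory

$RootOU = 'OU=AppOrchestration,DC=example,DC=com'   # placeholder root OU

function Test-AoMachineReadiness {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Every computer object under the root OU is expected to be under App
    # Orchestration control and therefore must answer to remoting.
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties DNSHostName
    foreach ($computer in $computers) {
        $fqdn = $computer.DNSHostName

        # ICMP reachability (firewalls or WAN faults show up here first).
        $ping = Test-Connection -ComputerName $fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue

        # Test-WSMan sends a WS-Management identify request to the WinRM listener;
        # it carries no credentials, so it is safe to run against every machine.
        $remoting = $false
        try {
            $null = Test-WSMan -ComputerName $fqdn -ErrorAction Stop
            $remoting = $true
        } catch { }

        [pscustomobject]@{
            Computer = $fqdn
            Ping     = $ping
            Remoting = $remoting
        }
    }
}

$report = Test-AoMachineReadiness -SearchBase $RootOU
$report | Format-Table -AutoSize

$notReady = $report | Where-Object { -not ($_.Ping -and $_.Remoting) }
if ($notReady) {
    Write-Warning "Machines not ready: $($notReady.Computer -join ', ')"
    Write-Warning "Check firewalls and WAN links, then run 'winrm quickconfig' and 'gpupdate' on those machines."
}
```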

Task overview

1. Ensure the shared and private resource and user domains exist in your Active Directory structure. Also, ensure that these domains contain the required OUs. Refer to "Prepare your Active Directory domains" on page 20 and the document Deploying App Orchestration 2.5 in a Complex Active Directory Environment.

2. Ensure you have the required credentials to add and modify objects in the shared and private domains. Refer to the document Credentials Used in App Orchestration 2.5.

3. Define additional domains. If your deployment includes domains in addition to the shared resource and user domains (for example, private tenant domains), you will need to add these domains through the App Orchestration web console. Refer to the document Deploying App Orchestration 2.5 in a Complex Active Directory Environment.

4. Create additional datacenters. In addition to the default datacenter, you might also create a backup datacenter. Refer to the document Deploying a Multi-Datacenter Environment in App Orchestration 2.5.

5. Set up and configure the compute resources you will use for provisioning Session Machines. Refer to the following resources:

   • Provisioning Session Machines On-Demand in App Orchestration 2.5

   • Using Citrix CloudPlatform to Provision Session Machines On-Demand in App Orchestration 2.5

   • Using Citrix Provisioning Services to Provision Session Machines in App Orchestration 2.5

Design service offerings for tenants

Accounts and permissions

When you create a new Delivery Site, you will need a credential for Location settings. That credential must be a member of the Delivery Site admin group in Active Directory, and the local administrator group on machines used as Delivery Site controllers. You will also need a credential for the Database settings. You can use the same credential for both, if desired.


Prerequisites for Session Machine Catalogs using on-demand provisioning

Before you can create a Session Machine Catalog that uses on-demand provisioning, you must first create a compute resource.

• On the compute resource, create a virtual machine to serve as the template for on-demand creation of machines to host your service. The template should include the applications, operating system, and desktop configuration that you want for your service.

• The template should be a bootable virtual machine joined to a domain. The orchestration service account credential from the shared resource domain must be able to connect to that domain via PowerShell remoting, and execute commands there.

• The compute resource storage must have enough free space to store a complete replica of the input virtual machine template.

Prerequisites for Session Machine Catalogs using external provisioning

• When creating a Session Machine Catalog with externally-provisioned machines, the first thing you need are the machines that you want to add to the catalog. These machines can be physical, virtual, or created through any provisioning system.

• The machines must be joined to an Active Directory domain where the orchestration service account can connect to the machines remotely through PowerShell remoting.

• The machines should have the appropriate Citrix software installed (either the appropriate Virtual Delivery Agent or the XenApp 6.5 Session Host). You can install these packages through the App Orchestration Install Center. For more information, see "Install App Orchestration" on page 43.

• If the provisioning method that you use automatically resets the machines upon reboot (like Citrix Provisioning Services), then you must have the Citrix software installed on the machine before importing it into App Orchestration.

• If you are importing multi-user machines running Microsoft Terminal Server, make sure Terminal Services licensing is configured and functioning properly before you import the machines into App Orchestration.

• All of the machines you import should have the Windows Update Service enabled in the Server Manager, but Automatic Windows Updates should be disabled.

Prerequisites for offerings

Before creating offerings, you must have created a Session Machine Catalog.

• If the Session Machine Catalog uses on-demand provisioning, you need to wait for App Orchestration to complete the preparation of the input VM template. This can take up to 30 minutes. You can monitor progress from the Workflows tab.

• If the Session Machine Catalog uses external provisioning, you must have imported at least one machine into the catalog before you create an offering. The import process may take 10-15 minutes.

Prerequisites for Delivery Sites

Before you add Delivery Sites in App Orchestration, you will need the following:

• At least one SQL server, with an optional second server to use as a mirror.
• SQL Server database administrator credentials.
• At least two machines that will be used as Delivery Controllers:
  o These machines should be joined to the shared resource domain, and the orchestration service account configured within App Orchestration must be able to connect to these machines using PowerShell remoting.
  o The machines should be prepared as XenApp 6.5 controllers or XenApp 7.5 and XenDesktop 7.5 Delivery Controllers. You can install these packages through the App Orchestration Install Center. This process also installs the required App Orchestration agent. For more information, see “Install App Orchestration” on page 43.

Prerequisites for StoreFront

For App Orchestration to deploy and manage a StoreFront server group, you will need:

• At least two machines joined to the same resource domain which has been added to the deployment through the App Orchestration web console. To install the StoreFront software on these machines, use the App Orchestration Install Center. The installation process also installs the required App Orchestration agent.
• An SSL certificate that is valid for the DNS addresses of these machines. The certificate must be issued from a trusted certification authority.
• A load balancer configured to balance web traffic between the two machines. This load balancer should also be configured to use SSL.

Personas

Two personas are involved in the Design phase of App Orchestration: the Service Strategist and the Service Designer. In your organization, these functions may be performed by two different people, or by one person who does both jobs.

The Service Strategist performs the following tasks:

• Decides which applications and desktops to offer.
• Provides an initial estimate of the number of users expected to use those apps and desktops.


The Service Designer performs the following tasks:

• Uses the information provided by the Service Strategist to prepare machines or VM templates with the operating system, apps, and desktop configuration needed to create offerings.
• Decides on the appropriate FlexCast technology to deliver those apps and desktops to end users.
• Decides on the scaling factor that determines how many users will fit per server for a particular offering.
• Prepares Delivery Sites and StoreFront Server Groups to meet the initial capacity requirements in each datacenter.
• Provisions an adequate number of Session Machines up front in each datacenter to meet the initial capacity of the offerings.

Pitfalls to avoid

• Provisioning Session Machines requires PowerShell remoting to be enabled and functional. To ensure no environmental issues are preventing PowerShell remoting from functioning properly, run winrm quickconfig on the Session Machines.
• Verify connectivity from the App Orchestration configuration server to the Session Machine using PowerShell remoting, using the orchestration service account credential.
• To avoid DNS issues that may arise between newly-provisioned Session Machines and the App Orchestration configuration server, ensure that you can execute nslookup from the App Orchestration configuration server to the Session Machines, and from the Session Machines to the configuration server.
• Ensure that no operating system or application updates are being applied automatically on externally-provisioned Session Machines, or on the input template used for on-demand provisioning. Disable the Windows Update Service from applying updates automatically, and turn off any application updaters on those machines.
• You can enable Windows Update and other application update mechanisms on Delivery Controllers and StoreFront servers.
• App Orchestration requires that all Session Machines are configured identically, including hardware and installed software. Therefore, App Orchestration will reject importing a machine that is different from the template machine.
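The checks in this list, as an added PowerShell example that is not part of the Citrix guide: run from the configuration server against the Session Machines you intend to import, it reports DNS resolution in both directions, WinRM reachability, a remoting session under the orchestration service account, and the Windows Update state the guide asks for. The machine names in the usage line are placeholders; the registry key and WMI class used are standard Windows ones, and the Ready flag is this script's own summary.

```powershell
# Added example, not part of the Citrix guide: readiness check for externally-provisioned
# Session Machines covering the items under "Pitfalls to avoid". Run it on the App
# Orchestration configuration server. Machine names and the credential are inputs.

function Test-SessionMachineReadiness {
    param(
        [Parameter(Mandatory)] [string]       $Computer,    # FQDN of the Session Machine
        [Parameter(Mandatory)] [pscredential] $Credential   # orchestration service account
    )

    $r = [ordered]@{
        Computer = $Computer; DnsForward = $false; DnsReverse = $false; WinRM = $false
        Remoting = $false; ResolvesConfigServer = $false; WUServiceEnabled = $false
        AutoUpdateDisabled = $false; Error = $null
    }

    try {
        # 1. Forward lookup from the configuration server (what "nslookup <machine>" does).
        $entry = [System.Net.Dns]::GetHostEntry($Computer)
        $ip = $entry.AddressList |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if (-not $ip) { throw "no IPv4 address for $Computer" }
        $r.DnsForward = $true

        # 2. Reverse lookup must point back at the same host; a stale PTR record is a common
        #    leftover when a machine is re-provisioned with the same name and a new address.
        $reverse = [System.Net.Dns]::GetHostEntry($ip.IPAddressToString)
        $r.DnsReverse = ($reverse.HostName.Split('.')[0] -eq $Computer.Split('.')[0])

        # 3. The WinRM listener answers. This is what "winrm quickconfig" on the target enables.
        $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop
        $r.WinRM = $true

        # 4. A full remoting session under the orchestration service account. Inside it, check
        #    that the machine resolves the configuration server, that the Windows Update service
        #    is enabled, and that Automatic Updates are disabled by policy.
        $configServer = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        $remote = Invoke-Command -ComputerName $Computer -Credential $Credential `
                                 -ErrorAction Stop -ArgumentList $configServer -ScriptBlock {
            param($ConfigServer)
            $back = try { [bool][System.Net.Dns]::GetHostEntry($ConfigServer) } catch { $false }
            $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
            # NoAutoUpdate=1 under the WindowsUpdate\AU policy key means Automatic Updates are
            # turned off by Group Policy, the state the guide asks for on Session Machines.
            $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                                   -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ResolvesConfigServer = $back
                WUServiceEnabled     = ($null -ne $svc -and $svc.StartMode -ne 'Disabled')
                AutoUpdateDisabled   = ($null -ne $au -and $au.NoAutoUpdate -eq 1)
            }
        }
        $r.Remoting             = $true
        $r.ResolvesConfigServer = $remote.ResolvesConfigServer
        $r.WUServiceEnabled     = $remote.WUServiceEnabled
        $r.AutoUpdateDisabled   = $remote.AutoUpdateDisabled
    }
    catch {
        $r.Error = $_.Exception.Message   # first failing step; later fields stay $false
    }

    $obj = [pscustomobject]$r
    $obj | Add-Member -NotePropertyName Ready -NotePropertyValue (
        $obj.DnsForward -and $obj.DnsReverse -and $obj.WinRM -and $obj.Remoting -and
        $obj.ResolvesConfigServer -and $obj.WUServiceEnabled -and $obj.AutoUpdateDisabled) -PassThru
}

# Usage (placeholder names): prompt for the orchestration service account, then check each
# machine before importing it into the catalog.
$cred = Get-Credential -Message 'Orchestration service account'
'SM01.shared.example', 'SM02.shared.example' |
    ForEach-Object { Test-SessionMachineReadiness -Computer $_ -Credential $cred } |
    Format-Table Computer, Ready, DnsForward, DnsReverse, WinRM, Remoting,
                 ResolvesConfigServer, WUServiceEnabled, AutoUpdateDisabled, Error -AutoSize
```

A machine whose Error column names the failing step has not yet met the prerequisites above; the remaining columns for it are left false rather than guessed.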

Task 1: Create a new Delivery Site

A Delivery Site consists of at least two Delivery Controllers. When you create a new Delivery Site, the Delivery Site wizard prompts you for the following information:

• Site name, licensing model, and Citrix product version to install on the machines you want to deploy as Delivery Controllers. You can select XenApp 6.5 or XenDesktop 7.5 (which includes XenApp 7.5). A Delivery Site with one of these products installed will only work with Session Machines that are running the same product. For example, if the Controllers in a Delivery Site are running XenDesktop 7.5, only Session Machines running XenDesktop 7.5 can join the Delivery Site to deliver hosted applications and desktops.
• The servers you want to deploy as Delivery Controllers to the Site, including the resource domain and datacenter in which they should reside. App Orchestration requires at least two Controllers in a Delivery Site (a primary Controller and a backup Controller).

• The Delivery Site administrator group and Site administrator account for the Delivery Site. The Site administrator account is a non-privileged user account and must be a member of the Delivery Site administrator group. This account should not belong to the Domain Admins group. The Delivery Site administrator group and Site administrator account must exist already in your environment; App Orchestration does not create them. For more information about Delivery Site administrator privileges in the shared and tenant resource domains, refer to the document Credentials Used in App Orchestration 2.5.
• The database server, credentials, and names for the Site databases to be created (configuration, logging, and monitoring). For more information about the privileges required for the Delivery Site database user, refer to the document Credentials Used in App Orchestration 2.5.

When specifying the database details for the Delivery Site, Citrix recommends using separate databases for each database type. This enables you to create appropriate backup and recovery protocols for each database, and prevents outages due to a single point of failure. By default, App Orchestration creates separate databases for the Site's configuration, logging, and monitoring data. For example, for a Delivery Site named "Site1," App Orchestration creates the "Site1" configuration database, the "Site1Logging" logging database, and the "Site1Monitoring" monitoring database. Additionally, App Orchestration uses the same database server for all three databases by default. You can accept these defaults or specify different servers and names for each database.

After you complete the wizard, App Orchestration issues workflows that perform the following tasks:

• Evaluate the machine configuration of the controllers and create a profile. App Orchestration uses this profile to evaluate subsequent Delivery Controllers that you add to the Site. If new Delivery Controllers do not match the profile, App Orchestration does not add them to the Site. Therefore, all Delivery Controllers you add to a Site must be identically configured, including hardware configuration, operating system, and software updates.
• Create the Delivery Site and join the Delivery Controllers to it.

You can monitor these workflows using the Workflows tab in the App Orchestration web console.

Aggregate an existing Delivery Site

Aggregation is the means by which multiple instances of hosted applications or desktops from different Delivery Sites are presented to users with a single icon when they access their StoreFront site with Citrix Receiver. For example, if Microsoft Word is offered on multiple Delivery Sites, users see a single icon for Microsoft Word when they log on to their StoreFront site.

For more information about resource aggregation, see the topic StoreFront high availability and multi-site configuration in Citrix eDocs.


For more information about the versions of XenApp and XenDesktop that StoreFront supports for Delivery Site aggregation, see the topic Infrastructure requirements in Citrix eDocs.

Task 2: Create a Session Machine Catalog

This step consists of the following tasks:

1. From the App Orchestration web console, create a Session Machine catalog.
2. Add the servers you have prepared as the initial Session Machines to the catalog using on-demand provisioning or external provisioning.

Create a catalog with on-demand provisioning

For information about using on-demand provisioning in your App Orchestration deployment, see the document Provisioning Session Machines On-demand in App Orchestration 2.5. That guide provides additional details and step-by-step instructions for provisioning Session Machines on-demand.

Create a catalog for externally-provisioned machines

As with Delivery Sites, you use the App Orchestration web console to complete the Session Machine Catalog wizard.

If you choose to create a catalog for externally-provisioned machines, the wizard prompts you for the following information:

• Catalog name and OS Type for the Session Machines it will contain.
• Type of Delivery Controllers that the machines will work with when hosting offerings for tenants (XenApp 7.5 and XenDesktop 7.5 or XenApp 6.5). The controller type you specify determines the Citrix product that App Orchestration requires and validates on the Session Machines you add to the catalog. For example, if you specify XenDesktop 7.5 as the controller type, App Orchestration will confirm that the Virtual Delivery Agent is installed on Session Machines that are added to the catalog.
• Number of users allowed to access each machine before it is considered fully loaded. You can also allow App Orchestration to include CPU and memory in its calculations for determining server load.

Add Session Machines to the catalog

To add Session Machines to a catalog for externally-provisioned machines, you complete a separate wizard. This wizard prompts you for the name of the Session Machine Catalog, resource domain, and datacenter in which the Session Machine will reside. You also specify the names of the Session Machines you want to add to the catalog. App Orchestration requires at least one Session Machine be added to create offerings, but you can add up to 20 machines at one time. Deploying more than 20 machines places a heavy burden on the App Orchestration configuration server's resources, causing workflows to time out before the machines can complete the provisioning process.


Important: When you specify the Session Machines you want to add to the catalog, ensure the machines are not members of an existing machine catalog in an existing Delivery Site that was created outside of App Orchestration. When App Orchestration adds Session Machines to a catalog, App Orchestration assumes the machines are free to be allocated to the Delivery Sites you create through the App Orchestration web console. App Orchestration cannot verify whether the Session Machines you want to add are already allocated to other XenDesktop deployments. If you create offerings and subscriptions that use resources hosted on Session Machines that are already allocated to other XenDesktop deployments, users will not be able to launch sessions on these machines when they attempt to access their subscriptions.

After you complete the Add Session Machines wizard, App Orchestration issues a workflow that performs the following tasks:

• Evaluate the machine configuration of the Session Machine and create a profile. App Orchestration uses this profile to evaluate subsequent Session Machines that you add to the catalog. If new Session Machines do not match the profile, App Orchestration does not add them to the catalog. Therefore, all Session Machines you add to the catalog must be identically configured, including hardware configuration, operating system, system updates, and installed applications. If you want to add Session Machines that have, for example, different applications installed, you must add them to a different catalog.
• Add the Session Machine to the catalog.

You can monitor these workflows using the Workflows tab in the web console.

Task 3: Add a StoreFront Server Group

In this step, you use the App Orchestration web console to create a StoreFront Server Group and specify the servers you want to add to it. A server group consists of at least two StoreFront servers (a primary server and a backup server). App Orchestration requires at least two StoreFront servers in the deployment for making offerings available to tenants' users.

As with Delivery Sites and Controllers, you add StoreFront servers to your deployment using a wizard. The wizard prompts you for the following information:

• Server group name, SSL certificate, and load balancer URL. StoreFront requires that each machine have an SSL certificate installed prior to deployment. For more information about StoreFront requirements, see “Prepare StoreFront servers” on page 39. When entering the load balancer URL, check to ensure the URL you enter is correct. Changing the URL later requires you to delete the entire server group and redeploy it with the new URL.
• Names of the StoreFront servers you want to add to the group.
• Resource domain and datacenter in which the servers will reside.

After you complete the wizard, App Orchestration issues workflows that perform the following tasks:

• Evaluate the machine configuration of the servers and create a profile. App Orchestration uses this profile to evaluate subsequent StoreFront servers that you add to the group. If new StoreFront servers do not match the profile, App Orchestration does not add them to the group. Therefore, all StoreFront servers you add to a server group must be identically configured, including StoreFront version, operating system, and software updates.
• Create the server group and join the StoreFront servers to it.

You can monitor these workflows using the Workflows tab in the web console.

Task 4: Create an offering

This step consists of making applications and desktops (hosted on the Session Machines) available for subscription by tenants.

To create offerings, you use the App Orchestration web console to specify the applications and desktops you want to include and the isolation level at which you want to provide the offering to tenants. The isolation level you select depends on whether you want to create an offering that uses shared machines or machines that are dedicated to an individual tenant. For more information about these isolation levels, see the document Isolation Methods in App Orchestration 2.5.

Deliver service offerings to tenants

Accounts and permissions

To add a tenant, you will need a user domain and a resource domain in Active Directory, both of which must be added to App Orchestration through the web console. The user domain and resource domain can be the same domain. You can use the shared resource domain as both the user domain and resource domain.

• In the user domain, you must have credentials of a user who can resolve other user accounts within that domain.
• In the resource domain, you must have credentials of a user who can move machines between Active Directory OUs within that domain.

Prerequisites

Before adding tenants, make sure you know:

• The user and resource domain details.
• The StoreFront and NetScaler Gateway isolation modes you want to use for that tenant.
• The NetScaler Gateway address, if the tenant will be using a private NetScaler Gateway.
• The name of the tenant’s private management network, if the tenant will be using network isolation. This must match the name configured in your compute resource that will be used for machines provisioned for that tenant.

After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions.


After you’ve preallocated capacity, you can create subscriptions. To do this, you should know:

• The offerings to which users want to subscribe.
• The tenant to whom those users belong.
• The Active Directory group in their user domain that contains the users who want to subscribe to that offering. This can be the Location Group or a Subscription Group.

If you haven’t preallocated capacity, App Orchestration will create capacity of one machine on-demand.

Personas

Three personas are involved in the Deliver phase of App Orchestration: the Service Designer, the Tenant Administrator, and the Subscribers. In your organization, the Service Designer and Tenant Administrator functions may be performed by two different people, or by one person who does both jobs.

The Service Designer performs the following tasks:

• Onboards tenants by creating their OUs in Active Directory, their users, and user groups.
• Sets up billing and chargeback for that tenant.
• Adds the tenant into App Orchestration.
• Asks the Tenant Administrator for the anticipated number of users, and based on that answer preallocates capacity for the tenant to access offerings.
• Informs the Tenant Administrator of the StoreFront address that the end users will need in order to connect to and access their offerings.

The Tenant Administrator performs the following tasks:

• Informs the Service Designer upfront how many users are expected to access each offering.
• Subscribes end users to individual offerings.
• Directs end users to the tenant’s StoreFront address, either directly or through configuration of clients.

The Subscriber accesses offerings using Citrix Receiver.

Pitfalls to avoid

Follow these simple guidelines to avoid common pitfalls in the Deliver phase:

• App Orchestration defaults to using the tenant’s name as the isolated network name. Ensure that you have a network with this name in your virtualization infrastructure, or change the name in App Orchestration when adding the tenant.
• Also ensure that you use the correct isolation modes for StoreFront and NetScaler Gateway when adding a tenant. If necessary, you can change these settings later by editing the tenant.


• After you create subscriptions or adjust capacity, you should monitor the status of those changes by watching the Workflows tab or the Dashboard Notifications.
• You can adjust capacity as needed, but remember that App Orchestration must execute workflows to reconfigure the system to comply with that desired state. If there are not enough StoreFront Server Groups or Delivery Sites or available Session Machines, a notification on the Dashboard will explain how to correct the problem.

Task 1: Add a tenant and users

This step consists of adding tenants to the App Orchestration system and specifying the user groups that will be accessing offerings through StoreFront.

To add tenants, you use the App Orchestration web console to specify the tenant's resource and user domains, the default datacenter through which users will access offerings, the isolation level of the tenant's StoreFront site, and whether the tenant accesses a shared or private NetScaler Gateway (if NetScaler Gateway is enabled for the deployment). For more information about StoreFront isolation levels, see the document Isolation Methods in App Orchestration 2.5.

To ensure the machines that are dedicated to tenants' exclusive use are adequately isolated, Citrix recommends using a private Active Directory forest for each tenant, a private management network, and offerings that employ Private Delivery Site isolation. This helps ensure that a tenant's resources are isolated from other tenants and other tenants' users.

Security considerations

As a security consideration when adding tenants, include user groups that contain only domain users. Users who belong to the Domain Admins group should not be added to these groups. This ensures that a tenant's users can access only the Session Machines in the resource management network (either shared or private). Additionally, keep the following considerations in mind:

• Do not grant tenant users or administrators Domain Admin permissions in any Active Directory domain included in the deployment.
• If administrator permissions are granted to a tenant, ensure the tenant has local machine administrator privileges only for privately allocated Session Machines. Tenants should not have administrator privileges on any other server or component in the deployment.
• Ensure that tenants do not have permissions to access any compute resources in the deployment.
• Ensure that tenants do not have permissions to log on to or administer shared components such as NetScaler Gateway appliances or StoreFront servers.

Task 2: Adjust capacity

Capacity refers to the number of Session Machines allocated to offerings and the tenants who access them. By default, App Orchestration creates an initial capacity of one machine.

After adding tenants, Citrix recommends you preallocate capacity before you create subscriptions. You can adjust the capacity as needed to host more or fewer offerings or users.


In the App Orchestration web console, go to the Dashboard and click the pencil to the right of Capacity Allocation.

Select the offering and specify the desired capacity. App Orchestration estimates the number of users that can fit per machine based on the load balancing settings, or whether the machines are single user.

When you are deciding how many machines to preallocate, you should consider whether the Session Machine Catalog uses statically allocated or pooled machines.

• For statically allocated machines, you should preallocate the number of machines necessary to support all of the users who will be using the offering.
• For pooled machines, you only need to preallocate the number of machines necessary to support concurrent users of the offering.

Task 3: Subscribe the tenant to an offering

This step consists of creating a subscription for a tenant so that the tenant's users can access a specific offering through StoreFront.

To create a subscription, you use the App Orchestration web console to specify the offering, tenant, and user groups to include. The process of subscribing a tenant to an offering involves creating a Delivery Group according to the isolation level defined for the offering. This Delivery Group restricts access to the offering, ensuring only the specified users can access the offering through StoreFront.

Important: When subscribing users to offerings, ensure the users are members of domain global user groups. This ensures that only users in the tenant’s user domain are authorized to access the tenant’s offerings. Using domain local or universal user groups for subscriptions could allow users external to the tenant’s user domain to be members of these groups and allow these users to access the tenant’s offerings.

For more information about Delivery Group isolation levels, see the document Isolation Methods in App Orchestration 2.5.
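A pre-subscription check that covers both the “Security considerations” under Task 1 (no Domain Admins among tenant users) and the Important note above (domain global groups only, members from the tenant's own user domain), as an added PowerShell example that is not part of the Citrix guide. It assumes the ActiveDirectory module is installed on the machine you run it from; the group and domain names in the usage line are placeholders.

```powershell
# Added example, not part of the Citrix guide: validate a tenant's subscription group before
# using it in a subscription. Requires the ActiveDirectory module (RSAT). The group and
# domain names passed in are placeholders chosen for this example.
Import-Module ActiveDirectory

function Test-SubscriptionGroup {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,          # e.g. 'Tenant1-Word-Subscribers'
        [Parameter(Mandatory)] [string]   $UserDomain,         # the tenant's user domain (DNS name)
        [Parameter(Mandatory)] [string[]] $DeploymentDomains   # every AD domain in the deployment
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $group = Get-ADGroup -Identity $GroupName -Server $UserDomain -Properties GroupScope, GroupCategory

    # Subscriptions must use domain global groups: domain local and universal groups can contain
    # principals from other domains, which would let users outside the tenant's user domain in.
    if ($group.GroupScope -ne 'Global') {
        $findings.Add("group scope is $($group.GroupScope); expected Global")
    }
    if ($group.GroupCategory -ne 'Security') {
        $findings.Add("group is a $($group.GroupCategory) group; expected Security")
    }

    # Expand nested membership. Every member must be a user object located in the tenant's
    # user domain (checked by its distinguished name suffix).
    $domainDn = (Get-ADDomain -Server $UserDomain).DistinguishedName
    $members  = @(Get-ADGroupMember -Identity $group -Server $UserDomain -Recursive)
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') {
            $findings.Add("$($m.SamAccountName) is a $($m.objectClass), not a user")
        } elseif ($m.DistinguishedName -notlike "*,$domainDn") {
            $findings.Add("$($m.SamAccountName) is outside $UserDomain ($($m.DistinguishedName))")
        }
    }

    # No member may be a Domain Admin in any domain of the deployment. Compare SIDs as strings
    # so the same account is recognised whichever domain controller answered.
    foreach ($domain in $DeploymentDomains) {
        $adminSids = @(Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
                       ForEach-Object { $_.SID.Value })
        foreach ($m in $members) {
            if ($adminSids -contains $m.SID.Value) {
                $findings.Add("$($m.SamAccountName) is a member of Domain Admins in $domain")
            }
        }
    }

    [pscustomobject]@{
        Group     = $group.Name
        Scope     = "$($group.GroupScope)"
        Members   = $members.Count
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage (placeholder names): run from a machine that can reach every domain's directory.
Test-SubscriptionGroup -GroupName 'Tenant1-Word-Subscribers' -UserDomain 'tenant1.example' `
                       -DeploymentDomains 'tenant1.example', 'shared.example' | Format-List
```

A group that comes back with Compliant = False should be corrected in Active Directory before it is used in the subscription wizard; each finding names the member or attribute that violates the guidance above.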

Task 4: Optional: Deploy tenant self-service features

After you deploy App Orchestration, you can choose to integrate with CloudPortal Services Manager 11.0.1. This deployment option enables you to make App Orchestration offerings available for self-service consumption through the Services Manager web-based control panel. Tenants can self-administer the offerings to which they have subscribed and their users can request access to subscribed offerings as needed.

To enable Services Manager to communicate with your App Orchestration deployment, you perform the following tasks:

1. Download CloudPortal Services Manager 11.0.1 from the Citrix web site.
2. Install the Hosted Apps and Desktops web service on the App Orchestration configuration server.
3. Configure the Hosted Apps and Desktops service through the Services Manager control panel.

You can then use the control panel to manage offerings and provision the service to tenants. To enable tenants’ users to self-subscribe to offerings, configure Workflow Approval for the tenant.


When you enable this integration, the App Orchestration and Services Manager web consoles assume specific roles with regard to the administration tasks you perform in your deployment. You use the Services Manager control panel to manage tenant onboarding and subscribing users to offerings. You use the App Orchestration web console to create new offerings, add capacity to existing offerings, and manage the Delivery Sites, Session Machines, and StoreFront servers in your deployment.


Appendix: Setup Checklist

This checklist is a convenient tool to help you plan and document your App Orchestration deployment. Use this checklist along with the rest of the information in this guide to ensure all required preparation tasks are performed.

This checklist helps you prepare the following components:

• 1 domain controller with a minimum domain functional level of Windows Server 2008 R2
• 1 database server running a supported version of Microsoft SQL Server
• 1 Citrix License Server
• 1 NetScaler Gateway
• 1 server, for the App Orchestration configuration server
• 1 server, for the Session Machine that will host applications and desktops for users
• 2 servers, for the Delivery Controllers that make up one Delivery Site
• 2 servers, for the StoreFront servers that make up one StoreFront server group

Use the Notes column to record the details of your preparation activities. You will need to supply this information when you configure App Orchestration’s global settings.


Shared resource domain

Complete the tasks in this section before you install App Orchestration. You will need to supply the information below when you configure App Orchestration’s global settings. For more information about the tasks in this section, see “Prepare your Active Directory domains” on page 20.

Completed ( )    Task    Notes

( )  Create a domain to be used as the shared resource domain. Minimum domain functional level: Windows Server 2008 R2.
     Notes: Domain name:

( )  Create a Group Policy object that will be associated with all machines in the shared resource domain and configure the following settings:
     • Set the PowerShell execution policy to AllSigned.
     • Configure PowerShell remoting.
     • Allow WinRM traffic through Windows Firewall.
     • Allow WinRM remote server management for all servers.
     • Allow WinRM clients to trust all servers.
     • Set Windows Remote Shell maximum memory to 1 GB or more.
     • Allow unlimited number of remote shells per user.
     For detailed instructions, refer to the section “Configure the App Orchestration Group Policy” on page 23.

( )  Create an Active Directory security group that you designate as the orchestration service group (for example, MyDomain\OrchestrationAdmins).
     Notes: Group name:


( )  Create an organizational unit as the root OU for App Orchestration. App Orchestration will have permission in this OU to create, move, and remove objects.
     Notes: Root OU name:

( )  Create an orchestration service account with the following permissions:
     • Read and Write permissions on the App Orchestration root OU
     • Permission to use PowerShell remoting to access all servers in the shared resource domain
     • Add the account to the orchestration service group
     Important: For security reasons, do not add this account to the Domain Admins group.
     Notes: User name:
            Password:
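A way to confirm that the Group Policy settings in the checklist above have actually applied on a machine in the shared resource domain, as an added PowerShell example that is not part of the Citrix guide. It reads the WSMan: drive, the machine-scope execution policy and the WinRM policy registry key; run it in an elevated session on the machine itself. The expected values are those the checklist lists, except the remote-shells-per-user limit, which is reported for comparison with whatever your GPO sets.

```powershell
# Added example, not part of the Citrix guide: verify the checklist's Group Policy settings on a
# shared-resource-domain machine. Run elevated on the machine (or via Invoke-Command once
# remoting works). Get-NetFirewallRule needs Windows Server 2012 or later.

function Test-OrchestrationGroupPolicy {
    $checks = @()

    # Group Policy sets the MachinePolicy scope; a local Set-ExecutionPolicy would not show here.
    $policy = Get-ExecutionPolicy -Scope MachinePolicy
    $checks += [pscustomobject]@{ Setting = 'PowerShell execution policy (GPO)'; Actual = "$policy"
                                  Pass = ("$policy" -eq 'AllSigned') }

    # PowerShell remoting: the WinRM service is running and at least one listener exists.
    $winrm = Get-Service -Name WinRM
    $checks += [pscustomobject]@{ Setting = 'WinRM service running'; Actual = "$($winrm.Status)"
                                  Pass = ("$($winrm.Status)" -eq 'Running') }
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener)
    $checks += [pscustomobject]@{ Setting = 'WinRM listener configured'; Actual = $listeners.Count
                                  Pass = ($listeners.Count -ge 1) }

    # "Allow remote server management through WinRM" policy: AllowAutoConfig=1 and an IPv4 filter of *.
    $svcPol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' `
                               -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{ Setting = 'Allow remote server management for all servers'
                                  Actual  = "AllowAutoConfig=$($svcPol.AllowAutoConfig) IPv4Filter=$($svcPol.IPv4Filter)"
                                  Pass    = ($null -ne $svcPol -and $svcPol.AllowAutoConfig -eq 1 -and
                                             $svcPol.IPv4Filter -eq '*') }

    # Windows Firewall: the built-in Windows Remote Management rule group is enabled.
    $fw = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
            Where-Object { "$($_.Enabled)" -eq 'True' })
    $checks += [pscustomobject]@{ Setting = 'WinRM allowed through Windows Firewall'
                                  Actual  = "$($fw.Count) rule(s) enabled"; Pass = ($fw.Count -ge 1) }

    # Client trusts all servers: TrustedHosts is '*'.
    $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $checks += [pscustomobject]@{ Setting = 'WinRM client TrustedHosts'; Actual = $trusted
                                  Pass = ($trusted -eq '*') }

    # Windows Remote Shell maximum memory of 1 GB or more.
    $mem = [int](Get-Item -Path WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    $checks += [pscustomobject]@{ Setting = 'WinRS MaxMemoryPerShellMB >= 1024'; Actual = $mem
                                  Pass = ($mem -ge 1024) }

    # Remote shells per user: reported only; compare with the value your GPO uses for "unlimited".
    $shells = (Get-Item -Path WSMan:\localhost\Shell\MaxShellsPerUser).Value
    $checks += [pscustomobject]@{ Setting = 'WinRS MaxShellsPerUser (report only)'; Actual = $shells
                                  Pass = $null }

    $checks
}

Test-OrchestrationGroupPolicy | Format-Table -AutoSize
```

Run it after a gpupdate on a freshly joined machine; any row with Pass = False points at a checklist item the GPO has not applied to that machine.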

Default user domain

The default user domain is where App Orchestration service accounts reside. You can create a separate domain or you can designate the shared resource domain for this purpose when you configure App Orchestration’s global settings.

Completed ( )    Task    Notes

( )  Create a domain to be used as the default user domain. This domain must have a minimum domain functional level of Windows Server 2003.
     Notes: Domain name:

( )  Create a user account in the user domain.
     Important: For security reasons, do not add this account to the Domain Admins group.
     Notes: User name:
            Password:


Citrix product media folder

The Citrix product media folder contains the software for App Orchestration and other components that are required to provision Delivery Sites, Session Machines, and StoreFront servers. This folder can be local to all machines (recommended), or on a portable drive, a network share of any kind, or any other location that is visible to all of your machines. Citrix recommends that you protect this folder with appropriate access controls, to prevent unauthorized access that might result in file corruption or the introduction of malware.

Completed ( )    Task    Notes

Download App Orchestration 2.5 from the Citrix web site. Choose one of the following locations:
- Citrix Cloud Provider Pack for XenApp
- Citrix Cloud Provider Pack for XenDesktop

Run the downloaded executable (App_Orchestration_2.5.exe) to extract the image contents into a folder of your choice (for example, AO25), with the following layout:


In the /Setup/ProductMedia folder, create the following structure:
- CitrixStoreFront folder: Copy the entire contents of the StoreFront 2.5.2 installation media to this folder.
    Notes: StoreFront download page
- XenDesktop folder: Copy the entire contents of the XenApp 7.5 and XenDesktop 7.5 Platinum Edition installation media to this folder.
    Notes: Choose one of the following locations: XenApp download page; XenDesktop download page
- XenApp folder: Copy the entire contents of the XenApp 6.5 installation media to this folder.
    Notes: XenApp 6.5 download page
- XenApp/XenAppHRP folder: Copy the entire contents of the Hotfix Rollup Pack 4 to this folder.


Database Server

The database server hosts the App Orchestration configuration database. For more information about supported databases, refer to the “Prepare the database server” section on page 28.

Completed ( )    Task    Notes

Prepare a server and install Microsoft SQL Server 2008 R2 (minimum):
- Join the server to the shared resource domain.
- Use Windows authentication.
- Ensure SQL Server Browser and the SQL Server instance services are enabled and set to start automatically.
- Enable remote TCP connections.
- Allow SQL traffic to traverse Windows Firewall.
Optionally, you can prepare another SQL Server for mirroring to increase availability. For more information, refer to the document Configuring Database Mirroring in App Orchestration 2.5.
    Primary database server name:
    Secondary database server name (optional):

Create a SQL database administrator account. This account must be a Windows account, using Windows authentication. The account you use to install App Orchestration must have permission to create databases.
    User name:
    Password:
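As an added example (not from the Citrix guide), this PowerShell, run locally on the database server, verifies the SQL Server items above: service start mode, Windows-only authentication, a TCP listener, and a firewall rule scoped to the Domain profile rather than to every network. The instance service name, port and firewall rule name are assumptions, and Invoke-Sqlcmd requires the SqlServer or SQLPS module.

```powershell
# Added example, not part of the Citrix guide. Run locally on the database server.
$InstanceService = 'MSSQLSERVER'          # default instance; a named instance is 'MSSQL$<InstanceName>'
$SqlPort         = 1433                   # assumed static TCP port of the instance
$RuleName        = 'SQL Server (TCP-In)'  # assumed firewall rule name

# 1. SQL Server Browser and the instance service enabled and set to start automatically.
foreach ($name in 'SQLBrowser', $InstanceService) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service $name not found"; continue }
    if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
        Write-Warning ('{0}: StartMode={1}, State={2} (expected Auto/Running)' -f $name, $svc.StartMode, $svc.State)
    }
}

# 2. Windows authentication only. IsIntegratedSecurityOnly = 1 means SQL logins are disabled.
$auth = Invoke-Sqlcmd -ServerInstance $env:COMPUTERNAME `
    -Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WinAuthOnly"
if ($auth.WinAuthOnly -ne 1) {
    Write-Warning 'Mixed-mode authentication is enabled; the checklist requires Windows authentication'
}

# 3. Remote TCP connections: the instance must actually be listening on the port.
if (-not (Get-NetTCPConnection -State Listen -LocalPort $SqlPort -ErrorAction SilentlyContinue)) {
    Write-Warning "Nothing is listening on TCP $SqlPort; enable TCP/IP in SQL Server Configuration Manager"
}

# 4. Windows Firewall: allow SQL traffic, but only on the Domain profile, not on public networks.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $SqlPort -Action Allow -Profile Domain | Out-Null
}
```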


Citrix License Server

Completed ( )    Task    Notes

Prepare a server and install Citrix Licensing 11.11.1 according to product instructions.
    License server name:

Install XenApp or XenDesktop Platinum licenses.

NetScaler Gateway

To secure access to your App Orchestration deployment, NetScaler Gateway enables you to configure policy and action controls while allowing tenants’ users to access the apps and desktops they need. For more information about integrating NetScaler Gateway with App Orchestration, refer to the document Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5.

Completed ( )    Task    Notes

Install and configure NetScaler Gateway according to product instructions.
    Gateway address:


App Orchestration configuration server

Completed ( )    Task    Notes

Prepare one or more servers to be used as the App Orchestration configuration server(s). For system requirements, refer to the section “Prepare the App Orchestration configuration server” on page 31.
Note: If you deploy multiple configuration servers, enter only the server’s FQDN when prompted. If you use the server’s IP address or NetBIOS name instead, App Orchestration displays an error message indicating the server cannot be contacted.
    Primary server FQDN:
    Backup server FQDN (optional):

Join the server(s) to the shared resource domain.

Install a valid SSL certificate, signed by a trusted Certificate Authority, in the local computer’s certificate store. For proof-of-concept deployments, you can use a wildcard certificate. For more information about using SSL with App Orchestration, see the document Configuring SSL for App Orchestration 2.5.
    Friendly name:


Delivery Controllers

Completed ( )    Task    Notes

Prepare two or more servers to be used as the Delivery Controllers. For system requirements, refer to the section “Prepare Delivery Controllers and Session Machines” on page 35.
    Primary Controller name:
    Backup Controller name:

Run the App Orchestration Install Center to install the appropriate Citrix software on the servers:
- For Delivery Sites running XenApp 7.5 and XenDesktop 7.5, select XenApp and XenDesktop 7.5 Delivery Controller (and App Orchestration Agent)
- For farms running XenApp 6.5, select XenApp 6.5 Controller (and App Orchestration Agent)
For more information, see “Install App Orchestration” on page 43.

Join the servers to the shared resource domain.


Session Machines

On-demand catalogs (on-demand provisioning enabled)

For more information about preparing your environment for and enabling on-demand provisioning, refer to the document Provisioning Session Machines On-demand in App Orchestration 2.5.

Completed ( )    Task    Notes

Prepare a compute resource (host and management machines) according to the product documentation and the needs of your organization.
When you create an on-demand catalog in App Orchestration, you must specify the following details about the compute resource:
- Whether the compute resource is running XenServer, ESX, or Hyper-V (resource type).
- A friendly name by which you can identify the compute resource.
- The location (URL or IP address) of the compute resource.
- Credentials for the compute resource.
    Resource type:
    Friendly name:
    Address:
    User name:
    Password:


Using the management console for the compute resource, create and set up a VM to use as a template for other Session Machines that are added to the catalog.
Setting up a VM might include:
- Installing the guest operating system and applicable service packs or updates.
- Verifying virtual devices such as hard disks are configured correctly.
- Installing integration tools required to optimize interaction with the host machine.
- Installing third-party tools such as antivirus software.
- Installing applications you want to include in offerings.
- Installing the required Citrix software using the App Orchestration Install Center. For more information, see “Install App Orchestration” on page 43.
    VM name:


Join the VM to the domain for which you want newly-created Session Machines to be members.
The domain to which you join the VM must have a Group Policy defined that allows PowerShell remoting and sets the execution policy. For more information, refer to the section “Configure the App Orchestration Group Policy” on page 23.
The VM must be a member of either the shared resource domain or a domain that has a two-way trust with the shared resource domain. Ensure that the orchestration service administrator account (defined in App Orchestration’s global settings) has the ability to use PowerShell remoting to connect to the VM and install software.

On the VM, in Advanced TCP/IP Settings, configure the following settings for the VM’s network connection:
- In DNS suffix for this connection, enter the shared resource domain name.
- Select Use this connection’s DNS suffix in DNS registration.
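As an added example (not from the Citrix guide), this PowerShell, run from a management machine as the orchestration service account, covers the template VM requirements above in one pass: remoting to the VM with that account, the connection-specific DNS suffix and suffix-registration setting, the Group Policy-set execution policy, and the two-way trust when the VM is not in the shared resource domain. The VM name and domain names are assumed placeholders; the trust check needs the ActiveDirectory module on the management machine.

```powershell
# Added example, not part of the Citrix guide. Run from a management machine with the
# ActiveDirectory module; the names below are placeholders.
$VmName               = 'ao-template01'              # assumed template VM
$SharedResourceDomain = 'resources.mydomain.local'   # assumed shared resource domain
$cred = Get-Credential -Message 'Orchestration service account (as defined in global settings)'

# Succeeding here already proves the service account can use PowerShell remoting to the VM.
$vm = Invoke-Command -ComputerName $VmName -Credential $cred -ArgumentList $SharedResourceDomain -ScriptBlock {
    param($Suffix)
    # "DNS suffix for this connection" and "Use this connection's DNS suffix in DNS registration"
    $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClient -InterfaceIndex $nic.ifIndex -ConnectionSpecificSuffix $Suffix -UseSuffixWhenRegistering $true
    $dns = Get-DnsClient -InterfaceIndex $nic.ifIndex
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Domain     = (Get-CimInstance Win32_ComputerSystem).Domain
        DnsSuffix  = $dns.ConnectionSpecificSuffix
        Registers  = $dns.UseSuffixWhenRegistering
        # The checklist expects Group Policy to set this; Undefined means no GPO applies.
        ExecPolicy = Get-ExecutionPolicy -Scope MachinePolicy
    }
}
$vm | Format-List

if ($vm.ExecPolicy -eq 'Undefined') {
    Write-Warning 'Execution policy is not set by Group Policy on the VM'
}

# The VM must be in the shared resource domain or in a domain with a two-way trust to it.
if ($vm.Domain -ne $SharedResourceDomain) {
    $trust = Get-ADTrust -Filter "Target -eq '$($vm.Domain)'" -Server $SharedResourceDomain
    if (-not $trust -or $trust.Direction -ne 'BiDirectional') {
        Write-Warning "No two-way trust between $SharedResourceDomain and $($vm.Domain)"
    }
}
```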


Catalogs for externally-provisioned machines

Completed ( )    Task    Notes

Prepare one or more machines to be used as Session Machines. All machines to be added to the catalog must meet the following requirements:
- Have the same hardware configuration and all installed software (including operating system, installed updates, and applications).
- Capable of running XenApp 6.5 or XenDesktop 7.5 VDA software, according to the product’s system requirements.
    Machine #1 name:
    Machine #2 name:
    Machine #3 name:
    Machine #4 name:

Join the machines to the appropriate resource domain. If the machines will be shared among multiple tenants, join them to the shared resource domain. If the machines will be allocated to a specific tenant, join them to the tenant’s private resource domain.
    Resource domain name:


StoreFront servers

Completed ( )    Task    Notes

Prepare two or more servers to be used as the StoreFront Server Group. For system requirements, refer to “Prepare StoreFront servers” on page 39.
    Primary StoreFront server name:
    Backup StoreFront server name:

Run the App Orchestration Install Center to install the StoreFront 2.5 software. For more information, see “Install App Orchestration” on page 43.

Join the servers to the shared resource domain.

Install a valid SSL certificate, signed by a trusted Certificate Authority, in the local computer’s certificate store. For proof-of-concept deployments, you can use a wildcard certificate. The certificate must have the same Friendly Name on all computers.
    Friendly name:

Install and configure a load balancer for the StoreFront Server Group. For more information about configuring load balancing with StoreFront, refer to the document Configuring NetScaler 10.1 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5 or Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for App Orchestration 2.5.
    Load Balancer URL:
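The configuration server task and the StoreFront task above both call for a CA-signed certificate in the local computer store under a recorded Friendly Name, identical on every StoreFront server. As an added example (not from the Citrix guide), this PowerShell audits that across the servers: presence by Friendly Name, private key, chain validity for the host's FQDN, expiry, and whether a wildcard certificate (proof-of-concept only) is in use. Server names and the Friendly Name are assumed placeholders; Test-Certificate comes from the Windows PKI module.

```powershell
# Added example, not part of the Citrix guide. Server names and Friendly Name are placeholders.
$Servers      = 'aocfg01.resources.mydomain.local',
                'sf01.resources.mydomain.local',
                'sf02.resources.mydomain.local'
$FriendlyName = 'AppOrchestration'   # the Friendly Name recorded on the checklist

$report = Invoke-Command -ComputerName $Servers -ArgumentList $FriendlyName -ScriptBlock {
    param($FriendlyName)
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq $FriendlyName
    if (-not $certs) {
        return [pscustomobject]@{ Server = $fqdn; Found = $false }
    }
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    # Test-Certificate builds the chain against this machine's trusted roots and checks
    # that the certificate is valid for SSL server use with the given host name.
    $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server     = $fqdn
        Found      = $true
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        HasKey     = $cert.HasPrivateKey
        Expires    = $cert.NotAfter
        ChainValid = [bool]$chainOk
        IsWildcard = $cert.Subject.StartsWith('CN=*.')   # acceptable for proof-of-concept only
    }
}

$report | Format-Table Server, Found, HasKey, ChainValid, IsWildcard, Expires, Thumbprint -AutoSize

# The checklist requires the same Friendly Name on every server; flag anything that would
# make a server's certificate unusable or different from the others.
foreach ($r in $report) {
    if (-not $r.Found)      { Write-Warning "$($r.Server): no certificate with Friendly Name '$FriendlyName'"; continue }
    if (-not $r.HasKey)     { Write-Warning "$($r.Server): certificate has no private key" }
    if (-not $r.ChainValid) { Write-Warning "$($r.Server): chain does not validate for $($r.Server)" }
    if ($r.Expires -lt (Get-Date).AddDays(30)) { Write-Warning "$($r.Server): certificate expires $($r.Expires)" }
}
```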


App Orchestration global settings

After installing the App Orchestration configuration server, you configure the global settings using the App Orchestration web console. During this process, you must specify the default datacenter for the deployment and the external DNS suffix. You must also decide whether or not to enable network isolation in your deployment.

In App Orchestration, datacenters are used for providing hosted apps and desktops to tenants in distributed geographic locations and for failover. App Orchestration requires at least one datacenter in the deployment. For more information about datacenters, refer to the document Deploying a Multi-Datacenter Environment in App Orchestration 2.5.

In general, network isolation should be enabled if you intend to provide offerings exclusively to specific tenants. For more information about network isolation, refer to the document Isolation Methods in App Orchestration 2.5.

Completed ( )    Task    Notes

Specify the name of the primary datacenter.
    Name:

Specify the external DNS suffix. The external DNS suffix is the top-level domain of your external-facing DNS server. This influences the defaults for connection routing, but can be overridden, if necessary.
Example: For a datacenter named ag.us.mycompany.com, the suffix “mycompany.com” results in the default routing for user connections to a datacenter named “us.”
    Suffix:


Enable network isolation?
If you intend to enable network isolation, you must create and label at least three virtual networks on your compute resources. These networks must exist before you configure the global settings. For instructions for creating and labeling these networks, refer to the product documentation for your server virtualization solution.
Important: The labels for the virtual networks are case-sensitive. When entering the network labels in App Orchestration, ensure they match exactly the labels configured on your compute resources.
    Yes / No
    Shared Controller Management Network label:
    Shared Delivery Group Management Network label:
    Private Management Network label:


First tenant

Completed ( )    Task    Notes

Specify the tenant name.
    Tenant Name:

Create at least one location group for the tenant in the user domain. Each user group can be a member of only one location group. Location groups connect users with certain datacenters, enabling users to access applications and desktops based on datacenter affinity.
    User domain name:
    OU Name:

Create user groups for the tenant in the user domain. These user groups will be used later for creating subscriptions, so they should organize users by the sets of apps and desktops that you intend to deliver to those users.
    User Group #1:
    User Group #2:
    User Group #3:
    User Group #4:

Create user accounts for the tenant’s users and add them to the appropriate user groups.