How Citrix XenApp 6 Policies Work

  1. XenApp policies and settings are collected into two categories, similar to those in Active Directory: Computer and User.
    1. Computer policy settings pertain to XenApp servers and are applied when the server is rebooted.
    2. User policy settings pertain to user sessions and are applied for the duration of the session.
  2. Citrix XenApp 6 policies can be managed through the Group Policy Editor in Windows or the Delivery Services Console in XenApp.
  3. If you do NOT use Active Directory in your environment (or use a different directory service such as Novell Directory Services for Windows) or you are a Citrix administrator without permission to manage Group Policy, use the Delivery Services Console to create policies for your farm. The settings you configure are stored in a farm GPO in the data store.
  4. In the event policy settings conflict in Active Directory environments,
    1. AD GPOs take precedence over the farm GPOs and
    2. the farm GPO takes precedence over the local GPO on the server.
  5. If you create more than one policy in your environment, make sure that you prioritize the policies so that it is clear which policy should take precedence in the event of a conflict.
  6. In general,
    1. Citrix policies override similar settings configured for the entire server farm, for specific servers, or on the client.
    2. The exception to this principle is security.
    3. The highest encryption setting in your environment, including the operating system and the most restrictive shadowing setting, always overrides other settings and policies.
    4. Citrix policies interact with policies you set in your operating system. Some Windows policies take precedence over Citrix policies.
    5. For some policy settings, such as Secure ICA, the settings in policies must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure ICA policy settings that you specify in the policy or when you are publishing an application can be overridden.
    6. For example, the encryption settings that you specify when you are publishing an application should be at the same level as the encryption settings you specified throughout your environment.
  7. Some policy settings can be in one of the following states:
    1. Allowed or Prohibited allows or prevents the action controlled by the setting.
    2. Enabled or Disabled turns the setting on or off.
    3. If you disable a setting, it is not enabled in lower ranked policies.
  8. In general,
    1. Computer policy setting changes go into effect when the server reboots.
    2. User policy setting changes go into effect the next time the relevant users establish a connection.
    3. Policy setting changes can also take effect when XenApp re-evaluates policies at 90 minute intervals.
  9. For some policy settings, you can limit configuration of the setting by selecting Use default value. Selecting this option disables configuration of the setting and allows only the setting’s default value to be used when the policy is enforced. This occurs regardless of the value that was entered before selecting Use default value.
  10. Default values for all Citrix policy settings are located in the Policy Settings Reference.
  11. Best Practices for Policy Settings
    1. Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
    2. Do not enable conflicting or overlapping settings in Remote Desktop Session Host Configuration. In some cases, Remote Desktop Session Host Configuration provides similar functionality to Citrix policy settings. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.
    3. Disable unused policies. Policies with no settings added create unnecessary processing.
  12. Policy settings can be enabled, disabled, or not configured. By default, policy settings are not configured, meaning they are not added to a policy. Settings can be applied only when they are added to a policy.
  13. When you modify a policy using the Settings tab on the console, the changes you make are applied to the policy immediately after you configure the selected setting.
  14. However, when you modify a policy using the Edit Policy dialog box, changes you make are applied to the policy only after you click OK on the Edit Policy dialog box.
  15. When you add a filter to a policy, the policy’s settings are applied to connections according to specific criteria or rules.
  16. If no filter is added, the policy is applied to all connections.
  17. You can add as many filters as you want to a policy, based on a combination of criteria. The availability of certain filters depends on whether you are applying a Computer policy or a User policy. The following table lists the available filters:

    | Filter Name | Filter Description | Policy Scope |
    |---|---|---|
    | Access Control | Applies a policy based on the access control conditions through which a client is connecting. | User policies only |
    | Client IP Address | Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session. | User policies only |
    | Client Name | Applies a policy based on the name of the user device from which the session is connected. | User policies only |
    | User | Applies a policy based on the user or group membership of the user connecting to the session. | User policies only |
    | Worker Group | Applies a policy based on the worker group membership of the server hosting the session. | Computer policies and User policies |

  18. The process XenApp uses to evaluate policies is as follows: When a user logs on,
    1. XenApp identifies the policies that match the filters for the connection.
    2. XenApp sorts the identified policies into priority order, compares multiple instances of any policy setting, and applies the policy setting according to the priority ranking of the policy.
    3. XenApp recalculates the policy every 90 minutes after the user logs on to the farm.
    4. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled.
    5. Policy settings that are not configured are ignored.
    6. You prioritize policies by giving them different priority numbers. By default, new policies are given the lowest priority (the next highest number in the policies list).
    7. Settings are merged according to priority and the setting’s condition; for example, whether the setting is disabled or enabled.
    8. Any disabled setting overrides a lower-ranked (higher priority number) setting that is enabled.
    9. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings.
    10. To allow for exceptions, you can create a policy for those (sub-)group members and then rank the policy higher than the policy applied for that entire group.
    11. A filter with the mode set to Deny tells XenApp to apply the policy to connections that do not match the filter criteria.
    12. For example, a policy contains the following filters:
      1. Filter A is a Client IP address filter that specifies the range 208.77.88.* and the mode is set to Allow.
      2. Filter B is a User filter that specifies a particular user account and the mode is set to Deny.
        The policy is applied to all users who log on to the farm with IP addresses in the range specified in Filter A. However, the policy is not applied to the user logging on to the farm with the user account specified in Filter B, even though the user’s computer is assigned an IP address in the range specified in Filter A.
  19. Unfiltered Policies:
    1. By default, XenApp provides Unfiltered policies for Computer and User policy settings.
    2. The settings added to this policy apply to all connections.
    3. If you use AD in your environment and use the Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all farm servers and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy.
    4. If you use the Delivery Services Console to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers and connections in the farm.
  20. In policies with two filters of the same type, one set to Allow and one set to Deny,
    1. the filter set to Deny takes precedence, provided the connection satisfies both filters.
  21. You must add at least one filter to a policy for that policy to be applied.
  22. The policy is applied the next time the relevant users establish a connection.
  23. When managing policies through the Delivery Services Console, be aware that making frequent changes can adversely impact server performance. When you modify a policy, the XenApp server synchronizes its copy of the farm Group Policy Object (GPO) with the data store, propagating the change to other servers in the farm.
  24. For example, if you make changes to five policies, the server synchronizes the farm GPO five times. In a large farm with multiple policies, this frequent synchronization can result in delayed server responses to user requests. To ensure server performance is not impacted by needed policy changes, arrange to make these changes during off-peak usage periods.
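
The evaluation rules in items 18 and 20 above (filter matching with Allow and Deny modes, then merging by priority) are modelled below as an added Python example; it is not Citrix code and does not call any XenApp API. The policy names, the account name and the rule that each filter type with Allow filters needs one match are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Filter:
    kind: str     # connection attribute to test: "client_ip" or "user"
    pattern: str  # wildcard pattern such as "208.77.88.*"
    mode: str     # "Allow" or "Deny"

@dataclass
class Policy:
    name: str
    priority: int   # 1 is the highest rank
    settings: dict  # only configured settings appear; unconfigured ones are absent
    filters: list = field(default_factory=list)

def applies(policy, conn):
    """True if the policy's filters select this connection."""
    hits = [f for f in policy.filters if fnmatchcase(conn[f.kind], f.pattern)]
    if any(f.mode == "Deny" for f in hits):
        return False  # a matching Deny filter takes precedence over Allow
    allow_kinds = {f.kind for f in policy.filters if f.mode == "Allow"}
    matched_kinds = {f.kind for f in hits if f.mode == "Allow"}
    # Assumption: every filter type that has Allow filters needs one match.
    # A policy with no filters has no Allow kinds, so it applies to everyone.
    return allow_kinds == matched_kinds

def effective_settings(policies, conn):
    """Merge matching policies; the highest-ranked configured value wins."""
    result = {}
    for p in sorted(policies, key=lambda p: p.priority):
        if applies(p, conn):
            for setting, value in p.settings.items():
                result.setdefault(setting, (value, p.name))
    return result

# Constructed sample data (policy names and accounts are illustrative only).
POLICIES = [
    Policy("Unfiltered", 2, {"Client clipboard redirection": "Allowed",
                             "Client drive redirection": "Allowed"}),
    Policy("Branch lockdown", 1, {"Client clipboard redirection": "Prohibited"},
           [Filter("client_ip", "208.77.88.*", "Allow"),
            Filter("user", "svc-exempt", "Deny")]),
]

if __name__ == "__main__":
    for user, ip in [("alice", "208.77.88.10"), ("svc-exempt", "208.77.88.10"),
                     ("alice", "10.0.0.5")]:
        conn = {"user": user, "client_ip": ip}
        print(user, ip, effective_settings(POLICIES, conn))
```

Each result carries the name of the policy that supplied the value, which makes it easy to see that the Deny-mode User filter exempts that account from the restriction and leaves it with the lower-ranked Unfiltered value.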

0 thoughts on “How Citrix XenApp 6 Policies Work”

  1. I am now not certain where you’re getting your information, however good topic. I needs to spend some time learning more or figuring out more. Thank you for wonderful information I was in search of this info for my mission.
