Ok … I know, it’s 2015 and XenDesktop/XenApp 7.6 is out. And I know we are on Windows 2012 R2 and XenApp 6.5 on 2008 R2 is “a thing of the past”… … Not!

In reality many of you are still using XenApp 6.5. It works fine, it’s flexible, full of possibilities… And… To be honest… The old PS4.x farm took a while to get rid of… So now that you’re done with it, you are expecting the “new” environment to last for a while. If you must deploy a new environment today, we’d recommend going with 7.6, but if you’ve just moved to 6.5 in the last year or two… No need to rush for the latest and gr… well… the latest!!! It works fine… right?
Ok so you run XenApp 6.5, with or without PVS, Citrix Profile Manager, the AppCenter… what could be missing? Well… Shadowing was removed… because it’s based on RDS “Remote Control”, and RC just doesn’t work well with multi-screen and some screen resolutions. So we were told to use “Remote Assistance”. Ok… it does work… but when you are used to “Right click / Shadow”… it’s something else to: start Remote Assistance, use the AppCenter to find out where the user is, browse to the right server, find the user, send a request… Not exactly as simple as it used to be.
But recently (Q4 2014), Director 7.6 was released. And it is “officially” compatible with XenApp 6.5. So if you are still using Remote Assistance… you want this.
Steps:
1- Login
2- Search for a user
3- Click “Shadow”… and you’ll get a pre-configured Remote Assistance file that goes directly to the user’s session.

[Screenshot: Director XenApp 6.5 User Search]

*Note: Director 7.6 supports XenApp 6.5 only with “User based search”.
Really good tool for one farm or multiple farms in the same domain…
Thanks to Citrix… they really did it.

But what happens in an environment where you have multiple domains… and multiple farms to support? Do you have to use multiple Director Servers and login on the right one depending where your users are? Wouldn’t it be cool to be able to support multiple environments with the same Director Web interface?

Well it’s possible… One Director, Multiple Farms, Multiple Domains.

However, one restriction applies: your support users and admins must be allowed to log on to all servers and must be added to the “Remote Assistance users” (usually using GPO).
So, in other words, you must have domain trusts that allow your support team to log in on any farm with the same user account.

Step 1 : Setting up Director…
The basic installation:

1- Install Director
2- Make sure “Citrix Command Remoting Service” is running on all XenApp Servers.

– If it’s not, the CRL (Certificate Revocation List) check might be the cause. Create a CitrixXenAppCommandsRemoting.exe.config file in the same folder as CitrixXenAppCommandsRemoting.exe (which is the .exe of the service).
(See the “exe.config” further down on this page for details).

3- Add the XenApp 6.5 servers (ZDC) to the “Service.AutoDiscoveryAddressesXA” in Director’s IIS Site.

– ZdcServer1.domaine1.local,ZdcServer2.domaine2.local,ZdcServer3…

4- Modify the “Connector.WinRM.Ports” to only “5985” (remove 80)
5- Change “UI.EnableSslCheck” to “False”
6- Install the “Director Windows Management Instrumentation Provider” service from the Director installation files.

– If the installation fails at “Starting service”, don’t cancel; go to the installation folder and create “DirectorWMIProviderHost.exe.config”.
(See the “exe.config” further down on this page for details)

7- Run the following command on all XenApp servers to add your support users to the WinRM Authorized users (ConfigRemoteMgmt.exe is available with the Director’s source files) :

– ConfigRemoteMgmt.exe /ConfigWinRMUser Domain\GroupName /all

These first points are documented… but it only works for the same domain. When you have multiple domains, you get “WinRM Access Denied” or “Server not available” when polling servers that are not in the same domain as your Director server.

So let’s fix it.

 

Adding additional farms/domains to Director:

*Note: I did not include the Firewall rules… it’ll be up to you to open the ports.
1- Add all “ZDC Servers” to the “WinRM Trusted Hosts” on the Director Server.
(*Note: “WinRM Trusted Hosts” allows you to send remote commands to those hosts and needs to be configured on the Director server. You do not need to add “WinRM Trusted Hosts” on the XenApp servers.)

– Using GPO :
Adm. Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Client

Or

– Using Powershell :
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "ComputerName1,ComputerName2" -Force
Or
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

*Note: Using “*” as a wildcard instead of host names will allow any target server but might represent a security risk.

2- Change IIS default behaviour so it forwards the user name instead of using “Anonymous”

– Go to the “Application Pool” and enable “Form Authentication”

3- Change the Director option to enable “User Search” in the different domains.

– Add the extra domains by changing the following Director option: “Connector.ActiveDirectory.Domains” to “(user),(server),Domain2.local”
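
Step 1 with an explicit host list instead of “*”, as an added PowerShell example (not part of the original post or of Citrix’s tooling): it merges the ZDC names into whatever is already in TrustedHosts, refuses to build on a wildcard entry, and then checks that each ZDC answers on port 5985. The server names are placeholders following the naming pattern used above, and the function names are hypothetical; run it elevated on the Director server.

```powershell
# Added example. Host names are placeholders; replace with your own ZDC FQDNs.
$ZdcServers = @(
    'ZdcServer1.domaine1.local',
    'ZdcServer2.domaine2.local'
)

function Add-WinRMTrustedHost {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = [string](Get-Item -Path $path).Value

    # Leave a wildcard alone: merging names into "*" would hide the fact that
    # every host is already trusted. Tighten it by hand first.
    if ($current.Trim() -eq '*') {
        Write-Warning 'TrustedHosts is "*"; replace it with an explicit list first.'
        return $current
    }

    # Split the existing comma-separated value, drop empties, add the new names,
    # and de-duplicate (Sort-Object -Unique is case-insensitive).
    $existing = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $merged   = @($existing + $ComputerName | Sort-Object -Unique)

    Set-Item -Path $path -Value ($merged -join ',') -Force
    return (Get-Item -Path $path).Value
}

function Test-ZdcListener {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        try {
            # Unauthenticated WS-Man identify request: proves that DNS, firewall
            # and the HTTP listener on 5985 work, not that a user is authorized.
            $null = Test-WSMan -ComputerName $name -Port 5985 -ErrorAction Stop
            New-Object psobject -Property @{ Server = $name; Reachable = $true;  Error = $null }
        } catch {
            New-Object psobject -Property @{ Server = $name; Reachable = $false; Error = $_.Exception.Message }
        }
    }
}

Add-WinRMTrustedHost -ComputerName $ZdcServers
Test-ZdcListener -ComputerName $ZdcServers | Format-Table Server, Reachable, Error -AutoSize
```

Entries in TrustedHosts are hosts the WinRM client will authenticate to without verifying the server’s identity, which is why the list should stay limited to the ZDC servers Director actually queries.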

That’s it!
Multiple farms, different domains and one portal for your tech team to support.
If you search a user… it should look something like this…

[Screenshot: D_User]

.exe.config (Disabling CRL)

Files:
– CitrixXenAppCommandsRemoting.exe.config
– DirectorWMIProviderHost.exe.config

*Note : Both files contain the same thing. Disabling CRL for all .Net applications on the server is also possible but might be a security risk.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false" />
  </runtime>
</configuration>
