Deploy XenApp with the Secure Browser Service

Contents

Overview

As applications are ported to the web, users must rely on multiple browser vendors and versions to achieve compatibility with web-based apps. If the application is an internally hosted application, organizations are often required to install and configure complex VPN solutions to provide access to remote users. Typical VPN solutions require a client-side agent that must also be maintained across numerous operating systems. 

With the XenApp Secure Browser, users can have a seamless web-based application experience where a hosted web-based application simply appears within the user’s preferred local browser. For example, a user’s preferred browser is Mozilla Firefox but the application is only compatible with Microsoft Internet Explorer. XenApp Secure Browser displays the Internet Explorer-compatible application as a tab within the Firefox browser.

This document describes how to deploy XenApp with the Secure Browser service using the XenApp Secure Browser blueprint available in Citrix Smart Tools. 

Back to top

What does the blueprint do?

This blueprint includes scripts that perform the following tasks:

  1. Install XenApp, including Citrix Licensing Server and StoreFront.
  2. Create a XenApp Site and StoreFront cluster.
  3. Join the provisioned machines to your existing domain.
  4. Publish a web application.

Provisioned Machine Configurations

The blueprint includes recommended configurations for each machine that Smart Tools provisions to the deployment. The following recommendations are displayed when you configure the VM for each machine tier in the deployment. 

For all machines: 

  • Operating system: Windows Server 2012 R2 Datacenter Edition
  • Storage available in the resource location: 50 GB 
Machine Type Recommended vCPUs Recommended Memory (GB)
Staging Server 2 2
Citrix License Server 2 4
Delivery Controller 1 4 8
Delivery Controller 2 4 8
StoreFront 1 4 8
StoreFront 2 4 8
Browser VDA 4 16

Back to top

Which browsers are supported?

The blueprint supports publishing to Microsoft Internet Explorer and Google Chrome browsers.

Back to top

Which resource locations are supported?

You can deploy the blueprint on the following resource location types:

  • Citrix XenServer 6.2 and 6.5
  • VMware vSphere 5.1 and 5.5

Back to top

What do I need to use this blueprint?

To use this blueprint, you need the following items: 

  • An active Subscription Advantage agreement with Citrix.
  • Access to Citrix Cloud. To create an account, visit https://citrix.cloud.com and click Sign Up and Try It Free.   
  • Access to the Smart Tools service. To request access, log on to Citrix Cloud and click Request Trial from the Citrix Cloud home page. When your request is approved, return to the Citrix Cloud home page and click Manage to access Smart Tools.

Back to top

Prepare for deployment

Before you deploy the XenApp Secure Browser blueprint, use the following tasks to prepare your environment.

Prep Task 1: Identify the domain and disable Group Policy inheritance

Locate the Active Directory domain in your environment where the XenApp deployment will be created. You will need to supply this domain when you configure the blueprint during deployment.

Additionally, Citrix recommends temporarily disabling Group Policy inheritance on the root Organizational Unit (OU) that you will use to deploy these blueprints (specified in the blueprint's OU Path parameter) so that no policies interfere with the deployment process. After the deployment is finished and testing is complete, you can re-enable policy inheritance on the OU. 

Prep Task 2: Name your servers (optional)

When you deploy the blueprint, you can supply server names for the machines Smart Tools provisions or you can accept the default names that Smart Tools assigns. The following table lists the default server names that are assigned:

Machine Type Default server name
Staging Server CTX-Stage
Citrix License Server CTX-LIC-001
Delivery Controller 1 CTX-XDC-001
Delivery Controller 2 CTX-XDC-002
StoreFront 1 CTX-SFC-001
StoreFront 2 CTX-SFC-002
Browser VDA CTX-RDS-001

Prep Task 3: Set up service accounts

The general service account you use must allow you to perform installations, create AD objects, and execute scripts in your deployment. You can use different accounts for different server roles if you wish.

For more information about creating the general service account, refer to https://technet.microsoft.com/en-us/library/cc739458(v=ws.10).aspx on the Microsoft web site.

For more information about the database access permissions required for XenApp, see CTX127998 on the Citrix Support web site.

Important considerations for accounts

This blueprint supports deployment to a single Active Directory domain that you specify. Therefore, the accounts that you specify -- existing accounts as well as accounts that the blueprint creates -- must reside in this domain. 

All accounts must be specified in down-level format (NetBIOSDomainName\UserName); for example, contoso\BobS. If you are deploying the blueprint in a disjoint NetBIOS environment, provide the NetBIOS domain name which might be different from the DNS domain name. For more information about name requirements, see https://support.microsoft.com/en-us/kb/909264. 

Prep Task 4: Locate files

When you deploy this blueprint, you will need to supply the location of the XenApp 7.8 ISO that Smart Tools will use to install XenApp. During deployment, you will supply this location as a fully qualified UNC path or as a local file path. 

Prep Task 5: Prepare a VM template

When you deploy this blueprint, you can allow Smart Tools to provision new VMs to your resource location or you can select machines that exist already in your environment. If you elect to provision the new machines that are specified by the blueprint, Smart Tools uses a VM template that you prepare which resides in your hypervisor environment. For more information about preparing VM templates for use with XenServer and vSphere resource locations, see Prepare Windows Server templates for deploying blueprints

You can specify different VM templates for each machine tier that you configure. For example, you can specify a VM template for provisioning the Delivery Controller and a different VM template for the StoreFront server. The VM templates that you prepare for this blueprint must be running Windows 2012 R2 Datacenter Edition

To ensure a smooth deployment experience, Citrix recommends installing .NET 3.5 on the VM template you prepare for provisioning the database server. If .NET 3.5 is not present on the template, Smart Tools will attempt to download and install it during blueprint deployment. However, if Smart Tools cannot complete the download due to connectivity issues with Windows Update, the deployment will fail. 

About IP addresses

Citrix recommends deploying this blueprint to your resource location using static IP addresses. You can specify static IP addresses using one of the following methods:

  • If you are deploying the blueprints to a VMware vSphere resource location, you can specify static IP addresses when you configure each new VM that Smart Tools will provision.
  • If you have existing machines that are already configured with static IP addresses, you can specify these machines when you deploy the blueprint. 

Important: Existing machines must have the Smart Tools Agent installed so that Smart Tools can detect them in your resource location. For more information about installing the agent, see Install or remove the Citrix Smart Tools Agent. 

Prep Task 6: Add your resource location to Smart Tools

To deploy this blueprint, you need to add your hypervisor environment to Smart Tools as a resource location. You can add your resource location during the blueprint deployment process; however, Citrix recommends doing this before deployment to save time and ensure a smoother deployment experience.

To add a resource location to Smart Tools, you need to have a machine available in your host environment that can act as the connector between your host environment and Smart Tools. To be designated as a connector, the machine must have the Citrix Smart Tools Agent installed. 

For instructions for downloading and installing the Smart Tools Agent and adding your resource location, see the following Smart Tools topics:

Note: You can also add your resource location during the blueprint deployment process. However, adding it beforehand can save you some time and ensure a smoother deployment experience.

Back to top

Deploy the blueprint

Deploying these blueprints follows the same workflow that you follow for any blueprint in the Blueprint Catalog. For more information about this workflow, refer to the following topics in Deploy blueprints:

Save time by downloading configuration settings from the Pre-Deployment Checklist

When you deploy these blueprints, you will need to configure a number of blueprint settings such as service account and file locations. To save time and minimize errors during deployment, consider downloading these settings beforehand as a CSV file that you can update and import to the blueprint. The CSV file contains complete descriptions for each setting so you can enter the right information in the correct format. 

The CSV file is available from the blueprint's Pre-deployment Checklist. You can access the checklist by:

  • Viewing the blueprint in the Blueprint Designer. On the Overview tab, click Preview pre-deployment checklist.
  • Deploying the blueprint. The Pre-deployment Checklist displays automatically after you supply the resource location where you want to deploy the blueprint. 

On the Pre-deployment Checklist, scroll down to the bottom and click Export parameter list (.csv).

To update the parameters in the CSV file, open the file in a spreadsheet application or text editor. After you have updated the CSV file with the required values, you can import it at the Configuration step in the blueprint deployment process. 

Important: When you export the blueprint's CSV file, commas included in parameter entries are automatically converted to semicolons. So, when you update these values in the CSV file, be sure to use semicolons. When you import the CSV file, Smart Tools converts all semicolons back to commas. After you import the CSV file, carefully review your entries to ensure they are correctly formatted.

Back to top

Perform post-deployment tasks

This section describes the tasks you should perform after deploying the XenApp Secure Browser blueprint.

Secure your deployment

Securing your XenApp deployment is important. If you choose to do so using the Secure Sockets Layer (SSL) security protocol, you must generate, distribute, and install SSL certificates to secure the communication within the deployment. This may include the following tasks, none of which is implemented by the blueprint.

Secure this component... By establishing...
XML SSL communication between StoreFront servers and Delivery Controllers
Virtualization infrastructure SSL communication between the virtualization infrastructure and the Delivery Controller
Virtual desktops SSL communication between users’ endpoints and the Virtual Delivery Agent on virtual desktops
StoreFront SSL communication between users’ endpoints and StoreFront servers
Database SSL communication between the servers running the XenApp and XenDesktop databases and the Delivery Controller

Remove temporary objects

For security and good housekeeping, consider removing any objects such as media locations and reverting any temporary changes (for example, GPO policies and database permissions) that you created or put in place during blueprint design and deployment. Also, consider disabling the general service account for a period of time (for example, 1-2 weeks) before deleting. If no issues arise in your deployment during that time, you can delete the account. Additionally, if you disabled Group Policy inheritance to ensure unimpaired blueprint deployment, re-enable it after you have completed testing of the deployment. Finally, be sure to remove the Staging VM.

Add users to Active Directory security groups for the deployment

Before you can use Studio or Citrix License Server to administer your new Site, add the appropriate users to the XenApp and Licensing groups that the blueprint creates during deployment. When you deploy the blueprint, you can specify these group names or you can allow the blueprint to use the default group name. The following table shows the blueprint input parameters and the default names for each group.

Group Type Blueprint input parameter for specifying the group name Default group name created by blueprint
XenApp XA-XD-AdminGroup CTX_RES_XDC_Admins
Citrix Licensing LicenseServerAdminGroup CTX_RES_LIC_Admins

Refine application access behavior

After deploying the blueprint, you can log on to the machines Smart Tools deployed and verify the following items:

  • The VDA is created with browsers and plugins installed.
  • The stores that are available for StoreFront. 

At this stage, you can configure XenApp to refine the access, scope, and behavior of the applications using Machine Catalogs and Delivery Groups. You can use Machine Catalogs to power manage the machines and control users’ application experience. With Delivery Groups, you can control who can access the applications you make available. 

For more information about Machine Catalogs and Delivery Groups, see http://docs.citrix.com.

For additional configuration guidance for XenApp Secure Browser, see http://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/Secure%20Browser%20-%20Deployment%20Guide.pdf

Back to top

0 Comments