Auto-Launching Citrix XenApp Applications
This
Before You Begin

Review the following:
- Verify that the Citrix XenApp environment is functioning normally, independent of Imprivata, before installing and configuring Imprivata components.
- Review the Imprivata Enterprise Access Management with SSO Supported Components to confirm that your environment meets all of the minimum or recommended Citrix requirements.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Virtual Desktop Access. If your virtual environment is configured correctly for session persistence, Imprivata Virtual Desktop Access seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.
NOTE: For more information about configuring session persistence, see your vendor-specific documentation.
Imprivata Virtual Desktop Access reconnects to any existing application sessions, including those that:
- You have configured the user policy to automatically launch.
- Users have launched manually.
BEST PRACTICE: Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the Citrix broker roams the session that the user was previously using. For more information about configuring application delivery, see the Citrix documentation.

Session persistence maintains the connection between an endpoint and the Citrix Storefront after load balancing is performed. A common way to maintain session persistence is to use the endpoint source IP address. However, customers who use Network Address Translation (NAT) in front of a NetScaler load balancer cannot use this persistence method, because endpoints appear to have the same IP address at the load balancer.
Those customers must use the NetScaler COOKIEINSERT session persistence method. This method causes the NetScaler to insert a cookie into client requests, which the NetScaler uses to track the server to which the connection belongs.
To enable session persistence using COOKIEINSERT, perform this procedure after you have completed all steps in the main Installation Sequence section further below.
- Configure the Citrix NetScaler’s Persistence type to be COOKIEINSERT and specify a cookie name to use, for example, persistcookie.
- Specify the same cookie name in your endpoints using either method a or b. In both methods, VALUE is the cookie name you specified in the Citrix NetScaler:
  - For Imprivata ProveID Embedded Linux endpoints: Add a new configuration option to the imprivata.conf configuration file on the endpoints, using one of two methods:
    - Add this new section to the imprivata.conf file:
      [citrix]
      cookie-insert = VALUE
    - Or run this command from the endpoint system prompt:
      /usr/lib/imprivata/runtime/bin/configuration-editor citrix --cookie-insert VALUE
  - For Windows endpoints: Configure the cookie name using this Registry key:
    HKLM\Software\SSOProvider\VDI\CookieInsertName String VALUE;
- Reboot the endpoints.
Troubleshooting
An Imprivata agent log file entry that indicates a problem with this session persistence method is:
Failed to get COOKIEINSERT token – The Imprivata agent failed to get the cookie from the header.
Make sure that the cookie names are the same on the NetScaler and the endpoints.
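The cookie-name check above can be scripted for ProveID Embedded Linux endpoints. The following is an added example, not Imprivata code: it assumes imprivata.conf parses as a standard INI file, and the function names, host names, sample file contents and log line format are constructed for illustration. Only the [citrix] section, the cookie-insert option and the log message text come from this page.

```python
import configparser

# Agent log text quoted on this page; the surrounding log line format is assumed.
LOG_MARKER = "Failed to get COOKIEINSERT token"


def endpoint_cookie_name(conf_text):
    """Return the cookie-insert value from the [citrix] section, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get("citrix", "cookie-insert", fallback=None)


def check_endpoint(conf_text, netscaler_cookie, log_lines=()):
    """List reasons this endpoint would not present the NetScaler's cookie."""
    findings = []
    try:
        name = endpoint_cookie_name(conf_text)
    except configparser.Error as exc:
        return [f"unparseable: {type(exc).__name__}"]
    if name is None:
        findings.append("missing: no cookie-insert option in a [citrix] section")
    elif name == "VALUE":
        findings.append("placeholder: the literal VALUE was never replaced")
    elif name != netscaler_cookie:
        # Compare exactly; a case-only difference is reported separately
        # because it is easy to miss when reading the two settings by eye.
        kind = "case" if name.lower() == netscaler_cookie.lower() else "name"
        findings.append(f"{kind} mismatch: {name!r} != {netscaler_cookie!r}")
    hits = sum(LOG_MARKER in line for line in log_lines)
    if hits:
        findings.append(f"agent log: {hits} line(s) with {LOG_MARKER!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one endpoint configured correctly, one with a typo.
    samples = {
        "kiosk-01": "[citrix]\ncookie-insert = persistcookie\n",
        "kiosk-02": "[citrix]\ncookie-insert = PersistCookie\n",
    }
    log = ["12:00:01 agent: Failed to get COOKIEINSERT token"]  # constructed
    for host, text in samples.items():
        lines = log if host == "kiosk-02" else ()
        print(host, check_endpoint(text, "persistcookie", lines))
```

An empty list means the endpoint's cookie name matches the NetScaler's exactly and no failure entries were found in the supplied log lines.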

After installing Citrix Workspace app, additional configuration is required to support Enterprise Access Management.
If you have not completed the configuration, see Configuring Citrix Workspace App for Imprivata Enterprise Access Management.

Stores that are configured with a XenApp Services URL must be enabled for pass-through authentication. See this Citrix Documentation topic for configuration details.

Imprivata agents communicate with known Citrix stores. The URL required to configure the Imprivata agent connection to Citrix depends on how the Citrix store is configured:
- Store URL – If the store is configured with a Store URL, the Imprivata agent communicates with Citrix using the respective Web Site URL.
  Example: If the store is configured with https://example.com/Citrix/SalesStore, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStoreWeb.
- XenApp Services URL – If the store is configured with a XenApp Services URL (the Storefront legacy URL or the Storefront URL), the Imprivata agent communicates with Citrix using the same XenApp Services URL.
  Example: If the store is configured with https://example.com/Citrix/SalesStore/PNAgent/config.xml, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStore/PNAgent/config.xml.

Note the exact name for each XenApp application you want to auto-launch, as they appear in the Citrix Web Interface or Citrix StoreFront. If you do not have access to the same applications as the end user, this information can be found in Citrix Studio under the Application Settings > Identification > Application name (for user): field. Configuring the Imprivata connection to the Citrix environment requires that you enter each name with the same spelling, spacing, and capitalization.
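Because the match on spelling, spacing and capitalization is exact, it helps to compare the names you plan to enter against the names as published before saving them. The following is an added example, not part of the Imprivata or Citrix tooling: the function names and the application names are constructed, and the published list is assumed to have been copied from Citrix Studio by hand.

```python
import unicodedata


def fold(name):
    """Reduce a name to what the eye sees: Unicode form, case, single spaces."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def check_app_names(published, configured):
    """Map each configured name to (status, exact published name or None).

    status is "ok" for an exact match, "near-miss" when the name differs only
    in case, spacing or look-alike whitespace, and "unknown" otherwise.
    """
    exact = set(published)
    by_fold = {}
    for name in published:
        by_fold.setdefault(fold(name), name)
    report = {}
    for name in configured:
        if name in exact:
            report[name] = ("ok", name)
        elif fold(name) in by_fold:
            report[name] = ("near-miss", by_fold[fold(name)])
        else:
            report[name] = ("unknown", None)
    return report


if __name__ == "__main__":
    # Constructed names: the first list as published, the second as typed.
    published = ["Sales Orders", "Lab Results Viewer"]
    configured = [
        "Sales Orders",             # exact
        "sales orders",             # capitalization differs
        "Lab  Results Viewer",      # doubled space
        "Lab\u00a0Results Viewer",  # non-breaking space pasted from a document
        "Order Entry",              # not published at all
    ]
    for name, (status, exact) in check_app_names(published, configured).items():
        print(f"{status:9} {name!r} -> {exact!r}")
```

Every entry reported as near-miss or unknown should be corrected to the exact published name before it is entered in the Imprivata Admin Console.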

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Enterprise Access Management:
- User name and password
- Domain pass-through
- HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.
To configure the required authentication methods:
- Open Citrix Studio.
- Go to Citrix StoreFront > Receiver for Web.
- Select the store you want to manage.
- In the Store Web Receiver pane, click Choose Authentication Methods.
- Click Add/Remove Methods and enable the required methods.
Review the Expected User Workflow
The following diagram illustrates the expected workflow when the Enterprise Access Management environment is configured to automatically launch Citrix XenApp applications.
Installation Sequence

Before you install the Imprivata agent on endpoint computers, perform the following steps to ensure your Citrix XenApp environment is installed and configured correctly.
- Install the Citrix XenApp Server software.
- Install Citrix Web Interface software or Citrix Storefront.
- Install a supported version of Citrix Workspace app on all endpoint computers where you plan to install the Imprivata agent.
- Install and configure the XenApp published applications to be used.
- Verify the Citrix XenApp store settings and note the respective store URLs (Web Site or XenApp Services URL). Consult the Citrix user documentation for more details.

To install the Imprivata agent on the Citrix Server, follow the directions for installing an Imprivata Citrix or Terminal Server Agent.

See

Configuring the Imprivata agent connection to Citrix requires:
- One or more Citrix store URLs
- The names of the published applications
To configure the connection:
- In the Imprivata Admin Console, go to the Computers menu > Virtual Desktops page > Citrix XenApp section.
- In the first field, enter a Web Site URL or a XenApp Services URL.
- From Authenticate using, select the type of credentials that apply to the applications on the specified server.
  BEST PRACTICE: To configure applications to auto-launch and roam, select Imprivata user credentials or External domain credentials. To auto-launch without application roaming, you can select any credential type.
- In the second field, enter the exact name of the XenApp application that you want to auto-launch. Enter the name with the same spelling, spacing and capitalization as it appears in the Citrix Web Interface or Citrix StoreFront. Click Add to configure more applications.
- Optional — For externally hosted XenApp servers, enter the domain name for external domain credentials (such as mycompany.com).
- Optional — If some XenApp applications are hosted on a second server, click Add another server and repeat the steps above.
- Select Allow authentication from XenApp-enabled devices.
- Click Save.

After you configure the Imprivata connection to Citrix XenApp, create and apply a user policy to auto-launch published applications. You can set up multiple policies that launch different sets of applications.
Step 5a: Create a User Policy
To create a user policy:
- In the Imprivata Admin Console, go to the Users menu > User policies page.
  You can select an existing user policy from the list, or make a copy of the Default User Policy as a starting point. If you want to edit an existing user policy, click the existing user policy name, and skip to step 5.
- To copy the Default User Policy, select Default User Policy, then click Copy.
- Click Default User Policy (2).
- Rename the user policy in the Policy Name field.
- Click the Virtual Desktops tab.
- Select Enable virtual desktop automation.
- Select Automate access to applications or published desktops. The XenApp applications that you configured in Step 4: Configure the Imprivata Connection to XenApp are listed in two panes.
- Select a roaming option:
  - Roam open applications — Select this option to roam all applications with an active session. This includes applications that are configured to automatically launch, as well as those that a user has manually launched.
  - Roam automatically launched applications — Select this option to roam applications that are configured to automatically launch:
    - If an application session is present, only the automatically launched application is roamed.
    - If an application session is not present, the application is automatically launched again.
    NOTE: Under certain circumstances, applications that users manually launch are also roamed. This typically happens when the session is present, and the application is hosted on the same Citrix server as the applications that are configured to automatically launch.
- In the left pane, select the Citrix XenApp applications to be launched automatically at login. Make no selections in the right pane.
- Click Save.
Step 5b: Apply a User Policy
To apply the user policy:
- In the Imprivata Admin Console, go to the Users menu > Users page.
- Select the users to which you want to apply the user policy.
  You can view additional pages of the Users list without losing your selections. Imprivata keeps track of all the users you have selected and displays a counter at the top of the page.
  BEST PRACTICE: To select multiple users more efficiently, use the Search for Users tool at the top of the Users page. Search for Users offers several search parameters for refining your results.
- Click Apply Policy.
- Choose the policy from the drop-down list, then click OK.

Create a computer policy for the endpoint computers that are supporting published applications.
Step 6a: Create a Computer Policy for Endpoint Computers
To create the computer policy:
- In the Imprivata Admin Console, go to the Computers menu > Computer policies page.
  You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point. If you want to edit an existing computer policy, click the existing computer policy name, and skip to step 5.
- To copy the Default Computer Policy, select Default Computer Policy, then click Copy.
- Click Default Computer Policy (2).
- Rename the computer policy in the Name field.
- Go to the Virtual Desktops tab > Citrix XenApp section.
- Select Automate access to Citrix XenApp to have Imprivata automatically handle login behavior for Citrix XenApp.
- You can control the behavior when an endpoint computer is locked. Under When a XenDesktop endpoint is locked, choose one of the following:
  - Keep the XenApp client and user session active — Preserves the user session. When a user logs back in to this endpoint computer (or another endpoint computer with XenApp enabled), their XenApp applications are preserved just as they were when this endpoint computer was locked.
  - Shutdown the XenApp client and disconnect the user session — Helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled), their XenApp applications relaunch.
- Optional — For ProveID Embedded devices, select Enable Published Applications to enable automatically-launched published applications.
- Select the servers that the endpoint computers should use.
- Click Save.
Step 6b: Apply a Computer Policy to Endpoint Computers
Apply the computer policy you just created to endpoint computers.
Manually Assigning the Computer Policy
To assign the computer policy:
- In the Imprivata Admin Console, go to the Computers menu > Computers page.
- Select the computers to which you want to apply the computer policy. You can use Search for Computers to enter search criteria.
- Select Apply Policy.
- Select Choose a policy for selected computers, select the policy from the list, and then click Apply Policy.
Automatically Assigning the Computer Policy
Computer policy assignment rules let you assign a policy to existing endpoint computers and make sure that the policy is automatically assigned to endpoint computers that are added later.
To automatically assign the computer policy:
- In the Imprivata Admin Console, go to the Computers menu > Computer Policy Assignment page.
- Click Add New Rule.
- Name the rule and select the assignment criteria.
- Select the policy you created and click Save.

In this implementation, if the user manually closes every open Citrix XenApp application, the local desktop will lock automatically, even if the user has applications in use on the local endpoint computer. This behavior is dependent on application state being "disconnected".
To prevent this behavior, create the DisableLocking registry key with a Data Type of DWORD and a Value of 1 in one of the following locations:
- 64-bit computers: HKLM\Software\SSOProvider\VDI
NOTE: With the value set to 1, if the user leaves Workstation 1 without securing the desktop, then logs into Workstation 2, his XenApp published applications will roam with him to Workstation 2, but Workstation 1's desktop will remain open and unsecured.
Troubleshooting
Optimizing Citrix XenApp Session Sharing
In certain network environments, session sharing does not occur when users start multiple XenApp applications at the same time.
To optimize resource consumption, you can minimize this behavior by extending the period Citrix waits for an application to start before it starts the second application in a second session. The default time-out value is 20 seconds.
To extend the time-out period, add the registry key SucConnTimeout to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\WFClient\ with a Data Type of REG_STRING and a Value of <20 or more seconds>.