Configuring Citrix XenApp Published Desktops

This topic includes information about configuring Imprivata support for Citrix XenApp® published desktops.

Download a PDF of this guide

Before You Begin

Review the following:

  • Verify that the Citrix XenApp environment is functioning normally, independent of Imprivata, before installing and configuring Imprivata components.

  • Review the Imprivata Enterprise Access Managementwith SSO Supported Components matrix to confirm that your environment meets all of the minimum or recommended Citrix and endpoint device requirements.

Session persistence (roaming) is managed by your virtual environment, not Imprivata Virtual Desktop Access. If your virtual environment is configured correctly for session persistence, Imprivata Virtual Desktop Access seamlessly roams user sessions, on authentication, to the endpoint computers in your environment.

NOTE: For more information about configuring session persistence, see your vendor–specific documentation.

Imprivata Virtual Desktop Access reconnects to any existing application sessions, including those that:

  • You have configured the user policy to automatically launch.

  • Users have launched manually.

BEST PRACTICE: Limit the delivery of an application to one instance per user. If the application is distributed across multiple servers in the farm, limiting the instance ensures that the Citrix broker roams the session that the user was previously using. For more information about configuring application delivery, see the Citrix documentation.

Session persistence maintains the connection between an endpoint and the Citrix Storefront after load balancing is performed. A common way to maintain session persistence is to use the endpoint source IP address. However, customers who use Network Address Translation (NAT) in front of a NetScaler load balancer cannot use this persistence method, because endpoints appear to have the same IP address at the load balancer.

Those customers must use the NetScaler COOKIEINSERT session persistence method. This method causes the NetScaler to insert a cookie into client requests, which the NetScaler uses to track the server to which the connection belongs.

To enable session persistence using COOKIEINSERT, perform this procedure after you have completed all steps in the main Installation Sequence section further below.

  1. Configure the Citrix NetScaler’s Persistence type to be COOKIEINSERT and specify a cookie name to use, for example, persistcookie.

  2. Specify the same cookie name in your endpoints using either method a or b.

    In both methods, VALUE is the cookie name you specified in the Citrix NetScaler:

    1. For Imprivata ProveID Embedded Linux endpoints:

      Add a new configuration option to the imprivata.conf configuration file on the endpoints, using one of two methods:

      • Add this new section to the imprivata.conf file:

        [citrix]

        cookie-insert = VALUE

      • Or run this command from the endpoint system prompt:

        /usr/lib/imprivata/runtime/bin/configuration-editor citrix --cookie-insert VALUE

    2. For Windows endpoints:

      Configure the cookie name using this Registry key:

      HKLM\Software\SSOProvider\VDI\CookieInsertName String VALUE;

  3. Reboot the endpoints.

Troubleshooting

An Imprivata agent log file entry that indicates a problem with this session persistence method is:

Failed to get COOKIEINSERT token – The Imprivata agent failed to get the cookie from the header.

Make sure that the cookie names are the same on the NetScaler and the endpoints.

After installing Citrix Workspace app, additional configuration is required to support Enterprise Access Management.

If you have not completed the configuration, see Configuring Citrix Workspace App for Imprivata Enterprise Access Management.

Stores that are configured with a XenApp Services URL must be enabled for prompt authentication. See this Citrix Documentation topic for configuration details.

Imprivata agents communicate with known Citrix stores. The URL required to configure the Imprivata agent connection to Citrix depends on how the Citrix store is configured:

  • Store URL – If the store is configured with a Store URL, the Imprivata agent communicates with Citrix using the respective Web Site URL.

    Example: If the store is configured with https://example.com/Citrix/SalesStore, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStoreWeb.

  • XenApp Services URL – If the store is configured with a XenApp Services URL (the Storefront legacy URL or the Storefront URL), the Imprivata agent communicates with Citrix using the same XenApp Services URL.

    Example: If the store is configured with https://example.com/Citrix/SalesStore/PNAgent/config.xml, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStore/PNAgent/config.xml.

Note the exact name, as it appears in the Citrix Web Interface or Citrix StoreFront, for each XenApp published desktop and application you want to auto-launch. Configuring the Imprivata connection to the Citrix environment requires that you enter each name with the same spelling, spacing, and capitalization.

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Enterprise Access Management:

  • User name and password

  • Domain pass-through

  • HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

  1. Open Citrix Studio.

  2. Go to Citrix StoreFront > Receiver for Web.

  3. Select the store you want to manage.

  4. In the Store Web Receiver pane, click Choose Authentication Methods.

  5. Click Add/Remove Methods and enable the required methods.

Review the Expected User Workflow

The following diagram illustrates the expected workflow when the Enterprise Access Management environment is configured to automatically launch a desktop.

Installation Sequence

Before you install the Imprivata agent on endpoint computers, verify that the Citrix XenApp environment is installed and configured correctly:

  1. Install the Citrix XenApp Server software.

  2. Install the Citrix Web Interface software or Citrix Storefront.

  3. Install a supported version of Citrix Workspace app on all endpoint computers where you plan to install the Imprivata agent.

  4. Install and configure the XenApp published applications to be used.

  5. Verify the Citrix XenApp store settings and note the respective store URLs (Web Site or XenApp Services URL). See the Citrix user documentation for more details.

To install the Imprivata agent on the Citrix Server, follow the directions for installing a Imprivata Citrix or Terminal Server Agent in Deploying the Imprivata Citrix or Terminal Server Agent.

See Deploying the Imprivata Agent for instructions on installing agents. Choose the method that suits your environment.

NOTE: To configure Imprivata for ProveID Embedded Linux thin clients, skip this step and see the following topic: Configuring ProveID Embedded on Linux Thin Clients.

Configuring the Imprivata agent connection to XenApp requires:

  • One or more Citrix store URLs.

  • The names of the desktops and published applications to be available for auto-launch.

To configure the connection:

  1. In the Imprivata Admin Console, go to the Computers menu > Virtual Desktops page > Citrix XenApp section.

  2. In the first field, enter a Web Site URL or XenApp Services URL.

  3. In the second field, enter the exact name of the XenApp published desktop application. Enter the name with the same spelling, spacing, and capitalization as it appears in the Citrix Web Interface or Citrix StoreFront.

  4. Optional — Click Add to configure more published applications. For example, you can add applications to launch on the published desktop.

  5. From Authenticate using, select the type of credentials that apply to the applications on the specified server.

    BEST PRACTICE: To configure applications to auto-launch and roam, select Imprivata user credentials or External domain credentials. To auto-launch without application roaming, you can select any credential type.

  6. Optional — For externally hosted XenApp servers, enter the domain name for external domain credentials (such as mycompany.com) .

  7. Optional — If some XenApp applications are hosted on a second server, click Add another server and repeat the steps above.

  8. Select Allow authentication from XenApp-enabled devices.

  9. Click Save.

After you configure the Imprivata connection to Citrix XenApp, create and apply a user policy to auto-launch the published desktop application. You can set up multiple policies to launch different desktops.

Step 5a: Create a User Policy

To create a user policy:

  1. In the Imprivata Admin Console, go to the Users menu > User policies page.

    You can select an existing user policy from the list, or make a copy of the Default User Policy as a starting point. If you want to edit an existing user policy, click the existing user policy name, and skip to step 5.

  2. To copy the Default User Policy, select Default User Policy, then click Copy.

  3. Click Default User Policy (2).

  4. Rename the user policy in the Policy Name field.

  5. Click the Virtual Desktops tab.

  6. Select Enable virtual desktop automation.

  7. Select Automate access to apps or published desktops.

  8. Select a roaming option:

    • Roam open applications — Select this option to roam all applications with an active session. This includes applications that are configured to automatically launch, as well as those that a user has manually launched.

    • Roam automatically launched applications — Select this option to roam applications that are configured to automatically launch:

      • If an application session is present, only the automatically launched application is roamed.

      • If an application session is not present, the application is automatically launched again.

    NOTE: Under certain circumstances, applications that users manually launch are also roamed. This typical happens when the session is present, and the application is hosted on the same Citrix server as the applications that are configured to automatically launch.

  9. To enable the published desktop application:

    • In the left pane, select only the full desktop application.

    • To enable XenApp applications to launch on the published desktop, select applications in the right pane:

  10. Click Save.

Step 5b: Apply a User Policy

To apply the user policy:

  1. In the Imprivata Admin Console, go to the Usersmenu > Users page.

  2. Select the users to which you want to apply the user policy.

    You can view additional pages of the Users list without losing your selections. Imprivata keeps track of all the users you have selected and displays a counter at the top of the page.

    BEST PRACTICE: To select multiple users more efficiently, use the Search for Users tool at the top of the Users page. Search for Users offers several search parameters for refining your results.

  3. Click Apply Policy.

  4. Choose the policy from the drop-down list and click OK.

Create and apply a computer policy for endpoint computers that are supporting the published desktop application.

Step 6a: Create a Computer Policy for Endpoint Computers

To create the computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer policies page.

    You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point. If you want to edit an existing computer policy, click the existing computer policy name, and skip to step 5.

  2. To copy the Default Computer Policy, select Default Computer Policy, then click Copy.

  3. Click Default Computer Policy (2).

  4. Rename the computer policy in the Name field.

  5. Go to the Virtual Desktops tab > Citrix XenApp section.

  6. Select Automate access to Citrix XenApp to have Imprivata automatically handle login behavior for Citrix XenApp.

  7. You can control the behavior when an endpoint computer is locked. Under When a XenDesktop endpoint is locked, choose one of the following:

    • Keep the XenApp client and user session active — Preserves the user session. When a user logs back in to this endpoint computer (or another endpoint computer with XenApp enabled), their XenApp applications are preserved just as they were when this endpoint computer was locked.

    • Shutdown the XenApp client and disconnect the user session — Helps optimize resource consumption and minimizes the total number of active sessions in use in the enterprise. When a user logs back into this endpoint computer (or another endpoint computer with XenApp enabled), their XenApp applications relaunch.

  8. Optional — For ProveID Embedded devices, select Enable Published Applications to enable manually-launched XenApp published applications.

  9. Select the Citrix XenApp servers for this computer policy.

  10. Click Save.

Step 6b: Apply a Computer Policy to Endpoint Computers

Apply the computer policy you just created to endpoint computers.

Manually Assigning the Computer Policy

To manually assign the computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computers page.

  2. Select the computers to which you want to apply the computer policy. You can use Search for Computers to enter search criteria.

  3. Click Apply Policy.

  4. Select Choose a policy for the selected computers, select the policy from the list, and click Apply Policy.

Automatically Assigning the Computer Policy

Computer policy assignment rules let you assign a policy to existing endpoint computers and make sure that the policy is automatically assigned to endpoint computers that are added later.

To automatically assign a computer policy:

  1. In the Imprivata Admin Console, go to the Computers menu > Computer Policy Assignment page.

  2. Click Add New Rule.

  3. Name the rule and select the assignment criteria.

  4. Select the policy you created and click Save.

BEST PRACTICE: When assigning a computer policy to ProveID Embedded thin clients only, select Imprivata agent type > ProveID Embedded.

In this implementation, if the user manually closes every open Citrix XenApp application, the local desktop will lock automatically, even if the user has applications in use on the local endpoint computer. This behavior is dependent on the application state being "disconnected".

To prevent this behavior, create the DisableLocking registry key with a Data Type of DWORD and a Value of 1 in one of the following locations:

  • 64—bit computers: HKLM\Software\SSOProvider\VDI

NOTE: With the value set to 1, if the user leaves Workstation 1 without securing the desktop, then logs into Workstation 2, his XenApp published applications will roam with him to Workstation 2, but Workstation 1's desktop will remain open and unsecured.

Troubleshooting

Optimizing Citrix XenApp Session Sharing

In certain network environments, session sharing does not occur when users start multiple XenApp applications at the same time.

To optimize resource consumption, you can minimize this behavior by extending the period Citrix waits for an application to start before it starts the second application in a second session. The default time-out value is 20 seconds.

To extend the time-out period, add the registry key SucConnTimeout to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\WFClient\ with a Data Type of REG_STRING and a Value of <20 or more seconds>.