As stated in Part 1 of this 2-part blog series, both Citrix and Microsoft have defined SPLA programs that enable a Citrix Service Provider (CSP) to deliver hosted shared desktops from a cloud. Here are the remaining steps to make it happen in YOUR datacenter.

Step 3: Create a Worker Group of worker machines
XenApp 6 has a neat feature called Worker Groups, where a worker group is basically a collection of XenApp servers, with which you can associate objects like published apps, policies, etc. You can define a worker group using the Active Directory OU which contains the worker machines reserved for a specific tenant (created in step 1). To create the worker group, use the Delivery Services Console or use the XenApp cmdlet shown below, while registering a tenant.

New-XAWorkerGroup -WorkerGroupName Tenant1WG -Description "WorkerGroup for Tenant1" `
-OUs "OU=Tenant1OU, DC=<domain>, DC=<domain suffix>"

Step 4: Publish the desktop
The next step is to publish the desktop to the tenant’s end-users. To do this, you can either use the Delivery Services Console or use the New-XAApplication cmdlet as shown below (yes – in XenApp-speak even a desktop is a type of published application). While publishing the desktop, assign it to the global group account (created in step 1) that represents the users of a tenant, and host it on the worker group created in step 3 above.

New-XAApplication -DisplayName "MyDesktop" -ApplicationType ServerDesktop `
-Accounts "<domain\group account>" -WorkerGroupNames "Tenant1WG"

Step 5: Configure the XenApp policies
The default XenApp policies are configured to deliver the best experience to an end-user without sacrificing performance or user-density on a server. However, there are a few user policies that you may want to consider tweaking – the table below shows a couple. For a full list of policies, please see the Policies node in the Delivery Services Console.

| Policy | Default value | Recommended value | Reason |
| --- | --- | --- | --- |
| UseLocalTimeOfClient | Use Server Time | Use Client Time | If you want the time of the client device to be used within the session. |
| AllowDirectConnectToPrintServer | True | False | To prevent the XenApp server in a CSP’s datacenter from attempting to directly connect to a print server that might be in the tenant’s office. |

You can configure these policies via an Active Directory GPO using GPEdit.exe or the script below. (For an excellent overview of XenApp policies as well as how to configure these using a script, see these blogs from Tom Kludy: XenApp 6: Group Policy Overview and XenApp 6: Group Policy Provider.)

Import-Module grouppolicy

# Map a PowerShell drive to an existing GPO
New-PSDrive -Name GPODrive -PSProvider CitrixGroupPolicy -Root \ `
-DomainGpo "<name of domain GPO>"

# Navigate to the "User" part of the policy
cd GPODrive:
cd user\

# Create a new policy here
New-Item MyHDXPolicy

# Filter this policy by a group account (that contains the tenant's users).
cd MyHDXPolicy
cd .\Filters
cd .\User
New-Item Tenant1Users "<name of group account>"

# Configure the settings shown in the table above.
cd GPODrive:\User\MyHDXPolicy\Settings\ICA\Printing\ClientPrinters\
Set-ItemProperty DirectConnectionsToPrintServers -Name State -Value Prohibited
cd GPODrive:\User\MyHDXPolicy\Settings\ICA\TimeZoneControl
Set-ItemProperty SessionTimeZone -Name Value -Value UseClientTimeZone

Once the GPO has been configured, you can assign it to the OU containing the tenant’s users.

Well, that’s it – pretty simple eh? When an end-user logs in using Web Interface, they will see a desktop icon and by clicking on it, they should get a hosted shared desktop delivered from a cloud that looks and feels like a Windows 7 desktop.

Some things to keep in mind:

  1. Citrix recommends reserving a collection of machines for each tenant – this avoids any security issues that may arise when end-users from multiple tenants are using desktops hosted on the same server. You can achieve this by following the steps described above to create a distinct OU and a worker group per tenant. The published desktop object can be shared across tenants as long as you configure a Load Balancing policy for Worker Group Preference that routes users from a specific tenant to a specific worker group. You can create this using the Delivery Services Console (under the Load Balancing Policies node) or by adding the following lines to your tenant registration script/workflow.
    # Create a new load balancing policy
    New-XALoadBalancingPolicy -PolicyName "Tenant1LBPolicy" `
    -Description "Worker group preference policy for Tenant1 users"
    # Enable Worker group preference and specify the preferred worker group.
    Set-XALoadBalancingPolicyConfiguration -PolicyName "Tenant1LBPolicy" `
    -WorkerGroupPreferenceAndFailoverState Enabled -WorkerGroupPreferences "1=Tenant1WG"
    # Specify the user accounts to which this policy applies.
    Set-XALoadBalancingPolicyFilter -PolicyName "Tenant1LBPolicy" `
    -AllowedAccounts "<name of group account>"

    Note: If a tenant has high security requirements, you may want to deploy a separate XenApp farm dedicated for that tenant.

  2. With this model,
    • If you need to increase capacity for a specific tenant, all you need to do is provision more worker machines and add them to the OU for that tenant. These new machines automatically become part of the worker group and become available for hosting desktops.
    • If you need to deliver a desktop to new users from an existing tenant, just create the new user accounts and add them to the global group created in step 1. Note: You may need to provision additional capacity for these new users as described in the bullet above.
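
A check for the per-tenant machine reservation recommended in item 1, as an added example that is not part of the original post: it flags worker groups whose OUs are equal or nested, so a tenant's machines cannot silently fall under another tenant's worker group. The function names, the sample objects and the example.test domain are constructed for illustration; the WorkerGroupName and OUs properties mirror the New-XAWorkerGroup parameters used in step 3.

```powershell
# Added example (assumes PowerShell 3.0 or later for [pscustomobject]).
# Treating a nested OU as an overlap is a conservative assumption made here.

function ConvertTo-NormalizedDn {
    param([string]$Dn)
    # Trim whitespace around each RDN and lowercase it, so that
    # "OU=A, DC=x" and "ou=a,dc=x" compare equal.
    # Simplification: escaped commas inside an RDN value are not handled.
    (($Dn -split ',') | ForEach-Object { $_.Trim().ToLowerInvariant() }) -join ','
}

function Find-WorkerGroupOuOverlap {
    param([object[]]$WorkerGroups)   # objects with WorkerGroupName and OUs

    # Flatten the input to (worker group, normalized OU) pairs.
    $pairs = @(foreach ($wg in $WorkerGroups) {
        foreach ($ou in $wg.OUs) {
            [pscustomobject]@{ Group = $wg.WorkerGroupName; Dn = ConvertTo-NormalizedDn $ou }
        }
    })

    # Compare every pair that belongs to two different worker groups.
    for ($i = 0; $i -lt $pairs.Count; $i++) {
        for ($j = $i + 1; $j -lt $pairs.Count; $j++) {
            $a = $pairs[$i]; $b = $pairs[$j]
            if ($a.Group -eq $b.Group) { continue }
            # Overlap: same OU, or one OU is a descendant of the other.
            $overlap = $a.Dn -eq $b.Dn -or
                       $a.Dn.EndsWith(",$($b.Dn)") -or
                       $b.Dn.EndsWith(",$($a.Dn)")
            if ($overlap) {
                [pscustomobject]@{ GroupA = $a.Group; OuA = $a.Dn; GroupB = $b.Group; OuB = $b.Dn }
            }
        }
    }
}

# Constructed sample input: Tenant3WG points at a child of Tenant1's OU.
$sample = @(
    [pscustomobject]@{ WorkerGroupName = 'Tenant1WG'; OUs = @('OU=Tenant1OU, DC=example, DC=test') }
    [pscustomobject]@{ WorkerGroupName = 'Tenant2WG'; OUs = @('OU=Tenant2OU,DC=example,DC=test') }
    [pscustomobject]@{ WorkerGroupName = 'Tenant3WG'; OUs = @('OU=Workers,OU=Tenant1OU,DC=example,DC=test') }
)

# Reports the Tenant1WG / Tenant3WG pair; Tenant2WG is not flagged.
Find-WorkerGroupOuOverlap -WorkerGroups $sample | Format-Table -AutoSize
```

An empty result means no two worker groups in the input share or nest an OU; any row returned is a pair to review before onboarding the tenant.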

That’s it for now.

For more information, please join us for a webinar on “How Citrix Service Providers can deliver DaaS (Desktop as a Service) with Citrix FlexCast” on September 29, 2010 which will be repeated at 3 convenient times.
Time: 9:00AM – 10:00AM EDT (Reserve your seat at:
Time: 2:00PM – 3:00PM EDT (Reserve your seat at:
Time: 8:00PM – 9:00PM EDT (Reserve your seat at: