For XenApp and XenDesktop, Citrix policies (and Windows Group Policy) are fundamental in crafting the user experience. They give users access to the resources they need, such as local drives and ports, Flash and Windows Media content, etc., in a way that is appropriate for their connection speed and aligned with corporate security requirements. The challenge with policies is creating a policy structure that provides users with the best possible user experience while aligning with security standards, and that at the same time is easy to understand from a resultant set of policies perspective.
Have a look at your own environment. How are your policies created and configured? From a policy perspective, quite often what we see is a form of “organic growth” where policies have been created to meet specific needs, and then layered repeatedly to achieve specific goals. The result, while it may provide the required functionality, becomes very difficult to read and troubleshoot, and the resultant set of policies for specific users or groups can vary wildly. If this is what your environment feels like, or if you’re creating a new XenApp 6.5 or XenDesktop 5.6 environment, it’s time to take a look at how you can reorganize your policies.
Start by creating a baseline policy for your organization. This is where the most common policy configuration settings will live, and it applies to the majority of your user population. Within the baseline configuration, you should include the most common settings for user experience, security and network conditions, and take mobile users (remote users, tablet/smartphone, etc.) into consideration as appropriate for your organization. Once this policy is created, it should be assigned the lowest priority (in Citrix terms, the highest priority number) so that it is applied first, and exception policy sets can override it as required.
When creating the baseline policy, there are a number of general factors that need to be considered:
- AD Group Policy vs Citrix Policy. Where will you configure your Citrix policy settings? XenApp and XenDesktop now offer the ability to use AD Group Policy or to continue to use the Citrix policy engine. Using Group Policy allows administrators to manage both Windows and Citrix policies through the same engine, which can simplify the configuration and management of policies. The challenge is that many organizations don’t allow Citrix admins access to configure these policies. The more traditional Citrix policy engine is used in this case, or if more advanced filtering mechanisms such as SmartAccess are required. The key is to be consistent. Use one or the other to avoid confusion on policy configuration.
- Policy Integration. Which policy sets do I use? In most cases, some mix of AD Group Policy and Citrix policy is required. Administrators and Architects need to understand the implication of Windows policies on Citrix policies, particularly Remote Desktop Services policies. In some cases, disabling a setting in RDS policy will affect the ability to configure a Citrix policy, so care must be taken to align both policy sets.
- Policy Filtering. How do I apply policies? Both Citrix and Windows policies allow policies to be filtered on a number of criteria. The baseline policy should be applied to the broadest possible configuration of users; generally all users who access the Citrix environment. After that, filtering is used to align policy exceptions with specific sets of users, computers or virtual desktop/application configurations and requirements.
- Policy Precedence. How are the policies applied? There are multiple policy configurations: AD policies applied to general user and computer requirements, the specific policies applied to Citrix environments, and Citrix policies applied to users and computers (both XenApp servers and virtual desktops). It is therefore important to understand the order in which policies are applied. This will determine what the resultant set of policies is for users accessing desktops and applications through XenDesktop and XenApp. Policies are applied in the following order:
  - Local Computer policies
  - Citrix policies created using the Citrix policy engine
  - Site level AD policies
  - Domain level AD policies
  - OU based AD policies, starting at the highest level OU and proceeding to the lowest level OU
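The precedence order above can be modelled to see which policy ends up deciding each setting, and where a baseline security setting is overridden. This is an added example, not Citrix code: it assumes that a setting applied later overwrites one applied earlier (Enforced, Block Inheritance and loopback processing are not modelled), and the policy names, the `priority` and `depth` fields and the sample settings are constructed for illustration.

```python
# Added illustration: a model of the precedence order listed above.
# Assumption: a setting applied later overwrites one applied earlier; Enforced,
# Block Inheritance and loopback processing are not modelled.
SOURCE_ORDER = ["local", "citrix", "site", "domain", "ou"]  # order from the list

def resultant_set(policies):
    """Return {setting: (value, name_of_policy_that_set_it)} after all layers."""
    def apply_key(p):
        stage = SOURCE_ORDER.index(p["source"])
        if p["source"] == "citrix":
            return (stage, -p["priority"])  # highest priority number applied first
        return (stage, p.get("depth", 0))   # highest-level OU before lower OUs
    rsop = {}
    for p in sorted(policies, key=apply_key):
        for setting, value in p["settings"].items():
            rsop[setting] = (value, p["name"])
    return rsop

def baseline_overrides(policies, baseline_name):
    """Settings whose resultant value differs from the named baseline policy."""
    baseline = next(p for p in policies if p["name"] == baseline_name)
    rsop = resultant_set(policies)
    return {s: rsop[s] for s, v in baseline["settings"].items() if rsop[s][0] != v}

# Constructed sample data (hypothetical policies and values).
SAMPLE = [
    {"name": "Baseline", "source": "citrix", "priority": 10,
     "settings": {"Client drive redirection": "Prohibited",
                  "Client clipboard redirection": "Prohibited",
                  "Audio quality": "Medium"}},
    {"name": "Finance exception", "source": "citrix", "priority": 1,
     "settings": {"Client clipboard redirection": "Allowed"}},
    {"name": "Domain GPO", "source": "domain",
     "settings": {"Client clipboard redirection": "Prohibited"}},
    {"name": "Kiosk OU GPO", "source": "ou", "depth": 2,
     "settings": {"Client drive redirection": "Allowed"}},
    {"name": "Workers OU GPO", "source": "ou", "depth": 1,
     "settings": {"Client drive redirection": "Prohibited"}},
]

if __name__ == "__main__":
    for s, (value, winner) in sorted(baseline_overrides(SAMPLE, "Baseline").items()):
        print(f"{s}: {value} (set by {winner})")
```

In the sample, the Citrix exception that allows the clipboard is undone by the domain-level AD policy applied after it, while the lowest-level OU policy reopens drive redirection against the baseline.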
Finally, you need to consider the specific settings that you will set in your baseline policy. This can be a daunting task: there are hundreds of Citrix policy settings, and thousands of Windows group policy settings to choose from. To help, Citrix Consulting has created a baseline policy configuration, as well as considerations for high and low security, high and low bandwidth (LAN and WAN), mobile devices (tablets) and user profile management. The configuration includes Citrix and Windows policies that constitute a starting point for your baseline configuration. All this and more detail on the factors listed above can be found in the XenApp and XenDesktop Policy Planning Guide, CTX134081. In this reference, many of the default settings have been explicitly configured in order to provide visibility when generating a resultant set of policy report, as well as to provide a consistent configuration should defaults change. Remember this is a starting point; your baseline configuration will need to be modified based on the specific needs of your organization. I hope you find it useful, and look forward to your feedback.