Citrix VDI Handbook for XenApp and XenDesktop 7.15

Almost one year ago, I announced the availability of the Citrix VDI Best Practices Handbook for XenApp and XenDesktop 7.6 (that’s a really long title).

Since then, I received many positive comments from many of you. Thank you.

One of the goals I set was to release an updated version of the handbook for upcoming Long Term Service Releases (LTSR). And with the release of XenApp and XenDesktop 7.15 LTSR, I’m happy to say that we achieved this goal.

Matthew Brooks, Jeff Qiu and I updated the handbook to include new capabilities and recommendations. We added 30 new sections and updated 15 other sections. For example, we have content related to

  1. Cloud
  2. App Layering
  3. Windows 2016
  4. Local Host Cache
  5. Machine Creation Services
  6. Provisioning Services Accelerator
  7. Adaptive Display & Adaptive Transport
  8. And much, much, much, much, much more

A complete list of updates can be found at the end of the paper in the Revisions Table.

So grab a drink, find a comfy chair, sit back, relax and enjoy the Citrix XenApp and XenDesktop 7.15 VDI Best Practices Handbook.

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.15 VDI Handbook
XenApp Best Practices
XenApp Videos



Sync the Windows 10 (1703) Start Menu in VDI

Even though it is still Windows 10, each release introduces changes that impact our VDI deployments. We saw this when optimizing the operating system, as each release has different default apps, scheduled tasks and services.

But what about the Start Menu?

Synchronizing the Windows 10 Start Menu in VDI was the bane of many admins’ existence. And then we saw that we can use Citrix User Profile Management (UPM) to capture the file at logoff.

I’ve now upgraded to Windows 10 (Creators Update 1703).

Guess what. Syncing the Start Menu just works with UPM. No special configuration except to turn UPM on.

Just make sure you upgrade UPM to version 5.8, which was included with the XenApp and XenDesktop 7.14 release. If you use an older version of UPM, your Start Menu throws an error.

It looks like the Start Menu is captured in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore.

Simply enabling UPM captures these registry values.

Now that is simple.



Sync the Windows 10 Start Menu in VDI

NOTE: This is for Windows 10 builds before 1703. Windows 10 1703 changes the storage location for the Start Menu; see the post above.

Windows 10 VDI. Of course it works. But one of the annoying things that really bothers me is not being able to customize my start menu.

My IT team created a standard start menu. It has 3 browsers, Notepad, Windows Media Player, plus much more stuff I never use. I really, really, really want to customize this thing.

So why can’t we roam the start menu between VDI sessions?

Integrate NetScaler with XenApp, XenDesktop and XenMobile

In part 1, I created certificates for my environment with Microsoft Certification Authority

In part 2, I integrated XenMobile into my XenApp and XenDesktop environment

In part 3, I will provide secure remote access to XenMobile, XenApp and XenDesktop with NetScaler.

NetScaler and XenMobile

  1. In a browser, navigate to the NetScaler management IP
  2. Go to the Configuration screen
  3. Select XenMobile at the bottom of the left pane
  4. Select XenMobile 10 and Get Started
  5. Select only the following: Access through NetScaler Gateway
  6. For NetScaler Gateway Settings, enter the following:
    a. IP Address:
    b. Port: 443
    c. Virtual Server Name: XenMobileGateway
  7. For the certificate, choose the file from the appliance: WildcardCert.cer
  8. For the key file name, choose the file from the appliance: Wildcard-snpp-local.key
  9. Enter the private key password we used when we created the key
  10. For Authentication, enter the Active Directory information:
    a. Primary authentication method: Active Directory/LDAP
    b. IP Address:
    c. Base DN: DC=SNPP,DC=local
    d. Service Account: Administrator@snpp.local
    e. Password: password for the service account
    f. Test the connection
    g. Server Logon Name Attribute: sAMAccountName (this matches the LDAP settings we used for XenMobile)
  11. For XenMobile App Management Settings, enter the following:
    a. XenMobile Server FQDN: xm01.snpp.local
    b. Internal load balancing IP Address: (just an unused IP Address)
    c. Communication with XenMobile Servers: HTTPS
  12. XenMobile Server Certificate: Use existing certificate – WildcardCert.cer_CERT_KEY
  13. XenMobile Server:

NetScaler and XenDesktop

  1. In the left pane, select NetScaler Gateway – Virtual Servers
  2. Select _XM_XenMobileGateway in the virtual servers screen
  3. Scroll to the STA section and select it
  4. Select Add Binding
  5. Enter the following:
    a. Secure Ticket Authority Server: https://ddc01.snpp.local
    b. Secure Ticket Authority Server Address Type: IPv4
  6. Once entered, revisit the STA list to verify the XenMobile and XenDesktop STAs are green. If not, you must fix this before continuing.


In the XenMobile Console (https://XM01.SNPP.local:4443), we do the following:

  1. Select the gear icon in the upper right corner
  2. Select NetScaler Gateway
  3. Select Add
  4. Enter the following:
    a. Name: Gateway
    b. External URL: https://Gateway.snpp.local
    c. Logon Type: Domain only
    d. Password required: Yes
    e. Set as Default: Yes
  5. Enable authentication


In the StoreFront console, we do the following:

  1. Navigate to Stores
  2. Select the appropriate store at the top
  3. In the right pane, select Configure Remote Access Settings
  4. Set the following:
    a. Enable Remote Access
    b. Allow users to access only resources delivered through StoreFront (no VPN tunnel)
  5. Enter the following:
    a. Display Name: Gateway
    b. NetScaler Gateway URL: https://gateway.snpp.local
    c. Usage or role: Authentication and HDX routing
  6. For Secure Ticket Authority, add https://ddc01.snpp.local (this should be the same one added in the NetScaler Gateway configuration; you only need the XenApp/XenDesktop STA, not the XenMobile one)
  7. For Authentication Settings, leave the default options
  8. Verify the remote access settings for the store


On the Android phone used earlier, do the following:

  1. While logged into Citrix Secure Hub, select the menu in the upper left
  2. Select Preferences – Account – Delete Account (we need to reconfigure Secure Hub for our Gateway address; you can also uninstall/reinstall the app from the app store)
  3. Enter the following: gateway.snpp.local
  4. Enter the user ID and password
  5. Select Add apps from Store
  6. Launch a XenApp/XenDesktop resource

With the session running, launch Director from the delivery controller. Look at the detailed information for the session to verify the Connected via address is the SNIP address of the NetScaler.



Integrate XenMobile with XenApp and XenDesktop

I’m integrating XenMobile and NetScaler into my XenApp and XenDesktop lab. This is a multi-part blog focusing on the following topics:

With our certificates created and installed, we can now integrate XenMobile with XenApp and XenDesktop.

Encrypt XenApp, XenDesktop and StoreFront communication

With certificates added to our XenApp and XenDesktop environment, we need to modify a few settings so the communication will be encrypted.

Configure StoreFront

In the StoreFront console:

  1. Select Server Group
  2. Select Change Base URL
  3. Update the URL for HTTPS
  4. Select Stores
  5. A message should say:

StoreFront is using HTTPS
No certificate associated with this StoreFront server

We must bind the wildcard certificate to the StoreFront web site.

  1. Within IIS Manager, select Sites – Default Web Site in the left pane
  2. Select Bindings in the right pane
  3. If https does NOT exist, select Add. If https does exist, select Edit
  4. Set the following:
    a. Set type to https
    b. Select the wildcard certificate in the SSL Certificate entry

Return to the StoreFront console and refresh the Store. It should now only say StoreFront is using HTTPS.

We must also modify our delivery controller setup to use HTTPS.

  1. In the StoreFront Console, select Stores
  2. Select Manage Delivery Controllers
  3. Select Edit
  4. Modify the Transport Type to HTTPS

Configure Delivery Controllers

We must bind the wildcard certificate to the IIS service so XML traffic is encrypted. Most likely, the delivery controller will NOT have IIS Manager installed. The configuration can be accomplished with PowerShell.

  1. Start PowerShell
  2. Run the following commands, modifying the domain name (snpp.local) as necessary to match the wildcard certificate:

New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

Get-ChildItem cert:\LocalMachine\my | Where-Object {$_.Subject -like "*snpp.local*"} | Select-Object -First 1 | New-Item IIS:\SslBindings\!443

Test the connection by going to the StoreFront website URL via HTTPS and launching a resource.
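
As an added example (not code from the original post), here is the binding step as a script that also checks the result the way a connecting client would. It assumes the subject filter *snpp.local*, the controller FQDN ddc01.snpp.local and the WebAdministration module; both names are placeholders to adjust.

```powershell
# Added example, not from the original post: bind the wildcard certificate to IIS on a
# delivery controller, then confirm from a client that port 443 presents that certificate
# with a chain the client trusts. Assumed names: '*snpp.local*' and ddc01.snpp.local.
Import-Module WebAdministration

$domainFilter = '*snpp.local*'    # adjust to the domain in your wildcard certificate
$controller   = 'ddc01.snpp.local'

# Pick the matching certificate that has a private key and the latest expiry.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $domainFilter -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching $domainFilter with a private key in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# Create the HTTPS site binding only if it is missing, then attach the certificate to port 443.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -IP '*' -Port 443 -Protocol https
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'     # all IPv4 addresses, port 443
if (Test-Path $sslBinding) { Remove-Item $sslBinding }   # replace a stale thumbprint, if any
$cert | New-Item $sslBinding | Out-Null

# Verify IIS now has the expected thumbprint on port 443.
$bound = Get-Item $sslBinding
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "Port 443 is bound to $($bound.Thumbprint), expected $($cert.Thumbprint)"
}

# Client-side check: open a TLS session and inspect the certificate the server presents.
# AuthenticateAsClient throws if the chain is untrusted or the name does not match,
# the same checks a client makes before it trusts the server.
function Test-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
            Protocol   = $ssl.SslProtocol
        }
    } finally {
        $client.Close()
    }
}

Test-TlsCertificate -HostName $controller | Format-List
```

Run the client check from a machine that has the root CA installed; a failure there means the chain, not the binding, is the problem.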

Configure XenMobile

First we will integrate XenMobile with StoreFront, which in turn gives us access to XenApp and XenDesktop resources.

  1. In a browser, navigate to https://xm01.snpp.local:4443
  2. Select the gear icon in the upper right corner
  3. Select XenApp and XenDesktop
  4. Enter the following:
    a. Host: storefront.snpp.local
    b. Port: 443
    c. Relative Path: /Citrix/SNPP/PNAgent/config.xml (look in the StoreFront console for this information; it will be the XenApp Services URL for the store)
    d. Use HTTPS: On
  5. Test connectivity

We also need to configure LDAP for XenMobile.

  1. In the XenMobile Console, select the gear icon in the upper right
  2. Select LDAP
  3. Select Add
  4. Enter the following:
    a. Directory Type: Active Directory
    b. Primary Server: (IP Address of domain controller)
    c. Port: 389
    d. Domain name: snpp.local
    e. User Base DN: Filled in automatically
    f. Group Base DN: Filled in automatically
    g. User ID: ID of admin account
    h. Password: Password of admin account
    i. Domain alias: snpp
    j. Group Catalog Root Context: dc=snpp,dc=local
    k. User search by: sAMAccountName
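
As an added example (not part of the original post), this script binds to the domain controller with the same values entered here for XenMobile LDAP, and later for the NetScaler Gateway AD/LDAP settings, and looks up one account by sAMAccountName, so a wrong Base DN, port or service account shows up here rather than as a vague enrollment failure. dc1.snpp.local and the account name jdoe are placeholders.

```powershell
# Added example, not from the original post: validate the LDAP settings (server, port,
# base DN, service account, sAMAccountName lookup) before entering them in XenMobile or
# NetScaler. Placeholders: dc1.snpp.local for the domain controller, 'jdoe' for the lookup.
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapSettings {
    param(
        [string]$Server   = 'dc1.snpp.local',
        [int]   $Port     = 389,
        [string]$BaseDn   = 'dc=snpp,dc=local',
        [string]$BindUser = 'Administrator@snpp.local',
        [string]$Account  = 'jdoe'      # placeholder sAMAccountName to look up
    )
    $bindPassword = Read-Host -Prompt "Password for $BindUser"

    # AuthenticationTypes.Secure signs the bind so the service account password is not
    # sent in the clear on port 389.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server`:$Port/$BaseDn", $BindUser, $bindPassword,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $null = $root.NativeObject      # forces the bind; a bad DN or credential throws here

    # Escape the characters that have meaning in an LDAP filter (RFC 4515) before
    # interpolating the account name, so an odd input cannot change the query.
    $escaped = $Account -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userPrincipalName', 'memberOf'))

    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No user with sAMAccountName '$Account' under $BaseDn" }
    [pscustomobject]@{
        DistinguishedName = @($hit.Properties['distinguishedname'])[0]
        SamAccountName    = @($hit.Properties['samaccountname'])[0]
        UserPrincipalName = @($hit.Properties['userprincipalname'])[0]
        GroupCount        = @($hit.Properties['memberof']).Count
    }
}

Test-LdapSettings
```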


On my Android phone (note: you will need to install the root CA on the phone to trust the servers. The easiest way to get the cert onto the phone is email; open the cert and the phone will install it):

  1. Connect to the WiFi network hosting my lab
  2. Launch Play Store
  3. Download Secure Hub by Citrix
  4. Launch Secure Hub once download and installation completes
  5. Enter the XenMobile address: xm01.snpp.local
  6. Select Yes, enroll
  7. Enter username and password (just the user ID, no domain name or email address)
  8. Select Activate
  9. Select Add apps from Store
  10. The XenApp and XenDesktop resources should be visible
  11. Select an app and launch it (Citrix Receiver must be installed)
  12. In the XenMobile console, in the Manage section, the user and the device should be part of the inventory



Microsoft Certificate Authority for XenApp, XenDesktop, XenMobile and NetScaler

My lab is very XenApp and XenDesktop focused, but I need to expand the functionality to include secure access with NetScaler Gateway and incorporate mobile device management/mobile app management (MDM/MAM) with XenMobile.

From what I understand, in order to do this, I really need to install certificates. D’oh!

Every time I have to deal with certificates I know I will run into issues. I’m not spending money on certificates for my lab. I want to use Microsoft Certification Authority. Unfortunately, most documentation I read simply states “Get a certificate from your public authority”. That is not very helpful.

And I suspect many XenApp and XenDesktop admins have similar challenges, so I decided to document the process (minus all of the mistakes).

This will be a multi-part blog focusing on the following topics:

  1. Certificates
  2. Integrate XenMobile with XenApp and XenDesktop
  3. Integrate NetScaler with XenMobile, XenApp and XenDesktop

My Environment

First, some details about my starting environment (in case you are using this to guide your buildout).

  1. I have a XenDesktop and StoreFront environment built and operational for local user access
    1. NetScaler Gateway is NOT currently used
    2. All connections are using HTTP
  2. XenMobile Server
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, without configuring any optional settings. I did not configure certificates, LDAP, or NetScaler configs.
  3. NetScaler
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, including licenses

My environment specifics are as follows:

Server Name       Roles                                       Version   IP Addresses
DDC01.snpp.local  XenDesktop Controller                       7.14
SF01.snpp.local   StoreFront Server                           3.8
XM01.snpp.local   XenMobile Server                            10.4
NG01.snpp.local   NetScaler Gateway                           12        MIP:
DC1.snpp.local    Domain Controller, Certification Authority


Add the following addresses to DNS based on the defined IP addresses

  1. XM01.snpp.local
  2. Gateway.snpp.local
  3. StoreFront.snpp.local is an alias for SF01.snpp.local. StoreFront.snpp.local is the base URL for the StoreFront store

My Certificates:

Certificates are often the most confusing part of the configuration, especially when you are trying to use your own Certificate Authority (CA), like I am with Microsoft Certification Authority in Windows Server 2016. In order to successfully create a deployment, we need the following certificates

  1. Wildcard certificate (*.SNPP.local)
  2. Root certificate for my CA

Note: You can opt to use FQDN server certs instead of the wildcard, but you will need one for each server. The process is the same.

Create Certificate

  1. Launch Internet Information Services (IIS) Manager on the StoreFront Server
  2. Within IIS Manager, select the server in the left pane. Then double-click Server Certificates in the middle pane
  3. Select Create Domain Certificate from the right pane
  4. Fill in the appropriate information, with the common name being the wildcard cert name. In my example, *.snpp.local
  5. Hit Select to select the CA. Enter a friendly name. Select Finish
  6. The wildcard certificate should now appear in the window

Export Certificates

The certificate is installed on the local StoreFront server. We need to export the certificate and private key so we can install it on our other servers.

  1. Launch MMC
  2. Select File – Add/Remove Snap-in
  3. Double-click Certificates
  4. Select Computer Account
  5. Finish the add/remove dialogs
  6. Navigate to Personal – Certificates. The wildcard certificate should be visible. Right-click the cert and select Export
  7. Do NOT export the private key
  8. Select Base-64 encoded X.509
  9. Give the certificate file a name like WildcardCert.cer and save

We need to export the certificate AGAIN:

  1. Right-click the wildcard cert and select Export
  2. This time, include the private key
  3. Select the following:
    a. Personal Information Exchange PKCS #12
    b. Include all certificates in the certification path if possible
    c. Export all extended properties
  4. Add a password to the key file
  5. Save the file with a name like WildcardCertKey

We need one more certificate, the Root Certificate, so all of our devices will trust the certificates from our private CA.

  1. Open a browser and navigate to the IP address of the domain controller running Certification Authority
  2. Select Download a CA Certificate, certificate chain, or CRL
  3. Select Base 64
  4. Select Download CA Certificate. Give it a name like SNPPRootCA

Install Certificates

We need to install the certs on the StoreFront server, delivery controller, XenMobile server and NetScaler. Because we created a domain certificate request on the StoreFront server, the certificate is already installed. But if you have multiple StoreFront servers, this must be done on the remaining ones.

Install Certificates on StoreFront and Delivery Controller Servers

  1. On the StoreFront server, double-click the SNPPRootCA.cer file
  2. Select Install Certificate
  3. Select Local Machine
  4. Select Place all certificates in the following store, and select Trusted Root Certification Authorities

The Root CA is now installed on the host.

To install the wildcard certificate:

  1. Double-click the certificate containing the private key: WildcardCertKey.pfx
  2. Select Local Machine
  3. The file name should be filled in automatically
  4. Enter the certificate’s password
  5. Place all certificates in the following store: Personal

Repeat on all remaining Windows-based delivery controllers and StoreFront servers.
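
As an added example (not code from the original post), the export steps from the StoreFront server and the install steps on the remaining servers as PowerShell. It assumes the subject CN=*.snpp.local, a working folder C:\Certs (placeholder) that also holds the downloaded SNPPRootCA.cer, and that StoreFront is reached as storefront.snpp.local.

```powershell
# Added example, not from the original post: run Export-WildcardCert on the StoreFront
# server that holds the certificate, copy C:\Certs to each remaining StoreFront server and
# delivery controller, then run Import-WildcardCert there. C:\Certs is a placeholder path.
$certDir = 'C:\Certs'

function Export-WildcardCert {
    New-Item -ItemType Directory -Path $certDir -Force | Out-Null
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=*.snpp.local*' -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw 'Wildcard certificate with private key not found in LocalMachine\My' }

    # 1) Public certificate only, Base-64 encoded X.509 (what NetScaler takes as WildcardCert.cer).
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $pem = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') +
           "`r`n-----END CERTIFICATE-----"
    Set-Content -Path "$certDir\WildcardCert.cer" -Value $pem -Encoding ASCII

    # 2) Certificate plus private key as PKCS #12, protected with a password typed at the console.
    $pfxPassword = Read-Host -Prompt 'Password to protect WildcardCertKey.pfx' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath "$certDir\WildcardCertKey.pfx" -Password $pfxPassword | Out-Null
    Get-ChildItem $certDir
}

function Import-WildcardCert {
    # Root CA into Trusted Root Certification Authorities of the machine store.
    Import-Certificate -FilePath "$certDir\SNPPRootCA.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Certificate and private key into the machine Personal store. Without -Exportable the
    # imported private key cannot be exported again from this server.
    $pfxPassword = Read-Host -Prompt 'Password of WildcardCertKey.pfx' -AsSecureString
    $imported = Import-PfxCertificate -FilePath "$certDir\WildcardCertKey.pfx" `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

    # Verify the chain builds to the private root and the certificate is valid for server
    # authentication on the name StoreFront is reached by.
    if (-not (Test-Certificate -Cert $imported -Policy SSL -DNSName 'storefront.snpp.local')) {
        throw 'Imported wildcard certificate does not validate for SSL; check the root CA import'
    }
    $imported | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}
```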

Install Certificates on XenMobile Server

Install the root certificate:

  1. From your browser, navigate to the IP address of the XenMobile Server
  2. Select the gear icon in the upper right to go into the configuration menu
  3. Select Certificates
  4. Select Import
  5. Make the following selections:
    a. Import: Certificate
    b. Use as: Server
    c. Certificate Import: SNPPRootCA.cer
  6. Select Import
  7. The Root CA should now be installed

Install the wildcard certificate:

  1. Select Import
  2. Make the following selections:
    a. Import: keystore
    b. Keystore Type: PKCS#12
    c. Use as: SSL Listener
    d. Keystore file: WildcardCertKey.pfx
    e. Password: this is the password used when exporting the wildcard certificate’s private key
  3. Select Import
  4. Select OK in the import warning message
  5. Reboot the XenMobile server for the certificate to take effect

To test the certificate, launch a browser to https://xm01.snpp.local:4443. If the certificate works, there should be no untrusted certificate warning. Make sure your endpoint has the root certificate installed in the local machine store.

If using Firefox (the browser I used), you have to add the Root CA cert directly into the browser:

  1. In Firefox, select Options
  2. Select Advanced
  3. Select Certificates
  4. Select View Certificates
  5. Under Authorities, select Import
  6. Select the SNPPRootCA.cer file

Install Certificates on NetScaler

First, we need to create a PEM file from the PKCS#12 file (the certificate export with private key).

  1. Launch a browser to the NetScaler management IP and log in
  2. Navigate to Traffic Management – SSL
  3. Select Import PKCS#12. Use the following information:
    a. Output File Name: wildcard-snpp-local.key
    b. Choose File: WildcardCertKey.pfx (this is the local certificate file we exported with the private key)
    c. Input Password: enter the password used for the export
    d. Encoding Format: 3DES
    e. PEM Passphrase: enter a password

Now, we need to upload our certificate:

  1. In the Traffic Management – SSL section, select Manage Certificates / Keys / CSRs
  2. Select Upload
  3. Select WildcardCert.cer
  4. Select Upload
  5. Select SNPPRootCA.cer
  6. Select WildcardCertKey.pfx
  7. Select Delete. We don’t need that file anymore, as it was used to create our key file

We install our server certificate:

  1. Navigate to Traffic Management – SSL – Certificates – Server Certificates
  2. Select Install
  3. Enter the following:
    a. Certificate-Key Pair Name: Wildcard-SNPP-Local
    b. Certificate File Name: WildcardCert.cer
    c. Key File Name: wildcard-snpp-local.key
    d. Password: the PEM passphrase used earlier

Finally, we install our root certificate:

  1. Navigate to Traffic Management – SSL – Certificates – CA Certificates
  2. Select Install
  3. Enter the following:
    a. Certificate-Key Pair Name: SNPPRootCert
    b. Certificate File Name: SNPPRootCA.cer

We are done with Certificates!!!!!!!!!


XenApp Best Practice #6: You Will Fail

I love the outdoors. I love being able to completely disconnect from the rest of the digital world.

I want my kids to experience the same thing, which is why I often take them out on hikes. It is why I took my entire family on vacation to the Boundary Waters and Canoe Area in northern Minnesota. If you aren’t familiar with the BWCA, it is over 1,000,000 acres of complete wilderness. By complete wilderness I mean no roads, no electricity, no motors and no cell phone towers!!!

You paddle across a lake, then throw the canoe and your backpack onto your shoulders and portage to the next lake and repeat. As you would expect, you want to limit how much gear you bring in because someone has to carry it.

Taking a trip to the BWCA requires planning. You have to plan your meals. You have to plan your drinking water. You have to plan your shelter.

You also have to plan for potential issues. How will you protect your food from bears? What happens if the weather is bad?

However, no matter how much preparation and planning you do, there is the potential for something unforeseen happening that you didn’t plan for.

What happens if you flip a canoe? What if you can’t find a campsite? What if someone gets injured?

Of course, with enough time you can plan for all of these things and thoroughly prepare by bringing the appropriate gear, but your backpack would weigh hundreds of pounds.

If you plan for every potential issue, you will never succeed because you will spend all of your time planning. And even if you get to actually doing something, all of those contingency plans will weigh you down and make for a very poor and costly experience, which fits into our latest best practice:

XenApp Best Practice #6: You can’t plan for every potential failure; focus some effort on recovery


