Month: August 2012

Citrix have released a tech preview of Project Thor. Project Thor is a XenApp connector for Microsoft SCCM 2012.

The Project Thor Tech Preview enables administrators to orchestrate the tasks required to deliver applications both to end-users and XenApp Servers seamlessly with Microsoft System Center 2012 Configuration Manager. With the Project Thor Connector, administrators can:

  • Extend the Configuration Manager 2012 user-centric and rules-based application delivery capabilities to deliver applications to users in the most appropriate manner for the device they are using: MSI, App-V, CAB, or XenApp
  • Orchestrate the process of deploying applications to XenApp servers, farms, and worker groups from within the Configuration Manager console, both directly, for traditionally managed farms, as well as for streamed farms when used in conjunction with Provisioning Services

The Project Thor Connector ensures high availability by optionally leveraging the Power and Capacity Management Concentrator to gracefully orchestrate the deployment of applications and software updates without any downtime for users.

The Thor Connector also enables user self-service access to applications delivered by XenApp from the Configuration Manager Application Catalog as well as Citrix Receiver.

In addition to these features Thor Technology Preview incorporates numerous improvements over the XenApp Connector for Configuration Manager 2007 R2, including:

  • Improved integration with Microsoft App-V 4.6
  • Numerous supportability improvements to improve overall administrator experience
    • Extensive environment checks and diagnostics in the configuration setup wizard
    • Improved logging information using the SCCM standard trace formats (SMSTrace)
    • Seamless propagation of remote exceptions into local log files


Download Project Thor – XenApp connector for Microsoft SCCM 2012 here (requires MyCitrix ID)

Citrix have released a larger new hotfix (109MB), XS602E007, for XenServer 6.0.2 that I recommend you look at if you are using XenServer 6.0.2.

The hotfix replaces XS602E001, XS602E003 and XS602E005, and there are 6 new Driver Disks for XenServer that you can download here, which are critical for XS602E007.

Issues Resolved In XS602E007

This hotfix resolves the following issues:

  1. Restarting XAPI in a pool consisting of a large number of VDIs can cause the pool slaves to enter maintenance mode indefinitely.
  2. Attaching an SR, containing a large number of VDIs to a pool slave, can fail.
  3. Copying multiple Virtual Disk Images (VDIs) concurrently across Storage Repositories (SRs) can cause a pool master to slow down and it may sometimes become unresponsive.
  4. An error message is triggered after a failed attempt to unplug a Virtual Block Device (VBD) connected to a mounted VDI. However, any subsequent attempts to unplug the VBD, will not trigger the expected error message, and instead a time out error message will be displayed after 1200 seconds (20 minutes).
  5. Creating a NIC bond can result in loss of network connectivity when VLANs are present when using the Linux bridge.
  6. Users can now specify the TimeStamp Counter (TSC) mode for a Virtual Machine (VM) by running the command, xe vm-param-set uuid= platform:tsc_mode=<0,1,2,3>.
  7. Constant transmission of low data rate Ethernet traffic through the netback interface can saturate a dom0 CPU.
  8. When creating an SR or a VDI, predefined XML entities, such as “&” entered in the Name and Description fields are written directly into the SR metadata. Any subsequent actions such as creating an SR or a VDI will fail with an error message, as the XML parser will fail to parse metadata which contains predefined entities.
  9. If there is a failure or a change in the number of paths to storage, attempts to create or destroy a VDI on an LVM-based SR may fail.



This Citrix article explains how to configure Citrix Universal Print Server with Citrix VDI-in-a-Box 5.1; the goal is to make your VDI able to print on any printer device.


Printing with VDI-in-a-Box


Requirements for completing the task. This includes specific knowledge and/or hardware and software requirements:

• VDI-in-a-Box 5.1 (or later) grid

• Citrix Universal Print Server 1.0 (or later)

• At least one network or local printer, depending on use case.

• Windows 2008R2 Server with domain and printing services, depending on use case.


This document is intended to provide information regarding different printing concepts with VDI-in-a-Box. We will cover the different methods of installing print drivers in the virtual desktops, printer redirection, and location-based printing. Depending on the deployment environment, checking one box can configure printing, or it can be more complicated where different printers and drivers need to be used.


Printer Redirection

This section describes the simplest method available: enabling printer redirection. Enabling this feature will connect all the printers available on the client device into the virtual desktop. This works for all types of printers including local, network, or even wireless. Since these printers are already configured on the client device there is no need to configure or install drivers on the virtual desktops.

Printer Redirection is a great feature but does not resolve all customers' needs, hence the need for other types of printing options described in this document. In many cases there will be thin clients, mobile devices, or personal computers that do not have the ability to use required printers. An administrator can always combine the Printer Redirection method with any of the other methods described later in this document.

How to configure Printer Redirection in VDI-in-a-Box:

Printer Drivers

This section describes the two methods available to use print drivers within VDI-in-a-Box: The Citrix Universal Print Server (Citrix UPS) or vendor/native print drivers. Depending on how HDX print policies are configured it is possible to use a combination of native drivers and Citrix UPS. This might be necessary when Citrix UPS is used by a majority of printers, while some specialty printers may require native print drivers. Any combination of these print drivers can be used with the deployment methods described later in this document.

Citrix Universal Print Server

The Citrix UPS can be used to reduce print driver clutter and to improve bandwidth consumption during print jobs. This allows for a single “generic” driver called the Citrix Universal Print Driver to be used on the VDI-in-a-Box virtual desktops. With the exception of some specialty printers, this solution will work with almost all printers (local, network, wireless). Citrix UPS has several components that work together to accomplish this:

• Citrix UPS Server running on a Windows Server with the Print and Document Services role.

• Citrix HDX Group Policy Management running on a Windows domain controller.

• Citrix UPS Client agent running on the VDI-in-a-Box golden image(s).

Please reference for specific installation instructions. These may change with updates to the Citrix UPS product but we will discuss the basic workflow to get it working with VDI-in-a-Box. The instructions below assume the same Windows 2008R2 Server will be used as both the domain controller and the print server:

1. Download the latest Citrix UPS package from

2. Unzip the contents and place on a network share for easy access.

3. Install the Citrix HDX Group Policy Management package onto the Windows 2008R2 Server.

4. Install the Citrix UPS Server package onto the same Windows 2008R2 Server. This will also enable the Printing and Document Services role.

5. Create or Edit a VDI-in-a-Box golden image.

6. Log into the draft image as an administrator.

7. Connect to the network share to access the Citrix UPS package.

8. Install the Citrix UPS Client package onto the desktop.

9. Log out of the golden image.

10. Configure a Citrix HDX Printing Group Policy.

11. Test and publish the golden image.

Complete the following steps if the Citrix Print Manager service does not start on the VDI-in-a-Box desktops after being published. This can be verified by logging into a desktop, opening services.msc, and confirming the Citrix Print Manager Service is started. The following instructions will use Windows Task Scheduler to start the Citrix Print Manager service on the desktops, but Group Policy and logon scripts can be used instead.

12. Edit the golden image.

13. Log into the draft image as an administrator.

14. Create a new batch file containing the following command:

net start cpsvc

15. Save the batch file into a location such as the C:\ drive (not in the administrator’s profile).

16. Open Windows Task Scheduler.

17. Create a New Task and give it a name such as Citrix Print Service.

a. General Tab: For Security options change the User or Group to include all domain users and to run whether user is logged on or not. Select the correct operating system in the Configure for dropdown menu.

b. Triggers Tab: Select the option to begin the task at startup.

c. Action Tab: Select the option to start a program. Click Browse and select the batch file created in the earlier step.

18. Save the Citrix Print Service Task.

19. Save/Publish the Golden Image and verify the task runs as scheduled.

20. Once logged into a published desktop, open services.msc from the Windows Start menu and confirm the Citrix Print Manager Service is started.
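A check to run on a published desktop after steps 12-20, as an added example that is not part of the Citrix article: it confirms that the cpsvc service is running, that the scheduled task exists, and that only SYSTEM and the local Administrators group can modify the batch file the task runs at startup. The batch file name is hypothetical; the task name is the one suggested in step 17.

```powershell
# Added example (not from the Citrix article): verify the startup task setup.
# ASSUMPTIONS: $BatchPath is a hypothetical file name; $TaskName is the name
# suggested in step 17 of the procedure.
$BatchPath = 'C:\StartCitrixPrint.bat'
$TaskName  = 'Citrix Print Service'

# Well-known SIDs allowed to change the file: SYSTEM and BUILTIN\Administrators.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')

# List every non-trusted SID holding an Allow ACE that permits changing the file.
# Whoever can edit the batch file decides what the task executes at startup.
function Get-UntrustedWriter([string]$Path) {
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $canWrite = [int]($rule.FileSystemRights -band $writeMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
            $TrustedSids -notcontains $rule.IdentityReference.Value) {
            $rule.IdentityReference.Value
        }
    }
}

# Collect the three checks into one object so the result can be logged or compared.
function Test-CitrixPrintStartup {
    $svc = Get-Service -Name cpsvc -ErrorAction SilentlyContinue

    # schtasks exits with 0 only when the named task exists.
    schtasks.exe /query /tn $TaskName 2>&1 | Out-Null
    $taskFound = ($LASTEXITCODE -eq 0)

    $fileFound = Test-Path -LiteralPath $BatchPath
    $writers   = @()
    if ($fileFound) { $writers = @(Get-UntrustedWriter $BatchPath) }

    New-Object PSObject -Property @{
        ServiceRunning   = ($svc -ne $null -and $svc.Status -eq 'Running')
        TaskFound        = $taskFound
        BatchFileFound   = $fileFound
        UntrustedWriters = $writers
    }
}

# Healthy result: the three flags are True and UntrustedWriters is empty.
Test-CitrixPrintStartup | Format-List
```

Any SID listed under UntrustedWriters can be resolved with icacls on the batch file, and its write access removed in the golden image before publishing.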

Vendor Drivers

This method is typically used if the Citrix UPS is not used or if there is a specialty printing device which the Citrix universal print driver does not work with. If the only option is to install the vendor drivers it would be done in the same manner as on a physical computer. Another reason for native vendor drivers is when deploying VDI-in-a-Box in workgroup mode and no Active Directory exists in the environment. This will work with local, network, and wireless printers.

In most cases to reduce the need for end-user interaction, it is possible to install the print drivers on the VDI-in-a-Box golden image. If using a print server it is also possible to deploy the drivers (discussed later in this document) from the server. In a print server scenario it is not necessary to always install the drivers in the golden image as the drivers will be installed during user sessions when a printer is connected. However, this can consume additional bandwidth and there could be permission issues if the user is not able to install software/drivers onto the virtual desktop.

The primary benefit of installing vendor-specific drivers is full support and functionality of printer features. There are some printers that have advanced functionality that may not work if using a generic driver; thus, the vendor driver should be used instead. It is recommended to stay with Citrix UPS and only fall back to native drivers if certain printing functionality is desired.

Location-Based Printing

There are several methods available to assign printers to specific computers or users in Active Directory. The methods described in this document usually require a Windows Server with the Print and Documents Services role in combination with any sort of print driver (vendor or Citrix Universal Printing) and HDX Group Policy Management.

Location-Based Printing, also known as Proximity printing, allows an administrator to ease the burden of printer deployments in VDI. In many cases the user will need to access a different printer, typically based on the client’s physical location or possibly Active Directory membership. 3rd party print management software can also handle location-based printing but will not be discussed in this document.

Windows Server Printer Deployments

Active Directory and Group Policy allow administrators to configure location-based printing without the need for 3rd party solutions. The methods described in this document may not work well in all environments but administrators can take this information and apply it using other means. There are two basic requirements for deploying printers using these methods: (1) Windows Server domain controller, (2) Windows Server with Print and Documents Services role. These roles do not have to reside on the same Windows Server but there is no technical limitation preventing one from doing so.

The first step is to decide what type of drivers to use for the VDI-in-a-Box virtual desktops. Review the Print Drivers section earlier in this document to decide if vendor drivers or the Citrix Universal Print Service will be a better choice. In most cases it is recommended to use Citrix UPS to reduce print driver clutter and reduce bandwidth consumption when print jobs are in progress. The steps described in this section will be the same regardless of the type of print driver one decides to use.

The next step in the process is deciding how printers will be assigned. If all VDI-in-a-Box golden images are joined to the same OU within Active Directory, most likely you will filter printing policies based on group membership. For the time being, OU assignments are configured at the golden image level within VDI-in-a-Box. Until this is changed to the template level, an administrator would be required to create a new golden image for each OU if filtering policies based on this requirement. This is not sustainable until VDI-in-a-Box allows OU assignment to be at the template level instead.

For smaller VDI-in-a-Box deployments it might make sense to filter group policy based on OU. For example, take a customer who has 3 distinct user types requiring 3 golden images (each image having vastly different types of installed applications). The VDI-in-a-Box administrator can create a parent called VDI-Desktops, and 3 child OUs such as Finance, Sales, Engineering. The 3 golden images would be joined to the respective OUs within Active Directory and printing group policies can be assigned to each OU.

For most VDI-in-a-Box deployments it is easier to assign printing group policies on group membership. In many cases there might only be a single (or a few) golden images, all joined to the same OU. The administrator can create a GPO for each set of printers to be used by specific groups of users. This is a good solution when network printers are already deployed by location based on group membership. An example would be when printers are deployed by department because those users typically sit near each other. In such a case the administrator would create a GPO with an assigned printer and then filter it based on group membership. This way each member of the group will have access to the printer(s) from the VDI-in-a-Box virtual desktop.

The following section describes a VDI-in-a-Box deployment where Windows Server 2008R2 is used as a domain controller and print server. The Citrix Universal Print Server has been installed and configured to reduce print driver clutter, and the administrator has decided to deploy network printers to the virtual desktops based on Active Directory group membership. Each department already has their own network printer(s) configured on the Windows Server using the Printer and Documents Services role.

1. Create an OU called VDI-Desktops. The DN is OU=VDI-Desktops,DC=company,DC=com.

2. Install the Citrix Universal Print Server components onto the Windows Server. This includes the HDX Group Policy Management component.

3. Install and configure VDI-in-a-Box with one golden image.

• Install the Citrix Universal Print Server Client agent.

• Prepare the image and join it to the VDI-Desktops OU.

4. Create templates for the three departments that will use ViaB desktops. Ensure the Printer Redirection item is disabled.

• Finance Desktop template.

• Marketing Desktop template.

• Inside Sales Desktop template.

5. Open Group Policy Management Editor on the domain controller.

6. Create a new GPO assigned to the VDI-Desktops OU and configure Citrix policy to use the Citrix Universal Print Server. Please refer to specific instructions found in the Citrix UPS section of this document.

7. Create a new GPO for each department in the VDI-Desktops OU and use a naming convention that is easy to understand, such as Finance – Citrix Printers.

8. Select each departmental printing GPO and adjust the Security Filtering to only include the respective groups. For example, remove Authenticated Users and add the Finance Security Group to the Finance – Citrix Printers GPO. Do this for all the departments.

9. Open the Print Management tool on the Windows Server.

10. Drill down to the Print Servers > Server Name > Printers section.

11. Right-click the printer used by the Finance department and select Deploy with Group Policy.

12. Click Browse in the Group Policy Object > GPO name section and select the Finance – Citrix Printer GPO found in the VDI-Desktops OU.

13. Select the option to deploy this printer to computers this GPO applies to and click Add.

14. Click OK and repeat steps 11-13 for each department.

15. Spin up desktops for each VDI-in-a-Box template.

16. Log into each of the departmental desktops to confirm the printer(s) have been installed and can be used by printing a test page.

This example can be used as a basis if such policies do not already exist, but can be altered to fit the needs of any particular environment. Aside from the Citrix HDX Printing GPO described later in this document, deploying printers via Active Directory is one of the best methods available. It allows for central management of all network printers and the ability to make policy changes without much effort.

Assigning printers based on group or computer membership can be more reliable than basing the policies on client IP addresses. Why? Let’s say an organization only has one subnet for client devices and is using DHCP without reservations. The client IP addresses will change consistently so it will not be possible to apply policies based on client IP addresses. Assigning printers based on client IP address is most useful if using Static IP addresses, segmented DHCP scopes (or Static/reserved IP addresses) for specific locations or departments, or in kiosk-type situations. In most cases a library or school lab will have static IP addresses for the client, thus it is possible to assign these types of policies.

Windows Logon Scripts

It is possible to write custom logon scripts to connect network printers based on client location. This document does not describe the type of script to use as this will greatly vary amongst deployments. VDI-in-a-Box writes the client device IP address into the registry, allowing an administrator to use a script to assign a network printer based on this registry key. This solution can be used with most typical network print server deployments or the Citrix Universal Print Server.

The client IP address is written to the following registry location:


The data field for endPointAddress can be extracted and used by a script. An example would be a school with Computer Science and Biology labs where students are able to bring their own laptops. Each lab has its own DHCP scope, allowing the administrator to write a script that assigns the Computer Science network printer to VDI-in-a-Box desktops only when students are connected from the Computer Science network. The same will happen for the Biology lab, even if a student disconnects from the Computer Science lab and reconnects to the VDI-in-a-Box desktop from the Biology lab.
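One way to write such a logon script, as an added example that is not part of the Citrix article: it reads endPointAddress, validates it as an IPv4 address, and connects the printer whose DHCP scope contains it. The registry path is a labelled placeholder because the location is not reproduced on this page; the subnets, print server and share names are constructed sample values.

```powershell
# Added example (not from the Citrix article): map a lab printer at logon from
# the client IP that VDI-in-a-Box records in the registry.
# ASSUMPTIONS: $RegPath is a PLACEHOLDER, since the registry location is not
# reproduced on this page. Subnets and printer shares are constructed samples.
$RegPath   = 'HKLM:\SOFTWARE\PLACEHOLDER-VDI-in-a-Box-key'
$ValueName = 'endPointAddress'

$PrinterMap = @(
    @{ Cidr = '10.20.1.0/24'; Printer = '\\printsrv\CS-Lab'  },   # Computer Science scope
    @{ Cidr = '10.20.2.0/24'; Printer = '\\printsrv\Bio-Lab' }    # Biology scope
)

# Convert a dotted-quad string to a number. Returns $null for anything that is
# not a well-formed IPv4 address: the registry value is treated as untrusted.
function ConvertTo-IPv4Number([string]$Text) {
    if ($Text -notmatch '^[0-9]{1,3}(\.[0-9]{1,3}){3}$') { return $null }
    $n = [double]0
    foreach ($octet in $Text.Split('.')) {
        if ([int]$octet -gt 255) { return $null }
        $n = $n * 256 + [int]$octet
    }
    return $n
}

# True when $Ip lies inside $Cidr. Plain arithmetic is used instead of bit
# shifts so the script also runs on PowerShell versions without -shl.
function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $parts  = $Cidr.Split('/')
    $ipNum  = ConvertTo-IPv4Number $Ip
    $netNum = ConvertTo-IPv4Number $parts[0]
    if ($ipNum -eq $null -or $netNum -eq $null) { return $false }
    $block = [math]::Pow(2, 32 - [int]$parts[1])     # addresses per subnet
    return ([math]::Floor($ipNum / $block) -eq [math]::Floor($netNum / $block))
}

# Return the printer for a client address, or $null when no scope matches.
function Get-PrinterForClient([string]$ClientIp, $Map) {
    foreach ($entry in $Map) {
        if (Test-InSubnet $ClientIp $entry.Cidr) { return $entry.Printer }
    }
    return $null
}

# Read the client address; a missing key or value leaves $clientIp empty.
$prop     = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
$clientIp = ''
if ($prop) { $clientIp = [string]$prop.$ValueName }

$target  = Get-PrinterForClient $clientIp $PrinterMap
$network = New-Object -ComObject WScript.Network

# Drop printers that belong to other locations, then connect the matching one.
foreach ($entry in $PrinterMap) {
    if ($entry.Printer -ne $target) {
        # Throws when the printer was never connected; that case is harmless.
        try { $network.RemovePrinterConnection($entry.Printer, $true, $true) } catch { }
    }
}
if ($target) {
    try   { $network.AddWindowsPrinterConnection($target) }
    catch { Write-Warning "Could not connect $target : $($_.Exception.Message)" }
}
# No match (unknown subnet, missing or malformed value): no printer is mapped.
```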

Citrix HDX Printing Group Policies

VDI-in-a-Box does not currently support the HDX policies to assign default printers, session printers, or assign printers based on client IP address. Other policies, including Citrix Universal Print Server policies, are supported by VDI-in-a-Box.



Citrix have released a new version of VDI-in-a-box 5.1 and this guide makes it possible to access your VDI internally and externally with Microsoft Remote Desktop Gateway.

I recommend that you use Citrix Netscaler Access Gateway.


This article describes how to access VDI-in-a-Box 5.1 desktops through Microsoft Remote Desktop Gateway.


  • VDI-in-a-Box 5.1 grid
  • Windows 2008 R2 Service Pack 1 server with access to internet and intranet.


Citrix Access Gateway Enterprise Edition lets the users access VDI-in-a-Box desktops using HDX remote protocol. In certain scenarios when the customers want their users to access VDI-in-a-Box desktops from internet using RDP remote protocol, the users must use Microsoft Remote Desktop Gateway. This article details the steps they need to take to configure RD Gateway and VDI-in-a-Box so that the users can access their desktops using RDP remote protocol.


  • Configure Windows 2008 R2 server. The server should be in the same domain as the VIAB desktops.
  • Configure Remote Desktop Gateway service in the Remote Desktop Services role.
  • Configure IIS and RD Gateway services by accessing the Server Manager UI. Then select Roles, and click Add Roles, as displayed in the following screen shot:
  • Select Remote Desktop Services and Web Server (IIS) roles and click Next on this as well as the subsequent two screens, as displayed in the following screen shots:
  • Select Remote Desktop Gateway service and click Next:
  • Click Add Required Role Services on the Add Roles Wizard screen:
  • Select a Certification Authority (CA) issued or self-signed SSL certificate for SSL encryption and click Next:
  • Select Now on the Create Authorization Policies for RD Gateway screen and click Next, as displayed in the following screen shot:
  • Click Add to add the user groups that can connect remotely through RD Gateway and then click Next:
  • Click Next on the Create an RD CAP for RD Gateway screen:
  • Select Allow users to connect to any computer… and click Next, as displayed in the following screen shot:
  • Click Next:
  • Do not clear Network Policy Server. Click Next on this and the subsequent two screens:
  • Click Install to start the installation, as displayed in the following screen shots:
  • Once the installation is complete, click Close:
  • Click I Accept to agree to the license terms:
  • Click Finish:
  • Select the application for installation and click Install, as displayed in the following screen shot:
  • Restart the Windows 2008 server.
  • Re-logon to Windows 2008 server and start Server Manager.
  • Navigate to Roles > Web Server (IIS) > Internet Information Services (IIS) Manager in the left panel and click on URL Rewrite in the right panel to start URL Rewrite configuration manager, as displayed in the following screen shot:
  • Click Add Rule(s)… to start the Add Rule(s) dialog, as displayed in the following screen shot:
  • Select Reverse Proxy and click OK twice, as displayed in the following screen shots:
  • Enter IP address of a vdiManager in the grid or the grid IP address, select Enable SSL Offloading, and click OK, as displayed in the following screen shot:
  • Click Edit… to edit the inbound rule, as displayed in the following screen shot:
  • Enter dt/(.*) in the Pattern field, as displayed in the following screen shot:
  • Enter the IP in the pattern http://<IP address of a vdiManager or grid>/{R:0} in Rewrite URL field. Select Append query string and click Apply, as displayed in the following screen shot:

Configuring vdiManager

  • Navigate to the Admin tab.
  • Click on Advanced Properties link.
  • Configure RDP Gateway properties and click OK:



Citrix have released a new version of VDI-in-a-box 5.1. Citrix have created this article that describes how you get access to your VDI externally with NetScaler Access Gateway 10 & VDI-in-a-box 5.1.

It can't be easier to configure with this guide, so go get your NetScaler Access Gateway 10 and configure it with VDI-in-a-box.

Enjoy /Poppelgaard


Configure VDI-in-a-Box 5.1 Remote Access with NetScaler Access Gateway 10


• VDI-in-a-Box 5.1 grid

• NetScaler 10 build 69.4 or later (VPX, MPX, SDX)

    • NetScaler Platform License


This document provides instructions for configuring remote access to VDI-in-a-Box virtual desktops. The latest NetScaler versions (build 69.4 or later) now include an Access Gateway wizard to allow for quick remote access setup. Configuring the VDI-in-a-Box will consist of adding HDX gateway information and adding a Grid IP address.


Configure the VDI-in-a-Box Grid IP Address:

1. Log into the VDI-in-a-Box web console as an administrator.

2. Go to the Admin > Advanced Properties menu.

3. Scroll down to the Grid section.

4. Enter an IP address to use in the Grid IP address.

Configure the VDI-in-a-Box HDX Gateway:

5. Log into the VDI-in-a-Box web console as an administrator.

6. Go to the Admin > Advanced Properties menu.

7. Scroll down to the Gateways section.

8. Enter the FQDN and port of the Access Gateway in the External HDX Gateway field.

9. Enter the NetScaler MIP or SNIP to be used by VDI-in-a-Box in the Internal HDX Gateway field.

Configure the NetScaler appliance:

10. Import to a supported hypervisor if using the NetScaler VPX (virtual appliance).

11. Configure NetScaler IP Address (NSIP) via the Console and restart.

12. Log into the NetScaler web console with default credentials: nsroot/nsroot.

13. Provide a Host Name and configure the type of IP address to use for communication with the VDI-in-a-Box servers and desktops.

• More information about SNIPs and MIPs found in these links:

14. Complete the Setup Wizard using default values.

15. Click the Manage License link to upload a NetScaler Platform License.

16. Click Finish.

17. Save the configuration when prompted and restart the NetScaler.

Configure Access Gateway virtual server:

18. Log back into the NetScaler web console.

19. Select Access Gateway feature and then Create/Monitor Access Gateway to open the Access Gateway 10 Home page.

20. Click the Get Start button to open the Access Gateway Setup page.

21. Fill out the Access Gateway Setting section. The IP address is typically in a perimeter network or a public IP address that users connect to. Optionally, enable https redirection so the gateway will accept (and redirect) http requests to https.

22. Fill out the LDAP Authentication section. This is required when configuring the wizard, but the authentication policy can be disabled later.

• IP Address: Active Directory domain controller.

• Port: Usually 389 or 636.

• Base DN: Provide the Distinguished Name for the users in AD, such as OU=Users,OU=VDI,DC=domain,DC=com.

• Admin Base DN: Provide the Distinguished Name for a domain admin, such as CN=Administrator,CN=Users,DC=domain,DC=com.

• Logon Name: This should be SAMAccountName.

• Password: Provide the domain admin’s password.

23. Select one of the options from the Certificate section.

• Install Certificate: Select this option to upload the server certificate and private key that has already been generated (valid or self-signed). Certificates can be generated using the SSL feature of the NetScaler or any other certificate utility, such as OpenSSL or Java KeyTool.

• Use Test Certificate: Select this option if a self-signed test certificate is needed. Provide a name and FQDN for the certificate.

Important: Upon completion of this wizard the test certificate and root certificate must be exported from the NetScaler and installed on client devices. This is found in Configuration > SSL > Manage Certificates / Keys / CSRs section.

24. Check the box to show DNS and type the IP address of the DNS server to be used. For production environments this should be an external-facing DNS server that will be used to redirect http to https requests based on the FQDN, if enabled in the Access Gateway Settings section.

25. Select the Web Interface option in the CloudGateway/Web Interface section. The WI and STA fields must use https instead of http.

Note: VDI-in-a-Box 5.1 does not support CloudGateway.

• Web Interface Address: Provide the URL for the VDI-in-a-Box Grid IP Address, such as https://vdiGridIP.

• Single Sign-on Domain: Provide the Active Directory domain. This will be used for SSO with PNAgent used by the Citrix Receiver.

• Secure Ticket Authority: Provide the STA URL using the VDI-in-a-Box Grid IP, such as https://vdiGridIP/dt/sta.

• Leave both Single sign-on domain and ICA Proxy boxes enabled.

26. Click Done. This will create the Access Gateway virtual server using the settings and polices defined in this setup page.

27. Return to the NetScaler web console and click Save to ensure the running configuration is saved to disk in the event the NetScaler needs a restart.

More Information

Citrix Receiver Session Policy

A Citrix Receiver session policy needs to be configured on the Access Gateway that will help mobile devices connect to the VDI-in-a-Box grid. This will allow all supported mobile devices (iOS, Android, PlayBook, etc) to connect to VDI-in-a-Box desktops through the Access Gateway.

Please follow the instructions in the following article to create such a session policy:

• For the Web Interface Address field, use the VDI-in-a-Box Grid IP address in the following format (path is case-sensitive): https://vdiGridIP/dt/PNAgent/config.xml

• Type the AD domain into the Single Sign-On Domain field.

• No additional authentication policy needs to be created.