Step-by-step guide to learn how to configure Citrix App Layering.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
In the previous post, we discussed how to install and upgrade Citrix App Layering. Now it is time to configure our Citrix Enterprise Layer Manager (ELM) appliance.
More from this Citrix App Layering series
- Introduction to Citrix App Layering
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
- Best Practices for Citrix App Layering
Requirements
For this lab, you need the following:
- ELM appliance up and running
- Active Directory configured and reachable from the appliance (SSL recommended)
- AD credentials for domain junction. You can use a shared account or have a dedicated AD account for authentication in ELM.
- AD group for ELM administrators
- A network share
- SSL Client (Ex: MobaXterm)
- A Certificate Authority to generate a certificate for the appliance
- OpenSSL for Windows
- Virtual Infrastructure (Ex: VMware vSphere or Microsoft Hyper-V)
- Optional: PVS infrastructure
Best practices to configure Citrix App Layering
- Multiple Network Adapters is not supported
- Configure AD authentication
- Configure HTTPS and Disable HTTP
- Increase Cache Size if you have a lot of layers
- Increase Cache Size if Hit Rate is too low
- Configure a different Storage Location for User Layers
Configure Citrix App Layering
Connect to the web console with the default credentials administrator and Unidesk1 (CTX223712 –
What is the Default Password for App Layering?)
License agreement
Accept the license agreement.
Change default password
You will be prompted to change the default passwords.
Note: we will the root account later in this post to configure HTTPS.
Click on Change credentials to validate.
Done.
Here is the ELM web console dashboard.
Configure Citrix App Layering console timeout
Go to System > System and Configuration. Scroll down to Security Settings.
First configuration is to increase the console timeout (default 15 minutes).
Enter 60 or 90 minutes.
Create Active Directory domain junction
Go to Users > Directory Services > Create Directory Junction.
- Directory Junction Name: CitrixGuru.lab
- Server Address: 192.168.1.57
- Port: 638 (or 389 for non-SSL)
- Use SSL (recommended)
Click on Test Connection to validate the configuration.
Next step is to configure the Bind account used for authentication:
- Bind Distinguished Name: CN=elmadaccount,CN=users,DC=citrixguru,DC=lab
- Bind Password: Password
Click on Test Authentication to validate credentials.
Now we need to configure the starting point for the directory:
- Base Distinguished Name: DC=citrixguru,DC=lab
Leave all attribute mapping settings by default:
Select Create Directory Junction to create it.
Add AD group ad Administrators
Go to the ELM web console > Users > Directory. Search for your ELM admin group in Active Directory (Ex: CITRIXGURU\ELM_ADMINS).
Select the group and click on Edit Properties. Navigate to Roles.
Click on Update Group to confirm.
You can now logon with domain accounts part of this AD group.
Add Storage Location
Note: This share will be used by ELM to store User Layers.
Go to System > Storage Locations > and Add Storage Location.
Add the share path.
Click on Add Storage Location to confirm the creation of the storage location.
Once configured, you can take a look at the configuration in System > Storage Locations.
Click on Test SMB File Share to validate that ELM can access it.
Configure Network File Share for Citrix App Layering
Note: This share will be used by ELM to store Elastic Layers configuration files, system upgrades, etc.
Go to System > Settings and Configuration > and scroll down to Network File Shares.
Click Edit and enter the network location allocated to ELM and credentials to access it.
Click on Test SMB File Share to validate that ELM can access it.
Once configured, you can take a look at the files created in the share.
Elastic configuration in stored in the json files located in the layer repository:
- ElasticLayerAssignments.json -> This file contains the information about user and group mapping to individual application layers. This file will contain and entry for each group or user ID that has assigned applications.
- Layers.json -> This file defines the Layers in the repository and metadata about the layers used by the Citrix Elastic Layering Filter Driver.
- MachineAssociations.json -> This file defines machine associations – You can use a computer name pattern containing wildcards to associate a set of computers with any AD group.
- ShareAssignments.json -> This file contains the information about storage location assignments.
- Shares.json -> This file contains the information about storage locations.
Configure HTTPS for Citrix App Layering
Note: Carl Webster published an article about how to import a public SSL certificate (digicert).
Connect to the appliance via SSH using the root account. We configured the password at the beginning of this post.
Then type the following command:
|
1 |
openssl req -new -newkey rsa:2048 -nodes -out elm.csr -keyout elm.key -subj "/C=US/ST=NewYork/L=NYC/O=CitrixGuru/OU=IT/CN=elmserver.citrixguru.lab" |
OpenSSL will create the private key and the certificate request files.
Connect via WinSCP to the appliance and go in to /root/ folder. The highlighted items have been generated properly.
Here is the content of the .csr (Certificate Request) file:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
-----BEGIN CERTIFICATE REQUEST----- MIICtzCCAZ8CAQAwcjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB05ld1lvcmsxDDAK BgNVBAcTA05ZQzETMBEGA1UEChMKQ2l0cml4R3VydTELMAkGA1UECxMCSVQxITAf BgNVBAMTGGVsbXNlcnZlci5jaXRyaXhndXJ1LmxhYjCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBANUGvST59rseo6VU8mGq9RclrOc6BTDiPg12r93XArxe NI07ii9hdK6BBIF99KjU1pk3qCF75Qqxmw8QIuP5q6e0KX6zVBF/EJPvbrrq0i2O /Uq1EUQuwqp6ZVpIbCSr33Wn/1JhhNoVHVdul5+TapY2FF//BBvNVcK7Rlkals+t cuIvhembJnHDwYISpWWiGlC9WJEfX+E2iD3gJV+154+V76Z0hUzlNVPYNTYHcedr XZCcwmgSvugR6hD6oVfODKvwsJyGLZKm87OZ5kVIF5k+BjSMvwW6JiHnRVwHX+HZ fEBBH4xROlmaj+KZ8KCn8itf+kF5O0EcNpaUX3Ci8+UCAwEAAaAAMA0GCSqGSIb3 DQEBBQUAA4IBAQDOscCOQbj+hmI1YBRcLgmBBk6zcVs02Xs6NLo0oJlDhzHbLx74 +KWvzzyMR3Bsf0fT6RsRabqoI5k1alc/tukRT/UoajdfypahFv0FchXiBQwLIniB AJoZHPtcSP9ySIa690z7XGAecOxDzMerqtq8cjMVxx1fmFCeB2+tsDSKUzHdw1Ce jFkQygK+Qxe76jp7HKNGDVOXNMDKQJfqpKqIrK2z0MdUdQ8dbdl4qMpFBYsdaXBQ EsKcXAkP6eAKb0vRj3xmwXepFgEpJlkMxiuQfdm9bj0PsyTotBbxBymV3zyp+vU1 yglG889CIn/0G7iDpkOtblcCVwkkozP3uqBp -----END CERTIFICATE REQUEST----- |
And here is the content of the .key (private key) file:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDVBr0k+fa7HqOl VPJhqvUXJaznOgUw4j4Ndq/d1wK8XjSNO4ovYXSugQSBffSo1NaZN6ghe+UKsZsP ECLj+auntCl+s1QRfxCT72666tItjv1KtRFELsKqemVaSGwkq991p/9SYYTaFR1X bpefk2qWNhRf/wQbzVXCu0ZZGpbPrXLiL4XpmyZxw8GCEqVlohpQvViRH1/hNog9 4CVfteePle+mdIVM5TVT2DU2B3Hna12QnMJoEr7oEeoQ+qFXzgyr8LCchi2SpvOz meZFSBeZPgY0jL8FuiYh50VcB1/h2XxAQR+MUTpZmo/imfCgp/IrX/pBeTtBHDaW lF9wovPlAgMBAAECggEABGyEZw0t24ryWQ+fjPmw508n/RFOZEp+gWcSlefOLb1D GB/BaeR7ONiDEHFeMFdjMYFfY3qgMg2oK7LpFpTrxKrQJcpxl39tB7V0NjuEK+AJ UJDcD+9sqX+rNSnF3SkYlefsPHi7+o9vsY4hZfX4w6/R0oCIRE+KVWXwOw97TErD GZ3FFOVdyfOCXCvtmfbjZgQgSSMljMUmV2x+wh3L1P//hu+72k+D+xxFcWPGD+wU n1aR3T/7cH68oYdP7ajzx/FWga4fcXd7DwtmnLzlUkRIORmDOFJzWJYSCkeHdrCr gVrT98kDP4IkP/NyiCDXrG9c7qSFDVNnlqlxwfTmwQKBgQD9eJbFmW4gRO6m9hzV aQvvkTZw7mv9tSEM9U5rVfOwoEgBmvwJHrirTYNn+I8sA0ijiWmT3mbJStVnZM8w 0StLwi+tJr5wpH+AlHmp9xvhSu6PV3957bz7K0pp9b8OvUxedJj4vFY5TFf+njC+ GPeCrIkILrY45XPvwDN9WG0ZtQKBgQDXJtjC0kE1tDTJWU7TNFv6DIxNiNmgQoYh dAzlX51bdsQkyxenn1bOX9Fn62s1lXv4ZcbMwuHQR/7KecU3iaryZwER8K1hl6TP wS3X1eIXPUSmkXyQLO3+kMYe3EzhLw8+JMCLJBBAt/qSYN7a9Oc1gmgWX/wPXaP3 cq5M27UPcQKBgQCaqF22q+uaHPVRQpJNVQ9HWd9SAOg7oa1M7tCuhX9vohzNffeS yP/85grsAam6PTaxMkMNSoKFB/g2YjhZnQdB7naQvDcvG/AAUJf7sR990+7D36uU hg7tYnjBNoUhRTe32oUMID6sL3zxiyxKkYlUXloud/IPvVGEVE4WiUHokQKBgEyD wTTP52b89oTg4PqVtVwg2Ei+sX6gCemdxvRP47tianEXVQtEzG9KfkNx4sfEqLj3 IRMy/3G+GOvTEIMmz4ezgBrsOAzsDC3iarZGl0hifqaqON1hTSZqQDs7Z4/x137n PR5+rdUGWPNzxe2iiRNrlC7Y5eBlEenve/NTc3nRAoGBAPFXEhaHkKPgl06/bhED b4wmQem+ACMKF6WP7DqniUjTcymeuaLINsD2weHgNulEg7J/OlVxH+j1Siq4p7tl XH/0OW6GUTUXN7zvY/yP0EPghVIkJZW6BC5Qz/btFdXoKFif1EBPNHVtdDwmsroG xcMbzswke1B/bDF1bNBF0RV8 -----END PRIVATE KEY----- |
Now take the .csr file and give it to your TLS certificate issuer.
In my case, I am using Microsoft Certificate Authority and its web enrollment.
Copy the content of the .csr file into the webpage and click submit.
Select DER and click on download the certificate.
Then use OpenSSL to convert the certificate to the .pem format.
|
1 |
openssl x509 -inform der -in c:\elm.cer -out c:\elm.pem |
Here is the content of the .pem file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
-----BEGIN CERTIFICATE----- MIIFuTCCBKGgAwIBAgITJgAAAUy+Luln05g9kQADAAABTDANBgkqhkiG9w0BAQUF ADBQMRMwEQYKCZImiZPyLGQBGRYDbGFiMRowGAYKCZImiZPyLGQBGRYKY2l0cml4 Z3VydTEdMBsGA1UEAxMUY2l0cml4Z3VydS1Jc3N1aW5nQ0EwHhcNMTgxMjIxMDAx MDI3WhcNMTkwNjI3MTQwNTU1WjByMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHTmV3 WW9yazEMMAoGA1UEBxMDTllDMRMwEQYDVQQKEwpDaXRyaXhHdXJ1MQswCQYDVQQL EwJJVDEhMB8GA1UEAxMYZWxtc2VydmVyLmNpdHJpeGd1cnUubGFiMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Qa9JPn2ux6jpVTyYar1FyWs5zoFMOI+ DXav3dcCvF40jTuKL2F0roEEgX30qNTWmTeoIXvlCrGbDxAi4/mrp7QpfrNUEX8Q k+9uuurSLY79SrURRC7CqnplWkhsJKvfdaf/UmGE2hUdV26Xn5NqljYUX/8EG81V wrtGWRqWz61y4i+F6ZsmccPBghKlZaIaUL1YkR9f4TaIPeAlX7Xnj5XvpnSFTOU1 U9g1Ngdx52tdkJzCaBK+6BHqEPqhV84Mq/CwnIYtkqbzs5nmRUgXmT4GNIy/Bbom IedFXAdf4dl8QEEfjFE6WZqP4pnwoKfyK1/6QXk7QRw2lpRfcKLz5QIDAQABo4IC aDCCAmQwHQYDVR0OBBYEFPl9IEkSPCGFqsA2QFV39Zlz4bK+MB8GA1UdIwQYMBaA FGK+B4G64Vc1DVvRqdXXfmf0wxZAMIHTBgNVHR8EgcswgcgwgcWggcKggb+Ggbxs ZGFwOi8vL0NOPWNpdHJpeGd1cnUtSXNzdWluZ0NBKDMpLENOPURDLENOPUNEUCxD Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1 cmF0aW9uLERDPWNpdHJpeGd1cnUsREM9bGFiP2NlcnRpZmljYXRlUmV2b2NhdGlv bkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCByQYI KwYBBQUHAQEEgbwwgbkwgbYGCCsGAQUFBzAChoGpbGRhcDovLy9DTj1jaXRyaXhn dXJ1LUlzc3VpbmdDQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1jaXRyaXhndXJ1LERDPWxh Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1 dGhvcml0eTAOBgNVHQ8BAf8EBAMCBaAwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGC NxUIhMm7KIH8jkOG5Z86g4SpZ4SdgGmBc4P1ny+FrP8BAgFkAgEDMBMGA1UdJQQM MAoGCCsGAQUFBwMBMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwDQYJKoZI hvcNAQEFBQADggEBAB/Oj0c4u1VGVMIgr0hEke1tI91zIKjUnYRzFHMd8aozIkPS HPKO5eN+0vOKHrE510rnaopc2of27hzd+t5oF2oLcf+h/aC2fnlCnq+VbJ+oQkEj z50ziBfL9Y0Lf1rJc+Ef0z3ZnX76ihlNyykhSU808W853bMk98bJVT5ANxI5pfut xjPxI4Fjv+MAh61mVJtTY5o6IafG5SLOazFEUhKDuITp+qm15THK07cq9T/MilaJ kJcaigarTYw4NIFGvztzUPQOGJf5GkceqQot9u2QzwedLzXBqgokzQD5wZRdRGsd mM7hLuSW3sIMoN17rO9ytMr05u/+bTwNsqQDDZA= -----END CERTIFICATE----- |
To be able to import the certificate in ELM, we need to concatenate the .pem file with the .key file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
-----BEGIN CERTIFICATE----- MIIFuTCCBKGgAwIBAgITJgAAAUy+Luln05g9kQADAAABTDANBgkqhkiG9w0BAQUF ADBQMRMwEQYKCZImiZPyLGQBGRYDbGFiMRowGAYKCZImiZPyLGQBGRYKY2l0cml4 Z3VydTEdMBsGA1UEAxMUY2l0cml4Z3VydS1Jc3N1aW5nQ0EwHhcNMTgxMjIxMDAx MDI3WhcNMTkwNjI3MTQwNTU1WjByMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHTmV3 WW9yazEMMAoGA1UEBxMDTllDMRMwEQYDVQQKEwpDaXRyaXhHdXJ1MQswCQYDVQQL EwJJVDEhMB8GA1UEAxMYZWxtc2VydmVyLmNpdHJpeGd1cnUubGFiMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Qa9JPn2ux6jpVTyYar1FyWs5zoFMOI+ DXav3dcCvF40jTuKL2F0roEEgX30qNTWmTeoIXvlCrGbDxAi4/mrp7QpfrNUEX8Q k+9uuurSLY79SrURRC7CqnplWkhsJKvfdaf/UmGE2hUdV26Xn5NqljYUX/8EG81V wrtGWRqWz61y4i+F6ZsmccPBghKlZaIaUL1YkR9f4TaIPeAlX7Xnj5XvpnSFTOU1 U9g1Ngdx52tdkJzCaBK+6BHqEPqhV84Mq/CwnIYtkqbzs5nmRUgXmT4GNIy/Bbom IedFXAdf4dl8QEEfjFE6WZqP4pnwoKfyK1/6QXk7QRw2lpRfcKLz5QIDAQABo4IC aDCCAmQwHQYDVR0OBBYEFPl9IEkSPCGFqsA2QFV39Zlz4bK+MB8GA1UdIwQYMBaA FGK+B4G64Vc1DVvRqdXXfmf0wxZAMIHTBgNVHR8EgcswgcgwgcWggcKggb+Ggbxs ZGFwOi8vL0NOPWNpdHJpeGd1cnUtSXNzdWluZ0NBKDMpLENOPURDLENOPUNEUCxD Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1 cmF0aW9uLERDPWNpdHJpeGd1cnUsREM9bGFiP2NlcnRpZmljYXRlUmV2b2NhdGlv bkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCByQYI KwYBBQUHAQEEgbwwgbkwgbYGCCsGAQUFBzAChoGpbGRhcDovLy9DTj1jaXRyaXhn dXJ1LUlzc3VpbmdDQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1jaXRyaXhndXJ1LERDPWxh Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1 dGhvcml0eTAOBgNVHQ8BAf8EBAMCBaAwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGC NxUIhMm7KIH8jkOG5Z86g4SpZ4SdgGmBc4P1ny+FrP8BAgFkAgEDMBMGA1UdJQQM MAoGCCsGAQUFBwMBMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwDQYJKoZI hvcNAQEFBQADggEBAB/Oj0c4u1VGVMIgr0hEke1tI91zIKjUnYRzFHMd8aozIkPS HPKO5eN+0vOKHrE510rnaopc2of27hzd+t5oF2oLcf+h/aC2fnlCnq+VbJ+oQkEj z50ziBfL9Y0Lf1rJc+Ef0z3ZnX76ihlNyykhSU808W853bMk98bJVT5ANxI5pfut xjPxI4Fjv+MAh61mVJtTY5o6IafG5SLOazFEUhKDuITp+qm15THK07cq9T/MilaJ kJcaigarTYw4NIFGvztzUPQOGJf5GkceqQot9u2QzwedLzXBqgokzQD5wZRdRGsd mM7hLuSW3sIMoN17rO9ytMr05u/+bTwNsqQDDZA= -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDVBr0k+fa7HqOl VPJhqvUXJaznOgUw4j4Ndq/d1wK8XjSNO4ovYXSugQSBffSo1NaZN6ghe+UKsZsP ECLj+auntCl+s1QRfxCT72666tItjv1KtRFELsKqemVaSGwkq991p/9SYYTaFR1X bpefk2qWNhRf/wQbzVXCu0ZZGpbPrXLiL4XpmyZxw8GCEqVlohpQvViRH1/hNog9 4CVfteePle+mdIVM5TVT2DU2B3Hna12QnMJoEr7oEeoQ+qFXzgyr8LCchi2SpvOz meZFSBeZPgY0jL8FuiYh50VcB1/h2XxAQR+MUTpZmo/imfCgp/IrX/pBeTtBHDaW lF9wovPlAgMBAAECggEABGyEZw0t24ryWQ+fjPmw508n/RFOZEp+gWcSlefOLb1D GB/BaeR7ONiDEHFeMFdjMYFfY3qgMg2oK7LpFpTrxKrQJcpxl39tB7V0NjuEK+AJ UJDcD+9sqX+rNSnF3SkYlefsPHi7+o9vsY4hZfX4w6/R0oCIRE+KVWXwOw97TErD GZ3FFOVdyfOCXCvtmfbjZgQgSSMljMUmV2x+wh3L1P//hu+72k+D+xxFcWPGD+wU n1aR3T/7cH68oYdP7ajzx/FWga4fcXd7DwtmnLzlUkRIORmDOFJzWJYSCkeHdrCr gVrT98kDP4IkP/NyiCDXrG9c7qSFDVNnlqlxwfTmwQKBgQD9eJbFmW4gRO6m9hzV aQvvkTZw7mv9tSEM9U5rVfOwoEgBmvwJHrirTYNn+I8sA0ijiWmT3mbJStVnZM8w 0StLwi+tJr5wpH+AlHmp9xvhSu6PV3957bz7K0pp9b8OvUxedJj4vFY5TFf+njC+ GPeCrIkILrY45XPvwDN9WG0ZtQKBgQDXJtjC0kE1tDTJWU7TNFv6DIxNiNmgQoYh dAzlX51bdsQkyxenn1bOX9Fn62s1lXv4ZcbMwuHQR/7KecU3iaryZwER8K1hl6TP wS3X1eIXPUSmkXyQLO3+kMYe3EzhLw8+JMCLJBBAt/qSYN7a9Oc1gmgWX/wPXaP3 cq5M27UPcQKBgQCaqF22q+uaHPVRQpJNVQ9HWd9SAOg7oa1M7tCuhX9vohzNffeS yP/85grsAam6PTaxMkMNSoKFB/g2YjhZnQdB7naQvDcvG/AAUJf7sR990+7D36uU hg7tYnjBNoUhRTe32oUMID6sL3zxiyxKkYlUXloud/IPvVGEVE4WiUHokQKBgEyD wTTP52b89oTg4PqVtVwg2Ei+sX6gCemdxvRP47tianEXVQtEzG9KfkNx4sfEqLj3 IRMy/3G+GOvTEIMmz4ezgBrsOAzsDC3iarZGl0hifqaqON1hTSZqQDs7Z4/x137n PR5+rdUGWPNzxe2iiRNrlC7Y5eBlEenve/NTc3nRAoGBAPFXEhaHkKPgl06/bhED b4wmQem+ACMKF6WP7DqniUjTcymeuaLINsD2weHgNulEg7J/OlVxH+j1Siq4p7tl XH/0OW6GUTUXN7zvY/yP0EPghVIkJZW6BC5Qz/btFdXoKFif1EBPNHVtdDwmsroG xcMbzswke1B/bDF1bNBF0RV8 -----END PRIVATE KEY----- |
Go to ELM console > System > Settings and Configuration and scroll down to HTTP Certificate settings.
Select Edit and upload the .pem file generated by OpenSSL and concatenated with the private key.
Click on Save to validate the import.
Select Yes to reboot.
Once the appliance has rebooted, navigate to the URL using HTTPS.
The SSL/TLS certificate is applied and the management console is secured.
Disable HTTP
We can now disable HTTP for the apache server running on the ELM appliance (CentOS).
Connect to the appliance via SSH with the root credentials.
Navigate to /root/httpd.
And open httpd.conf file with nano.
Navigate to Listen 80 in the second page and change it to Listen 443.
CTRL + O to save.
Then ENTER to erase the file
CTRL + X to exit the nano editor. Then type service httpd restart to restart Apache.
That’s it. HTTP is disabled on the management console.
Expand App Layering repository
By default, ELM is delivered with a 300GB repository for layers. The disk is thin provisioned.
To expand the disk here are few requirements:
- Disk must use the .vhdx format (default for ELM)
- Need to be attached to the virtual SCSI controller. By default ELM is configured with IDE. You will have to shutdown the virtual machine in that case.
In Hyper-V, the process is simple. Go to the Hyper-V console and Edit Disk. Select the repository disk.
Select Expand.
Enter the new size for the disk.
Validate to increase the size of the disk.
Go back to the ELM console. Go to System > Manage appliance.
Select Expand Storage.
The new increased disk should be available.
Select Expand Storage to confirm.
After few minutes, the configuration should be updated.
Install Citrix App Layering agent
If you need the App Layering agent, you then install it on the servers where is needed, depending on your specific needs for the agent.
The App Layering agent is required if you want to do any of the following:
- Publish layered images to PVS.
- Use connector configurations. to launch a script.
- Run App Layering in Microsoft Hyper-V.
If you are not using any of the above functionality, you do not need the agent.
Note: No need to install an agent for VMware vSphere but it is required for Microsoft Hyper-V, Citrix PVS, etc.
Open the ELM package downloaded from Citrix website.
You should have citrix_app_layering_agent_installer.exe in it.
Install it on servers that need to communicate with ELM.
For example, if you plan to publish vDisks directly to PVS. Install the agent on 1 of your pvs servers.
See below the process to install the agent.
Accept license agreement.
Enter agent port (default 8016).
Click on install.
To register the agent in ELM, you need to specify the ELM server IP and credentials.
If you do not register the agent during installation, you can manually register it later. However, remember that the PowerShell scripts do not run until the agent is registered with the appliance. See Manual registration.
Click on Register.
The installation is completed.
Add Microsoft Hyper-v connector in Citrix ELM
Go to System > Connectors > Add Connector Config.
Select the connector that applies to your configuration (Ex: Microsoft Hyper-V).
This will open a new page with the connector wizard.
First step is to add a new name for the connector.
Then let’s move to the connector configuration.
You should be able to find the agent where you did the installation earlier.
Add the proper credentials and click on Check Credentials to validate them.
Next, configure Virtual Machine settings (default 4vCPU and 8GB) and select the network card to assign the virtual machines used for layering.
You also need to configure where you will store the disks of the virtual machines used for layering.
Make sure to click on Test to validate that ELM can access the location.
Then click on Save and close the window.
In ELM, you should see the new connector.
The Cache Size and Cache hit Rate are very important for performances. Here is the default configuration for Cache Size:
- vSphere: 250GB
- XenServer: 480GB
- Hyper-V: 200GB
- Nutanix: 480GB
If you decide to disable caching (not recommended) for a connector configuration, set the cache size to zero (0). If you need to re-enable it, simply increase the Packaging cache size.
The Cache Hit Rate is the percentage of times the appliance has found a disk in the cache.
See more details in the documentation.
Add Citrix PVS connector in Citrix ELM
Note: Make sure to install Citrix App Layering agent on 1 PVS server part of your PVS farm.
Adding a connector for PVS will allow you to publish directly from the ELM console to PVS. The disk will be automatically added into the PVS store and configured. However you will still have to manually assign it the devices. Also if you have multiple PVS servers and no central repository, you will need to manage the synchronization of your vDisks between your servers (PowerShell, DFS-R, etc).
See Citrix Documentation for connectors.
Go to System > Connectors > Add Connector Config.
Select the connector that applies to your configuration (Ex: Citrix PVS).
This will open a new page with the connector wizard.
First step is to add a new name for the connector.
Then let’s move to the PVS connector configuration.
You should be able to find the PVS server where you installed the agent earlier.
Add the proper credentials and click on Check Credentials to validate them.
Note: you may need to register PVS PowerShell snapin on the server again. See https://support.citrix.com/article/CTX235079.
Next, configure vDisk settings. Select the PVS site and the PVS Store name in the dropdown list. Then You need to set the default configuration for the write cache, the size of the write cache and the type of license mode. You can also Enable AD machine account password management, load balancing and printer management if needed.
Make sure to click on Test to validate that the PVS connector is configured properly.
Then click on Save and close the window.
In ELM, you should see the new PVS connector.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
