Office365 together with Citrix

This blog post is based on a session I held at the Citrix User Group here in Norway this week. It is essentially about whether Office365 can work in conjunction with Citrix, and what we need to think about.

There are multiple things we need to think and worry about. This might seem a bit negative, but that is not the idea; I am just being realistic.

So this blogpost will cover the following subjects

  • Federation and sync
  • Optimizing Office ProPlus for VDI/RDS
  • Office ProPlus optimal delivery
    • Performance
    • Shared Computer Support
  • Skype for Business
  • Outlook
  • OneDrive

So what is the main issue with using Citrix and Office365? The Distance….

This is the headline for a blogpost on Citrix blogs


So how do we fix this when we have our clients on one side, the infrastructure on another and Office365 in a different region, separated by many miles, and still try to deliver the best experience for the end user?


First off, do we need to have federation or just plain password sync in place? Using password sync is easy and simple to set up and does not require any extra infrastructure.

NOTE: Since I am above average interested in Netscaler I wanted to include another point here. For those that don’t know, Netscaler with AAA can in essence replace ADFS, since Netscaler now supports SAML IdP. An important thing to note is that Netscaler does not support the Single Logout profile or the Identity Provider Discovery profile from the SAML profiles. We can also use Netscaler Unified Gateway with SSO to Office365 with SAML. The setup guide can be found here

Using ADFS gives a lot of advantages that password hash sync does not.

  • True SSO (While password hash gives Same Sign-on)
  • If we have Audit policies in place
  • Disabled users get locked out immediately, instead of a 3 hour wait time until the Azure AD Connect sync engine starts replicating, and 5 minutes for password changes.
  • If we have on-premises two-factor authentication we can most likely integrate it with ADFS but not if we have only password hash sync
  • Other security policies, like time of the day restrictions and so on.
  • Some licensing stuff requires federation

So to sum it up, please use federation.

Secondly, the Office suite from Office365 uses something called Click-to-run, which is kind of an App-V wrapped Office package from Microsoft. It allows for easy updates from Microsoft directly instead of dabbling with the MSI installer.

In order to customize this installer we need to use the Office deployment toolkit, which basically allows us to customize the deployment using an XML file. We can then use Group Policy to manage the specific applications and how they behave. Another thing to think about is using the Target Version group policy to manage which specific build we want to be on, so we don’t get a new build each time Microsoft rolls out a new version, because from experience I can tell that some new builds include new bugs –>


Office365 versions found here:

Another thing is that if we want to use Office365 in conjunction with RDS/XenApp we need to have at least E3/E4 plans, which include that support. This is done using something called Shared Computer support, which allows us to install and run Office Click-to-run from a terminal server.

<Display Level="None" AcceptEULA="True" /> 
<Property Name="SharedComputerLicensing" Value="1" />

Another issue with this is that when a user starts an Office app for the first time he/she needs to authenticate once. A token will then be stored locally in the %localappdata%\Microsoft\Office\15.0\Licensing folder, and it will expire within a couple of days if the user is not active on the terminal server. Think about it: if we have a XenApp farm with many servers that might be the case, and if a user is redirected to another server he/she will need to authenticate again. If the user is going against one server, the token will automatically refresh.
NOTE: This requires Internet access to work.

It is also important to remember that the Shared Computer support token is bound to the machine, so we cannot roam that token between computers.

But a nice thing is that if we have ADFS set up, we can set up Office to automatically activate against Office365. This just requires that we configure some Office365 Group Policies to make that happen.

This is part of the ADMX template from Office2013


Add the ADFS domain site to Trusted Sites in Internet Explorer and define these settings as well


This allows us to basically resolve the token issue with Shared Computer Support.


We also need to add the ADFS site to Trusted Sites in Internet Explorer and specify within the security settings of Trusted Sites that usernames and passwords are automatically used.

Since we can’t use MKS or PVS for use with Office365 ProPlus, we need to use shared computer support. On VDI instances users can use their regular

We can also use the Office deployment toolkit to generate a package which we can deploy instead (we can also use this online resource to create deployment files for us).

The use of an App-V package allows for easier deployment and allows our IT guys to customize which applications should be available to the end users. This also allows us to deploy it using SCS or using the Configuration Manager Connector from Citrix. It also gives us the possibility to centrally manage updates, control updates in a better fashion and specify which applications should be visible to the end users.

Another important thing to remember is that Office is quite fond of GPU, so if hardware acceleration is enabled and there is no GPU present, it will fall back to software GPU, which means that the CPU has more to do.


So by all means, if there is no GPU, disable hardware acceleration (NOTE: by default it is disabled if no GPU is present, but some features might not function properly).
More info here –>

Another thing is that if we want to deploy Office within a VDI environment we should do some tuning on our Windows 10 machines. Did you know that by default in a VDI environment a Windows client OS behaves like it is communicating with Internet based devices all the time? This means that it tunes TCP accordingly. We have a PowerShell cmdlet called Get-NetTCPSetting which shows the TCP stack settings for a Windows client. Windows Servers run the profile called Datacenter, while clients, even though they are inside the datacenter, run the Internet profile. So in a VDI environment we can define the Datacenter profile for our client computers using the cmdlet Set-NetTCPProfile

This also changes the TCP congestion algorithm to DCTCP instead of CTCP.

Microsoft also has an application called Office365 client analyzer, which can give us a baseline to see how our network performs against Office365, such as DNS, latency to Office365 and so on. DNS is quite important in Office365 because Microsoft uses proximity based load balancing, and if your DNS server is located somewhere other than your clients you might be sent in the wrong direction. The client analyzer can give you that information.



Now if for some reason (which will also appear later) we need to use the traditional Office package (which uses a volume license and is not based upon a user license), we need to set it up using either KMS or MAK.

It is important to remember that Citrix supports the use of KMS with PVS and MCS (while MAK is not supported).

So in regards to Skype for Business, what options do we have in order to deliver a good user experience for it? We have four options that I want to explore.

  • VDI plugin
  • HDX realtime
  • Local app access
  • HDX Optimization Pack

Now the issue with the first one (which is a Microsoft plugin) is that it does not support Office365; it requires on-premises Lync/Skype. Another issue is that you cannot use the VDI plugin and the optimization pack at the same time, so if users are using the VDI plugin and you want to switch to the optimization pack you need to remove the VDI plugin.

HDX realtime works with most endpoints, since it is basically running everything directly on the server/VDI, so the issue here is that we get no server offloading. So if we have 100 users running a video conference we might have an issue. If the two other options are not available, try to set up HDX realtime using audio over UDP for better audio performance.

Local App access might be a viable option, which in essence means that a local application will be dragged into the Receiver session, but this requires that the end user has Lync/Skype installed. This also requires platinum licenses, so not everyone has that, and it only supports Windows endpoints…

The last and most important piece is the HDX optimization pack, which allows the use of server offloading using the HDX media engine on the end user device.


The optimization pack supports Office365 with federated users and cloud only users. It also supports the latest clients (Skype for Business) and can work in conjunction with Netscaler Gateway and Lync edge server for on-premises deployments. This means that we can get Mac/Linux/Windows users using server offloading, great…

The only issue is that it does not support Office Click-to-run and that it requires Enterprise licensing.

Another important piece to remember is that it requires the Lync UI (not the Skype UI) because it uses the Lync SDK.

Now for more on this part, we also have Outlook, which for many is quite the headache…. That is mostly because of the OST files that are dropped in the %localappdata% folder for each user. Office ProPlus has a setting called fast access, which means that Outlook will in most cases try to contact Office365 directly, but if the latency becomes too high, the connection will drop and it will go and search through the OST files.

(We could however buy ExpressRoute from Microsoft, which would give us low-latency connections directly to their datacenters, but this is only suitable for LARGER enterprises, since it costs HIGH amounts of $$)


But this is for the larger enterprises, and it allows them to overcome the basic limitations of the TCP stack, which limit the number of external connections to about 4000 at the same time.

Microsoft recommends that in an online scenario the clients do not have more than 110 ms latency to Office365, and in my case I have about 60 – 70 ms latency. If we combine that with some packet loss or an adjusted MTU, well, you get the picture.

Using Outlook Online mode, we should have a MAX latency of 110 ms; anything above that will degrade the user experience. Another thing is that using online mode disables instant search. We can use the Exchange traffic Excel calculator from Microsoft to calculate the bandwidth requirements.

In order to adjust this we can set something called cached mode, meaning that Outlook will store email for the last months (this is customizable) in the OST file, and the rest will need to be fetched online from Office365. We can also define that all users should always go online and have nothing cached locally, but this might not give a good user experience.

This allows us to have a smaller OST file, but still have a good user experience. Now the last part is that we can’t have these OST files stored locally on each terminal server, so we need to have a good profile management solution in place in order to handle this properly. It is important to note that Microsoft supports having OST files on a network share, IF! there is adequate bandwidth and low latency… and only if there is one OST file.

NOTE: We can use other alternatives such as FSLogix, Unidesk to fix the Profile management in a better way.

Important to remember that Microsoft will not help troubleshoot if you are having performance related issues.

Some rules of thumb: do some calculations!

Heavy online users generate about 20 MBps of network traffic (using online mode only)

Heavy online users with 3 months of cached data will generate about 10 MBps of network traffic (this is only the bandwidth going directly to Office365 and does not count the traffic that is going against the OST file locally)

It is also important to have Office Outlook over SP1, which gives MAPI over HTTP, which does not consume that much bandwidth, instead of RPC over HTTP.

But we can use Profile Management to manage our OST files from a network share. Remember that the OST files in most cases are 50-80% larger than the mailbox itself because of the way they store content, that they are very sensitive to latency, and that file locking is an issue. So for instance if we are using Lync on one XenApp server, which uses Outlook to save conversations, and then open another connection and open Outlook there, we might get errors because of the OST file locking, yay!

In regards to OneDrive, try to exclude that from XA/XD users, since the sync engine basically doesn't work very well, and now that each user has 1 TB of storage space it will flood the storage quicker than anything else if users are allowed to use it.

You can remove it from the Office365 configuration by adding this in the xml file

<ExcludeApp ID="Groove" />
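
The two configuration fragments in this post (SharedComputerLicensing for RDS/XenApp and the Groove exclusion for OneDrive) are easy to lose when the XML file is edited by hand, so a pre-deployment check is useful. This is an added example, not part of the original post: the function name Test-OfficeRdsConfig is hypothetical, and the sample files with their SourcePath, OfficeClientEdition, Product ID and Language ID values are constructed for illustration.

```powershell
# Added example: audit an Office Deployment Tool configuration.xml before it is
# used on RDS/XenApp hosts. Runs offline against the embedded samples.

# Constructed sample carrying the settings the post calls for.
# SourcePath, OfficeClientEdition, Product ID and Language ID are assumed values.
$goodConfig = @'
<Configuration>
  <Add SourcePath="\\fileserver\office" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="True" />
  <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>
'@

# Constructed sample with the two omissions the check is meant to catch.
$badConfig = @'
<Configuration>
  <Add SourcePath="\\fileserver\office" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="True" />
</Configuration>
'@

function Test-OfficeRdsConfig {
    # Hypothetical helper: emits one string per finding, nothing when the file is OK.
    param(
        [Parameter(Mandatory = $true)]
        [string]$XmlText
    )

    $doc = [xml]$XmlText

    # Shared Computer support must be switched on for terminal servers.
    $scl = $doc.SelectSingleNode("/Configuration/Property[@Name='SharedComputerLicensing']")
    if ($null -eq $scl -or $scl.GetAttribute('Value') -ne '1') {
        'SharedComputerLicensing is missing or not set to 1'
    }

    # A silent install needs Display Level="None" and an accepted EULA.
    $display = $doc.SelectSingleNode('/Configuration/Display')
    if ($null -eq $display -or $display.GetAttribute('Level') -ne 'None') {
        'Display Level is not None, setup will show UI'
    }
    elseif ($display.GetAttribute('AcceptEULA') -ne 'True') {
        'AcceptEULA is not True, a silent install will stop at the EULA'
    }

    # Every product in the file should exclude Groove (the OneDrive exclusion
    # the post recommends for XA/XD users).
    $products = $doc.SelectNodes('/Configuration/Add/Product')
    if ($products.Count -eq 0) {
        'No <Product> element found under <Add>'
    }
    foreach ($product in $products) {
        if ($null -eq $product.SelectSingleNode("ExcludeApp[@ID='Groove']")) {
            "Product '$($product.GetAttribute('ID'))' does not exclude Groove"
        }
    }
}

# Run the check against both constructed samples.
foreach ($name in 'goodConfig', 'badConfig') {
    $xmlText = Get-Variable -Name $name -ValueOnly
    $findings = @(Test-OfficeRdsConfig -XmlText $xmlText)
    if ($findings.Count -eq 0) {
        '{0}: OK for shared computer deployment' -f $name
    }
    else {
        $findings | ForEach-Object { '{0}: {1}' -f $name, $_ }
    }
}
```

To check a real file, pass its contents with Test-OfficeRdsConfig -XmlText (Get-Content -Raw -Path .\configuration.xml).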

So anyhow, I had a great time at Citrix User Group, this year! and yet again I was part of the team that won the challenge!

XenDesktop 7.5 and Windows Azure Pack Gallery Image

Yesterday Citrix announced a Tech Preview of a XenDesktop 7.5 Gallery image for Azure Pack.
For those not so familiar with Azure Pack, this is a portal which builds upon System Center (and some other tools) to deliver an Azure-like portal where you can set up some of the features like Azure does. I’ve blogged about it before if you want to know more about it here –>

Now a Gallery Image comes in when an end user wants to provision a new service: he can either choose custom create or choose a finished image from the gallery.
(A copy from the Azure Gallery)

Now imagine giving customers the ability to provision XenDesktop resources as they need them, or just giving the IT guys a streamlined process for doing it. This is where the XenDesktop gallery image comes in.

Now what do we need to set up this image?

* Windows Azure Pack
* Server 2012 R2 image sysprepped
* XenDesktop 7.5 Media
* The XenDesktop Gallery Image

Then we need to do a lot of changes. First we need to create a new VHD which will contain the setup files. Go into Disk Management and create a new VHD (which needs to be 4GB) called XenDesktop.vhd


After you have created the VHD, mount it using Explorer and copy the content from the 7.5 ISO to the VHD file.
When you are done with this, go into the Virtual Machine Manager console, then into the Library node, and then click Import Physical Resources.


Then choose “add resources”, select XenDesktop.vhd, and then select which library server and destination to store the VHD file on. After it is finished importing, right-click on it and choose Properties. Then set Family to CitrixXenDesktopMedia, and then set the release to and lastly set the operating system type to “none”


Then click OK. After we are done with this we need to modify our operating system disk image. (Does this need to be VHD? YES! Azure Pack does not support VHDX, and it needs to be fixed.)

Right-click on the sysprepped VHDX file and choose Properties. From there alter the Family to the type of operating system it is running, in my case it’s
”Windows Server 2012 R2 Datacenter”

and set the release to and then of course change the Operating System to Windows Server 2012 R2 Datacenter as well.


Click OK after you are done. Next we need to “tag” the virtual disks so that the gallery item can find the VHDs.

Open up the Virtual Machine Manager PowerShell console and run the following commands:

# Make sure that the name matches the name of your VHD file
$myVhd = Get-SCVirtualHardDisk | where {$_.Name -match 'sysprepped'}

# Add the tag to the tags the disk already has
$tags = $myVhd.Tag
$tags += "WindowsServer2012"
Set-SCVirtualHardDisk -VirtualHardDisk $myVhd -Tag $tags

# Print the tags so you can see that the tag is applied
$myVhd.Tag


Now we need to import the Gallery image extension to the Library share. This can be done either by using the GUI or by using PowerShell.


$libraryShare = Get-SCLibraryShare | Where-Object {$_.Name -eq 'MSSCVMMLibrary'}
# Change this path to where the resextpkg is located
$resextpkg = "C:\Users\administrator.CONTOSO\Downloads\XenDesktopRole.resextpkg"
Import-CloudResourceExtension -ResourceExtensionPath $resextpkg -SharePath $libraryShare


Next we need to enter the Azure Pack admin site. Go into VM Clouds and Gallery and choose Import.


From here add the XenDesktopRole.resdefpkg, and verify that it actually imports.


Next we need to make this item public and add it to some different plans.

Go into the item and choose Make Public, then assign it to some plans. If you don’t have any plans you need to create some from the plans menu pane within the Admin site.

So what now? Open the Azure Pack site as a tenant which is enabled for the plan, choose from Gallery and see for yourself.



Then click next. (From here the OS “sysprepped” image should appear, and you need to have a virtual network in place before you can continue.)


Next we can define which role this VM should have. We can set up a XenDesktop Controller, but we still need to create the site after VM creation. We can also deploy StoreFront, License Server, Session Host and Desktop Director.


Pretty cool!

Citrix Connector for System Center Configuration manager 7.5 walkthrough

Earlier today, Citrix released their updated System Center Configuration Manager connector for XenDesktop 7.5. It can be downloaded from here –> note that it requires a mycitrix account in order to download it.

So what does it do? Well, a couple of things. Mostly it’s about pushing software out to regular clients and servers, including XenApp/XenDesktop servers, where the clients might get the XD/XA version of an application. You can also use it to publish applications directly to XD/XA from Configuration Manager, which makes it easy to maintain a consistent software library.

Now there are a couple of components here that are needed.

* Citrix Connector Service (This does the syncing, publishing and orchestration jobs between Configuration Manager site and the XA/XD site)

* Citrix DT handler (This component is needed on VDA servers/clients and on managed clients which you want to use the integration between) NOTE: There are different DT handlers for clients and VDA agents


So in my case I installed the Citrix Connector Service on my site server since it is a demo environment. Now the installation is pretty straightforward.


Install both the service and the console extension


Enter a service account for the connector service


New in this release is the ability to define maintenance windows, in case you want automated deployment to VDA agents.


Now after the installation is finished there are a few things which should be done first.

Make sure that Configuration Manager client is installed on the VDA agents you want to use with this deployment. Now you should create an application of the DT handler and deploy out to all VDA agents.

  • Using the following installation parameters: msiexec /i "CitrixDTHandler_x64.msi" /q
  • Also, all applications you want to publish should be pre-created and added to Configuration Manager.

Now in my case, I have installed the DT handler on 1 VDA server, and have created 7-zip as an application in Configuration Manager. When we open the Configuration Manager Console we have some new options. First off, under Assets and Compliance we have the machine catalogs listed


First off we need to deploy 7-zip to the machine catalog and VDA agents. After that, Configuration Manager has gotten the info that the application has been installed


We can go ahead and do a publication action. Go into Software Library and into Citrix Application Publications and choose Create Publication.


Then we run through the wizard


Now the connector has gotten a nifty new feature which checks if all the prerequisites are in place.


So after we have completed the wizard and the synchronization is complete, the application will appear in XenDesktop Studio.


So now we have successfully installed 7-zip on a VDA agent and successfully published it from Configuration Manager. This means that the application is available as a resource if the user starts up Citrix Receiver or logs into StoreFront.

Now onto the next option: what if we want users to get applications from Software Center or the Application Catalog (but they can start a Citrix session if we want them to)? This is part of the DT handler on the managed clients.

Now let’s deploy 7-zip from Configuration Manager to some managed clients. First off we need to create a new deployment type which references the newly published application. In the deployment type choose XenApp


Under publishing you need to choose the existing Citrix deployment that was published earlier.


NOTE: Citrix DT handler needs to be installed on the clients.

Now go through the wizard, and after you are done with the wizard you need to give the XenApp deployment type a lower priority than the other option.

Now after you have created the deployment type and you want to deploy the application, you need to choose the clients or the users which are defined in the delivery groups


Now if you head over to the application portal on a managed client with a valid user, the application will appear.


Now if you click this application, the Configuration Manager agent and the DT components will interact and publish the application in Receiver. If you have a valid single sign-on deployment working in your XenDesktop environment you can see that 7-zip is published on the managed client's desktop


This is a quick walkthrough, but it gives you a quick overview of what you can use this connector for. You can also integrate it with MCS and PVS, and we can also integrate App-V applications. It is also important to remember that with XenDesktop 7.5 you can integrate with Configuration Manager for Wake on LAN functionality.

SCVMM and XenApp 6.5 + PVS = Trouble!

I have been involved in a case for a long time now where a partner wanted to use SCVMM with XenApp 6.5 and PVS 7.1 for a customer, and it has not been quite as successful.

Now I wanted to share some notes on PVS and Hyper-V and what the limitations are at the moment.

  • First off, it is important to note that PVS 7.1 is the only version of Provisioning Services that supports SCVMM 2012 R2, as the support matrix lists.

  • Using PVS with Hyper-V is now functional with PVS 7.1. This requires Legacy adapters in Hyper-V, since Legacy adapters are the only NICs in Hyper-V that support PXE boot.


  • Citrix has implemented a failover mechanism between Legacy and Synthetic which means that the streaming traffic can start from the Legacy adapter and then switch to the synthetic.


  • Hyper-V 2012 R2 does support PXE with Synthetic devices with Generation 2 Virtual Machines, but THIS IS NOT SUPPORTED BY CITRIX YET.
  • If we for instance are using a VM with two Legacy adapters, Hyper-V will always boot from the last legacy NIC added to the virtual machine. If we are using the “Stream VM wizard” in PXE it will add the first NIC in the virtual machine, meaning that we get the wrong MAC address in the PVS database.
    • Hyper-V creates a new NIC GUID when creating a machine from a template, unlike VMware or XenServer, which do not.
    • The Stream VM wizard in PVS creates virtual machines from templates, which means that NICs on the PVS virtual machines get reinitialized when booting, and therefore services stop responding since it delays the network start.
    • The only solution to this is to clone machines and then add them manually to PVS like in this CTX article –>
    • The XenDesktop setup wizard in PVS DOES NOT create virtual machines from a template, but clones the virtual machine using a set of PowerShell cmdlets.

Hopefully 7.5 has support for Generation 2 Virtual Machines!

XenApp 7.5 the return of XenApp

So after the public announcement Citrix made earlier today, it was clear that they are going to bring XenApp back to life, more or less. You can see more about the product here –>

Not quite, even though it is called XenApp it is still running the XenDesktop FMA architecture beneath. The reason why they are bringing back the XenApp name? Because of the brand, since many people are very familiar with the name and the concept it brings, and since many think of XenDesktop as a VDI solution.

It will again be available in the same editions as before: Advanced, Enterprise and Platinum. This means the end of XenDesktop App edition (since this is actually the XenApp functionality). Customers that have XenDesktop App edition have the same functionality as XenApp Enterprise 7.5

So what does XenApp 7.5 bring to the playing field?

Hybrid Cloud provisioning – to AWS and CloudPlatform (no Azure here! It will come later). This gives the ability to provision XenApp servers directly into the cloud provider.

And for existing XenApp 6.5 customers, you have more mobile HDX functionality to provide a better application delivery to mobile devices.

So for those that were hoping for a full return of XenApp: well, it is just the marketing group doing a name change to the existing product line to use its branding to its full potential.

So the 7.5 product line is rumored to be released in the summer. It is going to be interesting to see what Project Merlin will bring besides the hybrid cloud provisioning.


Also you can see what else is available here, it will be released in March

XenDesktop 7.1 TechPreview Service Template

Citrix released yesterday a tech preview of their Service Template for XenDesktop 7.1 for System Center Virtual Machine Manager.
This template allows for rapid and easy deployment of an entire XenDesktop 7 infrastructure, including setup of Director, License Server, Desktop Delivery Controller and Storefront.

It does not by default include Netscaler as part of that template, but that is something we can add to the “mix” later.
The Tech Preview of the template can be downloaded from mycitrix here –> (this requires a valid mycitrix account). It has a template for XenDesktop and one for PVS.

I’ll continue on with the XenDesktop template and show how it is deployed.
The template contains a bunch of PowerShell scripts, the XenDesktop 7.1 ISO file and the template file itself. In order to fully set up the template it needs the VMM ISO file and a generalized 2012 VHD file.

After we have downloaded the template file open VMM –>
Then go into Library and Import Template –>


Then point to the extracted XenDesktop folder.
Then choose next. Now we need to point the template to the different ISO files and the generalized 2012 template.


After that is done and the mappings are correct we can continue on with the importing.


This will take some time since it needs to import XenDesktop to the library. When we now go into Service Templates we can see XenDesktop listed as an option there. If we right-click and choose “Open Designer” we can see what the layout will look like.


Now if we wanted to, we could use the Netscaler integration as well to deploy multiple DDCs and StoreFronts and automatically set up load balancing of these services as part of the deployment. Let’s see how that can be done using the Service Template. (Note that this integration is still not supported in 2012 R2) (UPDATED: IT WORKS) but for the purpose of demonstrating how it CAN be done I’ll show it anyway. So after we have installed the addon and created a VIP template for DDC and one for StoreFront we can open the designer again.

Next we can connect the VIP profiles to the different components, one DDC VIP template for DDC and one for StoreFront, which have different load balancing mechanisms set up.


Now if I were to configure a deployment of this, I can configure the number of each server I want in order to ensure scalability and redundancy.
When I start the deploy wizard I get a question to define what my management network is.


Here I can define what the backend of the Netscaler is and what the VIP address of the load balancing solution is going to be.


But since the integration between Netscaler and VMM is not functioning in R2, I’ll need to get back to that in a later post (UPDATE IT WORKS). But if I go into one of the servers I can see the application scripts that are run in order to set up a functional site.


If I for instance have ComTrade installed on Operations Manager in order to have monitoring of my Citrix environment, I can add this as an Application Configuration in the last step to have a complete XenDesktop 7 setup with a load balanced Netscaler solution and complete monitoring using Operations Manager.

This is the power of Citrix and Microsoft!

News from Citrix and Microsoft

Wow, this has been a huge day for both Microsoft and Citrix.
First off, Microsoft announced publicly today that they are making RemoteFX clients for all mobile platforms (maybe part of the Mohoro DaaS?). This means that Microsoft VDI, together with storage dedup, might make Microsoft a better alternative and let them regain some lost ground there, because broad platform support has been one of Citrix’s best features. So about time Microsoft came aboard as well!

Anyhow… Citrix also made an announcement today that they will release XenDesktop 7.1 on the 23rd of October. This release will support all of the new platforms that Microsoft will release on the 18th, great news! That means VDA on Windows 8.1 and Windows Server 2012 R2, and that XenDesktop can leverage all of the SMB features and SCVMM 2012 R2 with MCS.

(Still eager to see the PVS features here)

So that means you can upgrade your infrastructure first and then Citrix later.
Hopefully this means that we can use XenDesktop 7.1 against new Gen VMs, and hopefully 7.1 also includes provisioning against Azure, it might be….