Using One Citrix Web Interface Site with Multiple XenApp Farms

I frequent Experts Exchange (http://www.experts-exchange.com/) and, because of my status there, I often receive questions. Some of the questions share a common theme, such as:

  • “How do I show published applications to my users when I have multiple XenApp farms?”
  • “How can I use Web Interface to migrate users to a new XenApp farm while using both farms?”
  • “If I have the same application published in multiple farms, how can I control which farm the application is run from?”

In this article, you will learn how to configure Web Interface 5.4 and Citrix Secure Gateway 3.3 for multiple XenApp farms.

There are several potential reasons for using multiple XenApp farms:

  • XenApp 6.0 and XenApp 6.5 require new farms
  • Distinct farms for 32-bit applications and 64-bit applications
  • Organizational security requirements
  • Business mergers and acquisitions
  • Multiple internal environments

XenApp 6.x cannot be integrated into the farm of an earlier version of XenApp or Presentation Server. Similarly, XenApp 6.5 cannot be mixed with a XenApp 6.0 farm. Attempting to join a XenApp 6.x server into an earlier farm will damage the data store.

Deploying a 32-bit application on a 64-bit server installs the application, by default, in the C:\Program Files (x86)\ folder tree. Deploying a 32-bit application on a 32-bit server installs the application, by default, in the C:\Program Files\ directory. As a result, the default application location used when publishing a 32-bit application differs between 32-bit and 64-bit versions of Windows Server.

An enterprise may have applications that are required to be separated from other applications for security or business requirements. Installing the applications to XenApp servers that are in different farms can allow for segregated farm administration and more granular user access.

When one business merges with or acquires another business, both businesses may have pre-existing XenApp farms. Business requirements during the transition phase may make it necessary to keep the XenApp farms separate, temporarily or permanently.

A highly structured environment with strict change management controls may require different farms for different environments. For example, an organization may have Development, Test, QA, Training and Production environments. An application may be installed into the Development farm until network and systems administration procedures are documented. Once documented, the settings for the application can be moved into the Test farm. The Test farm can then be used for user acceptance testing. Once user testing has been completed, the settings for the application can be moved into the next farm, and so on, until the application is put into the Production farm.

For this article, the following Virtual Machines (VMs) will be used:

  • Domain Controller: TrainingDC
    • The VM will be assigned two virtual CPUs (vCPUs), 2GB of RAM and 24GB of Hard Drive space
    • Windows Server 2008 R2 SP1
    • Domain Controller for the WebstersLab.com Active Directory domain
    • Remote Desktop Services License server and Citrix Licensing server
    • Static IP Address 192.168.1.100
  • SQL Server: TrainingSQL
    • The VM will be assigned two vCPUs, 2GB of RAM and 24GB of Hard Drive space
    • Hosts the SQL Server data stores for all four XenApp farms
    • Microsoft SQL Server 2008 R2 SP1 on Windows Server 2008 R2 SP1
    • Static IP Address 192.168.1.101
  • XenApp 5 #1: XA520031
    • The VM will be assigned two vCPUs, 4GB of RAM and 32GB of Hard Drive space
    • XenApp 5 for Server 2003 Hotfix Rollup Pack 7 on Windows Server 2003 SP2 32-bit
    • Static IP Address 192.168.1.102
    • Default XML port of 80
    • Farm name XA52003
  • XenApp 5 #3: XA520081
    • The VM will be assigned two vCPUs, 4GB of RAM and 32GB of Hard Drive space
    • XenApp 5 for Server 2008 Hotfix Rollup Pack 1 on Windows Server 2008 SP2 32-bit
    • Static IP Address 192.168.1.104
    • Default XML port of 80
    • Farm name XA52008
  • Web Interface and Citrix Secure Gateway: CitrixWI
    • The VM will be assigned two vCPUs, 2GB of RAM and 24GB of Hard Drive space
    • Windows Server 2003 SP2 32-bit
    • Web Interface 5.4 with Hotfix WI540MSI002 and Citrix Secure Gateway 3.3
    • Not a member of the WebstersLab.com domain
    • Static IP Address 192.168.1.105
  • XenApp 6.0: XENAPP60
    • The VM will be assigned two vCPUs, 4GB of RAM and 40GB of Hard Drive space
    • XenApp 6.0 Hotfix Rollup Pack 1 on Windows Server 2008 R2 SP1
    • Static IP Address 192.168.1.106
    • XML port 8060
    • Farm name XA60Farm
  • XenApp 6.5: XENAPP65
    • The VM will be assigned two vCPUs, 4GB of RAM and 40GB of Hard Drive space
    • XenApp 6.5 on Windows Server 2008 R2 SP1
    • Static IP Address 192.168.1.107
    • XML port 8065
    • Farm name XA65Farm
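
An added example, not part of the original article: a pre-flight check for the lab inventory above that validates the four farm entries and confirms each farm's XML port accepts a TCP connection from the host that will run Web Interface. The function names and the timeout value are assumptions of this example; a successful connect shows only that the port is open, not that the XML service itself answered.

```python
import socket
from collections import Counter

# Farm name -> (XML broker address, XML port), copied from the lab list above.
LAB_FARMS = {
    "XA52003":  ("192.168.1.102", 80),
    "XA52008":  ("192.168.1.104", 80),
    "XA60Farm": ("192.168.1.106", 8060),
    "XA65Farm": ("192.168.1.107", 8065),
}


def validate_inventory(farms):
    """Return a list of problems found in a farm -> (host, port) mapping."""
    problems = []
    for name, (host, port) in farms.items():
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{name}: XML port {port!r} is not a valid TCP port")
    # Two farm entries with the same host:port usually mean one entry was
    # copied and never edited, so the second farm's broker is never contacted.
    for endpoint, count in Counter(farms.values()).items():
        if count > 1:
            shared = sorted(n for n, e in farms.items() if e == endpoint)
            problems.append(
                f"{', '.join(shared)} share endpoint {endpoint[0]}:{endpoint[1]}")
    return problems


def probe_xml_ports(farms, timeout=3.0):
    """TCP-connect to each farm's XML port; return {farm: 'open' or a reason}."""
    results = {}
    for name, (host, port) in farms.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[name] = "open"
        except socket.timeout:
            results[name] = "timeout (host down or port filtered)"
        except OSError as exc:
            results[name] = f"failed: {exc.strerror or exc}"
    return results


if __name__ == "__main__":
    for issue in validate_inventory(LAB_FARMS):
        print("INVENTORY:", issue)
    for farm, status in probe_xml_ports(LAB_FARMS).items():
        host, port = LAB_FARMS[farm]
        print(f"{farm:9} {host}:{port:<5} {status}")
```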

In addition to the Administrator account, five accounts were created in the WebstersLab.com domain:

  • User03, who has access to only the XA52003 farm
  • User08, who has access to only the XA52008 farm
  • User60, who has access to only the XA60Farm farm
  • User65, who has access to only the XA65Farm farm
  • UserAll, who has access to all four farms

Each farm has two resources published.

  • XA52003
    • Notepad
    • Word 2010
  • XA52008
    • Paint
    • Word 2010
  • XA60Farm
    • Calculator
    • Word 2010
  • XA65Farm
    • WordPad
    • Word 2010

About Carl Webster

Webster is an independent consultant in the Nashville, TN area and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

21 Responses to “Using One Citrix Web Interface Site with Multiple XenApp Farms”

  1. Andrew Taylor Says:

    Thank you for the article on Citrix Web Interface. From your article I know how I can use one Citrix Web Interface site with multiple XenApp. I have bookmarked your website for the latest post about this topic just because you have creative ideas about this topic. Keep writing on.

  2. Alexis Says:

    Dear Mr Webster,

    At first, thank you for your amazing work. It lets me think maybe you will know how to deal with a problem related to my multi-farm WI (1 XenApp 6.5 + 3 PS 4.5 farms).
    2 of those PS4 farms are development farms, not very important and with only a few accesses.
    Sometimes the ESXi of those 2 farms has a problem and does not yet work, so the XML brokers are unreachable.
    Then, our “production users” are connecting to WI and get a significant delay before launching any application. I understand that the enumeration process still tries to contact each XML broker sequentially, even for a lost farm, wasting time to get to the “production farm” (http://support.citrix.com/article/CTX125558)
    Do you know if there is a way to reduce this delay for lost farm(s), or how to get rid of this?
    Excuse me for my bad English, and thank you for your time.

  3. cubeover Says:

    Thanks for sharing.
    However I have an additional question:
    What if those four farms were in separate domains?
    What are the requirements to collect them all under one roof of Web Interface?
    I have two farms: one in TMN and one in domain COR.
    TMN trusts COR, hence users from COR can logon to resources in TMN, including the Web Interface.
    I would like to use WI in TMN only for accessing both farms.
    I have added the COR’s farm into TMN’s WI as you describe but the apps in TMN just aren’t popping up in the view on COR’s WebIF.
    I am logging as COR\user and seeing no resources.
    Logging as the same user in COR’s WI shows all resources.
    What am I doing wrong?
    How does WI access a farm, under what security context?

    • cubeover Says:

      Edit:
      “I have added the COR’s farm into TMN’s WI as you describe but the apps in COR farm just aren’t popping up in the view on TMN’s WebIF.”

    • Carl Webster Says:

      So I can lab and document the procedure, give me some more info:

      What domain level and what OS?
      What version(s) of XenApp?
      What version of WI?
      What is in front of WI? i.e. CSG, CAG, NetScaler

      WI accesses the XenApp Farm under the context of the user account who successfully authenticated.

      Thanks

      Webster

  4. venkat Says:

    Very good articles... post more for new learners of Citrix.

  5. Jesi Says:

    Hey Carl, great article. I’ve followed it to the letter but am struggling to display resources from multiple domains. We have 3 domains, each with its own Citrix farm, for example:
    domain A runs xa4.5 (XML 80)
    domain B runs xa5 (XML 8020)
    domain C runs xa6 (XML 80)
    I’ve configured WI and made sure the correct XML ports are entered, but when I launch WI only resources from domain A and C are showing but not from domain B. Telnet to domain B Citrix servers on 8020 runs fine. Don’t know what could be wrong.

    any suggestions?
    ta

  6. mike Says:

    Has anyone with a similar setup experienced any slowness issues as more farms are added to the WI and CSG? Now that I have 8 farms, it is significantly slower to authenticate than when I had a single farm. Authentication is slow, and so is actually launching the published apps. This is for XA 6.5 farms, WI 5.4, CSG 3.3.1, all farms XML on 8080, 1-2 servers per farm, and each server is listed as an STA.

    • Carl Webster Says:

      Citrix does not recommend more than 5 XenApp Farms and/or XenDesktop Sites in one Web Interface site.

      • mike Says:

        Carl – thank you for the reply and also for writing up this post. I wish I had come across it when I first set up our CST+WI as it would have been a lot easier and quicker. One last thing: do you think it would be better to create a new WI site on the existing servers and maybe split the farms so each site serves 5 or under, or would it be more ideal to jump on and go with an Access Gateway based solution?

      • Carl Webster Says:

        The 5 farm limit is a Web Interface limitation. It has nothing to do with what is in front of Web Interface: CSG, CAG, AGEE, NetScaler. I have no idea if StoreFront will have the same performance degradation with more than 5 farms. I would probably have multiple WI Sites.

      • mike Says:

        I would just like to update for anyone who is interested that we ended up ditching the CSG+WI approach and went with a NetScaler VPX with the Access Gateway and WI features enabled. We provisioned one VIP per farm/customer and configured authentication policies along with session profiles to present the appropriate resources when a connection attempt is made on that VIP.

  7. Timo Says:

    Hi Carl, great article!

    One question though: how about if all those different XenApp farms would be located in different continents?

    Let’s say we have three farms: one in New York, one in London, and one in Beijing. The Web Interface and Secure Gateway are in New York. Beijing and London have read only domain controllers. How about if a user in London wants to launch an application published from Beijing XenApp farm, isn’t it so that all Citrix traffic traverses via New York Secure Gateway, instead of going directly from London to Beijing?

    • Carl Webster Says:

      XenApp has issues if you only have read-only domain controllers in the remote sites.

      http://support.citrix.com/article/CTX133873

      CSG and Web Interface are only used for the authentication and presenting your icons. Once you launch a published resource, CSG & WI are no longer in play.

      Once you start running a published resource, you could power off the WI server and the user will not be impacted (for that published resource).
      Of course, they wouldn’t be able to launch another published resource but this is just an example for you.

      Thanks

      Webster

  8. madhu Says:

    Hi Carl,

    Applications are fine while using PNAagent but not from Webinterface. What is the reason, and how do I find where I went wrong?

    Regards,
    Madhu.

    • Carl Webster Says:

      EVERYONE who reports this issue to me ALWAYS makes the same mistake. At Figure 80, don’t forget to put the correct XML port in the URL.

      Thanks

      Webster

  9. martin_ffm Says:

    thanks a lot, Carl, it works superb!

  10. vijaya reddy Says:

    Very good article. Because of this you have #rank 1 in Experts-Exchange

  11. Dennis Says:

    Is it possible to publish 2 WI’s on the same computer that use different authentication methods? One with plain user/password and one with RSA tokens?
