• Using One Citrix Web Interface Site with Multiple XenApp Farms

    How Does Web Interface Work

    In a Microsoft Windows environment, Web Interface works with Internet Information Services (IIS) to provide users with access to published resources. Users will use a standards-based Internet browser or the Citrix Receiver to access their resources.

    A Web Interface (WI) server will have one or more XenApp Web sites or XenApp Services sites configured. Each site will be configured for one or more XenApp farms. Each XenApp farm will have one or more XML Brokers listed to handle user authentication and resource enumeration. Once a user has been authenticated and selects a published resource, the Zone Data Collector (DC) is contacted. The DC determines if the user has an existing session on the server hosting the published resource and if a session exists, that session is reused (called Session Sharing). If the user does not have an existing session, a session is created and the published resource is started.

    The XML Broker will also request a session ticket from the Secure Ticket Authority (STA). The STA is responsible for issuing session tickets in response to the request to connect to the published resources. These session tickets form the basis of authentication and authorization for access to the published resources.

    A Web Interface server is normally placed in a DMZ; however, it may be placed inside the corporate network. Web Interface requires no XenApp components to be installed. A Web Interface server is not typically a member of a XenApp farm, nor is it typically a member of an Active Directory domain. However, in the smallest of networks, it is possible and common for Web Interface to be deployed on a XenApp farm member and/or on a member of an Active Directory domain.

    First, let’s stop, take a step back and review some basics.

    What is a XenApp farm? A XenApp farm is a group of XenApp servers that can be managed as a unit, enabling the administrator to configure features and settings for the entire XenApp farm rather than being required to configure each server individually. All the servers in a farm share a single data store.

    What is a data store? The data store provides a repository of persistent information about the farm that each server can reference, including the following:

    • Farm configuration information,
    • Published resource configurations,
    • Server configurations,
    • XenApp administrator accounts,
    • Printers,
    • Printer drivers,
    • Policies,
    • Load Evaluators, and
    • Folders.

    What is a Zone? A Zone is a logical grouping of XenApp servers that share a common zone data collector. Zones allow the efficient collection of dynamic farm information. Each zone in a farm has exactly one data collector. All of the member servers in a particular zone communicate their dynamic information to the data collector for their zone.

    What is a zone data collector? A zone data collector is a server that stores and manages dynamic information about the XenApp servers in a zone, including:

    • Published resource usage,
    • Server load,
    • User sessions,
    • Online servers,
    • Connected sessions,
    • Disconnected sessions, and
    • Load balancing information.

    The data collector shares this information with all other data collectors in the XenApp farm.

    All XenApp servers in the farm use the Independent Management Architecture (IMA) service and protocol in server-to-server communication. IMA also is used by the Access Management Console or the Delivery Services Console or AppCenter (depending on the version of XenApp used) to allow XenApp farm administrators to manage and configure various XenApp farm and server settings.

    What is an XML Broker? The Citrix XML Broker functions as an intermediary between the XenApp servers in the XenApp farm and the Web Interface. When a user authenticates to the Web Interface, the XML Broker:

    • Receives the user’s credentials from the Web Interface and queries the XenApp farm for a list of published resources that the user has permission to access. The XML Broker retrieves this application set from the IMA system and returns it to the Web Interface.
    • Upon receiving the user’s request to launch a resource, the DC locates the servers in the farm that host this application and identifies which of these is the optimal server to service this connection based on several factors. The DC returns the address of this server to the Web Interface.

    The XML Broker is a function of the Citrix XML Service. By default, the XML Service is installed on every server during the XenApp installation process. Multiple XenApp servers can have their XML Service specified in Web Interface to allow those servers to function as an XML Broker. The XML Service on the other farm servers still runs but is not used for servicing end-user connections.

    The Secure Ticket Authority is also installed on every XenApp server.

    For most small to medium sized XenApp farms, one XenApp server is dedicated to being the Zone Data Collector, XML Broker and STA server. In some large XenApp farms, it may be necessary to dedicate a XenApp server for each of the three roles.

    Dedicating a XenApp server for each role is easy to do. You would have three XenApp servers with no end-user applications installed. In the Zone settings for the farm, you would configure one of the servers as the Most Preferred data collector and the other two as Preferred data collectors. The server to be dedicated as the XML Broker would only be used when an XML Broker needs to be entered. The server to be dedicated as the STA server would only be used when an STA server needs to be entered.

    Figure 1 illustrates the interaction between Web Interface and other servers in a XenApp farm.

    Figure 1

    Figure 2 shows some of the steps involved in the Web Interface process.

    Figure 2

    1. A user connects to a Web Interface server from any device that has Citrix client software installed.
    2. The user enters their credentials on the login page.
    3. The web server reads the user’s credentials and forwards the credentials to the Citrix XML Service on the servers listed in the server farms.
    4. If the user’s credentials are not valid, return to Step 2. If the user’s credentials are valid, the Citrix XML Service retrieves a list of resources from the XenApp servers the user has permission to access. This list of resources is called the user’s resource set. The Citrix XML Service returns the resource list back to the Web Interface server.
    5. The Web Interface server builds a custom HTML web page consisting of the resources the user has permissions to run.
    6. The user clicks one of the published resource icons.
    7. The Citrix XML Service locates a server in the required farm that has an existing session for the user and the settings for the resource being launched match the settings for the resources running in the existing session. If those conditions match, the Citrix XML Service requests a session ticket and returns the server’s IP address and session ticket to the Web Interface server. If those conditions are not met, the Citrix XML Service requests a session ticket from the least-busy server and returns the server’s IP address and session ticket to the Web Interface server.
    8. Web Interface creates a custom launch.ica file and sends the file to the user’s Citrix client.
    9. The Citrix client software receives the file and initiates a session with the server specified in the file.
    10. The published resource runs on the XenApp server and is displayed on the end-user device.
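
    The server choice in Step 7 and the session ticket handed back in Step 8, modelled as an added example (not code from this article or from Citrix). The class and function names, addresses, load figures, session settings and the single-use ticket rule are assumptions of this model, and the returned dictionary only stands in for launch.ica; it is not the real file format.

```python
import secrets
from dataclasses import dataclass, field

SESSION_COST = 60  # constructed: load added when a new session starts

@dataclass
class Server:
    address: str                                   # constructed sample address
    load: int                                      # lower means less busy
    sessions: dict = field(default_factory=dict)   # user -> session settings

class TicketAuthority:
    """Stand-in for the STA: each ticket is bound to one server address."""
    def __init__(self):
        self._issued = {}

    def issue(self, address):
        ticket = secrets.token_hex(16)
        self._issued[ticket] = address
        return ticket

    def redeem(self, ticket):
        # Model assumption: single use, so pop() forgets the ticket.
        return self._issued.pop(ticket, None)

def pick_server(servers, user, settings):
    """Step 7: reuse a matching session (Session Sharing), else least busy."""
    for server in servers:
        if server.sessions.get(user) == settings:
            return server, True
    return min(servers, key=lambda s: s.load), False

def launch(servers, sta, user, resource, settings):
    """Steps 7-8: pick a server, request a ticket, build the launch data."""
    server, shared = pick_server(servers, user, settings)
    if not shared:
        server.sessions[user] = settings
        server.load += SESSION_COST
    # Illustrative stand-in for launch.ica, not the real file format.
    return {"resource": resource, "address": server.address,
            "ticket": sta.issue(server.address), "session_shared": shared}

def demo():
    farm = [Server("10.0.0.11", load=70), Server("10.0.0.12", load=20)]
    sta = TicketAuthority()
    a = {"colors": "32-bit", "encryption": "basic"}      # constructed settings
    b = {"colors": "32-bit", "encryption": "128-bit"}
    runs = [launch(farm, sta, "EXAMPLE\\alice", res, cfg)
            for res, cfg in [("Notepad", a), ("Calc", a), ("Payroll", b)]]
    return sta, runs
```

    In the constructed run, the second launch reuses the session on 10.0.0.12 because its settings match, while the third launch has different settings and goes to whichever server is least busy at that point.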

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    25 Responses to “Using One Citrix Web Interface Site with Multiple XenApp Farms”

    1. Bojan s Says:

      Carl,

      I have several different farms ranging between 6.5, 6 and 5. Is it possible to use 1 console and connect to all the farms with PowerShell? I would like to be able to run a command like get apps and be able to pull it from all the farms instead of having to run it from each one individually.


      • Carl Webster Says:

        Not possible with any Citrix console I am aware of. Each XenApp farm has a separate database and they are all different. You would need to build your own console or maybe there is a 3rd party management console I am not aware of that allows you to manage different XenApp farms from a single console.

        Webster


        • Bojan s Says:

          Not even possible with PowerShell remoting?


          • Carl Webster Says:

            The XenApp 5 and XenApp 6 PoSH cmdlets do not support remoting. You might be able to get it to work with nothing but PoSH but I never could get it working. The XenApp 6.x Group Policy module also does not support remoting.

            If you get it working, write it up and you can publish your article here.

            Thanks

            Webster


    2. Andrew Taylor Says:

      Thank you for the article on Citrix Web Interface. From your article I know how I can use one Citrix Web Interface site with multiple XenApp. I have bookmarked your website for the latest post about this topic just because you have creative ideas about this topic. Keep writing on.


    3. Alexis Says:

      Dear Mr Webster,

      At first thank you for your amazing work. It let me think maybe you will know how to deal with a problem related to my multi farm WI (1 XenApp 6.5 + 3 PS 4.5 farms).
      2 of those PS4 farms are development farms, not very important and with only a few access.
      Sometimes the ESXi of those 2 farms has a problem and does not yet work, so the XML brokers are unreachable.
      Then, our “production users” are connecting to WI and get a significant delay before launching any application. I understand that the enumeration process still tries to contact each XML broker sequentially, even for a lost farm, wasting time to get to the “production farm” (http://support.citrix.com/article/CTX125558)
      Do you know if there is a way to reduce this delay for a lost farm(s), or how to get rid of this?
      Excuse me for my bad English, and thank you for your time.


    4. cubeover Says:

      Thanks for sharing.
      However I have an additional question:
      What if those four farms were in separate domains?
      What are the requirements to collect them all under one roof of Web Interface?
      I have two farms: one in TMN and one in domain COR.
      TMN trusts COR, hence users from COR can logon to resources in TMN, including the Web Interface.
      I would like to use WI in TMN only for accessing both farms.
      I have added the COR’s farm into TMN’s WI as you describe but the apps in TMN just aren’t popping up in the view on COR’s WebIF.
      I am logging as COR\user and seeing no resources.
      Logging as the same user in COR’s WI shows all resources.
      What am I doing wrong?
      How does WI access a farm, under what security context?


      • cubeover Says:

        Edit:
        “I have added the COR’s farm into TMN’s WI as you describe but the apps in COR farm just aren’t popping up in the view on TMN’s WebIF.”


      • Carl Webster Says:

        So I can lab and document the procedure, give me some more info:

        What domain level and what OS?
        What version(s) of XenApp?
        What version of WI?
        What is in front of WI? i.e. CSG, CAG, NetScaler

        WI accesses the XenApp Farm under the context of the user account who successfully authenticated.

        Thanks

        Webster


    5. venkat Says:

      Very good articles ... post more for new learners of Citrix.


    6. Jesi Says:

      Hey Carl, great article. I’ve followed it to the letter but struggling to display resources from multiple domains. We got 3 domains each with own Citrix farm, for example:
      domain A runs xa4.5 (XML 80)
      domain B runs xa5 (XML 8020)
      domain C runs xa6 (XML 80)
      I’ve configured WI and made sure correct XML ports are entered but when I launch WI only resources from domain A and C are showing but not from domain B. Telnet to domain B Citrix servers on 8020 runs fine. Don’t know what could be wrong.

      any suggestions?
      ta


    7. mike Says:

      Has anyone with a similar setup experienced any slowness issues as more farms are added to the WI and CSG? Now that I have 8 farms, it is significantly slower to authenticate than when I had a single farm. Authentication is slow and actually launching the published apps as well. This is for XA 6.5 farms, WI 5.4, CSG 3.3.1, all farms XML on 8080, 1-2 servers per farm, and each server is listed as an STA.


      • Carl Webster Says:

        Citrix does not recommend more than 5 XenApp Farms and/or XenDesktop Sites in one Web Interface site.


        • mike Says:

          Carl – thank you for the reply and also for writing up this post. I wish I came across it when I first set up our CST+WI as it would have been a lot easier and quicker. One last thing, do you think it would be better to create a new WI site on the existing servers and maybe split the farms so each site serves 5 or under or would it be more ideal to jump on and go with an access gateway based solution?


          • Carl Webster Says:

            The 5 farm limit is a Web Interface limitation. It has nothing to do with what is in front of Web Interface: CSG, CAG, AGEE, NetScaler. I have no idea if StoreFront will have the same performance degradation with more than 5 farms. I would probably have multiple WI Sites.


        • mike Says:

          I would just like to update for anyone who is interested that we ended up ditching the CSG+WI approach and went with a NetScaler VPX with the Access Gateway and WI features enabled. Provisioned one VIP per farm/customer and configured authentication policies along with session profiles to present the appropriate resources when a connection attempt is made on that VIP.


    8. Timo Says:

      Hi Carl, great article!

      One question though: how about if all those different XenApp farms would be located in different continents?

      Let’s say we have three farms: one in New York, one in London, and one in Beijing. The Web Interface and Secure Gateway are in New York. Beijing and London have read only domain controllers. How about if a user in London wants to launch an application published from Beijing XenApp farm, isn’t it so that all Citrix traffic traverses via New York Secure Gateway, instead of going directly from London to Beijing?


      • Carl Webster Says:

        XenApp has issues if you only have read-only domain controllers in the remote sites.

        http://support.citrix.com/article/CTX133873

        CSG and Web Interface are only used for the authentication and presenting your icons. Once you launch a published resource, CSG & WI are no longer in play.

        Once you start running a published resource, you could power off the WI server and the user will not be impacted (for that published resource).
        Of course, they wouldn’t be able to launch another published resource but this is just an example for you.

        Thanks

        Webster


    9. madhu Says:

      Hi Carl,

      Applications are fine while using PNAgent but not from Web Interface. What is the reason, and how do I find where I went wrong?

      Regards,
      Madhu.


      • Carl Webster Says:

        EVERYONE who reports this issue to me ALWAYS makes the same mistake. At Figure 80, don’t forget to put the correct XML port in the URL.

        Thanks

        Webster


    10. martin_ffm Says:

      Thanks a lot, Carl, it works superbly!


    11. vijaya reddy Says:

      Very good article. Because of this you have #rank 1 in Experts-Exchange


    12. Dennis Says:

      Is it possible to publish 2 WIs on the same computer that use different authentication methods? One with plain user/password and one with RSA tokens?

