Citrix App Layering

It has been a short time since I wrote the Unidesk 3.x blog posts and a lot has changed with Unidesk in version 4. Firstly, the company itself has been bought by Citrix, which was announced at Summit in January 2017. The product is now called Citrix App Layering. At a software level, the main Unidesk infrastructure components have been simplified from 2.x and 3.x by merging them all in to one component. The deployment model has also been made easier, making Unidesk the layer composer and Provisioning Services or Machine Creation Services the deployer to the masses.

Recap on Unidesk 3.x:

http://www.jgspiers.com/installing-configuring-unidesk-3-4-hyperv/

http://www.jgspiers.com/unidesk-os-layer-creation-process/

http://www.jgspiers.com/creating-unidesk-desktops/

http://www.jgspiers.com/updating-unidesk-os-layer/

http://www.jgspiers.com/creating-unidesk-application-layers/

http://www.jgspiers.com/unidesk-maintenance-schedules/

http://www.jgspiers.com/unidesk-high-availability/

Back to Unidesk/Citrix App Layering 4.x.

♣ Unidesk Introduction
♣ What’s new and known issues – Unidesk 4.0.8
♣ What’s new and known issues – Citrix App Layering 4.1
♣ What’s new and known issues – Citrix App Layering 4.2
♣ What’s new and known issues – Citrix App Layering 4.3
♣ What’s new and known issues – Citrix App Layering 4.4
♣ What’s new and known issues – Citrix App Layering 4.5
♣ Additional known issues
♣ ELM Hypervisor Support
♣ File Share Support
♣ OS Support for OS Layers
♣ UMC Browser Support
♣ Storage Requirements
♣ Firewall Rules
♣ Unidesk Layers Explained
♣ Image Templates and Connectors Explained
♣ Installing Unidesk ELM
♣ ELM CLI Configuration
♣ Upload License
♣ Change GUI Password
♣ Integrate ULM with Active Directory
♣ Assign User Roles
♣ Configure HTTPS to UMC
♣ Create ELM Share and set permissions for User Layers folder
♣ Expand ELM Layering Service Storage
♣ Install Unidesk Agent on PVS
♣ Upgrade ELM Appliance – Citrix App Layering
♣ Manage ELM from Citrix Cloud

The Unidesk (now Citrix App Layering) software this post focuses on is version 4.0.8 which was released December 28th 2016. The current version is 4.2. The version 4 release of Unidesk has won Best of Citrix Synergy and Best of VMworld in the past year to no surprise as it is an excellent desktop and application image management platform and a great move by Citrix to bring it under their portfolio of products.

Citrix App Layering is available along with Elastic Layers for all versions of XenApp and XenDesktop so long as you have Customer Success Services (previously Software Maintenance). If you provision to more than one system i.e. PVS/MCS or vSphere/XenServer, you need a XenApp or XenDesktop Platinum license on top of Customer Success Services. When User Layers are released to production, that will also be a Platinum feature.

The XenApp and XenDesktop service from Citrix Cloud entitles you to all features of Citrix App Layering.

The Unidesk/Citrix App Layering software will replace Citrix AppDisks, as App Layering offers a lot more in terms of layering applications together to create a desktop. Unidesk 4.x also sees the release of a new feature currently called “Elastic Layering” that layers applications on to a VDI desktop or Session Host on-demand as a user logs on. This means applications that only a small number of users need can be dynamically layered, rather than creating specific desktops or Session Hosts for these users or layering the application to more users than needed. What’s even better is that once a layer has been elastically added to a machine, it doesn’t need to be added again. So if a XenApp RDSH host is used and User A logs on, they may receive Firefox elastically. When User B, who has the same Elastic Layer, logs on, Firefox is already available so does not need to be layered again. If User A and B both log off, the Elastic Layer is kept on the VDA until that VDA is restarted. This allows any user, including User A or B, to log back on to the VDA without the layer having to be re-attached. The support of XenApp and Session Hosts also means that some businesses may be able to reduce their persistent desktop farms, saving on the extra compute needed to power persistent desktops. Many times a persistent desktop is required because users need a different set of applications and customisations than the rest of us. Now with Unidesk Elastic Layering and Citrix Workspace Environment Management, XenApp shared desktops have more room to grow in the datacentre because of the way we can configure sessions to be more unique than ever before based on the user logging on.

This version of Unidesk is also hypervisor agnostic, allowing you to run Unidesk and deploy layers across different hypervisors at the same time without redeploying components or the layers. This is a package once and deploy to many approach with support for Nutanix and XenServer, Hyper-V, vSphere and more.

This guide will cover installing Unidesk 4.0.8 on Hyper-V. For a guide on VMware deployment of the ELM appliance, see Carl Stalhood’s Unidesk Enterprise Layer Manager post.

What’s new in Unidesk 4.0.8:


What’s new:

  • Full support for Nutanix Acropolis HV including MCS connector.
  • Windows Server 2016 support.
  • Ability to configure vSphere connector to cache boot and packaging disks and reuse them. Once these disks have been cached due to creating your first App Layer, subsequent App Layer creation times are cut in half.
  • Imprivata OneSign single sign-on support.
  • Unidesk Roles and the ability to assign Unidesk Roles to AD Groups. http://www.jgspiers.com/installing-configuring-unidesk-4/#User-Roles
  • Elastic Fit. The ability to check if a layer can be deployed elastically. This is based on factors such as if the application has drivers. It is up to you to fully test if it works elastically or not.
  • User Layers (Labs) support for Windows 7 x64.

Known issues:

  • Issues with Windows Search when using User Layer.
  • A “The installer has insufficient privileges to modify this file” error appears the first time Skype for Business that is delivered elastically is launched.
  • If using Elastic Layering with Windows 7 or Windows Server 2008, create a file share with a sector size of 512.
  • Persona Management for Horizon View is not supported elastically.
  • Shortcuts to Microsoft Office applications deployed elastically may be visible in the Start Menu for users who are not assigned the layer. The applications won’t work for those users.
  • When adding a version for upgrading your Windows 10 OS Layer, set the disk layer size as 60GB.
  • PVS does not support periods in the filename of a vDisk, even though the ELM Appliance allows periods in Image Template names.
  • When using Elastic Layering in Hyper-V, you must use unmanaged RDS pools.
  • Elastic Layers are only supported on floating desktop pools in Horizon View.
  • Publishing layered images to the same Azure resource group simultaneously fails.
  • During a major upgrade in Windows 10, sometimes Windows 10 creates a Recovery Volume as a new partition on the same disk as the OS Layer. You must remove this volume before finalising the layer.

 

What’s new in Citrix App Layering 4.1:


What’s new:

  • Ability to manage the ELM via Citrix Cloud.
  • Ability to configure XenServer and Nutanix connectors to cache boot and packaging disks and reuse them. Once these disks have been cached due to creating your first App Layer, subsequent App Layer creation times are cut in half.
  • You can now import the gold OS Image directly to ELM during OS Layer creation when using vSphere or XenServer connectors.
  • User Layers can be stored in multiple file shares of your choice using the Storage Locations tab within ELM.
  • You can now search for Platform Layers that were created using a particular OS Layer.
  • Default passwords for ELM administrator accounts must be changed from the defaults.

Known issues:

  • Issues with Windows Search when using User Layer.
  • A “The installer has insufficient privileges to modify this file” error appears the first time Skype for Business that is delivered elastically is launched.
  • If using Elastic Layering with Windows 7 or Windows Server 2008, create a file share with a sector size of 512.
  • Persona Management for Horizon View is not supported elastically.
  • Shortcuts to Microsoft Office applications deployed elastically may be visible in the Start Menu for users who are not assigned the layer. The applications won’t work for those users.
  • When adding a version for upgrading your Windows 10 OS Layer, set the disk layer size as 60GB.
  • PVS does not support periods in the filename of a vDisk, even though the ELM Appliance allows periods in Image Template names.
  • When using Elastic Layering in Hyper-V, you must use unmanaged RDS pools.
  • Elastic Layers are only supported on floating desktop pools in Horizon View.
  • Publishing layered images to the same Azure resource group simultaneously fails.
  • During a major upgrade in Windows 10, sometimes Windows 10 creates a Recovery Volume as a new partition on the same disk as the OS Layer. You must remove this volume before finalising the layer.

 

What’s new and known issues in Citrix App Layering 4.2:


What’s new:

  • User Layers (Labs) support for Windows 10 x64.
  • Notification to user if User Layer is unavailable (optional and error message is customisable).
  • Removal of support for NFS shares.
  • Automatic updates are now disabled when adding new versions to the OS Layer.

Known issues:

  • Issues with Windows Search when using User Layer.
  • Windows 10 Store Apps turned off by default.
  • Changes to Windows Indexing Options do not persist when User Layers are enabled on both Windows 7 and Windows 10.
  • A “The installer has insufficient privileges to modify this file” error appears the first time Skype for Business that is delivered elastically is launched.
  • If using Elastic Layering with Windows 7 or Windows Server 2008, create a file share with a sector size of 512.
  • Persona Management for Horizon View is not supported elastically.
  • Shortcuts to Microsoft Office applications deployed elastically may be visible in the Start Menu for users who are not assigned the layer. The applications won’t work for those users.
  • When adding a version for upgrading your Windows 10 OS Layer, set the disk layer size as 60GB.
  • PVS does not support periods in the filename of a vDisk, even though the ELM Appliance allows periods in Image Template names.
  • When using Elastic Layering in Hyper-V, you must use unmanaged RDS pools.
  • Elastic Layers are only supported on floating desktop pools in Horizon View.
  • Publishing layered images to the same Azure resource group simultaneously fails.

What’s new and known issues in Citrix App Layering 4.3:


What’s new:

  • Ability to export all layers and import layers to other ELM appliances. For example, from a Proof of Concept/Testing ELM appliance to a Production appliance. Both appliances must run at least version 4.3. This feature is currently in labs.
  • Appliance security improvements based upon Apache HTTP Server 2.4 benchmark.

Known issues:

  • Issues with Windows Search when using User Layer.
  • Windows 10 Store Apps turned off by default.
  • Changes to Windows Indexing Options do not persist when User Layers are enabled on both Windows 7 and Windows 10.
  • A “The installer has insufficient privileges to modify this file” error appears the first time Skype for Business that is delivered elastically is launched.
  • If using Elastic Layering with Windows 7 or Windows Server 2008, create a file share with a sector size of 512.
  • Persona Management for Horizon View is not supported elastically.
  • Shortcuts to Microsoft Office applications deployed elastically may be visible in the Start Menu for users who are not assigned the layer. The applications won’t work for those users.
  • When adding a version for upgrading your Windows 10 OS Layer, set the disk layer size as 60GB.
  • PVS does not support periods in the filename of a vDisk, even though the ELM Appliance allows periods in Image Template names.
  • When using Elastic Layering in Hyper-V, you must use unmanaged RDS pools.
  • Elastic Layers are only supported on floating desktop pools in Horizon View.
  • Publishing layered images to the same Azure resource group simultaneously fails.

What’s new and known issues in Citrix App Layering 4.4:

What’s new:

  • Support for running the ELM Appliance on Windows Server 2016 Datacenter Edition.
  • Connector caches (if enabled) are cleared after an ELM upgrade. This prevents old boot disk and drivers being used on newly deployed images.
  • Registry caching improvements have been introduced for particular applications such as EPIC. This results in a variety of performance improvements in the environment.
  • When exporting or importing layers you can specifically select the Network File Share for export/import rather than being restricted to using the default SMB Network File Share. This feature is currently in labs.

Known issues:

  • Known issues with import/export:
    • Newly imported layers do not retain their Elastic Fit status. As a workaround, re-run Elastic Fit on the layer.
  • Known Issues with User Layers:
    • Issues with Windows Search when using User Layers.
    • When using User Layers, make sure Microsoft Office is in the layered image and not Elastically Layered.
    • When using Windows 10 and User Layers, you can turn off Store Apps on Windows 10 Enterprise but not Professional edition. If you want to completely disable Windows 10 Store Apps, create a new OS Layer version and run RemoveStoreApps.cmd as an administrator from C:\Windows\Setup\Scripts\. Users will have access to Cortana and Edge only.
    • When upgrading the OS Layer to a new major version of Windows 10, for example version 1511 to 1607, existing users may experience Store Tile reconstruction on their initial logon following the upgrade. During this period, which is generally less than one hour, users may notice that they lack their proper icons or icons do not respond. These issues will resolve themselves once reconstruction is complete.
    • User Layers will not be compatible if you roll back Windows 10 from version 1607 to 1511 for example.
    • Changes to Windows Indexing Options do not persist when User Layers are enabled on both Windows 7 and Windows 10.
  • Known Issues across all platforms:
    • You may be asked to reset the App Layering administrative passwords when upgrading from App Layering 4.0.8 to 4.1 and above. This is a one-time task.
    • When accessing the App Layering management console via Internet Explorer running on Server OS, fonts for the console may not load correctly. As a workaround, add the ELM management console URL to the Trusted Sites zone.
    • When adding an OS Layer version, use the same Hypervisor that was originally used to create the OS Layer.
    • When logging in to a Packaging Machine, you must use the built-in administrator account or else RunOnce scripts will not be executed and the layer will be unable to finalise.
  • Known Issues with Elastic Layers:
    • A “The installer has insufficient privileges to modify this file” error appears the first time Skype for Business that is delivered elastically is launched.
    • If using Elastic Layering with Windows 7 or Windows Server 2008, create a file share with a sector size of 512.
    • Persona Management for Horizon View is not supported elastically.
    • Shortcuts to Microsoft Office applications deployed elastically may be visible in the Start Menu for users who are not assigned the layer. The applications won’t work for those users.
  • Known Issues with Windows 10:
    • When adding a version for upgrading your Windows 10 OS Layer, set the disk layer size as 60GB.
    • When upgrading Windows 10 for example from 1511 to 1607, sometimes a Recovery Volume is created by Windows 10. This volume must be removed before you finalise the OS Layer to avoid boot failures.
  • Known Issues with PVS:
    • PVS does not support periods in the filename of a vDisk, even though the ELM Appliance allows periods in Image Template names.
    • When using PVS, disable IPv6 in the OS Layer.
  • Known Issues with Hyper-V:
    • When using Elastic Layering in Hyper-V, you must use unmanaged RDS pools.
  • Known Issues with VMware Horizon View:
    • Elastic Layers are only supported on floating desktop pools in Horizon View.
  • Known Issues with Azure:
    • Publishing layered images to the same Azure resource group simultaneously fails.
    • The Azure File Share feature is not supported.
    • Using a FQDN in Azure can fail if not entered in the format Azure expects.
  • Known Issues with Imprivata:
    • Imprivata Application Layers must be created with the appropriate broker Platform Layer as a prerequisite.

What’s new and known issues in Citrix App Layering 4.5:

What’s new:

  • You can now specifically select layers to export or import. (Labs Feature)
  • Elastic Fit now analyses layers that have been imported into the appliance.
  • Child Domains are supported.

Known issues:

  • Known Issues with User Layers:
    • When using Windows 10 and User Layers, you can turn off Store Apps on Windows 10 Enterprise but not Professional edition. If you want to completely disable Windows 10 Store Apps, create a new OS Layer version and run RemoveStoreApps.cmd as an administrator from C:\Windows\Setup\Scripts\. Users will have access to Cortana and Edge only.
    • When upgrading the OS Layer to a new major version of Windows 10, for example version 1511 to 1607, existing users may experience Store Tile reconstruction on their initial logon following the upgrade. During this period, which is generally less than one hour, users may notice that they lack their proper icons or icons do not respond. These issues will resolve themselves once reconstruction is complete.
    • User Layers will not be compatible if you roll back Windows 10 from version 1607 to 1511 for example.
    • Changes to Windows Indexing Options do not persist when User Layers are enabled on both Windows 7 and Windows 10.
  • Known Issues across all platforms:
    • You may be asked to reset the App Layering administrative passwords when upgrading from App Layering 4.0.8 to 4.1 and above. This is a one-time task.
    • When accessing the App Layering management console via Internet Explorer running on Server OS, fonts for the console may not load correctly. As a workaround, add the ELM management console URL to the Trusted Sites zone.
    • When adding an OS Layer version, use the same Hypervisor that was originally used to create the OS Layer.
    • When logging in to a Packaging Machine, you must use the built-in administrator account or else RunOnce scripts will not be executed and the layer will be unable to finalise.
  • Known Issues with Elastic Layers:
    • A “The installer has insufficient privileges to modify this file” error appears the first time Skype for Business that is delivered elastically is launched.
    • If using Elastic Layering with Windows 7 or Windows Server 2008, create a file share with a sector size of 512.
    • Persona Management for Horizon View is not supported elastically.
  • Known Issues with Windows 10:
    • When adding a version for upgrading your Windows 10 OS Layer, set the disk layer size as 60GB.
    • When upgrading Windows 10 for example from 1511 to 1607, sometimes a Recovery Volume is created by Windows 10. This volume must be removed before you finalise the OS Layer to avoid boot failures.
  • Known Issues with PVS:
    • PVS does not support periods in the filename of a vDisk, even though the ELM Appliance allows periods in Image Template names.
    • When using PVS, disable IPv6 in the OS Layer.
  • Known Issues with Hyper-V:
    • When using Elastic Layering in Hyper-V, you must use unmanaged RDS pools.
  • Known Issues with VMware Horizon View:
    • Elastic Layers are only supported on floating desktop pools in Horizon View.
  • Known Issues with Azure:
    • The Azure File Share feature is not supported.
    • Using a FQDN in Azure can fail if not entered in the format Azure expects.

Additional known issues:

  • When using App-V 5.x with Unidesk 4.0.8, VDAs may blue screen.
    • Upgrade to Citrix App Layering 4.1 or 4.4+.
      • If upgrading 4.0.8 to 4.4, you have to upgrade to 4.3 first as a hop.
  • When using App-V 5.x with App Layering 4.2 or 4.3, various issues exist including publishing errors.
    • Citrix released a private build (4.3.0.44) which could be obtained by contacting Citrix Support. The fix was then later built in to version 4.4.
  • When using PVS and Citrix Workspace Environment Management a conflict in layer priority deletes the Netlogon service dependency on the Norskale Agent Host Service.
  • If installing Citrix Receiver including Single Sign-On into an Application Layer, the Citrix Single Sign-on Network Provider will be lost after publishing the image. This is because the Platform Layer (which contains the VDA software) also writes to the Network Provider’s underlying registry REG_SZ key. For a workaround, manually edit the ProviderOrder REG_SZ key within the Platform Layer and insert a value of PnSson.
  • When using App Layering Elastic Layers, App-V, and Citrix Profile Management which is configured to delete profiles from the VDA after user logoff, the profiles are never fully deleted.
    • Upgrade to App Layering 4.5.


App Layering 4.x ELM hypervisor support:

  • Azure ARM.
  • Citrix XenServer 6.5, 7.0, 7.1, 7.2.
  • Windows Server 2008 R2, 2012 R2 and 2016.
  • vSphere vCenter 5.5.x, 6.0.x and 6.5.x.
  • Nutanix AHV.


Network File Share supported protocols:

  • SMB (Server Message Block) – Elastic Layers only supported on SMB file shares.
  • NFS (Network File System) – Elastic Layers not supported on NFS file shares.
    • Update: NFS is no longer supported at all starting Citrix App Layering 4.2. You can continue using existing NFS shares but they are not editable. It is recommended to switch to SMB going forward.

Note: A 10GB network connection between the ELM and file share is recommended.

Citrix App Layering 4.x can publish layers to:

  • Microsoft Azure.
    • Note: Citrix recommend a 10GB connection to the Azure publishing location.
  • Citrix MCS on XenServer, Nutanix (new in 4.0.8) and vSphere.
  • Citrix Provisioning Services 7.1+ up to 7.14.
    • Note: Citrix recommend a 10GB connection between ELM and the PVS store.
  • Citrix XenApp 6.5 and XenApp/XenDesktop 7.0 to 7.14.
  • VMware Horizon View 6.x & 7.x.
    • Note: View Persona Management is not supported with Elastic Layering.


Unidesk 4.x supports the following OS for OS Layer images:

  • Windows Server 2008 R2, Server 2012 R2 & Server 2016 (new in 4.0.8) Standard and Datacenter editions.
  • Windows 7 32 & 64bit.
  • Windows 10 64bit.

Unidesk Enterprise Layer Manager browser support:

  • Internet Explorer 11.
  • Firefox version 45-52. Firefox dropped NPAPI support starting Firefox 52 so you will have issues using UDMC with Firefox. There is a workaround, but recent versions disable this workaround.
  • Chrome does not work because NPAPI plugins are not supported.

Note: Browsers must have Silverlight 4 installed.

Note: Citrix Cloud allows connecting to your ELM running version 4.1+ through the Citrix Cloud Connector. The connection is made through a Citrix Cloud hosted browser and traffic is routed through the Cloud Connector installed within your Resource Location.

Storage requirements:

  • Network file share running SMB for Elastic Layering. This share is attached to the ELM appliance. Recommended 40-100GB. The size is dependent on how many Elastic Layers you create. This share is also used to convert VHDX disks into OS Layers and I also use it to create Platform Layers.
  • Local storage attached to the ELM appliance used for temporary files and finalized layers. Recommended 300-500GB. The size is dependent on how many layers you create. The size can be expanded, which I show later.

Firewall port requirements:

| Source | Destination | Purpose | Protocol & Port |
| --- | --- | --- | --- |
| UMC User/Administrator | ELM/UMC Console | Log on to and use UMC Console | TCP 80 or 443 |
| ELM | ELM | ActiveMQ Console | TCP 8161 |
| | ELM | Log deliveries from Unidesk Agent | TCP 8787 |
| | ELM | Log deliveries from users | TCP 8888 |
| | Unidesk Agent | Communication | TCP 8016 |
| | Unidesk Agent | Log gathering | TCP 14243 |
| | Active Directory | LDAP | TCP 389 or 636 |
| | Connector for Azure | Communication | TCP 3000 (HTTP) 3500 (HTTPS) |
| | Connector for PVS | Communication | TCP 3009 (HTTP) 3509 (HTTPS) |
| | Connector for vSphere | Communication | TCP 3004 (HTTP) 3504 (HTTPS) |
| | Connector for XenServer | Communication | TCP 3022 (HTTP) 3502 (HTTPS) |
| ELM | api.unidesk.com | Logs and Phone Home data | TCP 443 |
| OS Image | XenServer | XenCenter Communications | 5900 |
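
The following is an added example, not code from the original post or from Citrix. It checks a planned set of allow rules against the firewall table above, flagging rules that use the unencrypted port where the table also lists an HTTPS/LDAPS port, and rules for ports the table does not call for. The function name `Test-ElmFirewallPlan`, the variable names and the sample plan are hypothetical and constructed for illustration.

```powershell
# Rows of the firewall table above (destination, purpose, ports).
# Ports     = every port the row lists.
# Encrypted = the HTTPS/LDAPS port when the row offers a choice, otherwise $null.
$ElmFlows = @(
    [pscustomobject]@{ Destination = 'ELM/UMC Console';         Purpose = 'UMC Console logon';        Ports = 80, 443;    Encrypted = 443  }
    [pscustomobject]@{ Destination = 'ELM';                     Purpose = 'ActiveMQ Console';         Ports = @(8161);    Encrypted = $null }
    [pscustomobject]@{ Destination = 'ELM';                     Purpose = 'Log deliveries from agent'; Ports = @(8787);   Encrypted = $null }
    [pscustomobject]@{ Destination = 'ELM';                     Purpose = 'Log deliveries from users'; Ports = @(8888);   Encrypted = $null }
    [pscustomobject]@{ Destination = 'Unidesk Agent';           Purpose = 'Communication';            Ports = @(8016);    Encrypted = $null }
    [pscustomobject]@{ Destination = 'Unidesk Agent';           Purpose = 'Log gathering';            Ports = @(14243);   Encrypted = $null }
    [pscustomobject]@{ Destination = 'Active Directory';        Purpose = 'LDAP';                     Ports = 389, 636;   Encrypted = 636  }
    [pscustomobject]@{ Destination = 'Connector for Azure';     Purpose = 'Communication';            Ports = 3000, 3500; Encrypted = 3500 }
    [pscustomobject]@{ Destination = 'Connector for PVS';       Purpose = 'Communication';            Ports = 3009, 3509; Encrypted = 3509 }
    [pscustomobject]@{ Destination = 'Connector for vSphere';   Purpose = 'Communication';            Ports = 3004, 3504; Encrypted = 3504 }
    [pscustomobject]@{ Destination = 'Connector for XenServer'; Purpose = 'Communication';            Ports = 3022, 3502; Encrypted = 3502 }
    [pscustomobject]@{ Destination = 'api.unidesk.com';         Purpose = 'Logs and Phone Home data'; Ports = @(443);     Encrypted = $null }
    [pscustomobject]@{ Destination = 'XenServer';               Purpose = 'XenCenter Communications'; Ports = @(5900);    Encrypted = $null }
)

function Test-ElmFirewallPlan {
    param(
        # Planned allow rules: objects with Destination and Port properties.
        [Parameter(Mandatory)] [object[]] $Rule,
        # Reference rows; defaults to the table transcribed above.
        [object[]] $Flow = $ElmFlows
    )

    foreach ($r in $Rule) {
        # Find the table row (if any) that calls for this destination/port pair.
        $row = $Flow | Where-Object {
            $_.Destination -eq $r.Destination -and $_.Ports -contains $r.Port
        }

        if (-not $row) {
            # The plan opens something the table never asks for.
            [pscustomobject]@{
                Finding     = 'NotInTable'
                Destination = $r.Destination
                Port        = $r.Port
                Note        = 'No table row calls for this port'
            }
        }
        elseif ($row.Encrypted -and $r.Port -ne $row.Encrypted) {
            # The row offers an encrypted port but the plan uses the plain one.
            [pscustomobject]@{
                Finding     = 'Plaintext'
                Destination = $r.Destination
                Port        = $r.Port
                Note        = "Table also lists TCP $($row.Encrypted); prefer it"
            }
        }
    }
}

# Constructed sample plan (not taken from a real environment).
$plan = @(
    [pscustomobject]@{ Destination = 'ELM/UMC Console';   Port = 80   }
    [pscustomobject]@{ Destination = 'Active Directory';  Port = 636  }
    [pscustomobject]@{ Destination = 'Connector for PVS'; Port = 3009 }
    [pscustomobject]@{ Destination = 'Unidesk Agent';     Port = 8016 }
    [pscustomobject]@{ Destination = 'ELM';               Port = 8080 }
)

Test-ElmFirewallPlan -Rule $plan | Format-Table -AutoSize
```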

The layers that make up a complete image:

  • OS Layer – Contains the base OS image i.e. Windows 7, Windows 10, Windows Server 2012 R2, Windows Server 2016. The OS layer is read-only and shared between many different virtual machines. The OS Layer generally only contains the Operating System and any Windows patches whilst all applications are stored in separate Application Layers. Even applications with drivers and system services etc. are supported by Unidesk as Application Layers.
  • Platform Layer (NEW) – This new type of layer is what really makes Unidesk OS Layers hypervisor agnostic. You can build one OS Layer and deploy it to Hyper-V, vSphere and XenServer at the same time for example. This means the management of one single image across multiple hypervisors. This is achievable all by using Platform Layers. The Platform Layer holds the hypervisor tools, PVS tools and the VDA software. You could have a Platform Layer containing Hyper-V integration tools and a second Platform Layer containing VMware Tools. It doesn’t matter to the OS Layer, as using a Platform Layer dictates which environment an OS Layer will run under. There are also two types of Platform Layers:
    • Platform Layer for packaging layers and versions – If you are packaging layers on a Hypervisor different from the one used during the OS Layer creation, the Platform Layer is used to ensure that any hypervisor-dependent software is available to you during the Application Layer creation process. This Platform Layer is only used during layer creation across different hypervisors and does not restrict the ability for the layer to be published across different hypervisors in production.
    • Platform Layer for publishing layered images – The publishing Platform Layer is always required when you publish layered images. The Platform Layer consists of the hypervisor tools and virtualization tools needed to run under a specific environment. If we want to deploy XenDesktop machines running on Hyper-V with PVS and XenDesktop, we would create a Platform Layer containing the PVS Target Device software, XenDesktop VDA and Hyper-V integration services tools.
  • Application Layer – Contains applications such as Adobe Reader, Office, Firefox etc. which is layered on top of the OS layer to achieve a complete desktop build. An Application Layer is basically made up of the file and registry entries created on a machine when an application is installed. Application layers are also read-only and shared between many different virtual machines. Apps can be bundled together or kept in separate layers depending on the requirements. An Application Layer is tied to an OS Layer, so you can’t use the same layer on a Windows 7 and Windows 10 OS Layer for example.
  • User Layer – The User Layer is a replacement for the Personalization Layer that was found in Unidesk 2.x and 3.x products. User Layers were introduced in App Layering for Windows 7 x64 originally and then on Windows 10 x64 once App Layering 4.2 was released. This layer is currently in Labs. The User Layer is the only read/write layer in an App Layering stack. Once a user logs on to a Desktop OS, the user’s layer is created and any changes they make to the VM during that time are captured in the User Layer. Once a user logs off a XenDesktop VDA, the User Layer is detached from the VM and will follow that user to the next desktop they log on to.

Other Unidesk components:

  • Connectors – Platform Connectors provide the connection to MCS or PVS, allowing you to publish layers out to your desired target platforms. Connectors can also connect to Azure etc.
  • Image Templates – An Image Template consists of an OS Layer, Platform Layer and any number of Application Layers. These templates allow you to publish layered images out to your desired destination platform such as PVS running on Hyper-V.

Installing Unidesk Enterprise Layer Manager:

Before we begin, Enterprise Layer Manager is the replacement of the Unidesk Management Appliance if you were familiar with earlier versions. The Unidesk Management Console built inside of ELM is simplified, so for those that used the Unidesk Management Console before you’ll notice it is easier to navigate and understand this iteration. Master and Secondary Cachepoints are also gone, handing that job over to MCS & PVS. With a single appliance, it is now easier than ever to configure Unidesk and backup and restore not just the Unidesk appliance but the layers that make up your VDA virtual desktops. Everything in 4.x is simplified and easier for the administrator.

The ULM install media can be downloaded direct from Unidesk’s website. This install shows ELM installed on Hyper-V Windows Server 2012 R2.

Once you’ve downloaded the media, extract the unidesk_install_hyperv_pkg_4.0.8 folder.

Using the Hyper-V manager or SCVMM, right-click your Hyper-V server and select New -> Virtual Machine. Select Next. Enter a name and location for the ELM virtual machine and click Next.

Specify the machine as Generation 1. Currently Generation 2 is not supported to run ELM.

Specify 8GB RAM, a recommendation from Unidesk. Make sure Use Dynamic Memory for this virtual machine is left unticked.

Specify a virtual switch and click Next.

Select Use an existing virtual hard disk and browse for the unidesk_hyperv_system.vhdx VHDX file that comes with the Unidesk install media. This is your ELM operating system which is based on CentOS. You should have already moved this OS disk to shared/highly available production storage that your production cluster Hyper-V servers use. Click Next. Click Finish.

Now that the virtual machine is created, right-click it and select Settings. Change the virtual processors to 4, a Unidesk recommendation.

Click on IDE Controller 0 -> Hard Drive -> Add. Click Browse. Select the unidesk_hyperv-repository virtual hard disk. This disk is where temporary files and finalized layers reside.

Remove the virtual DVD Drive by selecting it and choosing Remove. Click OK.

Now power on the ELM VM. Once the ELM has started we need to perform some initial configuration. Log on to the console using default credentials administrator/Unidesk1. You can also shell on to the appliance using PuTTY.
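
The same virtual machine build can be scripted with the Hyper-V PowerShell module. This is an added example, not part of the original post or of the Unidesk install package. The function name `New-ElmApplianceVM`, its parameters and the paths in the usage comment are hypothetical placeholders, and it assumes it is run elevated on the Hyper-V host.

```powershell
#Requires -Modules Hyper-V

function New-ElmApplianceVM {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $SwitchName,
        # System disk from the install package (unidesk_hyperv_system.vhdx),
        # already copied to the production storage location.
        [Parameter(Mandatory)] [string] $SystemDiskPath,
        # Repository disk from the install package (temporary files and finalized layers).
        [Parameter(Mandatory)] [string] $RepositoryDiskPath,
        # Optional folder for the VM configuration files.
        [string] $VMPath
    )

    # Fail early rather than leaving a half-built VM behind.
    foreach ($disk in $SystemDiskPath, $RepositoryDiskPath) {
        if (-not (Test-Path -LiteralPath $disk -PathType Leaf)) {
            throw "Virtual hard disk not found: $disk"
        }
    }
    if (Get-VM -Name $Name -ErrorAction SilentlyContinue) {
        throw "A virtual machine named '$Name' already exists."
    }
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        throw "Virtual switch not found: $SwitchName"
    }

    # Generation 1 with 8GB RAM and the existing system disk, as in the steps above.
    $newVm = @{
        Name               = $Name
        Generation         = 1
        MemoryStartupBytes = 8GB
        VHDPath            = $SystemDiskPath
        SwitchName         = $SwitchName
    }
    if ($VMPath) { $newVm.Path = $VMPath }
    $vm = New-VM @newVm

    # Dynamic Memory off, 4 virtual processors.
    Set-VMMemory -VM $vm -DynamicMemoryEnabled $false
    Set-VMProcessor -VM $vm -Count 4

    # Repository disk goes on IDE Controller 0 next to the system disk.
    Add-VMHardDiskDrive -VM $vm -ControllerType IDE -ControllerNumber 0 -Path $RepositoryDiskPath

    # Remove the virtual DVD drive that a Generation 1 VM gets by default.
    Get-VMDvdDrive -VM $vm | Remove-VMDvdDrive

    Start-VM -VM $vm

    # Return the settings that matter so they can be checked against the guide.
    # The appliance boots with the default administrator/Unidesk1 credentials;
    # change them during the console configuration that follows.
    Get-VM -Name $Name |
        Select-Object Name, Generation, ProcessorCount, MemoryStartup, DynamicMemoryEnabled, State
}

# Usage (all values are placeholders):
# New-ElmApplianceVM -Name 'ELM01' -SwitchName 'External' `
#     -SystemDiskPath 'C:\ClusterStorage\Volume1\ELM01\unidesk_hyperv_system.vhdx' `
#     -RepositoryDiskPath '<path to the unidesk_hyperv-repository disk>'
```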

Type C and press enter. This allows us to configure a network address.

Select S for a static IP setup.

Enter the IP address, gateway and DNS addresses that the ELM VM should be configured with.

Press Y to save the settings and restart networking.

Network services are restarting.

To change the CLI default username/password, enter P and press enter.

Specify a new password. This is for the CLI administrator account. It is not for the UMC GUI administrator account whose password can be changed via GUI later.

To change the timezone, choose T followed by pressing enter to see a list of available timezones.

You can search for your timezone if preferred. Once you see your timezone, simply enter the associated number and press enter.

Press enter again.

To change NTP servers, select N. You can specify up to a maximum of 6 NTP servers. By default, 4 NTP servers from centos.pool.ntp.org are already configured.

At this stage the basic configuration is complete and you can log on to the Unidesk Management Console.

Using the IP you specified for the ELM appliance, connect to the GUI. Your browser will need to support/have Silverlight 4. Enter the default credentials of administrator/Unidesk1.

Note: Unlike previous versions, you do not need to append /udmc to the end of the URL as it is now automatically inserted. Attention to detail!

Accept the Terms and Conditions.

At this stage you are prompted for a license key. You can upload one now or later.

You can upload a license file or automatically provision the license file using Unidesk credentials that have a license associated with them. Enter credentials and press the down arrow.

All being well, a license should be retrieved. Click Finish.

Click Close.

To change the default GUI administrator password using the UMC, click on Users. Select Administrator and click Edit Properties.

Enter a password, then click the down arrow.

You can add some additional information such as phone, email address etc.

Roles cannot be assigned since this is the built-in administrator account.

Click Update User to update the administrator account with a new password.

Unidesk must be connected to your Active Directory domain in order to assign roles and desktops to users. To make the association, navigate to Users -> Directory Service -> Create Directory Junction.

Specify a name, server address and port. You can use port 389, or port 636 for secure LDAP. Under the server address enter your domain FQDN. This ensures Unidesk will use all available Domain Controllers in your domain and prevents a single point of failure. Click Test Connection.

The connection should succeed so long as the ELM appliance is allowed to contact Active Directory over 389 or 636.

Enter a service account to be used for Active Directory queries. Click Test Authentication and make sure you get a succeeded response.

Specify a search point Unidesk will use to discover users and groups. This search point should be the OU that contains users you want to receive Unidesk desktops. Avoid creating overlapping Directory Junctions. In this example I am using a high level users OU that contains all business user accounts. Click Test Base DN. The DN is valid so continue on.

User Attributes are automatically configured for Active Directory and should not be changed away from the default values unless you have a good reason. Click the down arrow to continue.

Click Create Directory Junction.

The Directory Junction now appears as below.

Now when you go to Users -> Directory you are shown the list of users and groups that are in Active Directory.

If you click on a user you can edit account properties by selecting Edit Properties.

Unidesk has a read-only connection to Active Directory so you cannot change any information from the UMC. You can however assign Unidesk roles to a user such as the Administrator role or more specific roles.

When a user is assigned a role or a desktop, the user icon turns green.

The user will also appear under the Users tab when configured with a desktop or role.

You can delete a user from Unidesk, which removes any desktops and roles. Note again that this does not affect Active Directory.

You can also edit groups, including associating machines with the group.

You can also specify roles at a group level.

When groups are configured with desktops or roles, they appear under the Groups tab.

As you may have noticed, we connected to the UMC over HTTP. It is also possible to connect over HTTPS; however, you will need to install a certificate matching whichever host name you decide to use, to ensure you don’t get any certificate prompts. To upload a certificate, which can be self-signed, navigate to System -> Settings and Configuration -> HTTP Certificate Settings -> Edit.

Click Upload.

Select the PEM certificate. The certificate must be in PEM format and the private key must not be password protected.

Click Save.

Click Yes.

The certificate install completes and the ELM appliance restarts.

Now we can connect to the console over HTTPS.
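A pre-upload check for the requirements above (PEM format, private key not password protected, certificate matching the host name), as an added example that is not part of the original post. It assumes the certificate and private key are in the same PEM file; `Test-ElmPem` is a hypothetical helper name and `elm.example.com` a placeholder host name.

```powershell
# Added example: check a PEM file against the UMC upload requirements before uploading it.
function Test-ElmPem {
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # PEM file you intend to upload
        [Parameter(Mandatory = $true)][string]$HostName   # name you will type in the browser
    )
    $problems = @()
    $text     = Get-Content -LiteralPath $Path -Raw
    $pattern  = '-----BEGIN (?<label>[A-Z0-9 ]+)-----(?<body>.*?)-----END \k<label>-----'
    $blocks   = @([regex]::Matches($text, $pattern, 'Singleline'))

    $certs = @($blocks | Where-Object { $_.Groups['label'].Value -eq 'CERTIFICATE' })
    $keys  = @($blocks | Where-Object { $_.Groups['label'].Value -like '*PRIVATE KEY' })
    if ($certs.Count -eq 0) { $problems += 'No CERTIFICATE block found: not a PEM certificate.' }
    if ($keys.Count  -eq 0) { $problems += 'No PRIVATE KEY block found in the file.' }

    foreach ($k in $keys) {
        # PKCS#8 encrypted keys have their own label; legacy OpenSSL keys carry a Proc-Type header.
        if ($k.Groups['label'].Value -eq 'ENCRYPTED PRIVATE KEY' -or
            $k.Groups['body'].Value -match 'Proc-Type:\s*4,ENCRYPTED') {
            $problems += 'Private key is password protected; remove the passphrase before upload.'
        }
    }

    if ($certs.Count -gt 0) {
        # Decode the first certificate block to DER and load it.
        $der  = [Convert]::FromBase64String(($certs[0].Groups['body'].Value -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)

        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
        }

        # GetNameInfo returns a single name: the first SAN DNS entry, or the subject CN if no SAN exists.
        $name = $cert.GetNameInfo('DnsName', $false)
        $wild = $name.StartsWith('*.') -and $HostName.Contains('.') -and
                ($HostName.Substring($HostName.IndexOf('.')) -eq $name.Substring(1))
        if ($HostName -ne $name -and -not $wild) {
            $problems += "Host name '$HostName' does not match '$name' (only the first DNS name is checked)."
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (placeholder values):
# Test-ElmPem -Path .\elm.pem -HostName elm.example.com | Format-List
```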

The next thing you need to do is create a share which will house your Elastic Layers and act as the staging area for new OS Layer creations. This share will typically be a DFS Namespace so that layers are replicated between file servers and kept highly available. It is recommended this share be on a 40-100GB disk. This is all dependent on how many Elastic Layers you will have. Create a service account and assign the account Full Control permissions to the share. All other users must have read permissions to the share.

Over in the UMC, navigate to System -> Settings and Configuration -> Network File Shares -> Edit. Enter the share location followed by the service account credentials. Click Test Network File Share followed by Save once the test is complete.

If you are using User Layers, lock down each User Layer folder with the following permissions:

| User | Permissions | Apply to |
| --- | --- | --- |
| Creator Owner | Modify | Subfolders and files only |
| Owner Rights | Modify | Subfolders and files only |
| Users or groups | Create Folder/Append Data, Traverse Folder/Execute File, List Folder/Read Data, Read Attributes | This folder only |
| System | Full Control | This folder, subfolders and files |
| Domain Admins or directory admins | Full Control | This folder, subfolders and files |
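One way to apply the permissions in the table above with PowerShell, as an added example that is not part of the original post. The folder path and the two account names are hypothetical placeholders, and replacing the folder's existing ACL wholesale (with inheritance disabled) is an assumption the page does not state.

```powershell
# Added example: apply the User Layer folder permissions from the table above.
# $Path, $LayerUsers and $Admins are hypothetical values; replace them with your own.
param(
    [string]$Path       = '\\fileserver\ELMShare\Users',
    [string]$LayerUsers = 'EXAMPLE\Layering-Users',
    [string]$Admins     = 'EXAMPLE\Domain Admins'
)

# The three "Apply to" scopes used in the table, as inheritance/propagation flag pairs.
$childrenOnly = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' } # Subfolders and files only
$folderOnly   = @{ Inherit = 'None';                            Propagate = 'None' }        # This folder only
$everything   = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }        # This folder, subfolders and files

function New-LayerRule($Identity, [string]$Rights, [hashtable]$Scope) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Scope.Inherit,
        [System.Security.AccessControl.PropagationFlags]$Scope.Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$sid = { param($s) New-Object System.Security.Principal.SecurityIdentifier $s }
$nt  = { param($n) New-Object System.Security.Principal.NTAccount $n }

$rules = @(
    (New-LayerRule (& $sid 'S-1-3-0')  'Modify' $childrenOnly)     # Creator Owner
    (New-LayerRule (& $sid 'S-1-3-4')  'Modify' $childrenOnly)     # Owner Rights
    (New-LayerRule (& $nt $LayerUsers) 'CreateDirectories, Traverse, ListDirectory, ReadAttributes' $folderOnly)
    (New-LayerRule (& $sid 'S-1-5-18') 'FullControl' $everything)  # System
    (New-LayerRule (& $nt $Admins)     'FullControl' $everything)  # Domain Admins or directory admins
)

$acl = Get-Acl -LiteralPath $Path
# Assumption, not stated on the page: stop inheriting from the parent and drop existing
# explicit entries so the folder ends up with exactly the five rules above.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old  in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
foreach ($rule in $rules)         { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Path -AclObject $acl

# Read the ACL back so the result can be compared with the table.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

In the read-back, the "Users or groups" entry should show no inheritance flags, which is what keeps a user from listing or opening another user's layer folder.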

There are also some other settings you can configure under Settings and Configuration such as UMC session timeouts and log settings.

You can expand the ELM Layering Service storage upwards from 300GB by simply adding another virtual disk to the ELM appliance. Once the virtual disk is added, use the UMC and browse to System -> Manage Appliance -> Expand Storage.

The appliance will scan for any unformatted virtual disks. Select the virtual disk you want to add to the storage pool and click the down arrow.

Click Expand Storage.

A new task is created which you can view the status of.

After a few seconds the storage expansion task should complete and the Layering Service disk space size will reflect the expansion. It is recommended to reboot the ELM appliance once the storage expansion is complete.

To register ELM with Citrix Provisioning Services we need to install the Unidesk Agent on each PVS server, or a master PVS server.

Note: The Unidesk Agent requires .NET Framework 4.5 to be installed and the PVS Console must be installed on all the PVS servers that you are installing the agent on.

Before installing the agent you must install the PVS PowerShell snap-in.

If using PVS 7.1 – 7.6 – Run command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe McliPSSnapIn.dll from directory C:\Program Files\Citrix\Provisioning Services Console\

If using PVS 7.7+ – Run command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Citrix.PVS.snapin.dll from directory C:\Program Files\Citrix\Provisioning Services Console\

If your PVS server runs Server 2008 R2 OS then also run PowerShell command Enable-PSRemoting.

Note: If you upgrade PVS, your PVS Connectors may not work until you run these commands again.

We can now install the agent. Run unidesk_agent_installer.exe as an administrator.

Click Next.

Accept the License Agreement. Click Next.

Click Next. An inbound firewall rule is created for this port. You can change the port if desired.

Click Install.

Now enter the FQDN of the ELM appliance and the Unidesk Administrator account credentials.

Click Finish.

At this stage you are ready to provision your first OS Layer and import it in to ELM. For that, see http://www.jgspiers.com/create-update-os-layer-unidesk-4/

Upgrade ELM Appliance – Citrix App Layering

To upgrade the appliance from Unidesk 4.0.8 to Citrix App Layering 4.x, download the Citrix App Layering 4 Upgrade Package currently available from the Unidesk website or Citrix Cloud.

Note: To upgrade 4.0.8 to 4.4, you must first upgrade to 4.3 and then upgrade to 4.4.

Since App Layering 4.2, the ELM appliance automatically checks for upgrades by sending a probe to api.unidesk.com. If an update is found, it is downloaded but not applied. You do however get a notification that an update is available. If the ELM appliance cannot reach api.unidesk.com then you will find the task fails with an error.

Note: If upgrading to 4.2 or later, download the upgrade or full package from Citrix Cloud or https://www.citrix.com/downloads/citrix-app-layering/

The package is around 715MB in size.

Once the package is extracted you’ll get the updated version of the Agent Installer (use it to upgrade PVS agents if you have them), Image Tools and a citrix_app_layering_upgrade_4.1.0.vhdx disk.

Copy the upgrade VHD disk to your ELM Share.

Log on to the UMC, navigate to System -> Manage Appliance -> Upgrade.

Click Browse and select the upgrade disk from ELM Share. Click the down arrow.

Click Upgrade.

Note: If you have any outstanding running tasks, you’ll not be able to upgrade until these are completed.

The ELM upgrade will begin. As per the warning, don’t navigate away or refresh the page.

You’ll eventually be presented with a page stating that the upgrade has finished. Refresh the web page.

Log on to the Citrix App Layering appliance with your normal credentials.

Accept the Terms and Conditions and click Close.

The Setup Login Credentials wizard will appear. This wizard makes sure the ELM Root User, Configuration Tool and Console Administrator accounts are secured with passwords other than the default. Click the down arrow.

Enter secure passwords for each account.

Click Change Credentials.

Click OK.

Click OK.

Now the About pane shows the new 4.1.0.45 version of ELM installed.

Manage ELM from Citrix Cloud

It is possible to manage ELM appliances that are on Citrix App Layering version 4.1.0 and above using the Citrix Cloud. This feature is currently in Labs. Instead of connecting to the UMC with your own internal web browser, you can connect via the Citrix Cloud portal, which uses HDX to establish a secure connection to the appliance. It feels and looks like a Secure Browser session running back to the on-premise ELM appliance.

Sign in to Citrix Cloud to access App Layering. Request a trial and on the Overview page click Get Started.

You can connect to an existing ELM appliance which is version 4.1.0+ if you already have one. At that stage, deploy a Resource Location, skip the Getting Started page and go straight to Manage. If you haven’t deployed an ELM appliance yet or worked with Citrix Cloud, you’ll need to set up a Resource Location first. Select the Hypervisor or Cloud you are using and click Get Cloud Connector.

Click Download. Download the Connector to your Resource Location.

Run the cwcconnector install media as an administrator. The Cloud Connector should be installed on a Windows Server 2012 R2+ domain joined server and in pairs for high availability.

Cloud Connector requirements:

  • .NET 4.5.1 or later.
  • AD Domain joined machine for install.
  • Active Directory schema version 2008 R2 or later.
  • Correct UTC time or else Cloud connection will fail.
  • 40GB of disk space and 4GB RAM.

Note: Turn off IE ESC (Enhanced Security Configuration) before installing the Connector.

Click Sign In.

Enter the Citrix Cloud credentials of an account with Full Access. Click Sign In.

The Connector will perform connectivity checks and install any prerequisites needed. All communication to Citrix Cloud is 443 outbound only from the Connector.

Another Connectivity Test will be performed.

Click Close.

Back over on the Citrix Cloud portal, click Refresh on the Resource Location screen.

As mentioned before, you should install a pair of connectors for high availability. Connector updates are handled by Citrix Cloud automatically with only one connector being upgraded at a time. Now that we have a Resource Location in place, navigate back to App Layering.

Select your preferred Hypervisor and click Download for Hyper-V. This initiates a download of the Citrix App Layering 4.1.0 ELM (Enterprise Layer Manager) appliance.

Save the media to your Resource Location.

The extracted media will contain an Agent installer, Gold Image Tools and in my case Hyper-V disks.

Both disks will be attached to a Virtual Machine.

To create a VM, run through the wizard using Hyper-V Manager or SCVMM. 

Make sure to select Generation 1.

Specify 8GB RAM and do not select to use Dynamic Memory.

Attach a Virtual Switch.

Browse and attach the system.vhdx disk.

Click Finish. Do not start the appliance at this stage.

Go in to the settings of the VM. Change the Virtual Processors to 4.

Click on IDE Controller 0 and attach the repository.vhdx disk. Click OK. Now boot the appliance and configure the network settings, timezones etc. See http://www.jgspiers.com/installing-configuring-unidesk-4/#CLI-Config for instructions.

Once the appliance is configured via CLI, navigate back to the Citrix Cloud – App Layering portal and click Log in to Appliance.

Select your Resource Location from the drop-down and enter the appliance IP address. Click Connect.

Initially you’ll see a mixture of white screens and Connecting messages.

Once the HDX connection is established, you’ll see the familiar ELM appliance log on screen.

There are some current limitations of using the ELM appliance through Citrix Cloud. See https://www.unidesk.com/support/learn/4.1.0/ms_hyper-v/configure_the_appliance/get_started_login_hv4#log_in_cloud


8 Comments

  • Morufudeen

    February 2, 2017

    Hello George,

    Fantastic write up! Appreciate the time you take to write these blogs. I haven’t had much luck getting PVS to work with Unidesk so far. I get this message “Cannot find PowerShell Snapin ‘Citrix.PVS.SnapIn’ on server ‘pvs01.msl.pri’, ensure that it is installed” when I try the PVS connector. I am not sure what I’ve been doing wrong. I’m running Unidesk 4.0.8.52, PVS 7.12 and Windows Server 2012 R2. My hypervisor is vSphere 6.5. I’ve tried to register the Powershell snapins too on the PVS server prior to installing the agent as you advised in this blog.

    Many thanks,

    Deen

    • George Spiers

      February 2, 2017

      From the PVS server, run command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Citrix.PVS.snapin.dll from directory C:\Program Files\Citrix\Provisioning Services Console.

      Now install the PVS agent on the server
      Finally make sure the correct firewall rules are in place on the PVS server http://www.jgspiers.com/installing-configuring-unidesk-4/#Firewall

  • Morufudeen

    February 3, 2017

    Many thanks George. I was just being silly. I was registering mcli as I’ve been used to doing that. I registered Citrix.PVS… as you’ve mentioned and straight through. Good to read the manual properly as they say. Thanks once again. I can continue with your latest post now for my testing.

  • Adil

    August 7, 2017

    Thank you very much George for your usual help.
    I followed this nice article, with a difference, that I work with vSphere, and I got to the creation of the PVS connector.
    I cannot configure the PVS connector. I installed the Citrix App Layering Agent on the PVS server. During installation I get an error: “a failure occured whene executing ‘netsh'” Error Adding Certificate. I put OK and the wizard finishes installation just after.

    1. I removed security on PowerShell 32 and 64 on the PVS server: Set-ExecutionPolicy Unrestricted
    2. I executed the ELM registration command on the PVS server successfully: Citrix.AppLayering.Agent.Service.exe register /i /e:IP_address_of_ELM /u:Domain\Administrator
    3. I also ran the commands below. From a command prompt, go to: cd “c:\program files\citrix\provisioning services console”, then C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe McliPSSnapIn.dll and C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe Citrix.PVS.snapin.dll
    4. I activated remote PowerShell on PowerShell 32 and 64: Enable-PSRemoting

    When I create a new PVS connector and check the connection, the system returns the following error message: One or more the pvs configuration is invalid, please check your selections. And it sets this field red: Console. And the following message: Citrix App Layering Agent Error: Error: read ECONNRESET
    Your help please.
