The new Long Term Service Release of Citrix Virtual Apps and Desktops is now available. It contains many new features compared to the last Current Release and of course more regarding the last LTSR.
The following new features have been added compared to the last current release.
User Personalization Layer
This function replaces Personal vDisk, which has been discontinued for some time. When installing or upgrading a single session VDA, you can now include the User Personalization Layer component. This function is provided by Citrix App Layering and ensures that on non-persistent machines, the personal data and locally installed applications of the user can be stored and made available across sessions in a VHD. Like PvD, the User Personalization Layer also works with Citrix Provisioning and Machine Creation Services (MCS).
To enable the mounting of user layers within the virtual delivery agents, use the configuration parameters in the Citrix policies:
- User Layer Repository Path
- Enter a path in the format “\\Servername\Sharename”
- User Layer Size GB
- Changes the default value from 0 to the maximum size (in GB), the user layer can grow to. If the default value is used, the maximum size of the user layer is 10 GB.
Changing the size of the user layer in the policy does not change the size of the existing layers.
SQL Server Express Version
When installing the first Delivery Controller, you can select whether Microsoft SQL Server Express should be installed or not. This is used for the site database. This release uses SQL Server Express 2017 with Cumulative Update 16. Upgrades from existing farms will not install the newer version of SQL Server Express.
For the LocalDB (Local Host Cache) of a new controller, the new version of Microsoft SQL Server Express 2017 is automatically installed. This installation is separate from the SQL Server Express used for the site database. Here the SQL Express Server is also not updated for existing controllers.
Support Windows 10 x86
Windows 10 32-bit (x86) and 64-bit (x64) operating systems are supported. The 32-bit Windows 10 operating system is not supported in Current Release 1909 and there are currently no plans to support it in future releases. For Windows 10, Citrix recommends 64-bit (x64).
Local Security Authority (LSA)
Now the use of the Local Security Authority (LSA) on a multi-session server and single-session desktop operating system is supported. On Windows, you can now configure additional protection for the LSA process to increase security for the credentials, it stored and managed.
In environments using the Citrix Gateway Service, the Rendezvous Protocol allows HDX sessions to bypass the Citrix Cloud Connector and connect directly and securely to the Citrix Gateway Service.
- Navigate to the Citrix Workspace
- Enter credentials into Citrix Workspace
- When Active Directory on Prem is used, the Citrix Virtual Apps and Desktops Service authenticates the credentials with Active Directory via the Cloud Connector
- Citrix Workspace displays assigned resources from the Citrix Virtual Apps and the Desktops Service
- Resource from the Citrix Workspace is selected. The Citrix Virtual Apps and Desktops Service sends a message to the VDA to prepare for an incoming session
- Citrix Workspace sends an ICA file to the endpoint containing a STA ticket generated by Citrix Cloud
- The endpoint connects to the Citrix Gateway Service, provides the ticket for connection to the VDA and the Citrix Cloud validates the ticket
- The Citrix Gateway Service sends connection information to the Cloud Connector. The Cloud Connector determines whether the connection should be a rendezvous connection and sends the information to the VDA
- The VDA establishes a direct connection to the Citrix Gateway Service
- If a direct connection between the VDA and the Citrix Gateway Service is not possible, the VDA establishes its connection to the Cloud Connector
- The Citrix Gateway Service establishes a connection between the end device and the VDA
- The VDA verifies the license for the Citrix Virtual Apps and Desktops Service via the Cloud Connector
- The Citrix Virtual Apps and Desktops Service sends session policies to the VDA via the Cloud Connector
- Access to the environment via Citrix Workspace and Citrix Gateway Service
- Citrix Virtual Apps and Desktops Service (Citrix Cloud) as Control Plane
- VDA version 1912 or higher
- Enabling the Rendezvous Protocol in the Citrix Policy
- Virtual Apps and Desktops Machines must have access to the Citrix Cloud Websites
- DNS reverse lookup zone with PTR entries for Virtual Apps and Desktops machines
- Configure the SSL Cipher Suite Order in the VDA
- Start the Group Policy
- Go to Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order
- Select this order:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
The Rendezvous protocol does not support transparent or explicit proxies. To use proxies, continue to use the Cloud Connector for ICA traffic.
If rendezvous is enabled and the VDA cannot directly reach the gateway service, the VDA performs a fallback to the cloud connector.
If all requirements are met, perform the following steps to verify that the rendezvous protocol is being used:
- Starts a PowerShell or CMD within the HDX session
- Executes the
- If the rendezvous is used, the local address is
0.0.0.0.0.0followed by a 5-digit port number (e.g. 0.0.0.0.0.0:50345)
Linux machines under AWS
Citrix Studio now supports the use of Machine Creation Services (MCS) to deploy Linux machines to Amazon Web Services (AWS).
StoreFront App Protection Policies
StoreFront 1912 supports App Protection Policies as long as the other Citrix components such as Workspace App and Delivery Controller (version 1912 or higher) also support it. App Protection Policies can be activated at the Delivery Group level. When StoreFront receives requests from a Workspace App where the HTTP header contains X-Citrix-AppProtection-Capable, it automatically sends a smart access tag to CVAD indicating that it supports the App Protection Policies. It is not necessary to manually enable the App Protection Policies in StoreFront.
Use the PowerShell SDK to enable the following properties for the App Protection Delivery Group:
- AppProtectionKeyLoggingRequired: True
- AppProtectionScreenCaptureRequired: True
Set-BrokerDesktopGroup -Name <Delivery Group Name> -AppProtectionKeyLoggingRequired $true - AppProtectionScreenCaptureRequired $true
To check this, run the following cmdlet:
Get-BrokerDesktopGroup -Property Name,AppProtectionKeyLoggingRequired,AppProtectionScreenCaptureRequired
In addition, XML Trust must be activated:
Set-BrokerSite –TrustRequestsSentToTheXmlServicePort $true
If an older version of the Citrix Workspace App or Citrix Receiver is used, these policies will not be activated.
Support Desktop Appliance Sites
From this release, Desktop Appliance Sites are no longer supported, and it is recommended to use Citrix Workspace App Desktop Lock for all non-domain-joined use cases.
When upgraded to StoreFront 1912, all Desktop Appliance Sites in the Citrix farm are automatically removed.
Important note on upgrading VDAs.
If the Personal vDisk (PvD) component has ever been installed on the VDA, this VDA cannot be upgraded to version 1912 LTSR or higher by inplace upgrade. To use the new VDA, uninstall the current VDA and then install the new VDA. This also applies if the PvD component was only installed and has never been used before.
If it is not known whether the VDA has installed PvD, start the installation program for the new VDA on the machine.
When PvD is installed, a message appears indicating that there is an incompatible component.
If PvD is not or was not installed, the upgrade will continue.