FSLogix in a Citrix Provisioning environment

You’ve probably heard of FSLogix, a great company recently acquired by Microsoft for their Windows Virtual Desktop strategy. FSLogix is what makes WVD with Office 365 possible in the first place. My team at S&L and I have been dealing with FSLogix for a long time. Maybe we were even one of the first to use FSLogix in customer projects, before the product became this famous?

Great news in March this year was that FSLogix may be used not only for WVD, but also by customers with RDS CALs. Read the great blog post from James Rankin to learn more about that. Don’t hesitate to use this great piece of software! You can get your copy of FSLogix from here. There is a license key included in the ZIP file.

We have been huge Citrix Provisioning fans for years and have many customers who still need to run their Citrix VDAs on premises for a while for various reasons. Sure, they can at least use the Citrix Cloud to manage their environment and use Office 365, but the VDAs have to stay at home. Exactly for this scenario I would like to show you a best practice guide, because there is a lot to consider when using FSLogix profile containers in a Citrix Virtual Apps (XenApp) PVS environment. But if you do it right, you will have a lot of added value and, in the end, even a completely highly available Citrix environment (I assume that your PVS and DDC servers are redundant and that you are using Citrix ADC as load balancer).

So, let’s start …

If you decide to use FSLogix (and you should), then do it right and use the full potential! So, we will design our user profiles redundantly. The magic feature for this is called FSLogix Cloud Cache (although that does not necessarily have anything to do with cloud). Do you like the idea of restarting your profile server during operation or just for maintenance? Or do you want an always up-to-date backup of your user profiles? Here we go, but there are some challenges when using FSLogix Cloud Cache with Citrix PVS.

First, you need two shares, in our example hosted on two virtual Windows Server 2019 machines (you can also use one Windows Server on premises and a cloud storage for the redundancy). For the storage of the profiles I recommend a dedicated hard drive on both file servers, formatted with the ReFS file system, because we will store virtual disks (VHDX) here.

Be sure to pay attention to the right user permissions on the profile folder:

  • Administrators – Full control – This folder, subfolders and files
  • SYSTEM – Full control – This folder, subfolders and files
  • Creator Owner – Full control – Subfolders and files only
  • Authenticated users – Modify – This folder only

Also make sure not to make the share available for offline usage!
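
The permissions and the offline setting above can be checked by script. The following PowerShell audit is an added example, not part of the original post: it compares the folder's ACL with the four entries listed and reports every additional entry, since an inherited ACE on the root is passed on to each user's profile folder. The local path D:\FSLogix\Profiles is an assumption; the share name fslogix$ is the one used in the connection string in this post.

```powershell
# Added example: audit the profile folder against the ACEs listed above.
# Assumed: the local path D:\FSLogix\Profiles; the share name fslogix$ is from the post.
param(
    [string]$ProfileRoot = 'D:\FSLogix\Profiles',
    [string]$ShareName   = 'fslogix$'
)
$Sync       = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$GenericAll = 0x10000000   # CREATOR OWNER ACEs are often stored as GENERIC_ALL
$Both       = 'ContainerInherit, ObjectInherit'
# Well-known SIDs keep the check independent of the server's display language.
$expected = @{
    'S-1-5-32-544' = @{ Name = 'Administrators';      Rights = 'FullControl'; Inherit = $Both;  Propagate = 'None' }
    'S-1-5-18'     = @{ Name = 'SYSTEM';              Rights = 'FullControl'; Inherit = $Both;  Propagate = 'None' }
    'S-1-3-0'      = @{ Name = 'CREATOR OWNER';       Rights = 'FullControl'; Inherit = $Both;  Propagate = 'InheritOnly' }
    'S-1-5-11'     = @{ Name = 'Authenticated Users'; Rights = 'Modify';      Inherit = 'None'; Propagate = 'None' }
}
$findings = @(); $seen = @{}
$acl      = Get-Acl -LiteralPath $ProfileRoot
$rules    = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($rule in $rules) {
    $sid    = $rule.IdentityReference.Value
    $want   = $expected[$sid]
    $actual = [int]$rule.FileSystemRights
    if (-not $want -or "$($rule.AccessControlType)" -ne 'Allow') {
        $findings += "Unexpected ACE: $sid $($rule.AccessControlType) $($rule.FileSystemRights)"
        continue
    }
    # Compare rights with the Synchronize bit masked out on both sides.
    $wanted   = [int][System.Security.AccessControl.FileSystemRights]$want.Rights
    $rightsOk = (($actual -band (-bnot $Sync)) -eq ($wanted -band (-bnot $Sync))) -or
                ($want.Rights -eq 'FullControl' -and $actual -eq $GenericAll)
    $scopeOk  = ("$($rule.InheritanceFlags)" -eq $want.Inherit) -and
                ("$($rule.PropagationFlags)" -eq $want.Propagate)
    if ($rightsOk -and $scopeOk) { $seen[$sid] = $true }
    else { $findings += "$($want.Name): found $($rule.FileSystemRights) / $($rule.InheritanceFlags) / $($rule.PropagationFlags)" }
}
foreach ($sid in $expected.Keys) {
    if (-not $seen[$sid]) { $findings += "Missing or wrong ACE for $($expected[$sid].Name)" }
}
# Offline files must be disabled on the share (this part runs on the file server).
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if ($share -and "$($share.CachingMode)" -ne 'None') {
    $findings += "Share $ShareName allows offline caching: $($share.CachingMode)"
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'ACL and share settings match the recommended baseline.'
```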

To use Cloud Cache you have to configure the following policy setting. The first share will be the primary, the second is the backup share. VHDX files are automatically synchronized between the shares.

Think of two different locations (for example a disaster recovery data center) for your VDAs: you could define the corresponding profile server as the primary server for the respective VDAs. Don’t use the policy “VHD location”; it is only needed if the Cloud Cache feature is NOT used!

type=smb,connectionString="\\ctxfslogix01.domain.de\fslogix$\profile";type=smb,connectionString="\\ctxfslogix02.domain.de\fslogix$\profile"

But here is the trap: with Cloud Cache, the VHDX is also cached locally on the VDA for any user who logs on to this VDA! You can’t avoid that! The default path is “C:\ProgramData\FSLogix\Cache”. So, what does that mean…?

Let’s assume the VDA uses “PVS cache to ram with overflow to hard disk”. In the worst case this means that the VHDX of each user is stored in the PVS cache. If the PVS cache is set to 4 or maybe 6 GB, then it could be filled up after only a few logons. Bad idea…

So, we have to redirect the FSLogix cache to the respective VDA cache disk (fast SSD disks recommended); in addition, we delete the cached profiles after the user logs off. There are corresponding policies for this (“Clear local cache on logoff” above). Another solution is to configure enough cache to ram so that the cached VHDX files fit into the PVS cache; this is also a very fast method. I would say: problem solved…

FSLogix profiles (VHDX) can become very, very large, which brings us to the next topic. You all know Citrix User Profile Manager and you know that certain folders can or even should be excluded from the profile so that the size is manageable. So, indeed this is an old topic. Now here comes the most important part: if you do not control the profile size, the VHDX gets huge; think of all the junk in the AppData folder. Assuming that the VHDX will be 5 GB per user, each VDA with 20 users logged on will need 100 GB of free space on the cache disk to hold the cached FSLogix profiles (the normal size of the cache disk would be about 20-30 GB). And keep in mind that the profiles can also become larger than 5 GB or the VDAs can host more than 20 users.

It is best to set a limit for the profiles so that you can calculate the size of the cache disk or cache to ram. Let’s calculate with 2 GB per user (or just check out the average profile size of your current UPM profiles). With 20 users on a VDA we need 40 GB of free space on the cache disk. That is manageable. We also set this limit with a policy and ensure that a user can no longer log on to the VDA when the limit is exceeded. This can be done very well with FrxShell from FSLogix.
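
As an added example (not from the original post), this PowerShell check verifies on a VDA the settings discussed above: two Cloud Cache providers, no VHD location, cache cleared on logoff, cache directory off the system drive, and enough free space for users times profile limit. The registry keys and value names are assumptions about where the policies are stored and are passed as parameters; the 20 users per VDA come from the text.

```powershell
# Added example: check a VDA against the Cloud Cache recommendations above.
# Assumed: the settings are stored in the registry keys below; 20 users per VDA as in the text.
param(
    [int]$UsersPerVda    = 20,
    [string]$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles',
    [string]$CcdKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\frxccd\Parameters'
)
function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}
$findings = @()

# Two providers are needed for redundancy; the value may be REG_SZ or REG_MULTI_SZ.
$ccd       = @(Get-RegValue $ProfilesKey 'CCDLocations') -join ';'
$providers = @($ccd -split ';' | Where-Object { $_ -match '^\s*type=' })
if ($providers.Count -lt 2) { $findings += "CCDLocations defines $($providers.Count) provider(s), expected 2" }

if (Get-RegValue $ProfilesKey 'VHDLocations') {
    $findings += 'VHDLocations is set; it is only needed when Cloud Cache is not used'
}
if ((Get-RegValue $ProfilesKey 'ClearCacheOnLogoff') -ne 1) {
    $findings += 'ClearCacheOnLogoff is not 1; cached VHDX files stay on the VDA after logoff'
}

# A cache on the system drive is written into the PVS write cache.
$cacheDir = Get-RegValue $CcdKey 'CacheDirectory'
if (-not $cacheDir) { $cacheDir = 'C:\ProgramData\FSLogix\Cache' }   # default path named in the post
if ($cacheDir -like "$env:SystemDrive*") { $findings += "Cache directory $cacheDir is on the system drive" }

# Size the cache volume: users per VDA times the per-profile limit.
$sizeMb = Get-RegValue $ProfilesKey 'SizeInMBs'
if (-not $sizeMb) { $findings += 'SizeInMBs is not set; there is no explicit limit to size the cache against' }
else {
    $neededMb = $UsersPerVda * [int]$sizeMb
    $drive    = Get-PSDrive -Name $cacheDir.Substring(0, 1) -ErrorAction SilentlyContinue
    $freeMb   = if ($drive) { [math]::Floor($drive.Free / 1MB) } else { 0 }
    if ($freeMb -lt $neededMb) {
        $findings += "Cache volume has $freeMb MB free; $UsersPerVda users x $sizeMb MB need $neededMb MB"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Cloud Cache settings match the recommendations.'
```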

But how do we manage to keep the limit, so that the profiles stay as small as possible? Well, much like we did with the Citrix UPM. Without a special configuration, certain folders will be excluded from the profile by default, but with the help of a configuration file we can achieve much more. The file is called “redirections.xml” and is best stored centrally in the network, for example on the netlogon share. You can read more about it here. Please only enter the path in the policy, without the filename!

Sample “redirections.xml” file

<FrxProfileFolderRedirection ExcludeCommonFolders="###VALUE###">

<Excludes>
	<Exclude Copy="0">Videos</Exclude>
	<Exclude Copy="0">Saved Games</Exclude>
	<Exclude Copy="0">Contacts</Exclude>
	<Exclude Copy="0">Searches</Exclude>
	<Exclude Copy="0">Citrix</Exclude>
	<Exclude Copy="0">Tracing</Exclude>
	<Exclude Copy="0">Music</Exclude>
	<Exclude Copy="0">$Recycle.Bin</Exclude>
	<Exclude Copy="1">AppData\LocalLow</Exclude>
	<Exclude Copy="1">AppData\Local\Apps</Exclude>
	<Exclude Copy="1">AppData\Local\Downloaded Installations</Exclude>
	<Exclude Copy="1">AppData\Local\assembly</Exclude>
	<Exclude Copy="1">AppData\Local\CEF</Exclude>
	<Exclude Copy="1">AppData\Local\Google\</Exclude>
	<Exclude Copy="1">AppData\Local\Deployment</Exclude>
	<Exclude Copy="1">AppData\Local\FSLogix</Exclude>
	<Exclude Copy="1">AppData\Local\GroupPolicy</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft Help</Exclude>
	<Exclude Copy="1">AppData\Local\Packages</Exclude>
	<Exclude Copy="1">AppData\Local\Sun</Exclude>
	<Exclude Copy="1">AppData\Local\VirtualStore</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Notifications</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Internet Explorer\DOMStore</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Internet Explorer\Recovery</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\MSOIdentityCRL\Tracing</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Messenger</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Terminal Server Client</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\UEV</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\Application Shortcuts</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\Mail</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\WebCache.old</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\AppCache</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\Caches</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\Explorer</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\GameExplorer</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\DNTException</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\IECompatCache</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\iecompatuaCache</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\Notifications</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\PRICache</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\PrivacIE</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\RoamingTiles</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\SchCache</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\Temporary Internet Files</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\WebCache</Exclude>
	<Exclude Copy="1">AppData\Local\Microsoft\Windows\1031</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\BrowserMetrics</Exclude>
	<Exclude Copy="0">AppData\Roaming\Google\Chrome\UserData\Default\Code Cache\js</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\CertificateRevocation</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\CertificateTransparency</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\Crashpad</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\FileTypePolicies</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\InterventionPolicyDatabase</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\MEIPreload</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\PepperFlash</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\pnacl</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\Safe Browsing</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\ShaderCache</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\SSLErrorAssistant</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\Subresource Filter</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\SwReporter</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\Default\JumpListIcons</Exclude>
	<Exclude Copy="1">AppData\Roaming\Google\Chrome\UserData\Default\JumpListIconsOld</Exclude>
	<Exclude Copy="1">AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat</Exclude>
	<Exclude Copy="1">AppData\Roaming\Adobe\Acrobat\DC</Exclude>
	<Exclude Copy="1">AppData\Roaming\Adobe\SLData</Exclude>
	<Exclude Copy="1">AppData\Roaming\Microsoft\Document Building Blocks</Exclude>
	<Exclude Copy="1">AppData\Roaming\Microsoft\Windows\Network Shortcuts</Exclude>
	<Exclude Copy="1">AppData\Roaming\Microsoft\Windows\Printer Shortcuts</Exclude>
	<Exclude Copy="1">AppData\Roaming\Sun\Java\Deployment\cache</Exclude>
	<Exclude Copy="1">AppData\Roaming\Sun\Java\Deployment\log</Exclude>
	<Exclude Copy="1">AppData\Roaming\Sun\Java\Deployment\tmp</Exclude>
	<Exclude Copy="1">AppData\Roaming\Citrix\PNAgent\AppCache</Exclude>
	<Exclude Copy="1">AppData\Roaming\Citrix\PNAgent\IconCache</Exclude>
	<Exclude Copy="1">AppData\Roaming\Citrix\PNAgent\ResourceCache</Exclude>
	<Exclude Copy="1">AppData\Roaming\ICAClient\Cache</Exclude>
	<Exclude Copy="1">AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\</Exclude>
	<Exclude Copy="1">AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\flashplayer\#SharedObjects\</Exclude>
</Excludes>

<Includes>
	<Include Copy="3">AppData\LocalLow\Sun\Java\Deployment\security</Include>
</Includes>
</FrxProfileFolderRedirection>

During user logon, folders you exclude in the XML file are redirected to the folder “C:\Users\local_username”. Depending on the configuration, the folders are written back to the profile during logoff or simply discarded. You have to decide what you want to keep. That’s the key to not letting the profiles grow too much. We managed to reach an average size of 450 MB, so we can even use PVS cache to ram to cache the VHDX files (with 12 GB for example).

Nevertheless, an important thing to consider is that the use of the redirections.xml file can increase the logon time because of the copy process to the local_username folder. If you add an exclusion for a folder that already exists in the profile, the folder, possibly with huge content, will be copied during the logon process. You can check this in the FSLogix log file with frxtray, located here: C:\Program Files\FSLogix\Apps\frxtray.exe. You can easily recognize the time jump in the log.

Also consider redirecting folders like “Downloads” or “Desktop” (if your users store large files on them) with Citrix Workspace Environment Manager. You can clean up these folders more easily outside the VHDX. Google Chrome also needs special attention: certain folders have to be redirected and excluded, otherwise your profile disk explodes (the sample XML deals with this together with the redirection of user data and cache). The same may apply to other applications, so you have to keep an eye on them! Once a bad application has written garbage into the profile, the VHDX grows and stays at that size, even if you clean up the profile. But there is a solution for that: you can optimize and shrink your VHDX files with a great script written by David Ott, or, if you don’t have the Hyper-V role installed on a server (you need this for the script to work), you can also optimize the profile disk with diskpart.

diskpart

select vdisk FILE="D:\FSLogix\Profiles\ctxtest\Profile_ctxtest.VHDX"

attach vdisk readonly

compact vdisk

detach vdisk

So, one more thing to say: if you don’t want your profiles to be redundant, you don’t need the Cloud Cache feature; this also means that the profiles are not cached locally on the VDA cache disk. In this case, you should still use the XML file, so that the profiles do not grow excessively.

Quick summary

  • Use FSLogix profiles, it’s free now!
  • Use FSLogix Cloud Cache to get redundant and consistent user profiles (last piece of the HA puzzle)
  • Keep your profiles small by redirecting certain folders
  • Always use VHDX type and dynamic disks
  • Calculate the size of the VDA cache disk or PVS cache to ram
  • Always check where new apps store data and if this data is needed
  • Limit the VHDX size
  • Clean up profiles if they become too big (with Citrix WEM file system operations action)
  • Optimize and shrink profiles regularly

Complete FSLogix Group policy

Google Chrome settings (to match the settings in the redirections.xml):

I hope you enjoyed the post and that I have encouraged you to use FSLogix in Citrix PVS environments.

Next blog post is about FSLogix AppMasking with deviceTRUST (very cool stuff, look forward to it!), followed up by FSLogix Office Profile container.