XenApp 7.14.1 Zones

[Nino Krugel]

need some help / advice on configuring zones please.

we currently have xendesktop 7.14.1 installed with a primary zone in South Africa and a Satellite Zone in the UK.

 

Primary Zone is configured with two Delivery Controllers, Machine Catalog and Storefront

Satellite zone is configured the in the same way, 2 x DDCs, StoreFront and machine Catalog.

 

each location has its own netscaler gateway as well, and each netscaler is configured with an internal and external gateway, the reason we did this is because we enforce two factor for both internal and external users.

the issue with this is on optimal hdx routing i now cant specify a zone as you are only allowed to assign one zone to a gateway, so if i set the SA zone to the external AG i cant set it on the internal AG

 

i have a single delivery group set up which contains both machine catalogs, one is for SA and one is for UK.

 

In my mind this is the only way i can use zones and split the VDAs so they register with their local DDCs, based on documentation i have read .

 

Problem i am having is with this setup when a user who resides locally in the SA zone launches an app its luanching on the VDA in UK.

 

can someone please advise what i am doing wrong and the correct way to setup zones is.

 

i do not want to use multiple delivery groups as we publish the same apps for both zones and dont want to end up with duplicate apps being published

 

 

any help or feedback would be appreciated

 

[Russ HARGROVE]

just spitballing here but if you have SA and UK users split up into two regional AD groups.. you could add the correct group to the correct zone

 

you could also use tags to manage who goes where but for that you'd likely be better off with 2 delivery groups... 1 delivery group has the SA tag, the other the UK tag... 

[Nino Krugel]

think i did that but maybe did it wrong as when i had to delivery group i was doubling up on apps i could see in receiver as had access to both delivery groups, is there a way to force one delivery group only to show apps when you come via that storefront server, also would this not take away my ability for users to launch an app in the SA zone when a delivery controller in their site goes down

[Nino Krugel]

ok so have created separate delivery groups and so far so good, how ever we have an issue where a user in SA zone launches and app but instead of launching on local zone it launches on IOM zone and i cant figure out why, 

 

any ideas anyone

[Deepanshu Soni]

Hello Nino,

 

I believe your scenario is similar to the following blog, I suggest you to refer to the blog, it could be the answer to your problem.

https://www.citrix.com/blogs/2017/04/17/zone-preference-internals/

 

Also, see this http://www.carlstalhood.com/catalogs-delivery-groups/#zones

 

Please let me know, if this fix you issue or if any further assistance is required.

 

-Deepanshu 

[Katrina Cruz]

We have a similar issue here.

 

We have 2 Zones, one Primary (default) and one Secondary. When the Citrix VDAs in the primary zone goes down, we want to failover to the secondary zone. If there are no issues in the primary zone, then users should not be allowed to connect to the VDAs in the secondary zone - as the secondary zone is on a slower WAN link. We basically want an Active Passive setup.

 

- There are 2 delivery controllers in each zone, a total of 4.
- There is a host connection in each zone.
- There is a machine catalog for each zone. Each machine catalog belongs to the same Delivery Group.
- In the secondary zone, there is an AD user group assigned. Only users that are part of this AD group can have access the secondary zone resources.
- The delivery group has the "Sessions must launch in a user's home zone, if configured" option enabled.
- There are 2 MCS (machine creation services) nodes in the machine catalog for the primary zone. The MCS master image is replicated to the secondary zone by Veeam. The replica is then used to create MCS nodes for the machine catalog in the secondary zone. They are able to talk to the delivery controllers in the secondary zone just fine, however, they also pickup the delivery controllers from the primary zone as well (unsure if this is an issue or not).

 

If a user is part of the AD group, then they can only connect to the VDAs in the secondary zone. This works fine. If the user is NOT part of the AD group, then you would expect them to only be able to connect to the VDAs in the primary zone. However, this isn't the case. They are still able to connect to the VDAs in the secondary zone and that is the problem we're trying to solve here. Every time we perform a test, we make sure to logout and login of storefront.

Anyone have any ideas what the issue could be?

 

We're using 7.15 LTSR