App Layering – Enterprise Layer Manager 4.6

Last Modified: Oct 31, 2017 @ 11:53 am

Navigation

These posts focus on VMware vSphere. For Hyper-V, see Installing and configuring Unidesk 4.x by George Spiers.

Licensing

From Citrix Blog Post A Breakdown of Citrix App Layering Features by Edition: Citrix App Layering is available in all editions with the exception of XenApp Secure Browser Edition. This means that you can do the following across any number of XenApp and XenDesktop sites in your environment:

  • Create an unlimited number of OS, platform and application layers
  • Create an unlimited number of layered images
  • Create an unlimited number of elastic layers

XenApp and XenDesktop Platinum Edition customers also benefit from:

  • Multiple hypervisors and/or cloud connections (e.g. XenServer and Azure or XenServer and Hyper-V). Non-Platinum sites are limited to one hypervisor or cloud connection type.
  • Multiple provisioning mechanisms (e.g. Machine Creation Services and Provisioning Services). Non-Platinum sites must select MCS or PVS and use it exclusively with Citrix App Layering.
  • Multiple broker types/platforms (e.g. XenApp and XenDesktop with VMware Horizon View). Non-Platinum sites can only use App Layering within their XenApp and XenDesktop sites
  • User Layers (currently available in Labs preview for Windows 7 and Windows 10)

For Citrix Cloud – Citrix App Layering is a cloud service offering for all customers. Those customers using the XenApp and XenDesktop Service are entitled to Platinum-level features including all Citrix App Layering capabilities. Citrix App Layering also allows you to access the management console within Citrix Cloud (currently in Labs/preview) making it even easier to get started with the technology.

Upgrade Enterprise Layer Manager

If you are deploying a new ELM appliance, skip to Import Enterprise Layer Manager.

To upgrade:

  1. When you login to the ELM, you might see a notification about Version 4.5 is now available. Click Start Upgrade.
  2. If you don’t see the upgrade notification, then download it manually:
    1. Download the App Layering 4.6 Appliance Upgrade Package from Citrix Cloud.
    2. Or download it from Citrix Downloads.
    3. In the App Layering file share, create an Upgrade folder.
    4. Unzip the Upgrade Package, and copy the citrix_app_layering_upgrade_4.6.0.vhd file to the Upgrade folder in the App Layering file share.
    5. Login to the App Layering management console.
    6. Switch to the System tab.
    7. On the right, click Upgrade.
    8. In the Upgrade Disk Details page, click Browse.
    9. Expand the Upgrade folder, select the citrix_app_layering_upgrade_4.6.0.vhd file, and click Choose.
  3. Click the down arrow (next).
  4. In the Confirm and Complete page, click Upgrade.
  5. The browser window changes to the upgrade progress page.
  6. It will eventually say that Upgrade Status is Complete. Refresh the browser.
  7. Login to the App Layering console.
  8. You might immediately see the upgrade notification. Click OK.
  9. Or, you might see some additional prompts:
    1. If the Citrix License Agreement window is displayed, check the box next to I accept the Terms and Conditions, and click Close.
    2. If the Setup Login Credentials wizard is displayed, in the About Your Credentials page, click the down arrow (next).
    3. In the Change Passwords page, enter passwords for the three accounts, and click the down arrow.
    4. In the Confirm and Complete page, click Change Credentials.
    5. Click OK when prompted that the passwords were changed successfully.
    6. Click OK when prompted that the ELM was upgraded.
  10. In the top right of the window, click About.
  11. Verify the ELM Software Version.

Upgrade OS Layer

  1. From Gunther Anderson at Upgrading machine tools to CitrixApp layer v.4.1 at unidesk.com: You do not uninstall or upgrade the Unidesk Image Preparation Tool – Setup_x64.exe. The current drivers are installed in the ELM, and every time the ELM produces an image for any purpose, it injects the current drivers into it. You do not need to touch your OS layer for that.
  2. You should download and run the OS Machine Tools to allow it to upgrade your system scripts, but you don’t need to do anything beyond that.
  3. Replace the existing files.

Upgrade Provisioning Services Agent

  1. If you are upgrading Provisioning Services server, you might have to re-register the snap-in:
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"
  2. On your Provisioning Services server, open Programs and Features. If it says Citrix App Layering Agent, there’s no need to uninstall.

    1. If it says Unidesk Agent, then uninstall it before upgrading.
  3. Run citrix_app_layering_agent_installer.exe.
  4. If upgrading from Agent 4.2 and newer:
    1. Click Yes to upgrade the agent.
    2. In the Welcome to the InstallShield Wizard for Citrix App Layering Agent page, click Next.
    3. In the InstallShield Wizard Completed page, click Finish.
  5. If reinstalling after uninstalling Agent 4.1 and older:
    1. In the Welcome to the InstallShield Wizard for Citrix App Layering Agent page, click Next.
    2. In the License Agreement page, select I accept the terms in the license agreement, and click Next.
    3. In the Agent Port page, click Next.
    4. In the Ready to Install the Program page, click Install.
    5. Enter the ELM FQDN, enter ELM credentials, and click Register.
    6. In the InstallShield Wizard Completed page, click Finish.

Import Enterprise Layer Manager Appliance

Download Appliance

  1. You can download App Layering 4.6 from Citrix Downloads, or from Citrix Cloud.
  2. To download from Citrix Cloud:
    1. Go to https://citrix.cloud.com and login. You can create a Cloud account.
    2. After logging in, find the App Layering service, and click Request Trial. Everybody sees this text.
    3. Once the trial is activated, in the My Services section, find App Layering, and click Manage.
    4. In the App Layering service, click the Getting Started tab.
    5. Select your hypervisor.
    6. In step 2, click Download for vSphere, or whatever your hypervisor is.
  3. After downloading, extract the .zip file.

Import ELM Appliance

ELM Notes:

  • ELM is not in the data plane. Once an image is published to a platform, ELM is no longer involved, and thus High Availability for ELM is not necessary.
  • OS, App, and Platform Layers are stored inside the ELM appliance. It currently is not possible to export/import these appliances. The only exception is Elastic Layers.

To import the ELM appliance:

  1. In vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  2. In the Select an OVF template page, browse to the vmware_4.6.0.14.ova file, and click Next.
  3. In the Select name and location page, give the machine a name, and click Next.
  4. In the Select a resource page, select a cluster, and click Next.
  5. In the Review details page, click Next.
  6. In the Accept license agreements page, click Accept, and then click Next.
  7. In the Select storage page, select a datastore. The ELM appliance stores all master layers inside the appliance, so ensure there’s sufficient disk space (typically 300-500 GB) for the virtual appliance.
    1. You can view the appliance’s consumed disk space inside the ELM Management Console at System > Manage Appliance.
    2. To expand the storage, either increase the existing disk size, or add a disk to the VM. Then, on the right, is a link to Expand Storage.
  8. Select thin provision, or not. Then Click Next
  9. In the Select networks page, click Next.
  10. In the Ready to complete page, click Finish.
  11. See Firewall ports at Citrix Docs.
    1. ELM requires TCP 443 access to every ESXi host. Source = Citrix CTX228486 Unable to import App Layering OS Layer to ELM from vSphere  💡

Configure ELM IP Address

  1. Once imported, power on the ELM appliance.
  2. After the RUN_ONCE commands are complete, login to the console as administrator with a password of Unidesk1. You might have to press enter before the logon prompt appears.
  3. Enter c to configure networking.
  4. Enter s to assign a static network.
  5. Enter a new IP address for this appliance. Then enter y to save settings and restart networking.
  6. Press <Enter> to continue.
  7. While here, feel free to configure the time zone.
  8. Press / to search. For Central Time, search for chicago, and note the time zone number.
  9. Press Q to quit the display.
  10. Enter the time zone number to configure it.
  11. NTP is configured to use Internet servers. Feel free to change them.

Cloud Management of ELM

You are welcome to mange the ELM appliance locally by skipping ahead to the next section (Silverlight). Or, if you want manage the ELM appliance from Citrix Cloud, follow the instructions in this section.

  1. Go to https://layering.cloud.com and login. Or, after logging into Citrix Cloud, switch to the App Layering service.
  2. Switch to the Getting Started tab.
  3. In Step 1, click Get Cloud Connector.
  4. A new tab opens to the Resource Locations view. Click Download.
  5. From a dedicated server machine in your local network, right-click cwcconnector.exe, and Run as administrator. Don’t install this Connector on any machine that you don’t want to reboot without your knowledge.
  6. Click Sign In, and enter your Citrix Cloud credentials.

  7. The Connector will install.


  8. After installation, go back to your browser, and click Refresh.
  9. Your Resource Location should now have a connector. You can install a second connector. You can also rename the Resource Location.
  10. Go back to the App Layering service.
  11. In Step 4, click Log in to Appliance.
  12. Choose the Resource Location, and enter the IP address of your ELM appliance. Then click Connect.
  13. You can now login to the ELM as administrator and Unidesk1. One advantage of Citrix Cloud is no need to install Silverlight. Once logged in, skip to the First Login section.

Silverlight

  1. Use Internet Explorer to connect to the ELM IP address. Silverlight does not work in Chrome.
  2. If Silverlight is not installed, click the button to install it.
  3. Uncheck the two boxes, and then click Install now.
  4. Click Close.
  5. When you go to the ELM console, the screen will be white for a few seconds. Be patient.
  6. You can login as administrator with Unidesk1 as the default password.

First Login

  1. The first time you logon you are prompted with the End User License Agreement. Check the box next to I accept the Terms and Conditions, and then click Close.
  2. If the Setup Login Credentials wizard is displayed, in the About Your Credentials page, click the down arrow (next).
  3. In the Change Passwords page, enter passwords for the three accounts, and click the down arrow.
  4. In the Confirm and Complete page, click Change Credentials.
  5. Click OK when prompted that the passwords were changed successfully.
  6. Feel free to close the welcome wizard.

Appliance Certificate

  1. In the ELM Management Console, go to System > Settings and Configuration.
  2. Scroll down until you see the HTTP Certificate Settings section. Click the Edit button.
  3. Scroll down, and click Upload.
  4. Browse to a PEM file that contains an unencrypted RSA key, and one certificate (no chain). You can use OpenSSL to convert a .pfx file to a PEM file.
  5. If you scroll up, it should show you the Common Name of the certificate you uploaded. If it’s the root certificate, then you need to remove the extra certificate from the PEM file.
  6. Scroll down and click Save.
  7. Click Yes to restart the web server.

  8. It might take a few minutes to apply. Eventually, you should be able to point your browser to the https URL and not see any certificate errors.
  9. At System > Settings and Configuration, you can scroll down to the Security Settings section to edit the Management Console idle timeout.

File Share

  1. On a Windows file server, create a new share that will store the Elastic Layers. Only SMB shares are supported with Elastic Layers. NFS shares will not work with Elastic Layers.
  2. For High Availability, you can use any file server High Availability technology like File Server Scale-out Clustering, DFS, etc. For local high availability, Citrix recommends clustering over DFS Replication since DFS failure requires reboot of Elastic Layered Machines. See DFS path and Elastic Layers at Citrix Discussions.
  3. For DR Elastic Layer machines, the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Unidesk\ULayer:RepositoryPath can be configured to point to a file share in a DR site. See DFS path and Elastic Layers at Citrix Discussions, and CTX222107 You can change the Elastic Layer repository in the registry without reimaging (4.x).
  4. Give Everyone (or equivalent) Full Control to the share.
  5. On the Security tab, make sure the Users groups only have Read access (no Modify/Write).
  6. Add a service account to the share, and give it Modify access. ELM uses this service account to upload elastic layers to the share.
  7. Back in the ELM, go to System > Settings and Configuration.
  8. Scroll down until you get to the Network File Shares section. Click Edit.
  9. Make sure Windows share is selected. Elastic Layers don’t work on NFS.
  10. Enter the file share path, the service account credentials.
  11. Click Test Network File Share.
  12. Click Save.
  1. Go to Users > Directory Service.
  2. On the right, click Create Directory Junction.
  3. Give the “junction” a friendly name (e.g. domain name).
  4. Enter one domain controller address. LDAP Load balancing is recommended.
  5. Change the port to 636 (assuming you have certificates on your domain controllers).
  6. Click Test Connection.
  7. When prompted with a certificate error, click OK.
  8. Check the box next to Ignore Certificate Errors, and then click Next.
  9. You’ll need a bind account. Get the full Distinguished Name (look in Active Directory Users & Computers > user > Attribute Editor) and enter it here in the Authentication Details page with the password. Click Test Authentication.
  10. After successful authentication, click the down arrow.
  11. In the Distinguished Name (DN) Details page, click the drop down to select the Base DN. Click Test Base DN. And then click the down arrow.
  12. In the Attribute Mapping page, leave them set to the defaults, and click the down arrow.
  13. In the Confirm and Complete page, click Create Directory Junction.

Role Based Access

  1. Go to Users > Directory.
  2. Search through the tree and find your ELM Admins group. Select it. On the right, click Edit Properties.
  3. In the Machine Association page, click the down arrow.
  4. In the Roles page, change it to Administrator, and click the down arrow.
  5. In the Confirm and Complete page, click Update Group.
  6. Logout of ELM.
  7. Log back in using an AD account that’s in your ELM Admins group.

Citrix Provisioning Services Publishing Agent

To publish to PvS, you install the Unidesk Agent on the PvS Servers. It’s only needed on one PvS server.

The installation of the Agent can be automated. See Dennis Span Citrix App Layering Agent unattended installation.

From Install the App Layering Agent (required for PVS and Connector Scripts) at Citrix Docs.

  1. Ensure the PvS services are running as a domain account. Network Service won’t work.
  2. Run the following command on the PvS 7.7 or newer Server. Note, if you upgrade PvS, you’ll have to run this command again.
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll"

    1. If PvS 7.6, then run the following command instead:
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "c:\program files\citrix\provisioning services console\MCliPSSnapIn.dll"
  3. Go to the App Layering files you downloaded from Citrix Cloud or Citrix Downloads, and run citrix_app_layering_agent_installer.exe.
  4. In the Welcome to the InstallShield Wizard for Citrix App Layering Agent page, click Next.
  5. In the License Agreement page, select I accept the terms in the license agreement, and click Next.
  6. In the Agent Port page, click Next.
  7. In the Ready to Install the Program page, click Install.
  8. Enter the ELM FQDN, enter ELM credentials, and click Register.
  9. Registration logs can be found at C:\Program Files (x86)\Citrix\Agent\Logs.
  10. In the InstallShield Wizard Completed page, click Finish.
  11. When an image is published to PvS, ELM can run a script. Citrix has a sample Versioning and Convert VHD to VHDX script at Unidesk.com that converts the VHD file to VHDX, and/or adds the published image as a version. The script files can be installed on the PvS server at this time. Later, you specify the path to the script when you create the PvS Connector in ELM while creating an image template.
  12. Citrix also has a BootPrivate script that modifies the vDisk mode to Private, boots the vDisk on a pre-defined target so that it can run pre-defined layer scripts, shuts down the target, waits for that shutdown, and then switches the mode back to standard.

Next Steps

37 thoughts on “App Layering – Enterprise Layer Manager 4.6”

  1. You don’t have to put Imprivata in the platform layer if you don’t want to. I don’t like doing this as you start to stack layer and then you go back to having multiple images/layer to update. If you crate a platform layer that is used for updating other layers and add that platform layer as a prerequisites when creating the App layer for Imprivata, it will see the VDA installed and do all the hooks it needs for it to work. This platform layer will also apply to other as you start to build out the rest of the environment.

  2. CTX226062 breaks Office KMS activation in private image mode boot.  I would suggest adding something similar to this…

    type c:\Personality.ini | find /I “$WriteCacheType=0” && exit

    in the C:\Windows\Setup\Scripts\kmsdir\kmssetup.cmd to bypass the script when running in private image mode.

  3. Hi Carl,

    When I login to a VDI that configured with cache on ram with overflow and application layer is attached, the cache on the ram is getting full and then the cache disk is getting full.

    I think it’s not supposed to be like this, no?

    Tanks!

    Avi.

  4. Hi Carl,

    Just got an issue after PVS upgrade from 7.13 to 7.14. Were not able to publish new images to PVS. It gave me this error:

    “Error: Cannot load Windows PowerShell snap-in Citrix.PVS.Snapin because of the following error: The Windows PowerShell snap-in module c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll does not have the required Windows PowerShell snap-in strong name Citrix.PVS.SnapIn, Version=7.13.0.13008”

    Until re-registered the snapin on PVS:

    “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe” “c:\program files\citrix\provisioning services console\Citrix.PVS.snapin.dll”

  5. Hi Carl, I have a clustered Server 2016 File Server and I am trying to configure my share folder in the latest App Layer 4.3 but keep getting an error saying “The folder cannot be mounted”, mind you I have configured AD in it already.

  6. When installing the app layering agent on my pvs server (7.13 on Server 2016), it errors out:

    msi log:

    InstallShield 11:18:08: Invoking script function AddCertificate
    1: Executable: C:\Program Files (x86)\Citrix\Agent\Citrix.AppLayering.Agent.Service.exe, args: addcert -port=8016 -errorFile=”AddCert.Error”

    1: Return Code: 1

    1: errorFile: AddCert.Error, resultCode: 1, hErrorFile: 2778, errorMessage: System.Security.Cryptography.CryptographicException: Bad Data.

    applayering.agent log:

    2017-06-27 11:18:09,594 INFO 1 Program: AddCert called with port: ‘8016’, deleteOldCert: ‘True’, force: ‘False’, errorFile: ‘AddCert.Error’
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC:
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC: SSL Certificate bindings:
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC: ————————-
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC:
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC: The system cannot find the file specified.
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC:
    2017-06-27 11:18:09,954 INFO 3 Shell: EXEC:
    2017-06-27 11:18:09,970 INFO 1 Shell: EXEC: Done – Exit Code: 1
    2017-06-27 11:18:16,175 ERROR 1 Program: Exception occured while attempting to add the certificate.
    System.Security.Cryptography.CryptographicException: Bad Data.

    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
    at System.Security.Cryptography.Utils._ImportKey(SafeProvHandle hCSP, Int32 keyNumber, CspProviderFlags flags, Object cspObject, SafeKeyHandle& hKey)
    at System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(RSAParameters parameters)
    at Uni.Core.Services.CertificateManagement.CertificateService.GenerateCertificate(SecureRandom seed, X509Name subjectName, AsymmetricCipherKeyPair subjectKeyPair, X509Name issuerName, AsymmetricKeyParameter issuerPrivKey, String password, IEnumerable`1 extensions, Nullable`1 expiration, Nullable`1 storeLocation, Nullable`1 storeName)
    at Uni.Core.Services.CertificateManagement.CertificateService.GenerateCACertificate(String name, String password, Nullable`1 storeLocation, Nullable`1 storeName, Nullable`1 expiration)
    at Citrix.AppLayering.Agent.Service.Program.CommandLineArgsHandler.GenSelfSignedCert(Nullable`1 port, Boolean deleteOldCert, Boolean force, String errorFile)
    2017-06-27 11:18:16,191 INFO 1 Program: Creating error file AddCert.Error.

    I didn’t see anywhere in the install or guide where I could point it to a cert, am I missing something? I know I could use Orca to edit the MSI and skip that step, but what would you recommend?

  7. Where do I get a head-start on getting to know and use Unidesk in my environment?. I love what it can do so if you could provide some links, this will be appreciated. Also with a shared server desktop non persistent, what do you recommend in regards to deploying unidesk in such an environment?

    1. The article you’re reading contains step-by-step instructions on deploying it. 🙂 Unless something is missing?

      Citrix App Layering is the new name for Unidesk.

      Unidesk is most beneficial if you have the same applications installed on multiple master images. For maximum compatibility, Unidesk can merge the layers into a single image before the machine even boots. Or, Unidesk can dynamically load layers as users log in, allowing different users to have different layers.

      1. Does App Layer help any if you are stuck working with servers without PVS or MCS? Still VMs just don’t have access to the hypervisor level. Thanks.

  8. Hi Carl,

    shouldn’t it be possible to add a DFS path as a proper network file share for the Enterprise Layer Manager?
    At the moment I’m getting a “Failed to mount network file share path” when I try to add a DFS based file share (\\mydomain.local\dfsnamespace\sharetarget).
    However, a standard file share to the same server and share (\\fileserver\share) seems to work fine.
    Also accessing the DFS share with the Windows Explorer works fine so far.
    Do you have a hint for me there?

    Best Regards

    Ewald

    1. Hi Ewald,
      A DFS share is working on my end, so it should work fine.
      I would suggest to check your DNS settings on the ELM appliance.

  9. Hi Carl, would you be able to tell me if i start with setting up the ELM under VMware and then later deside to use Hyper-V as the host for my ELM , would i be able to migrate my layers from one ELM to another ?

    Thanks
    R

    1. There currently is no export/import option for layers. You might have to V2V the ELM to preserve the layers.

  10. Hi Carl,

    I’m quite new to Citrix App Layering.
    Therefore i’m a bit confused at the moment about how to license Citrix App Layering.
    I’m not sure if it is included within XenApp/XenDesktop (maybe Enterprise or Platinum) or if I need to license it separately.
    And do I need to purchase some kind of Cloud Services from Citrix in order to get it working?
    Thank you in advance for your reply!

    Best Regards

    Ewald

    1. You need to be on Customer Success Services (Select). Unidesk is included with all editions of XA/XD. But it’s downloaded from Citrix Cloud (just create an account).

      1. Thank you!
        That clarifies it for me.
        Just one question:
        How long does it usually take until a trial request for App Layering gets granted so that I can download the Software/Appliance?

        1. I got it.
          In the Download Section on the Citrix website for XenApp & XenDesktop 7.13.x there is a website linked for Citrix App Layering which directs you directly to https://layering.cloud.com.
          It seems that I have just missed that part somehow while reading the installation instructions.
          Sorry for that!

  11. hi! carl,
    I am lass from Paris
    could you show indications on connector for mcs and the port used please?
    I need to know if there are an agent to installe on xendesktop server or only app layering agent installed on master is ok

    1. For MCS, the template is published directly to the hypervisor. There’s no need for a separate Agent like PvS.

  12. Hi Carl ,

    It was not possible to download the agent from the link you supplied. Its only available on Unidesk website in the download section you register and login your account. But all new account have denied access to download it. I was able to get it only by talking to the unidesk support. I have a copy of the installer in my onedrive if you allow me to share it. https://1drv.ms/u/s!AuLfTH_M3TdArRvDVJeYSRIWhv1g

  13. Thanks for the reply, what about the os layer template creation , would that have to be created on the same hypervisor as the ELM sists on ?

  14. Hi Carl,
    if my Xendesktop environment runs on a xenserver hyper-visor , is it beneficiary to install the unidesk appliance also on the xenserver platform or is it completely independent and i could put it into our hyper-v cluster ?

    Thanks

    1. I can’t think of any reason why it has to run on XenSever since ELM can push layers to multiple hypervisors.

  15. Hi Carl,

    With the Unidesk acquisition by Citrix, what is the future for AppDisk ?
    I suppose I shouldn’t waste my time implementing Appdisk and focus myself on Unidesk.
    I read several blogs talking about “physical workstations support in a near-future”.
    Mounting VHDs on Windows OS is feasible since years now, why Unidesk could not be used with physical computers ? Maybe because of the necessary bandwidth between a workstation and the servers holding the VHDs repository ? Or maybe because the mount has to be carried out in the very early steps of the Windows boot ?

    Kind regards

    Yvan

    1. Unidesk will replace AppDisk.

      Physical is on the roadmap. But I suspect that Cloud is the primary reason for the Unidesk acquisition.

Leave a Reply