Microsoft Teams Citrix Xenapp

01-05-2021 by



Average time to read:4minutes

Microsoft Teams enhancements 4. The VP9 video codec is now disabled by default. Enhancement to echo cancellation, auto gain control, noise suppression configurations - If Microsoft Teams configures these options, Citrix-redirected Teams honors the values as configured. Otherwise, these options are set to True by default. Introducing HDX optimization for Microsoft Teams. Now organizations can centrally deploy Microsoft Teams within their virtual environments and deliver a full. Citrix delivers optimization for desktop-based Microsoft Teams (1.2.00.31357 or higher) using Citrix Virtual Apps and Desktops and Citrix Workspace app. By default, we bundle all the necessary components into the Citrix Workspace app and the Virtual Delivery Agent (VDA).

The Microsoft Teams Preview program provides early access to unreleased features in Teams. Previews allow you to explore and test upcoming features. It is not the same as TAP, there is no need to sign up or be approved, and you can enable it for just select users. Find out more at https://aka.ms/TeamsPublicPreviewAdmin.

How I tricked the HdxBrowserCef.exe (Chrome Browser) process into presenting itself as an Edge Browser enabling the best of both worlds.

This is a guest post, written by Dennis Smith.

We needed to be able to make a Microsoft Teams video call via our VDI. But since the Citrix HDX optimization for Microsoft Teams is still not released, my chances of getting it to work were slim to say the least. But I’m one of those people who won’t take ‘no’ for an answer.

The situation

Our organization uses, like many production environments do, the Citrix Virtual Workspace 7.15 LTSR CU3. We host a VDI and make the VM’s available via a Netscaler.

We thought, maybe we can get it to work usingthe browser (teams.microsoft.com) and Citrix ‘Browser Content Redirection 2.0’,using Fernando Klurfan’s guide here;

We had set up the environment and contentredirection with YouTube worked.

Under the hood

A close inspection on how this system really works was needed to find a solution to our problem. Just like flash redirection a few years ago, I know that the URL that has to be displayed is passed on via the ICA client, ahhum, sorry, I mean the Workspace App, of course.

On the client side, Citrix uses theHdxBrowserCef.exe to render the pages locally.

This immediately raised some questions, whatdoes CEF stand for?

After setting the necessary policies/reg keysto enable redirection, as shown below;

And installing the Chrome extension;

We were able to successfully run teams locally, and everything worked…

Except video calling.

No video calling using Chrome, no Browser redirection using Edge

It seems that browser video calling is notpossible using Chrome, I don’t know why, because technically it’s not an issue,at all. I know that Microsoft Teams in-browser video conferencing on Edgeworks. Must be a political thing. Apparently, on the server side Microsoftchecks what browser you’re using and only allows Edge browsers to do videoconferencing. However, the issue remains, Edge does not support browserredirection.

After some tests, I found that Chrome could befooled into presenting itself as if it was Edge by setting the User Agent to aEdge identifier. Using shift-control i,and select, network conditions, User agent;

Now if I could only fool the local browser inpresenting itself with a Edge user agent. The local browser is in this case isthe ‘HdxBrowserCef.exe’, it comes with the Citrix Workspace App (Receiver).

Further inspection on the HdxBrowserCef.exerevealed that it uses the open source lib called Chromium Embedded Framework(CEF). It does not use the local Google Chrome. Now we know what CEF stands forin HdxBrowserCef.exe.

The question is, is it possible for CEF tochange the user agent, and does CEF support webcam access?

Yes, it is, and here’s how!

and;

(source https://ourcodeworld.com/articles/read/425/how-to-enable-webrtc-access-camera-and-microphone-for-cefsharp-in-winforms)

But to re-write the whole HdxBrowserCef.exe isa bridge too far, we only needed it to present itself as Edge.

I started searching for User Agent strings in the Citrix Workspace App folder that holds the HdxBrowserCef.exe. And found it in the ‘libcef.dll’. We dove into the file using a hex editor (https://hexed.it/), searched for ‘mozilla’, because that’s in all User Agent strings;

Changed this into;

Adding an Edge user string to the User Agentstring. Saved the .dll, and tested this using www.whatismybrowser.comto see if we successfully fooled the HdxBrowserCef.exe into presenting itselfas Edge. And it worked! Notice that strings are stored using &h00 as ‘endof string’, and &h20 as ‘space’.

The next test was, will in-browser Teams videocalling work?, the icon was there so it looked promising.

Microsoft Teams In Citrix Xenapp

After a few video calls, I concluded thiswork-around works. Please keep in mind that using this setup every redirectedweb-page, including youtube, will be requested as Edge.

Dennis Smith – Gourami.eu

Disclaimer: this article is intended as atechnical proof of concept. We do not recommend doing this yourself.

Bas van Kaam
Microsoft teams on citrix xenapp
Field CTO EMEA by day, community by night @ Nerdio
Father of three, IT professional, freelance/independent blogger/analyst, Co-author of the book Project Byte-Sized and author of the book: Inside Citrix – The FlexCast Management Architecture, over 400 blog posts and multiple (ultimate) cheat sheets/e-books. Public speaker, sport enthusiast­­­­­­­­: above-average runner (look me up on Strava) 3 x burpee-mile finisher and a former semiprofessional snooker player. IT community participant.

Teams is Microsoft’s new Skype and Slack-killer. But how well does it go on Citrix?

Citrix

Introduction

Citrix And Ms Teams

Oh come sweet asteroid of death. Yes, that’s exactly how I feel after digging through the mess that is the guts of Microsoft Teams.

Teams is new. Teams is everywhere. Teams is going to put a bullet in the head of Skype for Business, eat Slack’s lunch, and be the face that launched a thousand Microsoft 365 subscriptions. But for those of us who manage XenApp and XenDesktop in non-persistent environments, Teams is a hideous glimpse of an application that Microsoft is so determined to dump onto every user that it possibly can, that it simply bypasses all the norms we’ve become used to, in the same way that Chrome and DropBox both can.

Installation of Teams

Firstly, when you download the Teams MSI (or, to give it the proper name, the “Teams Machine-Wide Installer”), you don’t actually install Teams when you run it. When you run this, it creates a folder in C:Program Files (x86) called Teams Installer, and in there you will find two files only

This executable is auto-triggered at every user logon by an entry in the HKLMSoftwareWow643NodeMicrosoftWindowsCurrentVersionRun area of the Registry which is also dropped by the Machine-Wide Installer

So when any user logs on to the machine, the executable from the c:Program Files (x86)Teams Installer folder runs, which triggers some more actions, namely:-

It spits out the Teams install into the user’s local profile, rather than anywhere in system areas

A desktop shortcut is written to the user’s profile (%USERPROFILE%Desktop), with the target pointing to %LOCALAPPDATA%MicrosoftTeamsUpdate.exe –processStart “Teams.exe”

A Start Menu shortcut is written to the user’s profile (%USERPROFILE%MicrosoftWindowsStart MenuProgramsMicrosoft Corporation) which also points to %LOCALAPPDATA%MicrosoftTeamsUpdate.exe –processStart “Teams.exe” as the target

It also drops an auto-start entry into the Registry, at HKCUSoftwareMicrosoftWindowsCurrentVersionRun, which points to the same executable as above with some slightly different parameters

The install (which is around 400MB to start with, and rapidly increases) will now follow the user because it is installed fully into the user profile. So if I log on to another XenApp server – even one without the “Machine-Wide Installer” installed, Teams is still available for use.

So when we install the Teams “Machine-Wide Installer” stub, we get a) an auto-launching app for every user that impacts performance as it installs into the user profile and then launches itself, and b) half a gigabyte of files dumped into our profile management tool for each instance of it, which will only grow bigger. Is there any way we can mitigate this impact?

Dealing with Teams

Once I’d investigated the app’s behaviour a bit more, I came up with a set of things I wanted to configure:-

  1. Stop the auto-launch at every user logon – drop the shortcuts, yes, but remove the subsequent auto-run
  2. Configure Teams so once the user had “installed” it (loosest possible use of the word), that it always opens up minimized. This is to ensure that when the user logs onto another session (such as from a meeting room kiosk or something) Teams doesn’t open up full-screen and expose any information
  3. If possible, reduce the size of the profile load and allow Citrix User Profile Management to roam it successfully
  4. Address any performance issues (not surprisingly, this is a complete resource hog)
  5. Get rid of the splash screen when the application launches

So, let’s see what we managed to do. All of this was done using Citrix Virtual Apps 1811 and Citrix UPM 1811 on Windows Server 2016, fully patched.

Stopping the auto-launch

Once you’ve installed the Machine-Wide Installer on your XenApp server or gold image, run this PowerShell afterwards

(Get-Content ${ENV:ProgramFiles(x86)}’Teams Installersetup.json’).replace(‘false’,’true’) | Set-Content ${ENV:PROGRAMFILES(x86)}’Teams Installersetup.json’

This will remove the flag in the JSON file that says “noAutoStart=false” with “noAutoStart=true”. This means when the user logs in, it will create the two shortcuts, dump the install files into their profile, but it won’t then run the app afterwards and ask for login/start a sync.

Also (not related but maybe good to mention), you need to make sure IE Enhanced Security Configuration is disabled on your targets, otherwise the Teams modern authentication will fail

Open minimized

Now, once the user logs into Teams using their Office365 account, they have the option to set it to run minimized within the application options. However, for my purposes, I always want it to run minimized to the notification area. Unfortunately, there are not yet Group Policy Objects, InTune ADMX files or even Registry values that control Teams behaviour. Annoying, but not unexpected, given the dumpster fire that is the rest of the product from an admin perspective.

What holds user settings is a JSON file in %APPDATA%MicrosoftTeams called desktop-config.json. Rather than get gung-ho, the best option I could find was to edit the settings in this file at user logoff using a Group Policy logoff script (you could do it at logon as well, as long as it gets done at some point in the session then you’re good). A quick line of PowerShell will do the trick:-

(Get-Content $ENV:APPDATAMicrosoftTeamsdesktop-config.json).replace(‘”openAsHidden”:false’, ‘”openAsHidden”:true’) | Set-Content $ENV:APPDATAMicrosoftTeamsdesktop-config.json

Once this is done, a user logging in who already has the application “installed” will see it open minimized in the notification area, no matter what they configure in the GUI. Save the PowerShell as a .ps1 file and trigger it how you see fit (I chose a logoff script via GPO – pick your poison).

Reducing the bloat

Unfortunately this is a difficult matter, as everything that Teams needs to run – executables, libraries, modules, data – is all contained in the user profile. I managed to get UPM set so it only pulled about 200MB (!) instead of 400MB, but even so, that’s still awful.

Teams seems custom-designed for FSLogix, User Profile Disks, ProfileDisk or an Ivanti UWM VHD-Mount, and I’m wondering if the need to persist Teams data was a driving force in the FSLogix acquisition by Microsoft. Certainly, if you’re using one of these VHD solutions, then dealing with Teams data will be much less of a PITA.

If you are using Citrix UPM or similar, this is the best I could do without breaking the application:-

Exclusion list – files

!ctx_localappdata!MicrosoftTeams*.nupkg

Microsoft Teams Through Citrix

Exclusion list – directories

!ctx_localappdata!MicrosoftTeamsCurrentLocales
!ctx_roamingappdata!Microsoft TeamsLogs
!ctx_localappdata!SquirrelTemp
!ctx_roamingappdata!MicrosoftTeamsApplication Cache
!ctx_roamingappdata!MicrosoftTeamsCache
!ctx_localappdata!MicrosoftTeamsPackagesSquirrelTemp
!ctx_localappdata!MicrosoftTeamscurrentresourceslocales

Default exclusion list – directories – ENABLED (this is required if you are using Teams with Google Chrome)

Files to synchronize – note the first two lines here, this excludes all locales from being captured except English. If you need other locales, configure the exclusions to suit your environment.

!ctx_localappdata!MicrosoftTeamsCurrentLocalesen*.pak
!ctx_localappdata!MicrosoftTeamscurrentresourceslocaleslocale-en*
!ctx_localappdata!MicrosoftTeamscurrentresourceslocalesculture*

Also worth mentioning is that because this is (obviously) an Office 365 application, you need to roam the Office 365 licensing token correctly for the user’s logon details to persist. You can either capture this directly or use the GPO to redirect it to a different area and then grab it. There are a number of good articles on this already within the Citrix community.

Ms Teams On Citrix

Deal with performance issues

Teams is pretty atrocious performance-wise, once the user first logs in, it hammers the CPU pretty hard and will use a swathe of memory within its array of processes. From the point of view of the admin, there’s not a lot we can do without getting other tools involved. That’s why removing the “auto-install” flag is so handy, because it doesn’t start hammering the server until the user launches it for the first time. With “auto-install” on, a bunch of users logging on at the same time will bring the server to its knees. SO GET IT TURNED OFF!

Aside from that, there’s not much we can do, so using Workspace Environment Management or Ivanti Performance Manager or something similar might be a way to get it under control a bit. However – I haven’t tested doing anything like this. Once it is fully set up, it’s not as bad, but the initial launch and sync is definitely very stressful.

Remove the splash screen

I hate splash screens as a rule and like to get shot of them, waste of time and resources that they are.

Microsoft Teams And Citrix

Sadly this one appears to be here to stay. I can’t find any setting in any of the JSON files that seems to control the splash screen. If anyone finds out where it is, please let me know and I can update the article.

Summary

So if you want to use Microsoft Teams on XenApp or similar non-persistent:-

  • Install the Machine-Wide Installer
  • Turn off IE ESC for users
  • Run the PowerShell to edit the setup.json file after install
  • Configure a logon or logoff script to run it auto-hidden at logon using the PowerShell provided
  • If using UPM or similar, configure the inclusions and exclusions as listed
  • Ideally, use FSLogix or UPD or similar VHD tech to manage the profile
  • Make sure to roam the user’s Office 365 credentials
  • Pay attention to performance and address using tooling if necessary
  • Get used to the splash screen

There is another way, though – forget about the Teams application on XenApp and just use the web client until they fix the absolute mess of its behaviour and configuration. It might perform just as badly as the full-fat client, but you don’t have to drag 500MB+ around for every user. You have been warned!

Microsoft Teams Citrix Xenapp

441 total views, 441 views today





Amir Tsarfati Twitter
Deezer Hifi 24bit

Comments are closed.