Netscaler Express Gateway VPX & Web Interface

As many of you know, Web Interface is dying the true death in 2015. That doesn’t stop people from asking me to set up their netscalers in front of it.

You'd think, given how long both of these things have been around, that there would be pretty comprehensive guides on how to do this.
You’d be wrong.

If you have your netscaler in 2 arm mode this becomes even more complicated. I’ll outline the issues I went through, and how to resolve them.

The biggest issue you’ll likely face is that once you think you’ve got everything set up, you’ll log in and all will look fine: the LDAP auth will complete, but then you’ll get a 401 unauthorized error. This is coming from the internal web interface. The reason is probably that the Web Interface server can’t resolve the FQDN of the gateway. Or if it can, the name resolves to the internet-facing IP and for whatever reason (firewalls, etc.) the traffic doesn’t make its way back to you.
The way around this is to create another gateway with an internal IP, and either create a hosts file or update your internal DNS to point internally.
Check your XenApp server application event logs for any errors, the main one will probably be due to SSL certificates. Make sure your intermediate certs are in the chain, this is the most common mistake that will break things. You’ll see an error saying that you can’t establish a trusted link. Once you get all this working you’ll probably come across another poorly documented error.

You’ll now be able to see the internal web interface with the published app icons, but clicking on them won’t do anything. You’ll never get an ica file and the client won’t launch.
The reason for this is because by default when you create a new site in Web Interface it will bind the Handler Mappings to the latest version of .Net. What we need to do is bind it to .Net2. This is outlined in the following citrix support article: http://support.citrix.com/article/CTX123921
Don’t forget to set your servers to trust XML requests, as these will now be coming from your netscaler gateway.

Once you change this you should get an ica file and your client should then launch.
Congrats, you’ve now replaced your relatively simple secure gateway box with a far more complicated netscaler express gateway VPX!

 

 

PNAgent URL Value location for Receiver 3.4

For Receiver 3.4, Citrix in their infinite wisdom have taken away the ability to change the PNAgent URL Value location with a registry string value and have now stored it as a binary key inside HKCU\Software\Citrix\PNAgent "Configuration Model 000".
You can use a script to read and edit it,
http://www.remkoweijnen.nl/blog/2012/02/13/scripting-citrix-online-plugin-settings
or the citrix tool to just read it.
http://support.citrix.com/article/CTX118255

The easiest way is to set it up on a clean machine and just export the key. The easier way would have been for Citrix not to make your old GPOs that edited the registry useless.

 

 

 

Hardware Reserved RAM inside a Virtual Machine?

At a client site I came across something that I hadn’t seen before whereby Server 2008 R2 would reserve almost half of the available RAM for system devices and call it Hardware Reserved RAM.
Out of 46 Gig available, 20 was assigned to system devices of which 10 GB was assigned to a block of PCI-e ports.

[Screenshot: Windows Server 2008 System Reserved RAM]

Having never come across this before I decided to dig around a bit deeper.

Opening up the Device Manager and changing the view to be Resources by connection, it was then possible to see the different memory blocks that were allocated.

From this screenshot we can see the PCI bus has about 10GB of RAM allocated.

[Screenshot: Device Manager RAM usage]

Exactly why it’s doing this or how to fix it is something I’ve yet to work out.

This article goes into detail about how to see what’s using your memory, but doesn’t explain why this would happen on a 64bit operating system. More research is required, I’ll post back any findings.

Export a list of XenDesktop VDIs to CSV with PowerShell

Have you ever wanted to export a list of XenDesktop VDIs to CSV with PowerShell?

I wanted to do this just recently but had trouble finding the relevant info, so hopefully this helps someone out.

Make sure you have the Citrix Powershell SDK installed. The PowerShell SDK is installed by default on XenDesktop 5 Controllers.

From the Citrix Knowledge Center article Getting Started with PowerShell in XenDesktop 5

Begin a PowerShell session by clicking the blue icon on the taskbar or browsing to Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell (On 64-bit systems, this starts the 64-bit version. Either the 32-bit or 64-bit versions will work fine though.)

Type Asnp Citrix.* and press Enter. This loads the Citrix-specific PowerShell modules. (Asnp is short for Add-PSSnapin).
Run the Citrix cmdlets.
To list all of the ones available, run Get-Command -Module Citrix.*

Help might be obtained on any cmdlet by running Get-Help <cmdlet> such as Get-Help Get-BrokerDesktop (additional details might be obtained by adding on the -examples, -detailed, or -full switches)

The command you want to export a list of XenDesktop VDIs to CSV with PowerShell is as follows:

Get-BrokerDesktop -AdminAddress servername -MaxRecordCount 1000 -DesktopKind Private | Sort-Object DesktopGroupName | Export-Csv "outputfile.csv" -NoTypeInformation

Items in bold can be changed to required values.

Hope this saves you some time searching!

Troubleshoot problematic sessions using Citrix UPM

Did you know you can Troubleshoot problematic sessions using Citrix UPM?

You can! Citrix User Profile Manager keeps useful logs on lots of things, but what you may not realise is that it also keeps a log of the last servers a user successfully logged in to.
This info can be useful for troubleshooting stuck sessions and profile issues, especially when your Citrix Delivery Services Console isn’t forthcoming in showing the session that is stuck.

When you get users calling and reporting they can’t log in or are having issues with their profile, just have a look inside the user’s Citrix UPM profile at their PMCompatibility.ini file.
This will show you the last server the user logged in to, and from there you can see if their session quit properly or if there is a lock on any files in their profile on that server that stopped it unloading.

 

 

Hacking Citrix Licensing Server password files

Hacking Citrix Licensing Server password files is fairly trivial…


Open up C:\Program Files (x86)\Citrix\Licensing\LS\conf\server.xml in your editor of choice and you’ll see several entries such as

<user firstName="-N/A-" id="DOMAIN\User" lastName="-N/A-" password="(ENC-01)longencryptedstring" passwordExpired="false" privileges="admin" type="domain-admin"/>

It’s pretty easy to just add in new accounts here or change the password field of an existing account.
Delete everything in the password field between the "" and replace it with a plaintext password. (You’ll be prompted to change it, so just keep it simple.)
Change passwordExpired= to “true”
Restart the licensing service.
Log in with your account and password you created. It should ask you to change it. This new password gets encrypted and stored in place of the old plaintext one you put in.
Done!

Don’t add extra line breaks in this file or it won’t work.

Some older versions of licensing server used to leave the plaintext passwords in there, yet another reason to upgrade to 11.11.1
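
Because the file accepts a plaintext password and a passwordExpired flag, it is worth auditing it for entries left in that state. The following is an added example, not part of the original post and not Citrix code: it assumes any password value that does not start with "(ENC-" is plaintext, and the function name, the <users> wrapper and the sample accounts are constructed for illustration.

```powershell
# Added example (not Citrix code): audit License Server user entries.
# Assumption: a password value that does not start with "(ENC-" is plaintext.
function Get-LicenseServerUserAudit {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # local-name() matches <user> elements at any depth, with or without
    # an XML namespace on the real file.
    foreach ($u in $doc.SelectNodes("//*[local-name()='user']")) {
        $pw = $u.GetAttribute('password')
        New-Object PSObject -Property @{
            Id                = $u.GetAttribute('id')
            Privileges        = $u.GetAttribute('privileges')
            PasswordExpired   = ($u.GetAttribute('passwordExpired') -eq 'true')
            PlaintextPassword = ($pw.Length -gt 0 -and -not $pw.StartsWith('(ENC-'))
        }
    }
}

# Constructed sample; the <users> wrapper and both accounts are made up.
$sample = @'
<users>
  <user firstName="-N/A-" id="EXAMPLE\alice" lastName="-N/A-" password="(ENC-01)constructedstring" passwordExpired="false" privileges="admin" type="domain-admin"/>
  <user firstName="-N/A-" id="EXAMPLE\temp" lastName="-N/A-" password="Simple1" passwordExpired="true" privileges="admin" type="domain-admin"/>
</users>
'@

# Report only entries with a plaintext password or a pending forced change,
# which is the state a hand-edited account is left in until first login.
Get-LicenseServerUserAudit -XmlText $sample |
    Where-Object { $_.PlaintextPassword -or $_.PasswordExpired } |
    Select-Object Id, Privileges, PasswordExpired, PlaintextPassword

# Against a real server, pass the file contents instead of $sample:
# Get-LicenseServerUserAudit -XmlText ([IO.File]::ReadAllText($pathToServerXml))
```

Pair a check like this with tight NTFS permissions on the conf folder, since anyone who can write to the file can add an admin account.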

Citrix XenApp 6.5 Links

I’ve been doing a heap of work with a new Citrix XenApp 6.5 deployment using single sign on, here are a bunch of links that helped me get everything up and running.

[Image: Citrix XenApp 6.5 from HiMikeBrown.com]

Configure Pass-through Authentication for Citrix XenApp 6.5
http://www.virtuallyimpossible.co.uk/configure-pass-through-authentication-for-citrix-xenapp-6-5/

Citrix Profile Management and VDI – Doing it Right!
Some useful stuff about getting folder redirection working.
http://blogs.citrix.com/2012/02/11/citrix-profile-management-and-vdi-doing-it-right/
Configure URLs for online plugin
http://support.citrix.com/article/CTX112674

A Field Guide to XenApp 6.5 Session Pre-Launch
This gives a great explanation of what pre-launch is too.
http://blogs.citrix.com/2012/02/10/a-field-guide-to-xenapp-session-pre-launch/

XenApp applications won’t launch in a PVS environment with multiple network interfaces
http://www.jasonsamuel.com/2012/10/08/xenapp-applications-wont-launch-in-a-pvs-environment-with-multiple-network-interfaces/

Removing hidden or ghosted devices from a Windows virtual machine (2010145)
Useful if you’ve cloned or P2Ved a machine.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2010145

How to Set Up Session Sharing Precedence Over Load Balancing in a XenApp Farm
Useful for prelaunch and when you have non concurrent licensing.
http://support.citrix.com/article/CTX126839

Automatic creation of user folders for home, roaming profile and redirected folders
Why you would try to do this manually I don’t know.
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

Security Recommendations for Roaming User Profiles Shared Folders
http://technet.microsoft.com/en-us/library/cc757013.aspx

Load balance XML brokers through Netscaler
http://www.thegenerationv.com/2009/07/how-to-resolve-xml-black-hole-in-xenapp.html
How to fix the latency issue with load balanced XML Brokers through netscaler (TL;DR enable UDP 137 to your virtual server IP)
http://support.citrix.com/article/CTX118670

Understanding Citrix XML Broker
A good overview of how all the XML bits work
http://apttech.wordpress.com/2012/02/08/understanding-citrix-xml-broker-and-troubleshooting-one-xml-broker-issue/

How to Use the Command Line to Install the Version 11.2 Plug-in or Later
Pretty much required to get SSO working (unless you’re running the Enterprise version)
http://support.citrix.com/article/CTX123448

Why You Shouldn’t Install Citrix Receiver on Citrix XenApp
Only true if you don’t use session pre-launch!
http://www.xenappblog.com/2011/why-you-shouldnt-install-citrix-receiver-on-citrix-xenapp/

Reduce application launch time with Session Pre Launch
http://support.citrix.com/proddocs/topic/receiver-windows-34/receiver-windows-session-pre-launch.html#receiver-windows-session-pre-launch

XenApp 6/6.5 Profile Optimization
http://www.citrixirc.com/?p=99

Customize the default local user profile when preparing an image of Windows
This seems like way more of a pain in the ass than it needs to be.
http://support.microsoft.com/kb/973289

To specify a template or mandatory profile for Citrix User Profile Manager
http://support.citrix.com/proddocs/topic/user-profile-manager-5-x/upm-template-profile-t.html#upm-template-profile-t

UPMConfigCheck Tool
http://support.citrix.com/article/CTX132805