So What's This All About

The purpose of this site

I started off my career in IT 25 years ago as a COBOL Programmer in South Africa and have progressed (or some may say regressed) to consulting on virtualization technologies. I created this site to share my experiences with virtualization and cloud computing, as well as the latest virtualization news, tips, tricks and tools from other experts in the field.



Online Training

Free XenApp 7.6 Training

This free, one-hour online course provides an introduction to Citrix XenApp 7.6. Students will explore key components required in a XenApp 7.6 implementation, the FMA-based architecture, as well as key use cases.





 
Articles

XenApp/XenDesktop 7.6 Network Printing Considerations

An article by Frederic Serriere from Citrix Blogs

Printing is always a challenge in a XenApp/XenDesktop design, as so many different criteria come into consideration.

Note: I’ll use XenApp from now on, but from a printing design point of view, it does not change a lot between XenApp and XenDesktop, unless you are using RemotePC feature of XenDesktop (more on that at another time?)

On eDocs, some scenarios are covered, and one question I’m often asked by customers when working on a XenApp design relates to the location of the print server. We always say that data should be close to the XenApp server. Is the same true for the Print Server location?

Different printing design possibilities

Often, in XenApp architectures, the Print Server is located in the datacenter, close to the XenApp server. With that setup, the important piece is the RAW bandwidth sent by the print server to the actual printer. It is also worth noting the use of SMB protocol between XenApp and the Print Server:

If you add Citrix Universal Print Server component to that configuration, HTTP will replace SMB, but the critical part remains the RAW bandwidth to the remote printer:

When the Print Server (here with UPS component) is located in the branch office, the focus switches from the RAW printer data to the traffic between XenApp and the Print Server as it’s the one being sent over the wire:

The goal today is to determine what print driver language offers lower bandwidth usage, where the location of a print server is best suited, based on the kind of documents and printing technology (Microsoft print server, Citrix UPS, Citrix UPS+UPD) used.

Of course, no one only prints a single type of document, however based on statistics that you can get within your company, these tests results might assist you in your decision.

Lab configuration

I have been using Citrix UPS 7.6 (on WS2008R2 SP1, as the WS2012R2 compatible release isn’t publicly available yet) with latest hotfixes and XenApp 7.6 on WS2012R2 with latest hotfixes (including UPS 7.6 hotfixes) to connect to a published desktop. All is hosted on XenServer. The printer is a Canon iRC2030, declared as an IP printer on the UPS VM with the UFRII, PS3, PCL5e and PCL6 drivers (all release 14.02 except the PS3 driver, which is version 21.52).

Note: UFRII is a proprietary Page Description Language (PDL) developed by Canon. I recommend reviewing Canon’s website for more details about this technology.

The tests

Printers were defined as Session Printers in XenApp and three tests were performed: UPS disabled, UPS with the native driver, and UPS with the UPD driver.

Sample DOCX, XLSX, PPTX and PDF documents have been used (ShareFile link), all coming from the Citrix website. Microsoft Office 2010 and Adobe Acrobat Reader 10.1.4 were used. WireShark runs on the UPS VM to gather the amount of data sent to UPS and to the printer.

The tests performed without UPS are used as the reference, providing the bytes sent and the duration of the transmission to the endpoint (either UPS or printer). However, the duration to the printer does not include the actual print time, that is the amount of time required for the whole print job to be physically printed. Why? Because I was far from the printer when I ran my tests… :-)


 

Digging into PVS with PoolMon and WPA

An article by Nick Rintalan from Citrix Blogs

In case you missed it a couple weeks ago, Andrew Morgan (one of our CTPs), posted a great article on how to accurately determine the size of the new RAM Cache.

As Andrew pointed out in his article, we now use nonpaged pool memory, so it’s fairly easy to fire up PoolMon and investigate. But I wanted to clarify one thing since Andrew only commented on the key pooltag denoted by ‘VhdR’. (He said he reached out to Citrix for further insight, but received no response…so allow me to respond! ;) ) Andrew is spot-on that we use ‘VhdR’ for RAM cache allocation. But we also use ‘VhdL’ for internal metadata allocation, so that is the other pooltag to key on and grab for any scripting. It’s never going to be very large but I did want to point it out since it’s the other pooltag we use in case you want to incorporate it into any scripts.
 
Using WPA to Really Dig Into PVS

Working at Citrix has its benefits. One of those is being able to talk to the brilliant developers and product architects who write our code and get some “inside info.” In this case, I talked with Moso Lee, who really is the brains behind the new RAM Cache with Overflow to Disk technology (so we all have Moso to thank!)

We were talking about monitoring and debugging PVS and he quickly pointed out that we’ve always had an Event Provider for PVS (look for ‘VhdEtw.xml’ in the PVS installation directory). And if folks really want to go deep with PVS and identify performance bottlenecks, then you might consider using Windows Performance Analyzer (WPA). I’m not going to go into detail on how WPA or event tracking works, but I do want to provide a quick example on how to use this extremely powerful tool to truly understand and debug PVS. Because if you really want to understand how our PVS driver works, how we’re manipulating the storage stack or when we’re failing over and writing to the VHDX disk, for example, then this tool and article is for you! It’s certainly not for the average IT admin, but I know all the PVS geeks and filter driver gurus out there will love it.

Let’s get started.

As I mentioned earlier, PVS is an ETW provider for WPA. So, you’ll first want to grab the WPA which is part of the latest SDK for Windows 10. You can selectively install the Performance Toolkit as shown in the screenshot, which includes WPA and WPR.


 

Troubleshooting Slow Logons via PowerShell

An article by Sagnik Datta from Citrix Blogs

Guest post by Niron Koren, ControlUp CTO Team

Since we released ControlUp 4.1 we’ve received a lot of feedback regarding the Logon Duration monitoring feature.

One of the main requests was to better explain our “Logon Duration – Other” component (which included any delay not caused by Profile, GPO or the Desktop component) and provide an easy way to find the culprit for slow logons.

Based on this feedback we decided to write a PowerShell script that will enable any Citrix and Windows admin to troubleshoot a slow logon process without requiring any 3rd party tools. The same script can also be executed via the ControlUp Script-based Actions feature.

This post will describe how the script works, the major logon phases it covers, the script prerequisites and a short video showing how the script helps troubleshooting two slow logon scenarios.

Script Overview

Analyze_Logon_Duration.ps1 is a PowerShell script that displays all major sequential phases of the logon process and makes it easy to see which phase is slowing down the user logon. It is also possible to see if there is a delay between the end of one phase and the start of the next one.

Here is a screenshot of the script output showing the logon duration analysis for a user called cuupm logging on to a XenApp server:

Some notes on the script output:

  • Logon Time – based on the most recent logon event found in the Security log for the specified user (Event ID 4624 with logon type 2, 10 or 11)
  • Logon Duration – the time between the logon time and the end time of the last logon phase (in this example, 10:15:47 to 10:16:57)
  • Interim Delay – the gap between the end of the previous phase and the start of the current phase (in this example there was a delay of 1.7 seconds between the end of the Network Providers phase and the start of the Citrix Profile Management phase)
  • GP Scripts – the output shows whether Group Policy scripts were executed in synchronous or asynchronous mode

Script download link

Logon Phases

The following table summarizes the logon phases the script covers and the Windows events used for calculating the start and end time for each phase:

Logon Phase: Network Providers
  Description: A Network Provider is a DLL that is responsible for a certain type of connection protocol [1]. On each logon Winlogon notifies these Network Providers so they can collect credentials and authenticate the user for their network [2]. Citrix PnSson is a common network provider found on XenApp and XenDesktop VMs.
  Start event: Security log, Event ID 4688 (mpnotify.exe start)
  End event: Security log, Event ID 4689 (mpnotify.exe end)

Logon Phase: Citrix Profile Management
  Description: During logon, Citrix UPM copies the user’s registry entries and files from the user store to the local profile folder. If a local profile cache exists, the two sets are synchronized [3].
  Start event: Application log, Event ID 10 (User X path to the user store is …)
  End event: User Profile Service log, Event ID 1 (Received user logon notification on session X.)

Logon Phase: User Profile
  Description: During logon, the system loads the user’s profile, and then other system components configure the user’s environment according to the information in the profile [4].
  Start event: User Profile Service log, Event ID 1 (Received user logon notification on session X.)
  End event: User Profile Service log, Event ID 2 (Finished processing user logon notification on session X.)

Logon Phase: Group Policy (see also a detailed Group Policy load time script)
  Description: Enforces the domain policy and settings for the user session; with synchronous processing the user will not see their desktop at logon until user GP processing is completed [5].
  Start event: GroupPolicy log, Event ID 4001 (Starting user logon Policy processing for X.)
  End event: GroupPolicy log, Event ID 8001 (Completed user logon policy processing for X.)

Logon Phase: GP Scripts
  Description: Runs the logon scripts configured in the relevant GPOs; with synchronous logon scripts Windows Explorer does not start until the logon scripts have finished running [6].
  Start event: GroupPolicy log, Event ID 4018 (Starting Logon script for X.)
  End event: GroupPolicy log, Event ID 5018 (Completed Logon script for X.)

Logon Phase: Pre-Shell (Userinit)
  Description: Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface [7]. On RDSH sessions, Userinit.exe also executes the Appsetup [8] entries such as cmstart.exe, which in turn calls wfshell.exe.
  Start event: Security log, Event ID 4688 (userinit.exe start)
  End event: Security log, Event ID 4688 (explorer.exe start for a desktop session; icast.exe start for published apps)

Logon Phase: Shell (only available when running the script via ControlUp)
  Description: The interval between the beginning of desktop initialization and the time the desktop became available to the user; this also includes the Active Setup [9] phase.
  Start event: Security log, Event ID 4688 (explorer.exe start)
  End event: ControlUp argument “Desktop Load Time”
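The following is an added example, not the ControlUp Analyze_Logon_Duration.ps1 script and not code from the original post. It pairs the start and end events listed in the table above and, for each phase, reports the duration and the interim delay since the previous phase ended, which is the calculation the notes on the script output describe. The function names New-SampleEvent and Get-LogonPhaseDuration, the file server name fs-01, the session number and all timestamps are constructed for the example; the full operational channel names for the User Profile Service and Group Policy logs are assumed from the Windows event channels of the same name, and the events are shaped like Get-WinEvent output (LogName, Id, TimeCreated, Message) so the same function can be fed real events.

```powershell
# Added example (not the ControlUp script): logon phase durations from the event pairs in the table.
function New-SampleEvent {
    param([string]$LogName, [int]$Id, [string]$Time, [string]$Message)
    [pscustomobject]@{ LogName = $LogName; Id = $Id; TimeCreated = [datetime]$Time; Message = $Message }
}

$GpLog  = 'Microsoft-Windows-GroupPolicy/Operational'            # assumed full channel name
$UpsLog = 'Microsoft-Windows-User Profile Service/Operational'   # assumed full channel name

# Constructed logon of user 'cuupm' (the user in the post's screenshot); not a real log extract.
$SampleEvents = @(
    New-SampleEvent 'Security'    4624 '2015-08-01 10:15:47.0' 'An account was successfully logged on. Logon Type: 10 Account Name: cuupm'
    New-SampleEvent 'Security'    4688 '2015-08-01 10:15:48.2' 'New Process Name: C:\Windows\System32\mpnotify.exe'
    New-SampleEvent 'Security'    4689 '2015-08-01 10:15:50.0' 'Process Name: C:\Windows\System32\mpnotify.exe'
    New-SampleEvent 'Application' 10   '2015-08-01 10:15:51.7' 'User cuupm path to the user store is \\fs-01\profiles$\cuupm'
    New-SampleEvent $UpsLog       1    '2015-08-01 10:16:05.0' 'Received user logon notification on session 3.'
    New-SampleEvent $UpsLog       2    '2015-08-01 10:16:07.5' 'Finished processing user logon notification on session 3.'
    New-SampleEvent $GpLog        4001 '2015-08-01 10:16:08.0' 'Starting user logon Policy processing for CTXLAB\cuupm.'
    New-SampleEvent $GpLog        8001 '2015-08-01 10:16:40.0' 'Completed user logon policy processing for CTXLAB\cuupm in 32 seconds.'
    New-SampleEvent $GpLog        4018 '2015-08-01 10:16:41.0' 'Starting Logon script for CTXLAB\cuupm.'
    New-SampleEvent $GpLog        5018 '2015-08-01 10:16:50.0' 'Completed Logon script for CTXLAB\cuupm.'
    New-SampleEvent 'Security'    4688 '2015-08-01 10:16:50.5' 'New Process Name: C:\Windows\System32\userinit.exe'
    New-SampleEvent 'Security'    4688 '2015-08-01 10:16:57.0' 'New Process Name: C:\Windows\explorer.exe'
)

# Start/End matchers per phase, straight from the table (Shell needs ControlUp data and is left out).
$Phases = @(
    @{ Name  = 'Network Providers'
       Start = { param($e) $e.LogName -eq 'Security' -and $e.Id -eq 4688 -and $e.Message -match 'mpnotify\.exe' }
       End   = { param($e) $e.LogName -eq 'Security' -and $e.Id -eq 4689 -and $e.Message -match 'mpnotify\.exe' } }
    @{ Name  = 'Citrix Profile Management'
       Start = { param($e) $e.LogName -eq 'Application' -and $e.Id -eq 10 -and $e.Message -match 'path to the user store' }
       End   = { param($e) $e.LogName -eq $UpsLog -and $e.Id -eq 1 } }
    @{ Name  = 'User Profile'
       Start = { param($e) $e.LogName -eq $UpsLog -and $e.Id -eq 1 }
       End   = { param($e) $e.LogName -eq $UpsLog -and $e.Id -eq 2 } }
    @{ Name  = 'Group Policy'
       Start = { param($e) $e.LogName -eq $GpLog -and $e.Id -eq 4001 }
       End   = { param($e) $e.LogName -eq $GpLog -and $e.Id -eq 8001 } }
    @{ Name  = 'GP Scripts'
       Start = { param($e) $e.LogName -eq $GpLog -and $e.Id -eq 4018 }
       End   = { param($e) $e.LogName -eq $GpLog -and $e.Id -eq 5018 } }
    @{ Name  = 'Pre-Shell (Userinit)'
       Start = { param($e) $e.LogName -eq 'Security' -and $e.Id -eq 4688 -and $e.Message -match 'userinit\.exe' }
       End   = { param($e) $e.LogName -eq 'Security' -and $e.Id -eq 4688 -and $e.Message -match '(explorer|icast)\.exe' } }
)

function Get-LogonPhaseDuration {
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][string]$UserName)

    # Logon Time: the most recent 4624 for this user with logon type 2, 10 or 11.
    $user  = [regex]::Escape($UserName)
    $logon = $Events | Where-Object {
                 $_.LogName -eq 'Security' -and $_.Id -eq 4624 -and
                 $_.Message -match "Logon Type:\s+(2|10|11)\b" -and $_.Message -match "Account Name:\s+$user\b"
             } | Sort-Object TimeCreated -Descending | Select-Object -First 1
    if (-not $logon) { throw "No interactive logon (4624, type 2/10/11) found for $UserName" }

    $after       = @($Events | Where-Object { $_.TimeCreated -ge $logon.TimeCreated } | Sort-Object TimeCreated)
    $previousEnd = $logon.TimeCreated
    $rows = foreach ($p in $Phases) {
        $s = $after | Where-Object { & $p.Start $_ } | Select-Object -First 1
        if (-not $s) { continue }                       # phase did not run (e.g. no logon scripts configured)
        $e = $after | Where-Object { $_.TimeCreated -ge $s.TimeCreated -and (& $p.End $_) } | Select-Object -First 1
        if (-not $e) { continue }                       # start seen but no end: phase still running or event missing
        [pscustomobject]@{
            Phase           = $p.Name
            Start           = $s.TimeCreated.ToString('HH:mm:ss.f')
            End             = $e.TimeCreated.ToString('HH:mm:ss.f')
            DurationSec     = [math]::Round(($e.TimeCreated - $s.TimeCreated).TotalSeconds, 1)
            InterimDelaySec = [math]::Round(($s.TimeCreated - $previousEnd).TotalSeconds, 1)   # gap since previous phase ended
        }
        $previousEnd = $e.TimeCreated
    }
    [pscustomobject]@{
        User             = $UserName
        LogonTime        = $logon.TimeCreated
        LogonDurationSec = [math]::Round(($previousEnd - $logon.TimeCreated).TotalSeconds, 1)
        Phases           = @($rows)
    }
}

$report = Get-LogonPhaseDuration -Events $SampleEvents -UserName 'cuupm'
"Logon at $($report.LogonTime.ToString('HH:mm:ss')), total $($report.LogonDurationSec) s"
$report.Phases | Format-Table -AutoSize
# On a real server, replace $SampleEvents with the last hour of the four logs, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security','Application',$GpLog,$UpsLog; StartTime = (Get-Date).AddHours(-1) }
```

With the constructed events the report reproduces the two numbers quoted in the notes above: a 1.7 second interim delay between the end of the Network Providers phase (10:15:50.0) and the start of Citrix Profile Management (10:15:51.7), and a 70 second logon duration from the 4624 event at 10:15:47 to the explorer.exe start at 10:16:57. Process-tracking auditing (the prerequisite listed below) must be on, otherwise the 4688/4689 events that delimit the Network Providers and Pre-Shell phases are never written and those rows are skipped rather than reported with wrong values.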

 

Script Prerequisites

The following are the script prerequisites:

  • Enable the auditing of process tracking via GPO or local security policy (secpol.msc) on all relevant computers. This is required since some of the phases start and end events are determined by the creation or termination of a specific process.

     

Automating Citrix PVS Image Creation with MDT

An article by Trond Eirik Haavarstein from xenappblog

PVS and MCS are designed for delivery of the gold image, they are not a replacement for automating the creation of that image. What’s going to happen in those environments where the gold image has been built manually and it either needs to be recreated or the delivery mechanism needs to be changed? That manual image has become a black box that will be difficult to reverse engineer.

Aaron Parker

My Automation Framework 3.0 was released last week, but unfortunately it doesn’t have support for Windows 10. The reason is that Microsoft has not yet released Microsoft Deployment Toolkit 2013 Update 1 (ETA August 2015), which will fully support Windows 10 deployments.

Now, while I wait for that I have some time to test the upcoming Citrix Provisioning Services 7.7 Tech Preview and Base Image Script Framework (BIS-F).

I was tipped about BISF at Citrix Synergy / E2EVC 2015 by Jonathan Pitre, who is a customer and a big fan of the Automation Framework.

Like the amazing App-V Scheduler replaced my custom App-V PowerShell script, I wanted to support BISF in my Automation Framework because it’s way more powerful, feature rich and has much better logging. Let’s get started!

First off, there’s a big bug with licensing, so you need to install the Citrix Licensing Server on the Citrix Provisioning Server 7.7 itself. Thanks to Carl Webster for pointing that out.

Citrix PVS Server

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "Provisioning Services"
$PackageName = "PVS_Server_x64"
$InstallerType = "exe"
$Version = "7.7"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $PackageName $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
# InstallShield wrapper: /s silences the wrapper, /v"..." passes the switches through to the MSI
$UnattendedArgs = '/s /v"/qn"'

Start-Transcript $LogPS

# Installers are kept under <script folder>\7.7\Server and <script folder>\7.7\Console
CD "$Version\Server"

Write-Verbose "Starting Installation of $Vendor $Product $PackageName $Version" -Verbose
(Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -PassThru).ExitCode

CD ..
CD Console

(Start-Process "PVS_Console_x64.exe" $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

Citrix PVS Target Device

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "Provisioning Services"
$PackageName = "PVS_Device_x64"
$InstallerType = "exe"
$Version = "7.7"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $PackageName $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
# Double-quoted so that $LogApp expands; the inner quotes of the /v"..." block are escaped with backticks
$UnattendedArgs = "/S /v`"/qn ALLUSERS=TRUE REBOOT=SUPPRESS /l* $LogApp`""

Start-Transcript $LogPS

# Installer is kept under <script folder>\7.7\Device
CD "$Version\Device"

Write-Verbose "Starting Installation of $Vendor $Product $PackageName $Version" -Verbose
(Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

Citrix XenConvert

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "XenConvert"
$PackageName = "Citrix_XenConvert_x64"
$InstallerType = "msi"
$Version = "2.5"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $PackageName $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
# Chocolatey repository path used by the Automation Framework (not referenced further in this block)
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$PackageName.$InstallerType"
$UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp"

Start-Transcript $LogPS

# Installer is kept under <script folder>\2.5
CD "$Version"

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
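The three install wrappers above all follow the same pattern: change into the media folder, start the installer, and print the exit code. What follows is an added example, not part of the Automation Framework or of the original post, that wraps the same Start-Process call in one function which refuses to run an installer whose SHA256 does not match the value recorded when the media was downloaded (so a swapped or corrupted binary on the deployment share is never executed) and which acts on the exit code instead of only printing it. The function name Install-VerifiedPackage, the media path in the usage line and the hash placeholder are assumptions; Get-FileHash ships with PowerShell 4.0 on Windows Server 2012 R2.

```powershell
# Added example (not the Automation Framework's code): hash-checked, exit-code-aware install wrapper.
function Install-VerifiedPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,            # full path to the .exe or .msi
        [Parameter(Mandatory)][string]$ExpectedSha256,  # hash recorded when the media was downloaded
        [string]$Arguments = '',                        # unattended switches (exe) or extra MSI properties
        [string]$LogPath                                # MSI log; defaults to %SystemRoot%\Temp\<name>.log
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }
    if (-not $LogPath) {
        $LogPath = Join-Path $env:SystemRoot "Temp\$([IO.Path]::GetFileNameWithoutExtension($Path)).log"
    }

    # Fail closed on any mismatch: a binary that is not the one you downloaded is never started.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA256 mismatch for $Path (expected $ExpectedSha256, got $actual); refusing to install"
    }
    Write-Verbose "SHA256 verified for $Path"

    if ([IO.Path]::GetExtension($Path) -eq '.msi') {
        # MSI: always quiet, always with a verbose log so a failure can be diagnosed afterwards
        $proc = Start-Process msiexec.exe -ArgumentList "/i `"$Path`" $Arguments /qn /l*v `"$LogPath`"" -Wait -PassThru
    } else {
        # EXE: pass the switches through unchanged; Start-Process rejects an empty -ArgumentList, so splat it
        $sp = @{ FilePath = $Path; Wait = $true; PassThru = $true }
        if ($Arguments) { $sp.ArgumentList = $Arguments }
        $proc = Start-Process @sp
    }

    switch ($proc.ExitCode) {
        0       { Write-Verbose "$Path installed successfully" }
        3010    { Write-Warning "$Path installed but needs a reboot (exit code 3010)" }
        default { throw "$Path failed with exit code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Usage with the PVS 7.7 server installer from the block above. The hash is a placeholder to replace
# with the value from your own download; the media path under the script folder is an assumption.
Install-VerifiedPackage -Path "$PSScriptRoot\7.7\Server\PVS_Server_x64.exe" `
    -ExpectedSha256 '<SHA256-OF-PVS_Server_x64.exe>' -Arguments '/s /v"/qn"' -Verbose
```

Because the function throws on a hash mismatch or a non-zero, non-3010 exit code, an MDT task sequence or transcript-wrapped script stops at the failing package instead of continuing to the next install with a half-deployed image, which is the failure mode the plain `.ExitCode` output above cannot prevent.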

BIFS

There’s currently a bug in BISF that looks for XenConvert.exe in the Provisioning Services folder. Until this is fixed, simply copy the exe to that folder.

If you’re using the Windows 8 and Server 2012 Optimization Guide script you need to re-enable some services required by XenConvert.

[Screenshot: Automating Citrix PVS Image Creation with MDT 07]

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Misc"
$Product = "BISF"
$PackageName = "setup"
$Version = "5.0.1"
$InstallerType = "exe"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
# Chocolatey repository path used by the Automation Framework (not referenced further in this block)
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$PackageName.$InstallerType"
$UnattendedArgs = '/install /quiet /norestart'

Start-Transcript $LogPS

# Installer is kept under <script folder>\5.0.1
CD "$Version"

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
#(Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose
# Format the second disk (E:) as NTFS without prompting
Format-Volume -DriveLetter E -FileSystem NTFS -NewFileSystemLabel "SYSTEM" -Confirm:$false
# Workaround for the BISF bug mentioned above: it expects XenConvert.exe in the Provisioning Services folder
Copy-Item "C:\Program Files\Citrix\XenConvert\XenConvert.exe" -Destination "C:\Program Files\Citrix\Provisioning Services\XenConvert.exe"
Copy-Item "$PSScriptRoot\*" -Destination C:\Scripts -Recurse
# Re-enable the Volume Shadow Copy services that the optimization guide disables; XenConvert needs them
sc.exe config vss start= auto
cmd.exe /c "net start vss"
sc.exe config swprv start= auto
cmd.exe /c "net start swprv"

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

Edit PrepareBaseImage.cmd to configure silent mode.

PushD "%~dp0"
mode con: cols=190 lines=60
echo initialize script environment... please wait
SET Files.PT=%~dp0BISF_SCRIPTS\
Powershell.exe -command "set-executionpolicy RemoteSigned" >NUL

REM Powershell.exe -file "%Files.PT%10_XA_MAIN_PrepBISF.ps1" -SuppressPndReboot
REM Example for CLI silent mode: every prompt is answered on the command line
Powershell.exe -file "%Files.PT%10_XA_MAIN_PrepBISF.ps1" -SuppressPndReboot -sDelete NO -defrag NO -AVFullScan NO -OSrearm NO -OFrearm NO -CtxPvd NO -CCleaner YES -VIEScan NO -RstPerfCnt YES
PopD

You also need to specify the path to your PVS Write Cache Disk. I prefer using Group Policy, simply set and forget.

[Screenshot: Automating Citrix PVS Image Creation with MDT 08]

Microsoft Deployment Toolkit Configuration

Now run a command line with Administrator permissions, as per the BISF documentation.

[Screenshot: Automating Citrix PVS Image Creation with MDT 05]

Automating Citrix PVS Image Creation

For VMware select to Boot to BIOS.

[Screenshot: Automating Citrix PVS Image Creation with MDT 02]

Set the Boot Order to 1st CD-Rom and 2nd to Network Boot.

[Screenshot: Automating Citrix PVS Image Creation with MDT 03]

Grab the MAC address and add it to PVS.

[Screenshot: Automating Citrix PVS Image Creation with MDT 09]

Make sure it’s set to Boot from Hard Disk.

[Screenshot: Automating Citrix PVS Image Creation with MDT 10]

Start the VM on the MDT Boot Image and select your Task Sequence.

[Screenshot: Automating Citrix PVS Image Creation with MDT 06]

After the deployment starts you need to change the ISO from the MDT Boot Image to your Citrix Provisioning Services BDM image.

If you’re using PXE boot I guess you don’t need to do anything, but this hasn’t been tested in my lab.

I prefer to use BDM instead of interfering with other PXE services.

[Screenshot: Automating Citrix PVS Image Creation with MDT 01]

You can automate it even more by adding the MAC address to CustomSettings.ini:

[Settings]
Priority=MACAddress, ByVM, UUID, Default

[00:0C:29:FD:AF:DC]
SkipTaskSequence=YES
SkipComputerName=YES
TaskSequenceID=WS2012-045
SkipFinalSummary=YES
FinishAction=SHUTDOWN

That’s it.

 

System Test Automation at Citrix

An article by Chris Shepherd from Citrix Blogs

We automate for a reason.

At Citrix we seek to automate both the provisioning of complex product deployments and the execution of system and interoperability tests on those deployments. Automated provisioning of Citrix products preserves test engineer time for actual testing as opposed to routine set-up. Automated test execution allows routine regression testing to be done early and often. Both are valuable. Both help us achieve our goals of:

  • increasing product quality (through early, frequent and cheap regression testing, which in turn allows precious and valuable human effort to be directed towards more high-value testing)
  • increasing efficiency (by reducing the time and effort to get valuable quality feedback to engineers)

Over the years we have identified a number of critical success factors for this kind of test automation:

Accessibility

Automation capabilities or services must be self-service and available on-demand, via both GUI and API. This promotes take-up of automation services – we do not want to build expensive automation assets that nobody uses, or that only a handful of people in the test team use. Every engineer should have easy access to these productivity tools so that they can test their code or system integrations early and often.

Trustworthiness

Engineers will only use automation if they trust it to work. Engineers need repeatable test or repro deployments that are verified as working.

Reliability

Engineers will only use automation if it is reliable, highly-available and fault-tolerant.

Extensibility

If our automation assets are to remain useful then the ability for engineers to rapidly adapt them or extend them is key. The architecture of our automation and the APIs it offers are of paramount importance.

Case Study – Resiliency in Citrix Automated Hypervisor Provisioning

XenRT is a system widely used within Citrix for automated provisioning of hypervisors, VMs and CloudPlatform instances on internal hardware infrastructure. It has a GUI and rich APIs (accessibility and extensibility), it self-tests the deployments it makes (trustworthiness) and is architected for reliability.

The core of XenRT is a scheduler that maps job requests (think “Give me a XenServer 6.5 pool and a bunch of Windows VM’s”) onto available lab hardware. It books that hardware out, provisions the requested deployment onto the bare metal and passes the access details back to the requestor. It also allows the user to browse a huge library of automated test cases for Citrix products, and to select and run them. These valuable services, used by developers and testers alike, depend on the availability of physical machines. XenRT has hardware in three different geos, most of it split between a lab on the west-coast US and a lab in the UK. The user is abstracted from this hardware – he or she submits a job request, XenRT takes care of the rest. XenRT is a very widely used system – it recently ran its one millionth test job.


 

The Complete Guide to Citrix Session Recording

An article by Trond Eirik Haavarstein from xenappblog

With this week’s release of Feature Pack 2 for Citrix XenApp and XenDesktop 7.6 also comes Citrix Session Recording 7.6.100.

This piece of software was the missing part of my upcoming release of Automation Framework 3.0, so I went on a mission to get it automated.

I immediately stumbled upon this blog post from Citrix Virtualization SE Georg Kuruvilla, and as he says “the installation process was a little tedious“!

Add missing eDoc information to the mix and you get the picture. Let’s get started!

Session Recording Player

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "Session Recording Player"
$PackageName = "SessionRecordingPlayer"
$Version = "7.6.100"
$InstallerType = "msi"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp"

Start-Transcript $LogPS

# Installer is kept under <script folder>\7.6.100\Player
CD "$Version\Player"

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

Session Recording Agent

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "Session Recording Agent"
$PackageName = "SessionRecordingAgentx64"
$Version = "7.6.100"
$InstallerType = "msi"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
# The agent is pointed at the Session Recording server over HTTPS at install time
$UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 sessionrecordingservername=csr-01.ctxlab.vmw sessionrecordingbrokerprotocol=https sessionrecordingbrokerport=443 /qn /liewa $LogApp"

Start-Transcript $LogPS

# The agent needs Message Queuing with HTTP support
Write-Verbose "Installing Prerequisites" -Verbose
Install-WindowsFeature -Name MSMQ
Install-WindowsFeature -Name MSMQ-HTTP-Support

# Installer is kept under <script folder>\7.6.100\Agent
CD "$Version\Agent"

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

Session Recording Administration

#1 Install Windows Features

powershell.exe Add-WindowsFeature Web-Windows-Auth,Web-Asp-Net,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Lgcy-Scripting,Web-Lgcy-Mgmt-Console,MSMQ,MSMQ-HTTP-Support,Web-Asp-Net45

#2 Download Microsoft SQL Server Express 2014

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$url = "http://download.microsoft.com/download/E/A/E/EAE6F7FC-767A-4038-A954-49B8B05D04EB/ExpressAndTools%2064BIT/SQLEXPRWT_x64_ENU.exe"
$output = "$PSScriptRoot\SQLEXPRWT_x64_ENU.exe"

$Vendor = "Microsoft"
$Product = "SQL Server Express"
$Version = "2014"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"

Start-Transcript $LogPS

Write-Verbose "Start Downloading $Vendor $Product $Version" -Verbose

$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
# Equivalent one-liner: (New-Object System.Net.WebClient).DownloadFile($url, $output)

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

#3 Install Microsoft SQL Express 2014

@echo off
REM Batch Wrapper for MDT, Standalone and Chocolatey Installation - (C)2015 xenappblog.com
setlocal

pushd %~dp0

SET AppName=Microsoft SQL Server Express 2014
SET Version=2014

REM Unattended setup switches for SQL Server Express
SET OPTIONS=/Q
SET OPTIONS=%OPTIONS% /ACTION=Install
SET OPTIONS=%OPTIONS% /FEATURES=SQL,SSMS
SET OPTIONS=%OPTIONS% /INSTANCENAME=SQLEXPRESS
SET OPTIONS=%OPTIONS% /SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
SET OPTIONS=%OPTIONS% /SQLSYSADMINACCOUNTS="CTXLAB\Administrator" "BUILTIN\Administrators"
SET OPTIONS=%OPTIONS% /AGTSVCACCOUNT="NT AUTHORITY\Network Service"
SET OPTIONS=%OPTIONS% /IACCEPTSQLSERVERLICENSETERMS
SET OPTIONS=%OPTIONS% /BROWSERSVCSTARTUPTYPE="Automatic"

cls
echo.
echo Installing %AppName%
echo.

cd %Version%
start /wait SQLEXPRWT_x64_ENU.exe %OPTIONS%

popd
endlocal

#4 Import and Bind SSL Certificate

Install-WindowsFeature -Name Web-Server -IncludeManagementTools
Copy-Item '\\mdt-01\mdtproduction$\Applications\Scripts\wildcard.pfx' -Destination C:\Windows\Temp\wildcard.pfx

Import-Module WebAdministration
$PFXPath = "C:\Windows\Temp\wildcard.pfx"
$PFXPassword = "Password"
$strThumb = "656D9BCE52970C48E235B5C071861f546A7ADBA8"

# Import the wildcard certificate (with private key) into the local machine store
certutil -f -importpfx -p $PFXPassword $PFXPath

# Remove the PFX once it has been imported
Remove-Item C:\Windows\Temp\*.pfx -Force

# Create the HTTPS binding and attach the certificate by thumbprint
Push-Location IIS:
cd SslBindings
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
Get-Item cert:\LocalMachine\MY\$strThumb | New-Item 0.0.0.0!443
Pop-Location

Get all the details in the post Securing Citrix X1 StoreFront with Powershell.
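As an added example, not code from the original post or from the StoreFront post it links, here is the same import-and-bind step written so that the PFX password is read at run time instead of being a literal in the script, the PFX is removed even if the import fails, and the binding is only created when the imported certificate actually has its private key and is not about to expire. The share path and site name are placeholders; Import-PfxCertificate comes from the PKI module shipped with Windows Server 2012 and later and replaces the certutil call above.

```powershell
# Added example (not the post's script): fail-closed certificate import and HTTPS binding.
Import-Module WebAdministration
Import-Module PKI

$pfxSource = '\\mdt-01\mdtproduction$\Applications\Scripts\wildcard.pfx'   # placeholder share path
$pfxLocal  = Join-Path $env:SystemRoot 'Temp\wildcard.pfx'
$pfxSecret = Read-Host -Prompt 'PFX password' -AsSecureString           # prompt (or a vault), never a literal

Copy-Item -LiteralPath $pfxSource -Destination $pfxLocal
try {
    $cert = Import-PfxCertificate -FilePath $pfxLocal -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxSecret
} finally {
    Remove-Item -LiteralPath $pfxLocal -Force -ErrorAction SilentlyContinue   # never leave the key bundle in Temp
}

# Fail closed: a certificate without its private key, or one expiring within 30 days, must not be bound.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) was imported without a private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate $($cert.Thumbprint) expires $($cert.NotAfter); renew it first" }

$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -IPAddress '*' -Port 443 -Protocol https
}

# Replace whatever certificate is currently bound to 0.0.0.0:443 with the one just imported.
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert | Out-Null

# Verify that IIS reports the thumbprint we expect before declaring success.
$bound = (Get-Item $sslBinding).Thumbprint
if ($bound -ne $cert.Thumbprint) { throw "Binding shows $bound, expected $($cert.Thumbprint)" }
"HTTPS on port 443 bound to $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
```

The thumbprint no longer has to be hardcoded, because the object returned by Import-PfxCertificate is what gets bound; the final comparison is there so that a stale binding left from a previous run is caught rather than silently kept.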

#5 Install Session Recording Administration

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "Session Recording Administration"
$PackageName = "SessionRecordingAdministrationx64"
$Version = "7.6.100"
$InstallerType = "msi"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$LogApp2 = "${env:SystemRoot}" + "\Temp\BrokerPSSnapIn.log"
# Chocolatey repository path used by the Automation Framework (not referenced further in this block)
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$PackageName.$InstallerType"
# Database properties point at the local SQL Express instance installed in step #3
$UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 DATABASEINSTANCE=.\SQLEXPRESS DATABASEUSER=localhost DATABASECREATERUSERNAME=CTXLAB\ADMINISTRATOR DATABASECREATERPWD=Brasil2015 ADDLOCAL=PolicyConsole,SsRecServer,StorageDatabase,RequiredResources /qb /liewa $LogApp"
$UnattendedArgs2 = "/i Broker_PowerShellSnapIn_x64.msi /qn /liewa $LogApp2"

Start-Transcript $LogPS

# Installers are kept under <script folder>\7.6.100\Administration
CD "$Version\Administration"

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
# The Broker PowerShell SnapIn is a prerequisite, so it goes first
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs2 -Wait -PassThru).ExitCode
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -PassThru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

The rest is straightforward. Since the certificate is already installed, you just need to select it.

[Screenshot: Citrix Session Recording 02]

[Screenshot: Citrix Session Recording 03]

Set Citrix Session Recording Player permissions.

[Screenshot: Citrix Session Recording 04]

Set the policy you prefer.

[Screenshot: Citrix Session Recording 05]

Test it out.

[Screenshot: Citrix Session Recording 06]

I think the best option is to use the “Do not record” policy and enable recording through Citrix Director when needed. Run this command to configure Director integration.

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configsessionrecording

[Screenshot: Citrix Session Recording 07]

Citrix Session Recording is super helpful and if you’re licensed you should get it implemented during your next maintenance window.

 

What’s New in StoreFront 3.0

An article by Feng Huang from Citrix Blogs

StoreFront 3.0 has just been released. By now, hopefully you have learned that the headline feature for this release is to provide the unified user experience across all receivers and improve customizability.

If you would like to learn more about this, please refer to Richard’s blog articles here.

But back to the release! Today I would like to call out all the other new features available in StoreFront 3.0.

Please note that you have to import the StoreFront PowerShell modules before you can run any PowerShell commands described in this article. The following code snippet does this for you:

$dsInstallProp = Get-ItemProperty -Path HKLM:\SOFTWARE\Citrix\DeliveryServicesManagement -Name InstallDir
$dsInstallDir = $dsInstallProp.InstallDir
& $dsInstallDir\..\Scripts\ImportModules.ps1

Classic Receiver Experience

In order to help you smooth the transition to the new unified Receiver experience, StoreFront 3.0 continues to support the existing green bubble UI (referred to as the classic Receiver experience). This enables you to take advantage of all the new features immediately, and upgrade the user experience when your users are ready.

If you perform an in-place upgrade from StoreFront 2.x to 3.0, the UI for the existing Receiver for Web sites will remain as the classic green bubble UI. When you create new Receiver for Web sites after the upgrade or a fresh installation, users will see the new unified UI.

You can enable the new unified UI for an upgraded site using the StoreFront Administration Console by selecting the Disable Classic Receiver Experience action in the right pane for your selected Receiver for Web site.

The above action alone will only enable the unified UI for your web users. In order to enable the unified experience for your users with latest native Receivers (such as Receiver for Windows 4.3 and Receiver for Mac 12.0), you also need to configure the Store.

  1. Select the Stores node from the left pane
  2. Select the Store you would like to configure in the middle pane
  3. Select the Set Unified Experience as Default action in the right pane
  4. Select Set the unified Receiver experience as the default for this store in the pop up dialog
  5. Select the Receiver for Web site to use for the native Receivers from the drop down list
  6. Select OK

 

Google Chrome Support without NPAPI

Google Chrome on Windows and Mac is fully supported without NPAPI out of the box in StoreFront 3.0. To take advantage of this, you have to upgrade both StoreFront and Receivers. Receiver for Windows 4.3 and Receiver for Mac 12.0 support this new technology. You can learn more details about the technology and user experience from my previous blog article here.

No More Editing of Hosts File

Previously, as stated here, Citrix recommended that you modify the hosts file on your StoreFront servers to ensure that Receiver for Web always talks to the local StoreFront server instead of the load balancer. In StoreFront 3.0, we leverage a new feature in the .NET Framework 4.5 to implement loopback communication between Receiver for Web and the rest of the StoreFront Services. This is configurable using the PowerShell cmdlet Set-DSLoopback, whose syntax is

Set-DSLoopback [-SiteId] <Int64> [-VirtualPath] <String> `
[-Loopback] <String> [[-LoopbackPortUsingHttp] <Int32>]

The valid values for Loopback are:

  • On – This is the default value for new Receiver for Web sites. Receiver for Web uses the scheme (HTTPS or HTTP) and port number from the base URL but replaces the host part with the loopback IP address to communicate with StoreFront Services. This works for a single-server deployment and for deployments with a non-SSL-terminating load balancer.
  • OnUsingHttp – Receiver for Web uses HTTP and the loopback IP address to communicate with StoreFront Services. If you are using an SSL-terminating load balancer, you should select this value. You have to also specify the HTTP port if it is not the default port 80.
  • Off – This turns off loopback and Receiver for Web uses the StoreFront base URL to communicate with StoreFront Services. If you perform an in-place upgrade this is the default value to avoid disruption to your existing deployment.

For example, if you are using an SSL-terminating load balancer, your IIS is configured to use port 81 for HTTP and the path of your Receiver for Web site is /Citrix/StoreWeb, you can run the following command to configure the Receiver for Web site:
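The command that paragraph leads up to sits behind the Read More link, so here is an added example (not part of the original article) that imports the StoreFront modules as shown above and applies the stated scenario: SSL-terminating load balancer, IIS listening for HTTP on port 81, site path /Citrix/StoreWeb. The IIS site id of 1 (Default Web Site) and the use of Get-DSLoopback to read the setting back are assumptions.

```powershell
# Added example: configure StoreFront 3.0 loopback for a Receiver for Web site.
# Run in an elevated PowerShell session on the StoreFront server.
# Assumptions: IIS site id 1 (Default Web Site); Get-DSLoopback exists alongside
# Set-DSLoopback for reading the current value back.

# Import the StoreFront PowerShell modules (same snippet as in the article).
$dsInstallProp = Get-ItemProperty -Path HKLM:\SOFTWARE\Citrix\DeliveryServicesManagement -Name InstallDir
$dsInstallDir  = $dsInstallProp.InstallDir
& $dsInstallDir\..\Scripts\ImportModules.ps1

function Set-RfwLoopback {
    param(
        [Parameter(Mandatory)] [string] $VirtualPath,   # e.g. /Citrix/StoreWeb
        [switch] $SslTerminatingLoadBalancer,           # LB decrypts and talks HTTP to StoreFront
        [int]    $HttpPort = 80,                        # IIS HTTP binding port
        [long]   $SiteId   = 1                          # assumption: Default Web Site
    )
    if ($SslTerminatingLoadBalancer) {
        # The LB strips TLS, so the HTTPS scheme of the base URL does not match the
        # local IIS binding; talk plain HTTP to the loopback address instead.
        Set-DSLoopback -SiteId $SiteId -VirtualPath $VirtualPath `
            -Loopback OnUsingHttp -LoopbackPortUsingHttp $HttpPort
    } else {
        # Single server or non-SSL-terminating LB: keep the base URL scheme and port.
        Set-DSLoopback -SiteId $SiteId -VirtualPath $VirtualPath -Loopback On
    }
    # Read the setting back so the change is verified rather than assumed.
    Get-DSLoopback -SiteId $SiteId -VirtualPath $VirtualPath
}

# The article's scenario: SSL-terminating LB, IIS HTTP on port 81, site /Citrix/StoreWeb.
Set-RfwLoopback -VirtualPath '/Citrix/StoreWeb' -SslTerminatingLoadBalancer -HttpPort 81
```

With Loopback left at Off after an in-place upgrade, Receiver for Web still goes out through the load balancer, which is exactly the case the hosts-file workaround used to cover.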

 

Read More

 

A Review of XenApp 6.5 Scalability

An article by James Denne from Citrix Blogs

As a Technical Relationship Manager, I spend a lot of time researching the more complex questions asked by customers that do not fit into the traditional Break-Fix reactive support model. One that I was asked recently sparked a good bit of thought, research and a debate within the TRM Team at Citrix and I wanted to share my findings.

The customer question was: What is Citrix’s recommendation for the maximum number of servers, users etc for a XenApp 6.5 Farm?

There are some published documents that discuss XenApp 6.5 Farm scalability which you can read here:

Planning Server Functions: http://support.citrix.com/proddocs/topic/xenapp65-planning/ps-planning-infrastructure-servers-v2.html

XenApp 6.5 Enterprise Scalable XenApp 6.5 Deployments: http://support.citrix.com/article/CTX131102

Speeding up Farm Deployments with XenApp 6.5 – Part 3: http://blogs.citrix.com/2011/09/23/speeding-up-farm-deployments-with-xenapp-6-5-part-3/

Pedal to the Metal: Bare Metal Scaling of XenApp 6.5 Hosted Shared Desktops: http://blogs.citrix.com/2013/03/28/pedal-to-the-metal-bare-metal-scaling-of-xenapp-6-5-hosted-shared-desktops/

After reading these documents I drew these conclusions:

  1. The largest XenApp 6.5 deployment we have tested internally was 1000 servers in a single Farm.
  2. Memory consumption of the IMA Service on the Zone Data Collector is going to be a critical bottleneck as Farm size increases.
  3. It is the fine detail of how the Farm has been deployed and how it is used that will determine overall scalability.

GENERAL FARM LIMITS

Zones

We recommend no more than 5 zones per Farm due to the mesh network nature of Zone Data Collector communications – adding zones exponentially increases the network chatter and bandwidth required to maintain inter-zone communications. I wrote about this a couple of years ago here: http://blogs.citrix.com/2012/11/26/some-xenapp-6-5-zdc-replication-calculations/.

 

Read More

 

Bulletproof Guide to Citrix Receiver Start Menu Integration

An article by Trond Eirik Haavarstein from xenappblog

In this post I’m going to show you how to setup Citrix Receiver Start Menu Integration and troubleshoot in case it doesn’t work.

First off, to get this working you NEED to use HTTPS. Check out my previous posts Securing Citrix X1 StoreFront with Powershell and Citrix StoreFront Complete Automation.

I’m using Citrix Receiver 4.3 TP and Citrix Storefront 3.0 TP. Let’s install Citrix Receiver using the following Powershell code:

Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

$Vendor = "Citrix"
$Product = "Receiver"
$PackageName = "CitrixReceiver4.3TP"
$InstallerType = "exe"
$Version = "4.3TP"
# Transcript and installer log locations
$LogPS = "C:\Windows\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "C:\Windows\Temp\$Product.log"
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$packageName.$installerType"
# /includeSSON installs the Single Sign On (pass-through authentication) component
$UnattendedArgs = '/silent /includeSSON'

Start-Transcript $LogPS

# The installer is expected in a sub-folder named after the version
CD $Version

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Customization" -Verbose
# Copy the Receiver shortcut into the all-users Startup folder so Receiver launches at logon
copy-item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix Receiver.lnk" -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Citrix Receiver.lnk" -Recurse

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript

This will install Citrix Receiver with Single Sign On and copy the icon to the Startup folder.

Please be aware that if you install 4.3 Technical Preview you need to do some manual clicks. This will go away when it’s official.

Bulletproof Guide to Citrix Receiver Start Menu Integration 06

One of the most common mistakes is forgetting to add your Storefront URL to the Trusted Zone List. You’ll find the GPO in Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page.

Bulletproof Guide to Citrix Receiver Start Menu Integration 04

Let’s create a Group Policy for Citrix Single Sign On with Storefront Configuration. You need to import the ADM templates.

I’m keeping the ADM templates with the binaries. You’ll find these under C:\Program Files (x86)\Citrix\ICA Client\Configuration.

Bulletproof Guide to Citrix Receiver Start Menu Integration 05

Bulletproof Guide to Citrix Receiver Start Menu Integration 09

Navigate to Administrative Templates – Classic Administrative Templates – Citrix Components – Citrix Receiver – User Authentication – Local username and password. Set the following:

Bulletproof Guide to Citrix Receiver Start Menu Integration 10

Navigate to Administrative Templates – Classic Administrative Templates – Citrix Components – Citrix Receiver – Storefront – Storefront Accounts List. Enable the policy and define your Store.

Store;https://sf-01.ctxlab.vmw/Citrix/Store/discovery;On;SF01

Bulletproof Guide to Citrix Receiver Start Menu Integration 11

Navigate to Administrative Templates – Classic Administrative Templates – Citrix Components – Citrix Receiver – Self Service and enable the first 3 policies.

I prefer to enable SelfServiceMode and Add/Remove Account at this stage. This makes it much easier for troubleshooting.

Bulletproof Guide to Citrix Receiver Start Menu Integration 12

Bulletproof Guide to Citrix Receiver Start Menu Integration 13

This is how I link the Internet Explorer and Citrix Receiver SSON policies.

Bulletproof Guide to Citrix Receiver Start Menu Integration 14

Now restart the computer and make sure it belongs to the OU where you have linked the GPO.

Head over to Store and configure Domain Pass-through.

Bulletproof Guide to Citrix Receiver Start Menu Integration 02

Bulletproof Guide to Citrix Receiver Start Menu Integration 03

To add the application shortcut to the Start Menu you need to set KEYWORDS:auto.

Bulletproof Guide to Citrix Receiver Start Menu Integration 15

Logon to your test computer. If everything works it should look like this.

Bulletproof Guide to Citrix Receiver Start Menu Integration 16

When you disable SelfServiceMode you’ll get all applications populated via the Citrix Receiver Start Menu Integration.

Bulletproof Guide to Citrix Receiver Start Menu Integration 22

Troubleshooting

Single Sign On

The first step is to verify that the Single Sign On process ssonsvr.exe is running in Task Manager.

Bulletproof Guide to Citrix Receiver Start Menu Integration 17

Now open your browser and verify that you get Single Sign On to StoreWeb. Please note that this works with both HTTP and HTTPS.

Bulletproof Guide to Citrix Receiver Start Menu Integration 18

Add Account

The Store has not been configured in GPO.

Bulletproof Guide to Citrix Receiver Start Menu Integration 07

Your apps are not available at this time

Bulletproof Guide to Citrix Receiver Start Menu Integration 19

Your Store is not configured to use HTTPS.

Bulletproof Guide to Citrix Receiver Start Menu Integration 21

You can verify this by clicking Accounts. If you have the Store configured with HTTPS in GPO, but the account shows HTTP, you have certificate problems. Verify that HTTPS works with StoreWeb.

Bulletproof Guide to Citrix Receiver Start Menu Integration 20

Citrix Receiver Start Menu Integration not working

Make sure to go through the steps above. If you can manually add icons in Citrix Receiver / StoreWeb and they show up in the Start Menu, there’s something wrong with your application keywords.
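The manual checks in this troubleshooting section (ssonsvr.exe running, the Store reachable over HTTPS with a trusted certificate, the StoreFront host placed in a trusted zone by policy) can be scripted; the block below is an added example, not part of the original post. It uses the store URL from the GPO line above and assumes that the Site to Zone Assignment List policy writes its entries under the ZoneMapKey registry path, with 2 meaning Trusted sites and 1 meaning Local intranet.

```powershell
# Added example: pre-flight checks for Citrix Receiver Start Menu integration,
# mirroring the manual troubleshooting steps above. Run on the test computer.
# Assumptions: the store URL is the one from the GPO example; the
# "Site to Zone Assignment List" GPO writes its entries to ZoneMapKey.

$StoreUrl = 'https://sf-01.ctxlab.vmw/Citrix/Store/discovery'   # from the GPO account list

function Test-ReceiverSsonPrereqs {
    param([Parameter(Mandatory)] [string] $StoreUrl)
    $uri     = [Uri] $StoreUrl
    $results = [ordered]@{}

    # 1. The Single Sign On process must be running.
    $results['ssonsvr running'] = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

    # 2. The Store must be addressed over HTTPS; pass-through does not work otherwise.
    $results['store uses https'] = ($uri.Scheme -eq 'https')

    # 3. The certificate must be trusted: a TLS failure here is the
    #    "account shows HTTP although GPO says HTTPS" symptom.
    try {
        $resp = Invoke-WebRequest -Uri $StoreUrl -UseBasicParsing -ErrorAction Stop
        $results['https reachable'] = ($resp.StatusCode -eq 200)
    } catch {
        $results['https reachable'] = $false
        $results['https error']     = $_.Exception.Message
    }

    # 4. The StoreFront host must be assigned to Trusted sites (2) or Local intranet (1) by GPO.
    $zone = $null
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $entry = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($entry) {
            # The policy stores the site as typed, with or without the scheme.
            foreach ($name in @(('https://' + $uri.Host), $uri.Host)) {
                if ($entry.PSObject.Properties[$name]) { $zone = [int] $entry.$name }
            }
        }
    }
    $results['zone assigned by GPO'] = ($zone -in @(1, 2))
    $results['zone value']           = $zone
    [pscustomobject] $results
}

Test-ReceiverSsonPrereqs -StoreUrl $StoreUrl | Format-List
```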

Resources

 

NetScaler Web-Based Authentication

An article by Sachin Gadhave from Citrix Blogs

In high security applications, the use of two-factor authentication (2FA) is often a hard requirement to provide enhanced security and meet more stringent compliance requirements.

With 2FA, users are required to provide two means of identification credentials for authentication. The most common example of 2FA is the use of traditional user name and password credentials in combination with a personal identification number (PIN) or token.

2FA can be implemented using RADIUS, which is an industry-standard protocol for providing authentication, authorization, and accounting services. The RADIUS server matches data from the authentication/authorization request with information in a trusted database, such as RSA SecurID, SQL or LDAP. If a match is found and the user’s credentials are correct, the RADIUS server sends a “success” response to the client, which is then allowed access to a corporate resource. A similar solution can be deployed using a Web Authentication server, which connects to a trusted backend database with user security information, where user credentials are sent through HTTP headers.

NetScaler version 10.5 and later with the AAA-TM feature can now authenticate users to a Web Authentication server, providing the credentials that the web server requires in an HTTP request and subsequently analyzing the web server response to determine that user authentication was successful.

Previously, a similar exercise would be done using the HTTP Callout feature, where a client would send the user name and password through HTTP headers in the request. A typical implementation of an HTTP callout would include creating an HTTP callout on the appliance and configuring it with details about the external server and other required parameters, configuring a responder policy to analyze the response and then creating a callout agent on the remote server.

The new Web Authentication feature now simplifies this process, where configuration is similar to creating a standard authentication server and a policy that can be bound to a virtual server for single FA or 2FA.

As with other types of authentication policies, a Web authentication policy is comprised of an expression and an action. After creating an authentication policy, you bind it to an authentication virtual server and assign a priority to it. When binding it, you also designate it as either a primary or a secondary policy.

To set up web-based authentication with a specific web server, first you create an Authentication WEB Server that contains the following items:

  • Name—Name for the Web Authentication action.
  • Web Server IP Address— The IP address of the authentication Web server.
  • Port— The port of the authentication Web server.
  • Protocol—HTTP (for unencrypted web authentication) or HTTPS (for encrypted web authentication).
  • HTTP Request Expression— An expression in NetScaler default syntax that contains the user’s credentials in the format that the Web server expects.
  • Expression to validate the Authentication—An expression in NetScaler default syntax that matches the web server response string that signifies that the user authenticated successfully.

The HTTP Request Expression (the Authentication Rule) and the Expression to validate the Authentication are the most important items in the list above; they have to be formatted precisely so that the NetScaler request and the response check match the exact POST request and response string that the Web server expects. In this example we will use a sample POST request and response to configure Web authentication on NetScaler 10.5. At a high level we need to complete the following five steps:

  1. Create a Netscaler Gateway VIP or AAA-TM Virtual Server and associated configuration.
  2. Create Web authentication server “HTTP Request Expression” & “Expression to validate the Authentication”
  3. Create Web authentication server and tie in the details from step 2.
  4. Create Web authentication policy and associate it with the Web Authentication Server.
  5. Bind the Web Authentication Policy to the Netscaler Gateway or AAA-TM VIP in question.

We will assume, at this point, that you are implementing this solution because of a specific requirement where the credentials from NetScaler Gateway or AAA-TM need to be sent to a specific server in a specific manner that requires this approach.

At this point, one should also validate that the basic Netscaler Gateway ICA proxy functionality is working with standard LDAP based authentication. Once done, it’s now time to get to the exciting stuff!

 

Read More