Monthly archives: October 2018

Migrate home directory to a new location

Recently I have been involved in some larger XenApp projects where one of the objectives has been to migrate home directories when users change environment. People tend to lock themselves into the idea that IT must migrate the home directory when the user is given access to the new environment. A better approach is to publish a script to the Start menu and instruct users to run it the first time they log in to the new environment. In one of the projects it was a bit more complicated, because the home directory structure differed from the structure in the new XenApp environment (see below).

 

Old structure

  • Links
  • Favorites
  • Downloads
  • Documents
    • My Music
    • My Videos
    • My Pictures
  • Desktop
  • Contacts
  • AppData

 

New structure

  • Downloads
  • Documents
  • Pictures
  • Music
  • Videos
  • Desktop

 

To solve this we had to create a PowerShell script with a bit more logic. Basically what we do is the following:

  1. Copy everything from the old home directory to the new home directory, except the excluded folders and files
  2. Copy "\Documents\Music" to "\Music"
  3. Copy "\Documents\Videos" to "\Videos"
  4. Copy "\Documents\Pictures" to "\Pictures"
  5. Copy "\Favorites" to "%USERPROFILE%\Favorites" (It's bad practice to redirect Favorites. Read more here)
  6. Copy necessary items from "\AppData\~" to "%USERPROFILE%\AppData\~" (We use Citrix Profile Management instead of redirecting AppData to the home share. Redirecting AppData to the home share is also bad practice, for the same reason it's bad practice to redirect Favorites.)

 

 

The end result looks like this:

User runs "Copy Home Directory" from the Start menu as instructed

[screenshot: Copy Home Directory shortcut]

A box pops up:

[screenshot: Popup - Copy the entire home directory from the old environment]

Another box pops up when the script has finished copying the old home directory:

[screenshot: Popup - Finished]
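The script itself is not part of the original post; the following is an added PowerShell example that implements the six steps above for the two directory layouts listed. It assumes that the old and new home shares are passed in as parameters, that robocopy.exe is available (it ships with every supported Windows release), and that the script is launched from the Start menu in the user's own context, so it can only read what the user already has access to and needs no elevation. The two AppData items copied in step 6 are placeholders chosen for the example, not the ones used in the project.

```powershell
<#
  Added example, not the script from the original post. Implements the six
  migration steps for the old/new home directory layouts listed above.
  Assumed (not from the post): the two home shares come in as parameters,
  robocopy.exe is present, and the script runs as the user from the Start
  menu, so it can only read what the user already can. No elevation needed.
#>
param(
    [Parameter(Mandatory)] [string] $OldHome,   # e.g. \\oldfs\home$\jdoe  (assumed layout)
    [Parameter(Mandatory)] [string] $NewHome    # e.g. \\newfs\home$\jdoe  (assumed layout)
)

Add-Type -AssemblyName System.Windows.Forms

function Show-Box([string] $Text) {
    [void][System.Windows.Forms.MessageBox]::Show($Text, 'Copy Home Directory', 'OK', 'Information')
}

# Thin robocopy wrapper. Exit codes 0-7 mean success or "nothing to do"; 8 and
# above mean at least one item failed. /XJ stops robocopy from descending into
# junctions (the "My Music" style links Windows plants under Documents), which
# would otherwise copy the same data twice or loop. /XD is given full paths so
# a user-created "Pictures" folder somewhere under Desktop is not skipped too.
function Copy-Tree {
    param(
        [string]   $Source,
        [string]   $Destination,
        [string[]] $ExcludeDirs  = @(),
        [string[]] $ExcludeFiles = @()
    )
    if (-not (Test-Path -LiteralPath $Source)) { return $true }   # absent source is not a failure
    $rcArgs = @($Source, $Destination, '/E', '/XJ', '/COPY:DAT', '/R:1', '/W:1', '/NFL', '/NDL', '/NJH', '/NJS')
    if ($ExcludeDirs)  { $rcArgs += '/XD'; $rcArgs += $ExcludeDirs }
    if ($ExcludeFiles) { $rcArgs += '/XF'; $rcArgs += $ExcludeFiles }
    & robocopy.exe @rcArgs | Out-Null
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy exit code $LASTEXITCODE while copying $Source"
        return $false
    }
    return $true
}

Start-Transcript -Path (Join-Path $env:TEMP 'CopyHomeDirectory.log') -Append | Out-Null
try {
    Show-Box "Your old home directory ($OldHome) will now be copied to the new environment. This can take a while; click OK to start."
    $results = @()

    # 1. Everything, minus folders that either do not exist in the new structure
    #    or must not live on the home share (Favorites, AppData).
    $skipDirs = @('Links', 'Contacts', 'AppData', 'Favorites',
                  'Documents\My Music', 'Documents\My Videos', 'Documents\My Pictures',
                  'Documents\Music',    'Documents\Videos',    'Documents\Pictures') |
                ForEach-Object { Join-Path $OldHome $_ }
    $results += Copy-Tree -Source $OldHome -Destination $NewHome -ExcludeDirs $skipDirs -ExcludeFiles @('desktop.ini', '~$*', '*.tmp')

    # 2-4. Media folders move from under Documents to the root of the new home.
    #      Both the "My Music" and "Music" spellings are tried, whichever the old share used.
    $media = @{ Music = @('My Music', 'Music'); Videos = @('My Videos', 'Videos'); Pictures = @('My Pictures', 'Pictures') }
    foreach ($target in $media.Keys) {
        foreach ($name in $media[$target]) {
            $results += Copy-Tree -Source (Join-Path $OldHome "Documents\$name") -Destination (Join-Path $NewHome $target)
        }
    }

    # 5. Favorites go to the local profile (Profile Management roams it), not to the new home share.
    $results += Copy-Tree -Source (Join-Path $OldHome 'Favorites') -Destination (Join-Path $env:USERPROFILE 'Favorites')

    # 6. Only selected AppData items. Which ones is site-specific; the two below are assumptions for the example.
    $appDataItems = @('Roaming\Microsoft\Signatures', 'Roaming\Microsoft\Templates')
    foreach ($item in $appDataItems) {
        $results += Copy-Tree -Source (Join-Path $OldHome "AppData\$item") -Destination (Join-Path $env:USERPROFILE "AppData\$item")
    }

    if ($results -contains $false) {
        Show-Box "Finished, but some files could not be copied. See $env:TEMP\CopyHomeDirectory.log or contact the service desk."
    } else {
        Show-Box 'Finished copying your old home directory.'
    }
}
finally {
    Stop-Transcript | Out-Null
}
```

Publish it as a Start menu shortcut to powershell.exe with -File pointing at the script; sign the script rather than lowering the execution policy for the whole environment, and keep it running as the user so a misconfigured share ACL cannot be used to read other users' data through it. Because step 1 excludes by full path, a second run only copies what is new or changed (robocopy skips identical files), so a user who ran it too early can safely run it again.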



Update Workspace Environment Management from 4.5 to 1808

The other day I tried to update Workspace Environment Management from 4.5 to 1808. I followed the guidelines provided by Citrix here. Everything went fine with the update of "Infrastructure Services", "Database" and "Administration Console", but when I tried to connect to the "Infrastructure Services" with the "Administration Console" I got the error "Specified Infrastructure Server seems to be offline or have a wrong database configuration. Please check configuration and try again."


I saw that the connection to the database started to initialize and everything went fine until WEM tried to read "StorefrontSettings", at which point the error came up. I started digging by enabling "debug mode" in "WEM Infrastructure Service Configuration". This writes a log to "C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Infrastructure Service Debug.log" with information and errors about connections to the "Infrastructure Services". Unfortunately I did not save the exact error message, but it was something like "Error reading dbo.VUEMStorefrontSettings".

[screenshot: WEM debug log]

I remembered that Citrix added the functionality to point to a StoreFront store in version 4.6.

[screenshot: WEM StoreFront settings]

To resolve the issue I restored the database and server to 4.5 and upgraded all the components and the database to 4.6, then 4.7 and finally 1808. After this everything worked as expected.

It seems to me that Citrix forgot to create "dbo.VUEMStorefrontSettings" in 1808 if it did not previously exist…
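A check worth running before the next upgrade is whether the WEM database already contains the table the console stumbled on. The following PowerShell is an added example, not something from the post or from Citrix; the SQL server and database names are assumptions, it uses Windows authentication so no password is stored in the script, and the table list holds only the table the post traces the error to (introduced, per the post, with the StoreFront feature in 4.6).

```powershell
# Added example, not part of the original post: a pre-upgrade check that the
# WEM database already has the table(s) a newer console expects. Assumed (not
# from the post): the SQL server and database names, and that the account
# running this can see the database's metadata. Windows authentication is used.
param(
    [string] $SqlServer = 'SQL01',        # assumed
    [string] $Database  = 'CitrixWEM'     # assumed
)

# Tables that only exist from a given WEM release. The one below is the table
# the post traces the error to; add any others your upgrade path depends on.
$required = @(
    @{ Schema = 'dbo'; Table = 'VUEMStorefrontSettings'; Since = '4.6' }
)

function Test-WemTables {
    param([string] $Server, [string] $Db, [object[]] $Tables)
    $missing = @()
    # Encrypt=True with certificate validation on: a DB connection carrying
    # Windows credentials should not be downgraded to plaintext silently.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Db;Integrated Security=True;Encrypt=True;TrustServerCertificate=False")
    $conn.Open()
    try {
        foreach ($t in $Tables) {
            $cmd = $conn.CreateCommand()
            # Parameterised so schema and table names are never concatenated into the query text.
            $cmd.CommandText = 'SELECT COUNT(*) FROM sys.tables AS t ' +
                               'JOIN sys.schemas AS s ON s.schema_id = t.schema_id ' +
                               'WHERE s.name = @schema AND t.name = @table'
            [void] $cmd.Parameters.AddWithValue('@schema', $t.Schema)
            [void] $cmd.Parameters.AddWithValue('@table',  $t.Table)
            if ([int] $cmd.ExecuteScalar() -eq 0) { $missing += $t }
        }
    }
    finally { $conn.Close() }
    return $missing
}

$missing = Test-WemTables -Server $SqlServer -Db $Database -Tables $required
if ($missing) {
    foreach ($m in $missing) {
        Write-Warning "$($m.Schema).$($m.Table) is missing (introduced in WEM $($m.Since))"
    }
    Write-Warning 'Upgrade through the intermediate release(s) first, or expect the "Infrastructure Server seems to be offline" error in the console.'
    exit 1
}
Write-Host "All listed tables exist in $Database on $SqlServer."
```

Run it from the Infrastructure Services host with the same service account the Infrastructure Service uses, since that account is the one whose view of the database matters; a missing table here means the upgrade path in the post (4.5 to 4.6 to 4.7 to 1808) rather than a direct jump.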



Create Azure Policies based on Resource Graph queries

If you have used Resource Graph to query resources you have probably realized that it comes in very handy when creating Azure Policies. For example, you can check the SKUs of your virtual machines before you create a policy that audits specific VM sizes or even prevents their creation. (If you haven't used Azure Resource Graph yet, check out my previous post: https://tech.xenit.se/azure-resource-graph/)

Let's take it further and actually create a policy based on our Resource Graph query.

In my example below I query all storage accounts that allow connections from all networks and whose environment tag is set to Prod.

I am running all commands in Cloud Shell with the Azure CLI, but you could just as well use PowerShell.

[screenshot: Azure CLI Resource Graph query]

The query looks for the setting below, which can be found under Firewalls and virtual networks on your storage accounts.

Creating the policy

To create the Policy, I am using the tool GraphToPolicy. The tool and instructions can be found here http://aka.ms/graph2policy

Follow the instructions for the tool and when you have the tool imported to your cloud shell environment you are ready to go.

I am using the same query as before and create a policy to audit all storage accounts that allow connections from all networks and have the environment tag set to Prod.

[screenshot: Azure CLI GraphToPolicy command]

Output:

[screenshot: Azure CLI output]

Same policy as above, but with the query in a variable

After creation the policy is ready for assignment. I assigned it to my test subscription and, as you can see in my example, one of my storage accounts shows up as non-compliant.
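To show what GraphToPolicy produces on your behalf, here is the same workflow as an added PowerShell example (not the post's Cloud Shell CLI commands and not the tool's output): the Resource Graph query, the audit policy a practitioner would write by hand to match it, and the assignment. It assumes the Az.ResourceGraph and Az.Resources modules are installed and Connect-AzAccount has been run (in 2018 the equivalent cmdlets carried the AzureRm prefix); the definition and assignment names are made up for the example.

```powershell
# Added example, not the post's Cloud Shell CLI commands and not the output of
# the GraphToPolicy tool. Assumed (not from the post): Az.ResourceGraph and
# Az.Resources are installed and Connect-AzAccount has been run; the policy
# definition and assignment names below are invented for the example.

# 1. The query from the post: Prod-tagged storage accounts whose firewall
#    default action is Allow, i.e. "All networks" in the portal.
$query = @'
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where properties.networkAcls.defaultAction =~ 'Allow'
| where tags.environment =~ 'Prod'
| project name, resourceGroup, subscriptionId
'@

# Preview what the policy will flag before creating it. -First raises the
# default page size of 100 so larger estates are not silently truncated.
$hits = Search-AzGraph -Query $query -First 1000
$hits | Format-Table name, resourceGroup, subscriptionId

# 2. Equivalent policy rule. Policy does not evaluate Kusto; each Resource Graph
#    property has to map to a Policy alias, here
#    Microsoft.Storage/storageAccounts/networkAcls.defaultAction. The effect is
#    a parameter so the same definition can be assigned as Audit first and
#    switched to Deny once the Prod accounts have been cleaned up.
$rule = @{
    if = @{
        allOf = @(
            @{ field = 'type';                                                        equals = 'Microsoft.Storage/storageAccounts' },
            @{ field = 'Microsoft.Storage/storageAccounts/networkAcls.defaultAction'; equals = 'Allow' },
            @{ field = "tags['environment']";                                         equals = 'Prod' }
        )
    }
    then = @{ effect = "[parameters('effect')]" }
}
$parameters = @{
    effect = @{ type = 'String'; allowedValues = @('Audit', 'Deny'); defaultValue = 'Audit' }
}

$definition = New-AzPolicyDefinition -Name 'audit-prod-storage-open-to-all-networks' `
    -DisplayName 'Audit Prod storage accounts that allow access from all networks' `
    -Mode Indexed `
    -Policy    ($rule       | ConvertTo-Json -Depth 10) `
    -Parameter ($parameters | ConvertTo-Json -Depth 10)

# 3. Assign to the current subscription. Compliance data appears after the next
#    evaluation cycle; the Resource Graph result above is the immediate answer.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
New-AzPolicyAssignment -Name 'audit-prod-storage-open-to-all-networks' `
    -DisplayName 'Audit Prod storage accounts open to all networks' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Audit' }
```

Two caveats when going from a query to a policy this way: Resource Graph can filter on any property in the ARM representation, but Policy can only see properties that have an alias, so a query that works is no guarantee the corresponding field exists. And a Deny effect only blocks create and update requests; storage accounts that are already open stay open and merely show as non-compliant until someone changes them.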

Summary

Resource Graph is a handy tool and, as you might have gathered, very useful when looking for specific properties or anomalies in your resources. Together with GraphToPolicy it's easy to create Azure Policies based on your Resource Graph queries.

Credit for the tool goes to robinchapas https://github.com/robinchapas/ConvertToPolicy

If you have any questions you can reach me at tobias.vuorenmaa@xenit.se



OpenID Connect token validation in Citrix ADC

I've previously written about how to use OpenID Connect in NetScaler and a way to use callouts to validate tokens. You can also use the function JWT_VERIFY_CERTKEY(), but that (for now) requires you to keep the issuing certificate updated locally.

Another way is to set up an OpenID Connect client (OAuth Action) on Citrix ADC and enable 401 authentication on the load balancing vserver. Below is an example where the NetScaler validates that the token sent is valid and issued by the correct provider. (I've used Azure AD in my example.)

The only thing you have to do is send traffic carrying tokens (HTTP.REQ.HEADER("Authorization").SET_TEXT_MODE(IGNORECASE).CONTAINS("Bearer ")) to this LB and a session will be created in NetScaler. In my case I'm also verifying that the user exists using a second factor against LDAP.

Try it out and all feedback is welcome!



Citrix ADC and ADM automation using Ansible

I’ve been working with Ansible more and more and been learning a lot. It’s so much fun but I also think it can help others out there with their projects. I’ve published a few blog posts regarding a few different parts of how I automate Citrix ADC (NetScaler) and Citrix ADM (NetScaler MAS), and will be holding a presentation about it at Citrix User Group Norway (CUGTech Autumn 2018) – I hope to see you there!

The blog posts I’ve published regarding this (so far) are:

I’ve learnt so much creating these playbooks and will continue to work on and perfect them. Most likely will be undergoing continuous improvement from now on! It will be great to talk about all of this next week, something I’m really looking forward to!

I hope to see at least a few of you out there test these playbooks and maybe even contribute to them or collaborate with me making them even better.



Configure Stylebook configpacks using Ansible and Citrix ADM

I've created an Ansible playbook to deploy configpacks to Citrix ADC (previously Citrix NetScaler) using Ansible and Citrix ADM (previously Citrix NetScaler MAS). You add the configuration to the parameters and the playbook adds configpacks using the settings you've defined.

There is still a lot to do with this one, for example updating the configpack when the parameters have changed in the playbook.

The playbook has been published to Azure DevOps and can be found here. The readme contains the latest information.

The playbook configures the following (as of this blog post):

  • Identifies the current primary/active Citrix ADC (NetScaler)
  • Locates the active node's instanceId
  • Identifies all Stylebooks on Citrix ADM
  • Identifies what Stylebooks will be used
  • Creates configpack if it isn’t already created
  • Verifies that the configpack is deployed without any failures

Feel free to try it out and all feedback is welcome!



Deploy Citrix ADM Stylebooks using Ansible

I've created an Ansible playbook to deploy Citrix ADM (previously Citrix NetScaler MAS) Stylebooks. It uploads the latest version of each stylebook, migrates existing configpacks that use the older version and then removes the old version from MAS.

There is still a lot to do with this playbook, for example handling parameters being added in a new version and deleting Stylebooks that have been removed from the playbook.

The playbook has been published to Azure DevOps and can be found here. The readme contains the latest information.

The playbook configures the following (as of this blog post):

  • Logs on to MAS
  • Locates all stylebooks in files/stylebooks
  • Identifies stylebook versions
  • Uploads a stylebook if that version doesn't exist yet
  • Migrates configpacks to the new version
  • Removes the old version(s) of the stylebooks

Right now, there are four stylebooks:

  • xenit-srvobject.yml – Adds one or more server objects
  • xenit-svcgroup.yml – Adds a service group with one or more server objects
  • xenit-csvserver.yml – Adds a cs vserver
  • xenit-lbvserver.yml – Adds an lb vserver using service group and binds it to a cs vserver

Feel free to try it out and any feedback is welcome! Or maybe even do a pull request?



Citrix ADC base configuration with Ansible and Citrix ADM

I’ve created an Ansible playbook to configure a base line on Citrix ADC (previously Citrix NetScaler) using Ansible and Citrix ADM (previously Citrix NetScaler MAS). The only thing you will have to do is change the parameters in the playbook and run it.

The playbook has been published to Azure DevOps and can be found here. The readme contains the latest information.

The playbook configures the following (as of this blog post):

  • NSIP parameters
  • HA Node parameters
  • SNIP parameters
  • VLANs
  • Policy Based Routing
  • Access Lists
  • SSL profiles
  • TCP Settings
  • HTTP Profile
  • NS Parameters
  • LB Parameters
  • SNMP Parameters
  • Cache parameters
  • Compression parameters
  • NetScaler modes
  • NetScaler features
  • NTP Configuration

I hope this can be of some help and feel free to give feedback or contribute to the playbook!



Configure Citrix ADC HA pair using Ansible and Citrix ADM

I've created an Ansible playbook to configure two Citrix ADCs (previously Citrix NetScaler) into an HA pair using Citrix ADM (previously NetScaler MAS). The only thing you have to do is change the parameters in the playbook and run it with the credentials and IP addresses as parameters, and you'll have an HA pair.

The playbook has been published to Azure DevOps and can be found here. The readme contains the latest information.

The playbook configures the following (as of this blog post):

  • Creates or updates a device profile
  • Creates or updates a datacenter (mps_datacenter)
  • Adds Citrix ADC instances to Citrix ADM
  • Creates an HA pair of the Citrix ADC instances using the ns_hapair_template maintenance job
  • Configures a new rpcNode password

I hope this can be of some help and feel free to reach out if you have any feedback or questions!



Configure Citrix ADM using Ansible

I've created an Ansible playbook to configure Citrix ADM (previously Citrix NetScaler MAS). Instead of configuring all the different parts using the GUI, you can now change the parameters in a configuration file and the playbook will apply and update your configuration for you, giving you Infrastructure as Code and documentation in one place!

The playbook has been published to Azure DevOps and can be found here. Read the readme for the latest information.

What the playbook configures (or at least at the time of writing this blogpost):

  • nsroot password
  • DNS servers
  • time zone
  • system settings
  • prune policy
  • syslog purge settings
  • backup policy
  • device backup policy
  • NTP sync and servers (reboots server if required)
  • LDAP servers and enables them as external authentication servers
  • Adds groups

Feel free to try it out and get back to me with any feedback! It’s a work in progress and I’ll try to keep the information up to date in the readme.