Category: Citrix

Text-based session watermarks

Citrix recently introduced a new feature to track data theft by giving administrators the ability to enable watermarks in their user sessions. This feature is supported for both Server and Desktop OS and requires a minimum of Virtual Delivery Agent version 7.17.

Citrix also offers the possibility to customize your session watermarks. The following parameters can be included or configured in the watermark:

  • Client IP Address
  • Connection Time
  • Logon user name
  • VDA host name
  • VDA IP Address
  • Style (Single or multiple)
  • Custom text
  • Transparency

    Sessions watermark with a custom text, connection time and a transparency of 10

And I bet you’re now wondering, just as I did, whether there are any exceptions. There are, and they cover a few great scenarios!

  • When using Session Recording, the recorded session does not present the watermark.
  • When using Windows remote assistance, the watermark is not presented to the remote user.
  • When pressing the Print Screen key to capture the screen, the screen captured at the VDA side does not include the watermark. This also applies to third-party applications that are triggered by pressing the Print Screen button, for example Greenshot.

More information regarding session watermarking and its limitations can be found on the link below:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/graphics/session-watermark.html

If you have any questions regarding session watermarks, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Citrix replaces Smart Scale with Autoscale

A while ago Citrix announced the deprecation of Smart Scale, but its replacement has been kept in the dark. It has now finally been revealed.

Smart Scale will reach end of life on May 31, 2019 and Autoscale will be the replacement for Cloud platforms. Autoscale is considered a new feature but it delivers all the functionality that is currently available in Smart Scale, such as:

  • Load based scaling
  • Schedule based scaling
  • Cost saving statistics

Note: Autoscale will only be available for customers with Citrix Virtual Apps and Desktop service. This means that customers with on-premises platforms are advised to use the Studio power management feature (which earlier had the possibility to use Smart Scale).

Autoscale can be enabled and configured per Delivery Group in Studio and will replace the current Power management tab.

One of the new functionalities delivered with Autoscale is its integration with Director where savings and machine usage will be presented.

For a quick walk through of Autoscale, see this link.

If you have any questions regarding Autoscale, feel free to email me at robert.skyllberg@xenit.se or comment down below.



Keep your FSLogix VHD-files optimized

Background

When using either or both of the FSLogix products Office 365 Containers and Profile Containers, you will have quite large VHD files. You can, for example, limit the size in Office 365 Container by specifying the Outlook cache limit, but it will nonetheless require quite a lot of storage space. Since the standard and recommended way of creating these VHD files is to set them to Dynamic, things get complicated when and if you run out of space. Let me explain:

A dynamic disk will automatically expand when needed, ensuring that each disk reserves only the actual size of its content, which is good, but it will not shrink automatically. This means the disk keeps the size it had when it contained the most data, and does not represent the actual size of the content inside. Over time this might become an issue or, if nothing else, a waste of disk space.

Creating a script that shrinks the disk is complicated, and there is a risk that the disk will be corrupted. Instead we will focus on how to maintain efficient use of the stored data to keep the disk from growing in size.

Solution

There is, however, no solution from FSLogix to tackle this yet, so we need to focus on what we can do with the VHD files, which are essentially standard virtual disks. When searching for a good long-term solution to this problem I found a great script created by David Ott that optimizes the disks that are available at the time you run the script.

How it works

The script checks whether the VHD files are available (if the user is logged on, the disk is locked). It then proceeds with the ones that are available: it mounts them, runs an optimization job, closes them and mails a complete report of the result. The best way of using this script is to schedule it to run after office hours (preferably after the session hosts have restarted) to maintain the most efficient size of the disks. This will minimize the growth of the disks and in the long run save you some space.

Where to find it

As mentioned above I found the script from the creator David Ott and you can find the original post with script here!

If you want to know more about FSLogix you can email me at jonas.agblad@xenit.se or check out my earlier posts here:

Convert Citrix UPM to FSLogix Profile Containers

Teams in your multi-user environment done right!

Outlook Search index with FSLogix – Swedish

FSLogix Profile Container – Easy and fast Profile management – Swedish

Office 365 with FSLogix in a Multi-user environment – Swedish



TLS 1.0 and 1.1 will be blocked, so update your Citrix Receiver!

Background

Most of the things around us constantly get updates and improvements, and for most people the fixes for security vulnerabilities are the most critical. Cryptographic protocols like TLS 1.0 have been in use since 1999, with an update to TLS 1.1 in 2006, and these protocols have been vulnerable to attacks like POODLE and BEAST. The best way to prevent similar attacks from happening again is to have people stop using the outdated protocols and force them onto the more robust version 1.2.

Last year, some of the largest IT companies in the world (Microsoft, Google, Apple & Mozilla) announced that the TLS 1.0 and TLS 1.1 protocols will be deprecated from their respective web browsers in 2020. After this, other companies adapted and cleverly joined the train.

As of the 15th of March, 2019, Citrix will no longer support communication over TLS 1.0 and 1.1 to Citrix Cloud Services.

Which cases will be affected?

The standard way of TLS negotiation is to try the latest version first and, if that one fails, go to the next one, and so on. This means that if you are running an old version of Receiver that only supports TLS 1.0 / 1.1, you will not be able to connect to Citrix Cloud. On-prem StoreFront implementations that still support TLS 1.0 / 1.1 will be unaffected by the change.

How will this affect you?

Listed below is the minimum required version of Citrix Receiver. If you have an earlier version, you will be blocked when trying to connect.

Receiver    Version
Windows     4.2.1000
Mac         12.0
Linux       13.2
Android     3.7
iOS         7.0


What can you do to prevent this?

As of last May, at Synergy, Citrix announced that the Receiver would join the Workspace family. So don’t go looking for any version of Citrix Receiver, go look for the latest version of Citrix Workspace, which can be downloaded here. All the Workspace applications have been stripped of the TLS 1.0 and 1.1 protocols.

The full statement from Citrix can be found in this link



Citrix brings back Local Text Echo

Have you ever experienced the frustration of working on a bad connection resulting in a tremendous amount of latency when typing?

Past releases of Citrix Virtual Apps and Desktops (Formerly XenApp & XenDesktop) have included many interesting news and functions, especially regarding HDX innovations and ICA improvements. One of the “new” features that caught my eye in the Citrix Virtual Apps and Desktops 1811 release notes is Local text echo, which I will shortly cover in this post.



Teams keeps crashing in Citrix

A while ago I installed Teams in a client's Citrix environment. I solved the large profile issue (Microsoft recommends 3 GB of free data for each user) with FSLogix; you can read more about that in my earlier blog post here!

While testing Teams in the client's test environment it all worked flawlessly. I then proceeded to implement it in the production environment, and it all worked great: Teams installed and worked as expected. Or so I thought…

The Problem

The next day I received multiple complaints about Teams hanging and restarting, only to resume in a hanging state. In summary, it DID NOT WORK. Puzzled as to why, since it still worked as expected in the test environment, I started to investigate. I checked the Event Viewer for any clues; there were none. I then proceeded to check the Teams install log (you can find it here: “C:\Users\USERNAME\AppData\Local\SquirrelTemp\SquirrelSetup.log”), but there was nothing to find there. I scavenged the internet for answers but always got the same solution: delete Teams and reinstall it. That did not work in my scenario. We also have 2 customers running this exact setup but without any issues. What I then started to suspect was the platform Citrix was running on, specifically virtual vs physical servers. All the installations on a virtual server worked, but on our physical server it did not.

Eventually I did a deep-dive to see what actually happens when it crashes and I discovered the following:

  1. When checking the Details tab in Task Manager I discovered that when Teams begins to be unresponsive, a Werfault.exe (Windows Error Reporting) process starts and takes a lot of CPU resources but never quite finishes.
  2. After investigating with Procmon I found something suspicious: CtxGraphicHelper.dll. This is a Citrix hook, used by Citrix to make programs do things they were not programmed to do. Basically it’s used to make applications work in a Citrix environment. If you want to know more on the subject please read this article explaining how it works!
  3. After recovering this information I found a discussion on Reddit explaining my exact scenario, and a workaround for this specific issue. See below on how to apply the workaround.

Workaround

To get Teams to work in your Citrix environment if you experience this specific issue, you need to exclude all Citrix hooks from Teams.exe. You do this by editing/adding the following registry value:

32-bit version:
HKLM\SOFTWARE\citrix\CtxHook\
String Value: ExcludedImageNames
Value: Teams.exe

64-bit version:
HKLM\SOFTWARE\WOW6432Node\citrix\CtxHook\
String Value: ExcludedImageNames
Value: Teams.exe

Note: The server needs to be restarted for the changes to take effect!
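
One way to apply the value above without overwriting exclusions that are already in place, as an added example that is not from the original post or from Citrix. It assumes ExcludedImageNames holds a comma-separated list of executable names; the function names are hypothetical.

```powershell
# Added example, not from the original post. Assumption: ExcludedImageNames
# is a comma-separated list of executable names.
$CtxHookKeys = @(
    'HKLM:\SOFTWARE\citrix\CtxHook',             # "32-bit version" key in the post
    'HKLM:\SOFTWARE\WOW6432Node\citrix\CtxHook'  # "64-bit version" key in the post
)

# Pure helper: add $ImageName to an existing list unless it is already there.
function Merge-ImageName {
    param([string]$Current, [Parameter(Mandatory)][string]$ImageName)
    $names = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($names -notcontains $ImageName) { $names += $ImageName }  # case-insensitive match
    $names -join ','
}

# Merge the image name into ExcludedImageNames under each key and report
# what was there before, so the change can be reviewed and rolled back.
function Add-CtxHookExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ImageName = 'Teams.exe',
        [string[]]$Key = $CtxHookKeys
    )
    foreach ($k in $Key) {
        if (-not (Test-Path -Path $k)) {
            Write-Warning "$k does not exist, skipping"
            continue
        }
        $current = (Get-ItemProperty -Path $k -Name ExcludedImageNames `
                        -ErrorAction SilentlyContinue).ExcludedImageNames
        $merged  = Merge-ImageName -Current $current -ImageName $ImageName
        $changed = $merged -cne $current
        if ($changed -and $PSCmdlet.ShouldProcess($k, "Set ExcludedImageNames to '$merged'")) {
            # -Force replaces the existing string value with the merged list
            New-ItemProperty -Path $k -Name ExcludedImageNames -Value $merged `
                -PropertyType String -Force | Out-Null
        }
        [pscustomobject]@{ Key = $k; Before = $current; After = $merged; Changed = $changed }
    }
}

# Constructed inputs showing the merge: an empty value, and a list that
# already contains the name in a different case.
Merge-ImageName -Current '' -ImageName 'Teams.exe'
Merge-ImageName -Current 'outlook.exe, TEAMS.EXE' -ImageName 'Teams.exe'

# Dry run: shows what would be written without touching the registry.
Add-CtxHookExclusion -WhatIf | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; dropping -WhatIf performs the write, and the Before column is the value to restore if the exclusion is later removed.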

Summary

This workaround is far from ideal; disabling the Citrix hooks is not recommended and can result in other issues with Teams. Please test it properly before making any organization-wide changes. And be aware that Teams has not yet been implemented in the HDX Optimization Pack, meaning it will not offload sound and video to your client. I’m sure Citrix is working hard to implement this as soon as possible.

I have not found the exact reason why this is an issue and why it only seems to affect physical servers and not virtual ones. I suspect it’s the CtxGraphicHelper hook I discovered in Procmon that might be the source of the problem. But it seems this workaround will get Teams to work just fine in your Citrix environment.

Please let me know if you have any questions or have anything to add!



“Outlook cannot perform your search” on Windows Server 2016 running Remote Desktop Services

INTRODUCTION

Speaking on behalf of all IT technicians, there is no doubt that we have all had our hands in cases related to Outlook. Oftentimes I find them quite understandable and possible to resolve. However, that was until I encountered a particularly obscure issue with Outlook’s search engine, with an equally obscure resolution.



PVS-Accelerator

Introduction

PVS-Accelerator is a feature for Citrix Hypervisor (previously named XenServer). The feature utilizes the local storage and RAM on Dom0 on each Citrix Hypervisor and caches read requests from a provisioned target device. It saves network, CPU and Provisioning host disk I/O resources, effectively improving performance. Overall your storage and network should see an improvement if they are under heavy load today. [1]

Network Bandwidth Utilization [2]

PVS-Accelerator brings an improved end-user experience, accelerated VM boots and boot storms, and simplified scale-out by adding more hypervisor hosts, and fewer provisioning servers are needed.

Prerequisites

  • The XenServer PVS-Accelerator feature is only available in Citrix Hypervisor 7.1 and Provisioning 7.13 or later
  • PVS-Accelerator is available for customers with XenServer Enterprise Edition or with XenDesktop/XenApp licenses
  • If you have Citrix Hypervisor 7.1 or later, Provisioning 7.13 or later and XenApp/XenDesktop, you should be able to utilize the feature without any extra licenses or upgrades to consider [3]

Considerations

There is no need to reboot the XS host to enable PVS-Accelerator, unless you have less than the 4 GB on Dom0 that is required to enable the feature. Also notice that the recommended cache size on the storage repository is 5 GB for every vDisk version actively provisioned.

PVS-Acceleration configuration
  • PVS-Accelerator only caches reads from vDisk, but not writes or reads from a write cache. Support is for vDisks with any non-persistent write cache type, but not “Cache on Server, Persistent” or “Cache on device hard disk persisted” write cache type
  • If you have more than one virtual network interface (VIF), make sure that the first VIF of a VM is used for connecting to the Provisioning Server
  • If you have multiple Provisioning servers that are deployed with HA and the same VHD, but have different file system timestamps, data may be cached multiple times. Due to this limitation, Citrix recommends using VHDX format, rather than VHD for vDisks
  • If you are running a 10 GbE network or just a few streamed VMs you will probably not notice a big difference

Advantages

  • Lower network utilization
  • Faster VM Boot time (Around 60%)
  • Higher Provisioning server density
  • Improved logon time
  • Helps with a saturated network or branch office
Average VM Boot Time
Source: Virtualfeller.com [4]

How to install

Installation is pretty straight-forward. You can download the PVS-Accelerator Supplemental Pack at https://download.citrix.com (requires Citrix account).

  • Path: Downloads / Citrix Hypervisor (XenServer) / XenServer 7.1 LTSR or above (Any Edition) / Optional Components / PVS Accelerator Supplemental Pack
  • Download and install the .iso file from XenCenter
XenCenter – Install Update
XenServer – Select Update

A new tab will appear in XenCenter console. Select your Hypervisor pool and click the PVS tab. Configure the PVS-Accelerator by naming your site and cache configuration. [5]

Configure PVS-Accelerator

The next step is to go back to the Provisioning Console and create your VMs with PVS-Accelerator. You do this by right-clicking on your site and running the Setup Wizard. You cannot do this on your existing provisioned targets. The short explanation is that PVS-Accelerated VMs are tied to Provisioning servers with a UUID on the XenServer.

Note: If you were to re-install the XenServer where PVS-Accelerated VMs were enabled, Provisioning Services will become out of sync and you will need to delete the previously configured VMs associated with the cache configuration, including the host, and then reconfigure PVS-Accelerator and set up the cache again. [6]

Provisioning Console – Streamed VM Setup Wizard

Be sure to select “Enable PVS-Accelerator for all Virtual Machines” when configuring the number of VMs and their resources.

Provisioning Console – Enable PVS-Accelerator
Provisioning Console – Streamed VM Wizard

Verify that the PVS-Accelerator status is Caching your VMs from the XenCenter > Pool > PVS tab.

XenCenter – PVS Tab

References

[1] https://docs.citrix.com/en-us/xenserver/current-release/storage/pvs.html

[2] https://www.youtube.com/watch?v=l_vhMf3SFks

[3] https://support.citrix.com/article/CTX220746

[4] https://virtualfeller.com/2017/03/07/provisioning-services-accelerator

[5] https://support.citrix.com/article/CTX220735

[6] https://docs.citrix.com/en-us/provisioning/7-15/install/configure-accelerator.html



How to manually crash your VM on a XenServer

Sometimes you need to simulate or provoke a crash on a Virtual Machine to either verify a problem or get a memory dump to have a closer look at what is happening with the Virtual Machine. The thing is, it's quite tricky to do that manually. Lucky for you there is a quite simple way to achieve this on a XenServer and I will show every step of the way.

When your Virtual Machine (VM) is at the desired state you should do the following steps:

  1. Find out the ID the XenServer has assigned to the VM. This ID changes when the VM is rebooted, so you need to look it up every time you do this; you cannot use the same ID again. First make a note of the Virtual Machine UUID, which you can find under “General” for the specific VM.

  2. Now we need to find out the ID the XenServer provided for this specific VM. Go to the XenServer console (the host of the VM) and type the following: list_domains

As you can see, it lists all the VMs on this XenServer, and you will also see the ID correlated to each UUID. Make sure you have the correct ID and type the following: xen-hvmcrash <ID> (without the brackets).

Congratulations, you have now successfully crashed the Virtual Machine!



Manage your corporate devices using Citrix Endpoint Management

Let’s say you’ve bought in 50 new iPad devices that you want to deploy to your users, and you have acquired a new mobile application that you want your users to start using on these devices. This is a fairly common scenario for businesses and companies. But how do you do this in a fast and secure way?

By using Mobile Device Management (MDM), Mobile Application Management (MAM) and Citrix Endpoint Management (formerly XenMobile Services) in this case, we can configure these devices to fit our needs, without any end user interaction whatsoever.

For this scenario, we want the iPads configured in the following way:

  1. Automatically download and install the business application
  2. Restrictions, WiFi and application layout of the start screen configured
  3. Deployed into the system automatically

These requirements are easily configured using Endpoint Management. By using policies and synchronization with Apple's services we create a seamless experience for the end user.

1. Automatically download and install the business applications

First off, we need to do some configuration to get the application out to our devices. Using the Apple Volume Purchase Program (VPP), we can automatically install applications without any user interaction or Apple ID login. You enroll in the program on Apple's web page, and after enrollment you download a token and upload it to your Endpoint Management console. It then automatically syncs any applications you buy from the App Store into your Endpoint environment, ready to be pushed out to any devices automatically. So when the application is in your system and set as required, it automatically gets installed on the devices. More information on Apple's VPP program can be found here.

2. Configure the devices using device policies

With the use of Endpoint Management policies, we can configure the devices the way we want them. By creating a restriction policy and applying it to the devices, we can control what is and what isn’t allowed on the device. We can, for example, prevent applications from being downloaded, the camera from being used or Siri from being activated, as shown in the screenshot below. There are many, many more restrictions that can be made. This is a good feature to use when you don’t want the end users changing configuration and settings on the devices.

Restriction Policy

To get the devices automatically connected to the network, we make use of a WiFi policy. We pre-configure the device to automatically connect to a specific SSID using the configured WPA2 key:

WiFi Policy

By configuring a Home Screen Layout policy, we can control where the applications get placed on the device, as well as create folders for specific applications to be placed in. This can be handy if we want the same look and layout on all the devices:

Layout Policy

3. Deployment

To enroll a large number of iOS devices, you can use Apple's Device Enrollment Program (DEP). You submit the serial numbers of the devices purchased from Apple or an authorized seller to DEP to configure and enroll the devices. They are then automatically enrolled into your Endpoint Management and users can start using them right out of the box. More information on Apple's DEP program can be found here.

When the users now start the device for the first time, all the configurations and policies applied to the device will be configured automatically without any configuration requirements. By using MDM, MAM and Endpoint Management, we can really simplify the challenges that come with administering mobile devices.