Category: Citrix

How to manually crash your VM on a XenServer

Sometimes you need to simulate or provoke a crash on a Virtual Machine to either verify a problem or get a Memory Dump to have a closer look at whats is happening with the Virtual Machine. The thing is, its quite tricky to do that manually. Lucky for you there is a quite simple way to achieve this on a XenServer and I will show every step of the way.

When your Virtual Machine (VM) is at the desired state you should do the following steps:

  1. Find out the VM ID the XenServer has provided the VM, this changes when rebooted so you need to make sure every time you do this, you cannot use the same ID again. First make note of the Virtual Machine UUID, you can find it under “General” for the specific VM.

2. Now we need to find out the ID the XenServer provided for this specific VM. Go the the XenServer Console (the host of the VM) and type the following: list_domains 

As you can see it lists all the VM on this XenServer, and you will also see the ID provided correlated to the UUID. Make sure you have the correct ID and type the following: xen-hvmcrash <ID> (without the brackets). 

Congratulations, You have now successfully crashed the Virtual Machine!



Manage your corporate devices using Citrix Endpoint Management

Let’s say you’ve bought in 50 new iPad devices that you want to deploy to your users, and you have acquired a new mobile application that you want your users to start using on these devices. This is a fairly common scenario for businesses and companies. But how do you do this in a fast and secure way?

By using Mobile Device Management (MDM), Mobile Application Management (MAM) and Citrix Endpoint Management (formerly XenMobile Services) in this case, we can configure these devices to fit our needs, without any end user interaction whatsoever.

For this scenario, we want the iPads configured in the following way:

  1. Automatically download and install the business application
  2. Restrictions, WiFi and application layout of the start screen configured
  3. Deployed into the system automatically

These requirements are easily configured using Endpoint Management. By using using polices and synchronization to Apples services we create a seamless experience for the end user.

1. Automatically download and install the business applications

First off, we need to do some configuration to get the application out to our devices. Using the Apple Volume Purchase Program (VPP), we can automatically install applications without any user interaction or Apple ID login. You enroll to the program on Apples web page, where you after enrollment download a token and upload it to your Endpoint Management console. It then automatically syncs down any applications you buy from the App Store into your Endpoint environment, ready to be pushed out to any devices automatically. So when the application is in your system and set as required, it automatically gets intalled on the devices. More information on Apples VPP program can be found here.

2. Configure the devices using device policies

With the use of Endpoint Management policies, we can configure the devices the way we want them. By creating a restriction policy and applying it to the devices, we can control what is and what isn’t allowed to do on the device. We can for example not allow applications to be downloaded, camera used or Siri activated, as shown in the screenshot below. There are many, many more restrictions that can be made. This is a good feature to use, when you don’t want the end users changing configuration and settings on the devices.

Restriction Policy

To get the devices automatically connected to the network, we make use of a WiFi policy. We pre-configure the device to automatically connect to a specific SSID using the configured WPA2 key:

WiFi Policy

By configuring a Home Screen Layout layout policy, we can control where the applications get placed on the device, as well as create folders for specifics applications to be placed in. This can be handy if we want the same look and layout on all the devices:

Layout Policy

3. Deployment

To enroll a large number of iOS devices, you can use Apples Device Enrollment Program (DEP). You submit the serial number of the devices purchased from Apple or an authorized seller to DEP to configure and enroll the devices. They are then automatically enrolled into your Endpoint Management and users can start using them right out of the box. More information on Apples DEP program can be found here

When the users now start the device for the first time, all the configurations and policies applied to the device will be configured automatically without any configuration requirements. By using MDM, MAM and Endpoint Management, we can really simplify the challenges that comes with administering mobile devices.



Smart Check – Monitor Your Citrix Sites

Citrix Smart Check is a software and a service that installs on a Citrix Delivery Controller and collects diagnostic data, sends it to the Citrix Cloud account, where it gets analyzed and presented on the Citrix Cloud website. The information helps Citrix administrators to prevent and resolve issues before they happen or impact the users, give recommendations on fixes and to keep the Citrix environment stable.

The Smart service helps Citrix administrators that do not have their own monitoring setup or are unable to monitor their sites for other reasons and presents it on a webpage overview. The administrators can also get scheduled summarized mail reports regarding errors, warnings and information regarding the state of the different sites.

Citrix Cloud Smart Tools

Smart Check – Sites Overview

What Smart Check provides

  • Overview of the Citrix sites and products used, site-by-site
  • An extensive diagnostic and health checks for the different sites and services
  • Scheduled health controls of Delivery Groups, StoreFronts, Delivery Controllers, Machine Catalogs, Provisioning and License Servers
  • Give recommendations what administrators should do with the site to keep it up-to-date and stable
  • Help with simplified troubleshooting and pin down where the issue may be impacting users
  • Upload diagnostic data to Citrix Insight Services (CIS)

Smart Check - Overview

Smart Check – Overview

How to get started

First, you need a Citrix Cloud account. Register an account at https://smart.cloud.com. After you have created an account you can login, click Add Site and download the Smart Check software. The software should be installed on a Delivery Controller on the site and comes with a one-time signed JSON Web Token (JWT) that is used to connect your site to the Citrix Cloud – Smart Tools service.

Smart Tools - Add Site

Smart Check – Steps to take

Add Site - CitrixSmartToolsagent.exe

Add Site – CitrixSmartToolsagent.exe

Once the Smart Check agent is installed it will show up on the Citrix Cloud – Smart Check webpage as Site Discovered. You will need to click on Complete Setup and provide a domain user account that is a member of the local Administrator group of the Delivery Controller and full administrator role in Citrix Studio. PowerShell 3.0 or greater needs to be installed on the Delivery Controllers and outbound internet access on port 443 enabled to be able to upload to Citrix Cloud.

Smart Check - Site Discovered

Smart Check – Site Discovered

Smart Check - Enter Credentials

Smart Check – Enter Credentials

For VDA the following must be enabled:

  • File and Printer Sharing
  • Windows Remote Management (WinRM)
  • Windows Management Instrumentation (WMI)

For a full list of requirements and supported site components, visit Citrix Product Documentation – Smart Check requirements.

Smart Checks

Below is a list of the checks that are available as of this post. There are probably more to come:

  • Site Health
  • Citrix Optimizer
  • Citrix Provisioning
  • Delivery Controller Configuration
  • License Server
  • LTSR Compliance
  • Product LifeCycle
  • StoreFront
  • VDA Health

Each category contains several checks. You can read an excerpt of the different checks performed below.

Site Health Checks

Site Health Checks provide a comprehensive evaluation of all the FMA services including their database connectivity on your Delivery Controllers. Citrix recommends you run these checks at least once daily. Site Health Checks verify the following conditions:

  • A recent site database backup exists
  • Citrix broker client is running for environment test
  • Citrix Monitor Service can access its historical database
  • Database connection of each FMA service is configured
  • Database can be reached by each FMA service
  • Database is compatible and working properly for each FMA service
  • Endpoints for each FMA service are registered in the Central Configuration service
  • Configuration Service instances match for each FMA service
  • Configuration Service instances are not missing for each FMA service
  • No extra Configuration Services instance exists for each FMA service
  • Service instance published by each FMA Service matches the service instance registered with the Configuration service
  • Database version matches the expected version for each FMA service
  • Each FMA service can connect to Configuration Logging Service
  • Each FMA service can connect to Configuration Service

Citrix Provisioning Checks

Citrix Provisioning Checks verifies Citrix Provisioning status and configuration.The following checks are performed:

  • Installation of Provisioning Server and Console
  • Inventory executable is running
  • Notifier executable is running
  • MgmtDaemon executable is running
  • StreamProcess executable is running
  • Stream service is running
  • Soap Server service is running
  • TFTP Service is running
  • PowerShell minimum version check
  • Database and Provisioning server availability
  • License Server connectivity
  • Provisioning Update Check
  • PXE service is running
  • TSB service is running

StoreFront Checks

StoreFront Check validates the services status, connectivity to Active Directory, Base URL setting, IIS Application Pool version and the SSL certificates for Storefront, and verifies the following conditions:

  • Citrix Default Domain Services is running
  • Citrix Credential Wallet services is running
  • The connectivity from the StoreFront server to port 88 of AD
  • The connectivity from the StoreFront server to port 389 of AD
  • Base URL has a valid FQDN
  • Can retrieve the correct IP address from the Base URL
  • IIS application pool is using .NET 4.0
  • Certificate is bound to the SSL port for the host URL
  • Whether or not the certificate chain is incomplete
  • Whether or not certificates have expired
  • Whether or not certificate(s) will expire within one month

VDA Health Checks

VDA Health Checks help Citrix administrators troubleshoot VDA configuration issues. This check automates a series of health checks to identify possible root causes for common VDA registration and session launch issues.

  • VDA software installation
  • VDA machine domain membership
  • VDA communication ports availability
  • VDA services status
  • VDA Windows firewall configuration
  • VDA communication with each Controller
  • VDA registration status

For Session Launch:

  • Session launch communication ports availability
  • Session launch services status
  • Session launch Windows firewall configuration
  • Validity of Remote Desktop Server Client Access License

Closing words

You can run checks manually, but it is also possible to schedule (recommended) the different health checks and get a summarized report daily or every week at designated time of day. The summary gets mailed to the registered Citrix Cloud account and to view more information you need to logon to the Smart Cloud website.

It is possible to view previous reports of the Smart Check runs and hide alerts that has been previously acknowledged:

Smart Check Health Alerts

Smart Check – Health Check Runs History

Under Site Details you can view components or add new ones. If needed it is also possible to Edit Site Credentials, Sync Site Data or Delete the Site:

Smart Check - Site Details

Smart Check – Site Details

Smart Check is supported both on-prem and in the Citrix Cloud environment.
It is easy to setup and brings a great deal of value. You should try it out! Let me know how it went in the comments down below.

Smart Tools contains Smart Checks and Smart Scale. Smart scale helps reduce your XenApp and XenDesktop on Azure Cloud resource costs. But this will be in covered another post.

Source: https://docs.citrix.com/en-us/smart-tools/whats-new.html



VDA stuck when updating

Sometimes (no idea why, seems random to me) the VDA update is stuck after prompted to reboot in the middle of the update like below.

VDA Update Stuck

After going through the logs (Get-content “$env:LOCALAPPDATA\Temp\Citrix\XenDesktop Installer\XenDesktop Installation.log” -wait) I noticed that the VDA setup creates a RunOnce key just before the restart.

VDA Update Powershell Log

After checking the registry path “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce” there was indeed a key created with the name “!XenDesktopSetup”.

VDA Update Stuck Registry

After deleting this key the update proceeded immediately.

VDA Update Proceed

I guess the registry key should delete it self after a reboot, but for whatever reason it doesn’t. This update was from 7.18 to 1808, but have happened to me in all different versions from 7.15 and later.



Teams in your Multi-user environment done right!

Microsoft Teams is on the rise, more and more businesses is seeing the potential of Teams and want a piece of the action.

Unfortunately Microsoft Teams is not ideally designed to work on a Multi-user environment like Citrix Xenapp or Microsoft Remote Desktop services. It is entirely installed in the users profile, and its quite big. A clean installation of teams is roughly 600 MB and will quickly grow, and you know what that means… You guessed it: Super long logon time, since logging on to the Multi-user environment often means the profile would be downloaded to Session Host before you are properly logged on, the users will not be happy! And on top of that, the latest recommendation in size per Teams installation is 3 GB…

There is however some rumors indicating there will be releasing a business version soon addressing this very issue! But if you are anything like me, and cant simply wait, there is a solution if you are willing to pay a small price, and you will at the same time have access to tons of other great stuff.

FSLogix Profile Container

FSLogix Profile Container is a great product that basically removes the profile size entirely, is an little agent you install on your Session Hosts and configure with an ADMX, you also need a file share with enough space for some big profiles. FSLogix is in the business of so called filter-drivers, what it does is simply put, lying to Windows. For example, when you install a 32-bit application to your 64-bit Windows System, Windows will use its own filter-driver to get it to work, its the same technology, its efficient and simple. In FSLogix case it is lying to the windows about the profiles, Windows thinks its a local profile, it does not know that in fact, the entire profile is contained in a vhd-file, mounted to the server. Because its a virtual disk that attaches to the server, there is only one SMB handle. It will therefor not be a huge load on the network, which you often sees when you for example roam your profiles.

Install Teams

When you have FSLogix Profile Container in place you can now install teams on your environment.  In early October Microsoft released a new version of Teams with some new features when deploying Teams to all the users in an organization, we are going to use parts of that to install Teams on to our environment!

 

  1. Download the latest version of Teams MSI-file (x64) file here!
  2. If you like to disable Auto-start of Teams use the following install string (otherwise just install without the option):

    This will put an Install file under “C:\Program Files”, and when a user logon it will automatically install Teams to this user.
  3. You do not need to update the MSI to the latest version, Teams will automatically download and install pending updates on the next logon of the user.

There you go, now your users can benefit from the full experience of Teams in your Multi-user environment, with one exception: if you are using Citrix, you have “Skype for Business Optimization Pack” to utilize local client resources for best quality of Skype meetings and calls. There is no support for Teams as of for now. It will soon be available though. With that said, I wouldn’t uninstall Skype for business just yet.

Other Great stuff

As mentioned above, there is a lot of benefits using FSLogix Profile Container. For a great period of time, Citrix User Profile Manager has been the best way to reduce the size of the profiles while still have the most important settings saved in your profile. But this is still just a trade-off, you trade off your caches and settings that impact your profile logon, but at the same time still trying to get the best experience for the user, this will sometimes collide and you have to choose between longer logon time or full functionality of a certain application.

With FSLogix Profile Container you no longer need to worry about large profiles, you don´t need to trade off! There are a lot of applications that saves a ton of settings and files in your profile that you now can install without impacting the user experience, this opens up a great deal of opportunities. You can for example install OneNote with it´s (potentially)  gigantic cache, CAD applications with thousands of files in the user profile and so much more.

 

If you find this interesting and would like a trial of FSLogix Profile Container to see if this fits your organizations needs, please contact us. It is easily installed and does not require additional servers or infrastructure!

 



Migrate home directory to a new location

Recently, I have been involved in some larger XenApp projects where one of the objects have been to migrate home directories when users change environment. People tend to lock themselves to the idea that IT must help migrate home directory when the user is given access to the new environment. A better way to approach this is to publish a script to the start menu and inform users to run the script when first logging in to the new environment. In one of the projects it were a bit more complicated because the home directory structure was different from the structure in the new XenApp environment (see below).

 

Old structure

  • Links
  • Favorites
  • Downloads
  • Documents
    • My Music
    • My Videos
    • My Pictures
  • Desktop
  • Contacts
  • AppData

 

New structure

  • Downloads
  • Documents
  • Pictures
  • Music
  • Videos
  • Desktop

 

To solve this we had to create a PowerShell script with a bit more logic. Basically what we do is the following;

  1. Copy everything from old home directory to the new home directory, except the excluded folders and files
  2. Copy “\Documents\Music” to “\Music”
  3. Copy “\Documents\Videos” to “\Videos”
  4. Copy “\Documents\Pictures” to “\Pictures”
  5. Copy “\Favorites” to “\%USERPROFILE%\Favorites” (It’s bad practice to redirect Favorites. Read more here)
  6. Copy necessary items from “\AppData\~” to “\%USERPROFILE%\AppData\~” (We use Citrix Profile Management instead of redirecting AppData to the home share. Redirecting AppData to the home share is also bad practice. Same reason as why it’s bad practice to redirect Favorites.)

 

 

The end result looks like this;.

User runs “Copy Home Directory” from Start Menu as instructed

Copy Home Directory

A box pops up

Popup - Copy the entire home directory from the old environment

Another box pops up when the script is finished copying the old home directory

Popup - Finished



Update Workspace Environment Management from 4.5 to 1808

The other day I tried to update Workspace Environment Management from 4.5 to 1808. I followed the guidelines provided from Citrix here. Everything went fine with the update of “Infrastructure Services”, “Database” and “Administration Console”, but when I tried to connect to the “Infrastructure Services” with the “Administration Console” I faced the error “Specified Infrastructure Server seems to be offline or have a wrong database configuration. Please check configuration and try again.”.

User-added image

I saw that the connection started to initialize to the database and everything went fine until WEM tried to read “StorefrontSettings”, then the error came up. I started digging by enabling “debug mode” in “WEM Infrastructure Service Configuration”. This saves a log to “C:\Program Files (x86)\Norskale\Norskale Infrastructure Services\Citrix WEM Infrastructure Service Debug.log” with information and errors connecting to the “Infrastructure Services”. Unfortunately I did not save the exact error message but it was something like “Error reading dbo.VUEMStorefrontSettings”.

WEM Debug

I remembered that Citrix added the functionality to point to a StoreFront store in version 4.6.

WEM Storefront

To resolve the issue I restored the database and server to 4.5 and upgraded all the components and database to 4.6, then 4.7 and then finally 1808. After this everything worked as expected.

Seems to me that Citrix forgot to add to create “dbo.VUEMStorefrontSettings” if not previously existing in 1808…



OpenID Connect token validation in Citrix ADC

I’ve previously written about how to use OpenID Connect in NetScaler and a way to use callouts to validate tokens. You can also use the function JWT_VERIFY_CERTKEY() but that requires that you (for now) keep the issuing certificate updated locally.

Another way is to setup an OpenID Connect client (OAuth Action) on Citrix ADC and enable 401 authentication in the load balancing vserver. Below is an example where the NetScaler will validate that the token sent is valid and issued by the correct provider. (I’ve used Azure AD in my example)

The only thing you have to do is send traffic with tokens (HTTP.REQ.HEADER(“Authorization”).SET_TEXT_MODE(IGNORECASE).CONTAINS(“Bearer “)) to this LB and a session will be created in NetScaler. In my case, I’m also verifying that the user exists using a second factor to LDAP.

Try it out and all feedback is welcome!



Citrix ADC and ADM automation using Ansible

I’ve been working with Ansible more and more and been learning a lot. It’s so much fun but I also think it can help others out there with their projects. I’ve published a few blog posts regarding a few different parts of how I automate Citrix ADC (NetScaler) and Citrix ADM (NetScaler MAS), and will be holding a presentation about it at Citrix User Group Norway (CUGTech Autumn 2018) – I hope to see you there!

The blog posts I’ve published regarding this (so far) are:

I’ve learnt so much creating these playbooks and will continue to work on and perfect them. Most likely will be undergoing continuous improvement from now on! It will be great to talk about all of this next week, something I’m really looking forward to!

I hope to see at least a few of you out there test these playbooks and maybe even contribute to them or collaborate with me making them even better.



Configure Stylebook configpacks using Ansible and Citrix ADM

I’ve created an Ansible playbook to deploy configpacks to Citrix ADC (previously Citrix NetScaler) using Ansible and Citrix ADM (previously Citrix NetScaler MAS). You add the configuration to the parameters and the playbook will add configpacks using the settings you’ve defined.

Still a lot to do with this one, for example updating the configpack when the parameters has changed in the playbook.

The playbook has been published to Azure DevOps and can be found here. The readme contains the latest information.

The playbook configures the following (as of this blog post):

  • Identifies the current primary/active Citrix ADC (NetScaler)
  • Locates the active nodes instanceId
  • Identifies all Stylebooks on Citrix ADM
  • Identifies what Stylebooks will be used
  • Creates configpack if it isn’t already created
  • Verifies that the configpack is deployed without any failures

Feel free to try it out and all feedback is welcome!