Citrix – Sida 2 – Xenit Technical

Category: Citrix

NetScaler HA heartbeats in Azure

When using NetScaler with multiple NICs in Azure, heartbeats will not be seen on other interfaces other than the one NSIP is configured on.

To resolve this, disable heartbeats on the other interfaces (in my case, NSIP is on 0/1 and disabling on 1/1 and 1/2):

 



Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)

I wrote a blog post for NetScaler active/passive HA in Azure with multiple NICs two days ago, and I’ve been trying to figure out if this was the best way to do it. In the other post, I was using IPPattern in NetScaler to set the vServers to a /31 – which does work but that’s just because of how the underlying Azure infrastrucuture works (where machines outside of the VM – for example Azure LB – can only access the IP that has been assigned to the VM).

There is another way of doing this, which doesn’t require you to use a /31. The key is in configuring DSR (Direct Server Return) in Azure LB (also known as Floating IP). This will make it possible to use the same VIP on the NetScalers as the Frontend IP of the Azure LB – which saves IP-addresses and is easier to configure. This is the way Citrix has documented it and this is how their HA template does it.



OneDrive with simulated Single Sign-On

Recently we have received numerous requests to implement OneDrive in multi-user environments. This is not an easy task given that Microsoft refuses to release and develop a client supporting multi-user environment. Citrix and Microsoft give the following recommendations:

  1. Use OneDrive for Business through the browser.
  2. Use ShareFile instead of OneDrive for Business.
  3. Continue using OneDrive for Business, but through ShareFile Desktop App or ShareFile Driver Mapper.


NetScaler Active/Passive HA in Azure with multiple NICs/IPs

Update:

I’ve found out that there’s a much easier way of doing the below in Azure – take a look at the updated blog post:

Updated: NetScaler Active/Passive HA in Azure with multiple NICs/IPs (DSR/Floating IP)

——

There are a lot of information out there about setting up NetScaler HA in Azure. One way is using a single NIC and a single IP for all traffic – which allows for active/passive but causes other limitations. Another way is to use multiple NICs/IPs and use active/active. Both cases uses Azure LB to provide high availability.



Nyheter från Microsoft i November

Fulla versionen av Citrix Receiver finns nu som applikation i Microsoft Store, perfekt för Windows 10 S.

Citrix Receiver är en produkt som gör det möjligt att ansluta till Citrix virtualiseringstjänster XenApp och XenDesktop. Detta öppnar upp för fler möjligheter om man tex använder Windows 10 S som är en nerlåst version av Windows 10 som först och främst konkurrerar med Googles motsvarighet, Chromebook. I Windows 10 S kan du endast installera applikationer från Microsoft Store, och S-versionen ska enligt Microsoft ge en 15 sekunder snabbare uppstart jämfört med en dator som kör Windows 10 Pro. Man antyder även att den ska fungera lika bra dag 1 som på dag 1000, antagligen då denna versionen är så pass nerlåst och onödiga filer kan inte installeras.



Citrix changing default ICA Protocol from TCP to UDP Q4 2017

For XenApp/XenDesktop versions released in Q4 2017 or later (version 7.16 or newer), the default protocol for ICA traffic will be changed from ICA TCP to Enlightened Data Transport (EDT). EDT is a recently-developed protocol from Citrix and is UDP based, unlike traditional ICA which is is TCP based. One of the reasons Citrix developed EDT is because TCP protocols have some drawbacks related to Congestion Control, leading to sub par performance in certain scenarios.

Citrix realizes however that UDP traffic is not always allowed, or configured, in Citrix environments, so they added a new feature called ‘Adaptive Transport’ which will try EDT protocol (UDP) first, and if that does not work it will fallback to using regular ICA over TCP.



FSLogix Profile Containers – Enkel och snabb profilhantering

FSLogix har en intressant produkt som heter Profile Containers, den tar hand om huvudvärken som profiler ofta skapar i fleranvändarmiljöer. Det är idag komplext att sätta upp en fleranvändarmiljö som erbjuder en bra upplevelse för användarna. En utav de stora utmaningarna är inloggningstiden för användaren eftersom storleken på profilen ofta är en stor faktor. Det krävs mycket tid till att exkludera så mycket som möjligt för att hålla nere användarens profilstorlek, vilket måste underhållas om t.ex. när nya applikationer introduceras i miljön. Det är dessutom väldigt standardiserad lösningar som inte tar hänsyn till varje persons unika behov vilket också försämrar upplevelsen.

Faktum är att Office 365 Containers som jag har skrivit om tidigare är en ”light-version” av Profiles Containers som löser några av de största problemen relaterade till Office 365 i en fleranvändarmiljö. Profile Containers fungerar nästan precis likadant som deras lite lättare produkt Office 365 Profile Containers som skapades just för att kunna nyttja några av de största fördelarna i Office 365 i en fleranvändarmiljö.

Precis som Office 365 Containers skapas en personlig VHD-fil för varje användare som lämpligtvis finns på en lagringsyta med hög tillgänglighet. VHD-filen kommer att anslutas till användarens session och hela profilen finns nu tillgänglig för systemet, ingenting behöver kopieras över, vilket är en mycket stor fördel. Det spelar ingen roll om profilen är 100 MB eller 5 GB, det kommer alltid ta samma tid för VHD-filen att ansluta till din session vilket innebär att inloggningstiden kommer ligga konstant, och det är runt ca 15 sek. Vi behöver alltså inte skapa komplexa regler för vad som ska finnas i profilen längre, användaren kan ha kvar allt och bibehåller då alla sina inställningar och data. Nedan kan du se skillnaden mellan FSLogix och andra metoder för att peka om profilen.

För att läsa mer om FSLogix Profile Containers och deras övriga produkter kan ni läsa mer på deras officiella sida www.fslogix.com

Vill ni veta mer om denna produkten tveka inte att kontakta oss för en mer detaljerad beskrivning om hur denna produkt kan hjälpa er!



Print drivers and Microsoft Update KB3170455

Typically users get their printers mapped by Group Policies or Group Policy Preferences. Especially in Citrix environments, users should not have the right to add their own printers or drivers that are not approved for multi-user environments. On July 12th 2016, Microsoft released a security update (KB3170455) to safeguard Man-in-the-Middle (MITM) attacks for clients and print servers. Then an updated version was released again September 12th 2017.

Users could encounter the dialog boxes below if the driver did not meet the requirements of Microsoft where the driver would be packaged and signed with a certificate:

Scenario 1

For non-package-aware v3 printer drivers, the following warning message may be displayed when users try to connect to point-and-print printers:

Do-you-trust-this-printer

Do you trust this printer?

Scenario 2

Package-aware drivers must be signed with a trusted certificate. The verification process checks whether all the files that are included in the driver are hashed in the catalog. If that verification fails, the driver is deemed untrustworthy. In this situation, driver installation is blocked, and the following warning message is displayed:

Connect-to-printer

Connect to Printer

Even if you enabled Point and Print restrictions in GPO and specified which server’s clients could get drivers from, users could encounter an installation prompt and request administrator privileges to install.

For most printers this is not an issue if there is an up-to-date driver which is compliant. Some manufacturers do not always provide printers drivers that is both packaged and signed. The first thing you should do is update the driver to one that both is signed and packaged. Usually the drivers from the manufacturer are signed according to Microsoft Windows Hardware Quality Labs (WHQL) but may not be packaged correctly and the users get prompted for administrator credentials when the printer is being added to the client computer or in the remote desktop session.

Since KB3170455 we need to enable point and print restrictions and specify our print servers in the GPO. For most printers there is no issues, however a couple of printers will not be pushed out by Group Policy Preferences since the update. Even though the print server was listed in the point and print GPO. Browsing the print share and trying to connect the printer manually would result in the ”Do you trust this printer” pop up which will then prompt for administrator credentials to install the driver. Looking at Print Management on the server in question shows that the problem printer drivers have a ”Packaged” status of false.

Workaround:

If you are pushing out printers via Group Policy or Group Policy Preferences and they are of Non-Packaged type you will always get a prompt to install, ignoring the point and print GPO, which will cause the install to fail. A workaround to this is a registry edit on the print server – test and verify this first before putting it into production:

  • HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windowsx64\Drivers\<…>\<Driver name>\PrinterDriverAttributes

Change the value from 0 to 1 and reboot the printspool service or/and server. The value for other print drivers may not be 1, but to make this work the value needs to be set to an odd number. For example, if the value is 4 change it to 5. Only do these changes if you have no other means of getting a valid driver or printer swapped. In RDS/Citrix environments you could pre-install the printer driver on the host if viable and you only have a few session-hosts.

Back in Print Management you will see the Packaged status is now changed to true, and the printer should deploy. If you can find packaged print drivers then use those, but some manufacturers have not bothered supplying them.

PrintManagement-packaged-true

PrintManagement – Packaged True

Source: https://support.microsoft.com/en-us/help/3170005/ms16-087-security-update-for-windows-print-spooler-components-july-12



RfWebUI idle timeout

There seems to be an issue with the idle timeout in RfWebUI (verified in NetScaler version 12.0) and I’ve created a workaround until it is solved.

It is all based on a JavaScript that checks if the user is logged on, if logged on it starts a timer and when the timer is reached logs the user out.

Change the parameter at the top ”var timeout = xyz” where xyz is the time out in seconds. Because I wasn’t able to only insert this script when the user is logged in (always had to refresh) I chose to create a check that checks every five seconds for the cookie NSC_AAAC which is created upon logon and removed during logout. In this case, we reset the timer if the mouse is moved, a page is loaded or a key is pressed. This can be changed based on your requirements (for example removing document.onclick = resetTimer; if you don’t want a click to reset the idle timer).

When using it in Netscaler, add it like this:

If you are using the NetScaler Web UI to create the rewrite, the action expression will look like this:

 



Remove ”Password 2” from RfWebUI

Update:

Seems like the first method actually removes a password field when changing password. This shouldn’t do that:


Original post:

Have you had an issue with RfWebUI where you need to remove the ”Password 2”-field when for example using RADIUS as primary authentication source (challenge based) and LDAP as secondary?

As always, the great Sam Jacobs has the answer on Citrix Discussions.

If you don’t want to edit any files yourself or not create a a new theme you can use a rewrite to do this for you: (I’m editing style.css and not theme.css)

It should now look as expected: