Category: Uncategorized

FSLogix and Microsoft – When and How!

Since Microsoft acquired FSLogix in November there has been some uncertainty regarding licensing and, most importantly, when it will be available through Microsoft.

Ever since Microsoft acquired FSLogix there has not been much information about what is happening. We knew Microsoft had its eyes on the Office 365 Container solution and potentially Profile Container as well, but what would happen to the rest of the suite, such as App Masking and Java Redirection? Would they disappear, or would Microsoft continue to support and develop the entire suite?

When Microsoft released Windows Virtual Desktop to public preview, it also announced its intentions for the FSLogix suite.

As you are probably aware by now, FSLogix will be part of Windows Virtual Desktop, but it does not stop there; see below for when you are entitled to use the FSLogix suite.

Licensing

FSLogix will be available at no additional cost if you have one of the following Microsoft licenses:

  • Microsoft 365 F1, E3 or E5
  • A3 and above for education and non-profit
  • Windows 10 Enterprise E3 or E5
  • or if you have RDS CALs

 

Where and when can I use it?

The really good news here is that it is not limited to Azure; you can use it wherever you want, even on-premises. You cannot acquire the license just yet (it will be available in June), but you can request a trial, which gives you all the functionality and features in the meantime. Don't hesitate to contact me if you would like a trial and start benefiting from this product today!

Which FSLogix apps are included?

  • Office 365 Containers
  • Profile Containers
  • Java Redirection
  • App Masking

 

This is really good news, since this is a solid product that solves some real headaches. I'm looking forward to this, and so should you! If you are looking to implement this solution in your environment, don't hesitate to contact me at Jonas.Agblad@Xenit.se or leave a comment.

 

Don't miss my earlier posts about FSLogix for more information:

What is FSLogix Cloud Cache?

Keep your FSLogix VHD-files Optimized!

Convert Citrix UPM to FSLogix Profile Containers

Teams in your multi-user environment done right!

Outlook Search index with FSLogix – Swedish

FSLogix Profile Container – Easy and fast Profile management – Swedish

Office 365 with FSLogix in a Multi-user environment – Swedish

 

 



Mixed authentication methods added for GlobalProtect

In Palo Alto Networks' latest release, PAN-OS 9.0.0, a new feature was added that allows mixed authentication methods on the same GlobalProtect portal and/or gateway.

When this feature is enabled, your users can authenticate with user credentials and/or client certificates. The options are either to require both user credentials and client certificates, or to allow user credentials or client certificates. Note that the "either" option lowers the assurance to the weaker of the two methods (a phishable password alone, or a certificate alone on a device that may not be yours), so reserve it for platforms where requiring both is not practical.

On top of this, you can set different requirements depending on the OS the user connects from. Below is the current list of operating systems you can set policies on:

  • Android
  • Chrome
  • iOS
  • Linux
  • Mac
  • Satellite
  • Windows
  • WindowsUWP
  • X-Auth

With this you could create one client authentication entry that requires Windows users to authenticate with both user credentials and client certificates.

Then create another that allows your Android users to authenticate with either user credentials or client certificates.

This feature can be useful in several situations, for example if you already have two different portals and one of them only requires user credentials for authentication. In that case you could merge the two configurations and free up the public IP address that was used for the other portal/gateway.

More information can be found on: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/globalprotect-features/mixed-authentication-method-support-for-certificates-or-user-credentials.html 

If you have any questions, feel free to email me at petter.vikstrom@xenit.se or comment down below.



LACP-FALLBACK BETWEEN ARISTA AND NUTANIX

If you have LACP configured between your Arista switches (or any other switches) and a Nutanix cluster, you will run into an issue when using Nutanix Life Cycle Manager (LCM).

LCM updates for BIOS, BMC and SATA DOM are currently not supported for Nutanix Clusters that use protocols such as LACP.

If you try to do a full update with LACP active, your first node will not come back online and will be stuck in maintenance mode.

The reason a node gets stuck is that for some of the updates the node boots into the Phoenix ISO, and Phoenix does not support LACP at this time.

A workaround is to enable LACP fallback on your switches. Below is an example with Arista showing how quickly it can be configured:

You need to configure LACP fallback on every port-channel that is connected to one of your nodes.

When the upgrade is complete and the node has booted back into AHV, it starts sending LACP PDUs again and LACP is automatically re-established on the port-channel.
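The Arista EOS configuration below is an added example of the fallback setting described above; it is not the switch configuration from the original post. The port-channel number, member interfaces, description strings, VLAN list and the 50-second timeout are assumptions; repeat the port-channel block for every node as the post says.

```text
! Added example: LACP fallback on the port-channel facing one Nutanix node (Arista EOS).
! Interface numbers, VLANs and the timeout value are assumptions, not from the post.
interface Ethernet1
   description NTNX-node1 nic0
   channel-group 10 mode active
!
interface Ethernet2
   description NTNX-node1 nic1
   channel-group 10 mode active
!
interface Port-Channel10
   description NTNX-node1 bond
   switchport mode trunk
   switchport trunk allowed vlan 10,20
   ! individual: if no LACP PDUs are received within the timeout, the member ports
   ! come up as ordinary (non-bundled) ports, so a node booted into Phoenix, which
   ! does not speak LACP, keeps its link and the LCM update can finish.
   port-channel lacp fallback individual
   port-channel lacp fallback timeout 50
```

With fallback in "individual" mode only one member link carries traffic while the node is in Phoenix, which is acceptable because Phoenix does not bond the NICs anyway; once AHV is back and PDUs flow, EOS re-forms the LACP bundle on its own. Verify with "show port-channel 10 detailed" that fallback shows as enabled before starting the LCM run.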

If you have any questions, feel free to email me at petter.vikstrom@xenit.se or comment down below.



BIND CERTIFICATES TO CAPTIVE PORTAL IN ARUBA CENTRAL

When creating a new Guest Splash Page with either Anonymous, Authenticated or Facebook Wi-Fi, users will encounter a certificate error after authenticating to the Captive Portal.

This is because, by default, users are redirected to securelogin.arubanetworks.com or securelogin.hpe.com, which uses the built-in certificate contained in Aruba Central.

Since you will most likely have external users connecting to your guest network, you will need a certificate from a trusted third-party CA. I will not cover the steps to obtain the certificates in this example.

Start by uploading your server certificate and CA certificate in Aruba Central under Global Settings > Certificates. Press + to upload a certificate.

After the certificates are uploaded, the list should show both entries.

To bind the certificates to your Captive Portal, go to Wireless Management (choose the group you want to change) > Security > Certificate Usage. Under Captive Portal, select your new server certificate and change the Certificate Authority to the CA certificate you uploaded earlier.

As a last step we need to change the Common Name in the Guest Splash Page. Go to Guest Access > Splash Page and open the page you created. Activate "Override Common Name" and enter the FQDN that matches your certificate's CN. Since current browsers ignore the CN and only check Subject Alternative Names, make sure the same FQDN is present as a SAN entry in the certificate as well.

When this is finished you are good to go, the certificate warning should now be gone!



How to manually crash your VM on a XenServer

Sometimes you need to simulate or provoke a crash of a virtual machine, either to verify a problem or to get a memory dump for a closer look at what is happening inside the VM. The thing is, it is quite tricky to do manually. Luckily there is a simple way to achieve this on XenServer, and I will show every step of the way.

When your virtual machine (VM) is in the desired state, do the following:

  1. Find out the domain ID XenServer has assigned to the VM. This ID changes on every reboot, so you must look it up each time; you cannot reuse an ID from an earlier run. First make a note of the VM's UUID, which you can find under "General" for the specific VM.

  2. Now find the ID XenServer has assigned to this VM. Open the console of the XenServer host that runs the VM and type: list_domains

  The output lists all VMs on this XenServer, with each ID next to its UUID. Make sure you have the correct ID and type: xen-hvmcrash <ID> (without the brackets). xen-hvmcrash works on HVM guests; for a Windows VM the crash appears as a bug check, so the kind of memory dump you get is whatever the guest is configured to write.

Congratulations, You have now successfully crashed the Virtual Machine!
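The script below is an added example (not from the original post) that automates the lookup in the steps above: it resolves the VM's current domain ID from its UUID by parsing the output of list_domains, refuses to touch dom0, and then calls xen-hvmcrash. It assumes the dom0 tools list_domains and xen-hvmcrash are on PATH; the UUIDs in the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: crash a XenServer HVM guest by UUID.
# Assumes the dom0 tools `list_domains` and `xen-hvmcrash` exist on the host.

# Parse `list_domains` output (columns: id | uuid | state), read from stdin, and print
# the domain id whose uuid equals $1. Returns 1 if that uuid is not running here.
domid_for_uuid() {
    awk -F'|' -v uuid="$1" '
        NR > 1 {
            gsub(/[[:space:]]/, "", $1)
            gsub(/[[:space:]]/, "", $2)
            if ($2 == uuid) { print $1; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Look the id up fresh on every call: it changes each time the VM reboots,
# so a number noted earlier must never be reused.
crash_vm_by_uuid() {
    id=$(list_domains | domid_for_uuid "$1") || {
        echo "no running domain with uuid $1 on this host" >&2
        return 1
    }
    if [ "$id" -eq 0 ]; then
        echo "refusing to crash dom0 (the control domain)" >&2
        return 1
    fi
    xen-hvmcrash "$id"
}

# Constructed sample of `list_domains` output (UUIDs are made up), for a self-check.
SAMPLE_LISTING='id |                                 uuid | state
 0 | 8ec2e8f1-4b1c-4d83-9a3b-1f3d0c2e7a10 |     R
 5 | 2d9b4e77-0f36-4a2c-b6c0-7e0b1d5f9c21 |    B H
12 | c0ffee00-1111-2222-3333-444455556666 |    B H'

# Usage on a real host:  crash_vm_by_uuid 2d9b4e77-0f36-4a2c-b6c0-7e0b1d5f9c21
```

The guard against domain 0 matters: the control domain appears in the same listing, and crashing it takes down the host rather than the guest.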



How to handle pinned start menu apps in Windows 10

I have been customizing Windows 10 for a while now, and it has never worked against me this much. Sometimes Windows has its ways of working against you, and challenges like these give you the opportunity to spend a lot of time coming up with a solution. So this blog post is about my battle with the start menu of Windows 10 Professional. If you are here for the quick solution, skip to the TL;DR section at the bottom.

The Problem:

I have been able to customize the Windows 10 start menu with ease since version 1511 using the Export-StartLayout and Import-StartLayout cmdlets. But this time I got a request to remove all the pinned apps on the right-hand side of the start menu. A colleague told me he had done something similar inside a Citrix virtual desktop and had spent quite some time on it; I thought it would be much easier than it turned out to be. The requested start menu should end up looking like the picture below, with the following requirements:

  • No pinned apps in the right-hand part of the start menu
  • Chrome and Explorer pinned to the taskbar

This was the requested layout

To begin with, I created an XML file with just Chrome and Explorer pinned to the taskbar and set <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">. My thought was that this would give me a clean start menu, but this was my first failed attempt. My colleague, who had previously run into a similar issue in a Citrix environment, had during his research come across a post containing a script called "Pin-Apps". This script contains an Unpin function which turned out to be very helpful, so I started adapting my work around it. This is where I hit my second setback: I was not able to run this script and the Import-StartLayout script in the same logon script, nor one at startup and one at logon, so I had to think of another way to configure this in my isolated lab environment.

Luckily I have been working a lot with OS deployment, so I created a task sequence containing the Import-StartLayout script, which ran successfully together with my logon script containing the Pin-Apps script. But here I hit my third setback, which by far had the most impact and took the most time. For some reason I was not able to remove bloatware such as Candy Crush, Minecraft etc. The script ran successfully, but every time the outcome looked like this:

Some applications would not be removed

I could not understand why these applications would not go away. I have dealt with bloatware before, but then it was simply a matter of removing it with the Appx cmdlets. I checked Get-AppxPackage and Get-AppxProvisionedPackage, and ran Remove-AppxPackage and Remove-AppxProvisionedPackage several times, but these apps were not removable and did not even show up until I manually selected them, at which point they started downloading (as shown on the application in the top right corner of the picture). So apparently they were links or shortcuts to the Windows Store rather than installed packages. Removing them with the Appx cmdlets does work if you are using Windows 10 Enterprise.

This is where I started digging deep. The apps were all published in the Windows Store, so I looked for any way, with the help of PowerShell, to force-download all the apps from the Store. I spent a lot of time on this without any success, so I had to rethink my plan. There was no way to force the bloatware to download, no way to remove it with the Appx cmdlets, and no way to get a clean start menu from an XML file. This gave me the idea: if you can't beat them, join them. There was no way to actively remove all the applications from the start menu of Windows 10 Professional, but replacing them worked.

The solution:

As I have yet to find any other way of removing the superfluous applications, creating a new XML that replaces the start menu contents with some harmless default applications was the only approach that worked for me. To list these applications, go to shell:AppsFolder or shell:::{4234d49b-0245-4df3-b780-3893943456e1} in File Explorer.

Applications can be found here

I chose to pin some of the applications that were on my start menu by default and that I knew were removable, and exported these to a new XML, which turned out to look like this:

From here I had to modify the Pin-Apps script to suit a Swedish operating system, and I added a registry key so it would not run more than once per user. If you want to lock down the right side of the start menu, set or create the LockedStartLayout value under HKEY_LOCAL_MACHINE and/or HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer to 1, together with the StartLayoutFile value pointing at your layout XML (this is exactly what the Start Layout Group Policy writes).

If you are running an OS language other than Swedish or English, you need to find the localized verb for unpin: save an application name to the variable $appname (as an example I will use Windows PowerShell) and list the shell verbs of that application.

This gives you all the verbs that apply to the application. In this case "Unpin from Start" is present.

After modifying the necessary bits I added it to a PowerShell logon script GPO with the parameter -UnpinAll, with the .ps1 file located in the GPO repository (SYSVOL), making sure it is readable by everyone. Readable is the operative word: the script runs in every user's session, so it must stay writable only by administrators, otherwise anyone who can edit it gets code execution on every logon.
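The script below is an added example and not the Pin-Apps script the post refers to. It shows the two pieces the post describes: listing the shell verbs of one Start-menu application (-AppName, the step used to find the localized "Unpin from Start" text), and unpinning every tile on the right-hand side once per user (-UnpinAll, suitable for a logon-script GPO). The Swedish verb text and the HKCU marker key path are assumptions.

```powershell
# Added example, not the original post's Pin-Apps script.
# -AppName <name>  : print the shell verbs of that application (find your language's "Unpin" verb)
# -UnpinAll        : unpin everything from the Start menu, once per user
# Assumptions: the Swedish verb string and the marker key location are my choices.
param(
    [switch]$UnpinAll,
    [string]$AppName,
    # Localized "Unpin from Start" verbs. English is known; Swedish is an assumption.
    [string[]]$UnpinVerbs = @('Unpin from Start', 'Ta bort från Start')
)

# CLSID of the Applications folder, the same view as shell:AppsFolder.
$AppsFolder = 'shell:::{4234d49b-0245-4df3-b780-3893943456e1}'
# Per-user marker so a logon-script GPO does not unpin again after the user re-pins tiles.
$MarkerKey  = 'HKCU:\Software\Xenit\StartMenuCleanup'

function Get-StartApp {
    (New-Object -ComObject Shell.Application).NameSpace($AppsFolder).Items()
}

# Verb names carry accelerator ampersands ("Unpin from &Start"); strip them before comparing.
function Get-AppVerb([string]$Name) {
    $item = Get-StartApp | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if (-not $item) { throw "No application named '$Name' in the Apps folder." }
    $item.Verbs() | ForEach-Object { $_.Name.Replace('&', '') }
}

# Invoke the unpin verb on every application that currently offers one; returns the count.
function Remove-StartPin {
    $count = 0
    foreach ($item in Get-StartApp) {
        $verb = @($item.Verbs() | Where-Object { $UnpinVerbs -contains $_.Name.Replace('&', '') })
        if ($verb.Count -gt 0) { $verb[0].DoIt(); $count++ }
    }
    return $count
}

if ($AppName) { Get-AppVerb -Name $AppName; return }

if ($UnpinAll) {
    if (Test-Path $MarkerKey) { Write-Verbose 'Start menu already cleaned for this user.'; return }
    $n = Remove-StartPin
    New-Item -Path $MarkerKey -Force | Out-Null
    New-ItemProperty -Path $MarkerKey -Name 'UnpinnedOn' -Value (Get-Date -Format o) `
        -PropertyType String -Force | Out-Null
    Write-Output "Unpinned $n application(s)."
}
```

Run it once as ".\Unpin-StartApps.ps1 -AppName 'Windows PowerShell'" to read off the unpin verb for your OS language, add that string to $UnpinVerbs, and then deploy it with -UnpinAll. The marker key is deliberately under HKCU: the GPO runs the script for every user, and without the marker a user who pins something on Monday loses it again on Tuesday.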

 

TL;DR: 

If you are running Windows 10 Professional, you need to replace the applications in the start menu before removing them: for example, run a task sequence of some kind that sets the default start menu layout, and then have a GPO run the PowerShell script described above.

If you are running Windows 10 Enterprise, just use the logon script GPO and you will be fine. If you still have some unwanted applications, run a script that removes the built-in apps (for example Invoke-RemoveBuiltinApps).

If you have any questions or thoughts about this post, feel free to email me at johan.nilsson@xenit.se



Netscaler: Resolve large http POST packets against AAA protected LB vServers

Recently, while setting up load balancing and external access to some applications for two customers, I encountered issues where large POST requests (large form submits or file uploads in the web app) stop working when AAA is enabled on the load balancing (LB) vServer. In these cases the backend web applications have all been quite old and not particularly well written.

By default, when AAA is enabled on NetScaler, a large POST request sent to the LB vServer, and subsequently to the backend, is split into two requests: the first with a Content-Length header of 0 and the second with the correct Content-Length and the actual POST body. The backend code in this case cannot handle the initial zero-length POST and crashes or misbehaves before it processes the second, real request. See the Wireshark capture below showing the two packets.

IP address 10.200.40.159 is a SNIP and 10.200.41.131 is the backend server hosting the web application.

 

The solution is either to have the backend software rewritten to handle the case above, or to run a NetScaler command that disables the split-POST behaviour. Article https://support.citrix.com/article/CTX225681 contains the relevant information. To resolve this on the NetScaler, run the following command in the NetScaler shell:

nsapimgr_wr.sh -ys arg1=0 -ys arg2=1 -ys arg3=16 -ys call="set_sso_post_data_handler"

You have to run the command on every NetScaler node (HA pair or cluster), and you also have to put the same command line in the file /nsconfig/rc.netscaler, otherwise the change is lost at the next reboot. nsapimgr settings are not part of the saved configuration (ns.conf), which is why rc.netscaler is needed. See https://support.citrix.com/article/CTX122271 for more information about the rc.netscaler file.

After the change, the capture below shows that only one packet is sent.

One interesting thing to note is that the article https://support.citrix.com/article/CTX225681 doesn't list NetScaler version 12.1 as affected, but my guess is that nothing has changed between 12.0 and 12.1 in this respect (i.e. you still need to run the command above to resolve it).

Feel free to email me at rasmus.kindberg@xenit.se, or leave a comment on this blog post, if you have any questions or comments.



Teams in your Multi-user environment done right!

Microsoft Teams is on the rise; more and more businesses are seeing its potential and want a piece of the action.

Unfortunately Microsoft Teams is not ideally designed for a multi-user environment like Citrix XenApp or Microsoft Remote Desktop Services. It is installed entirely in the user's profile, and it is quite big: a clean installation of Teams is roughly 600 MB and grows quickly, and you know what that means... You guessed it: very long logon times, since logging on to a multi-user environment often means the profile is downloaded to the session host before you are properly logged on. The users will not be happy! And on top of that, the latest recommendation for space per Teams installation is 3 GB...

There are, however, rumours that a business version addressing this very issue will be released soon. But if you are anything like me and simply cannot wait, there is a solution if you are willing to pay a small price, and at the same time you get access to tons of other great stuff.

FSLogix Profile Container

FSLogix Profile Container is a great product that basically takes profile size out of the equation. It is a small agent you install on your session hosts and configure with an ADMX template; you also need a file share with enough space for some big profiles. FSLogix is in the business of so-called filter drivers, which, simply put, lie to Windows. Compare it with running a 32-bit application on 64-bit Windows: Windows uses its own redirection layer (WoW64) to make it work, and the principle is the same, efficient and simple. In FSLogix's case it lies to Windows about the profile: Windows thinks it is a local profile and does not know that the entire profile is in fact contained in a VHD file mounted on the server. Because it is a virtual disk attached to the server, there is only one SMB handle, so it does not put the heavy load on the network that you often see when roaming profiles.

Install Teams

When you have FSLogix Profile Container in place you can install Teams in your environment. In early October Microsoft released a new version of Teams with new features for deploying Teams to all users in an organization; we are going to use parts of that to install Teams in our environment!

 

  1. Download the latest version of the Teams MSI file (x64) here!
  2. If you want to disable auto-start of Teams, use the install string with the noAutoStart option (otherwise just install without the option).

    This puts an installer under "C:\Program Files", and when a user logs on it automatically installs Teams for that user.
  3. You do not need to keep the MSI updated to the latest version; Teams automatically downloads and installs pending updates at the user's next logon.
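The PowerShell below is an added example, not the original post's install string, that runs the Teams machine-wide installer (Teams_windows_x64.msi) with auto-start disabled, checks the msiexec exit code, and verifies the result. The MSI location, the log path, and the installer path and registry value used for verification are my assumptions about the machine-wide installer, not something the post states.

```powershell
# Added example, not from the original post: install the Teams machine-wide installer
# silently with auto-start disabled and verify the outcome.
# Assumptions: MSI in the current directory; log path, "Teams Installer" folder and the
# PreventInstallationFromMsi value are my understanding of the machine-wide installer.
param(
    [string]$MsiPath = (Join-Path (Get-Location) 'Teams_windows_x64.msi'),
    [string]$LogPath = 'C:\Windows\Temp\Teams_msi_install.log'
)

function Install-TeamsMachineWide {
    param([string]$Msi, [string]$Log)
    if (-not (Test-Path $Msi)) { throw "MSI not found: $Msi" }
    # OPTIONS="noAutoStart=true" stops Teams from launching at every logon;
    # drop that argument if you want the default auto-start behaviour.
    $arguments = @('/i', "`"$Msi`"", '/qn', '/norestart', "/l*v `"$Log`"", 'OPTIONS="noAutoStart=true"')
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru
    # 0 = success, 3010 = success with a reboot pending
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $Log"
    }
    return $proc.ExitCode
}

function Test-TeamsMachineWide {
    # The x64 MSI places the per-user installer here; it runs at each user's logon
    # and copies Teams into that user's profile (which FSLogix keeps in the VHD).
    $installer = Join-Path $env:ProgramFiles 'Teams Installer\Teams.exe'
    # If a user has ever uninstalled Teams, this per-user value stops the logon-time
    # re-install. Clear it in that user's hive if Teams is supposed to come back.
    $teamsKey = 'HKCU:\Software\Microsoft\Office\Teams'
    $blocked  = $false
    if (Test-Path $teamsKey) {
        $blocked = $null -ne (Get-ItemProperty -Path $teamsKey).PreventInstallationFromMsi
    }
    [pscustomobject]@{
        InstallerPresent   = (Test-Path $installer)
        CurrentUserBlocked = $blocked
    }
}

Install-TeamsMachineWide -Msi $MsiPath -Log $LogPath
Test-TeamsMachineWide
```

Run it elevated on each session host. The verification step is worth keeping in a build checklist: a missing Teams Installer folder means the MSI did not land, and CurrentUserBlocked explains the common "Teams never appears for that one user" ticket.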

There you go, now your users can benefit from the full Teams experience in your multi-user environment, with one exception: if you are using Citrix, you have the Skype for Business Optimization Pack to use local client resources for the best quality in Skype meetings and calls. There is no such support for Teams as of now; it will be available soon. With that said, I wouldn't uninstall Skype for Business just yet.

Other Great stuff

As mentioned above, there are a lot of benefits to using FSLogix Profile Container. For a long time, Citrix User Profile Management has been the best way to reduce profile size while still keeping the most important settings in the profile. But this is still a trade-off: you trade away the caches and settings that slow down logon, while still trying to give the user the best experience, and these goals sometimes collide so that you have to choose between longer logon times and full functionality of a certain application.

With FSLogix Profile Container you no longer need to worry about large profiles, and you don't need to make that trade-off. Many applications save a ton of settings and files in the profile, and you can now install them without impacting the user experience, which opens up a great deal of opportunities. You can, for example, install OneNote with its (potentially) gigantic cache, CAD applications with thousands of files in the user profile, and much more.

 

If you find this interesting and would like a trial of FSLogix Profile Container to see if it fits your organization's needs, please contact us. It is easy to install and does not require additional servers or infrastructure!

 




Netscaler: ADFS protected by AAA – How to handle SAML POST requests

A limitation of NetScaler AAA is that it does not preserve form data sent in a POST request to a NetScaler LB vServer that is protected by an AAA vServer: the form data in the POST is not included when the user is redirected back to the LB vServer after AAA authentication. This becomes relevant when you have a SAML Service Provider (SP) configured to POST its login request to a SAML Identity Provider (IdP), and that IdP is protected by NetScaler AAA.

Below is the process flow:
1. The user browses to the SAML SP address https://app1.somedomain.com/saml/login, which in this scenario is the URL that initiates the SAML logon process.
2. The SP gives the user a SAML request and the user's browser performs a POST against the IdP URL https://adfs.mycompany.com/adfs/ls/ with this SAML request as the form data.
3. The address https://adfs.mycompany.com points to a NetScaler LB vServer protected by AAA, so when NetScaler sees the incoming POST request above it redirects the user to https://aaa.mycompany.com for AAA authentication (we assume the user has not authenticated against this AAA vServer in this web session).
4. The user performs AAA authentication and is afterwards redirected back to the original URL https://adfs.mycompany.com/adfs/ls. HOWEVER, the SAML request form data is now missing.
5. The user lands on https://adfs.mycompany.com/adfs/ls and receives an error message, because the ADFS server does not know how to handle a request without any SAML form data.

 

Important notes:

  • Form data passed along with a POST to an LB vServer (such as ADFS) that is protected by AAA is dropped when the user is redirected back to the LB vServer after successful AAA authentication. This only applies if the user has not yet authenticated against the AAA vServer in the current web session (i.e. the user does not have an NSC_TMAS cookie). We will make use of this later on.
  • Query-string values in the POST URL are not dropped, so the flaw is limited to form data.

 

Solution/work-around:
The easiest solution is simply to ask the SAML SP to use the HTTP-Redirect binding instead of HTTP-POST for the SAML request, but if that is not an option (the SP's backend code or configuration does not support Redirect), below is a workaround I have been using. Basically you store the original SP URL, https://app1.somedomain.com/saml/login, in a cookie in the user's browser, and in step 5 the user is redirected back to that URL.

Below is the process flow with a work-around implemented for POST:
1. The user browses to https://app1.somedomain.com/saml/login, which in this scenario is the URL that initiates the SAML logon process.
2. The SP gives the user a SAML request and the user's browser performs a POST against the IdP URL https://adfs.mycompany.com/adfs/ls/ with this SAML request as the form data.
3. The address adfs.mycompany.com points to a NetScaler LB vServer protected by AAA, so when NetScaler sees the incoming POST request above it redirects the user to https://aaa.mycompany.com for AAA authentication.
3b. NEW: When the user is redirected to https://aaa.mycompany.com, a Rewrite policy triggers that creates a cookie "ADFSPostCookieURL" for the user, containing the value https://app1.somedomain.com/saml/login.
4. The user performs AAA authentication and is afterwards redirected back to the original URL https://adfs.mycompany.com/adfs/ls.
5. NEW: A Responder policy on the ADFS LB vServer checks whether the path is "/adfs/ls" and the cookie "ADFSPostCookieURL" exists; if both are true it reads the cookie value and redirects the user to that URL. Because the redirect target comes from a browser-supplied cookie, the policy should only accept known SP URLs, otherwise the IdP becomes an open redirector.
6. The user is redirected back to https://app1.somedomain.com/saml/login, which restarts the SAML logon process.
7. The SP gives the user a new SAML request and the user's browser again performs a POST against the IdP URL https://adfs.mycompany.com/adfs/ls/ with this SAML request as the form data.
8. The key difference now is that the user has already done AAA authentication in this web session and thus has a valid AAA cookie, so there is no redirect to https://aaa.mycompany.com. The POST against https://adfs.mycompany.com/adfs/ls/ therefore succeeds and the ADFS backend sees the SAML form data, since no AAA redirect dropped it.
9. Assuming the SAML request is valid, the ADFS server gives the user a SAML response and redirects the user to https://app1.somedomain.com/myApp, and the user is now logged on to this third-party site.

 

Takeaways:

  • Our workaround revolves around storing the original URL (https://app1.somedomain.com/saml/login) somewhere we can read it later, and requesting a SAML request from our SAML SP twice, because in the second round we are no longer interrupted by AAA authentication.
  • The solution is a bit hacky, involves two SAML requests from the SP and a lot of redirects, but it works well from an end-user perspective and lets us support SAML POST in conjunction with AAA.
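The NetScaler CLI below is an added example of the two policies the flow describes (3b and 5); it is not the author's configuration, which is not reproduced on this page. The object names, the vServer name lb_vs_adfs, the use of the Referer header to learn the SP URL, the cookie attributes, the pattern set as an allow-list, and binding the Set-Cookie rewrite as a RESPONSE policy on the ADFS LB vServer are all assumptions.

```text
# Added example, not the author's configuration. Names and bindings are assumptions.

# Allow-list of SP login URLs we are willing to store in, and redirect from, the cookie.
add policy patset pset_adfs_sp_urls
bind policy patset pset_adfs_sp_urls "https://app1.somedomain.com/saml/login"

# Step 3b: an unauthenticated SAML POST to /adfs/ls is being turned into a 302 to the
# AAA vServer. Set the cookie with the SP URL the browser came from (its Referer), but
# only for SPs on the allow-list. Path=/adfs keeps the cookie off unrelated paths.
add rewrite action rw_act_adfs_postcookie insert_http_header Set-Cookie "\"ADFSPostCookieURL=\" + HTTP.REQ.HEADER(\"Referer\") + \"; Path=/adfs; Secure; HttpOnly\""
add rewrite policy rw_pol_adfs_postcookie "HTTP.RES.STATUS.EQ(302) && HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.URL.PATH.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.HEADER(\"Referer\").EQUALS_ANY(\"pset_adfs_sp_urls\")" rw_act_adfs_postcookie
bind lb vserver lb_vs_adfs -policyName rw_pol_adfs_postcookie -priority 100 -gotoPriorityExpression END -type RESPONSE

# Step 5: after AAA the browser arrives with GET /adfs/ls and no form data. Send it back
# to the SP named in the cookie. The target is browser-controlled, so it must match the
# allow-list exactly; never redirect to an arbitrary cookie value.
add responder action rs_act_adfs_postcookie redirect "HTTP.REQ.COOKIE.VALUE(\"ADFSPostCookieURL\")" -responseStatusCode 302
add responder policy rs_pol_adfs_postcookie "HTTP.REQ.METHOD.EQ(\"GET\") && HTTP.REQ.URL.PATH.REGEX_MATCH(re#^/adfs/ls/?$#) && HTTP.REQ.COOKIE.VALUE(\"ADFSPostCookieURL\").EQUALS_ANY(\"pset_adfs_sp_urls\")" rs_act_adfs_postcookie
bind lb vserver lb_vs_adfs -policyName rs_pol_adfs_postcookie -priority 100 -gotoPriorityExpression END -type REQUEST

# Step 8/9 housekeeping: once an authenticated POST to /adfs/ls gets a non-error answer,
# expire the cookie so a stale value cannot trigger the redirect on a later visit.
add rewrite action rw_act_adfs_postcookie_clear insert_http_header Set-Cookie "\"ADFSPostCookieURL=; Path=/adfs; Secure; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT\""
add rewrite policy rw_pol_adfs_postcookie_clear "HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.URL.PATH.STARTSWITH(\"/adfs/ls\") && HTTP.REQ.COOKIE.VALUE(\"ADFSPostCookieURL\").LENGTH.GT(0) && HTTP.RES.STATUS.BETWEEN(200,399)" rw_act_adfs_postcookie_clear
bind lb vserver lb_vs_adfs -policyName rw_pol_adfs_postcookie_clear -priority 110 -gotoPriorityExpression END -type RESPONSE
```

Two design notes. First, the Referer-based capture only works if the SP's auto-submitting form page is the page the browser POSTs from and the browser sends a Referer; if your SP strips it, hard-code the SP URL in the rewrite action instead. Second, the pattern set is the part that keeps this safe: a cookie named ADFSPostCookieURL can be planted by any page on a sibling host under mycompany.com, and without the allow-list that cookie would turn the IdP into an open redirect for phishing.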

 

If you have any questions regarding above solution, or ideas on how to handle above scenario in a better way, please contact me at rasmus.kindberg@xenit.se.

 

 

Below is the Netscaler configuration: