Citrix licenses locked in use on your license server, how to release them …

So after the test phase in your XenDesktop project you move from the test environment to a new Production Farm, keeping your license server.  If you used a lot of test accounts during this initial phase you might want to release their licenses so real users can start using them.  Below is the procedure for doing this :

  • Logon to your Citrix License server (RDP)
  • Open a command prompt and “cd” to “C:\Program Files (x86)\Citrix\Licensing\LS”
  • If you type : “udadmin -list” you get a list of all checked out licenses
  • Next you need to release the license with the following command :
    “udadmin -f <<Xendesktop Platinum/Enterprise, …>> -user <<username>> -delete”
    So in our example this will be :
    “udadmin -f XDT_PLT_UD -user jerry -delete”
  • Each user license assignment needs to be released separately.

Citrix XenApp 6 and Belgian eID

Belgian eID is used in more and more web applications nowadays.
And of course we want to use it on XenApp 6 with Windows 2008 R2 64bit too.  If we follow the “workstation” procedure to install the Belgian eID Middleware Software it seems we can’t authenticate to a webserver with eID.
However after installation we see that the eID tool launches correctly in a XenApp Session and also shows the eID together with the certificates correctly.  There is also no issue in importing the client certificates.

But when you try to logon to a webserver with your eID (for example : http://www.my.belgium.be ) after selecting the certificate and providing the pincode a “Page can not be displayed”-error message appears.

The temporary solution for now is to install a limited hotfix for XenApp 6 : http://support.citrix.com/article/CTX128762 and use an older version of the eID software; version 3.5.3.6295 appears to be working.
It’s not available for download anymore, so you might need to contact the eID helpdesk to get it :

Service Desk van Fedict: 078 15 03 11 - servicedesk@fedict.be

Import and/or replace Certificates on Netscaler

Importing and Replacing certificates on a Netscaler is not always that smooth because of different types and formats of the certificates and private keys.

Let’s say we received a public/private key combination from an official CA in .pfx format.  How do we import it into the Netscaler?

  • If not already present on your system install OpenSSL for Windows (there is also a Linux version if preferred)
  • Export the private key file from the pfx file (you will need to give the pfx-password)
    openssl pkcs12 -in filename.pfx -nocerts -out key.pem
  • Export the certificate file from the pfx file (you will need to give the pfx-password & create a new password for the key-file)
    openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
  • Remove the passphrase from the private key (you will need to enter the generated password from step 3)
    openssl rsa -in key.pem -out server.key
  • Login to the Netscaler GUI
  • Navigate in the left pane to “SSL”
  • In the right pane click “Manage Certificates / Keys / CSRs”
  • Upload the files server.key and cert.pem (make sure not to overwrite files, if needed rename the files and keep the extensions)
  • Click “Close”
  • In the right pane click “Certificate Wizard”
  • Click “Next” and 3 times “Skip”
  • Enter a Friendly Display Name
  • For Certificate File Name select cert.pem
  • For Private Key File Name select server.key
  • Leave the rest default and click “Next”, “Finish” and “Exit”
  • If everything went fine it should state that the operation was successful
  • The certificate is now installed on the Netscaler but not yet bound to a VIP or CAG – VIP.  In this example we will show how to replace a certificate on a CAG – VIP
  • In the left pane navigate to “Access Gateway” – “Virtual Servers”
  • Open the “virtual server” which needs to have the new certificate
  • Select the new certificate in the left list and click “Add”, select the old certificate on right list and click “Remove”
  • Click “OK”, changes are active immediately
  • Check the functionality of your CAG
  • If everything works fine, navigate in the left pane to : “SSL” – “Certificates”
  • Right click the old certificate and click “Remove”
  • Click “Save” in the GUI.
  • Logoff
  • Done!
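
Before uploading server.key and cert.pem it is worth confirming that the two files really belong together and that the key is in the state you expect. The script below is an added example, not part of the original procedure: it builds a throwaway PFX (subject and passwords are constructed), runs the three extraction commands from the list above non-interactively, and checks the result.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# the sample PFX, its subject and both passwords are constructed.
umask 077   # server.key is an unencrypted private key: keep it owner-only

# True when a PEM key file is still passphrase-protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# 0 = certificate and key share one public key, 1 = mismatch, 2 = unusable input.
cert_key_match() {
    if key_is_encrypted "$2"; then return 2; fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway PFX in directory $1, then run the post's three extraction
# commands. -passin/-passout stand in for the interactive prompts (sample only:
# passwords given this way are visible in the process list).
make_sample() {
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
          -keyout src.key -out src.crt 2>/dev/null &&
      openssl pkcs12 -export -inkey src.key -in src.crt -out filename.pfx \
          -passout pass:pfx-pass &&
      # The key export asks for the pfx password and sets a new PEM passphrase.
      openssl pkcs12 -in filename.pfx -nocerts -out key.pem \
          -passin pass:pfx-pass -passout pass:pem-pass 2>/dev/null &&
      # The certificate export only needs the pfx password.
      openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem \
          -passin pass:pfx-pass 2>/dev/null &&
      # Stripping the passphrase consumes the PEM passphrase set above.
      openssl rsa -in key.pem -out server.key -passin pass:pem-pass 2>/dev/null )
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir" || { rm -rf "$dir"; return 1; }
    key_is_encrypted "$dir/key.pem" && echo "key.pem: passphrase-protected"
    key_is_encrypted "$dir/server.key" || echo "server.key: no passphrase"
    cert_key_match "$dir/cert.pem" "$dir/server.key" && echo "cert.pem matches server.key"
    rm -rf "$dir"
}
demo
```

Once the upload has been verified on the Netscaler, delete the local copies of server.key and key.pem, since server.key is no longer protected by a passphrase.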

If your IIS runs multiple WebInterfaces on 1 IP address on the same TCP-port using host headers, we have some problems on the CAGEE part of the Netscaler. Below is an “Insert HTTP-header” configuration to fix this issue.

If your IIS runs multiple WebInterfaces on 1 IP-address on the same TCP-port,  IIS uses host headers to distinguish which site to present.  However a CAGEE configuration will not include a host header name in the GET request to the webserver.

In this article we try to explain how to create a load balancer service on top of the WI/IIS which adds the needed host header using a request rewrite. (Netscaler Standard feature).

  • First configure a Load balancer for your Web Interface
  • Go to “Policies” and click “Rewrite (Request)”
  • Click “Policy Name” and click “New Policy …”
  • At level “Action” click “New …”
  • Click “Create”
  • Click “Close”
  • To test the “Rewrite” click “Evaluate”, in the new window click “Sample” and “Evaluate”
  • Click “Close”
  • Add Expression “TRUE”
  • Click “Close”
  • Select the just created policy and select “NEXT” in the column “Goto Expression”
  • Click “Insert Policy” and click “New …” – rewrite action
  • Add “TRUE” in the expression field
  • Click “Evaluate” to test the rewrite policy
  • Click “Close” and click “Create”
  • Make sure the order of the policies is correct
  • Now go to your CAG configuration and point your WebInterface entry to this load balanced service. The LB will inject the hostheader required by IIS.

XenDesktop 5 Virtual Machine Creation Services on vSphere 4.1

Linking XD5 to your vSphere environment consists of a few simple steps :

  1. Create a template VM on your vSphere environment.
    This step is quite easy: you just install your guest OS and the apps you want to have integrated in the image. Make sure your desktop is a member of the domain and then install the XD5 Virtual Desktop Agent, which also optionally includes an installation of the Citrix Online/Offline Plugin. Power off the Template Virtual Machine.
  2. Link vCenter to your XenDesktop 5 Delivery Controller.
    According to XD5 documentation you can choose between HTTP and HTTPS access from your DDCs to your vCenters, however quite some forum articles mark that it only works using HTTPS. I must admit I experienced the same thing so I went for the more secure HTTPS linking method : 

    1. If you want this to work you will need to import the SSL certificates from your vCenter(s) onto all your DDC’s.  The easy way is launching IE as an Administrator and browse to your vCenter servers using HTTPS, double-click the certificate and install it. Make sure you choose the Certificate Store location manually and select “Local Computer” .
    2. After installing this certificate on your DDCs you can create a “host” (in combination with vSphere this means linking to https://FQDN/sdk after which you select a host or cluster and the storage that can be used by your XD5farm)
    3. The storage can be local or shared storage but you should remain with 1 type within 1 “Resource Pool”, you can add multiple “Resources” afterwards using the same vCenter connection.
  3. Next we already can consider creating Virtual Machines. The nice thing is that VMCS will automatically make a snapshot and a copy of the initial template so it is free to be updated at a later time without influencing the existing Desktop Virtual Machines directly. When using shared storage 1 master copy vmdk will be shared across all the VMs you create. If you use local storage the master will be copied to each local data store and this will be the base image for all the Desktop VMs that will run on that server. So for the storage side of things it really looks good this way. Offloading IO to local disks is manageable thanks to this function.
  4. If you need additional Virtual Machines for the same Catalog it’s very easy: just right-click and select “Add Machines”. The present master image will be re-used so this process is very fast.

Using XD5 and vCenter over HTTP : http://forums.citrix.com/message.jspa?messageID=1519524

Or in more detail what to do for HTTPS : http://jariangibson.com/2010/12/21/using-xendesktop-5-with-vmware/

iPad and Citrix Access Gateway, get it to work !

Recently we had the pleasant surprise of Arrow ECS playing Santa and providing us with nice 3G enabled iPads. The goal was to demo and show off as much as we can using these nice devices.

So first step : integrate with our Citrix Demofarm.

The basic steps are pretty easy :

  • XenApp farm newer than 5 (or 4.5 with Rollup pack 6)
  • XenDesktop 4 or newer
  • preferably Web Interface 5.3 with a XenApp Services Site configured pointing to your Citrix Access Gateway

And yes that’s it … nothing more … although it didn’t work …
The first error we received on the iPad was Server Certificate not trusted.
That was an easy one: just like with other CAG implementations we just have to make sure the private root public certificate is present on the iPad.  You can do this by mail or use the iPhone Configuration Utility to make a nice profile (you can add and preconfigure your wireless networks in there too if you like).
You can find this util here : http://www.apple.com/support/ipad/enterprise/ (the util exists in a Windows version as well)

So Root Certificate imported but still errors :

“Can not make a secure server connection” or if you try to reach a Web Interface Site on the same server you get “Safari cannot open the page because it could not establish a secure connection to the server”.

So I enabled syslogging on our demo Netscaler VPX / CAG Enterprise, and there was nothing to see.
So the iPad couldn’t even reach the CAG, it seems.  So after further investigation, including a little Wireshark, I came up with the idea of reducing the number of “Ciphers” that are offered by the CAG or Netscaler VPX.
The configured Ciphers are all the various encryption algorithms the Netscaler supports, and it might be that the list is too long for the iPad to choose from, resulting in a secure connection failure.

So in the CAG VIP properties on the Netscaler VPX, I clicked the button “Ciphers”, removed all of them and just added the group “Medium”.

I saved the settings and yes it works !   So now we are happy iPad – Citrix Receiver users.
One other nice thing about iPad and Citrix Receiver : try to tap with 3 fingers on the screen while connected, it’s a handy shortcut to the keyboard.

See also : http://www.arrowecs.be/news/news.php?id_news=866

Repeater 5.x & VPX Workshop …

Today we had a Citrix Branch Repeater Workshop.
The presentation used can be downloaded here : Workshop BR Citrix

Other links about Citrix Branch Repeater :

Citrix Netscaler Web Application Firewall Demo

In this demo we do some webserver hacking attempts, and see the different results before and after the activation of the Netscaler Web Application Firewall.
This demo was recorded using Citrix GoView and submitted to the Citrix Virtual Computing Demo Contest 2010.

Link to the demo :
 http://goview.com/?id=6f717b67-932e-4c3d-9da9-c9c19bffa384

GoView : Nice tool to record demos …

I made an account on Citrix GoView which is a nice and easy tool to record demonstrations, …   I directly made some little demonstrations on Netscaler :

Citrix Netscaler VPX : from Express Edition to Platinum Workshop …

Recently Mokrane Hellal and I hosted a workshop on Netscaler VPX.   The workshop was intended to give a brief overview of some popular Netscaler capabilities. In the labs we covered Outlook Web Access SSL-Offload, a little bit of CAG and also a little bit about Web Application Firewall. I say a little bit because every day I work on this product line I’m amazed by its features, capabilities and especially the endless possibilities in how you can combine the built-in sub-components to fit your needs. 
Our presentation and workshop documents are available for download.

If you like the content consider registering for our next free technical workshops : http://www.arrowecs.be/news/news.php?id_news=704
