Channel: Citrix – Daniel Ruiz – Blog

PVS Gold image WMI issues fix


As part of a PVS image issue discovery project, I was able to determine that WMI was not working on several gold images which was causing several memory leaks, as well as event viewer complaining just about every 30 seconds.

Problems escalated when XenApp hosts would completely run out of virtual memory, which would end up affecting the overall user experience.

Environment:

  • Windows 2003 SP3
  • Citrix XenApp 5.0
  • PVS 6.1.16

Issue:

WMI not working on several Golden images.  My guess is this image was copied in a broken state and was replicated to many different images.

Fix:

Run the following from the command line:

  • Regsvr32 %SystemRoot%\System32\wbem\wmidcprv.dll
  • cd /d %windir%\system32\wbem
  • for %i in (*.dll) do RegSvr32 -s %i
  • for %i in (*.exe) do %i /RegServer

The Windows Management Instrumentation Tester window may appear; this is normal, and you can go ahead and close it.

If it does not work, I also suggest you run the following commands to repair WMI namespace:

  • net stop winmgmt
  • wmic /NAMESPACE:\\root path "__namespace.name='wmi'" delete
  • mofcomp %windir%\system32\wbem\wmi.mof
  • net start winmgmt

Restart the computer to check the result. If the issue persists, try the following steps:

  • winmgmt /verifyrepository
  • winmgmt /salvagerepository


Hide Client Drive mappings for ICA sessions


Client drive mapping is a great feature of XenApp / XenDesktop. Although it presents a security concern depending on the environment, it is sometimes necessary to allow local file access from your XenApp and/or XenDesktop sessions as part of the workflow.

While I was assisting an old coworker at my last company, he was presented with the challenge of allowing client drive mappings while showing only specific drives.

Environment:

  • Windows 2003 SP3/Windows 2008 R2
  • Citrix XenApp 5.0 / 6.5
  • PVS 6.1.16
  • Citrix Receiver 13.x
  • Web Interface 5.4

Issue:

Disable specific Client Drive Mappings from enumerating within an ICA session.

Solution:

Registry:

  • Log on to a client machine with Receiver 13.x installed, as a user with administrative rights.
  • For 64bit operating systems, navigate to registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\ClientDrive
  • For 32bit operating systems, navigate to registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\ClientDrive
  • At the DisableDrives string value, add the value data as the client drive letter(s) to be disabled. Do not add commas between drive letters when disabling multiple drives.

 

 

Web Interface Site

  • Navigate to C:\inetpub\wwwroot\Citrix\NAME OF SITE\conf.
  • Open default.ica with notepad.
  • Under the section [WFCLIENT] add DisableDrives=DriveLetter.
  • All ICA sessions launched from the corresponding Web Interface site now have the specified client drive disabled.
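One way to verify the Web Interface change after editing default.ica, as an added example that is not part of the original post: a small checker that reads the [WFCLIENT] section and confirms DisableDrives is present, holds drive letters only (no commas), and covers the drives you intend to hide. The function names and the ICA fragments are constructed for illustration, and treating section and key names as case-insensitive is an assumption.

```python
import re
from typing import Dict, List

# Constructed fragments for illustration; not a complete default.ica.
GOOD_ICA = """\
[Encoding]
InputEncoding=UTF8

[WFClient]
RemoveICAFile=yes
DisableDrives=CD
"""

COMMA_ICA = GOOD_ICA.replace("DisableDrives=CD", "DisableDrives=C,D")

# Setting placed in the wrong section, so it never reaches [WFCLIENT].
MISPLACED_ICA = """\
[Encoding]
InputEncoding=UTF8
DisableDrives=CD

[WFClient]
RemoveICAFile=yes
"""


def wfclient_settings(ica_text: str) -> Dict[str, str]:
    """Collect key=value pairs from the [WFCLIENT] section only."""
    section = ""
    settings: Dict[str, str] = {}
    for raw in ica_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Assumption: section names are matched case-insensitively.
            section = line[1:-1].strip().lower()
            continue
        if section == "wfclient" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def check_disable_drives(ica_text: str, must_hide: str) -> List[str]:
    """Return a list of problems; an empty list means the file is as intended."""
    value = wfclient_settings(ica_text).get("disabledrives")
    if value is None:
        return ["[WFCLIENT] section has no DisableDrives entry"]
    problems = []
    # The post's rule: drive letters only, no commas between them.
    if not re.fullmatch(r"[A-Za-z]+", value):
        problems.append(f"DisableDrives={value!r}: use drive letters only, no separators")
    hidden = {c.upper() for c in value if c.isalpha()}
    missing = sorted(set(must_hide.upper()) - hidden)
    if missing:
        problems.append("drives still mapped: " + "".join(missing))
    return problems


if __name__ == "__main__":
    for name, text in [("good", GOOD_ICA), ("comma", COMMA_ICA), ("misplaced", MISPLACED_ICA)]:
        print(name, check_disable_drives(text, "CD") or "OK")
```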

 


Redirecting AGEE URL – NetScaler 9.3 52.3nc


While working with a new AGEE site for a client (test2.mydomain.com), I was given the challenge to ensure that only a specific subnet is redirected to the new site while still connecting to the original url (test.mydomain.com), and ensure no one else is impacted by the redirector.

Luckily, this can be achieved by setting up Responder policies on the NetScaler.

Environment

  • MPX 7500 NetScaler 9.3 52.3nc
  • AGEE

Goal:

Redirect an AGEE site based on a specific client subnet

1. All users that go to AGEE1 http://test.mydomain.com site simply get redirected to AGEE1 site with SSL https://test.mydomain.com

2. All users from the 10.10.20.0/24 subnet that go to AGEE1 site http://test.mydomain.com get redirected to AGEE2 site https://test2.mydomain.com

Configuration:

1. First, make sure the Responder feature is turned on by right-clicking “Responder” and selecting “enable responder feature”.

Once it is enabled, it will look like this:

[Screenshot: responder_enable]

2. Now let’s create actions. These tell the policies what to do.

Let’s create a redirect action for ALL users to be redirected to the AGEE1 SSL site https://test.mydomain.com

[Screenshot: 01_all_users_action]

Now let’s create a redirect action for a specific subnet that redirects to the AGEE2 SSL site https://test2.mydomain.com

[Screenshot: 02_subnet_users_action]

Now that we have the actions defined, let’s create the policies that will be assigned to your VIP.

3. Create Responder policies. The actions you created above need to be bound to your Responder policies.

Create a policy to match the URL (in this case http://test.mydomain.com), then bind your previous action to redirect them to https://test.mydomain.com

Expression:

HTTP.REQ.IS_VALID

[Screenshot: 03_all_users_redirect_policy]

Now create a policy that will match the url test.mydomain.com and will redirect users from the 10.10.20.0/24 to test2.mydomain.com

Expression:

HTTP.REQ.HOSTNAME.EQ("test.mydomain.com") && CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)

[Screenshot: 04_all_users_redirect_policy]

4. Now let’s assign these Responder policies to your AGEE1 site http://test.mydomain.com

Notice in the screenshot below that I simply created a service named “Dummy” and gave it the NetScaler’s localhost IP 127.0.0.1. This is simply to make sure the TCP 80 VIP is able to come up under the AGEE IP (since AGEE ONLY runs under TCP 443). Note that Responder actions will not work on VIPs that are down.

[Screenshot: 05_responder_apply]

Head over to the “Policies” tab, then click on “Responder” and assign the policies you previously created. A reminder that the lower the priority number, the higher the priority actually is. In the case below, “subnetet_users_pol” wins.

[Screenshot: 06_responder_apply]
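The priority rule above decides who lands on which site, so it is worth checking before binding. The following is an added example, not configuration from the original post: a small Python model of the two policies that evaluates sample requests in priority order and shows what happens when the catch-all policy is given the lower number. The policy names, priority values 100/110 and sample client addresses are hypothetical, and the host name comparison is lower-cased as a modelling choice.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

AGEE1 = "https://test.mydomain.com"    # redirect target for everyone else
AGEE2 = "https://test2.mydomain.com"   # redirect target for 10.10.20.0/24


@dataclass(frozen=True)
class Request:
    host: str        # value of the Host header
    client_ip: str   # source address seen by the TCP 80 VIP


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                     # lower number is evaluated first
    rule: Callable[[Request], bool]
    redirect_to: str


def subnet_rule(req: Request) -> bool:
    """HTTP.REQ.HOSTNAME.EQ("test.mydomain.com") && CLIENT.IP.SRC.IN_SUBNET(10.10.20.0/24)"""
    in_subnet = ipaddress.ip_address(req.client_ip) in ipaddress.ip_network("10.10.20.0/24")
    # Modelling choice: host names are compared lower-cased.
    return req.host.lower() == "test.mydomain.com" and in_subnet


def all_users_rule(req: Request) -> bool:
    """HTTP.REQ.IS_VALID: true for every well-formed request, so it is a catch-all."""
    return True


def build_policies(subnet_priority: int, all_users_priority: int) -> List[Policy]:
    # Hypothetical policy names; use whatever you named yours on the appliance.
    return [
        Policy("all_users_pol", all_users_priority, all_users_rule, AGEE1),
        Policy("subnet_users_pol", subnet_priority, subnet_rule, AGEE2),
    ]


def evaluate(policies: List[Policy], req: Request) -> Optional[str]:
    """Return the redirect of the first matching policy in priority order."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.rule(req):
            return policy.redirect_to   # a redirect response ends evaluation
    return None


# Constructed sample requests with the site each client is supposed to reach.
SAMPLES: List[Tuple[Request, str]] = [
    (Request("test.mydomain.com", "10.10.20.57"), AGEE2),   # inside the /24
    (Request("test.mydomain.com", "10.10.21.57"), AGEE1),   # next subnet over
    (Request("test.mydomain.com", "192.168.1.10"), AGEE1),  # unrelated client
]


def audit(policies: List[Policy], samples=SAMPLES) -> List[Tuple[Request, str, Optional[str]]]:
    """Return (request, expected, actual) for every sample that is misrouted."""
    return [(req, want, evaluate(policies, req))
            for req, want in samples if evaluate(policies, req) != want]


if __name__ == "__main__":
    print("subnet policy first :", audit(build_policies(100, 110)) or "all samples routed as intended")
    print("catch-all first     :", audit(build_policies(110, 100)))
```

With the catch-all bound at the lower number, clients in 10.10.20.0/24 never reach the subnet policy and are sent to AGEE1.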

Hope this helps! :)

 


Licensing your NetScaler AGEE nCore


Environment

  • MPX 7500 NetScaler 9.3 52.3nc
  • AGEE

Goal:

Apply a new AGEE license on your NetScaler without the need to modify your NetScaler’s host name.

Configuration:

First, let’s understand the AGEE licensing feature, and assume that you downloaded the Access Gateway platform license from your MyCitrix.com portal.

AGEE can run under two modes: “Basic Mode” and “SmartAccess Mode”.

Basic Mode:

Several Access Gateway features, such as full VPN functionality, EPA, Clientless Access, and SmartAccess, are unavailable. This means you can use this configuration if you are only utilizing a Citrix Web Interface once you authenticate to your AGEE portal: your AGEE authentication and session policies must point to a Citrix Web Interface server, which pretty much makes AGEE act as your good old Citrix Secure Gateway.

If you go this route and don’t need any of the advanced features, you will need to make sure your AG Platform license contains the entries below. You can read more about it in this article, which shows how to configure an Access Gateway Enterprise Edition appliance with unlimited ICA connections.

INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

SmartAccess Mode:

This gives you features such as VPN functionality, EPA, Clientless Access, and SmartAccess control.

For example, in the environment I am working on now, I created two session policies, where I can filter specific AD groups and assign them to specific session policies.

AD-GroupVPN, which contains VPN SSL users, sees both the Network Access icon for VPN SSL sessions and the Citrix XenApp icon, which redirects users to a Citrix Web Interface.  In addition, I set up another group, let’s call it AD-GroupWI, which only redirects users to a Citrix Web Interface page once they authenticate.

[Screenshot: vpn_users]

Below is a screenshot where the modes are configured under your AGEE virtual server

License installation:

Let’s license AGEE with a license file that contains a name other than the host name of the NetScaler.

The traditional setup would look like this: you set your host name and the license file to be the same.

  • Connect to the Access Gateway Enterprise Edition appliance by using the serial cable or a Secure Shell (SSH) utility.
  • Log in to the appliance by using the nsroot credentials.
  • Run the following commands to set the Fully Qualified Domain Name (FQDN) for the appliance:
  • set ns hostName access.example.com
  • save config
  • shell
  • echo hostname=\"access.example.com\" > /nsconfig/rc.conf
  • Restart the appliance.

Now let’s assume your license file is similar to the one below, and the hostname of your NetScaler is NS.

License File:

SERVER this_host HOSTNAME=anotherhost

VENDOR CITRIX
USE_SERVER
INCREMENT CAG_ICA_CCU CITRIX 2012.0922 permanent 10000 \

INCREMENT CAG_BASE_SERVER CITRIX 2012.0922 permanent 1 \

When you access the GUI or CLI (sh license), you will notice that the total number of Access Gateway Users Allowed has the default value of 5, meaning you can have no more than 5 SSL connections to your AGEE site; user number six will get an SSL Error 38 when launching applications.

Fix:

Edit the rc.conf file located under /nsconfig

  • shell
  • echo hostname=\"anotherhost\" > /nsconfig/rc.conf

This will overwrite the rc.conf file with the hostname you have embedded in your license file.

You can also do this with a program like FileZilla and edit the file directly over port 22.

[Screenshots: filezilla_edit, filezilla_edit2]

Once you are done, reboot the appliance. If you are running nCore, you can do a warm reboot instead of a standard reboot.

This new option, “-warm,” has been introduced for the “reboot” command. This option can be used only on NetScaler nCore appliances. When the “-warm” option is specified, the NetScaler restarts NetScaler specific functionality without restarting the appliance, reducing the time required to implement changes that would otherwise require a complete reboot of the NetScaler appliance.


XenApp 6.5 – Remote Desktop display settings can’t be changed


Not sure how I missed this one during my last XenApp 6.5 implementation.

The option of “Make text and other items larger or smaller” while in a Windows 2008 RDS session is no longer available as it was in a Windows 2003 TS session. This option is now greyed out and displays “The display settings can’t be changed from a remote session”.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5
  • PVS 6.1.16
  • Citrix Receiver 13.4

Fix:

If you want this option available during a session, download a hotfix from Microsoft that will re-enable this setting.

Note: The DPI setting enables you to change the size of all fonts and other UI elements on the computer. For example, you change the setting to increase the legibility of the UI.

 

 


XenDesktop User/Device manually release a license


Many companies are switching to XenDesktop User/Device licenses vs. the traditional concurrent model.  The main reason… well, they are just about half the cost.  So it makes sense from a budget perspective.

This does create a bit of additional administrative IT overhead. In theory the license server “takes care of” managing licensing, etc. However, every now and then you’ll find that you might need to delete/release a few licenses on your XenDesktop installation, generally due to overuse; this will prevent a user from getting a “not enough licenses available” error.

Environment:

  • Windows 7
  • Citrix XenDesktop 5.6
  • PVS 6.1.16
  • Citrix Receiver 13.4

Differences between the two (detailed info @ CTX135501):

Concurrent:

A concurrent XenDesktop license is tied to a XenDesktop session, not to a specific user or device. When a user launches a session, a license is checked out to that session.

User / Device:

XenDesktop User/Device licenses provide customers with the maximum flexibility of assigning a single license to either a user or a device and supports both license types in the same environment.

Solution:

Head over to your license server

Run the following command from C:\Program Files (x86)\Citrix\Licensing\LS (default license location)

udadmin -list

This command displays who is currently using a license and when it is due to expire.
[Screenshot: udadmin_list_command]

Find the user who you want to delete and then type the following command.

udadmin -f XDT_ENT_UD -user druiz -delete

Some other command examples

udadmin -list
Displays all the users and devices.

udadmin -list -a
Lists all features, versions, counts of licenses, and the users and devices for each feature.

udadmin -f XDT_ENT_UD -user druiz -delete
Releases one user from one feature.

udadmin -f XDT_ENT_UD -device druiz_xdwin7_64 -delete


XenApp 6.5 STAID (ctxsta.conf) not updating when using PVS


Been working on yet another XenApp 6.5 upgrade.  I started noticing  issues with the ctxsta.conf file normally located under C:\Program Files (x86)\Citrix\system32\, where the unique STAID does not update when using Citrix Provisioning Services after the host is rebooted on a XenApp 6.5FP1 host.

This could result in issues with applications failing to open when launched via Access Gateway . Please note I only saw this behavior when using the affected servers as a STA on the Access Gateway (in my case AGEE on NetScaler)

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 FP1
  • PVS 6.1.16
  • Citrix Receiver 13.4

Fix:

Install this limited hotfix from Citrix (XA650R01W2K8R2X64094) which is now part of  Hotfix Rollup Pack 2 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

Once the patch is applied, the STA will get configured correctly with your provisioned XenApp 6.5 FP1 targets.

This issue does not seem to occur if you don’t utilize PVS.

 


XenApp 6.5 image – Citrix Receiver error 2320


While working on another XenApp 6.5 upgrade, I noticed users were getting “Error number 2320” while opening legacy XenApp 5 (4.5 really) applications.

In addition, I was seeing a MSI repair popup when they connected via the internal Citrix Web Interface site.

[Screenshot: receiver_error_2320]

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 FP1
  • PVS 6.1.16
  • Citrix Receiver 11.2 (Please read this article as to why I decided to go with 11.2 on the XenApp 6.5 image, vs Receiver 3.x)

Cause:

It seems the issue was caused by removing the 3.x client and installing 11.2, as incorrect settings remained in the registry.

Fix: (In my case, I created a Computer policy to import the regkeys below)

Error 2320:

Open the Windows registry editor by going to START/Run/regedit.
Navigate to the HK Local Machine registry key below and see if the registry key ClientHostedApps exists; remove it if it is present.

  • 64-Bit System (XenApp 6.5 image)

HKLM\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Control

  • Navigate to the HK Current User registry key below and see if the registry key ClientHostedApps exists; remove it if present.

HKCU\SOFTWARE\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Control

Re-installing client issue: 64-Bit System (XenApp 6.5 image)

  • Navigate to the HK Local Machine registry key below and create a REG_SZ key called ConnectionCenter

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

"ConnectionCenter"="\"C:\\Program Files (x86)\\Citrix\\ICA Client\\concentr.exe\" /startup"

[Screenshot: ctx_connection_center]

 



XenApp 6.5 AppCenter missing hotfixes


Ran into a problem while creating a XenApp 6.5 report, where some hosts did not show any hotfixes installed in AppCenter. 

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 1
  • PVS 6.1.16

Fix:

  • Close AppCenter
  • Open command line on the affected hosts (in my case, our XML brokers)
  • Recreate the Local Host Cache by typing dsmaint recreatelhc
  • Reopen AppCenter

Running dsmaint recreatelhc performs three actions:

  • Sets the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\IMA\RUNTIME\PSRequired to 1.
  • Deletes the existing local host cache (Imalhc.mdb)
  • Creates an empty local host cache (Imalhc.mdb) for the IMA Service on a server to synchronize correctly with the data store (XenApp DB)

Refreshing the Local Host Cache

You can also force a manual refresh of a server’s local host cache by executing dsmaint refreshlhc from a command prompt. This action forces the local host cache to read all changes immediately from the farm’s data store. Refreshing the local host cache is useful, for example, if the Citrix Independent Management Architecture (IMA) Service is running, but published applications do not appear correctly when users browse for application sets.


StoreFront 2.0 – Customization and Default IIS site


Let me start by saying you should not consider doing an in-place upgrade of StoreFront 1.2 to 2.0.  I suggest you start with a new deployment.

Although I was able to get the upgrade working as a personal challenge, I don’t think it is a clean way to go about it.  You can read more about some known issues on this Citrix StoreFront 2.0 upgrade and install issues article

Now, after you have your StoreFront 2.0 “Web Interface” servers installed… let’s make some changes.  Note that the changes below will be replicated to other StoreFront servers in your Server Group, so you don’t have to make changes on multiple hosts :)

[Screenshot: propagate_sft2]

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0

Remove “Activate”

If you are not using a provisioning file to configure your Receiver, open the web.config in the C:\inetpub\wwwroot\[Store]Web\ directory

Locate the following:

<receiverConfiguration enabled="false" downloadURL="ServiceRecord/GetDocument/receiverconfig.cr" />

Change the value of enabled from “true” to “false” (the line above shows it already changed)

[Screenshot: remove_activate_sft2]

Disable Desktop auto-launch

By default, a single XenDesktop or Full Desktop XenApp will auto-launch for the user.

<userInterface frameOptions="deny" autoLaunchDesktop="false">

Change the value of autoLaunchDesktop from “true” to “false” (the line above shows it already changed)

Show Apps as default instead of XenDesktops/Full Desktop XenApp

<uiViews showDesktopsView="true" showAppsView="true" defaultView="apps" />

Change the value of defaultView from “desktops” to “apps” (the line above shows it already changed)

[Screenshot: apps_tab_sft2]

Change Logos

Receiver for Web provides a built-in support for customization through the contrib folder. This folder is located under the Receiver for Web site in the file system (default location is C:\inetpub\wwwroot\sites\Citrix\StoreWeb\contrib) and contains the built-in customization hooks.  It is recommended that all customization code and media are stored under this folder because the content of this folder will be preserved upon upgrade to the subsequent releases.

Using the contrib folder you can upload your logos and create syntax such as below.  You will need to change height, width and margin based on your logos

#credentialupdate-logonimage, #logonbox-logoimage {
    background-image: url("company_whiteTrans.png");
    height: 64px;
    width: 353px;
}

#header-logo {
    background-image: url("company_whitetrans_small.png");
    height: 31px;
    margin: 8px 0 0 22px;
    width: 179px;
}

Set StoreFront as the Default Page within IIS

Now… let’s set that StoreFront site as your default site. As we recall, with the legacy Web Interface component each Web site had the option to be the default page for the IIS site. This option is not available in StoreFront. :(

To make a Storefront Web site the default page within the IIS site, complete the following procedure:

  • Open Notepad and paste the following text:

    <script type="text/javascript">
    <!--
    window.location="/Citrix/StoreWeb";
    // -->
    </script>
    Note: Replace /Citrix/StoreWeb with the correct path to your Store’s Web site, if required.

  • Select File > Save As and browse to the IIS folder; by default, C:\inetpub\wwwroot is the IIS folder.
  • Select the Save as type to All types.
  •  Type a file name with an html extension, and select Save.

  • Open IIS Manager.
  • Select the SERVERNAME node (top-level) and double-click Default Document, as shown in the following screen shot:

  • Select Add…, and enter the file name of the .html file provided in Step 4.

  • Ensure the .html file is located at the top of the list, as shown in the following screen shot:

  • Open the command prompt and run the following command:
    IISRESET

You can read more info on this under this CTX article


Hide XenApp Full Desktop/XenDesktop icons from WI 5.4 Services site


While working on a new XenApp 6.5 implementation, we decided to deploy “XenApp Full Desktops” (AKA Poor Man’s VDI) with published apps, and XenDesktops all talking to a single XenApp Service Site (AKA PNAgent) -> behind multiple Services Site load balanced by the NetScaler that is :)

When you use single XenApp Services site to manage both XenApp and XenDesktop environments, or you’re providing published desktop and applications from your XenApp farm and XenDesktops, you’ve probably noticed that your users will get the Full Desktop icon and/or XenDesktop in their start menu.

Picture below shows me connected to a XA 6.5 Full Desktop running Citrix Receiver 3.4 Enterprise (I know 30MBs per user session).  The issue here is why should I see the XenApp Desktop icon when I am already connected to it?

[Screenshot: full_desktop_hide_pna]

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2 / XenDesktop 5.6 <- (I know, not XD 7 yet)
  • PVS 6.1.16
  • StoreFront 2.0 / Web Interface 5.4

Solution:

Follow the instructions on CTX123969  which shows how to hide Published Applications, however keep in mind the goal here is not to hide published apps, but rather hide desktops from both XenApp and XenDesktop.

Replace the code with the following:

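// Keep every resource that is not a desktop (XenApp Full Desktop or XenDesktop).
java.util.ArrayList filtered = new java.util.ArrayList();

for (int i = 0; i < resources.length; i++) {
    if (!(resources[i] instanceof com.citrix.wing.webpn.DesktopInfo)) {
        filtered.add(resources[i]);
    }
}
// Hand the filtered list back as the ResourceInfo[] array the rest of the page uses.
resources = (ResourceInfo[]) filtered.toArray(new ResourceInfo[0]);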

 


XenApp 6.5 Client side flash rendering with Internet Explorer 9


Client side rendering is something that improves the overall user experience when working with XenApp and XenDesktop technologies.

However, many folks out there know that client side flash rendering on XenApp/XenDesktop can be a full time job… especially when you introduce Internet Explorer 9 into the environment.

The issue below is one of those: when “googling” you find only a few hints towards the same issue but with no solution.  After fighting this for a few days, I was able to get things to work on a new XenApp 6.5 with Internet Explorer 9 installed.  My thoughts are that it’s only the new Version 2 Flash Legacy that doesn’t support IE9.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0 / Web Interface 5.4
  • Internet Explorer 9

What is HDX MediaStream Flash Redirection:

Flash Redirection allows you to move the processing of most Adobe Flash content from Internet Explorer on the server to LAN- and WAN-connected users’ Windows and Linux devices.  This processing includes animations, videos, and applications.

By moving the processing to the user device, Flash Redirection helps reduce server and network load, resulting in greater scalability while ensuring a high definition user experience.

Important:

Two types of Adobe Flash Player are required to use Flash Redirection.  One type is used with Windows Internet Explorer and is identified by Adobe as Flash Player for Windows Internet Explorer. This player is sometimes referred to as an ActiveX player.

The second type is used with non-Internet Explorer browsers and is identified by Adobe as Flash Player for Windows – Other Browsers. This player is sometimes referred to as an NPAPI (Netscape Plugin Application Programming Interface) Flash Player.

Second Generation Flash Redirection has been revised for use with

  • Citrix XenApp 6.5
  • Citrix XenDesktop 5.5
  • Citrix Receiver 3.x

New second generation Flash Redirection features include:

  • WAN-connected user support.
  • The second generation and legacy versions of Flash Redirection are complete and run in separate virtual channels.
  • Intelligent Fallback, which allows Flash sessions, on a per-instance basis, to be determined to be more efficient when rendered on the server.
  • The Flash URL Compatibility List replaces the original Flash URL Blacklist setting. Listed URLs can now be blocked or specified for rendering on the user device or the server.

How do you know if this works…? simple, check your Windows Task Manager and see if the PseudoContainer2.exe process is active when viewing Flash content.  If it is not running, then you are not offloading flash to the local device.

Great… now let’s get this working with IE9

  • Download the HDX Monitor 2.0 tool from http://hdx.citrix.com/hdx-monitor/tech-preview.  This will help you validate the operation and configuration of key features of XenDesktop’s and XenApp’s HDX stack.  When you have a session open on a server, you can gather further detail on the HDX operation.

[Screenshot: hdx-mon2]

When you click on the Adobe Flash icon, you will notice that Internet Explorer 9 is not supported, and you will be redirected to install an HDX MediaStream Hotfix from http://support.citrix.com/article/CTX134426.  After this is installed, and you view a session in the HDX Monitor 2.0 tool, you will now see that it is supported.  But it still does not work.

The Fix:

  • Install HDX MediaStream Hotfix (Version 5) HDXFlash200WX64005 – I had to call Citrix Support as this is not a public release as of today.
  • Create the following registry keys – I suggest you do this as a GPO or inject them on your mandatory profile if you use one.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer]
"IEBrowserMaximumMajorVersion"=dword:00000009
"UseFlashRemoting"="Always"

  • Disable the “Flash Intelligence Fallback” Computer policy


Once these settings are set up, go to YouTube or any Flash-based web site, and Receiver will prompt you if you want to optimize the content :) – That is a good sign.

Open the HDX Monitoring tool and you will now notice that IE 9 is supported and Flash Redirection is Active :) … In addition, check your Windows Task Manager and look for the PseudoContainer2.exe process.

Below is a screenshot of my “Flash Redirection” policies located under User\ICA\Adobe Flash Delivery\Flash Redirection\

[Screenshot: Flash Redirection policies]

 


XenApp 6.5 Full Desktop – Hide PVS System Tray


While working on a new XenApp 6.5 Deployment with Citrix Provisioning Services, I noticed the Citrix PVS Target Tools icon in the system tray when connecting to a Full Desktop session, this could be confusing or useless information for users.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0

[Screenshot: pvs_tray_icon]

After researching the web a bit, I came across this HKLM key from Jack Cobben, described in his blog post Hide Virtual Disk Tray Icon, where it simply stated to add the registry value below.

HKLM\Software\Citrix\ProvisioningServices\Status "ShowIcon" (DWORD) 0

This, however, will disable it for all users, even admins, and I wanted to be able to give administrators the option to see the icon.

Solution:

Apply the HKCU key below to your profile solution  based on Group membership

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Citrix\ProvisioningServices]
"StatusTray"=dword:00000000

Once that is in place the icon will go away.


XenApp 6.5 User sessions remain active

While working on an SAP 730 implementation, I noticed a customized application was preventing sessions from logging off when the application was terminated.  This was causing sessions to remain in an active state and the roaming profiles to not sync.
The issue was caused by an application sub-process that was not closing properly.  By default, Citrix XenApp has a hard-coded list of processes that are checked for and terminated when the user logs off.
Environment:
  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0

Solution:

Modify the following registry key with the additional processes you wish to check.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI

Value Name: LogoffCheckSysModules
Type: REG_SZ
String: myapp.exe,myapp2.exe

[Screenshot: processes_screen_reg]


NetScaler 10.1 Unable to load applet


I have been working on a NetScaler 10.1 deployment/migration for the last few weeks, and noticed that I was running into issues with the Citrix NetScaler Java applets built into the GUI.

After thinking it was just me (since I always have Java issues), I noticed other Citrix Admins were experiencing the same.

Environment:
  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.0
  • Citrix NetScaler 10.1 build 122.17

The Fix:

Open up the Windows Control Panel and start the Java Control panel.

  1. Go to General -> Temporary Internet Files -> Settings and Unselect Keep temporary files on my computer.
  2. Go to General -> Advanced and configure the following options
  3. “Mixed code (sandboxed vs trusted) security verification” = “Disable verification”
  4. “Perform certificate revocation checks on” = “Do not check”

Another solution:

 Open the Java Control Panel

  1. In tab Security click on Edit Site List
  2. Click on Add and type in the file:// or http(s):// URL

On January 14 Oracle released Java Runtime Environment (JRE) 7 update 51. Just like previous updates, it raised the security level, which could potentially break existing applications.

Citrix also updated their NetScaler software on December 3rd to meet Oracle’s requirements (download, release notes).

Lastly, the new NetScaler GUI is very slow, however you can still load the old 9.x interface by doing the following

  1. After authenticating to the root page replace “/neo” with “/guia” in the URL after logon.
  2. Login to https://IPADDRESS
  3. After connecting you will be redirected to https://IPADDRESS/menu/neo
  4. Simply update the URL to https://IPADDRESS/menu/guia

And you are back to the old fast interface :)

Hopefully Citrix is working on a new HTML5 interface.



XenApp 6.5 session printers not printing


Citrix has collaborated with HP to test select HP printers and their associated HP print drivers in Citrix environments up to and including Citrix XenApp  6.5 with Windows Server 2008 R2 Edition.

These tests were run to determine how HP printers and their associated printer drivers performed using the standard printer and printer-related features tests that Citrix uses to test its XenApp server and client software.

I was recently working in an environment where some local printers were not showing in the list of “Supported in Citrix environment”. Of course those are the printers we go ahead and buy, and we had an entire department calling to request that this get fixed.

I strongly suggest you head over to http://support.citrix.com/servlet/KbServlet/download/10498-102-649930/HPprinters_CitrixXenApp_1053.pdf and verify ICA ready printers as this could save you a few gray hairs.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.1
  • Citrix NetScaler 10.1 build 122.17

Issue:

Users with local printers connect to XenApp Full Desktop and/or seamless applications. The printer maps and successfully shows under the user session(s), however when printing nothing seems to appear in the print job and nothing prints out.

Resolution:

  • Head over to Citrix App Center and click on your User Policies.
  • Under printing, select Drivers, and Edit the Universal driver preference
  • Reconfigure the ‘Universal driver preference’ driver order to PS;XPS;EMF;PCL5c;PCL4



Customize AGEE logon page for NetScaler 10.1 via Rewrite policies


While migrating to Access Gateway on the NetScaler 10.1, I noticed the rewrite policies I implemented on 9.3 did not work.

While this can be done with some HTML customization, etc, and/or creating your own NetScaler theme, I just wanted to change the logon page by NetScaler Rewrite Policies.

Below are the policies that will allow you to do this.

Environment

  • MPX 8200 NetScaler 10.1: Build 122.17.nc
  • Web Interface 5.3 (Can’t deploy StoreFront here due to custom code we use)

Issue:

When two factor authentication is configured on Access Gateway Enterprise Edition, the user is prompted for User name, Password 1, and Password 2.

The issue seems to be due to a change in the ‘ns_showpwd’ function in login.js under /var/netscaler/gui/vpn/, which has been updated since 9.3.

Solution:

1. Create the following actions under “Rewrite/Actions” from the NetScaler CLI with PuTTY (no need to go into shell mode)

Rewrite Actions:

add rewrite action AD_agee_delete_rewrite_action delete_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" -pattern "document.write(\'&nbsp;1\');" -bypassSafetyCheck YES

add rewrite action AD_agee_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"AD Password\'\"" -pattern "\"Password\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password\"\)[ ]*!)/

add rewrite action RSA_agee_replace_rewrite_action replace_all "http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)" "\"RSA Code:\'\"" -pattern "\"Password2\"" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*\'[ ]*\+[ ]*_\(\"Password2\"\)[ ]*!)/

Rewrite Policies:

add rewrite policy AD_agee_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_agee_replace_rewrite_action

add rewrite policy RSA_agee_rewrite_pol "http.req.url.path.endswith(\"vpn/login.js\")" RSA_agee_replace_rewrite_action

add rewrite policy AD_agee_delete_pol "http.req.url.path.endswith(\"vpn/login.js\")" AD_agee_delete_rewrite_action

Bind the policies:

bind rewrite global AD_agee_rewrite_pol 100 NEXT -type RES_OVERRIDE

bind rewrite global RSA_agee_rewrite_pol 110 NEXT -type RES_OVERRIDE

bind rewrite global AD_agee_delete_pol 120 NEXT -type RES_OVERRIDE

Result:

Responder Policy AGEE 10.1



How to HA Citrix PVS TFTP services via NetScaler 10.1 using RNAT


I was recently working on a project to migrate a pair of NetScalers from FW 9.3 to a new set of MPX appliances running 10.1: Build 122.17.nc.

I was very pleased to know that Citrix deployed a native way to load balance TFTP traffic via NetScaler 10.1, primarily to HA PVS TFTP traffic. You can read how to do this in this post by Adam Gamble.

Be cautious! Citrix confirmed this is an issue on 10.1; however, it has been fixed in version 10.1 build 123.x or later. Their suggestion is to upgrade to the latest 10.1 version (build 128.8); I did not test with 10.5 yet. The issue is caused by a Packet Process Engine crash when TFTP traffic is triggered through the NetScaler, which will cause your NetScaler to reboot and in some cases corrupt the NetScaler config file (ns.conf).

Below is a way to get the darn TFTP process to work via UDP load balancing using an RNAT and utilizing USIP mode.

Environment

  • MPX 8200 NetScaler 10.1: Build 122.17.nc

Solution:

In my case I created a new subnet for this. The reason is that, as you may already know, the source IP of traffic is usually your SNIP; however, when using an RNAT you will see the source IP coming from the configured RNAT IP and not the SNIP. So this is up to you. Where I work now, source IP is a big deal.

For this example let's use a random 172.16.88.0/24 subnet.

1. Create new NetScaler SNIP for the new Subnet 172.16.88.0/24 under NetScaler> System > Network > IPV4s

Then create your VIP that you will use for your DHCP Option 066 reservation.

SNIP: 172.16.88.99 

VIP: 172.16.88.35

2. Let's create a new VLAN 999 (your VLAN TAG) for the 172.16.88.0/24 subnet (yes, you can shrink the subnet size, I am just using this as an example :)) and, in my case, TAG the interface 1/1 to save some ports. You can do this under NetScaler> System > Network > VLAN (Interface 1/1 is set up with full Trunk)

3. To be safe I like to ensure a new DIRECT route is created for the new Subnet to utilize the new SNIP.  This is under  NetScaler> System > Network > Routes > Basic

In this case, it would be Network: 172.16.88.0 Netmask 255.255.255.0 Gateway (Your SNIP): 172.16.88.99


4. Create RNAT under NetScaler> System > Network > Routes > RNAT

set ns rnat <Host/ Subnet IP> <Host/Subnet Mask> -natip <VIP IP>

In this case Network: 172.16.88.0 Netmask: 255.255.255.0 NatIP (Your VIP that will load balance that TFTP process) 172.16.88.35

5. OK, the hard part is done. Let's now create the TFTP servers under NetScaler > Traffic Management > Load Balancing > Servers

TFTP01 = 172.16.88.212

TFTP02 = 172.16.88.213

6. Create your Service Groups under NetScaler > Traffic Management > Load Balancing > Service Groups. Under Advanced ensure “Use Proxy Port” is set to “No” and “USIP” mode is set. If this is not set, your TFTP traffic will not function.

7. Create VIP (172.16.88.35) under NetScaler > Traffic Management > Load Balancing > Virtual Servers

Bind Service Group previously created

8. OK, no more NetScaler work. Since we are using “Use Source IP”, we need to set the default gateway on the TFTP servers (TFTP01/02) to the NetScaler SNIP 172.16.88.99

9. Lastly, change your DHCP scope so that the Boot Server Host Name under option 066 points to your VIP 172.16.88.35

You are all set, now to update to 10.5 I guess :P



Customizing Citrix StoreFront 2.6 including Pre-Login message page


Here are my StoreFront customizations for Citrix StoreFront 2.6. Many are similar to previous versions of SF; however, some of the syntax changed.

There are some good improvements/features SF 2.6 brings. One that I like, and that works best where I currently work, is the Web Folder View, which in the past had to be done by running StoreFront in lock down mode. This new view can certainly help your users feel more comfortable when moving from Web Interface.

First, take a look at the new features of StoreFront, which are listed under this link from Citrix.

Secondly, I would like to thank Sam Jacobs, who provided some of the code he presented at Citrix Synergy 2014. You can view the presentation here.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.6
  • Citrix NetScaler 10.1 build 122.17

Customizations: all custom files need to be created under the contrib folder, which is located under the SF site in the file system (typical location is C:\inetpub\wwwroot\sites\Citrix\StoreWebName\contrib).

The customizations include the following:

  • Pre-Login message page
  • Front Page with custom logo and title header
  • App/Desktop page with custom logo, user client IP (for NetScaler load balancing, make sure to use X-Forwarded-For to load balance your StoreFront servers; utilizing CLIENT-IP for your VIP will return the SNIP of your NetScaler as the source IP for the user client IP module :P)
  • Apps/Desktop Tab on top with Disable user multiclick
  • Page footer

Back up the original files under C:\inetpub\wwwroot\sites\Citrix\StoreWebName\contrib

Steps:

1. Overwrite the following files

  • custom.wrstrings.en.js
  • custom.script.js
  • custom.style.css

2. Create new files

  • GetServerData.aspx
  • companylogo_whiteTrans.png
  • companylogo_whitetrans_small.png

Code:

custom.wrstrings.en.js

(function ($) {
    $.localization.customStringBundle('en', {
        Disclaimer: 'Authorized Use Only',
        DisclaimerStatement: 'You must be assigned an account to access this system.'
            + ' The information on this system and network is the property of this organization and is protected by intellectual property rights.'
            + ' By clicking the button below, you are consenting to the monitoring of your activities on the system',
        Continue: 'Continue'
    });
})(jQuery);

custom.script.js (You can certainly change the way I am working with $(document).ready(function() { and clean it up a bit)

// StoreFront customizations

// Replace title
document.title = 'Remote Access';

// Place Apps/Desktop Tab on top
$(document).ready(function() {
    $("#resources-switcher").detach().appendTo("#resources-header");
});

// Disable User Multi Click :P
$(document).ready(function() {
    CTXS.Resources.multiClickTimeout = 10;
});

// Display client IP and StoreFront server
$.ajax({
    url: 'contrib/GetServerData.aspx?serverData=clientIPandServerName',
    success: function(data) {
        var $markup = $('<div id="server-info">' + data + '</div>');
        $markup.insertBefore('#header-userinfo');
    }
});

// Logon page footer text

// $(document).ready(function() {
//     var $footercontent = $('<div id="authentication-footer"><div id="authentication-copyrightfooter"> <p id="authentication-copyrightFooterText"></p></div></div>');
//     $footercontent.insertAfter('#logonbelt-bottomshadow');
// });

// $(document).ready(function() {
//     $('#authentication-copyrightfooter')[0].innerHTML =
//         '<p>&copy;2014&nbsp; Access restricted to authorized users.</p>';
// });

// application page footer text

$(document).ready(function() {
    $('#copyrightfooter')[0].innerHTML = '<p>&copy;2014&nbsp; Name of your company</p>';
});

// Prelogin page

$(document).ready(function() {
    CTXS.Application.preLoginHook = function () {
        var _dialogTitle = '<h1'
            + ' class="messagebox-title _ctxstxt_Disclaimer"></h1>';
        var _dialogBody = '<div class="messagebox-body">' +
            '<p class="_ctxstxt_DisclaimerStatement"></p></div>';
        var _dialogButton = '<div class="messagebox-buttons">' +
            '<a href="#" class="button _ctxstxt_Continue"></a></div>';
        var dialog = _dialogTitle + _dialogBody + _dialogButton;
        var $messagePane = CTXS.displayMessagePane(dialog).ctxsLocalize();
        var $button = $messagePane.find('.button');
        $button.click(function () {
            CTXS.Events.publish(CTXS.Events.preLogin.done);
            return false;
        }).ctxsHandleEscapeKeyInDialog().ctxsPlaceFocusOnFirstElement(
        ).ctxsBindFocusWithin();
    };
});

custom.style.css

/*
StoreFront customizations
*/

#credentialupdate-logonimage, #logonbox-logoimage {
background-image: url("companylogo_whiteTrans.png");
height: 50px;
width: 283px;
}

#header-logo {
background-image: url("companylogo_whitetrans_small.png");
height: 31px;
margin: 8px 0 0 22px;
width: 179px;
}

#resources-header {
height: 84px;
}

#resources-switcher {
padding-top: 48px;
text-align: center;
}

/* Help Desk info */

/* Logon labels */
#logonbox-logonform label{
color:white;
display:table-cell;
font-size:14px;
height:20px;
vertical-align:bottom;
}

/* welcome message and username */
#resources-header #header-userinfo {
float:left;
margin-top:12px;
margin-right:100px;
vertical-align:middle;
color:white;
}

#header-username,
#header-userinfo A {
color:white;
font-size:12px;
}

/* for added server info */
#server-info {
color: white;
font-size:12px;
float: left;
margin-right: 40px;
margin-top: 12px;
position: relative;
vertical-align: middle;
}

/* EOF Help Desk info */

/* Logon page footer text
#copyrightfooter p,
#copyrightfooter a,
#authentication-copyrightfooter p,
#authentication-copyrightfooter a
{color:white;}

*/
/* turn off searchbox
#resources-searcharea {
display: none;
}
*/

GetServerData.aspx

<%@ Page Language="C#" %>

<script runat="server" language="C#">

    // Returns the first X-Forwarded-For entry if present, otherwise REMOTE_ADDR
    private string GetClientIP()
    {
        string ips = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

        if (!string.IsNullOrEmpty(ips))
        {
            return ips.Split(',')[0];
        }

        return Request.ServerVariables["REMOTE_ADDR"];
    }

    private string GetServerName()
    {
        // for security purposes, only return the last 2 chars
        string server = Environment.MachineName;
        return server.Substring(server.Length - 2);
    }
</script>

<%
    // what server data are we looking for?
    string sData = Request["serverData"] + "";

    switch (sData)
    {
        case "clientIP":
            Response.Write(GetClientIP());
            break;

        case "serverName":
            Response.Write(GetServerName());
            break;

        case "clientIPandServerName":
            Response.Write("Client IP: " + GetClientIP() +
                "&nbsp;&nbsp;&nbsp;&nbsp; Server: " + GetServerName());
            break;

        default:
            break;
    }
%>
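
The GetClientIP() logic above, modelled in JavaScript as an added example (not part of the original post or of the code credited to Sam Jacobs): the first X-Forwarded-For entry comes from the request, and custom.script.js inserts the response as HTML, so this version returns the value only when it is an IP literal and HTML-encodes what it writes. The helper names and sample header values are constructed; the same checks would go into the C# page.

```javascript
// Added example (not from the original post). JavaScript model of GetClientIP()
// from GetServerData.aspx; helper names and sample values are constructed.

// Strict dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
function isIPv4(s) {
  const parts = String(s).split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// IPv6 in plain hex-group form (no embedded IPv4, no zone id):
// at most one "::", groups of 1-4 hex digits, 8 groups unless "::" is used.
function isIPv6(s) {
  const halves = String(s).split('::');
  if (halves.length > 2) return false;
  const groups = halves.flatMap(h => (h === '' ? [] : h.split(':')));
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

const isIp = s => isIPv4(s) || isIPv6(s);

// Same choice as the page (first X-Forwarded-For entry, else REMOTE_ADDR),
// but a value that is not an IP literal is never returned. The first entry
// is supplied by the request, so treat the result as display-only.
function getClientIp(xForwardedFor, remoteAddr) {
  const first = String(xForwardedFor || '').split(',')[0].trim();
  if (isIp(first)) return first;
  return isIp(remoteAddr) ? remoteAddr : 'unknown';
}

// Encode the characters that matter when text is placed inside HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Builds the string the "clientIPandServerName" case writes to the response.
function serverInfo(xForwardedFor, remoteAddr, machineName) {
  return 'Client IP: ' + escapeHtml(getClientIp(xForwardedFor, remoteAddr)) +
    '&nbsp;&nbsp;&nbsp;&nbsp; Server: ' + escapeHtml(String(machineName).slice(-2));
}

// Constructed header values: proxy chain, no header, malformed first entry.
const samples = [
  ['203.0.113.7, 172.16.88.99', '172.16.88.99'],
  ['', '172.16.88.99'],
  ['<b>bogus</b>, 203.0.113.7', '172.16.88.99'],
];
for (const [xff, addr] of samples) console.log(serverInfo(xff, addr, 'SF01'));
```
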

 

Hope this helps you :)


Customizing Citrix NetScaler Gateway 10.5 logon page with Dual Factor Authentication


Following up on my instructions on how to customize the new version of Citrix StoreFront 2.6, below is how you can create your own Citrix NetScaler Gateway customization package and ensure your changes are not lost when the appliance is rebooted.

Environment:

  • Windows 2008 R2
  • Citrix XenApp 6.5 Hotfix Rollup Pack 2
  • PVS 6.1.16
  • StoreFront 2.6
  • Citrix NetScaler 10.5: Build 53.9.nc
  • RSA for dual factor

Now in my case, we are utilizing RADIUS for secondary authentication. After creating the AGEE site, make sure the site is set to “Green Bubble”: under “NetScaler” > “Global Settings” > “Change Global Settings”, head over to the “Client Experience” tab and select “Green Bubble” under the “UI Theme”.

Once complete, your site will look something similar to the picture below.

Now let's customize the following:

  • Logo
  • First Authentication box
  • Second Authentication box
  • Fix Compatibility issues with Internet Explorer 11

Solution: (Connect to your NetScaler via WinSCP)

1. Copy the vpn folder from /var/netscaler/gui/ to your local desktop

2.  Edit “login.js” under /var/netscaler/gui/vpn to fix the “Password 1” entry

Around line 93

Replace

if ( pwc == 2 ) { document.write('&nbsp;1'); }

With

if ( pwc == 2 ) { document.write('&nbsp;'); }

3. Upload your company logo under /var/netscaler/gui/vpn/media

4. Update “ctxs.authentication.css” under /var/netscaler/gui/vpn/css to update your logo and height and width where the logo will be placed

In my case, our company logo was bigger than the logo provided by Citrix. So I needed to modify the height and the width.

Around line 210

#logonbox-logoimage
{
background-image: url(“../media/company_logo.png”);
border: 0 none;
float: right;
height: 48px;
position: absolute;
right: 71%;
top: 80px;
width: 273px;
}

5. Update “en.xml” under /var/netscaler/gui/vpn/resources  to change “Password 2:” for the secondary authentication box

Around line 83:

Replace

<String id="Password2">Password 2:</String>

With

<String id="Password2">RSA Code:</String>

6. Fix the Internet Explorer 11 compatibility issue. The quick fix is to tell IE11 to use compatibility mode; however, you can force the NetScaler page to emulate IE v.9. You can read more about this under http://stackoverflow.com/questions/6771258/whats-the-difference-if-meta-http-equiv-x-ua-compatible-content-ie-edge-e

Edit index.html under /var/netscaler/gui/vpn

Under line 4 place

<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />

7. Upload your modified files and logo

8. Head over to your site and make any corrections. Once you are happy with the results, create your custom package.

Open PuTTY and log in as nsroot, then type the following (note the name of the compressed file; it needs to match “customtheme.tar.gz”):

  • shell
  • mkdir /var/ns_gui_custom
  • cd /netscaler
  • tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

9. Now apply the package to your AGEE sites

  • In the configuration utility, under the Configuration tab, expand “NetScaler Gateway” and then click “Global Settings”.
  • In the details pane, under Settings, click Change global settings.
  • In Global NetScaler Gateway Settings, click the Client Experience tab.
  • Next to UI theme, click Custom and then click OK.


10. Reboot the NetScaler and you will notice your changes are intact.
