Create and Install a SAN certificate (Subject Alternative Name) in Windows without third-party tools


There are times when you will want to create a SAN (Subject Alternative Name) certificate for the deployments in your organization. This is a more secure approach than a wildcard certificate, because the certificate is valid only for the specific host names listed in it rather than for every host in the domain. Unless one of the machines named in the certificate is itself compromised, it is very hard to impersonate them and do any real harm.

In this blog post, I will show you how to create a CSR (Certificate Signing Request) using any Windows machine in the organization that’s domain joined and subsequently, use the request file to issue a certificate using the internal Certification Authority (CA) server.

Create a Certificate Signing Request (CSR)

The first step is to create a CSR file and you can use any domain joined Windows server in the organization. I have used the Citrix Storefront server in this example.

Open the MMC console and add the Certificates snap-in for the Local Computer. Right-click the Personal node on the left and select All Tasks –> Advanced Operations –> Create Custom Request

Choose Proceed without enrollment policy and click Next. Choose (No template) Legacy Key for compatibility reasons and PKCS#10 as the request format.

Click Next and click Properties

Give a friendly name for the certificate and a description. Ensure that you hit Apply as soon as you are done with the tab.

Click on the Subject tab and add all the hostnames under “Alternative Name”

Under Subject Name, enter the Common Name (CN), Organizational Unit (OU), Organization (O), State (S) and Country (C) values. Click Apply

Under the Extensions tab, expand Extended Key Usage (application policies) and select Server Authentication and Client Authentication

Click Apply

Under the Private Key tab, set the Key size to 2048 under Key options

P.S – Using a key size of 4096 or above will cause issues with NetScaler monitors failing if VPXs are used. MPXs don’t have this issue.

Tick Make Private Key exportable

Select Exchange as the Key type

Click Apply. Click OK

Select a location to save the file. Choose the file format as Base 64

Click Finish

Send the Certificate Request

Now navigate to the URL of the internal Certificate Authority (CA) server. Replace your CA server name for the <certauthority> value.

https://<certauthority>/certsrv
  • Click the Request a Certificate link.
  • Click the Advanced certificate request link.
  • Click Submit a certificate.
  • Paste the contents of your CSR file into the Saved Request text box. (Open the CSR file (with a .req extension) in Notepad and copy the contents without any leading or trailing spaces.)
  • For the Certificate Template drop-down list, select Web Server.
  • Click Submit.

Once you click Submit, the CA returns a confirmation page (shown in the original screenshot).

Issue the Certificate

  • Connect to the server where the Certification Authority is installed, if necessary.
  • Select Start > Control Panel > Administrative Tools > Certification Authority.
  • In the Certification Authority (Local) tree, select Your Domain Name > Pending Requests.
  • Select the CSR in the right navigation pane.
  • In the Action menu, select the ID number of the request > Issue.
  • Close the Certification Authority window.

Download the Certificate

  • In your web browser address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv.
  • Click the View the status of a pending certificate request link.
  • Select the certificate request with the time and date you submitted.
  • Select the encoding format for the downloaded certificate, such as Base 64 for a PEM certificate.
  • Click Download CA certificate to save the certificate. The certificate will have .CER extension

Install the Certificate

  • Navigate to the server where the certificate needs to be installed.
  • Open a MMC console as Administrator and add Certificate snap-in under Local Computer
  • Expand Personal node and right click the Certificates node.
  • Select All Tasks –> Import
  • Click Next
  • Locate the downloaded certificate file
  • Click Next
  • Place it under Personal node
  • Click Next
  • Click Finish

Note – The installed certificate in the Certificates MMC shows a little key symbol and a badge. You need to see both of these for the certificate to work and to show up in IIS Manager in the later steps.
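The same request can be produced from the command line with certreq.exe, which ships with Windows. The script below is an added example, not part of the original post: each setting in the .inf file corresponds to a choice made in the wizard above (legacy key, Exchange key type, 2048-bit exportable key, PKCS#10, Server and Client Authentication EKUs, the SAN list), and it then submits the request to the CA and installs the issued certificate. The host names, subject values, CA name and paths are assumptions for illustration.

```powershell
# Added example (not from the original post): the SAN request the MMC custom-request wizard
# builds, produced with certreq.exe. Host names, subject values, CA name and paths are assumptions.
$workDir = 'C:\Temp\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Each setting below corresponds to a choice made in the wizard.
$requestInf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=storefront.example.com, OU=IT, O=Example Corp, S=Victoria, C=AU"
KeyLength = 2048                 ; Private Key tab > Key size
KeySpec = 1                      ; AT_KEYEXCHANGE = "Exchange" key type
Exportable = TRUE                ; "Make private key exportable"
MachineKeySet = TRUE             ; Local Computer store, as in the snap-in
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12                ; legacy CSP = "(No template) Legacy Key"
RequestType = PKCS10             ; request format
HashAlgorithm = sha256
FriendlyName = "StoreFront SAN certificate"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2          ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"             ; Subject Alternative Name: every host name the cert is valid for
_continue_ = "dns=storefront.example.com&"
_continue_ = "dns=sf01.example.com&"
_continue_ = "dns=sf02.example.com"
'@
Set-Content -Path "$workDir\storefront.inf" -Value $requestInf -Encoding ASCII

# 1. Generate the key pair in the Local Computer store and write a Base64 PKCS#10 request
certreq.exe -new "$workDir\storefront.inf" "$workDir\storefront.req"

# 2. Submit it to the internal CA with the Web Server template (equivalent of the certsrv pages).
#    -config is "<CA host>\<CA common name>". If the CA queues the request under Pending Requests,
#    certreq prints a RequestId; issue it in the Certification Authority console, then fetch it with
#    certreq.exe -retrieve -config 'CA01.example.com\Example-Issuing-CA' <RequestId> "$workDir\storefront.cer"
certreq.exe -submit -config 'CA01.example.com\Example-Issuing-CA' `
    -attrib 'CertificateTemplate:WebServer' "$workDir\storefront.req" "$workDir\storefront.cer"

# 3. Install the issued certificate; certreq pairs it with the private key created in step 1
certreq.exe -accept "$workDir\storefront.cer"

# 4. Verify: the private key must be present (the key icon in the MMC) and the SANs must be what you asked for
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'StoreFront SAN certificate' } |
    ForEach-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        "Thumbprint    : $($_.Thumbprint)"
        "HasPrivateKey : $($_.HasPrivateKey)"
        "SAN           : $($san.Format($false))"
    }
```

Run it in an elevated PowerShell on the domain-joined server that should hold the private key. The final check is the command-line equivalent of looking for the key icon in the MMC: if HasPrivateKey is False, the certificate was installed on a machine other than the one that generated the request and will not appear in IIS Manager.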

Export the certificate as a .PFX file

Now, you need to export the certificate as a PFX file so that it can be installed on all the other servers, which have no knowledge of the private key used when creating the CSR. If you recall, we created the CSR on one of the Storefront servers. The PFX file contains the private key, which is essential for SSL deployments.

  • Navigate to the server where the certificate has been already installed.
  • Open a MMC console as Administrator and add Certificate snap-in under Local Computer
  • Expand Personal node and right click the Certificates node.
  • Select All Tasks –> Export
  • Click Next
  • Export the private key
  • Click Next
  • Under Personal Interchange Format, PKCS#12, tick all options except “delete the private key after successful export”
  • Click Next
  • Give it a password of your choice (make sure that you remember this; This is required for installing the certs on other servers)
  • Specify a file name to save it in a location
  • Click Next
  • Click Finish

Bind the website in IIS

  • Open IIS Manager and expand the Server name and choose the Default Web Site
  • Under Actions, select Bindings
  • Add the https and select the newly installed certificate
  • Click OK

Install the exported PFX certificate on the other servers and change the binding to https following the steps above. That’s all there is to it, folks.
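The export, import and IIS binding steps above can also be scripted with the PKI and WebAdministration modules that ship with Windows Server. This is an added example, not code from the original post; the friendly name, share path and site name are assumptions. The first half runs on the server that holds the private key, the second half on each server that receives the PFX.

```powershell
# Added example (not from the original post): export the certificate with its private key to a
# PKCS#12 (.pfx) file, import it on another server and bind it to the Default Web Site on port 443.
# The friendly name, share path and site name are assumptions for illustration.
Import-Module PKI
Import-Module WebAdministration

$friendlyName = 'StoreFront SAN certificate'
$pfxPath      = '\\fileshare\certs$\storefront.pfx'   # the PFX holds the private key: keep the share restricted
$pfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString   # prompt rather than hard-code it

# --- Run on the server that holds the private key (where the CSR was created) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName -and $_.HasPrivateKey }
if (-not $cert) { throw "No certificate with a private key named '$friendlyName' in LocalMachine\My" }
# BuildChain = the wizard's "Include all certificates in the certification path if possible".
# Export-PfxCertificate never deletes the private key from this server.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# --- Run on every other server that needs the certificate ---
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword -Exportable
# The PFX may carry the chain as well; the end-entity certificate is the one with the private key
$thumbprint = ($imported | Where-Object HasPrivateKey | Select-Object -First 1).Thumbprint

# IIS: add an https binding to the site (skipped if one exists) and attach the certificate to it
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
# The IIS:\SslBindings drive maps <ip>!<port> to a certificate in LocalMachine\My
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding -Force }
New-Item -Path $sslBinding -Value (Get-Item "Cert:\LocalMachine\My\$thumbprint") | Out-Null

# Verify the binding and that the private key followed the certificate
Get-WebBinding -Name $site
(Get-Item "Cert:\LocalMachine\My\$thumbprint").HasPrivateKey
```

Prompting for the PFX password keeps it out of the script and the PowerShell history; the password protects a file that contains the private key, so treat the export share the same way.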

If there is anything that’s unclear, please feel free to comment or provide feedback in the comment section below.

Find the Total Unique & Peak Licenses Usage in XenApp/XenDesktop


Okay, this is going to be a short one. I came across this while investigating an issue for a customer who runs a XenApp 7.15 LTSR farm. Well, “Citrix Virtual Apps” as it is called these days. Citrix, what’s up with changing product names every year? You gotta stop doing this, for God’s sake. Peace.

Here is the command. Firstly, load the Citrix cmdlets by running

asnp Citrix*

Now, the actual command to find the information

Get-BrokerSite

The result will look like the below

Look for the two properties highlighted in yellow in the screenshot above – PeakConcurrentLicensesUsers and TotalUniqueLicenseUsers

Extract/List the Applications from a Delivery Group – XenApp/XenDesktop 7.x


This is going to be a quick post to explain how you can extract all the AD groups that are currently used for the various applications you serve from XenApp/XenDesktop 7.x farms. This came in very handy when I had a large number of applications that needed to be migrated to a new XenApp 7.15 LTSR farm. It is also very useful for documentation purposes.

First up, you will need to find the UUID of the Delivery Group that you want to extract the details from. If you have multiple Delivery Groups, you will need the UUIDs of all of them.

To find the UUID, run the command below in a PowerShell window in admin mode

asnp Citrix*
Get-BrokerDesktopGroup

This returns the details of all the Delivery groups in the XenApp farm.

Take note of the UUID value

Now run the below to show the application names and the assigned user AD groups

Get-BrokerApplication -AssociatedDesktopGroupUUID 918bd477-6848-4d27-b98d-28296e78d6a1 | select ApplicationName,AssociatedUserFullNames

You can get all sorts of results by changing the filters. I have listed all the available Application filters from XenApp 7.16 below

AdminFolderName
AdminFolderUid
AllAssociatedDesktopGroupUUIDs
AllAssociatedDesktopGroupUids
ApplicationName
ApplicationType
AssociatedApplicationGroupUUIDs
AssociatedApplicationGroupUids
AssociatedDesktopGroupPriorities
AssociatedDesktopGroupUUIDs
AssociatedDesktopGroupUids
AssociatedUserFullNames
AssociatedUserNames
AssociatedUserUPNs
BrowserName
ClientFolder
CommandLineArguments
CommandLineExecutable
ConfigurationSlotUids
CpuPriorityLevel
Description
Enabled
HomeZoneName
HomeZoneOnly
HomeZoneUid
IconFromClient
IconUid
IgnoreUserHomeZone
MachineConfigurationNames
MachineConfigurationUids
MaxPerUserInstances
MaxTotalInstances
MetadataKeys
MetadataMap
Name
PublishedName
SecureCmdLineArgumentsEnabled
ShortcutAddedToDesktop
ShortcutAddedToStartMenu
StartMenuFolder
Tags
UUID
Uid
UserFilterEnabled
Visible
WaitForPrinterCreation
WorkingDirectory

I wanted to get a bit more information so I ran the below to get what I need.

PS C:\Temp\Lal> Get-BrokerApplication -AssociatedDesktopGroupUUID d7dd0daa-6798-4a95-9264-33e2ed15ac2e | select ApplicationName, PublishedName, CommandLineExecutable, CommandLineArguments, WorkingDirectory, AssociatedUserFullNames

Or simply run the below which shows the various filters that you can use for a given application

Get-BrokerApplication
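For a migration or documentation run you usually want every Delivery Group, not one UUID at a time. The script below is an added example, not from the original post: it loops over all Delivery Groups with the same Broker cmdlets used above, collects the properties listed earlier together with the assigned AD groups, and writes them to a CSV. The output path is an assumption.

```powershell
# Added example (not from the original post): list the published applications of every Delivery Group
# with their assigned AD groups and export the result to CSV. The output path is an assumption.
asnp Citrix*

$outFile = 'C:\Temp\PublishedApps.csv'

$rows = foreach ($dg in Get-BrokerDesktopGroup) {
    # -MaxRecordCount lifts the default 250-record cap so large farms are not silently truncated
    Get-BrokerApplication -AssociatedDesktopGroupUUID $dg.UUID -MaxRecordCount 5000 |
        ForEach-Object {
            [pscustomobject]@{
                DeliveryGroup         = $dg.Name
                DeliveryGroupUUID     = $dg.UUID
                ApplicationName       = $_.ApplicationName
                PublishedName         = $_.PublishedName
                Enabled               = $_.Enabled
                CommandLineExecutable = $_.CommandLineExecutable
                CommandLineArguments  = $_.CommandLineArguments
                WorkingDirectory      = $_.WorkingDirectory
                # AssociatedUserFullNames is multi-valued; join it so it survives the CSV export
                AssignedGroups        = ($_.AssociatedUserFullNames -join '; ')
                UserFilterEnabled     = $_.UserFilterEnabled
            }
        }
}

$rows | Sort-Object DeliveryGroup, ApplicationName |
    Export-Csv -Path $outFile -NoTypeInformation

# Sanity check before a migration: applications with no per-application user filter
# (UserFilterEnabled = False) are visible to everyone entitled to the Delivery Group
$rows | Where-Object { -not $_.UserFilterEnabled } |
    Select-Object DeliveryGroup, ApplicationName, AssignedGroups
```

The final query is worth keeping in the documentation: an application published without a user filter is reachable by every user of the Delivery Group, which is often not what the application owner expects once the farm is rebuilt.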

That’s it for now. I hope this helps someone with their PowerShell journey in Citrix

Storefront Load balancing using NetScaler


It’s been a while since I wrote on my blog so let’s get straight into the post without much mucking around. This time we will discuss how to go about setting up Storefront load balancing using NetScalers. This can be configured on a standalone NetScaler or a NetScaler pair in HA. The recommendation is obviously to get this setup on a HA NetScaler pair so that NetScaler outage wouldn’t result in Storefront also being unavailable.

My Storefront version is 3.11 and I have a cluster with 2 Storefront servers. The NetScaler version is 11.1, but the NS version shouldn’t matter much as the steps are more or less the same for other NetScaler firmware versions – newer or older (unless you are too far behind).

Pre-Requisites

To configure Storefront load balancing we need the following –

  • 2 or more Storefront servers
  • an IP address for the virtual server that hosts the LB configuration
  • SSL certificate that points to the intended load balanced URL of Storefront – the certificate can be a wild card or a named certificate

First Things First

Log on to your NetScaler and navigate to System — Settings — Configure Basic Features. Ensure that Load Balancing is selected; if not, select it and click OK

NetScaler Configuration

Create Servers

Now, navigate to Traffic Management — Load Balancing — Servers. Click Add

Give the Storefront server a name and enter the IP address of the server. Ensure that “Enable after creating” is selected. Click Create

Add the second Storefront server following the above steps. If you have more than 2 servers, add all of them.

Create Monitors

Newer NetScaler versions come with a built-in Storefront monitor, so we are going to make use of it here. Go to Traffic Management — Load Balancing — Monitors and click Add

Here I am only going to create a single monitor to probe all my Storefront servers. You can choose to create multiple monitors depending on the number of Storefront servers that you have. In my case, I will create just one.

Give a name to the monitor and select the type as STOREFRONT

Now select the Special Parameters tab and provide the name of the Store that you have created in Storefront. Check the 2 entries – Storefront Account Service and Check Back End Services.

If you selected “Check Backend Services”, you will need to perform the steps in the Storefront Changes section later in this post. Otherwise, you can ignore that section entirely.

Click on the Standard Parameters tab. Ensure that Secure is selected as below. Click Create

Create Service Groups

Go to Traffic Management –Load Balancing — Service Groups

Give a name to the service group and select the protocol as SSL. Check the entries below

  • State
  • Health Monitoring
  • AppFlow Logging (only if you have NetScaler MAS in your environment)

Click OK

Under Service Group Members, add the server entities that we created earlier. Once done, they will look like the below

Under Settings, enter X-Forwarded-For as the Header name

Under Monitors, bind the monitor that we created before

Under SSL Parameters, setup the settings as below

Under Ciphers, setup the ciphers based on your company security policy.

Once done, Service Group for Storefront should look like this

Now, it’s time to create the Virtual Server

Virtual Server

As mentioned in the pre-requisites section, we need an IP address for this. If the NetScalers are sitting in the DMZ, a DMZ IP address is required. In my case, the NetScalers are hosted internally, so I will use an unused internal IP address.

We will also need the SSL certificate here.

Go to Traffic Management –Load Balancing — Virtual Servers

Click Add

Give a Name to the virtual server and select the protocol as SSL

Specify the IP address under IP Address field and specify the port # as 443

Click More and specify the settings as below (note, that AppFlow logging only needs to be enabled if you have a NetScaler MAS setup or other monitoring solutions that could make use of AppFlow logs)

Under Services and Service Groups, click on Load Balancing Virtual Server ServiceGroup Binding

Click Add Binding and select the Service Group that you created in the previous step. Click OK

Once completed, the page should look like the below. Click Close and click Done

It’s time to attach the certificate. Go to Traffic Management — SSL — Manage Certificates / Keys / CSRs

Click on Upload button and upload your certificate file to NetScaler

Go to Traffic Management — SSL — Certificates — Server certificates

Under Certificate, click on Server Certificate and then Install

Give a certificate key-pair name and choose the certificate that was just uploaded in the previous step. Click Install

Now, go back to Traffic Management –Load Balancing — Virtual Servers

Select the Virtual server created for Storefront and click Edit. Under Certificates, select Server Certificate and then Click Add Binding

Under SSL Ciphers, select the ciphers that you would like to be in place. I am going with the default one. This is not the most secure for a production setup so go with something that’s secure enough for your organization.

Under SSL Parameters, configure the settings as below. Click OK

Under Method, select LEASTRESPONSETIME as the Load Balancing Method. Configure a Backup LB Method; I chose LEAST CONNECTION

You can read more about the LB Methods here

Click OK

Under Persistence, select COOKIEINSERT for Persistence with a time-out value of 0. You can also read why I selected the timeout value of 0 here

Under Backup persistence, select SOURCEIP with a timeout of 60. Fill in the Netmask as in the picture

Click OK and then Done

We have now completed almost 90% of the config. There are a couple of things left so hold on tight.

The configuration so far will ensure that load balancing will be performed between the Storefront servers ( I know, i know I haven’t setup the DNS entries for the load balanced VIP)

If someone types the http URL of the load-balanced Storefront into their browser, it will not go anywhere; it will show them the IIS default page instead. So how do we ensure that users are redirected to the correct Storefront page (the https version) every single time? We will set up another virtual server on port 80 with a redirect URL configured.

Let’s do that now.

Under Traffic Management –Load Balancing — Virtual Servers, Click Add

Under Basic Settings, give the virtual server a Name and select protocol as HTTP

Specify the same IP address as for the Storefront LB VIP and provide 80 for the Port #

Click OK/Create

Under Persistence, select SOURCEIP with a timeout of 2 mins

Click OK

Under Protection, type in the correct HTTPS URL that you would want the users to be redirected to under Redirect URL field

Click OK. Then click Done

You will notice that this virtual server is marked as down. That is expected: it has no services bound, and the redirect URL is served precisely because the vserver is down.
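The same NetScaler objects can be created without the GUI through NITRO, the REST API built into NetScaler. The script below is an added example, not part of the original post: it reproduces the steps above (servers, StoreFront monitor, SSL service group with the X-Forwarded-For header, HTTPS virtual server with the persistence and LB methods chosen above, certificate binding and the port-80 redirect vserver) from PowerShell, with the equivalent CLI command in each comment. Object names, IP addresses, the store name, the certificate key-pair name and the redirect URL are assumptions.

```powershell
# Added example (not from the original post): the load-balancing objects from the GUI steps above,
# created through the NITRO REST API. Names, addresses, store name, key-pair name and URL are assumptions.
# The management address must present a certificate this host trusts.
$ns      = 'https://ns01.example.com'
$cred    = Get-Credential -Message 'NetScaler admin account'
$headers = @{ 'X-NITRO-USER' = $cred.UserName; 'X-NITRO-PASS' = $cred.GetNetworkCredential().Password }

# One NITRO config call. The JSON keys are the lower-cased names of the matching CLI options.
function Invoke-Nitro {
    param([string]$Resource, [hashtable]$Body, [string]$Action, [string]$Method = 'Post')
    $uri = "$ns/nitro/v1/config/$Resource"
    if ($Action) { $uri += "?action=$Action" }
    Invoke-RestMethod -Method $Method -Uri $uri -Headers $headers -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 5)
}

# Configure Basic Features > Load Balancing   (CLI: enable ns feature LB)
Invoke-Nitro -Resource 'nsfeature' -Action 'enable' -Body @{ nsfeature = @{ feature = @('LB') } }

# Servers   (CLI: add server sf01 10.0.10.11)
$storefront = [ordered]@{ sf01 = '10.0.10.11'; sf02 = '10.0.10.12' }
foreach ($name in $storefront.Keys) {
    Invoke-Nitro -Resource 'server' -Body @{ server = @{ name = $name; ipaddress = $storefront[$name] } }
}

# StoreFront monitor   (CLI: add lb monitor mon_storefront STOREFRONT -storename Store
#   -storefrontacctservice YES -storefrontcheckbackendservices YES -secure YES)
# Check Back End Services requires the change described under "Storefront Changes" below.
Invoke-Nitro -Resource 'lbmonitor' -Body @{ lbmonitor = @{
    monitorname = 'mon_storefront'; type = 'STOREFRONT'; storename = 'Store'
    storefrontacctservice = 'YES'; storefrontcheckbackendservices = 'YES'; secure = 'YES' } }

# SSL service group with the client IP header   (CLI: add serviceGroup sg_storefront SSL
#   -cip ENABLED X-Forwarded-For -healthMonitor YES). Add appflowlog = 'ENABLED' only if you run MAS.
Invoke-Nitro -Resource 'servicegroup' -Body @{ servicegroup = @{
    servicegroupname = 'sg_storefront'; servicetype = 'SSL'
    cip = 'ENABLED'; cipheader = 'X-Forwarded-For'; healthmonitor = 'YES' } }
foreach ($name in $storefront.Keys) {      # CLI: bind serviceGroup sg_storefront sf01 443
    Invoke-Nitro -Resource 'servicegroup_servicegroupmember_binding' -Body @{
        servicegroup_servicegroupmember_binding = @{
            servicegroupname = 'sg_storefront'; servername = $name; port = 443 } }
}
# CLI: bind serviceGroup sg_storefront -monitorName mon_storefront
Invoke-Nitro -Resource 'servicegroup_lbmonitor_binding' -Body @{
    servicegroup_lbmonitor_binding = @{ servicegroupname = 'sg_storefront'; monitor_name = 'mon_storefront' } }

# HTTPS virtual server   (CLI: add lb vserver vs_storefront SSL 10.0.10.50 443 -lbMethod LEASTRESPONSETIME
#   -backupLBMethod LEASTCONNECTION -persistenceType COOKIEINSERT -timeout 0
#   -persistenceBackup SOURCEIP -backupPersistenceTimeout 60)
Invoke-Nitro -Resource 'lbvserver' -Body @{ lbvserver = @{
    name = 'vs_storefront'; servicetype = 'SSL'; ipv46 = '10.0.10.50'; port = 443
    lbmethod = 'LEASTRESPONSETIME'; backuplbmethod = 'LEASTCONNECTION'
    persistencetype = 'COOKIEINSERT'; timeout = 0
    persistencebackup = 'SOURCEIP'; backuppersistencetimeout = 60 } }
# CLI: bind lb vserver vs_storefront sg_storefront
Invoke-Nitro -Resource 'lbvserver_servicegroup_binding' -Body @{
    lbvserver_servicegroup_binding = @{ name = 'vs_storefront'; servicegroupname = 'sg_storefront' } }
# Key pair already installed under Traffic Management > SSL > Certificates
# (CLI: bind ssl vserver vs_storefront -certkeyName storefront_cert).
# SSL parameters and ciphers are left to your own policy, as the post says.
Invoke-Nitro -Resource 'sslvserver_sslcertkey_binding' -Body @{
    sslvserver_sslcertkey_binding = @{ vservername = 'vs_storefront'; certkeyname = 'storefront_cert' } }

# HTTP-to-HTTPS redirect on the same VIP. Nothing is bound to it, so it stays DOWN and NetScaler
# answers with the redirect URL   (CLI: add lb vserver vs_storefront_http HTTP 10.0.10.50 80
#   -persistenceType SOURCEIP -timeout 2 -redirectURL https://storefront.example.com/Citrix/StoreWeb)
Invoke-Nitro -Resource 'lbvserver' -Body @{ lbvserver = @{
    name = 'vs_storefront_http'; servicetype = 'HTTP'; ipv46 = '10.0.10.50'; port = 80
    persistencetype = 'SOURCEIP'; timeout = 2
    redirecturl = 'https://storefront.example.com/Citrix/StoreWeb' } }

# Persist the running configuration   (CLI: save ns config)
Invoke-Nitro -Resource 'nsconfig' -Action 'save' -Body @{ nsconfig = @{} }

# Check: each member should report UP once the StoreFront monitor succeeds
(Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$ns/nitro/v1/config/servicegroup_servicegroupmember_binding/sg_storefront"
).servicegroup_servicegroupmember_binding | Select-Object servername, port, svrstate
```

Keeping the build as a script also gives you a reviewable record of the configuration: the cipher and SSL-parameter choices you make for the vserver can be added to the same script so that the security settings are versioned along with the rest of the load-balancing setup.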

DNS Changes

Now head over to the DNS server and open the DNS Console

Create an A record for the Storefront LB name pointing to the IP address configured on the LB virtual server.

Storefront Changes

This is the last step, I promise. Head over to the Storefront servers; it’s time now to run some PowerShell commands

The monitor we created earlier will show as Down unless this step is performed, because the monitor probes over HTTPS while StoreFront monitoring listens on HTTP by default.

To change this, configure the StoreFront monitor service to use HTTPS instead. On all the StoreFront 3.0 servers, perform the following steps.

Run PowerShell as an administrator.

Navigate to the Scripts folder (C:\Program Files\Citrix\Receiver StoreFront\Scripts) in PowerShell on the Storefront server.

Run ImportModules.ps1

Run the below command

Get-DSServiceMonitorFeature

Now, type the below to setup the Storefront Monitor on HTTPS

Set-DSServiceMonitorFeature -ServiceURL https://localhost:443/StoreFrontMonitor

Repeat the above steps on all the Storefront servers.

Now, head back to the NetScaler and you can see that the monitor will be in GREEN and showing a status of UP

That’s all we need to do to setup Storefront load balancing using NetScalers.