Citrix User Profile Manager (UPM) – Baseline Policies

August 6, 2018 by Lal Mohan

I always wanted to document this so that it will help for my next XenApp/XenDesktop deployments but I never did. As a result , I was always having to refer my previous customer environments or As-Built documents for this information which was quite a pain. Well, that’s gonna change today as I am going to put this up on my blog so that it becomes my quick and easy reference place.

As mentioned, this is going to be the baseline policy-set upon which you can build yours with any special policies pertaining to your environment, Also, all the settings that I have mentioned here may not be applicable or work for you due to parameters such as AV version, XenApp version etc etc.

Please note that some of the settings found in newer UPM versions aren’t listed here as well. I will continue to update it as Citrix releases new UPM versions but this should give you a good start nonetheless.

Exclusion List – Directories

$Recycle.Bin 
AppData\LocalLow 
!ctx_internetcache! 
!ctx_localappdata!\Microsoft\Windows\Burn 
!ctx_localappdata!\Microsoft\Windows\CD Burning 
!ctx_localappdata!\Microsoft\Windows Live 
!ctx_localappdata!\Microsoft\Windows Live Contacts 
!ctx_localappdata!\Microsoft\Terminal Server Client 
!ctx_localappdata!\Microsoft\Messenger 
!ctx_localappdata!\Microsoft\OneNote 
!ctx_localappdata!\Microsoft\Outlook 
!ctx_localappdata!\Microsoft\AppV 
!ctx_localappdata!\Windows Live 
!ctx_localappdata!\Sun 
!ctx_roamingappdata!\Sun\Java\Deployment\cache 
!ctx_roamingappdata!\Sun\Java\Deployment\log 
!ctx_roamingappdata!\Sun\Java\Deployment\tmp 
AppData\Local\Microsoft\Windows\INetCache 
AppData\Local 
AppData\Roaming\Citrix\PNAgent\AppCache 
AppData\Roaming\Citrix\PNAgent\Icon Cache 
AppData\Roaming\Citrix\PNAgent\ResourceCache 
AppData\Roaming\ICAClient\Cache 
AppData\Roaming\Sun\Java\Deployment\cache 
AppData\Roaming\Sun\Java\Deployment\log 
AppData\Roaming\Sun\Java\Deployment\tmp 
Citrix 
Java 
Local Settings 
Music 
My Pictures 
My Videos 
Pictures 
Videos 
AppData\Roaming\Macromedia\FlashPlayer\macromedia.com\support\flashplayer\sys 
AppData\Roaming\Macromedia\FlashPlayer\#SharedObject 
Downloads 
Saved Games 
Searches 
Application Data\Sun\Java\Deployment\cache 
Application Data\Sun\Java\Deployment\log 
Application Data\Sun\Java\Deployment\tmp 
Local Settings\Application Data\Microsoft\AppV 
Local Settings\Application Data\Microsoft\Messenger 
Local Settings\Application Data\Microsoft\OneNote 
Local Settings\Application Data\Microsoft\Outlook 
Local Settings\Application Data\Microsoft\Terminal Server Client 
Local Settings\Application Data\Microsoft\Windows Live 
Local Settings\Application Data\Microsoft\Windows Live Contacts 
Local Settings\Application Data\Microsoft\Windows\Burn 
Local Settings\Application Data\Microsoft\Windows\CD Burning 
Local Settings\Application Data\Sun 
Local Settings\Application Data\Windows Live 
Local Settings\Temporary Internet Files 
AppData\Local\Microsoft\AppV 
AppData\Local\Microsoft\Messenger 
AppData\Local\Microsoft\OneNote 
AppData\Local\Microsoft\Outlook 
AppData\Local\Microsoft\Terminal Server Client 
AppData\Local\Microsoft\Windows Live 
AppData\Local\Microsoft\Windows Live Contacts 
AppData\Local\Microsoft\Windows\Burn 
AppData\Local\Microsoft\Windows\CD Burning 
AppData\Local\Sun 
AppData\Local\Windows Live 
AppData\Local\microsoft\windows\Temporary Internet Files 
AppData\Local\Microsoft\Windows\INetCookies 
AppData\local\Google\Chrome\User Data\Default\Media Cache 
AppData\Local\Google\Chrome\User Data\Default\Cache 
AppData\local\Google

Exclusion List – Files

Application Data\VMware\hgfs.dat 
AppData\local\Google\Chrome\User Data\Default\ChromeDWriteFontCache 
AppData\*.tmp

Directories to Synchronize

AppData\Roaming\Microsoft\Credentials 
AppData\Roaming\Microsoft\Crypto 
AppData\Roaming\Microsoft\Protect 
AppData\Roaming\Microsoft\SystemCertificates 
AppData\Local\Microsoft\Credentials 
AppData\Roaming\Microsoft\Signatures 
AppData\Local\Microsoft\Vault 
%LOCALAPPDATA%\Microsoft\Credentials

Files to Synchronize

AppData\LocalLow\Sun\Java\Deployment\security\exception.sites 
AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs 
AppData\LocalLow\Sun\Java\Deployment\deployment.properties 
AppData\Local\Microsoft\Office\*.qat 
AppData\Local\Microsoft\Office\*.OfficeUI 
AppData\LocalLow\Google\GoogleEarth\*.kml 
AppData\Local\Citrix\PNAgent\Icon Cache\*.ico 
AppData\Local\Microsoft\Windows\INetCache\wpad.dat 
AppData\Local\Google\Chrome\User Data\First Run 
AppData\Local\Google\Chrome\User Data\Local State 
AppData\Local\Google\Chrome\User Data\Default\History 
AppData\Local\Google\Chrome\User Data\Default\Preferences 
AppData\Local\Google\Chrome\User Data\Default\Favicons 
AppData\Local\Google\Chrome\User Data\Default\Bookmarks

Folders to Mirror

AppData\Roaming\Microsoft\Windows\Cookies 
AppData\Local\Microsoft\Vault 
AppData\Local\Microsoft\Windows\WebCache

Log Settings

Define events or actions which Profile management logs in depth: 
Common warnings                                        Enabled 
Common information                                     Enabled 
File system notifications                              Enabled 
File system actions                                    Enabled 
Registry actions                                       Enabled 
Registry differences at logoff                         Enabled 
Active Directory actions                               Enabled 
Policy values at logon and logoff                      Enabled 
Logon                                                  Enabled 
Logoff                                                 Enabled 
Personalized user information                          Enabled

Log Settings Enabled

Enable Logging Enabled

Maximum size of the log file Enabled

Maximum size in bytes 10485760

Profile Handling

Delay before deleting cached profiles Enabled

Delay(Seconds) 0

Delete locally cached profiles on logoff Enabled

Local profile conflict handling Enabled

If both a local Windows user profile and a
Citrix user profile in the user store both exist: Delete local profile

Registry Exclusion List

Software\Microsoft\AppV 
Software\Microsoft\Windows\CurrentVersion\UFH\SHC 
Software\Microsoft\Installer\Products\4645D6EBF1B0CC6498379F56F16E4AA5

Streamed user profiles

Always cache Enabled

Cache files this size or larger (megabytes): 1

Profile streaming Enabled
Streamed user profile groups Disabled
Timeout for pending area lock files (days) Enabled

Timeout for pending area lock files (days) 1

Advanced settings

Disable automatic configuration Disabled
Number of retries when accessing locked files Enabled
Number of retries: 5
Process Internet cookie files on logoff Enabled

Profile Management

Active write back Enabled
Enable Profile management Enabled
Excluded groups Disabled
Path to user store Enabled

Process logons of local administrators Enabled
Processed groups Disabled

Extract the Application Groups from a Delivery Group – XenApp/XenDesktop 7.x

July 24, 2018 by Lal Mohan

This is going to be a quick post to explain how you can extract all the AD groups that are currently being used for the various applications that you serve in XenApp/XenDesktop 7.x farms. This came very handy when I had a large number of applications that need to be migrated to a new XenApp 7.15 LTSR farm. This will also come very handy for documentation purposes.

First up, you will need to find the Delivery Group Name UUID that you need to extract the details from. If you have multiple delivery groups, you will need to find the UUIDs for all the Delivery groups.

To find the UUID, run the command below in a PowerShell window in admin mode

asnp Citrix*
Get-BrokerDesktopGroup

This returns the details of all the Delivery groups in the XenApp farm.

Take a note of the UUID value

Now run the below to show the application names and the assigned user AD groups

Get-BrokerApplication -AssociatedDesktopGroupUUID 918bd477-6848-4d27-b98d-28296e78d6a1 | select ApplicationName,AssociatedUserFullNames

You can get all sorts of results by changing the filters. To know the available filters, please refer here

Or simply run the below which shows the various filters that you can use for a given application

Get-BrokerApplication

That’s it for now. I hope this helps someone with their PowerShell journey in Citrix

Storefront Load balancing using NetScaler

July 4, 2018 by Lal Mohan

It’s been a while since I wrote on my blog so let’s get straight into the post without much mucking around. This time we will discuss how to go about setting up Storefront load balancing using NetScalers. This can be configured on a standalone NetScaler or a NetScaler pair in HA. The recommendation is obviously to get this setup on a HA NetScaler pair so that NetScaler outage wouldn’t result in Storefront also being unavailable.

My Storefront version is 3.11 and have a cluster with 2 Storefront servers. NetScaler version is 11.1 but the NS version shouldn’t matter much as the steps would be more or less the same for other NetScaler firmware versions – newer or older. (unless you are too far behind)

Pre-Requisites

To configure Storefront load balancing we need the following –

2 or more Storefront servers
an IP address for the virtual server that hosts the LB configuration
SSL certificate that points to the intended load balanced URL of Storefront – the certificate can be a wild card or a named certificate

First Things First

Logon to your NetScaler and navigate to System — Settings — Configure Basic Features. Ensure that Load Balancing is selected, if not select it and click OK

NetScaler Configuration

Create Servers

Now, navigate to Traffic Management — Load Balancing — Servers. Click Add

Give the Storefront server a name and enter the IP address of the server. Ensure that “Enable after creating” is selected. Click Create

Add the second Storefront server following the above steps. If you have more than 2 servers, add all of them.

Create Monitors

New NetScaler version come with a built-in Storefront monitor so we are going to make use of it here. Go to Traffic Management –Load Balancing — Monitors and click Add

Here I am only going to create a single monitor to probe all my Storefront servers. You can choose to create multiple monitors depending upon the number of Storefront servers that you have. In my case, i will create just one.

Give a name to the monitor and select the type as STOREFRONT

Now select Special Parameters tab and provide the name of the Store that you have created in Storefront. Check the 2 entries – Storefront Account Service and Check Back End Services.

Click on the Standard Parameters tab. Ensure that Secure is selected as below. Click Create

Create Service Groups

Go to Traffic Management –Load Balancing — Service Groups

Give a name to the service group and select the protocol as SSL. Check the entries below

State
Health Monitoring
AppFlow Logging (only if you have NetScaler MAS in your environment)

Click OK

Under Service Group Members, add the server entities that we created earlier. Once done, they will look like the below

Under Settings, type the Header as X-Forwarded-For

Under Monitors, bind the monitor that we created before

Under SSL Parameters, setup the settings as below

Under Ciphers, setup the ciphers based on your company security policy.

Once done, Service Group for Storefront should look like this

Now, it’s time to create the Virtual Server

Virtual Server

As mentioned in the pre-requisites section , we need an IP address for this. If the NetScalers are sitting in the DMZ, a DMZ IP address is required. In my case, NetScalers are hosted internally so i will use an internal unused IP address.

We will also need the SSL certificate here.

Go to Traffic Management –Load Balancing — Virtual Servers

Click Add

Give a Name to the virtual server and select the protocol as SSL

Specify the IP address under IP Address field and specify the port # as 443

Click More and specify the settings as below (note, that AppFlow logging only needs to be enabled if you have a NetScaler MAS setup or other monitoring solutions that could make use of AppFlow logs)

Under Services and Service Groups, click on Load Balancing Virtual Server ServiceGroup Binding

Click Add Binding and select the Service Group that you created in the previous step. Click OK

Once completed, the page should look like the below. Click Close and click Done

It’s time to attach the certificate. Go to Traffic Management — SSL — Manage Certificates / Keys / CSRs

Click on Upload button and upload your certificate file to NetScaler

Go to Traffic Management — SSL — Certificates — Server certificates

Under Certificate, click on Server Certificate and then Install

Give a certificate key-pair name and choose the certificate that was just uploaded in the previous step. Click Install

Now, go back to Traffic Management –Load Balancing — Virtual Servers

Select the Virtual server created for Storefront and click Edit. Under Certificates, select Server Certificate and then Click Add Binding

Under SSL Ciphers, select the ciphers that you would like to be in place. I am going with the default one. This is not the most secure for a production setup so go with something that’s secure enough for your organization.

Under SSL Parameters, configure the settings as below. Click OK

Under Method, Select LEASTRESPONSETIME for the Load Balancing Method. Configure a Backup LB Method, I choose LEAST CONNECTION

You can read more about the LB Methods here

Click OK

Under Persistence, select COOKIEINSERT for Persistence with a time-out value of 0. You can also read why I selected the timeout value of 0 here

Under Backup persistence, select SOURCEIP with a timeout of 60. Fill in the Netmask as in the picture

Click OK and then Done

We have now completed almost 90% of the config. There are a couple of things left so hold on tight.

The configuration so far will ensure that load balancing will be performed between the Storefront servers ( I know, i know I haven’t setup the DNS entries for the load balanced VIP)

If someone type in the http URL of LB Storefront in their browser, it will not go anywhere. It will show them the IIS page instead. So how do we ensure that the users are redirected to the correct Storefront page (https version) every single time? We will setup another virtual server on port 80 with a redirect URL configured.

Let’s do that now.

Under Traffic Management –Load Balancing — Virtual Servers, Click Add

Under Basic Settings, give the virtual server a Name and select protocol as HTTP

Specify the same IP address as for the Storefront LB VIP and provide 80 for the Port #

Click OK/Create

Under Persistence, select SOURCEIP with a timeout of 2 mins

Click OK

Under Protection, type in the correct HTTPS URL that you would want the users to be redirected to under Redirect URL field

Click OK. Then click Done

You will notice that the virtual server will be marked as down

DNS Changes

Now head over to the DNS server and open the DNS Console

Create an A record pointing to the Storefront LB name with the IP address configured on the vServer for LB configuration.

Storefront Changes

This is the last step, I promise. Head over to the Storefront servers and it’s time now to run some Powershell commands

Now, the monitors that we created earlier will be marked as Down if we didn’t perform this step prior to creating them on the NetScaler. That’s because the monitor created was based on HTTPS and by default, Storefront monitoring is done on HTTP

To change this to HTTPS. We need to configure the monitor service to use HTTPS instead. On all the StoreFront 3.0 servers perform the following steps.

Run PowerShell as an administrator.

Navigate to the Scripts (C:\Program Files\Citrix\Receiver StoreFront\Scripts) folder via the Powershell on the Storefront server,

Run ImportModules.ps1

Run the below command

 Get-DSServiceMonitorFeature

Now, type the below to setup the Storefront Monitor on HTTPS

Set-DSServiceMonitorFeature -ServiceURL https://localhost:443/StoreFrontMonitor

Repeat the above steps on all the Storefront servers.

Now, head back to the NetScaler and you can see that the monitor will be in GREEN and showing a status of UP

That’s all we need to do to setup Storefront load balancing using NetScalers.

Don’t let your user-experience be a “Spectre” of itself after “Meltdown”

February 1, 2018 by bmartynowicz

Bust your ghosts not your user experience

The names Spectre and Meltdown invoke feelings of dread in even the most seasoned IT engineer. To those uninitiated, let me get you up-to-speed quickly.

Spectre is a vulnerability that takes advantage of “Intel Privilege Escalation and Speculative Execution”, and exposes user memory of an application to another malicious application. This can expose data such as passwords.

Meltdown is a vulnerability that takes advantage of “Branch prediction and Speculative Execution”, and exposes kernel memory. A compromised server or client OS running virtualized could gain access to kernel memory of the host exposing all guest data.

Both vulnerabilities take advantage of a 20-year-old method of increasing processor performance.

As a result, code will need to be updated to address these vulnerabilities at OS and OEM-manufacturer levels, at the expense of system performance.

On their part, Microsoft reluctantly admits that performance will suffer. “Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance,” wrote Terry Myerson, Executive Vice President for the Windows and Devices group.

According to Geek Wire, these two vulnerabilities which take advantage of a 20-year-old design flaw in modern processors can be “mitigated;” the word we’re apparently using to describe this new world in 2018, in which servers lose roughly 10 to 20% performance for several common workloads.

This affects not only workloads executed against local, on-site resources but even those utilizing services, such as AWS, Google Public Cloud or Azure.

Reader submission @ The Register showing CPU before / after patches

We’ve heard from some of our insiders who use Login VSI to validate system performance that they’re seeing a reduction of 5% in user-density after performing Microsoft recommendations. Knowing that the vulnerability wasn’t solved by OS updates alone we, at Login VSI, wanted the ability to test the impending hardware vendor firmware / BIOS changes.

Now is the time to capture your baseline performance

How do you know how much of an impact the fixes for Spectre and Meltdown will be if you don’t have anything to compare it to? Keep in mind that these patches will need to be installed on a number of systems in your solution including server hardware, operating systems, storage subsystems and so on.

Many of our customers perform tests where they compare a known good solution, or a baseline, with changes that have been made. This gives them the ability to accurately assess the performance impact of that change, which in turn allows them to compensate with more hardware, or further tuning of the applications and OS. The patented methods used by Login VSI provide a quantifiable result for determining the impact of a change in virtual desktop and published application environments.

Using Login VSI

If you wish to test the changes before pushing them into your production environment, then use Login VSI to put a load, representative of your production users, on the system. This will objectively show how much more CPU will be used as a result of the Spectre or Meltdown patches. It is expected that the end users will incur increased latency to their applications and desktops as a result of the higher CPU utilization.

Using Login PI

While it is not recommended, if you are planning on pushing the patches into your production environment to “see how it goes”, then install Login PI now to get an accurate representation of performance related to user experience. This will give you the ability to then compare to that same experience after the patches have been installed. We expect that you will see latency to the end user increase as a result of higher CPU utilization. If you already struggle with CPU utilization in your solution, there is a good chance you’ll be also using Login PI to test your availability.

As we complete our testing we will be sharing our findings in a series of articles.

“If your computer has a vulnerable processor and runs an unpatched operating system, it is NOT SAFE TO WORK WITH SENSITIVE INFORMATION”. – Security Experts who discovered Meltdown / Spectre

If sensitive data is part of your business (Such as ours!) patching is not a matter of if, but when.

Ask yourself:

How long can you afford to have your company’s data exposed to malicious intent? Do you want to be the next Equifax or Target?

In this article series, we will provide some insight from our lab environments. Be aware your results may vary based upon individual workload and configuration.

Microsoft has released a Security Advisory

The vulnerability affects both the client and server OSs of Windows. This is compounded when dealing with large-scale published application and desktops deployments. The advisor can be found at the following location:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

The specific details addressed in the security update and Windows KB are outlined in the Common Vulnerabilities and Exposures database.

Included are:

CVE-2017-5753 – Bounds check bypass
CVE-2017-5715 – Branch target injection
CVE-2017-5754 – Rogue data cache load

To completely protect yourself there are two phases of patching this vulnerability.

1 – Windows OS updates

2 – OEM device manufacturer firmware updates (not yet available)

Microsoft acknowledges addressing these vulnerabilities from a software perspective is limited, and therefore, without the OEMs providing updates the loop is not closed.

In the interim we can start measuring the impact of the Microsoft fixes.

They offer guidance for both Desktop and Server OSs:

Desktop – January 2018 Security Update. Security Advisory: Click Here!

Server – KB405690. Security Advisory: Click Here!

NOTE – Certain AV solutions are not compatible with the security update released by Microsoft. As such, unless an AV vendor has a registry flag, QualityCompat, they will not receive the January Security update and will still be vulnerable.

With the upcoming OEM hardware patch releases we expect to be able to produce a variety of interesting and informative results. Please stay tuned for the next articles!

Reference materials:

https://meltdownattack.com/

https://www.theregister.co.uk/2018/01/09/meltdown_spectre_slowdown/

https://www.geekwire.com/2018/microsoft-admits-meltdown-spectre-patches-will-hit-windows-server-performance/

AUTOMATION OF A XENDESKTOP/XENAPP DEPLOYMENT – PART 3

June 16, 2017 by bmartynowicz

This article will cover how to install the Citrix Studio component. For those of you who are unfamiliar this will act as your centralized point of control for your Citrix environment. You can also interact with it as you’ve seen in previous examples through command line operations as well.

In order to install the Studio for management the process is straight forward. Run the executable with a few switches –

[C:\Downloads – “Your download location”]\x64\XenDesktop Setup\XenDesktopServerSetup.exe /PASSIVE /NOREBOOT /CONFIGURE_FIREWALL /COMPONENTS DESKTOPSTUDIO

Once your Studio component is installed, you can validate the installed components by reviewing their accessibility form your server where the command was executed.

Next up would be installing your StoreFront component. This will provide front end access to your delivered applications and desktops.

The process is the same. Utilizing your Citrix installed, you will call the following executable with the following switches:

[C:\Downloads – “Your download location”]\x64\StoreFront\CitrixStoreFront-x64.exe -silent -logfile “%am_logpath%\StoreFrontSetup.log”

For adding additional Storefront servers to a load balanced group, you can utilize a variety of different scripts to determine if the server is already part of a group, and if not join it.

Creates a script to review if the Citrix services are running on the server where the scripts are executing, and if so join the new StoreFront sever to a group. If not create a group of its own.

Set a conditional statement to evaluate the value of this being returned, and execute one of the following scripts.

For Creating:

Set-DSInitialConfiguration -hostBaseUrl [Hostname]-farmName [FarmName] -port [ListeningPort] -transportType [TransferType] -sslRelayPort [RelayPortforSSL] -servers [ServerToAdd] -loadBalance [LoadBalancer] -farmType [FarmType] -clusterId [ID]

Or, For Joining an Already Existing:

Obtain the passcode and store value –

Start-DSClusterJoinService

$Passcode = (Get-DSClusterJoinServicePasscode).Response.Passcode

and finally join,

Start-DSClusterJoinService

Start-DSClusterMemberJoin -authorizerHostName $ExistingNode -authorizerPasscode $JoinPass

The final portion would really only be interesting if you were automating the same process over and over again. This is where a product like Login AM which organizes your scripts, and variables would become handy. If you are interested in any information about Login AM or automation of Citrix Deployments please reach out and let me know or drop and comment I would like to have meaningful conversations about automation, and increase my understanding of the products as well.

Citrixology

Category Archives: XenDesktop 7

Citrix User Profile Manager (UPM) – Baseline Policies

Extract the Application Groups from a Delivery Group – XenApp/XenDesktop 7.x

Storefront Load balancing using NetScaler

Pre-Requisites

First Things First

NetScaler Configuration

Create Servers

Create Monitors

Create Service Groups

Virtual Server

DNS Changes

Storefront Changes

Don’t let your user-experience be a “Spectre” of itself after “Meltdown”

Bust your ghosts not your user experience

Microsoft has released a Security Advisory

AUTOMATION OF A XENDESKTOP/XENAPP DEPLOYMENT – PART 3