If you have implemented DirectAccess for your users so that they can connect to the corporate network whilst working from home, you might have come across this issue while using Citrix. Users are able to connect to the StoreFront portal and authenticate, but when they try to launch applications it fails. Users will also notice the Citrix Receiver dialog below, with no apparent error message.
Users who connect directly to StoreFront without DirectAccess have no issues launching applications.
The Cause
When DirectAccess is enabled on user PCs, it expects hostname/FQDN values for initiating traffic between the client and the DA gateway. By default, Citrix XenApp connects to IP addresses so that the infrastructure does not rely on DNS. So we need to find a way to switch that behaviour to FQDN-based connection initiation.
Let’s look at the .ICA files to see what’s in there. The screenshot below is of an ICA file that shows IP addresses. This setup will NOT work for DirectAccess connections.
The Fix
To fix this, you will need to change a DNS parameter on your XenApp/XenDesktop 7.x site. Load the Citrix cmdlets and check the current site settings:
asnp citrix*
Get-BrokerSite
You will need to change the value of DnsResolutionEnabled from False to True:
Set-BrokerSite -DnsResolutionEnabled $True
Running Get-BrokerSite again will show that the value has changed from False to True.
Now, let’s inspect the ICA file again. You can find the ICA files in your user profile folder. I had mine under
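As an added check (example code, not from the original post), this script classifies the Address= entries of a saved launch .ica file so you can confirm the fix took effect: with DnsResolutionEnabled set to False they are IP addresses, with True they are FQDNs. The .ica path is a placeholder.

```powershell
function Get-IcaAddressKind {
    param([Parameter(Mandatory)][string]$Path)
    # IPv4 with an optional :port, the form the ICA file carries when DNS resolution is off
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}(:\d+)?$'
    foreach ($line in Get-Content -Path $Path) {
        # Only the Address= keys; HttpBrowserAddress etc. do not match the anchored pattern
        if ($line -match '^\s*Address\s*=\s*(\S+)') {
            $value = $Matches[1]
            if ($value -match $ipv4) {
                $kind = 'IP address - will fail over DirectAccess'
            } else {
                $kind = 'FQDN - works over DirectAccess'
            }
            [pscustomobject]@{ Address = $value; Kind = $kind }
        }
    }
}

# Placeholder path: point it at the launch.ica saved from Receiver or the browser
Get-IcaAddressKind -Path 'C:\path\to\launch.ica' | Format-Table -AutoSize

# Cross-check the site setting itself on a Delivery Controller:
#   asnp Citrix*
#   (Get-BrokerSite).DnsResolutionEnabled
```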
I have done numerous Citrix Workspace Environment Manager (WEM) deployments in the past, but I never once thought about doing a blog post on it until now. So, we are doing it this time. For the uninformed, Citrix WEM is a resource management and user persona management tool, and it is a must-have in every Citrix environment for the following reasons.
It’s FREE for all the Enterprise and Platinum customers that have a valid Citrix Customer Success Services (CSS) agreement.
It’s super impressive if you have applications that consume large amounts of memory, which most modern apps do.
WEM has the following simplified architecture (courtesy of Citrix.com)
There are 3 key pieces to a WEM deployment:
Infrastructure Services – the brain of the whole solution. It synchronizes the agent and admin console with the SQL server and Active Directory. According to Citrix, this role CANNOT be installed on a Domain Controller or a Desktop Delivery Controller.
Administration Console – the console is used to configure and manage WEM. It can be installed on any standard Windows machine.
Agent – The Workspace Environment Management agent connects to the Workspace Environment Management infrastructure services and is responsible for enforcing the settings you configure by using the administration console. The agent can either be deployed on VDAs or on physical Windows devices (for Transformer use cases). It can be installed on a Windows client (to manage client environments) or on a Windows Server (to manage server environments, or to manage published desktops and applications).
Installation
Pre-Requisites
A domain service account
sysadmin access for the service account on the SQL server(s)
An AD group that contains all the WEM admins in the organization
Add the service account to the local Administrators group on the WEM servers
Install WEM Infrastructure Services
Download the installer binaries and run the .exe for Infrastructure Services
Click Install
Click Next
Accept the EULA
Enter the Customer and Organization Name
Click Next
Click Install
Click Finish. The database management utility will start
Click Create Database
The database creation wizard will start.
Click Next
Tick the box for “Use Integrated Connection” if the account that has been used is a sysadmin on the SQL server. If that’s not the case, use another account that has sysadmin rights
Click Next
Add the WEM Administrator AD group
Select the domain service account. This is the broker service account under which the Infrastructure Services will run
Set a password for the SQL vuemUser
Click Next
You get the database information summary as below
Click OK
Click Finish
Close the Database Management Utility
WEM Infrastructure Services Configuration
On the server where WEM is installed, run the WEM Infrastructure Service Configuration Utility as an administrator.
On the Database settings tab, enter the Database server name and Database Name that was created in the previous step
If there is a failover server, give the secondary SQL server name and instance
On the Network settings tab, leave everything as default
On the Advanced Settings tab, enter the Infrastructure Service account and the vuemUser SQL password.
Enable the Performance Tuning – Tick that
Decide if you want to enable Google Analytics or not
Enable Scheduled Database Maintenance as below
On the Licensing Tab, tick the box for Global license Server override
Click Save Configuration
This will restart the broker service
Click Yes
Close the WEM Infrastructure Service Configuration utility.
Click Yes
Ensure that the Infrastructure Service account has full permissions to the DBSync folder. The installation of the Infrastructure Service role should set this up correctly, but if that isn’t the case, ensure that the permissions are set up like the below. Otherwise, your WEM upgrades will most likely fail in the future.
If you have multiple WEM Infrastructure Services servers and you are planning to load balance them, you will need to set up a Kerberos SPN. Follow the command below to set it. The service account name is the account used for the WEM Infrastructure Service; there is no need to add the domain name before the service account name.
Run the Citrix Workspace Environment Management Infrastructure Services Setup on the rest of the WEM servers.
Once the installation is complete, do NOT run the Database Management Utility but run the WEM Infrastructure Service Configuration utility instead.
Set up the Kerberos SPN (it is case sensitive, so be mindful of how you used the service account name on the previous servers)
Citrix WEM Console Install
Run the console install on the WEM servers or any other server of your choice
Accept the EULA
Enter the Customer Name and Organization and Click Next
Select Complete and click Next
Click Install
Click Finish
WEM Agent Install
Once the Infrastructure Services and console are installed, you can install the WEM agents on the machines that you need to manage via WEM. In our case, they are the Citrix VDAs themselves.
Run the installer binaries for Citrix Workspace Environment Management Agent Setup
Click Install
Click Next
Click Next
Select On-Premises deployment
Select Skip Configuration. These settings will be pushed down via GPOs.
Click Next
You can choose to leave the WEM cache on the C drive, but when using PVS or MCS it is often good practice to move the cache folder to the persistent drive. I have selected the MCS write cache disk in the example above.
Click Next
Click Install
Click Finish
Click Close
WEM Initial Configuration
Once the console and WEM services roles are installed, a Configuration Set must be created so that it can be applied to the machines you intend to manage. Configuration Sets were previously called Sites, so don’t freak out if you are used to that terminology from the past.
If you already have a backup of the Configuration Set, you can browse to it, select it and import it.
Otherwise, create a new Configuration Set
Click Create
Give it a Name and a description
Click OK
Now it’s time to import default recommended settings. You can find them in the WEM download package.
Click Restore
Restore Wizard will open
Select Settings
Click Next
Click Next
Click Browse and pick the Default Recommended Settings
Click OK
Check all the boxes as shown in the picture below
Click Next
Click Restore Settings
Say Yes to the warning above
Wait until the restore is finished
Click Finish
To add the agents in WEM console, Click “Active Directory Objects” and then click Machines
Under Actions pane at the bottom, select Add Object
Pick the computer accounts that you want the policies pushed to via the WEM agent. You can also choose to add a whole OU to make things a bit more automated.
The basic config is now in place. If you want to go a bit deeper into WEM or understand the concepts a bit better, please feel free to read the blog I wrote a while ago. It has explanations and best practices that you can follow for your environment and customize according to your needs. It is a good read, I promise!
There are times when you will want to create a SAN (Subject Alternative Name) certificate for the deployments in your organization. This is a much more secure approach compared to using a wildcard, as it only covers a limited, named set of servers that send and receive traffic. Unless one of the machines named in the certificate is itself compromised, it is hard to impersonate a server with it and do any real harm.
In this blog post, I will show you how to create a CSR (Certificate Signing Request) using any domain-joined Windows machine in the organization and subsequently use the request file to issue a certificate from the internal Certification Authority (CA) server.
Create a Certificate Signing Request (CSR)
The first step is to create a CSR file; you can use any domain-joined Windows server in the organization. I have used the Citrix StoreFront server in this example.
Open the MMC console and add the Certificates snap-in for the Local Computer. Right-click the Personal node on the left and select All Tasks –> Advanced Operations –> Create Custom Request
Choose Proceed without enrollment policy and click Next. Choose No Template (Legacy Key) for compatibility reasons, and use PKCS#10 as the request format
Click Next and click Properties
Give a friendly name for the certificate and a description. Ensure that you hit Apply as soon as you are done with the tab.
Click on Subject tab and add all the hostnames under “Alternative Name“
Under Subject Name, enter the Common Name (CN), Organizational Unit (OU), Organization (O), State (S) and Country (C) values. Click Apply
Under the Extensions tab, expand Extended Key Usage (application policies) and select Server Authentication and Client Authentication
Click Apply
Under the Private Key tab, set the Key size to 2048 under Key options
P.S – Using a key size of 4096 or above will cause issues with NetScaler monitors failing if VPXs are used. MPXs don’t have this issue.
Tick Make Private Key exportable
Select Exchange as the Key type
Click Apply. Click OK
Select a location to save the file. Choose the file format as Base 64
Click Finish
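The same request can be produced without the MMC wizard using a certreq INF file; this is an added example, not part of the original post, and the hostnames, OU/O/S/C values and paths are placeholders. It reproduces the choices above (2048-bit exportable Exchange key, legacy provider, PKCS#10, Server and Client Authentication EKUs, SAN list) and checks the resulting .req before it is submitted to the CA.

```powershell
# Constructed INF reproducing the wizard choices above; replace the placeholder values
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholders: replace with your own CN, OU, O, S and C
Subject = "CN=storefront.example.local, OU=IT, O=Example Ltd, S=NSW, C=AU"
; 2048 rather than 4096+, because of the NetScaler VPX monitor issue noted above
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type chosen in the wizard
KeySpec = 1
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
; "Make private key exportable" so the cert can later be moved as a PFX
Exportable = TRUE
; Local Computer store, matching the MMC steps
MachineKeySet = TRUE
; Legacy CSP provider, equivalent to the "No Template (Legacy Key)" choice
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication and Client Authentication
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; Subject Alternative Name: one dns= entry per hostname, joined with &
2.5.29.17 = "{text}"
_continue_ = "dns=storefront.example.local&"
_continue_ = "dns=sf01.example.local&"
_continue_ = "dns=sf02.example.local"
'@

$infPath = Join-Path $env:TEMP 'san-request.inf'
$reqPath = Join-Path $env:TEMP 'san-request.req'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Creates the key pair in the machine store and writes the Base64 PKCS#10 request
certreq -new $infPath $reqPath

# Confirm the request actually carries the SANs and both EKUs before pasting it into certsrv
certutil -dump $reqPath |
    Select-String -Pattern 'DNS Name=', 'Server Authentication', 'Client Authentication'
```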
Send the Certificate Request
Now navigate to the URL of the internal Certificate Authority (CA) server. Replace the <certauthority> value with your CA server name.
https://certauthority/certsrv
Click the Request a Certificate link.
Click the Advanced certificate request link.
Click Submit a certificate.
Paste the contents of your CSR file into the Saved Request text box. (Open the CSR file (with a .req extension) in Notepad and copy the contents without any leading or trailing spaces.)
For the Certificate Template drop-down list, select Web Server.
Click Submit.
You get the below once you click submit.
Issue the Certificate
Connect to the server where the Certification Authority is installed, if necessary.
In the Certification Authority (Local) tree, select Your Domain Name > Pending Requests.
Select the CSR in the right navigation pane.
In the Action menu, select the ID number of the request > Issue.
Close the Certification Authority window.
Download the Certificate
In your web browser address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv.
Click the View the status of a pending certificate request link.
Select the certificate request with the time and date you submitted.
Select the encoding format for the downloaded certificate, such as Base 64 for a PEM certificate.
Click Download CA certificate to save the certificate. The certificate will have a .CER extension
Install the Certificate
Navigate to the server where the certificate needs to be installed.
Open a MMC console as Administrator and add Certificate snap-in under Local Computer
Expand Personal node and right click the Certificates node.
Select All Tasks –> Import
Click Next
Locate the downloaded certificate file
Click Next
Place it under Personal node
Click Next
Click Finish
Note – The installed certificate in the Certificates MMC shows a little key symbol and a badge. You gotta see these 2 things for the certificate to work or show up in IIS Manager in the later steps.
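The key symbol corresponds to the HasPrivateKey property; as an added check (example code, not from the original post) the script below confirms the imported certificate has its private key, carries the requested SANs, EKUs and key size, and chains to the internal CA. The CN and DNS name are placeholders.

```powershell
# Placeholder: the CN you put in the CSR
$cn = 'storefront.example.local'

# Pick the newest certificate with that CN from the Local Computer Personal store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$cn*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with CN=$cn found in LocalMachine\My" }

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey                       # must be True, else IIS will not list it
    KeySize       = $cert.PublicKey.Key.KeySize               # expect 2048 (see the NetScaler note)
    DnsNames      = ($cert.DnsNameList.Unicode -join ', ')    # the SANs from the CSR
    EKUs          = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    ChainValid    = $cert.Verify()                            # chains to the internal CA on this host
} | Format-List

# Evaluate it the way an SSL client would for one specific SAN (placeholder hostname)
Test-Certificate -Cert $cert -Policy SSL -DNSName 'sf01.example.local' -ErrorAction Stop
```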
Export the certificate as a .PFX file
Now, you need to export the certificate as a PFX file so that it can be installed on all the other servers, which have no knowledge of the private key used when requesting the CSR. If you recall, we created the CSR on one of the StoreFront servers. The PFX file contains the private key, which is paramount for SSL deployments.
Navigate to the server where the certificate has been already installed.
Open a MMC console as Administrator and add Certificate snap-in under Local Computer
Expand Personal node and right click the Certificates node.
Select All Tasks –> Export
Click Next
Export the private key
Click Next
Under the Personal Interchange Format, PKCS#12, Tick all except for “delete the private key after successful export”
Click Next
Give it a password of your choice (make sure that you remember this; This is required for installing the certs on other servers)
Specify a file name to save it in a location
Click Next
Click Finish
Bind the website in IIS
Open IIS Manager and expand the Server name and choose the Default Web Site
Under Actions, select Bindings
Add the https and select the newly installed certificate
Click OK
Install the exported PFX certificate on the other servers and change the binding to https following the steps above. That’s all there is to it, folks.
If there is anything that’s unclear, please feel free to comment or provide feedback in the comment section below.
Okay, this is going to be a short one. I came across this while investigating an issue for a customer who runs a XenApp 7.15 LTSR farm. Well, “Citrix Virtual Apps” as it is called these days. Citrix, what’s up with changing product names every year? You gotta stop doing this, for God’s sake. Peace.
Here is the command. Firstly, load the Citrix cmdlets by running
asnp Citrix*
Now, the actual command to find the information
Get-BrokerSite
The result will look like the below
Look for the parameters marked in yellow above – PeakConcurrentLicenseUsers & TotalUniqueLicenseUsers
I always wanted to document this so it would help me on my next assignment, but I never did. As a result, I was always having to refer to my previous customer environments or As-Built documents for this information, which was quite a pain. Well, that’s gonna change today, as I am going to put this up on my blog so that it becomes my quick and easy reference.
As mentioned in the title, this is going to be the baseline policy set upon which you can build yours, with any specific policies pertaining to your environment. Also, all the settings I have mentioned here may not be applicable or work for you, and you may not even see all of them due to an older UPM version, XenApp version, etc.
Please note that some of the settings found in newer UPM versions aren’t listed here as well. I will continue to update it as Citrix releases new UPM versions but this should give you a good start nonetheless.
Exclusion List – Directories
$Recycle.Bin
AppData\LocalLow
!ctx_internetcache!
!ctx_localappdata!\Microsoft\Windows\Burn
!ctx_localappdata!\Microsoft\Windows\CD Burning
!ctx_localappdata!\Microsoft\Windows Live
!ctx_localappdata!\Microsoft\Windows Live Contacts
!ctx_localappdata!\Microsoft\Terminal Server Client
!ctx_localappdata!\Microsoft\Messenger
!ctx_localappdata!\Microsoft\OneNote
!ctx_localappdata!\Microsoft\Outlook
!ctx_localappdata!\Microsoft\AppV
!ctx_localappdata!\Windows Live
!ctx_localappdata!\Sun
!ctx_roamingappdata!\Sun\Java\Deployment\cache
!ctx_roamingappdata!\Sun\Java\Deployment\log
!ctx_roamingappdata!\Sun\Java\Deployment\tmp
AppData\Local\Microsoft\Windows\INetCache
AppData\Local
AppData\Roaming\Citrix\PNAgent\AppCache
AppData\Roaming\Citrix\PNAgent\Icon Cache
AppData\Roaming\Citrix\PNAgent\ResourceCache
AppData\Roaming\ICAClient\Cache
AppData\Roaming\Sun\Java\Deployment\cache
AppData\Roaming\Sun\Java\Deployment\log
AppData\Roaming\Sun\Java\Deployment\tmp
Citrix
Java
Local Settings
Music
My Pictures
My Videos
Pictures
Videos
AppData\Roaming\Macromedia\FlashPlayer\macromedia.com\support\flashplayer\sys
AppData\Roaming\Macromedia\FlashPlayer\#SharedObject
Downloads
Saved Games
Searches
Application Data\Sun\Java\Deployment\cache
Application Data\Sun\Java\Deployment\log
Application Data\Sun\Java\Deployment\tmp
Local Settings\Application Data\Microsoft\AppV
Local Settings\Application Data\Microsoft\Messenger
Local Settings\Application Data\Microsoft\OneNote
Local Settings\Application Data\Microsoft\Outlook
Local Settings\Application Data\Microsoft\Terminal Server Client
Local Settings\Application Data\Microsoft\Windows Live
Local Settings\Application Data\Microsoft\Windows Live Contacts
Local Settings\Application Data\Microsoft\Windows\Burn
Local Settings\Application Data\Microsoft\Windows\CD Burning
Local Settings\Application Data\Sun
Local Settings\Application Data\Windows Live
Local Settings\Temporary Internet Files
AppData\Local\Microsoft\AppV
AppData\Local\Microsoft\Messenger
AppData\Local\Microsoft\OneNote
AppData\Local\Microsoft\Outlook
AppData\Local\Microsoft\Terminal Server Client
AppData\Local\Microsoft\Windows Live
AppData\Local\Microsoft\Windows Live Contacts
AppData\Local\Microsoft\Windows\Burn
AppData\Local\Microsoft\Windows\CD Burning
AppData\Local\Sun
AppData\Local\Windows Live
AppData\Local\microsoft\windows\Temporary Internet Files
AppData\Local\Microsoft\Windows\INetCookies
AppData\local\Google\Chrome\User Data\Default\Media Cache
AppData\Local\Google\Chrome\User Data\Default\Cache
AppData\local\Google
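Several entries in this list are already covered by a broader one (“AppData\Local” alone excludes every AppData\Local\… entry beneath it), and the !ctx_*! tokens hide that overlap. As an added example (not from the original post), this script expands the tokens and reports the redundant entries; it assumes the token mappings in the table and that !ctx_internetcache! resolves to INetCache (Windows 8.1/2012 R2 or later).

```powershell
function Expand-UpmToken {
    param([Parameter(Mandatory)][string]$Entry)
    # Assumed token expansions; the exact path for !ctx_internetcache! depends on the OS version
    $map = @{
        '!ctx_localappdata!'   = 'AppData\Local'
        '!ctx_roamingappdata!' = 'AppData\Roaming'
        '!ctx_internetcache!'  = 'AppData\Local\Microsoft\Windows\INetCache'
    }
    foreach ($token in $map.Keys) {
        $Entry = $Entry -replace [regex]::Escape($token), $map[$token]
    }
    return $Entry.TrimEnd('\')
}

function Find-RedundantUpmExclusions {
    param([Parameter(Mandatory)][string[]]$Exclusions)
    # Expand tokens, then de-duplicate case-insensitively (profile paths are not case sensitive)
    $expanded = $Exclusions | ForEach-Object { Expand-UpmToken -Entry $_ } | Sort-Object -Unique
    foreach ($dir in $expanded) {
        # An entry is redundant when another entry is one of its parent directories
        $parent = $expanded | Where-Object {
            $_ -ne $dir -and $dir.StartsWith("$_\", [System.StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1
        if ($parent) {
            [pscustomobject]@{ Entry = $dir; CoveredBy = $parent }
        }
    }
}

# Constructed subset of the exclusion list above, enough to show the overlap
$sample = @(
    'AppData\Local',
    '!ctx_localappdata!\Microsoft\Outlook',
    '!ctx_internetcache!',
    'AppData\Local\Microsoft\Windows\INetCache',
    'AppData\Roaming\Citrix\PNAgent\AppCache',
    'Downloads'
)
# Reports the Outlook and INetCache entries as covered by AppData\Local
Find-RedundantUpmExclusions -Exclusions $sample | Format-Table -AutoSize
```

Run it against the full list from the GPO to decide whether you really intend to exclude all of AppData\Local, or only the specific subfolders.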
Define events or actions which Profile management logs in depth:
Common warnings Enabled
Common information Enabled
File system notifications Enabled
File system actions Enabled
Registry actions Enabled
Registry differences at logoff Enabled
Active Directory actions Enabled
Policy values at logon and logoff Enabled
Logon Enabled
Logoff Enabled
Personalized user information Enabled
Log Settings Enabled
Enable Logging Enabled
Maximum size of the log file Enabled
Maximum size in bytes 10485760
Profile Handling
Delay before deleting cached profiles Enabled
Delay(Seconds) 0
Delete locally cached profiles on logoff Enabled
Local profile conflict handling Enabled
If both a local Windows user profile and a Citrix user profile in the user store exist: Delete local profile
Profile streaming Enabled
Streamed user profile groups Disabled
Timeout for pending area lock files (days) Enabled
Timeout for pending area lock files (days) 1
Advanced settings
Disable automatic configuration Disabled
Number of retries when accessing locked files Enabled
Number of retries: 5
Process Internet cookie files on logoff Enabled
Profile Management
Active write back Enabled
Enable Profile management Enabled
Excluded groups Disabled
Path to user store Enabled
Process logons of local administrators Enabled
Processed groups Disabled