How to install and configure XenApp 7.5/XenDesktop 7.5 delivery controllers

April 16th, 2014

Today I want to cover the steps it takes to set up a XenApp 7.5 or XenDesktop 7.5 delivery controller for the first time. I want to demonstrate that it’s not all that different from previous versions of XenApp and XenDesktop from a management standpoint. I know a lot of Citrix Admins are hesitant to move to 7.x architecture because of the big changes like FMA but really, there is nothing keeping you from moving forward. I encourage everyone to at least be playing with 7.x architecture in a test lab if you don’t already have it in production or have plans to do so. If you’ve only used previous versions of XenApp in the past, there might be a slight learning curve to some of the concepts and terminology. If you’ve used XenDesktop in the past, this is a cakewalk for you. Download the media from http://www.citrix.com/downloads.html first. It’s a 2.8 GB ISO called “XenApp_and_XenDesktop7_5.iso”.

1. Extract the media and run AutoSelect.exe. Make sure you are logged into the server using a service account that has rights to the SQL server where you plan to create the database.

2. Install .NET 3.5 SP1

3. Once done you get asked if it should deliver apps only (XenApp) or apps + desktops (XenDesktop). You’ll want to choose XenDesktop in most instances.

4. Click Delivery Controller under the “Get Started” heading. I am assuming you have the Citrix License Server and StoreFront on other dedicated servers.

5. Accept the EULA

6. Change the location to D: drive unless you want to let it install to the default C: and keep Delivery Controller, Studio, and Director checked. Again, I’m assuming you will have dedicated servers for the License Server and StoreFront roles.

7. Go ahead and leave Remote Assistance checked if you plan on using shadowing

8. Firewall ports 80 and 443 will be used by Delivery Controller and Director. Just leave it to configure the rules automatically on Windows Firewall.

9. Review the summary and hit Install

10. It will begin installing, come back in about 11 min

11. Once installed it will look like this, hit Finish to launch Desktop Studio

12. Click “Deliver applications and desktops to your users” under the Site Setup heading

13. For a brand new deployment, keep it checked on “A fully configured, production-ready Site (recommended for new users)” and give it a name

14. Type in a database server and database name. This is where things are a little different from older versions of XenApp such as XenApp 6.5. As long as the service account you are logged in with has SA and DBO rights to the database server, you can just type in the name, hit test connection, then press OK and it will create it for you. If your DBA team doesn’t want to give your service account temporary elevated rights then generate the database script and give it to them. There will be 2 scripts, one for the regular database and one for the mirror if you plan on mirroring.

15. Once it verifies the database is there or it has the ability to create the database using the logged in account it will come back and say “All database connection tests passed”.

16. Enter a license server name and select an existing license. It may warn you saying your license server is not trusted if you don’t have an SSL cert.

17. Enter your XenServer info if you plan on using PVS, MCS, etc. to spin up VMs. The full list of options here is:

-Citrix XenServer
-Microsoft System Center Virtual Machine Manager
-VMware vSphere
-Citrix CloudPlatform
-Amazon EC2
-Microsoft Configuration Manager Wake on LAN

18. If you have App-V (and you should or at least be considering it) put your App-V management server and publishing server info in.

19. Review the summary and hit Finish

20. Now it will create the database, install services, etc. Shouldn’t take very long at all.

21. Run the Test site configuration option to the right

22. It will run through tests and provide an .htm based report of all results.

23. You should hopefully have everything successful

24. Now you’re ready to setup your Machine Catalogs. Click “2 – Set up machines for desktops and applications for remote PC access”. Read over the intro so you have a good understanding of the types of machine catalogs.

25. Now you get your options for your first catalog:

-Windows Server OS = XenApp
-Windows Desktop OS = XenDesktop/VDI
-Remote PC Access = “Poor Man’s VDI”. For those wanting to get rid of SSL VPN + RDP to their office desktops and instead get users using ICA through SSL ICA proxy (Access Gateway). At least that’s one of the best arguments for it.

26. During setup I did not enter any XenServer info and skipped the option. So I’ve defaulted to “not power managed” as a result. In this example I’m going to choose “Another service or technology” and use an existing physical server to populate this catalog.

27. Enter the name of the server. For this example I have a brand new Server 2008 R2 server created. It is a clean OS with nothing on it yet. Give the Catalog a name and description and hit Finish.

28. RDP into the server you added to the catalog, navigate to your install media and run AutoSelect.exe again. Choose the XenApp option this time and click the option to install the “Virtual Delivery Agent for Windows Server OS”.

29. Since this is a standalone physical box, I will choose the “Enable connections to a server machine” option:

30. I would leave Citrix Receiver checked. You can change the drive for the install if you need to.

31. Enter your DDC info. Remember, use the FQDN or it won’t work.

32. Leave Remote Assistance and Real Time Audio Transport checked and hit Next

33. Leave the firewall stuff as-is and hit Next

34. Confirm everything is correct and hit Install. You will likely need to reboot right after the first pre-req (RDSH) is installed. If you hit the Close button, it will immediately reboot the box so please be aware of that. I wish it would say Reboot Now instead since that is what it really does and you won’t be caught off guard. Hopefully you don’t have many other things open on the box when it reboots. :)

35. Once you’re logged back in it will pick right back up and take about 9 minutes to finish installing. Don’t expect to be able to multi-task and do something else on the box while you wait, the Start menu and desktop are all gone until it’s finished.

36. Hit Finish to restart one more time once it’s done.

37. Once you’re back in check the versions of what it has installed in Programs and Features and make a note in your documentation. Citrix Receiver is 4.1 (14.1.0.0) and the VDA is 7.5.0.4253. This info will come in handy later on when hotfixes and new releases need to be applied to the servers.

38. Go back to your DDC and you’ll see your server is now in a Registered state in your Machine Catalog:

39. Now click the Citrix Studio root and move on to step 3. You’re going to create and assign an app.

40. First you’ll need to create a Delivery Group

41. It sees my one and only Machine Catalog and I hit the + button to add just the single server to the Delivery Group

42. Since this server is going to be used exclusively for XenApp applications, I choose the Applications option

43. Add your user account for testing

44. The DDC will now enumerate all the apps on the server. I’m going to select trusty old Notepad to publish.

45. Now give the Delivery Group a name and description and hit Finish. For simplicity’s sake I called mine Notepad but follow whatever naming convention you normally use.

46. You’ll be redirected to Common Tasks and you’ll see the Notepad delivery group now. Your app is now published and should be available in StoreFront or Web Interface as long as your new farm is hooked up to it. To make it stand out easily among all your other apps you can even name it “Notepad XA 75” and stick it right in the root.

47. We know StoreFront will work but I just wanted to post this screenshot on Web Interface 5.4 for those of you that really wanted to see XenApp 7.5 on Web Interface 5.4. Launch Notepad and you’ve successfully published your first app on XenApp 7.5! :) Go explore publishing XenDesktop and RemotePC catalogs too. It’s not much different than what you just did.

Hope this guide helps with those new to XenApp and XenDesktop 7.x architecture. It’s nothing to be afraid of, it’s the same trusty XenApp and XenDesktop with a new skin and more features.

How to handle Citrix configuration changes for Citrix teams with many Citrix Admins

April 14th, 2014

When was this app published and who did it? We’ve all been in this situation before. We don’t know where the app came from or who published it and have to go through change tickets and emails to track down where it came from. In very large dynamic Citrix environments with many Citrix Admins working on things, this can become a challenge. Citrix change tracking is vital.

One sometimes overlooked feature of XenApp is that it has built-in configuration logging. Any time a Citrix Admin makes a change it gets written to the database where it can be reported on. On XenApp 6.5 and older you have to create a separate database for this. With XenApp 7.5 you don’t; it all gets written to the same database that your delivery controller configuration is in.

Here’s a quick rundown on how to get it working for XenApp 6.5 (with XenApp 7.5 it’s automatically turned on):

1. Go to AppCenter and right click your farm. Then hit Farm properties:

2. Click Configuration Logging in the properties bar and click “Configure Database”

3. Type in your SQL Server name and service account user credentials. And yup, you can use an Oracle database if you choose to.

4. Type in a database name. I am assuming you have had your DBA create an empty database for you already.

5. Leave all the advanced options at their defaults except for “Use encryption”. Set this to No. In most environments you are not going to be using SSL to connect to your SQL environment. If you leave it set to Yes and the SQL Server’s certificate does not chain to an authority this server trusts, you will get an error like this later when you attempt to test the connection:

Failed to connect to the logging database.

The database returned the following error:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 – The certificate chain was issued by an authority that is not trusted.)

6. Verify all your settings are correct and hit “Test Database Connection”

7. You should get a confirmation like this. Hit Finish.

8. Now you’ll be returned to the configuration logging setup box. Check “Log administrative tasks to Configuration Logging database” and “Require administrators to enter database credentials before clearing the log”. Hit OK.

9. Now right click History (which is called Logging in XenApp 7.5 Citrix Studio) and click Get log.

10. It’s going to give you a warning saying you don’t have a filter applied, don’t worry just hit Yes to continue.

11. You’ll get a popup asking to enter your logging credentials again, the same credentials you used to setup the database. Type them in and hit OK.

12. Voila, there’s your first entry of you turning on configuration logging. From here on out any change a Citrix Admin makes will be logged.

13. You can set filters to return just the data you’re looking for.

14. This is great but what if you want to have a daily report emailed to you and other Citrix Admins at the end of the day with all the changes that happened on the Citrix farm? This is where PowerShell comes in. You can get all this data pulled in via PowerShell and emailed out very easily. I’m working on a script and will post it right here on my blog once it’s done.
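
An added example, not the author's promised script: one way to build that daily report on the XenApp 7.5 side, where configuration logging is already on, using the Citrix.ConfigurationLogging.Admin.V1 snap-in on a Delivery Controller. The SMTP server and mail addresses are placeholders, and the log timestamps are assumed to be UTC.

```powershell
# Added example, not the author's script. Run on a XenApp/XenDesktop 7.5
# Delivery Controller as a Citrix administrator.
Add-PSSnapin Citrix.ConfigurationLogging.Admin.V1 -ErrorAction Stop

# Placeholders (assumptions): use your own mail relay and addresses.
$smtpServer = 'smtp.example.com'
$mailFrom   = 'citrix-changes@example.com'
$mailTo     = 'citrix-admins@example.com'

# Report window: the last 24 hours. Log timestamps are assumed to be UTC.
$since = (Get-Date).ToUniversalTime().AddDays(-1)

# High-level operations are the entries Studio lists under Logging.
$ops = @(Get-LogHighLevelOperation -MaxRecordCount 10000 |
    Where-Object { $_.StartTime -ge $since } |
    Sort-Object StartTime)

# Operations that did not complete successfully deserve a second look.
$failed = @($ops | Where-Object { -not $_.IsSuccessful }).Count

if ($ops.Count -eq 0) {
    $body = "<p>No configuration changes logged since $since (UTC).</p>"
} else {
    # Who changed how much, then every change in time order.
    $summary = $ops | Group-Object User | Sort-Object Count -Descending |
        Select-Object @{n='Admin';e={$_.Name}}, @{n='Changes';e={$_.Count}} |
        ConvertTo-Html -Fragment
    $detail = $ops |
        Select-Object StartTime, User, Source, Text, IsSuccessful |
        ConvertTo-Html -Fragment
    $body = "<h3>Changes per admin</h3>" + ($summary -join "`n") +
            "<h3>All changes since $since (UTC)</h3>" + ($detail -join "`n")
}

Send-MailMessage -SmtpServer $smtpServer -From $mailFrom -To $mailTo `
    -Subject "Citrix changes: $($ops.Count) logged, $failed failed" `
    -Body $body -BodyAsHtml
```

Scheduled once a day under a service account, this gives every admin the same view of who changed what.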

Adding a user or security group to every published application in your XenApp farm

March 28th, 2014

I had a need to add a certain security group to every single published application in a XenApp 6.5 farm today. Create a new file with the extension .ps1 and copy and paste this in:

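# Load the XenApp 6.5 PowerShell SDK snap-in
Add-PSSnapin Citrix.XenApp.Commands
# Add the group to every published application in the farm
foreach ($application in Get-XAApplication)
{
    # Applications are identified by browser name, which can differ from the display name
    Add-XAApplicationAccount $application.BrowserName "domain\yoursecuritygroup"
}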

Then run the PowerShell script. It will enumerate all apps in your farm and add the security group or user ID you specified to each app. Don’t worry, it won’t overwrite any existing users or groups for the apps, it will only add.

When you check the app properties now, you will see the new group added to all apps. Hope this helps!
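
An added example (not the author's script) that makes the same farm-wide change auditable: it snapshots every application's current accounts before touching anything and records the result of each add. The output folder C:\Temp is an assumption; the group name is the same placeholder used above.

```powershell
# Added example, not the author's script. XenApp 6.5 PowerShell SDK.
Add-PSSnapin Citrix.XenApp.Commands -ErrorAction Stop

$group  = 'domain\yoursecuritygroup'   # placeholder, as in the script above
$outDir = 'C:\Temp'                    # hypothetical output folder
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Snapshot every application, including its current accounts, so the
#    pre-change state can be compared or restored later.
Get-XAApplicationReport -BrowserName * |
    Export-Clixml (Join-Path $outDir "app-accounts-before-$stamp.xml")

# 2. Add the group one application at a time and record each outcome,
#    so a single failure does not hide behind the rest of the run.
$results = foreach ($app in Get-XAApplication) {
    $status = 'OK'
    $detail = ''
    try {
        Add-XAApplicationAccount -BrowserName $app.BrowserName `
            -Accounts $group -ErrorAction Stop
    } catch {
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        BrowserName = $app.BrowserName
        DisplayName = $app.DisplayName
        Account     = $group
        Status      = $status
        Detail      = $detail
    }
}

# 3. Keep the per-application results with the change ticket and show
#    anything that needs a manual follow-up.
$results | Export-Csv (Join-Path $outDir "add-group-results-$stamp.csv") -NoTypeInformation
$results | Where-Object { $_.Status -eq 'Failed' } |
    Format-Table BrowserName, Detail -AutoSize
```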

How to telnet from the Netscaler Access Gateway SNIP to your Citrix STA and verify the firewall port is open

February 7th, 2014

If you’re trying to troubleshoot a Citrix Netscaler Access Gateway and attempt to telnet from the Netscaler via a PuTTY session to an STA/XenApp server, you’ll notice that more than likely nothing will connect and it will eventually time out. This is because by default telnet is established from the NSIP. Telnet is a management function and almost all management functions are on the NSIP. You need to telnet from the SNIP instead.

The quick solution is to forgo telnet altogether. Instead create a Service under Load Balancing on the STA port you are troubleshooting:

-Service Name = porttest
-Protocol = HTTP (but you can use TCP too)
-Port = the port you’re trying to test
-Server = the IP address of the server you’re trying to hit

For this article I’ve created 4 porttest services to test ports 80, 8080, 443, and 1494. I can see only 1494 is responding meaning there is likely a firewall blocking me on the other ports or a misconfiguration on the back end XenApp servers:

If you click on the Service, you can see more good troubleshooting info on the attempted connections:

[Screenshots: a success vs. a fail]

If you realize your STA and XML port are failing, then it’s time to gather additional information to prove exactly what is going on. PuTTY into your Netscaler and enter the shell.

Then type:

nstcpdump.sh -ne host <server IP address> and tcp port <XML port>

Put your server IP and the XML port in where they need to be above. In my case I’m testing port 8080 and as you can see from the result below, my SNIP keeps trying to talk to the XenApp/STA server on port 8080 but is never getting a response back. The caret shows the direction of the communication. The IP to the left is the SNIP and the IP to the right on port 8080 is my STA:

Once you open up the firewall port, communication becomes bi-directional and it will look more like this. You can see the IPs will swap back and forth and port 8080 is moving from side to side (source to destination and destination to source) meaning they are talking now:

Once you check your Service again it should say UP now:

Hope this helps! :)

Publishing IE via Citrix in full screen kiosk like mode and retaining the X button to close

January 13th, 2014

I’ve written about staying away from publishing IE via Citrix if you can help it in many articles before. It’s a pain to do all the hardening that comes with publishing a browser. If you don’t lock it down, users will go nuts opening up all sorts of tabs through it thinking it’s their desktop browser and your XenApp servers are going to be overloaded with runaway processes. All it takes is a handful of users streaming video on Youtube to see an impact on your CPUs. Or something more serious, how about the user that manages to browse to a site that’s injecting malware via the latest Java exploit? You have to do all sorts of hardening at the OS and network level to really lock it down. It’s much easier to just publish a URL as content and let the client browser take over so you don’t have to deal with the headache.

But in some instances, you have no choice but to publish a browser. One of the most common examples is a web application that uses a specific legacy version of Java. You don’t want your users to run old versions of Java on their PCs and be vulnerable and incompatible with newer web apps, so you run it on a XenApp server instead, minimizing your attack vectors. Lock down the server at the network level to just the websites you want to get out to. Use a web proxy. Stick it on a secure VLAN. Heck, edit the server’s local hosts file and create a DNS black hole if that’s all you can do in a pinch. Do whatever you can to prevent users from getting out to some malicious website looking for browser exploits and opening up a world of trouble for you.

As far as locking down the IE browser itself goes, one thing you can do is publish it in kiosk mode:

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -k http://www.google.com

This will launch IE in full screen with no buttons, tabs, status bar, address bar, title bar, etc. This is perfect for a kiosk but not so much when published to regular and mobile devices. Users want the ability to be able to hit an X button to close the browser. They’re not going to know they have to hit Alt+F4 to exit out of kiosk mode.

The solution is to write a little VBS script and control every aspect of the browser. Here is an example of one of my scripts:

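' Create an IE window through COM so each part of the browser chrome can be switched on or off
Set objExplorer = CreateObject("InternetExplorer.Application")
objExplorer.Navigate "http://www.google.com"
' Hide the toolbars, keep the status bar
objExplorer.ToolBar = 0
objExplorer.StatusBar = 1
' Position the window at the top-left corner of the screen
objExplorer.Left = 0
objExplorer.Top = 0
' Show the window (it is created hidden)
objExplorer.Visible = 1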

I just publish it as:

wscript.exe "D:\Citrix Published Website scripts\Google.vbs"

and it will work just fine as a published app. Just remember, on Server 2008 R2 this is going to launch the 64 bit version of Internet Explorer because you’re calling on the 64 bit version of the Windows Script Host. You will likely want the 32 bit version for Java and other Addons to work. So publish it like this for 32 bit IE using the 32 bit Windows Script Host:

C:\WINDOWS\SysWOW64\wscript.exe "D:\Citrix Published Website scripts\Google.vbs"

Leave the working directory as the location of your scripts:

D:\Citrix Published Website scripts

You’ll notice I only allow the title bar and status bar with this script but you can do anything you like.

You can even control the window size by just adding a couple of lines:

objExplorer.Width = 1024
objExplorer.Height = 768

Hope this helps someone!
