1. How to setup your Citrix Netscaler (Access Gateway) and Web Interface for iPads and mobile devices that use Citrix Receiver

2. Quick way to brand Access Gateway and Web Interface 5.4 with company logo and colors

Now let’s throw a new scenario into the mix. You want to allow users from another domain access to resources through your Access Gateway and Web Interface. Here is what you need to do to accomplish this.

SETTING UP A DROPDOWN BOX TO PASS THE DOMAIN
On your Access Gateway, if you followed my “branding guide” article above you will have noticed on the themes available from the Citrix blogs there are 2 versions, one normal and one with a dropdown. If you chose Horizon to customize like I did, make sure to download Horizon2.gz which has the code for the dropdown already in it. You just need to add your domains in the code. This is found in these two files:

\Horizon2\ns_gui\vpn\index.html

\Horizon2\ns_gui\vpn\tmindex.html

If you have your own theme and just want to add the code, Citrix has an excellent CTX article here covering it:

How to Add a Drop-down Menu with Domain Names on the Logon Page for Access Gateway Enterprise Edition:
http://support.citrix.com/article/CTX118657

What’s happening here is that a dropdown box is created with pre-populated domain names that you specify in your code. The user selects the proper domain when logging in and then this domain name is inserted into the header and passed to the Netscaler Access Gateway vserver where the authentication policy examines it. Based on the name the Netscaler sees in the header, it forwards the request on to the correct authentication server. This works great with LDAP authentication servers. I have not tested it with TACACS or RADIUS yet.

SETTING UP ACTIVE DIRECTORY LDAP AUTHENTICATION
Now it’s time to setup your Active Directory authentication for each of your domains.

1. Download LDAP Browser 4.5 for free here: http://www.ldapbrowser.com/download.htm

2. Go to your Netscaler under System > Authentication > Servers tab and create a new LDAP server. Use port 636 for secure LDAP instead of 389. Use LDAP Browser to get the Base DN and Administrator Bind DN. I prefer to use the app so I don’t fat finger the distinguished name and spend an hour trying to figure out that I missed a comma. Using LDAP Browser is much quicker and less error prone. The Base DN can be your entire AD domain or you can lock it down to an OU. The Administrator Bind DN is the actual account name that is used to enumerate AD. So CN = the user name, OU= the OU it’s in, etc. Add the password for this service account.

Make sure to select “SSL” for security type near the bottom. Click the blue “Retrieve attributes” link and it should talk to AD. Then the drop down boxes in Other Settings will not be greyed out anymore. Set the following:

Server Logon Name Attribute = samAccountName
Group Attribute = memberOf
Sub Attribute Name = CN
SSO Name Attribute = UserPrincipalName

So everything should look like this so far:

3. Now expand the Netsted Group Extraction arrow near the bottom. You need to enable it and set the same Group Name Identifier as you did for Server Logon Name Atrribute. In this case samAccountName. Then press OK to create the server:

4. Now it’s time to create the policy and bind it to the server. Hit the tab for Policies and create a new policy. Choose the server you just created. For the Expression, you will want:

REQ.HTTP.HEADER Cookie CONTAINS domain1

where domain1 is the name of your first domain.

5. Now do steps 2 through 4 again but for your second domain, domain2.

6. Almost done. What we’ve done so far is create two authentication servers and two authentication policies. These two policies are good for web browser users (IE, Firefox, Chrome, Safari, etc.) but mobile devices using the Citrix Receiver native app like iPhones, iPads, Android phones, Android tablets, etc. will not work just yet. This is because they cannot pass cookie values. Nor do they pass the domain during authentication against the Access Gateway (a traffic capture can confirm it only passes user ID and password). You need to create a different set of authentication policies for these. So you will create one for each domain. You will bind to the same authentication server as the other policies but you’ll want to add the word “mobile” or something descriptive to the end of the policy name so you know what it is for. The expression should be:

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver

7. Now do the same for your other domain, domain2.

8. Now go to your Access Gateway vserver and add all 4 policies you created. Take a look at my example screenshot closely and the priority order.

Here is the logic behind this policy order:

100 – Domain1 user logs in via web browser and uses drop down/passes cookie for domain1 so authenticates against domain 1 DC.

110 – Domain2 logins via web browser and uses drop down/passes cookie for domain2 so authenticates against domain 2 DC

120 – Domain1 user logins via iPad so first two policies are automatically false since the native Citrix Receiver app can’t pass a cookie. Authentication policy is looking for CitrixReceiver in the header so it will try to authenticate against domain 1 DC. It will be successful and the user will see his apps.

130 – Domain2 user logins via iPad. The first two are false for the same reason as 120. The expression from policy 120 is true so the user will actually authenticate and fail against domain 1 DC. Then it moves on to the 130 policy and authenticates against the domain 2 DC. It will be successful and the user will see his apps. Note, if a user has the same account name on both domains, it will cause a rejected login attempt on domain 1 which depending on your Active Directory account lockout policy can eventually lead to an account lockout. Just be mindful of this and adjust your policy accordingly if you need to.

MODIFYING YOUR SESSION POLICIES
9. Now on to the session policies. If you followed my guide on How to setup your Citrix Netscaler (Access Gateway) and Web Interface for iPads and mobile devices that use Citrix Receiver you should have 2 policies. One for regular traffic and one for mobile/Citrix Receiver traffic. Should look something like this:

Go ahead and click on the blue profile link for the CitrixReceiver policy first.

10. Under the Published Applications tab, clear the Single Sign-on Domain, you don’t need it anymore. SSO is being handled by the authentication server now. Specifically the SSO Name Attribute setting for each server which you set as UserPrincipalName. So it is automatically passing the UPN formatted user credentials to the Web Interface as the same time the user is successfully authenticating against the Access Gateway using the SAM account name. Pretty cool right? Now do the same for your other policy that controls regular web traffic.

11. An extra step for your mobile traffic policy. Under the Client Experience tab, you can set the Clientless Access to Allow and the Plug-in Type to Java but it’s not necessary. It will still work but since it’s mobile traffic only, this won’t hurt.

SETTING UP ACTIVE DIRECTORY AUTHENTICATION GROUPS
12. Now let’s move on to setting up your authentication groups. Let’s say each domain has a security group that gives users access via the Access Gateway. Again, there are 2 well documented methods for group extraction:

How to Configure a NetScaler Appliance for Active Directory Group Extraction for LDAP:
http://support.citrix.com/article/CTX111079

How to Configure a NetScaler Appliance for Active Directory Group Extraction for LDAP Using the Groups Allowed To Login Feature:
http://support.citrix.com/article/CTX125797

I prefer the first method. It’s basically just one step in one place (the authentication server object) and goes into effect at the authentication level. No fooling around trying to control it via a session policy. So go back to your 2 authentication servers you created before and take a look at the Search Filter field. It should be blank at the moment.

13. Go to LDAP Browser and get the DN for for the security group you want to give access to for your first domain.

14. Go back to the Search Filter field and type memberOf= followed by the DN (distinguished name) for the security group. So it should look something like this:

That easy. Make sure to do it for the authentication server for domain 2 as well. Go ahead and test your login scenarios and everything should work perfectly.

ADDING REDUNDANCY FOR YOUR AUTHENTICATION SERVERS
I only covered how to add a single authentication profile (domain controller) for each of the 4 policies on the vserver. Most companies are going to have multiple DCs. There is no way to add multiple DCs per authentication policy. The solution is to create a Load Balanced vserver with all your DCs behind it per domain and then add the IP of the vserver to an authentication server that is bound to the authentication policy. So in the example I’ve been showing you, I would have to create 2 load balanced vservers since I am working with 2 domains.

15. Go to Load Balancing > Servers > and add all your servers here:

16. You guys know I prefer to create service groups vs. services and the reasons why if you’ve read my previous Netscaler articles so go to the Service Groups section and add a new services group. Select SSL_TCP for the protocol.

Specify the server based members and make sure to set the port to 636. You can weight the servers here if you want to. Under the Monitors tab, go ahead and add a ping monitor or whichever monitor you prefer. Do this for each group of your authentication servers. You might want to group them by city, datacenters, production vs. DR, or whatever makes sense in your environment.

17. Now create a load balanced virtual server for your first domain. Select SSL_TCP for the protocol, port 636, and give it an IP address. Under the Service Groups tabs, add the groups you need. Keep in mind you won’t be able to see the SSL_TCP service group you created until you set the vserver protocol to SSL_TCP. Under the Methods and Persistence tab, you can get creative if you like or just leave it the default Least Connection. It really depends on your environment and where you prefer traffic to go. Under the SSL Settings tab, bind the cert you use for your Access Gateway vserver. Do all of this for your other domain as well. Both load balanced vservers should be in the UP state at this point.

18. Now go to System > Authentication > Server tab and left click on one of the DCs. Then at the bottom click Add, this will copy all of the settings on the DC you had highlighted and allow you to create a new one based off of it. So you don’t have to put all your DNs and stuff in again. Just give it a unique name and for the IP, type in the IP of LB vserver you just created for that domain:

Now do the same for the other domain.

19. Now go to the Policies tab and edit each of your 4 policies. You can simply change the server in the drop down to the new one you created for each of your 4 policies and you’re done. All authentication traffic is now going through your load balanced vservers. Keep in mind that before, LDAP traffic was going from your NSIP to each DC. When you use LB vservers, traffic is going from the SNIP to each DC. So make sure you have your firewall ports open from the correct source IPs or you won’t be able to authenticate. Retest all your scenarios and everything should continue to work just as before.

TROUBLESHOOTING LOGINS
Once you’ve set everything up you might encounter issues and need to troubleshoot. There are a few ways to troubleshoot logins. I’ve covered this before here:

How to troubleshoot RADIUS or TACACS authentication issues on a Netscaler/Access Gateway

20. First you can troubleshoot the authentication layer but capturing of all authentication happening on the device. Open Putty and connect via SSH to your Netscaler. Enter the shell by typing

shell

and pressing enter. Then type:

cat /tmp/aaad.debug

and the cursor will go to the next screen and wait. Open up your web browser and attempt to login to the Access Gateway. Immediately you will see the request happen in your SSH window. You’ll see exactly what is happening line by line like this. You’ll even see the nested group extraction taking place:

The last line will show the accept or reject:

When you’re done, press Ctrl+Z to exit.

21. The next layer to troubleshoot is all the polices. All of them, authentication, session, etc. You want to see everything a user hits when he logs in. So type the following:

nsconmsg -s disptime=1 -d current -g pol_hits

and login to the Access Gateway again using a web browser. Immediately in your Putty window you’ll see what all policies were hit:

This will help troubleshoot your policy flow. We’ve built a lot of intelligence into the cascading authentication and session policies and based on the user’s device and domain, it will vary what all they hit. This is an excellent way to test each of those scenarios.

22. The last step is getting down to the packet layer and analyzing the traffic using Wireshark. I’ve covered this in my previous post but go to System > Diagnostics > Start New Trace and set the packet size to 0. Then press Start.

Login to your Access Gateway via web browser, stop the capture, and download it to your desktop. You will also want to WinSCP into the Netscaler and grab the SSL RSA key for the SSL cert you are using on your Access Gateway site so you can decode the SSL traffic. Then double click on the .cap packet capture file and it will open in Wireshark. Go to Edit > Preferences > Protocols > SSL > and click Edit in the RSA Keys field:

In the SSL Decrypt Window, hit New in the bottom right side and this window will popup. Type in the IP address of the Access Gateway vserver, port 443, protocol http, the exact path on your hard drive to the SSL RSA key file, and leave the password blank. Then press OK to add it:

Press okay and get back to your capture. Now in the Filter field, just type the following:

frame contains youruserID

because we want to find all the instances of your user ID being passed. You should be able to find your user ID and password in plain text. Follow the TCP stream if you need to to find out exactly what is happening.

Hope this helps. Please leave a comment if this post helped you or if you have any questions and I’ll try my best to help.

How to setup Citrix Netscaler (Access Gateway) with multiple domains for web browsers and mobile devices is a post from: JasonSamuel.com

Citrix has an excellent eDoc primer for understanding the intricacies of XenApp on PVS located here. I recommend skimming this before beginning:

http://support.citrix.com/proddocs/topic/xenapp65-install/ps-image-prep.html

Now on to the steps. This is just my way of doing it. It works well for me. There are a couple of different ways you can achieve the same thing so use what works for you:

1. I am assuming you already have a XenApp 6.5 farm created and at least one dedicated server for the role of the ZDC. All XenApp servers provisioned via XenApp will be member servers of this farm and you do not want them to become a ZDC. Just set the election preference in AppCenter under Zones. In this example, I have a Default Zone and have set one server as the ZDC but it is best practice to have at least a handful of servers that are not provisioned to be set as preferred. Just in case one goes down, you don’t want one your provisioned servers to become a ZDC:

2. Now go to your XenServer and create a new Server 2008 R2 VM

3. Install XenServer Tools

4. Make a copy of the VM and convert it to a template. This is your “clean” Server 2008 R2 image you can come back to later if you need to. You can spin up new VMs from it.

5. Now go back to the VM you were working on and install things that are needed on all servers like Symantec, Citrix Offline Plugin (if you intend to leverage app streaming), etc. but try to keep it as clean as possible. Remember, you are building just the base right now. Don’t install any applications you plan to publish yet.

6. Add the server to the domain. Make sure the name is the first server in your naming scheme, example: “ServerName-100″ where 1 denotes the image number and 00 is the VM number. The next VM that gets spun up using this image will be ServerName-101 and so on.

7. Begin installation of XenApp 6.5 like normal and follow Approach 3 detailed here:

http://support.citrix.com/proddocs/topic/xenapp65-install/ps-image-prep.html

8. If you have multiple NICs in your PVS environment for streaming vs. regular network traffic there’s an extra step you have to perform in the VM. Make sure you go into ICA Listener properties and set it to PVS Adapter #1, the network NIC. Not the PVS streaming NIC which is #0. They may be labeled differently in your environment depending on the NIC order of your VM. Just remember, you want the network NIC to handle ICA, not the streaming NIC.

9. Now install the apps you intend to publish. Just install, don’t try publishing anything yet. If you plan on streaming apps to your XenApp servers via Citrix Offline Plugin or App-V, skip this step.

10. Install the PVS Target and reboot. Do not run Imaging Wizard yet.

11. You can choose to install the EdgeSight agent at this point if you use EdgeSight in your environment. There is an excellent guide from Citrix on how to install EdgeSight in a PVS environment below. Don’t worry, when it detects the PVS Target software is on the system and the image is in private mode being updated, it won’t start the EdgeSight service and start sending your EdgeSight server junk data:

http://support.citrix.com/proddocs/topic/edgesight54/es-agent-install-streamed.html

12. Log back in to the VM and in the XenCenter console, set the PVS boot disk to boot first (BDM). Then go to the PVS Console on the PVS server and create a new Device with the MAC address of this VM’s provisioning/streaming NIC. Call the device ServerName-101 so it’s separate from the ServerName-100 original but call the vDisk 100 so you know where the image came from later (i.e. image 1). Set device to Boot from Hard Disk. Now reboot the VM. You can let Imaging Wizard do this but if you really want to be hands on, you can choose to create and attach an empty vDisk of the same size as the c: drive of the VM now.

13. It should have booted from the BDM boot disk and be connected to the empty vDisk you created. Run Imaging Wizard and push the image across to the PVS Server vDisk (don’t forget to optimize the image). If you did not create a vDisk in the above steps, just create a new disk and run through the Wizard prompts to create it real quick. It will assign the device to this new vDisk. Reboot when you are asked to.

14. Log back in and immediately XenConvert will launch and begin pushing your image over to the newly created vDisk.

15. Now go to the PVS console and set your device to boot from vDisk and reboot your VM. It should now be booting from your vDisk.

16. Log back in and re-run XenApp configuration and unjoin from farm using the prep option. This is done by going to Start > Programs > Administrative Tools > Citrix > XenApp Server Role Manager > and then clicking on the XenApp Server Role Manager app. Click Edit Configuration. Then click Prepare this server for imaging and provisioning. You want to just leave the defaults checked which is to remove it from the farm and join on the next boot. Once it removes it, it will ask you to reboot. Just close and power down the VM, don’t reboot.

17. Go to your PVS server and change the vdisk from private to standard mode. Now spin up a few VMs using the “Streamed VM Setup Wizard” in the PVS console. You’re going to need a template and you’re going to want to setup your write cache. I’ve covered this very well in my PVS 6.1 on XenDesktop/Windows 7 guide so I’m not going to get into the details here. Wait until the VMs are created and powered on.

18. Go to your ZDC and open up AppCenter and run a Discovery. You should see the new member servers. At this point you can begin publishing or streaming apps to them.

TO MAKE CHANGES AND RESEAL THE IMAGE
1. Boot a device into maintenance mode after creating a maintenance version on the vDisk. Or you can choose to power down all your running VMs and put the disk into private mode. Your choice.

2. Make your changes.

3. Re-run XenApp configuration and unjoin from farm using the prep option.

4. Shut it down and promote the image to production if using versioning. Or put the disk back into standard mode if you used the other method.

5. Reboot all your devices so it gets the new vdisk

I hope this guide helps. Please feel free to leave a comment below if you have any questions. I’ll try and help as best as I can.

How to create a XenApp 6.5 Server 2008 R2 golden image for PVS 6.1 is a post from: JasonSamuel.com

• Your company uses Sharepoint and the URL is http:\\sharepoint.domain.com. It is part of the Local Intranet zone in IE.
• Your users are using Windows 7 VDI/XenDesktop VMs with Citrix Receiver Enterprise pulling published apps into the Start menu.
• You have Office 2010 products (Word 2010, Excel 2010, Visio 2010, etc) published via XenApp with content redirection enabled so .docx, .xlsx, .vsd files launched in the VDI session will open using the published Office app.
• Your users want to click on a Word, Excel, Visio, etc. document in a Sharepoint document library and click the Edit button to edit the document instead of just Read Only. They expect the published Office app to launch and allow them to edit the document.

THE PROBLEMS
In this scenario, when the user clicks on let’s say a Visio document in Sharepoint, the published app will launch but the document will not be sucked in. You’ll get a “File not found” error and if you look closely, the URL begins with “\\” as if it’s a UNC path instead of an HTTP path:

If you click OK, Visio will open but no diagram will open.

If you right click, Save As the Visio diagram to your C: drive and attempt to open it locally, it will launch the published Visio instance but will give you the following “File not found” error:

Again, look closely. It says “\\Client\” instead of your VM’s name.

THE FIXES
Well, really it’s 1 fix and 1 workaround for now. Let’s start with the fix first. We’re going to get local files and files residing on network shares launching right using the published app. I’m going to use Visio and a .vsd file again as the example:

1. On the Windows 7 VM, you must enabled Native Drive Mapping to be able to launch the .vsd file via published Visio. You can follow the CTX article here to make the registry change:

http://support.citrix.com/article/CTX130378

or you can enforce it via group policy. One thing though, on Windows 7 x64 the path is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Configuration\
Advanced\Modules\ClientDrive

NativeDriveMapping
Reg Type: REG_SZ
Add the Value: True

Once the value is set to TRUE, try launching the .vsd file you saved to your hard drive or on a network share. It will launch immediately. Then go to File – Save As in Visio and checkout the path bar. It will say “\\Client\C$\Users\xxxx\”. So now your system recognizes the word “Client”.

This is because you’re going through 2 virtualization layers. Citrix has an excellent article detailing how Client drives are passed through multiple sessions here:
http://support.citrix.com/article/CTX127872

You can also read more about the NativeDriveMapping key here:
http://support.citrix.com/article/CTX124389

Additionally here is a really good CTX article from Citrix that covers Client Drive Mapping troubleshooting that might be helpful to you:
http://support.citrix.com/article/CTX238200

And some info describing differences in Client drive mapping between the different versions of XenApp and Presentation Server here:
http://support.citrix.com/article/CTX127614

2. Now back to Visio diagrams in Sharepoint. First you need to verify content redirection is behaving correctly. In my case, I needed to make sure to change the published app location to include the “%**” switch. By default when you enable content direction, it will be:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%*"

with just one asterisk. You need to add two so it looks like this:

"D:\Program Files (x86)\Microsoft Office\Office14\VISIO.EXE" "%**"

The reason for this is documented in this CTX article:

http://support.citrix.com/article/CTX116887

This was written for Presentation Server 4.5 but it still applies to XenApp 6.5 just fine.

Once you get content redirection squared away on your XenApp server, things will still not work correctly unfortunately when opening docs in Sharepoint in your XenDesktop session. You can try right clicking and editing but you will still get the File not found error. This error has nothing to do with Client Drive Mapping. Being a Sharepoint Architect in a previous role long ago, my gut feeling was this is a WebDAV issue. Remember, Sharepoint uses WebDAV with document libraries though to the casual observer it might appear to be a UNC file share path. My gut was telling me Receiver was not handling WebDav paths correctly and was treating them like regular SMB file share paths. No proof this is the culprit just yet, only a hunch.

Let’s run an experiment. In your Sharepoint document library, click Actions > Open with Windows Explorer:

You’ll notice the path bar says “http://sharepoint.domain.com” when you open it here:

Go ahead and launch the Visio diagram in this document library. When you try and launch it, it will launch published Visio and give you the same File not Found error as before. In some scenarios even an Access Denied error though it never actually was able to find the file. Again, it is looking for “\\sharepoint.domain.com” instead of using WebDAV (or the DavWWWRoot keyword) which should be parsed like the HTTP protocol “http:\\sharepoint.domain.com”. Sharepoint Content Redirection is never going to work because Citrix Receiver doesn’t know how to get there. One work around is to tell your users to save locally, edit, then upload. But this is annoying and most users will complain.

I started thinking Mini Redirector (which is Microsoft’s WebDav client and part of the Windows 7 OS) was trying to hand-off the DavWWWRoot keyword in the URL to Receiver and Receiver didn’t know what to do with it. Looking at the URL though it didn’t even seem to be passing it through. It was as if it was passing a straight UNC path. Or maybe is was not talking to owssupp.dll which is required to interact with and edit docs in Sharepoint. Maybe somehow it wasn’t handing off through Receiver properly. Now I was really starting to go down the rabbit hole and before I dug further, I figured I’d give Citrix Support a call and see if they had any input.

I was able to talk to a XenApp support technician and a XenApp Developer who were both very knowledgeable. I explained my WebDav theory and we ran a little experiment. We ran Process Monitor from my Windows 7 workstation and attempted to edit a simple Word document in Sharepoint. The published version of Word launched as expected and failed to find the file. Here is the URL that was passed to the PNAgent when we used the Process Tree display:

You can see that it passed:

\\Client\\\sharepoint.domain.com\link\to\doc\repository\test jason.docx"

Looks a bit odd, doesn’t it? No wonder it can’t find the file.

Then we went to the XenApp server with Word 2010 installed locally, opened Internet Explorer, and navigated to the Sharepoint document library. When I clicked Edit on the Word document this time, this is what was passed to the locally installed Word:

And of course the Word document successfully launched. You can see it passed a nicely formatted HTTP URL:

http://sharepoint.domain.com/link/to/doc/repository/test%20jason.docx"

The XenApp Developer verified this was actually a bug and needed to be fixed. It may or may not be WebDav related, but he confirmed there is definitely a disconnect at the Content Redirection level via Sharepoint as I had suspected. It has been added to their bug queue to get taken care of.

In the mean time, his suggestion is to publish Sharepoint itself on the same server Office 2010 products are installed on (publish IE passing the Sharepoint URL during launch). This is a good workaround but may annoy a few users. I always hate publishing IE because of the stuff you have to do to lock down/harden the browser. People can get confused and start browsing to Youtube or other process intensive websites using this published instance of IE if you don’t completely lock down the allowed URLs. This can cause a severe impact on XenApp performance for all users on the box. If I limit tabs, then people start complaining they can’t open additional tabs and the helpdesk gets flooded with phone calls. So just keep that in mind if you use this workaround.

Another work around I found online is by Anthony Obi:

http://community.obilogic.co.uk/blogs/teamblog/archive/2011/10/25/sharepoint-2010-edit-document-via-citrix-xenapp.aspx

He has an issue where owssupp.dll was not being detected on the client system (because it wasn’t there) and added an extra menu item in his Sharepoint deployment to edit documents as a work around. He modified the new Edit action to launch some Javascript that talks to PNAgent.exe that then talks to the published Office instance and passes the correct URL. This might work as well for you but of course it requires a modification of your Sharepoint environment and end user training.

I will post here as I get updates from Citrix Support on this issue. It’s a fairly unique scenario but definitely not uncommon in the real world as application delivery and desktop virtualization continue to be separated through multiple layers.

Opening Sharepoint documents in a Windows 7 XenDesktop session using XenApp published Office products with content redirection is a post from: JasonSamuel.com

This is a pain to do manually when you have several hundred XenApp servers. You can do it through group policy but you may only want to change it on a subset of servers in an OU and not all of them. So I used PowerShell and PsExec to precisely target all my XenApp servers I wanted to change. It’s a very quick option when you are pressed for time.

You’ll need to create rds.bat and rds.ps1 and put them in "d:\rdsscript" on the server you plan to run the Powershell script from. You’ll want to share out your "d:\rdsscript" folder on the server you plan on running the script from, otherwise you might get Access Denied errors because the script references a UNC path. The contents of these two files is below.

rds.bat contents:

powershell.exe -executionPolicy unrestricted -command 
"\\yourserver\rdsscript\rds.ps1"

rds.ps1 contents:

Import-Module RemoteDesktopServices
cd RDS:\
cd .\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers
new-item –name newlicenseserver.yourdomain.fqdn
remove-item oldlicenseserver.yourdomain.fqdn -confirm:$false -recurse:$true

Modify the rds.ps1 script with the name(s) of the servers you want to add a the name(s) of the servers you want to remove. You can run rds.bat locally on a XenApp server as a test to see if it worked.

Now it’s time to run it on all your XenApp servers remotely. You can use any number of delivery methods. Again I chose to use PsExec because it’s quick and gets the job done. I highly recommend doing your dev, staging, etc. servers first before doing it in production.

Now copy PsExec.exe into the "d:\rdsscript" folder. You’ll also want to create psexec.bat and xenappserverlist.txt now. Here are the contents of the two files:

psexec.bat contents:

psexec -s @xenappserverlist.txt "\\yourserver\rdsscript\rds.bat" 
pause

xenappserverlist.txt contents:

XenAppServer01
XenAppServer02
XenAppServer03
XenAppServer04
XenAppServer05

So your shared directory on the server you plan on running the script from will look something like this:

Now just double click on psexec.bat and it will run the script on each of your XenApp servers in the list. The “-s” tells psexec to execute as the local system account so you don’t have to put your username and password in the script. I don’t like to put usernames and passwords in the script because doing that would send it across the network in plain text so it may be a security concern.

Hope this helps. Let me know if you have any other methods to accomplish an RDS license server migration quickly. I’m always looking for more options.

How to use PowerShell and PsExec to change the RDS license server name on all your XenApp servers is a post from: JasonSamuel.com

No client access credentials have been specified.  Please enter credentials before retrying to to Poll the client.

and under the Client Access Log, you can see more details on the error:

Could not use credential: "DOMAIN\UserID", error:  Password decryption failed, error: [Unable to access the Master Key on the server, error was Keyset does not exist.]

In a pinch, you can manually install the agents on the client and they will start checking in but you are still going to get these error messages in the Management Console:

When you go to “Client Access Credentials”, you will get prompted with the following error message:

DataAccessServices.CryptoManager+MasterKeyAccessException: Unable to access the Master Key on the server, error was Keyset does not exist

If you hit OK and attempt to enter the missing credentials, the AppSense Management Console will crash on you. As in the entire MMC will crash and disappear. Don’t worry, this is an easy fix.

1. Go to Start > All Programs > AppSense > Management Center > AppSense Management Server Configuration

2. The Encryption field will likely be red. Just click it and you will see the Encryption Key Status is “Not Valid”. The Transfer Key may also say “Not Present”:

3. Go ahead and click the “Regenerate” button. It will warn you asking “Are you sure that you want to replace the current master key hash? A new master key hash will be regenerated”. Go ahead and click OK:

4. Now click “Store” for the Transfer Key. It will ask you to enter a new Transfer Key Password. Go ahead and type it in and press OK. One thing to note, if you are load balancing the Management Server and it says the Transfer Key is “Present”, do not click Store and enter a new one. Instead just click Retrieve and type the password when prompted. If you are load balancing and it doesn’t have the Transfer Key present, use Store on the first server and when performing these steps on the second server, use Retrieve:

5. Now your Encryption settings should look something like this. Encryption key is “Valid” and Transfer Key is “Present”:

6. Now open up the Management Console again and you should should be able to add credentials under Client Access Credentials. You might even see the old user name and password in there. You will have to re-enter the password on it though:

7. Now go back to your Deployment Group and find your client machine. Click “Poll Now” and it should successfully poll impersonating using the credential you entered.

AppSense Management Console crashes when trying to add Client Access Credentials is a post from: JasonSamuel.com

Capturing AAA authentication traffic in real-time
1. SSH into the Netscaler, login with your admin credentials, then enter shell by typing:

shell

2. Now you want to capture the authentication in real time and see exactly what the error looks like. This is handled by the AAA (Authentication, Authorization, and Auditing) on the Netscaler. So type the following:

cat /tmp/aaad.debug

A successful authentication against the Access Gateway would look like this. The user is named User1:

usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[614]: 
process_kernel_socket call to authenticate
user :User1, vsid :414
Tue Feb  5 09:53:53 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[138]: 
start_radius_auth attempting to auth User1 @ xxx.xxx.xxx.xxx
Tue Feb  5 09:53:53 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[741]:
 process_radius radius accepts : User1
Tue Feb  5 09:53:53 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[743]:
 process_radius extracted group string :(null)
Tue Feb  5 09:53:53 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1466]: 
send_accept sending accept to kernel for : User1

and an unsuccessful authentication would look like this. The user is named User2:

Tue Feb  5 09:50:11 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[614]: 
process_kernel_socket call to authenticate
user :User2, vsid :414
Tue Feb  5 09:50:11 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[138]:
 start_radius_auth attempting to auth User2 @ xxx.xxx.xxx.xxx
Tue Feb  5 09:50:11 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[788]:
 process_radius radius rejects : User2
Tue Feb  5 09:50:11 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[138]:
 start_radius_auth attempting to auth User2 @ xxx.xxx.xxx.xxx
Tue Feb  5 09:50:14 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[731]:
 process_radius retransmit radius packet
Tue Feb  5 09:50:17 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[731]:
 process_radius retransmit radius packet
Tue Feb  5 09:50:20 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[778]: 
process_radius rad_continue_send_request:No valid RADIUS responses received
Tue Feb  5 09:50:20 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[785]:
 process_radius unknown return value from rad_continue_send_request :-1
Tue Feb  5 09:50:20 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/radius_drv.c[788]:
 process_radius radius rejects : User2
Tue Feb  5 09:50:20 2013
/usr/home/build/rs_93/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1562]:
 send_reject sending reject to kernel for : User2
Tue Feb  5 09:50:23 2013
lwagent.c[1107]: main EV_DEBUG: handle time out

you can see very clearly that the authentication server has denied access. This points to an issue on the authentication server. To stop the capture, just hit Ctrl + Z.

Viewing the ns.log using Syslog Viewer
1. You can look at all the failed logins in the ns.log. In the Netscaler admin console/GUI, go to System > Auditing and click the “Syslog messages” button:

2. Select the AAA module and then double click each ns.log file. You will immediately see all the “LOGIN_FAILED” event types as you go through each ns.log (these are the logs stored at /var/log on the Netscaler). Pay attention to the message, it will tell you why the authentication attempt failed. As you can see in this example, the authentication server is the problem and is denying access:

Running a Trace
1. Lastly you can run a network capture/trace when users are experiencing the issue. You can do this via the console/GUI easily by going to System > Diagnostics and clicking on “Start new trace”:

2. Set the packet size to 0 and hit Start:

3. Stop the trace once you feel you have enough traffic captured:

4. Download the nstrace .cap file and you can open it in Wireshark for further analysis:

Hope this helps some of you. Let me know if you have any other methods of troubleshooting authentication issues you would like to share. LDAP troubleshooting is easier since the Netscaler can give you a lot more detail as to what is failing. RADIUS and TACACS is a little trickier since you have something in the middle to troubleshoot but the steps above should give you enough to tell you if the problem resides on the Netscaler or on the authentication server.

How to troubleshoot RADIUS or TACACS authentication issues on a Netscaler/Access Gateway is a post from: JasonSamuel.com

1. Verify the app is set to allow multiple sessions. By default “Allow only one instance of application for each user” is unchecked. Leave it like that.

2. Log into your Web Interfaces and right click on your XenApp Web Site. Then click Workspace Control. Make sure the Reconnect Button is set to “Allow users to customize”. This allows the select users who need concurrent application sessions to modify their settings without having to impact the rest of your users.

3. Verify Remote Desktop Session Host on your XenApp servers is set to allow more than 1 session. Most people forget this one since it’s not really a Citrix setting. Go to Start > All Programs > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration. Double click on “Restrict each user to a single session”:

and under the “General” tab, uncheck “Restrict each user to a single session”:

4. Have the user login to the Web Interface. Have them click Settings in the top right and uncheck the “Reconnect” option. Then hit Save:

5. Now have the user try to launch 2 sessions of the same app one right after another. You should have 2 sessions launch now. Here is an example with Notepad:

How to launch multiple sessions of a XenApp 6.5 application without stealing the original session is a post from: JasonSamuel.com

http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx

I did a little custom BGInfo configuration to capture just the important pieces of info for my Windows 7 PVS XenDesktop environment. Of course this might differ for your environment and you might need more fields but this is a good starting point:

1. A Title – let’s the user know they are on a Windows 7 VM and not a workstation. Users can get confused when switching back and forth.

2. Host name – for when the help desk asks the user the name of their VM

3. IP addresses – both the streaming NIC and LAN NIC IPs. Not really necessary in a PVS environment obviously, but nice to have it displayed.

4. User Name – good to know what account the user is logging in with

5. Boot Time – very important to know in a PVS environment. You know those calls you get saying a person’s desktop looks completely different from everyone else and after you investigate a bit you figure out they’re on an old version of the image because they haven’t rebooted in forever. Yeah, this will help with that.

6. Write Cache free disk space left – another very important piece of info in a PVS environment. Once the write cache gets filled up, the VM is done and users start calling in. Good to know how much the user has left. Also a good way to gauge if your allocated write cache is truly enough for your environment or if you need to think about growing it.

So here’s how my desktop looks, very simple and clean:

I like to bake BGInfo into my images. I just create a folder called c:\BGInfo and copy Bginfo.exe in there. I’ll get to the other 2 files in a second.

Run Bginfo.exe and you get all the default stuff, delete it all and start clean adding just the stuff you need. Here’s how mine looks:

Don’t forget to set your settings under Position > Multiple Monitor Configuration for people with more than 1 monitor. I like mine to just be on the primary screen:

And under Desktops, you’ll want to change it for pretty much anyone that hits the VM using any method. I set mine to “Update this wallpaper” for all scenarios and prompt if it has an issue setting it (so I can investigate if anyone reports an issue):

Then go to File > Save As and save your configuration file. It will be saved with the .bgi extension.

That’s it for the implementation side. For PVS though, you’re going to have a lot of different NICs and you don’t want a bunch of “0.0.0.0″ IPs being displayed. I just wanted my streaming IP and LAN IP displayed. So under Fields click Custom:

and then click New. You will need to create a new field called “IP Addresses” and do a WMI query to pull the IPs of only the active NICs. I used the following query:

SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE

Which will look like this when you are entering and Evaluating it:

Make sure to name the Identifier when you are saving it:

Then just add the field and hit apply and you should see both IPs appear.

Now the last part is the Write Cache free disk space percentage. I could not find a way to do it from just a simple WMI Query. So I wrote this little .vbs script and stuck it in c:\BGInfo. As you can see, my write cache drive is the Z: so you will need to change the code to whatever drive letter you are using:

' Display Write Cache percentage free (z:)
' Written by Jason Samuel (www.jasonsamuel.com) for use with BGInfo 

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

Set colDisks = objWMIService.ExecQuery _
    ("Select * From Win32_LogicalDisk Where DeviceID = 'z:'")

For Each objDisk in colDisks
    intFreeSpace = objDisk.FreeSpace
    intTotalSpace = objDisk.Size
    pctFreeSpace = intFreeSpace / intTotalSpace
    Echo FormatPercent(pctFreeSpace)
Next

Then just create a new Field and set the VB Script for it:

Add the field to your config and hit Apply and it should show the percentage free on your desktop. Now just create a group policy to run it every 5 min. Or you can schedule a task to run it every 5 minutes in the VM itself. I like to use these switches:

/accepteula /timer:0 /log:"C:\BGInfo\BGInfo.log"

If you want BGInfo to run just once, it is very easy to do via scheduled task, GPO, login script, registry, or even adding it as a shortcut under Startup. Just Google it, tons of ways out there. But if you want it to run every 5 minutes and refresh the info, the only way to do it is via GPO. If you bake in into a local scheduled task in the image like I mentioned above, it will not work in a provisioned environment. It will attempt to run under the Administrator account of the maintenance image. So if you baked it in as “VM0001\Administrator”, a provisioned VM named VM0054 will not have this account. This will cause the scheduled task to fail. It won’t run under the System account either. The System account won’t run interactively. The task will start but stay running indefinitely and you will get an error like this in the BGInfo log:

An error occured while attempting to set the new desktop settings.
Please ensure the current user has rights to change desktop settings:
This operation requires an interactive window station.

To get around all this, use group policy. By default group policy will run the scheduled task under “%LogonDomain%\%LogonUser%” which is exactly what you want. Here is how my group policy looks:

Notice I have 2 triggers. The first trigger is to run BGInfo at login and update the wallpaper. But when opening a VDI session from a Win 7 host, it may open in Desktop Viewer but not in full screen. When the user goes full screen, the desktop wallpaper will not resize automatically and instead appear as tiled. So to get around this, I have a second trigger that runs BGInfo again 30 seconds into the session and runs every 5 min from then on. Hopefully within that 30 seconds, the user will have gone full screen and BGInfo will get a chance to run at the resolution the user will use throughout their session. One thing to note, I suggest adding a 3rd trigger that runs BGInfo on workstation unlock like this:

This is very useful in VDI when you go from a Desktop to an iPad for example. Upon login, it will immediately update the wallpaper resolution and run indefinitely every 5 minutes. This is a lot of triggers but it covers all your bases. I really wish BGInfo had a “Fit” setting for the wallpaper like Windows 7 has by default. It would avoid this whole resize mess. Right now BGInfo 4.16 only supports Center, Tile, and Stretch for the wallpaper.

Also if you decide to store the Bitmap BGInfo creates in a central place like c:\BGInfo, make sure Users and/or Authenticated Users have Full Control to c:\BGInfo and all child objects and change the location the .bmp is stored to under this folder. Othwerwise the background may not change for users that are not admins on the VMs:

Lastly, you might get an error like below, but the wallpaper does in fact update.

An error occured opening the Default Desktop registry key.
Please ensure the current user has rights to change Logon Desktop settings:
Access is denied.

This is because the user is not an admin and does not have rights to change the Logon Desktop settings. Either give permissions to do this or go back into your .bgi and uncheck the “Display an error when user permissions prevent a Logon Desktop from being modified” option that you had set before for troubleshooting purposes under the Desktops settings in BGInfo. Then the popup will stop.

One thing I’ve been trying to do is brand BGInfo with my company logo. But I don’t want a big white box around it like when you use a jpg. I want to use a transparent gif. BGInfo does not support this from all the things I’ve tried so far. For example, here is the Amazon logo as a transparent gif:

Looks great on a white background but I want to use it with the standard Windows 7 wallpaper which has a gradient. It looks pretty awful because BGInfo flattens it somehow when creating the bmp causing there to be a black background around the logo:

But if your company chooses to use a standard wallpaper with no gradient, like a solid white background for example, just edit the background of your logo to match the color of the background and save it as a jpg. Add it to BGInfo and it will look perfect. Here is the Amazon logo (jpg with white background) with BGInfo set to white for the background wallpaper:

Hope this helps. Let me know if you have any questions or suggestions for custom fields to add that might be handy in a PVS XenDesktop environment.

BGInfo for Windows 7 VMs running in Citrix PVS XenDesktop environments is a post from: JasonSamuel.com

So to build a clean mandatory profile:

1. Login to your Windows 7 or Server 2008 R2 box with a local admin account or an domain administrator account, doesn’t matter. I’m going to use Server 2008 R2 for these screenshots.

2. Start > Control Panel > click User Accounts > click Configure advanced user profile properties

3. Click the Default Profile and hit Copy Too…

4. Copy the profile anywhere you like, I chose “c:\mandatoryprofile.v2”. Usually you want your mandatory profile on a file server or DFS share where it is easily accessible but I am just leaving it local for this example. I specified v2 since I am creating a profile for Server 2008 R2. I changed the “Permitted to use” to “Everyone” so all users get NTFS rights to use it.

5. Navigate to c:\mandatoryprofile.v2 and go to Folder and search options

6. Uncheck “Hide protected operating system files”

7. Now you will 5 temp files you do not need in the mandatory profile. Delete them.

8. The ntuser.dat should be around 512 KB on a clean Server 2008 R2 box

9. Now rename ntuser.dat to ntuser.man

10. From here, you would normally setup a domain level group policy and apply it to the OU that has the servers or desktops you want to use the mandatory profile on. Since this is an example, I am going to edit the local group policy instead.

Go to Start > Run > and type gpedit.msc.

Then navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles

There will be 3 items we need to change to “Enabled”:

-Delete cached copies of roaming profiles
-Set roaming profile path for all users logging on this computer
-Prevent Roaming Profile changes from propagating to the server

11. For “Set roaming profile path for all users logging on this computer”, you need to put a UNC path to the share that holds your mandatory profile. So since it’s on the local server in this example, I will do:

\\servername\mandatoryprofile

Notice I did not add “.v2″ at the end. Windows will automatically look for it as the users login.

12. Once you’ve made your changes, it should look like this:

13. Now navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

There will be 2 items we need to change to “Enabled”:

-Use mandatory profiles on the RD Session Host server
-Set path for Remote Desktop Services Roaming User Profile

14. For “Set path for Remote Desktop Services Roaming User Profile”, you need toy need to put a UNC path to the share that holds your mandatory profile just like the previous setting.

\\servername\mandatoryprofile

Notice again I did not add “.v2″ at the end. Windows will automatically look for it as the users login.

15. Once you’ve made your changes, it should look like this:

16. Now navigate to the mandatory profiles desktop and add a text file. So in this example “c:\mandatoryprofile.v2\Desktop”. I’ve created a file called “This is a mandatory profile in action.txt”.

17. Now right click on the mandatoryprofile.v2 folder and share it out. Make sure “Everyone” has access:

18. Now RDP into the server using any account you like. You will get the mandatory profile and you will see the text file we had created earlier on the desktop.

How to create a Windows 7 or Server 2008 R2 mandatory profile for AppSense is a post from: JasonSamuel.com

NETSCALER ACCESS GATEWAY
Just download one of these available themes Jeff Sani posted:

http://blogs.citrix.com/2011/04/11/horizon-theme-for-citrix-netscaler/
http://blogs.citrix.com/2012/06/19/symphony-theme-for-citrix-netscaler/
http://blogs.citrix.com/2012/04/19/green-bubble-theme-for-citrix-netscaler/

I chose the Horizon theme because it matches WI 5.4 the closest. Here’s what you need to do to implement it. I did this on a Netscaler running NS 9.3 but 10.x will work too:

1. Download the Horizon.txt script and rename it to Horizon1.sh like Jeff says. Then download Horizon1.gz.
2. Now use WinSCP to copy both to your primary Netscaler to /var/vpn/themes
3. Putty/SSH into the primary Netscaler, enter shell, and navigate to /var/vpn/themes
4. Type:

sh Horizon1.sh

This script by Andre Perry does all the stuff Jeff says in the posts above. Very nice Andre! At this point you have deployed the theme. Now to customize for your company.

5. Just change 3 files on the Netscaler:

/var/vpn/themes/Horizon1/ns_gui/vpn/images/Background.png – your company colors in the background. I usually use 2 colors here. Just play with the height of the colors in Photoshop to adjust and make them line up with the login box the way you want.

logo.jpg – Create it from scratch and drop it in /var/vpn/themes/Horizon1/ns_gui/vpn/images/

index.html – change the following:

<table cellspacing="0" cellpadding="0" class="logonBoxWidth">
<tr><td colspan="3" class='headertop'><span class='headerLabel'>NetScaler Access Gateway</span><span class='headertm'><sup>TM</sup></span></td></tr>

TO

  <td>
          <img src="/vpn/images/logo.jpg">
      </td>
<table cellspacing="0" cellpadding="0" class="logonBoxWidth">

6. Now make sure to copy all 3 of these files to the flash (where everything is currently running from) here:

/netscaler/ns_gui/vpn/images/Background.png
/netscaler/ns_gui/vpn/images/logo.jpg
/netscaler/ns_gui/vpn/index.html

7. Refresh the Access Gateway page and your changes should appear there. Sometimes you may need to clear your cache. I use FireFox which is pretty good about it and I didn’t have to clear anything. If you need to adjust anything, go ahead and do so now. Just remember, after a reboot of your Netscaler anything you put in Flash at the paths in step 6 above will revert. Stuff gets copied over from the /var folder in step 5 above. So make sure you put your files there as well to prevent this.

8. Now login to your secondary Netscaler and perform all the same steps. None of this stuff gets synched between devices.

Here is how my final product looks:

WEB INTERFACE
Andrew Morgan has an excellent post here that goes pretty in depth:

http://andrewmorgan.ie/2011/08/30/decrapifying-the-citrix-web-interface-5-4/

I needed something quick so I just modified 4 things under c:\inetpub\wwwroot\Citrix\XenApp\media:

1. CitrixXenApp.png and CitrixXenApp.gif – I changed this to my company logo
2. HorizonBgTop.png – I went with solid white in Photoshop with this one
3. HorizonBgBottom.png – I went with solid blue in Photoshop with this one
4. HeaderGradient.png – Did a gradient in Photoshop using two of my company’s colors. This appears once you login along the top.

This located under c:\inetpub\wwwroot\Citrix\XenApp\app_data\include:
5. fullStyle.inc – I changed this to rip out that ugly HDX logo:

.horizonPage #hdxLogo {
display: none;
}

and this to give me a solid white background along the bottom:

.horizonPage {
    background: #ffffff url("../media/HorizonBgBottom.png") repeat-x left 325px;
}

And this under c:\Program Files (x86)\Citrix\Web Interface\5.4.0\languages:
6. accessplatform_strings.properties – I customized the text in this. While playing with it I noticed it does support HTML just fine so I did this:

HorizonTagline=Your Windows 7 desktop and company apps on demand - from any PC, Mac, smartphone or tablet.<br><font size="2">FOR SUPPORT: Help Desk at xxx-xxx-xxxx, Option 1 (toll free: xxx-xxx-xxxx) or xxxxxxx@xxxxx.com.</f>

Done, upload all your files and you have a pretty nice simple company branded Web Interface. You should change the “loggedoff” images that are greyed over to match when you get some time or you’ll see the default images there greyed over instead.

Here is how my final product looks:

Quick way to brand Access Gateway and Web Interface 5.4 with company logo and colors is a post from: JasonSamuel.com