Send Android domain users to ActiveSync Gateway

Recently we added the Citrix Gateway connector for Exchange ActiveSync (formerly XenMobile NetScaler Connector) to a customer environment, with the intention of giving only known smartphones access to ActiveSync. The definition of known in this case, is a smartphone enrolled within Citrix Endpoint Management (formerly XenMobile). After some testing, we switched on “Blocking Mode” on the Gateway connector for Exchange ActiveSync and indeed all the ActiveSync traffic was nicely regulated. Only connections from device which existed in the Endpoint Management database were allowed access to ActiveSync. The check if a email client is allowed access is done based on the ActiveSync ID, which should be unique for every device.

Just to clarify, a short explanation how the Gateway connector for Exchange ActiveSync works. The Citrix Gateway connector for Exchange ActiveSync is connected to the Endpoint Management server(s) and periodically graps all ActiveSync ID’s. All the grapped ActiveSync ID’s are stored locally on the Gateway connector for Exchange server, in a .xml file. Depending you installation folder and provider name it’s stored on the Gateway connector for Exchange Server in : “%InstallFolder%\XenMobile NetScaler Connector\config\%ProviderName%.xml”

Depending your Endpoint Management ActiveSync Gateway configuration devices can be allowed or denied access based on several rules.

Read more

Citrix Gateway connector for Exchange ActiveSync with RegEx support

Recently I was asked to increase the security for a public reachable ActiveSync url. Although the customer was using Citrix Endpoint Management (XenMobile) and Citrix Secure Mail was available in their Enterprise AppStore, employees were also allowed to use their native “un-secure” mail client, which made use of a public reachable ActiveSync URL.

A big advantage they had, was that almost all mobile devices were already enrolled within Citrix Endpoint Management, so we knew which ActiveSync ID’s where legit and allowed to access ActiveSync.

Cause we were already making use of Citrix Endpoint Management, we decided to use the “Citrix Gateway connector for Exchange ActiveSync” (formerly XenMobile NetScaler Connector), to add an extra layer of security to the public reachable ActiveSync url.

The configuration was pretty straightforward and was running in no time. Although in this article I will not go into the architecture in more detail, you can find more information about this at Citrix.

We were only faced with one big challenge, the customer was still servicing a department, which consisted of several hundred users, who were in the process migrating their email to a different site. The mobile devices from this department where not enrolled in Citrix Endpoint Management and therefore being blocked by the Citrix Gateway connector for Exchange ActiveSync. Cause the Citrix Gateway connector for Exchange ActiveSync was configured with the policy “Static + PepperByte: Block Mode”, we had the opportunity to add “Static Rules”. A “Static Rule” was created to allow all users within the domain “PepperByte” access to ActiveSync. Unfortunately the “Static Rule” wasn’t working and the complete department was blocked

We contacted Citrix Support about this issue, after which we were informed the public version of XNC didn’t support RegEx expression, although you are able to enter them. They did however had a private version, in which RegEx expressions were working. We were given two new executables, which needed to be replaced within the Citrix Gateway Connector folder.

The private version has an additional option “Is Regex”, which allowed us to whitelist a complete AD domain, making us of a RegEx expression.
The “Static Rule” above allowed all users, within the AD Domain “PepperByte”, to access the ActiveSync URL, without being blocked by the Citrix Gateway connector for Exchange ActiveSync

Upgrading NetScaler through GUI is not working

A customer asked me to upgrade a couple of High Available NetScaler pairs. If you’re familiar with
NetScalers and the upgrade process, you know that an upgrade trough the GUI is the easiest way to go. So after all the preparation (saving running config, backup config, snapshot. Blablabla…) I was ready to go.

The steps are very clear. Navigate to System – System Upgrade, choose the new firmware file and press Upgrade. After this a screen pops up saying “Uploading build…” (see below)

After the upload completes, normally the system upgrade window is coming up (see below)

But what if the system upgrade window is not coming up?? Is it spinning up the upgrade process, but not showing me the window?? Or is the operating system crashing?? Can I upload the new firmware again without braking something??
All those question where running through my head when this was happening to me. If you’re in the same situation like I was at that moment, don’t worry!

It seems like this is a bug and Citrix never fixed it. Some people say that it exists since version 10.x. You can try whatever browser you want, it won’t work. I’ve tested it on 2 more standalone NetScalers and 1 of them had the same bug. Normally after the upload the GUI triggers the “./installns” file, but in my case not. Also the “uploaded” firmware is nowhere to find on the appliance with WINSCP. With that in mind, for me, it’s not possible that the NetScaler is upgrading without notifying. So what now?

Citrix also made it possible to upgrade the NetScaler trough the CLI. Although this way isn’t efficient and is not adding anymore functionality for the upgrade process, it’s a good alternative in this case.

In a nutshell

  1. Use PuTTy to set up a SSH connection to your appliance.
  2. Type “shell” to go into the shell mode.
  3. Create a folder with the following command: “mkdir /var/nsinstall/<foldername>”
  4. Browse to that folder with the following command: “cd /var/nsinstall/<foldername>”
  5. With WINSCP, browse to that folder and upload the firmware update in that folder.
  6. Extract the firmware update with the following command: “tar –xvzf <filename>”
  7. Start the upgrade process with the following command: “./installns”
  8. When it’s finished press “Y” to reboot the appliance and you’re done.

For the Citrix version click here. Keep in mind that the GUI is way more efficient than the CLI. So if you ever want to upgrade from version 12.x to a higher version, first check if the luck is on your side by not having a buggy GUI.

Good Luck!

Blank WebInterface screen after updating SSL certificate on NetScaler

Since I’ve replaced a SSL certificate on the NetScaler of a virtual server, external users complained that after they logged in on the NetScaler, they see a blank screen and that’s it. The only change was the SSL certificate, and it was a valid certificate. The fact that users are able to see the login page of the NetScaler and are able to log in confirms that.

Rebooting at that moment was not an option because the NetScaler was doing a lot more than just acting as an access gateway. Removing and adding the particular SSL certificate on the virtual server did not fix the issue either. With no actual error message I quickly ran out of options.

After reproducing the login steps I noticed that after logging in, I was able to see the webpage of Web Interface with my available apps/desktops for less than a second–too short to start a session with a published app/desktop. But long enough to think that there was something wrong with the Web Interface.

I just opened the Web Interface Wizard to check if there was some option I could reconfigure, but just walking through the wizard was enough to repair the blank screen issue (see screenshots below).

  1. Introduction screen of the Web Interface Wizard.

  1. Web Interface Site settings. Should already be filled in. In case its not, switch
    the “Default Access Method” to the appropriate method.

  1. Customization screen of the Web Interface Site. Should already be filled in.

  1. This screen refers to the chosen default access method (screenshot 2). It should
    already be filled in.

  1. Give the XenApp/XenDesktop farm a name and add the IP address of the XML server.

  1. Summary.

After finishing the wizard, the Web Interface webpage should work correctly. The fix is that the newly uploaded SSL certificate binds to the virtual server of XenApp.

Citrix Service Provider (CSP) Portal and Citrix Licensing

One of our partners is using the CSP program from Citrix for their customers. Now, every month a CSP usage report must be made manually for all the customers and reported to Citrix.

With the Citrix Cloud Licensing Portal, that step is simplified. There are however a few guidelines for the Citrix Licensing servers that are hosted at the customer(s):

  • Naming convention

It is common to have a default name for a licensing server at the customers, for example “LIC01”. So if this name is used for all the customers, there is no way to differentiate in the new Licensing Portal.
So when you create the license, choose the FQDN of the license server as Hostname.

  • Minimum License Server version

Next is the version of the license server. This has to be Citrix Licensing 11.13.1 Build 16002
In this build the “Call Home” capabilities have been extended to detect CSP–licenses and report product usage to Citrix. This version is part of the Long Term Service Release (LTSR) version (XenApp 7.6)

  • Licensing Model

Now the confusing part. As part of the CSP Program, XenApp is required to be configured to use a usage-based licensing model. Therefore you cannot use concurrent licenses as part of the CSP program. But in the Licensing Model in Citrix Studio it is not possible to choose the User/Device Licensing option if you use XenApp as Edition. So you have to switch to XenDesktop and choose the edition that fits the need.

  • License Types

There are two types of licenses in the CSP Model, those are Premium and Base:

  • CSP Premium SKU – You can utilize XenApp Platinum components
  • CSP Base SKU – You are limited to utilizing XenApp Advanced components

In our case, the customers use “Base Licenses“ which means XenApp Advanced. The licenses that are created from the portal and based on the SKU’s already contain the XenDesktop license.

Next step is to change the Licensing Model matching license.
But wait, that is not possible from the GUI!

Powershell to the rescue!

  • Open a powershell window with the appropriate privilege and load the Citrix Snappin. Note that the Powershell SDK must be installed.
  • Here is the code:
    • Add-PSSnapinn Citrix*
    • Set-ConfigSite –ProductCode XDT –ProductEdition ADV –LicensingModel UserDevice

After these three steps the Citrix Licensing Server is reporting the correct usage to the new Cloud Portal and in an orderly fashion.

Where did QFARM go in Xenapp 7.5, 7.6?

During the management of a xenapp 7 x environment I wanted a qfarm overview. I found out that this command no longer works. Why not?

This is because Xenapp 7.x uses the FMA protocol instead of the old IMA protocol.

How do I go to my qfarm overview?

Read more

RES VDX 2014 with Citrix XenApp 6.5

res-vdx For a customer I’ve been asked to design a workstation with RES Virtual Desktop Extender (RES VDX) installed to deliver some problem applications in a proof of concept.

I am going to use RES VDX 2014 for my POC.

This customer is using Citrix XenApp 6.5 to deliver a published desktop. The user start menu is managed by the Citrix Program Neighborhood Agent. So all the start menu items are published applications.

Read more

Create a PowerShell Profile ready for XenDesktop Management

PowerShell_Logo Today I want to show you how to create a PowerShell instance that is all ready for managing a Citrix XenDesktop 7.1 environment.

We’ve all been there you want to check something quickly in your environment. You start up PowerShell, enter a command and you are presented with an error message that the command you just entered is not recognized by PowerShell.

Screenshot 2014-05-06 21.34.56

We get this error message not because of a typo but because the Citrix Snap-ins are not loaded in this PowerShell session.

Read more

Dutch Citrix User Group (DuCUG) 2014 Experience



The atmosphere


This year the DuCUG Took place at the Dell Office in Amsterdam. The weather was great, the lunch was well cared for and the tickets were sold out. So it couldn’t be better. I experienced it as a tremendous day with a lot of informative sessions. In this article I will share my highlights of the day.

GPU-accelerated high-end graphics performance in Citrix XenServer / XenDesktop environments by Benny Tritch

GPU-accelerated high-end graphics performance in Citrix XenServer / XenDesktop environments This session was presented by Benny Tritsch (Chief Technology Officer with bluecue consulting). Benny has been working closely with Shaw Bass on testing the new GPU support of Citrix XenServer. Benny presented the possibilities between using different GPU Accelerating solutions on VDI environments. He showed us different example-movies and unbelievable results with these various examples. Some examples even showed better performance on your virtual desktop then a local computer. Read more at Benny’s own website.

Read more

Citrix NetScaler 10.1: Where did the Configuration Wizard go?

Configuration WizardA vanilla Citrix NetScaler shows the configuration wizard right after a users authenticates using the GUI. The configuration wizard enables basic configuration like the NetScaler IP (NSIP), Subnet IP (SNIP), hostname, DNS, Time Zone and Administrator Password.

Sometimes it’s useful to open the configuration wizard after it is closed (for instance if you want to change the host name via the GUI). up to NetScaler 10.0 there was a Setup Wizard button on the System > System Information page.

Read more