Carl Stalhood – Page 60

NetScaler Gateway 11 Virtual Server

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

NetScaler Gateway Universal Licenses
Create NetScaler Gateway Virtual Server
Verify SSL Settings
Gateway Portal Theme
SSL Redirect
DNS SRV Records for Email-based discovery
Block Citrix VPN for iOS
View ICA sessions
Customize Logon Page
UDP Audio Through Gateway
Unified Gateway
StoreFront – Rewrite X-Citrix-Via

💡 = Recently Updated

NetScaler Gateway Universal Licenses

For basic ICA Proxy connectivity to XenApp/XenDesktop, you don’t need to install any NetScaler Gateway licenses on the NetScaler appliance. However, if you need SmartAccess features (e.g. EPA scans) or VPN then you must install NetScaler Gateway Universal licenses. These licenses are included with the Platinum editions of XenApp/XenDesktop, Advanced or Enterprise Edition of XenMobile, and the Platinum version of NetScaler.

When you create a NetScaler Gateway Virtual Server, the ICA Only setting determines if you need NetScaler Gateway Universal licenses or not. If the Virtual Server is set to ICA Only then you don’t need licenses. But if ICA Only is set to false then you need a NetScaler Gateway Universal license for every user that connects to this NetScaler Gateway Virtual Server. Enabling ICA Only disables all SmartAccess, SmartControl, and VPN features.

If you don’t need any non-ICA Proxy features, then you don’t need any Gateway Universal licenses, and you can skip to the next section.

The Gateway Universal licenses are allocated to the case sensitive hostname of each appliance. If you have an HA pair, and if each node has a different hostname, allocate the Gateway Universal licenses to the first hostname, and then reallocate the same licenses to the other hostname.

To see the hostname, click the version info on the top right.

To change the hostname, click the gear icon on the top right.

To upload the allocated Gateway Universal licenses to the appliance, go to System > Licenses. A reboot is required.

After NetScaler Gateway Universal licenses are installed on the appliance, they won’t necessarily be available for usage until you make a configuration change as detailed below:

On the left, expand System, and click Licenses.
On the right, in the Maximum NetScaler Gateway Users Allowed field is the number of licensed users for NetScaler Gateway Virtual Servers that are not set to ICA Only.
On the left, under NetScaler Gateway, click Global Settings.
In the right column of the right pane, click Change authentication AAA settings.
Change the Maximum Number of Users to your licensed limit. This field has a default value of 5, and administrators frequently forget to change it thus only allowing 5 users to connect.
If desired, check the box for Enable Enhanced Authentication Feedback. Click OK.
```
set aaa parameter -enableEnhancedAuthFeedback YES -maxAAAUsers 200
```
Then edit the NetScaler Gateway Virtual Server.
In the Basic Settings section, click the pencil icon near the top right.
Click More.
In the Max Users field, either enter 0 (for unlimited/maximum) or enter a number that is equal to or less than the number of licensed users. Click OK.
```
set vpn vserver gateway.corp.com -maxAAAUsers 0
```

Create Gateway Virtual Server

Create a certificate for the NetScaler Gateway Virtual Server. The certificate must match the name users will use to access the Gateway. For email discovery in Citrix Receiver, the certificate must have subject alternative names (SAN) for discoverReceiver.email.suffix (use your email suffix domain name). If you have multiple email domains then you’ll need a SAN for each one.
On the left, right-click NetScaler Gateway and click Enable Feature.
On the left, expand NetScaler Gateway and click Virtual Servers.
On the right, click Add.
Name it gateway.corp.com or similar.
Enter a new VIP that will be exposed to the Internet. Note: new to NetScaler 11.0 is the ability to set it to Non Addressable, which means you can place it behind a Content Switching Virtual Server.
Click More.
In the Max Users field enter 0.
In the Max Login Attempts field, enter your desired number. Then enter a timeout in the Failed Login Timeout field.
Check the box next to ICA Only. This option disables SmartAccess and VPN features but does not require any additional licenses.
Check the box next to DTLS and click OK. DTLS enables UDP Audio and Framehawk. Note: DTLS is not yet supported for double-hop ICA.
In the Certificates section, click where it says No Server Certificate.
Click the arrow next to Click to select.
Select a previously created certificate that matches the NetScaler Gateway DNS name, and click Select.
Click Bind.
If you see a warning about No usable ciphers, click OK.
Click Continue.
In the Authentication section, click the plus icon in the top right.
Note: it’s also possible to disable authentication on Gateway and make StoreFront do it instead as described in Citrix CTX200066 How to Log On to StoreFront When Authentication is Disabled on NetScaler Gateway VIP. However, it’s more secure to require Gateway to authenticate the users before the user can communicate with StoreFront.
Select LDAP, select Primary and click Continue.
If you used the authentication dashboard to create the LDAP server then you probably haven’t create the corresponding policy yet. Click the plus icon to create a new policy.
Use the Server drop-down to select the previously created LDAP server.
Give the policy a name. It can match the LDAP Server name.
In the Expression box, enter ns_true or select it from the Saved Policy Expressions drop-down. Click Create.
Click Bind.
Or for two-factor authentication, you will need to bind two policies to Primary and two polices to Secondary:
- Primary = LDAP for Browsers (User-Agent does not contain CitrixReceiver)
- Primary = RADIUS for Receiver Self-Service (User-Agent contains CitrixReceiver)
- Secondary = RADIUS for Browsers (User-Agent does not contain CitrixReceiver)
- Secondary = LDAP for Receiver Self-Service (User-Agent contains CitrixReceiver)
Click Continue.
Scroll down to the Profiles section and click the pencil icon.
In the TCP Profile drop-down select nstcp_default_XA_XD_profile and click OK.
In the Policies section, click the plus icon near the top right.
Select Session, select Request and click Continue.
Click the arrow next to Click to select.
Select one of the Receiver session policies and click Select. It doesn’t matter which order you bind them.
There’s no need to change the priority number. Click Bind.
Repeat these steps to bind the second policy. In the Policies section, click the plus icon near the top right.
Select Session, select Request and click Continue.
Click Add Binding.
Click the arrow next to Click to select.
Select the other Receiver session policy and click Select.
There’s no need to change the priority number. Click Bind.
The two policies are mutually exclusive so there’s no need to adjust priority. Click Close.
On the right, in the Advanced Settings section, click Published Applications.
Click where it says No STA Server.
Add a Controller in the https://<Controller_FQDN> or http://<Controller_FQDN> format, depending on if SSL is enabled on the XenApp Controller or not. This must be a FQDN or IP address. Short names don’t work.
For the Address Type, select IPV4. Click Bind.
To bind another Secure Ticket Authority server, on the left, in the Published Applications section, click where it says 1 STA Server.
Click Add Binding. Enter the URL for the second controller.
The State is probably down. Click Close.
In the Published Applications section, click STA Server.

Now they should be up and there should be a unique Auth ID for each server. Click OK.

add vpn vserver gateway.corp.com SSL 10.2.2.200 443 -icaOnly ON -dtls ON -tcpProfileName nstcp_default_XA_XD_profile

bind vpn vserver gateway.corp.com -policy "Receiver Self-Service" -priority 100

bind vpn vserver gateway.corp.com -policy "Receiver for Web" -priority 110

bind vpn vserver gateway.corp.com -policy Corp-Gateway -priority 100

bind vpn vserver gateway.corp.com -staServer "http://xdc01.corp.local"
bind vpn vserver gateway.corp.com -staServer "http://xdc02.corp.local"

bind vpn vserver gateway.corp.com -portaltheme X1

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver MyvServer -certkeyName MyCert

set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver MyvServer -cipherName ALL

bind ssl vserver MyvServer -cipherName Modern

bind ssl vserver MyvServer -eccCurveName ALL

bind vpn vserver MyvServer -policy insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

Verify SSL Settings

After you’ve created the Gateway Virtual Server, run the following tests:

Citrix CTX200890 – Error: “1110” When Launching Desktop and “SSL Error” While Launching an Application Through NetScaler Gateway: You can use OpenSSL to verify the certificate. Run the command: openssl s_client -connect gateway.corp.com:443. Replace the FQDN with your FQDN. OpenSSL is installed on the NetScaler or you can download and install it on any machine.
Go to https://www.digicert.com/help/ to verify the certificate chain.
Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website. Citrix Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update

Gateway Portal Theme

Citrix Blog Post Branding your Deployment Part 2: Matching NetScaler to StoreFront explains NetScaler Gateway Portal Themes, how to edit the Portal Theme CSS, and warns about GUI changes overwriting CSS file changes.

If you want the logon page for NetScaler Gateway to look more like StoreFront 3.0, NetScaler 11.0 build 62 and newer have a built-in X1 theme:

Go to NetScaler Gateway > Virtual Servers and edit an existing Virtual Server.
On the right, in the Advanced Settings section, click Portal Themes.
On the left, click where it says No Portal Theme.
Click to select.
Select the built-in X1 theme and click Select.
Click Bind.

Click Done.

bind vpn vserver gateway.corp.com -portaltheme X1

When you access the NetScaler Gateway login page you’ll see the theme.

You can also create your own theme by starting from one of the built-in themes:

Go to NetScaler Gateway > Portal Themes.
On the right, click Add.
Give it a name and select X1 as the Template Theme.
In the Look and Feel section there are two sub-sections: one for Home Page and one for Other Pages. In each of these sections is an Attribute Legend link that shows you what you can edit.
The Home Page is for Unified Gateway (aka VPN Clientless Access).
If you want to modify the logon page, use the Other Pages sub-section.
Make changes as desired and click OK.
In the Locale section, select a language and click OK.
On the right, in the Advanced Settings section, click Login Page.
Make changes as desired (e.g. Password Field Titles) and click OK.
At the top of the screen, click the link to Click to bind and view configured theme.
Select a Gateway Virtual Server and click Preview.
The logon page is displayed.
You could go to /var/netscaler/logon/themes/StoreFront3/css and make more changes to custom.css but this file gets overwritten any time you make a change in the Portal Themes section of the NetScaler GUI.
Citrix CTX209526 NetScaler; How to Copy a Portal Theme from the Device running version 11.0 to another Device running 11.0. 💡

Jason Samuel – How to fix Green Bubble theme after upgrading to NetScaler 11 Unified Gateway details the following:

Change the NetScaler Unified Gateway logo to match the older Citrix Receiver logo.
Restore the older favicon.
And other observations regarding the Green Bubbles theme in NetScaler 11.0

SSL Redirect – Down vServer Method

This procedure details the Down vServer method of performing an SSL redirect. An alternative is to use the Responder method.

On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.
On the right, click Add.
Give it a name of Gateway-HTTP-SSLRedirect or similar.
Set the IP Address so it matches the VIP of the NetScaler Gateway vServer. Click OK.
Do not select any services. This redirect only works if the vServer is Down. Click Continue.
On the right, in the Advanced Settings column, click Protection.
Enter https://gateway.corp.com or similar into the Redirect URL Click Save.

Then click Done.

add lb vserver gateway.corp.com-HTTP-SSLRedirect HTTP 10.2.2.200 80 -redirectURL "https://gateway.corp.com"

All SSL Redirect Virtual Servers are supposed to be Down. They don’t work if they are not down. By contrast, the Responder method uses redirect Virtual Servers that are Up.

Public DNS SRV Records

For email-based discovery, add a SRV record to each public email suffix DNS zone. Here are sample instructions for a Windows DNS server:

In Server Manager, click Tools > DNS Manager
In the left pane of DNS Manager, select your DNS domain in the forward or reverse lookup zones. Right-click the domain and select Other New Records.
In the Resource Record Type dialog box, select Service Location (SRV) and then click Create Record.
In the New Resource Record dialog box, click in the Service box and enter the host value _citrixreceiver.
Click in the Protocol box and enter the value _tcp.
In the Port number box, enter 443.
In the Host offering this service box, specify the fully qualified domain name (FQDN) for your NetScaler Gateway Virtual Server in the form servername.domain (e.g. gateway.company.com)

Block Citrix VPN for iOS

Citrix CTX201129 Configuration for Controlled Access to Different VPN Plugin Through NetScaler Gateway for XenMobile Deployments: do one or both of the following:

Create an AppExpert > Responder > Policy with Action = DROP and Expression = HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver/NSGiOSplugin"). Either bind the Responder Policy Globally or bind it to the Gateway vServers.
In your Gateway Session Policies, do not set the Plugin type to Windows/Mac OS X.

View ICA Sessions

To view active ICA sessions, click the NetScaler Gateway node on the left and then click ICA Connections on the right.

show vpn icaconnection

Customize Logon Page

Logon Page Labels

When two factor authentication is configured on NetScaler Gateway, the user is prompted for User name, Password, and Password 2.

The Password field labels can be changed to something more descriptive, such as Active Directory or RSA:

To change the labels, edit a Portal Theme:

Go to NetScaler Gateway > Portal Themes and edit an existing theme. You can’t edit the built-in themes so you’ll have to create one if you haven’t already.
On the right, in the Advanced Settings column, click Login Page.
In the Login Page section, change the two Password fields to your desired text.
Click OK.
In the Portal Theme section you can Click to bind and view configured theme to Preview your changes.
On Platinum Edition appliances, you might have to invalidate the loginstaticobjects Content Group (Optimization > Integrated Caching > Content Groups) before the changes appear. This seems to be true even if Integrated Caching is disabled.

Logon Security Message (Disclaimer, EULA)

You can force users to agree to a EULA before they are allowed to login.

Clicking the Terms & Conditions link allows the user to view the EULA text that you have entered.

Do the following to configure the EULA:

Go to NetScaler Gateway > Resources > EULA.
On the right, click Add.
Give the EULA a name and enter some text. You can even enter HTML code. See the example posted by Chris Doran at Citrix Discussions.
Click Create.
Edit a Gateway Virtual Server.
On the right, in the Advanced Settings column click EULA.
Click where it says No EULA.
Click the arrow next to Click to select.
Select the EULA and click Select.
Click Bind.
Mike Roselli at Automatic EULA Acceptance by Cookie Rewrite Guide at Citrix Discussions details Rewrite policies that change the behavior so that users only have to accept the EULA once. It records acceptance in a cookie. 💡

Logon Page Links

Citrix CTX202444 How to Customize NetScaler Gateway 11 logon Page with Links shows how to add links to the NetScaler Gateway 11 logon page.

In WinSCP, go to /netscaler/ns_gui/vpn/js and edit the file gateway_login_form_view.js.
Scroll down to line 40 and insert the code copied from the article. Feel free to change the link.
Scroll down to line 140 and insert the line form.append(link_container);
Since this is an if block, insert the line in both the if section and the else section (line 148). Both should be after the append field_login line and before the append(form) line.
Save the file and verify your results.
If you reboot your appliance then your changes will be lost. To preserve your changes after a reboot, copy the modified file to /var.
Then edit /nsconfig/rc.netscaler and add a cp line to copy the modified file from /var to /netscaler/ns_gui/vpn/js. This is the same procedure as older NetScaler firmware. Feel free to reboot your appliance to confirm that the changes are still applied.

Other Customizations

Citrix CTX215817 NetScaler : How to Customize Footer of NetScaler Gateway Login Page. 💡

Mike Roselli at Netscaler 11 Theme Customization – How to Add Links and Verbiage at discussions.citrix.com has sample rewrite policies to customize the NetScaler Gateway logon page with additional HTML.

Craig Tolley Customising the NetScaler 11 User Interface – Adding Extra Content: add new sections to login page. These sections pull content from local HTML files.

Daniel Ruiz Set up a maintenance page on Netscaler Gateway: configure a Responder policy (see the blog post for sample HTML code). During maintenance, manually bind the Responder policy to the Gateway. Manually remove the policy after maintenance is complete. 💡

UDP Audio Through Gateway

From John Crawford at Citrix Discussions and Marius Sandbu Enabling Citrix Receiver audio over Netscaler Gateway with DTLS

Note: If you have NetScaler 11 build 62 or newer then enabling DTLS on the Gateway also enables Framehawk. See VDA > Framehawk for Framehawk configuration.

Requirements for UDP Audio:

Citrix Receiver 4.2 or newer
NetScaler Gateway 10.5.e (enhancement build) or NetScaler 11
UDP 443 allowed to NetScaler Gateway Virtual Server
UDP 16500-16509 allowed from NetScaler SNIP to VDAs

To enable UDP Audio through Gateway, make changes on both the NetScaler Gateway Virtual Server and in Receiver:

Edit the NetScaler Gateway Virtual Server. In the Basic Settings section click the edit (pencil) icon.
Click More.
Enable the DTLS option and click OK.
After enabling DTLS, it probably won’t work until you unbind the Gateway certificate and rebind it.

Client-side configuration

There are two methods of enabling RTP on the client side:

Edit default.ica on the StoreFront server
Use GPO to modify the client-side config

To edit the default.ica file on the StoreFront server (h/t Vipin Borkar): Edit the file C:\inetpub\wwwroot\Citrix\Store\App_Data\default.ica and add the following lines to the Application section:

EnableRtpAudio=true
EnableUDPThroughGateway=true
AudioBandwidthLimit=1

To use GPO to modify the client-side config:

Copy the receiver.admx (and .adml) policy template into PolicyDefinitions if you haven’t already.
Edit a GPO that applies to Receiver machines. You can also edit the local GPO on a Receiver machine.
Go to Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Receiver.
Edit the setting Client audio settings.
Enable the setting.
Set audio quality as desired. Higher quality = higher bandwidth.
Check to Enable Real-Time Transport.
Check to Allow Real-Time Transport through Gateway. Click OK.

Next step

Configure StoreFront to use NetScaler Gateway

Unified Gateway

Unified Gateway FAQ at docs.citrix.com

The Unified Gateway wizard in NetScaler 11 relies on Clientless Access and the built-in portal. See Jens Trendelkamp NetScaler Gateway Single Sign-On to Storefront in Clientless Access Mode and Citrix CTX202890 How to Integrate StoreFront into Clientless Access Page from NetScaler When Using CVPN to learn how to enable iFrame in StoreFront so it can be embedded in the Clientless Access portal.

Unified Gateway means Content Switching for NetScaler Gateway. There are two methods of Content Switching:

Create a Content Switching Virtual Server that has a Content Switching policy that directs requests to a NetScaler Gateway
Create a NetScaler Gateway Virtual Server that has Content Switching policies that direct requests to Load Balancing Virtual Servers.

In either case you can only have one Gateway Virtual Server in the Content Switching configuration.

Content Switching vServer with Gateway as Target

When creating a Gateway Virtual Server, you can change the IP Address Type to Non Addressable. This means you can only access the Gateway through a Content Switching Virtual Server.
On the left, go to Traffic management > Content Switching > Policies.
On the right click Add.
Give the policy a name.
Click the plus icon next to the Action field.
Give the Action a name.
Change the selection to NetScaler Gateway Virtual Server.
Click the arrow to select a Gateway Virtual Server and click Create.
Back in the policy screen, enter an expression. There are several options for selecting traffic that should be directed to the Gateway:
- Hostname
- The built-in is_vpn_url expression
- Any path that starts with /Citrix/.
```
http.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("mygateway.corp.com") && (is_vpn_url || http.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/Citrix/"))
```
Click Create when done.
Add or Edit a Content Switching Virtual Server.
Click where it says No Content Switching Policy Bound.
Click the arrow to select a Content Switching policy and click Bind.

Gateway vServer with Load Balancing vServer as Target

Another option is to bind Content Switching policies to a Gateway Virtual Server:

On the left, go to Traffic Management > NetScaler Gateway > Policies > Content Switching.
On the right, click Add to create a Content Switching Policy with an Action that points to a Load Balancing Virtual Server.
On the left, go to NetScaler Gateway > Virtual Servers.
On the right, edit an existing NetScaler Gateway Virtual Server.
On the right in the Advanced Settings section, click Content Switching Policies.
Click where it says No Content Switching Policies.
Select a Content Switching policy that sends traffic to a Load Balancing Virtual Server and click Bind.
Repeat for additional Content Switching policies that redirect to Load Balancing Virtual Servers. You cannot bind Content Switching policies that redirect to NetScaler Gateway Virtual Servers.

StoreFront – Rewrite X-Citrix-Via

When NetScaler Gateway communicates with StoreFront, it adds a header called X-Citrix-Via that contains the FQDN entered in the user’s address bar. StoreFront uses this header to find a matching Gateway object so StoreFront knows how to handle the authentication. In NetScaler 11.0 and newer, you can create a rewrite policy to change this header. This is useful when changing URLs or using DNS aliases for Gateways. See CTX202442 FAQ: Modify HTTP Header X-Citrix-Via on NetScaler for more details.

Here’s a sample rewrite policy for this header:

enable ns feature REWRITE

add rewrite action rwact_storefront replace "HTTP.REQ.HEADER(\"X-Citrix-Via\")" "\"mystorefront.mydomain.com\""

add rewrite policy rwpol_storefront "HTTP.REQ.HEADER(\"X-Citrix-Via\").NE(\"mystorefront.mydomain.com\")" rwact_storefront

bind vpn vserver mygateway-vs -policy rwpol_storefront -priority 100 -type REQUEST

Session Policies for StoreFront – NetScaler Gateway 11

Last Modified: Nov 7, 2020 @ 6:35 am

31 Comments

This page details creation of session profiles and policies for NetScaler Gateway 11 where ICA Only (formerly known as Basic Mode) is checked.

Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway with StoreFront

Session Profiles/Policies CLI Commands

The CLI commands are shown below:

add vpn sessionAction "Receiver Self-Service" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com" -ntDomain Corp -clientlessVpnMode OFF -storefronturl "https://storefront.corp.com"

add vpn sessionAction "Receiver for Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.corp.com/Citrix/StoreWeb" -ntDomain Corp -clientlessVpnMode OFF

add vpn sessionPolicy "Receiver Self-Service" "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" "Receiver Self-Service"

add vpn sessionPolicy "Receiver for Web" "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" "Receiver for Web"

Session Profiles

Or use the GUI to create the policies/profiles:

On the left, expand NetScaler Gateway, expand Policies, and click Session.
On the right, switch to the Session Profiles tab, and click Add.
Name the first one ReceiverSelfService or similar. This is for Receiver Self-Service (not in a web browser).
Switch to the Client Experience tab.
Check the Override Global box next to Clientless Access and set it to Allow. Scroll down.
Check the Override Global box next to Plug-in Type and set it to Java.
Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.
If you need two-factor authentication, the session policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to PRIMARY.
On the Security tab, check the Override Global box next to Default Authorization Action and set it to Allow.
On the Published Applications tab, check the Override Global box next to ICA Proxy and set it to ON.
If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. StoreFront needs to accept this domain name (Configure Trusted Domains).
If you have multiple domains, then leave Single Sign-on Domain field blank, and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
For Account Services Address, enter the Base URL for StoreFront. NetScaler needs to be able to resolve this DNS name.
Highlight the existing session profile and click Add. This copies the settings from the existing profile into the new one.
Change the name of the second Session Profile to ReceiverForWeb or similar.
On the Client Experience tab, Clientless Access should be set to Allow. Scroll down.
Plug-in Type should still be set to Java.
Single Sign-on to Web Applications should be enabled.
If you need two-factor authentication, the session policy for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
On the Security tab, the Default Authorization Action should still be Allow.
On the Published Applications tab, for the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
Account Services Address only applies to Receiver Self-Service so you can leave it or clear it.
Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the NetBIOS name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
Account Services Address is not needed in this profile but there’s no harm in leaving it.
Click Create.

Session Policies

On the right, switch to the Session Policies tab, and click Add.
Name the Policy ReceiverSelfService or similar.
Change the Request Profile to ReceiverSelfService.
Either type in or use the Expression Editor link to build the following expression:
```
REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
```
Then click Create.
Add another policy, and name it ReceiverForWeb or similar.
Change the Action to ReceiverForWeb.
In the Expression box, either type in the following or use the Expression Editor. It’s the same as the previous expression, except it’s NOTCONTAINS instead of CONTAINS.
```
REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver
```
Click Create.

Next Step

Create NetScaler Gateway Virtual Server

NetScaler Gateway 11 LDAP Authentication

Last Modified: Nov 6, 2020 @ 7:30 am

78 Comments

Navigation

Verify Domain Controller Certificates
LDAP Load Balancing
Create LDAP Authentication Server
Authentication Feedback and Global Licenses
Multiple Active Directory Domains

Verify LDAPS

Use the tool ldp.exe to verify that the Domain Controllers have valid certificates installed and the service account is able to bind to the LDAP tree.

ldp.exe is included with the Remote Server Administration Tools (AD DS Snap-Ins and Command-Line Tools)
Run ldp.exe
Open the Connection menu and click Connect.
Check the box next to SSL. Change the port to 636. Then enter the FQDN of a Domain Controller and click OK.
If it connected successfully, you can then attempt a bind. If the connection was unsuccessful then there’s probably an issue with the certificate installed on the Domain Controller.
Open the Connection menu and click Bind.
Change the Bind type to Simple bind. Then enter the service account credentials. You can use DOMAIN\Username or you can use Username@Domain.com. Click OK.
Look on the right pane to verify a successful bind. If not, fix the credentials and try again.
Once you have successfully binded, you can view the directory tree by opening the View menu and click Tree.
Click the drop-down to view the directory partitions.
Repeat these steps to verify each Domain Controller and any load balanced LDAPS.

LDAP Load Balancing

Before you create an LDAP authentication policy, setup LDAPS load balancing:

You can create multiple load-balancing Virtual Servers to load balance multiple domains. These load-balancing Virtual Servers can share the same VIP if their port numbers are different. Or you can use a different VIP for each domain.

LDAP Server

To create the LDAP Authentication Server, do the following:

On the left, expand Authentication and click Dashboard.
On the right, click Add.
In the Choose Server Type drop-down, select LDAP.
Enter LDAP-Corp as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name.
Change the selection to Server IP. Enter the VIP of the load balancing vServer for LDAP.
Change the Security Type to SSL.
Enter 636 as the Port. Scroll down.
In the Connection Settings section, in the Base DN field, enter your Active Directory DNS domain name in LDAP format.
Enter the credentials of the LDAP bind account in userPrincipalName format. Domain\Username also works.
Check the box next to BindDN Password and enter the password. Scroll down.
In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
On the right, check the box next to Allow Password Change.
Note: there is a checkbox for Validate LDAP Server Certificate. If you want to do this, see Citrix Discussions for instructions for loading the root certificate to /nsconfig/truststore.
If you want to restrict access to only members of a specific group, in the Search Filter field, enter memberOf=<GroupDN>. See the example below:
memberOf=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local

You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.

memberOf:1.2.840.113556.1.4.1941:=CN=CitrixRemote,OU=Citrix,DC=corp,DC=local

Citrix CTX132802 How to Use the ldapsearch Utility on the NetScaler Gateway Enterprise Edition Appliance to Validate a Search Filter
1. An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
2. Or in Active Directory Users & Computers, enable Advanced view, browse to the object (don’t use Find), double-click the object, and switch to the Attribute Editor tab.
3. Scroll down to distinguishedName, double-click it and then copy it to the clipboard.
4. Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
Scroll down and click More.
For Nested Group Extraction, if desired, change the selection to Enabled.
Set the Group Name Identifier to samAccountName.
Set the Group Search Attribute to memberOf. Select << New >> first.
Set the Group Search Sub-Attribute to CN. Select << New >> first
For the Group Search Filter field, see CTX123795 Example of LDAP Nested Group Search Filter Syntax.

Scroll down and click Create.

add authentication ldapAction Corp-Gateway -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=Citrix Remote,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED

The status of the LDAP Server should be Up.
The Authentication Dashboard doesn’t allow you to create the LDAP Policy at this time. Instead the LDAP Policy will be created later when you bind the LDAP Server to the NetScaler Gateway vServer.

Authentication Feedback and Licenses

On the left, under NetScaler Gateway, click Global Settings.
On the right, in the right column, click Change authentication AAA settings.
If you are using Gateway features that require Gateway Universal licenses, then change the Maximum Number of Users to the number of Gateway Universal licenses you have installed on this appliance. This field has a default value of 5, and administrators frequently forget to change it, thus only allowing 5 users to connect.
If desired, check the box for Enable Enhanced Authentication Feedback. This feature provides a message to users if authentication fails. The message users receive include password errors, account disabled or locked, or the user is not found, to name a few. Click OK.
```
set aaa parameter -enableEnhancedAuthFeedback YES -maxAAAUsers 200
```

Next Step

For two-factor, configure RADIUS Authentication
Otherwise, Configure NetScaler Gateway Session Policies

Multiple Domains

To support multiple Active Directory domains on a NetScaler Gateway, you create multiple LDAP authentication policies, one for each Active Directory domain, and bind all of the LDAP policies to the NetScaler Gateway Virtual Server. When the user logs into NetScaler Gateway, only the username and password are entered. The NetScaler will then loop through each of the LDAP policies in priority order until it finds one that contains the entered username/password.

What if the same username is present in multiple domains? As NetScaler loops through the LDAP policies, as soon as it finds one with the specified username, it will try to authenticate with that particular LDAP policy. If the password doesn’t match the user account for the attempted domain then a failed logon attempt will be logged in that domain and NetScaler will try the next domain.

Unfortunately, the only way to enter a realm name during user authentication is to require users to login using userPrincipalNames. To use userPrincipalName, set the LDAP Policy/Server with the Server Logon Name Attribute set to userPrincipalName.

You can even do a combination of policies: some with samAccountName and some with userPrincipalName. The samAccountName policies would be searched in priority order and the userPrincipalName policies can be used to override the search order. Bind the userPrincipalName policies higher (lower priority number) than the samAccountName policies.

Note: NetScaler 11.0 build 64 supports adding a domain name drop-down list to the logon page. Then use Cookie expressions in the auth policies and session policies. However, this probably doesn’t work for Receivers. See CTX203873 How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway 11.0 64.x and later releases for details. 💡
User-added image

After authentication is complete, a Session Policy will be applied that has the StoreFront URL. The NetScaler Gateway will attempt to log into StoreFront using SSO so the user doesn’t have to login again. When logging into NetScaler Gateway, only two fields are required: username and password. However, when logging in to StoreFront, a third field is required: domain name. So how does NetScaler specify the domain name while logging in to StoreFront?

There are two methods of specifying the domain:

Configure multiple session policies with unique Single Sign-on Domains. Inside the Session Policy is a field called Single Sign-on Domain for specifying the domain name. If there is only one Active Directory domain then you can use the same Session Policy for all users. However, if there are multiple domains then you would need multiple Session Policies, one for each Active Directory domain. But as the NetScaler loops through the LDAP policies during authentication, once a successful LDAP policy is found, you need a method of linking an LDAP policy with a Session Policy that has the corresponding SSO Domain. This is typically done using AAA groups. This method is not detailed here but the general steps are: In the LDAP policy, specify a Default Authentication Group. Create a AAA group that matches it. Then bind the corresponding Session Policy to that AAA group.
Alternatively, configure the LDAP policy/server to extract the user’s UPN and then authenticate to StoreFront using UPN. This is the easiest method but some domains don’t have userPrincipalNames configured correctly.

This userPrincipalName method is detailed below:

In each of your NetScaler LDAP policies/servers, in the Other Settings section, in the SSO Name Attribute field, enter userPrincipalName (select –<< New >>– first). Make sure there are no spaces after this name. NetScaler will use this attribute to authenticate the user against StoreFront.
In StoreFront Console, right-click the Store, and click Manage Authentication Methods.
On the right, click the gear icon, and then click Configure Trusted Domains.
In the Trusted domains box, select Any domain.
Or add your domains in DNS format. The advantage of entering domain names is that you can select a default domain if internal users forget to enter a domain name during login. The DNS format is required for UPN logins (e.g. SSO from NetScaler Gateway).
On the NetScaler Gateway Virtual Server, bind LDAP authentication polices in priority order. It will search them in order until it finds a match.
In your session policies, make sure Single Sign-on Domain is not configured. Since NetScaler is using the userPrincipalName, there’s no need to specify a domain. If Single Sign-on Domain is configured, then Single Sign-on authentication will fail.

StoreFront Load Balancing – NetScaler 11

Last Modified: Nov 6, 2020 @ 7:05 am

53 Comments

Navigation

Monitor to verify that StoreFront is UP
Server Objects
Service Group
Virtual Server
SSL Redirect
StoreFront Base URL
Subscriptions/Favorites Replication Load Balancing

Monitor

Note: This is a Perl monitor, which uses the NSIP as the source IP.

On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
On the right, click Add.
Name it StoreFront or similar.
Change the Type drop-down to STOREFRONT.
If you will use SSL to communicate with the StoreFront servers, then scroll down, and check the box next to Secure.
Scroll up, and switch to the Special Parameters tab.
In the Store Name field, enter the name of your store (e.g. MyStore) without spaces.

Click Create.

add lb monitor StoreFront STOREFRONT -scriptName nssf.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -secure YES -storename Store

Servers

On the left, expand Traffic Management, expand Load Balancing, and click Servers.
On the right, click Add.
Enter a descriptive server name, usually it matches the actual server name.
Enter the IP address of the server.
Enter comments to describe the server. Click Create.

Continue adding StoreFront servers.

add server SF01 10.2.2.57
add server SF02 10.2.2.58

Service Group

On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
On the right, click Add.
Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SSL).
Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure that the StoreFront Monitor has Secure checked.
If the protocol is SSL, then from Netscaler 11 and Storefront 3.0 load balancing broken at discussions.citrix.com: “Uncheck TLS1.2 and then check it again on Service Group, then it work!”
Scroll down and click OK.
Click where it says No Service Group Member.
If you did not create server objects then enter the IP address of a StoreFront Server. If you previously created a server object then change the selection to Server Based and select the server objects.
Enter 80 or 443 as the port. Then click Create.
To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.
On the right, under Advanced Settings , click Monitors.
Click where it says says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select the StoreFront monitor and click Select.
Then click Bind.
To verify that the monitor is working, on the left, in the Service Group Members section, click the Service Group Members line.
Highlight a member and click Monitor Details.
The Last Reponse should be Success – Probe succeeded. Click Close twice.
On the right, under Advanced Settings, click Settings.
Check the box for Client IP and enter X-Forwarded-For as the Header. Then click OK.

Then click Done.

add serviceGroup svcgrp-StoreFront-SSL SSL -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For

bind serviceGroup svcgrp-StoreFront-SSL SF01 443
bind serviceGroup svcgrp-StoreFront-SSL SF02 443
bind serviceGroup svcgrp-StoreFront-SSL -monitorName StoreFront

If the Service Group is http and you don’t have certificates installed on your StoreFront servers (aka SSL Offload), then you’ll need to enable loopback in StoreFront.
1. In StoreFront 3.5, you enable it in the GUI console.
2. In StoreFront 3.0, run the following commands on the StoreFront 3.0 servers as detailed at Citrix Blog Post What’s New in StoreFront 3.0.
```
& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp
```

Load Balancing Virtual Server

Create or install a certificate that will be used by the SSL Offload Virtual Server. This certificate must match the DNS name for the load balanced StoreFront servers. For email discovery in Citrix Receiver, the certificate must either be a wildcard (*.corp.local) or have a subject alternative name for discoverReceiver.domain.com (domain.com = email address suffix)
On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right click Add.
Name it lbvip-StoreFront-SSL or similar.
Change the Protocol to SSL.
Specify a new internal VIP.
Enter 443 as the Port.

Click OK.

add lb vserver lbvip-StoreFront-SSL SSL 10.2.2.221 443 -persistenceType SOURCEIP -timeout 60

On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select your StoreFront Service Group, and click Select.

Click Bind.

bind lb vserver lbvip-StoreFront-SSL svcgrp-StoreFront-SSL

Click OK.
Click where it says No Server Certificate.
Click the arrow next to Click to select.
Select the certificate for this StoreFront Load Balancing Virtual Server, and click Select.

Click Bind.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName WildCorpCom

Click Continue.
On the right, in the Advanced Settings column, click Persistence.
Select SOURCEIP. Do NOT use COOKIEINSERT persistence or Android devices will not function correctly.
Set the timeout to match the timeout of Receiver for Web.
The IPv4 Netmask should default to 32 bits.
Click OK.
If the NetScaler communicates with the StoreFront servers using HTTP (aka SSL Offload – 443 on client-side, 80 on server-side), and if you have enabled the Default SSL Profile, then you’ll either need to edit the default profile to include the SSL Redirect option or create a new SSL Profile with the SSL Redirect option enabled and bind the SSL Profile to this vServer.
If the default SSL Profile is not enabled then you’ll need to edit the SSL Parameters section here and at the top right, check the box next to SSL Redirect. Otherwise the Receiver for Web page will never display.
```
set ssl vserver lbvip-StoreFront-SSL -sslRedirect ENABLED -ssl3 DISABLED
```

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.

bind ssl vserver lbvip-StoreFront-SSL -certkeyName MyCert

set ssl vserver lbvip-StoreFront-SSL -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver lbvip-StoreFront-SSL -cipherName ALL

bind ssl vserver lbvip-StoreFront-SSL -cipherName Modern

bind ssl vserver lbvip-StoreFront-SSL -eccCurveName ALL

bind lb vserver lbvip-StoreFront-SSL -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

When connecting to StoreFront through load balancing, if you want to put the server name on the StoreFront webpage so you can identify the server, see Nicolas Ignoto Display server name with Citrix StoreFront 3.
Server name is displayed

SSL Redirect – Down vServer Method

If you created an SSL Offload Virtual Server that only listens on SSL 443, users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443.

This procedure details the Down vServer method of performing an SSL redirect. An alternative is to use the Responder method.

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
Change the name to indicate that this new Virtual Server is an SSL Redirect.
Change the Protocol to HTTP on Port 80.
The IP Address should already be filled in. It must match the original SSL Virtual Server.
Click OK.
Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
On the right, in the Advanced Settings column, click Protection.
In the Redirect URL field, enter the full URL including https://. For example: https://storefront.company.com/Citrix/StoreWeb. Click OK.

Click Done.

add lb vserver lbvip-storefront-HTTP-SSLRedirect HTTP 10.2.2.201 80 -redirectURL "https://storefront.corp.com"

When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

StoreFront Base URL

Create a DNS Host record that resolves to the new VIP.
The DNS name for StoreFront load balancing must be different than the DNS name for NetScaler Gateway. Unless you are following the Single FQDN procedure.
In the Citrix StoreFront console, right-click Server Group and click Change Base URL.
Enter the new Base URL in https://storefront.corp.com format. This must match the certificate that is installed on the load balancer. Click OK.

Subscription Replication Load Balancing

If you have multiple StoreFront clusters (separate datacenters), you might want to replicate subscriptions between them. StoreFront subscription replication uses TCP port 808. To provide High Availability for this service, load balance TCP port 808 on the StoreFront servers. See Configure subscription synchronization at Citrix Docs for more information.

On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
On the right, click Add.
Give the Service Group a descriptive name (e.g. svcgrp-StoreFront-SubRepl).
Change the Protocol to TCP.
Scroll down and click OK.
Click where it says No Service Group Member.
In the IP Address field, enter the IP address of a back-end StoreFront server.
Enter 808 as the port. Then click Create.
To add more members, on the left, in the Service Group Members section, click where it says 1 Service Group Member.
Click Add to add a member. Click Close when done.
On the right, under Advanced Settings, click Monitors.
Click where it says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select the tcp monitor, and click Select.

Then click Bind, and click Done.

add serviceGroup svcgrp-StoreFront-FavRepl TCP
bind serviceGroup svcgrp-StoreFront-FavRepl SF01 808
bind serviceGroup svcgrp-StoreFront-FavRepl SF02 808

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right click Add.
Name it lbvip-StoreFront-SubRepl or similar.
Change the Protocol to TCP.
Specify the same VIP that you used for SSL Load Balancing of StoreFront.
Enter 808 as the Port.
Click OK.
Click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select your StoreFront Subscription Replication Service Group, and click Select.
Click Bind.
Click Continue.

Then click Done.

add lb vserver lbvip-StoreFront-FavRepl TCP 10.2.2.201 808 -persistenceType SOURCEIP -timeout 5

bind lb vserver lbvip-StoreFront-FavRepl svcgrp-SF-FavRepl

SSL Virtual Servers – NetScaler 11

Last Modified: Nov 6, 2020 @ 7:10 am

86 Comments

This page contains generic instructions for all SSL Virtual Servers including: Load Balancing, NetScaler Gateway, and Content Switching.

Navigation

Cipher Group
Default SSL Profile
SSL vServer Configuration – Bind Cert, Ciphers, ECC, and STS
SSL Tests
SSL Redirect – Down vServer Method
SSL Redirect – Responder Method

💡 = Recently Updated

Cipher Group

References:

Citrix Blogs – Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update 💡
CJHarms Perfect Forward Secrecy and NetScaler MPX Revisited
Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated)
Citrix CTX201710 Cipher/Protocol Support Matrix of NetScaler Appliances:
- VPX 11.0 build 64 and older support fewer ciphers than MPX. This was corrected in 11.0 build 65.

Ryan Butler has a PowerShell script at Github that can automate NetScaler SSL configuration to get an A+. 💡
The easiest way to create a cipher group is from the CLI. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for cipher group CLI commands.
Go to Traffic Management > SSL > Cipher Groups.
On the right, click Add.
Name it Modern or similar.
In the middle, click Add.
Use the search box to find a particular cipher.
Check the box next to one of the results and click the arrow to move it to the right. See Citrix Blogs Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update for recommended ciphers. The recommended ciphers vary based on the hardware platform and support for older clients.
Click Create when done.

Default SSL Profile

In NetScaler 11.0 build 64 and newer, SSL Profiles are much more functional. You can use SSL Profiles to disable SSLv3, bind ciphers, and bind ECC curves.

Note: the default SSL Profile affects all SSL Virtual Servers unless you create additional SSL Profiles and bind the additional SSL Profiles to individual SSL Virtual Servers.

Citrix CTX201710 Cipher/Protocol Support Matrix of NetScaler Appliances – VPX 11.0 build 64 and older supports fewer ciphers than MPX. This was corrected in 11.0 build 65.

NetScaler 11.0 build 65 adds TLS 1.2 for back-end connections from VPX appliances. However, it does not appear to be possible to enable TLS 1.2 on SSL Profiles on VPX. If you don’t enable the default SSL profiles then you can enable TLS 1.2 on each Service Group or Service. If you are using VPX, don’t enable Default SSL profile as detailed in this section. 💡

NetScaler 11.0 build 64 and older does not do a proper handshake with TLS 1.2 IIS servers. To work around this problem, disable TLS 1.2 on the load balancing services as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break. Or upgrade to 11.0 build 65.

Also see CTX205576 NetScaler to Back-End SSL Handshake Failure on Disabling SSL 3.0 on Back-End (Physical) Servers. These articles describe both SSL services and SSL_BRIDGE services.

Go to Traffic Management > SSL.
On the right, in the right column, click Change advanced SSL settings.
Near the bottom, check the box next to Enable Default Profile. Note: this will change SSL settings on all SSL Virtual Servers to match the default SSL profile. You might want to do this during a maintenance window. Click OK when done.
If you go back into Advanced SSL Settings, notice that the Default Profile is enabled and there’s no way to disable it.
To change the default SSL profile, on the left, go to System > Profiles.
On the right, switch to the SSL Profile tab.
Highlight the frontend or backend default profile and click Edit. Note: this is the same place where you can create more SSL profiles.
Notice that SSLv3 is disabled by default.
If you do any SSL Offload (SSL on the client side, HTTP on the server side) then you’ll need to edit the Basic Settings section and enable SSL Redirect. Or you can create a new SSL Profile with this option enabled. It’s near the bottom of the section. With this option enabled, any 301/302 redirects from the server with HTTP locations are rewritten to HTTPS locations. You might need this option for StoreFront load balancing if doing SSL Offload.
It’s currently not possible to bind user-defined cipher groups using the GUI but you can easily do this using the CLI. First unbind the DEFAULT cipher group and then bind the Modern cipher group.
```
unbind ssl profile ns_default_ssl_profile_frontend -cipherName DEFAULT
bind ssl profile ns_default_ssl_profile_frontend -cipherName Modern
```
If you edit one of your SSL Virtual Servers, there’s an SSL Profile section indicating that the default profile is being used. You can change the binding to a different SSL Profile.

Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

NetScaler 11.0 build 64 and older do not do a proper handshake with TLS 1.2 IIS servers. To work around this problem, disable TLS 1.2 on the load balancing services as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break. Also see CTX205576 NetScaler to Back-End SSL Handshake Failure on Disabling SSL 3.0 on Back-End (Physical) Servers. These articles describe both SSL services and SSL_BRIDGE services.

When creating the SSL Virtual Server, on the left, in the Certificates section, click where it says No Server Certificate.
Click where it says Click to select.
Select a certificate and click Select.

Click Bind.

bind ssl vserver MyvServer -certkeyName MyCert

If the SSL Parameters section isn’t added, on the right, in the Advanced Settings column, click SSL Parameters.
On the left, in the SSL Parameters section, click the pencil icon.
Uncheck the box next to SSLv3. This removes a security vulnerability. Make sure TLSv11 and TLSv12 are enabled. Click OK.
```
set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
```
On the right, in the Advanced Settings column, click SSL Ciphers.
On the left, in the SSL Ciphers section, select the previously created Modern Cipher Group and click OK.
```
unbind ssl vserver MyvServer -cipherName ALL
bind ssl vserver MyvServer -cipherName Modern
```
If you see a warning about No usable ciphers, click OK and ignore it.
SSL Virtual Servers created on newer versions of NetScaler will automatically have ECC Curves bound to them. However, if this appliance was upgraded from an older version then the ECC Curves might not be bound. On the right, in the Advanced Settings section, click ECC Curve.
On the left, in the ECC Curve section, click where it says No ECC Curve.
Click to select.

Choose ALL and click Select.

bind ssl vserver MyvServer -eccCurveName ALL

Click Bind.

Consider enabling Strict Transport Security by creating a rewrite policy and binding it to this SSL Virtual Server. See Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated). Also see CTX205221 How Do I Do HSTS on NetScaler?

enable ns feature rewrite

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite policy insert_STS_header true insert_STS_header

bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Tests

After you’ve created an SSL Virtual Server, run the following tests:

Go to https://www.digicert.com/help/ to verify the certificate chain.
Go to https://www.ssllabs.com/ssltest/ and check the security settings of the website.

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, then users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP but listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443.

The Down Virtual Server Method is easy but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect.

On the left, under Traffic Management > Load Balancing, click Virtual Servers.
On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
Change the name to indicate that this new Virtual Server is an SSL Redirect.
Change the Protocol to HTTP on Port 80.
The IP Address should already be filled in. It must match the original SSL Virtual Server. Click OK.
Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
On the right, in the Advanced Settings column, click Protection.
In the Redirect URL field, enter the full URL including https://. For example: https://storefront.company.com/Citrix/StoreWeb. Click OK.
Click Done.
When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

SSL Redirect – Responder Method

The Down Virtual Server Method is easy but the Redirect Virtual Server must be down in order for the redirect to take effect. Another option is to use Responder policies to perform the redirect. This method requires the Redirect Virtual Server to be UP.

Create a dummy Load Balancing service. This dummy service can be bound to multiple Redirect Virtual Servers.
Name it AlwaysUp or similar.
Use a loopback IP address (e.g. 127.0.0.1). After the service is created it changes to a NetScaler-owned IP.
Click the More link.
This dummy service must always be UP so uncheck the box next to Health Monitoring. Click OK and then click Done.
```
add server 127.0.0.1 127.0.0.1
add service AlwaysUp 127.0.0.1 HTTP 80 -healthMonitor NO
```
On the left, expand AppExpert and click Responder.
If Responder is not enabled, right-click Responder and click Enable Feature.
```
enable ns feature RESPONDER
```
Under Responder, click Actions.
On the right, click Add.
Give the action a name.
Change the Type to Redirect.

Enter an expression. The following expression can be used by multiple Redirect Virtual Servers. Or you can create a Responder Action with a more specific Target. Click Create.

"https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE

add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE" -responseStatusCode 302

On the left, under Responder, click Policies.
On the right, click Add.
Give the policy a name.
Select the previously created Responder action.

For the expression, enter the following. Then click Create.

HTTP.REQ.IS_VALID

add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact

Create a Load Balancing Virtual Server with Protocol HTTP and Port 80. The VIP should match an existing SSL Virtual Server or NetScaler Gateway Virtual Server.
Bind the Dummy (AlwaysUp) service, and click OK.
On the right, in the Advanced Settings column, click Policies.
Click the plus icon in the top right of the Policies box.
Select Responder and click Continue.

Select the Redirect Responder policy and click Bind. Then click Done.

add lb vserver MyvServer-HTTP-SSLRedirect HTTP 10.2.2.201 80

bind lb vserver storefront.corp.com-HTTP-SSLRedirect AlwaysUp

bind lb vserver storefront.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST

The primary advantage of this method is that the Redirect Virtual Server is UP.

Domain Controller (LDAPS) Load Balancing – NetScaler 11

Last Modified: Nov 7, 2020 @ 6:35 am

32 Comments

Navigation

Overview
Monitor to verify that LDAP server is UP
Server Objects
Service Groups
Virtual Server

Overview

If you plan to use LDAP (Active Directory) for NetScaler Gateway or NetScaler management authentication, load balance the Domain Controllers that are used for authentication.

An alternative to load balancing is to configure NetScaler Gateway and NetScaler management authentication with multiple authentication policies, each pointing to a single Domain Controller. However, NetScaler will try each authentication policy until it finds one that works. If the user enters a wrong password and if you have three authentication policies pointing to different Domain Controllers in the same domain then three different failure attempts will be recorded thus causing premature account lockout. Use Load Balancing to avoid this behavior.

This page details LDAPS, aka Secure LDAP. This protocol requires certificates to be installed on the Domain Controllers. When a user’s password expires, Active Directory does not allow password changes over clear text LDAP so LDAPS must be used instead. Make sure you have certificates installed on your Domain Controllers. The easiest way to accomplish that is to deploy a Microsoft Certificate Authority. Once that’s done the Domain Controllers will request certificates automatically.

An ldaps monitor can be used to verify that the Domain Controller is functional. The ldaps monitor will login as an account, perform an LDAP query, and look for a successful response. The ldaps monitor uses a service account to login. Make sure the service account’s password does not expire. Domain User permissions are sufficient. Since this monitor is a Perl script, it uses NSIP as the source IP.

If you have Domain Controllers in multiple datacenters, you can create multiple load balancing Virtual Servers and cascade them so that the local Domain Controllers are used first, and if they’re not available, then the Virtual Server fails over to Domain Controllers in remote datacenters.

The Load Balancing Virtual Server for LDAPS can be TCP or SSL_TCP:

If the protocol is TCP, then SSL-encrypted LDAP traffic is not terminated on the NetScaler, and is simply forwarded to the LDAP servers. If your LDAP client needs to verify the LDAP server certificate, then this Load Balancing configuration will not work, since each back-end LDAP server will have a different certificate.
If your Load Balancing Virtual Server is protocol SSL_TCP, then a certificate must be installed on the NetScaler and bound to the Load Balancing Virtual Server. SSL is terminated at the NetScaler and re-encrypted before sending it to the destination Domain Controller. The primary benefit of NetScaler SSL termination is that your LDAP clients can verify the Virtual Server SSL certificate.

When NetScaler uses a local (same appliance) load balanced Virtual Server for LDAPS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a Domain Controller without going through a local Load Balancing Virtual Server, or if NetScaler uses a remote (different appliance) Load Balancing VIP, then the traffic is sourced from the NetScaler NSIP (NetScaler IP). Adjust firewall rules accordingly.

LDAPS Monitor

Note: Perl monitor uses NSIP as the source IP.

In the NetScaler Configuration Utility, expand Traffic Management, expand Load Balancing, and click Monitors.
On the right, click Add.
Name the monitor ldaps-Corp or similar. The ldaps monitor logs into Active Directory, performs an LDAP query, and looks for a successful response. The monitor configuration has domain specific information, so if you have multiple Active Directory domains, then you will need multiple ldaps monitors. Include the domain name in the monitor name.
Change the Type to LDAP.
Scroll down and check the box next to Secure.
Scroll back up and switch to the Special Parameters tab.
On the Special Parameters tab, use the Script Name drop-down list to select the nsldap.pl file.
In the Base DN field, enter your domain name in LDAP format (e.g. dc=company,dc=com)
In the Bind DN field, enter the UPN login (e.g. ctxsvc@company.com) of a service account in the domain that can browse all objects. Any normal Domain User should be sufficient. Just make sure the password doesn’t expire.
In the Filter field, enter cn=builtin. This limits the search results.
In the Password field, enter the password for the service account. Make sure there is no semicolon in the password or the script will be unable to parse the parameters.

Click Create.

add lb monitor LDAP-Corp LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Passw0rd -secure YES -baseDN "dc=corp,dc=local" -bindDN "corp\\ctxsvc" -filter cn=builtin

If you have multiple domains, then create additional monitors: one for each domain.

Servers

On the left, expand Traffic Management, expand Load Balancing, and click Servers.
On the right, click Add.
Enter a descriptive server name, usually it matches the actual server name.
Enter the IP address of the server.

Enter comments to describe the server. Click Create.

add server AD01 10.2.2.11
add server AD01 10.2.2.12

Continue adding Domain Controllers.

Service Groups

On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.
On the right, click Add
.
You will create one Service Group per datacenter. Enter a name reflecting the name of the data center. Also, you will create a set of service groups per Active Directory domain so include the domain name.
Change the Protocol to SSL_TCP. Scroll down, and click Continue.
On the left, in the Service Group Members section, click where it says No Service Group Member.
If you did not create server objects then enter the IP address of a Domain Controller in this datacenter. If you previously created a server object then change the selection to Server Based, and select the server object. In the Port field, enter 636 (LDAPS).
Note: Any Domain Controller you add to this list must have an SSL certificate installed. The easiest way to install SSL certificates on the Domain Controllers is with Active Directory Certificate Services since it installs the certificates automatically.
To add more members, click where it says 1 Service Group Member, and then click Add. Click Close when done.
On the right, in the Advanced Settings column, click Monitors.
On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
Click the arrow next to Click to select.
Select your new LDAPS monitor and click Select.
Click Bind.
To verify the member is up, click in the Service Group Members section.
Highlight a member, and click Monitor Details.
It should say Probe successful. Click OK.
If the monitor doesn’t work, use ldp.exe to verify the Domain Controller certificate.

Click Done to finish creating the Service Group.

add serviceGroup svcgrp-LDAP-Corp SSL_TCP
bind serviceGroup svcgrp-LDAP-Corp AD01 636
bind serviceGroup svcgrp-LDAP-Corp AD02 636
bind serviceGroup svcgrp-LDAP-Corp -monitorName LDAP-Corp

The Service Group is displayed as UP. If not, click the refresh icon on the top right.
Add additional service groups for Domain Controllers in each data center.

Virtual Server

Create or import a certificate that matches the FQDN that resolves to the new Load Balancing VIP for LDAPS.
On the left, expand Traffic Management, expand Load Balancing, and click Virtual Servers.
On the right, click Add.
Name it lbvip-LDAPS-Corp-HQ or similar. You will create one Virtual Server per datacenter so include the datacenter name. Also, each domain has a separate set of Virtual Servers so include the domain name.
Change the Protocol drop-down to SSL_TCP.
Enter a Virtual IP. This VIP cannot conflict with any other IP/Port already being used. You can use an existing VIP that is not already listening on TCP 636.
Enter 636 as the Port. Click OK.
On the left, in the Service Group section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
Click the arrow next to Click to select.
Select the previously created Service Group, and click Select.
Click Bind.
Click Continue.
On the left, in the Certificates section, click where it says No Server Certificate.
Click the arrow next to Click to select.
Select a certificate that matches the FQDN that will resolve to this VIP. Click Select.
Click Bind.

Click Continue.

add lb vserver lbvip-LDAP-Corp SSL_TCP 10.2.2.210 636 -persistenceType NONE -cltTimeout 9000

bind lb vserver lbvip-LDAP-Corp svcgrp-LDAP-Corp

If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, and bind a Modern Cipher Group.

bind ssl vserver MyvServer -certkeyName MyCert

set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED

unbind ssl vserver MyvServer -cipherName ALL

bind ssl vserver MyvServer -cipherName Modern

bind ssl vserver MyvServer -eccCurveName ALL

Click Done to finish creating the Virtual Server.
The new Virtual Server should show as Up.
Create additional Virtual Servers for each datacenter. These additional Virtual Servers do not need a VIP so change the IP Address Type to Non Addressable. Only the first Virtual Server will be accessible.
```
add lb vserver lbvip-LDAP-Corp-Backup SSL_TCP 0.0.0.0 0
```
Notice that the additional datacenter Virtual Servers show up with an IP Address of 0.0.0.0 and port of 0.
After you are done creating a Virtual Server for each datacenter, right-click the primary datacenter’s Virtual Server, and click Edit.
On the right, in the Advanced Settings column, click Protection.
On the left, in the Protection section, change the Backup Virtual Server to one of the other datacenter Virtual Servers. If all of the services in this datacenter are DOWN, the backup Virtual Server will be used instead. You can cascade multiple Virtual Servers using this method. Click OK and Done.
```
set lb vserver lbvip-LDAP-Corp -backupVServer lbvip-LDAP-Corp-Backup
```

Clear Text LDAP

Citrix Command Center does not support Secure LDAP so you will need to do the following:

Create a regular LDAP monitor that does not have the secure box checked.
Create Service Groups of Protocol TCP and Port 389.
Create a Load Balancing Virtual Server of Protocol TCP on port 389. Bind the Service Groups to it.

Next Steps

You may now use this Virtual IP in your LDAP authentication policies for NetScaler Gateway or NetScaler management login.

NetScaler SDX 10.5

Last Modified: Nov 6, 2020 @ 7:09 am

55 Comments

Navigation

SDX IP Configuration
Service VM Firmware – Upgrade
XenServer – Upgrade
XenServer Supplemental Pack
XenServer Hotfixes
Service VM Hostname
Service VM Time Zone and NTP
Licensing
Service VM Alerting
Service VM nsroot Password and AAA
SSL Certificate and Encryption
XenServer LACP Channels
VPX Instances:
Service VM Monitoring
Service VM Backup

SDX IP Configuration

Default IP for Management Service VM is 192.168.100.1/16 bound to interface 0/1. Use laptop with crossover cable to reconfigure. Point browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Use the Management Service virtual machine to configure. XenServer and Management Service IPs must be on the same subnet.

When you first login to the SDX Service virtual machine, the Setup Wizard appears. In the Network Configuration page, configure the IP addresses. Management Service IP Address and XenServer IP Address must be different but on the same subnet. Scroll down.
In the System Settings page, select the time zone.
Check the box next to Change Password, enter the new password. Click Continue.
In the Manage Licenses section, allocate licenses normally. Click Continue when done.
Then click Done.

To modify the network configuration of the SDX appliance:

Switch to the Configuration tab.
In the navigation pane, click System.
In the System pane, under Setup Appliance, click Network Configuration.
In the Modify Network Configuration dialog box, specify values for the following parameters:
- Interface*—The interface through which clients connect to the Management Service. Possible values: 0/1, 0/2. Default: 0/1.
- XenServer IP Address*—The IP address of the XenServer.
- Management Service IP Address*—The IP address of the Management Service.
- Netmask*—The netmask for the subnet in which the SDX appliance is located.
- Gateway*—The default gateway for the network.
- DNS Server—The IP address of the DNS server.
Click OK.

Another way to login to the Management Service virtual machine is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label=”Management Service VM“

Then run /usr/lib/xen/bin/xenconsole <dom-id>.

Service VM Firmware – Upgrade

If the webpage says NetScaler SDX on top then you are connected to the Service VM.
Switch to the Configuration tab.
In the navigation pane, expand Management Service, and then click Software Images.
In the right pane, click Upload.
In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build-svm file, and then double-click the build file.
Click Upload.

To upgrade the Management Service:

In the navigation pane, click System.
In the System pane, under System Administration, click Upgrade Management Service.
In the Upgrade Management Service dialog box, in Build File, select the file of the build to which you want to upgrade the Management Service.
If you see a Documentation File field, ignore it.
Click OK.
Click Yes if asked to continue.
If desired, go back to the Software Images node and delete older firmware files.

XenServer – Upgrade

SDX Service VM 10.1 or newer requires XenServer 6.1 to be installed on the SDX appliance. Make sure you use the XenServer 6.1 media that is specific to SDX. It should be named XenServer-6.1.0-install-sdx.iso. Installing XenServer will cause the physical appliance (and all VPX instances) to reboot.

Switch to the Configuration tab.
In the navigation pane, expand Management Service, and then click XenServer Files.
In the right pane, in the ISO Images tab, click Upload.
In the Upload XenServer ISO Image File dialog box, click Browse, navigate to the folder that contains the build file, and then double-click the build file.
Click Upload.

To upgrade the XenServer software:

In the Configuration tab navigation pane, click System.
In the details pane, click Upgrade XenServer.
In the Upgrade XenServer section, select the Image file from the list. Then click OK.
Click Yes to confirm that a connection failure will occur.

XenServer Supplemental Pack

A full reboot of the physical appliance will occur.

Download the XenServer 6.1 Supplemental Pack from the same download page containing the SDX Service VM firmware. It’s in the Additional Components section.
On the Configuration page, on the left, expand Management Service and click XenServer Files.
On the right, switch to the Supplemental Packs tab and click Upload.
Browse to the Supplemental Pack and click Upload.
Select the Supplemental Pack and click Install.
Click Yes when prompted to reboot the appliance.

XenServer Hotfixes

A full reboot of the physical appliance will occur.

On the left, expand Management Service and click XenServer Files.
On the right, switch to the Hotfixes tab and click Upload.
Upload XenServer 6.1 Hotfix 44.
Also upload XenServer 6.1 Hotfix 45.
Also upload XenServer 6.1 Hotfix 48.
Highlight one of the hotfixes and click Apply.
Click Yes when asked to apply.
Apply the next hotfix.
Click Yes when asked to apply. Repeat for the remaining hotfixes.
On the left, click the System node.
On the right, in the right column, click Reboot Appliance.
Click Yes when asked to reboot.

Service VM Hostname

On the Configuration tab, click System.
In the right pane, click Change Hostname in the System Settings section.
Enter a new hostname and click OK.

Service VM Time Zone and NTP

Go to Configuration tab and click System on the left.
On the right, under System Settings click Change Time Zone.
Select the time zone. For Central time, look for UTC-0500 and Chicago.

To configure an NTP server:

On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
To add a new NTP server, in the right pane, click Add.
In the Create NTP Server dialog box, set the following parameters:
- Server Name/IP Address*—The domain name of the NTP server or the IP address of the NTP server. The name or IP address cannot be changed for an existing NTP server.
- Preferred—Synchronize with this server first. Applicable if more than one server is configured.
Click Add.
In the right pane click NTP Synchronization.
In theNTP Synchronization dialog box, select Enable NTP Sync. Click OK.

Licensing

To upload a license file to the SDX appliance:

Login to Citrix.com and go to Account.
Click Allocate Licenses, find a NetScaler SDX license, and allocate it. There is no need to specify a hostname. You can use the same license file on multiple SDX appliances.
On the Configuration tab, in the navigation pane, expand System, and then click Licenses.
In the right pane, click Manage Licenses.
In the Manage Licenses page, select Upload License Files and click Upload.
In the Upload License File dialog box, do the following:
1. Click Browse.
2. Navigate to the folder that contains the license file you want to upload, and then double-click the license file.
3. Click Upload.
In the License Files pane, click Apply Licenses.
In the Confirm message box, click Yes.

Service VM Alerting

Syslog:

On the Configuration tab, expand System > Notifications and click Syslog Servers.
In the right pane click the Add button.
Enter a name for the server.
Enter the IP address of the Syslog server.
Select log levels and click Add.

Mail Notification

On the Configuration tab, expand System > Notifications and click Email.
In the right pane, on the SMTP Server tab, click Add.
Enter the DNS name of the mail server and click Create.
In the right pane, switch to the Email Distribution List tab and click Add.
Enter a name for the mail profile.
Enter the destination email address and click Create.
The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
On the right, click Add.
Give the rule a name.
Select the Major and Critical severities and move them to the right. Scroll down.
For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them then only the configured entities will be alerted. Scroll down.
Click Save.
Select an Email Distribution List and click Done.

Service VM nsroot Password and AAA

To change the password of the default user account:

On the Configuration tab, in the navigation pane, expand System, and then click Users.
In the Users pane, click the default user account, and then click Edit.
In the Configure System User dialog box, in Password and Confirm Password, enter the password of your choice. Click OK.

To create a user account:

In the navigation pane, expand System, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.
To create a user account, click Add.
In the Create System User or Modify System User dialog box, set the following parameters:
- Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.
- Password*—The password for logging on to the appliance.
- Confirm Password*—The password.
- Session Timeout
- Groups —The user’s privileges on the appliance. Possible values:
  - owner—The user can perform all administration tasks related to the Management Service.
  - readonly—The user can only monitor the system and change the password of the account.
Click Create. The user that you created is listed in the Users pane.

AAA Authentication:

If you would like to enable LDAP authentication for the Service VM, do that under Configuration > System > Authentication > LDAP.
In the right pane, click Add.
Enter the LDAP settings. Change the port to 636 if using Secure LDAP (recommended). Enter the bind account. Scroll down.
Change the Security Type to SSL. Check the box next to Enable Change Password. Click Create.
Expand System, expand User Administration and click Groups.
Click Add.
Enter the case sensitive name of the Active Directory group.
Select the admin permission.
Configure the Session Timeout. Click Create.

SSL Certificate and Encryption

Replace SDX Service VM Certificate:

Before enabling secure access to the Service VM web console, you probably want to replace the Service VM certificate.

PEM format: The certificate must be in PEM format. The Service VM does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
On the Configuration tab, expand Management Service and click SSL Certificate Files.
On the right, click Upload.
Browse to the certificate PEM file and click Upload.
On the right, switch to the SSL Keys tab and click Upload.
Browse to the PEM key file. This could be the same file containing the certificate or a separate file. Click Upload.
On the left, click System.
On the right, click Install SSL Certificate.
Select the uploaded certificate and key files. If the key file is encrypted, enter the password. Then click OK. The Service VM will restart so there will be an interruption.
After the Service VM restarts, connect to it using HTTPS. You can’t make this change if you are connected using HTTP.
On the Configuration tab, click System.
On the right, click Change System Settings.
Check the box next to Secure Access Only and click OK. This forces you to use HTTPS to connect to the Service VM.

SSL Encrypt Management Service to NetScaler Communication:

From http://support.citrix.com/article/CTX134973: Communication from the Service Virtual Machine to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Service Virtual Machine and NetScaler VPX instances. If you do not secure the network traffic from the Service Virtual Machine configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

Log on to the Service Virtual Machine Graphical User Interface (GUI) management.
On the Configuration tab, click System.
On the right, click Change System Settings.
Change Communication with NetScaler Instance to https, as shown in the following screen shot:
Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -netmask netmask -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui SECUREONLY -ssh ENABLED -snmp ENABLED - mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting ENABLED -ospf DISABLED -bgp DISABLED -rip DISABLED -hostRoute DISABLED -vrID 0

Or in the NetScaler instance management GUI go to Network > IPs, open the NSIP and then check the box next to Secure access only.

XenServer LACP Channels

To use LACP, configure Channels in the Service VM, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel. If you are instead using static port channels, you can configure them inside a VPX instance.

In the Service VM, on the Configuration tab, expand System and click Channels.
On the right, click Add.
Select a Channel ID.
For Type, select LACP or STATIC. The other two options are for switch independent load balancing.
In the Interfaces tab, click Add.
Move the Channel Member interfaces to the right by clicking the plus icon.
On the Settings tab, you can select Long or Short, depending on switch configuration. Long is the default.
Click Create when done.
Click Yes when asked to proceed.
The channel will then be created on XenServer.

VPX Instances – Provision

To create an admin profile:

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or the configuration utility.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
In the Admin Profiles pane, click Add.
In the Create Admin Profile dialog box, set the following parameters:
- Profile Name*—Name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
- User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
- Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.
- Confirm Password*—The password used to log on to the NetScaler instance.
Click Create. The admin profile you created appears in the Admin Profiles pane.

To upload a NetScaler VPX .xva file:

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances.

On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Software Images.
On the right, switch to the XVA Files tab and then click Upload.
In the Upload NetScaler Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.

To provision a NetScaler instance:

On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
In the NetScaler Instances pane, click Add.
In the Provision NetScaler Wizard follow the instructions in the wizard.
Click Create. The NetScaler instance you provisioned appears in the NetScaler Instances pane.

The wizard will ask for the following info:

Name* – The host name assigned to the NetScaler instance.
IP Address* – The NetScaler IP (NSIP) address at which you access a NetScaler instance for management purposes. A NetScaler instance can have only one NSIP. You cannot remove an NSIP address.
Netmask* – The subnet mask associated with the NSIP address.
Gateway* – The default gateway that you must add on the NetScaler instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
XVA File* – The .xva image file that you need to provision. This file is required only when you add a NetScaler instance.
Feature License* – Specifies the license you have procured for the NetScaler. The license could be Standard, Enterprise, and Platinum.
Admin Profile* – The profile you want to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the NetScaler instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the NetScaler instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Configuring Admin Profiles.
Total Memory (MB)* – The total memory allocated to the NetScaler instance.
#SSL Cores* – Number of SSL cores assigned to the NetScaler instance. SSL cores cannot be shared. The instance is restarted if you modify this value.
Throughput (Mbps)* – The total throughput allocated to the NetScaler instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
Packets per second* – The total number of packets received on the interface every second.
CPU – Assign a dedicated core or cores to the instance or the instance shares a core with other instance(s).
User Name* – The root user name for the NetScaler instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces. (List of non-accessible commands will be listed here in later versions of this document)
Password* – The password for the root user.
Shell/Sftp/Scp Access* – The access allowed to the NetScaler instance administrator.
Interface Settings – This specifies the network interfaces assigned to a NetScaler instance. You can assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
- Important:The interface ID numbers of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
- If a non-zero VLAN ID is specified for a NetScaler instance interface, all the packets transmitted from the NetScaler instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the NetScaler instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with the VLAN ID you want and ensure that the incoming packets specify the same VLAN ID.
- For an interface to receive packets with several VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the NetScaler instance interface.
NSVLAN ID – An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4095.
Tagged – Designate all interfaces associated with the NSVLAN as 802.1q tagged interfaces.
Interfaces – Bind the selected interfaces to the NSVLAN.

Here are screenshots from the wizard:

On the Provision NetScaler page, enter a name for the instance.
Enter the NSIP, mask, and Gateway.
Select the XVA File with your desired firmware build.
Change the Feature License to Platinum.
Select an Admin Profile created earlier.
Enter a Description. Scroll down.
In the Resource Allocation section, change the Total Memory to
For SSL Chips, specify between 1 and 16.
For Throughput, partition your licensed bandwidth. If you are licensed for 8 Gbps, make sure the total of all VPX instances does not exceed that number.
For CPU, select one of the Dedicated options. Then scroll down.
In the Instance Administration section, enter a new local account that will be created on the VPX. This is in addition to the nsroot user. Note, not all functionality is available to this account. Scroll down.
In the Network Settings section, leave 0/1 selected and deselect 0/2.
Click Add to connect the VPX to more interfaces.
If you have Port Channels, select one of the LA interfaces.
Try not configure any VLAN settings here. If you do, XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add.
In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN. Click Done.
After a couple minutes the instance will be created. Click Close.
In your Instances list, click the IP address to launch the VPX management console. Do the following at a minimum (instructions in the NetScaler System Configuration section):
1. Create Policy Based Route for the NSIP – System > Settings > Network > PBRs
2. Add SNIPs for each VLAN – System > Network > IPs
3. Add VLANs and bind to SNIPs – System > Network > VLANs
4. Create Static Routes for internal networks – System > Network > Routes
5. Change default gateway – System > Network > Routes > 0.0.0.0
6. Create another instance on a different SDX and High Availability pair them together – System > High Availability

Applying the Administration Configuration

At the time of provisioning a NetScaler VPX instance, the Management Service creates some policies, instance administration (admin) profile, and other configuration on the VPX instance. If the Management Service fails to apply the admin configuration at this time due to any reason (for example, the Management Service and the NetScaler VPX instance are on different subnetworks and the router is down or if the Management Service and NetScaler VPX instance are on the same subnet but traffic has to pass through an external switch and one of the required links is down), you can explicitly push the admin configuration from the Management Service to the NetScaler VPX instance at any time.

On the Configuration tab, in the navigation pane, click NetScaler.
In the NetScaler Configuration pane, click Apply Admin Configuration.
In the Apply Admin Configuration dialog box, in Instance IP Address, select the IP address of the NetScaler VPX instance on which you want to apply the admin configuration.
Click OK.

VPX Instances – Manage

You may login to the VPX instance and configure everything normally. SDX also offers the ability to manage IP address and SSL certificates from SDX rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates so it’s probably best to do that from within the VPX instance.

To view the console of a NetScaler instance:

Connect to the Service VM using https.
Viewing the console might not work unless you replace the Service VM certificate.
In the Service VM, go to Configuration > NetScaler > Instances.
On the right, right-click an instance and click Console.
The instance console then appears.
Another option is to use the Lights Out Module and the xl console command as detailed at Citrix Blog Post SDX Remote Console Access of VIs.

To start, stop, delete, or restart a NetScaler instance:

On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
In the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
In the Confirm message box, click Yes.

Creating a Subnet IP Address on a NetScaler Instance:

You can create or delete a SNIP during runtime without restarting the NetScaler instance.

On the Configuration tab, in the navigation pane, click NetScaler.
In the NetScaler Configuration pane, click Create IP.
In the Create NetScaler IP dialog box, specify values for the following parameters.
- IP Address* – Specify the IP address assigned as the SNIP or the MIP address.
- Netmask* – Specify the subnet mask associated with the SNIP or MIP address.
- Type* – Specify the type of IP address. Possible values: SNIP.
- Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
- Instance IP Address* – Specify the IP address of the NetScaler instance.
Click Create.

To save the configuration on a NetScaler instance:

On the Configuration tab, in the navigation pane, click NetScaler.
In the NetScaler pane, click Save Configuration.
In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
Click OK.

Change NSIP of VPX Instance:

If you change NSIP inside of VPX instead of using the Modify Instance wizard in the Service VM, see article http://support.citrix.com/article/CTX139206 to adjust the XenServer settings.

Enable Call Home:

On the Configuration tab, in the navigation pane, click the NetScaler node.
On the right, click Call Home.
Enter an email address to receive communications regarding NetScaler Call Home.
Check the box next to Enable Call Home.
Select the instances to enable Call Home and click OK.

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files:

To upgrade a VPX instance from the Service VM, first upload the firmware build file.

In the Configuration tab, on the left, expand NetScaler and click Software Images.
On the right, in the Software Images tab click Upload.
Browse to the build…tgz file and click Upload.

Upgrading Multiple NetScaler VPX Instances:

You can upgrade multiple instances at the same time.

To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
Click an instance to highlight it. Open the Action menu and click Upgrade.
In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Ignore the Documentation File. Click OK.

Service VM Monitoring

To view the audit log, in the navigation pane, expand System, and then click Audit Logs.
To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
To view events, on the Dashboard tab, in the System Health Events section on the bottom right, click Show All Events.

Service VM Backups

The SDX appliance automatically keeps three backups of the Service VM configuration that are taken daily at 12:30 am. Only configuration files and logs are backed up. This task does not backup the VPXs. You can go to Management Service > Backup Files to backup or restore the appliance’s configuration. And you can download the backup files.

Session Recording 7.13

Last Modified: Nov 7, 2020 @ 6:34 am

60 Comments

Navigation

This article applies to Session Recording 7.6 (including LTSR), 7.8, 7.11, 7.12, and 7.13. For 7.14 and newer, there’s a different article.

Planning
Server Installs:
Session Recording Server Configuration
- Authorization
- Policies
Session Recording Agent
Session Recording Player
Director Integration

💡 = Recently Updated

Planning

George Kuruvilla – An Introduction To Session Recording (XA/XD 7.6 Feature Pack 1) – Installation, Configuration and User Experience

Citrix links:

Citrix Docs – Session Recording
Citrix CTX200868 – Configuring Security Features of Session Recording
Citrix CTX200869 – Building a Highly Scalable Session Recording System

XenApp/XenDesktop Platinum Edition licensing is required.

Remote Desktop Session Host VDAs added in Session Recording 7.6. Virtual desktops added in Session Recording 7.8.

There is no relation between Session Recording and XenApp/XenDesktop farms. You can have Agents from multiple XenApp/XenDesktop farms recording to a common Session Recording server. Or you can split a XenApp/XenDesktop farm so that different Agents point to different Session Recording servers. An Agent can only point to one Session Recording server (Load Balancing is not supported).

The Session Recording server will need a hard drive to store the recordings. Disk access is primarily writes.

Offloaded content (e.g. HDX Flash, Lync webcam, MMR) is not recorded.

Session Recording server needs a certificate. The certificate must be trusted by Agents and Players. Internal Certificate Authority recommended.

SQL:

Supported Versions = SQL 2008 R2 Service Pack 3 through SQL 2016.
The SQL database is very small.
The database name is CitrixSessionRecording. Can be changed in only 7.13 and newer.
Temporary sysadmin permissions are needed to create the database and sysadmin can be revoked after installation.
SQL Browser Service must be running.
As of Session Recording 7.13, SQL Server High Availability (AlwaysOn Availability Groups, Clustering, Mirroring) is supported. See Install Session Recording with database high availability at Citrix Docs. And see Citrix Blog Post Session Recording 7.13 – New HA and Database Options

Download Session Recording 7.13 from XenApp 7.13 / XenDesktop 7.13, Platinum Edition Components:

Session Recording Server Installs

IIS and Message Queuing

If you are installing this on Windows Server 2008 R2 then see the prerequisites list at Citrix Docs.
You also can use scripts to install Windows roles and features prerequisites that are required for Session Recording to work properly. See Scripts to add Windows roles and features prerequisites at Citrix Docs.
In Server Manager, open the Manage menu, and click Add Roles and Features.
Skip to the Server Roles page.
In the Server Roles page, check the box next to Web Server (IIS), and click Next.
In the Features page, expand .NET Framework 4.5 Features, expand WCF services, and select HTTP Activation.
Expand Message Queuing, and expand Message Queuing Services.
Select Message Queuing Server and HTTP Support. Click Next.
In the Web Server Role > Select role services page, expand Security, and click Windows Authentication.
Expand Application Development, and select ASP.NET 4.5/4.6.
Expand IIS 6 Management Compatibility, and select all four boxes. Click Next through the rest of the wizard.
Use MMC Certificates snap-in or IIS, or similar, to request a machine certificate.
In IIS Manager, right-click the Default Web Site, and click Edit Bindings.
On the right, click Add.
Change the Type to https.
Select the certificate, and click OK.

Server Components

If you are installing this on Windows Server 2008 R2 then see the prerequisites list at Citrix Docs.
The person installing Session Recording needs to be a sysadmin on the remote SQL server.
In the SessionRecording7.13.0\Session Recording Administration folder, run Broker_PowerShellSnapIn_x64.msi.
In the Please read the Citrix Broker PowerShell Snap-In License Agreement page, check the box next to I accept the terms, and click Install.
In the Completed the Citrix Broker PowerShell Snap-In Setup Wizard page, click Finish.
Run SessionRecordingAdministrationx64.msi.
In the Welcome to the Citrix Session Recording Administration Installation Wizard page, click Next.
In the License Agreement page, select I accept the license agreement, and click Next.
In the Select Features page, click Next.
If you are installing Session Recording 7.12 or older, in the Database and Server Configuration page, enter the name of the SQL server, and click Test.
If you are installing Session Recording 7.13 or newer, enter the SQL server name, and enter a Database Name. Only 7.13 and newer lets you specify the Database Name.
Enter the name of the Session Recording server in domain\machine-name format, and click Next.
In the Administrator Logging Configuration page, if installing Session Recording 7.13 or newer, enter a name for the Logging Database, and then click Next.
If installing Session Recording 7.12 or older, just click Next.
In the Citrix Customer Experience Improvement Program page, make a choice, and click Next.
In the Citrix Session Recording Administration has been successfully installed page, click Finish.
In SQL Server Management Studio, notice the new CitrixSessionRecording and CitrixSessionRecordingLogging databases.

Upgrade

If you are upgrading from 7.8 or older, the logging feature won’t be installed.

In Server Manager > Add Roles and Features, on the Features page, expand .NET Framework 4.5 Features, expand WCF Services and select HTTP Activation. Finish the wizard.
In Programs and Features, right-click Citrix Session Recording Administration, and click Change.
In the Application Maintenance page, select Modify and click Next.
In the Select Features page, expand Session Recording Server.
Change the selection for Session Recording Administrator Logging to installed and click Next.
If you see a message about HTTP Activation, install the feature and restart the wizard.
In the Administrator Logging Configuration page, if installing Session Recording 7.13 or newer, enter a name for the Logging Database, and then click Next.
If installing Session Recording 7.12 or older, just click Next.
In the Ready to Modify the Application page, click Next.
In the Citrix Session Recording Administration has been successfully installed page, click Finish.

Session Recording Server Configuration

From Start Menu, run Session Recording Server Properties.
In the Storage tab, specify a path that has disk space to hold the recordings. UNC is supported, but strongly discouraged.
In the Signing page, select (Browse) a certificate to sign the recordings.
In the Playback tab, notice that Session Recording files are encrypted before transmit. Also, it’s possible to view live sessions but live sessions are not encrypted.
In the Notifications tab, you can change the message displayed to users before recording begins.
The CEIP tab lets you enable or disable the Customer Experience Improvement Program.
See https://www.carlstalhood.com/delivery-controller-7-13-and-licensing/#ceip for additional places where CEIP is enabled.
The Logging tab lets you configure Logging.
When you click OK you’ll be prompted to restart the service.
Session Recording relies on Message Queuing. In busy environments, it might be necessary to increase the Message Queuing storage limits. See CTX209252 Error: “Data lost while recording file…” on Citrix SmartAuditor.

David Ott Session Recording Cleanup Script: You may notice that the session recording entries/files don’t go away on their own. Here is how to clean them up. Just create a scheduled task to run the code below once per day (as system – elevated). See David’s blog post for details.

C:\Program Files\Citrix\SessionRecording\Server\Bin\icldb.exe remove /RETENTION:7 /DELETEFILES /F /S /L

Also see CTX134777 How to Remove Dormant Files From a SmartAuditor Database.

Authorization

From the Start Menu, run Session Recording Authorization Console.
In the PolicyAdministrator role, add your Citrix Admins group.
If you use Director to configure Session Recording, add the Director users to the PolicyAdministrator role.
In the Player role, add users that can view the recordings.
By default, nobody can see the Administration Log. Add auditing users to the LoggingReader role.
Session Recording 7.11 has a Session Recording Administrator Logging feature, which opens a webpage to https://SR01.corp.local/SessionRecordingLoggingWebApplication/. Only members of the LoggingReader role can see the data.

Policies

From the Start Menu, run Session Recording Policy Console.
Enter the hostname of the Session Recording server, and click OK.
Only one policy can be enabled at a time. By default, no recording occurs. To enable recording, right-click one of the other two built-in policies and click Activate Policy.
Or you can create your own policy by right-clicking Recording Policies, and clicking Add New Policy.
After the policy is created, right-click it, and click Add Rule.
Decide if you want notification or not, and click Next.
Click OK to acknowledge this message.
Choose the rule criteria. You can select more than one. Session Recording 7.12 and newer have an IP Address or IP Range rule.
Then click the links on the bottom specify the groups, applications, servers, and/or IP range for the rule. Click Next.
Give the rule a name, and click Finish.
Continue adding rules.
When done creating rules, right-click the policy, and click Activate Policy.
You can also rename the policy you created.

Session Recording Agent

Install the Agent on the VDAs. Platinum Licensing is required.

Install Message Queuing Server with HTTP Support. If RDSH, in Server Manager, open the Manage window, and click Add Roles and Features.
1. Skip to the Features page.
2. In the Features page, expand Message Queuing. Expand Message Queuing Services.
3. Check the box next to Message Queuing Server. Also check HTTP Support.
4. Click Add Features. Click Next.
5. In the Web Server Role > Select role services page, don’t change anything, and click Next.
6. In the Confirm installation selections page, click Install.
7. If install fails, try PowerShell instead.
```
Install-WindowsFeature msmq-server,msmq-http-support -IncludeAllSubFeature
```
If virtual desktop (Session Recording 7.8 and newer), go to Programs and Features.
1. Click Turn Windows features on or off.
2. Expand Microsoft Message Queue, expand Microsoft Message Queue, and select MSMQ HTTP Support. Click OK.
If the VDA is Windows 7, or Windows 2008 R2, install Microsoft hotfix 2554746 MSMQ service might not send or receive messages after you restart a computer. Or install the Convenience Rollup.
In the SessionRecording7.13.0\Session Recording Agent folder, run SessionRecordingAgentx64.msi.
In the Welcome to the Citrix Session Recording Agent Installation Wizard page, click Next.
In the License Agreement page, select I accept the license agreement and click Next.
In the Session Recording Agent Configuration page, enter the FQDN of the Session Recording Server, and click Test.
Click OK and then click Next.
In the Destination Folder page, click Next.
In the Ready to Install the Application page, click Next.
In the Citrix Session Recording Agent has been successfully installed page, click Finish.
Agent Installation can also be automated. See Automating installations at Citrix Docs.
In the Start Menu is Session Recording Agent Properties.
You can enable or disable session recording on this Agent.
For MCS and PVS VDAs, see the GenRandomQMID.ps1 script at XenApp/XenDesktop 7.13 Known Issues at Citrix Docs.
Session Recording Agent might cause MCS Image Prep to fail. To work around this, set the Citrix Session Recording Agent service to Automatic (Delayed Start). Source = Todd Dunwoodie at Session Recording causes Image preparation finalization Failed error at Citrix Discussions.

Session Recording Player

Install the Player on any Windows 7 through Windows 10 desktop machine. 32-bit color depth is required. Because of the graphics requirements, don’t run the Player as a published application.

In the SessionRecording7.13.0\Session Recording Player folder, run SessionRecordingPlayer.msi.
In the Welcome to the Citrix Session Recording Player Installation Wizard page, click Next.
In the License Agreement page, select I accept the license agreement, and click Next.
In the Destination Folder page, click Next.
In the Ready to Install the Application page, click Next.
In the Citrix Session Recording Player has been successfully installed page, click Finish.
From the Start Menu, run the Session Recording Player.
Open the Tools menu, and click Options.
On the Connections tab, click Add.
Enter the FQDN of the Session Recording server.
On the Cache tab you can adjust the client-side cache size. Click OK.
Use the Search box to find recordings.
Or you can go to Tools > Advanced Search.
Once you find a recording, double-click it to play it.
If you see a message about Citrix Client version incompatibility, see CTX206145 Error: “The Session Recording Player Cannot Play Back This File” to edit the Player’s SsRecPlayer.exe.config file to accept the newer version.
To skip spaces where no action occurred, open the Play menu, and click Fast Review Mode.
You can add bookmarks by right-clicking in the viewer pane. Then you can skip to a bookmark by clicking the bookmark in the Events and Bookmarks
pane.

Director Integration

On the Director server, run command prompt elevated (as Administrator).
Run C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /configsessionrecording
Enter the Session Recording FQDN when prompted.
Enter 1 for HTTPS.
Enter 443 as the port.
In Director, when you view users or machines, you can change the Session Recording policy. These policy changes don’t apply until a new session is launched.
If the Session Recording menu says N/A then the Director user needs to be authorized in the Session Recording Authorization Console.
If you use Director to enable or disable recording for a user or machine, rules are added to the active policy on the Session Recording server. They only take effect at next logon.

Citrix Provisioning Master Device – Convert to vDisk

Last Modified: Dec 4, 2024 @ 3:56 am

153 Comments

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

Change Log
PXE Tester
Convert to vDisk – Imaging Wizard Method
- Boot from Network or ISO
Join Device to Domain
Boot from vDisk
Save Clean Image
KMS
Seal the vDisk
Defrag the vDisk
Standard Image Mode
vDisk High Availability
Create Cache Disk – vSphere
Create Cache Disk – Hyper-V
Verify Write Cache Location

💡 = Recently Updated

Change Log

2019 Jun 23 – KMS– new Accelerated Office Activation option in Provisioning 1906
2019 Jun 8 – vDisk HA – added link to Citrix Blog Post The vDisk Replicator Utility is finally finished!
2018 Sep 3 – renamed Provisioning Services to Citrix Provisioning
2018 June 9 – vDisk HA – added link to Citrix Blog Post vDisk Replicator Utility
2018 Jan 14 – in Defrag vDisk section, added note that ELM App Layering doesn’t need defrag. Source = Gunther Anderson at Performance considarations? at Citrix Discussions
2017 Dec 14 – in Imaging Wizard > Boot from PVS section, added P2PVS.exe

PXE Tester

If you will use PXE, download CTX217122 PXEChecker to the master machine.

The TFTP portion won’t work unless the client-side firewall is disabled.

To verify functioning PXE, run PXEChecker, and Run Test in Legacy BIOS mode. Or you can do a BDM Test (see the article for details).

Convert to vDisk – Imaging Wizard Method

The Imaging Wizard connects to a Citrix Provisioning server to create a vDisk (.vhdx file) and a device (database entry with device’s MAC address). Once that’s done, the machine reboots and the conversion process begins. You can also do all of these steps manually.

In the Citrix Provisioning Console, create a Store to hold the new vDisk.
In the Citrix Provisioning Console, create a Device Collection to hold the new Target Device. This could be a Device Collection for Updater machines.
The Imaging Wizard will ask you to enter a new machine name. You can’t use the existing machine name because Citrix Provisioning needs to create a new Active Directory account so Citrix Provisioning will know the new machine’s computer password.
If the Imaging Wizard is not already running, launch it from the Start Menu.
In the Welcome to the Imaging Wizard page, click Next.
In the Connect to Citrix Provisioning Site page, enter the name of a Citrix Provisioning server, and click Next.
In the Imaging Options page, click Next to create a new vDisk. Alternatively, you can select Create an image file.
In the Add Target Device page, enter a new unique name for the new Target Device.
Select a Collection name and click Next.
In the New vDisk page:
1. Enter a name for the vDisk.
2. Select an existing Store name.
3. Leave vDisk type set to Dynamic and VHDX.
Click Next
In the Microsoft Volume Licensing page, select None, and click Next. We’ll configure this later when switching to Standard Image mode.
In the What to Image page, leave it set to Image entire boot disk, and click Next.
In the Optimize Hard Disk for Citrix Provisioning page, click Next.
- Shown below are the optimizations it performs.
In the Summary page, click Create.
In the Restart Needed page, click Continue.
When asked to reboot, click No.
Then click Yes to shut down the machine. This gives you time to reconfigure the machine to boot from the network or ISO. The vDisk conversion process cannot continue until you are booted from Citrix Provisioning.
If you look in the Citrix Provisioning console, in the Store, you will see a new vDisk in Private Image mode. Currently there is nothing in this vDisk. The new vDisk is sized the same as the machine you ran Imaging Wizard from. You might have to Refresh the display to see the new vDisk.
In the chosen Device Collection, you will see a new Target Device record that is configured to boot from Hard Disk, and is assigned to the new vDisk. You might have to Refresh the display to see the new Device.

Boot from Network or ISO

Power off the Target Device.
If the Target Devices are on the same subnet as the Provisioning Servers, then you don’t need to configure DHCP Scope Options 66 or 67.
- EFI/UEFI devices require DHCP Scope Option 11 as described at CTX208519 Configuring PVS for High Availability with UEFI Booting and PXE service. DHCP Scope option 11 can have multiple PVS Server addresses.
If the Target Devices are on a different subnet than the Provisioning Servers, then machines can use a Boot ISO that has UEFI enabled. Or configure DHCP Scope Options 66 and 67.
1. For DHCP Scope option 66, you can only configure one TFTP Server address. For HA, you can enter a DNS name that does DNS round robin to multiple Citrix Provisioning servers. Or use Citrix ADC to load balance the TFTP service on the PVS servers.
2. Configure DHCP scope option 67 with the correct file name. For the EFI file name. See Unified Extensible Firmware Interface (UEFI) pre-boot environments at Citrix Docs.
For vSphere Client, edit the settings of the virtual machine.
Switch to the VM Options tab.
In the Boot Options section, check the box to Force EFI Setup, or Force BIOS Setup.
If vSphere, and booting from an ISO:
1. Switch to the Virtual Hardware tab.
2. Expand CD/DVD drive 1 and connect the virtual machine’s CD to the Datastore ISO File named PvSBoot.iso.
3. Make you check Connect At Power On.
4. Make sure the CD-ROM is IDE, and not SATA.
5. Also, remove any SATA controller.
6. Click OK to close the virtual machine settings.
If Hyper-V:
1. In VMM, edit the virtual machine properties
2. Switch to the Hardware Configuration page.
3. If booting from ISO, in the Virtual DVD drive page, assign the ISO from the library.
4. Switch to the Hardware Configuration > Firmware page
5. Move PXE Boot or IDE Hard Drive to the top.
6. Click OK to close the virtual machine properties.
Power on the virtual machine.
If vSphere EFI:
1. Boot the virtual machine.
2. In the Boot Manager, don’t select a boot option. Instead, go to Enter Setup.
3. Go to Configure boot options.
4. Go to Change boot order.
5. Press <Enter> on Change the order.
6. Use the plus icon on your number pad to move EFI Network to the top.
7. Commit changes and exit.
8. Exit the Boot Maintenance Manager.
9. Now boot from EFI Network.
If vSphere BIOS:
1. Boot the virtual machine.
2. In the Virtual Machine’s console, on the Boot tab, move Network boot or CD-ROM Drive to the top.
3. Press F10 to close the BIOS Setup Utility.
You should see the virtual machine boot from a Citrix Provisioning server and find the vDisk.
Once the machine has booted, login. If you see a Format Disk message, just ignore it, or click Cancel. The Imaging Wizard will format it for you.
The conversion wizard will commence. It will take several minutes to copy the files from C: drive (local hypervisor disk) to vDisk (Citrix Provisioning disk) so be patient.
1. If the Imaging Wizard does not successfully copy the local drives to the vDisk, first make sure the vDisk is mounted by opening the systray icon.
2. Then you can manually start the conversion by running C:\Program Files\Citrix\Provisioning Services\P2PVS.exe.
When done, click Done. It might prompt you to reboot. Reboot it, log in, and then shut it down.

Master Target Device – Join to Domain

Citrix Provisioning must learn the password of the Target Device’s Active Directory computer account. To achieve this, use the Citrix Provisioning Console to create or reset the computer account.

Do not use Active Directory Users & Computers to manage the Target Device computer account passwords. Creating, Resetting, and Deleting Target Device Active Directory computer objects must be done from inside the Citrix Provisioning Console so Citrix Provisioning will know the computer’s password. Citrix Provisioning will automatically handle periodic (default 7 days) changing of the computer passwords.

In the Citrix Provisioning Console, right-click the new Target Device, expand Active Directory, and click Create Machine Account.
Select the correct OU in which the Active Directory computer object will be placed, and click Create Account.
Then click Close.

Boot from vDisk

In the Citrix Provisioning Console, go to the Device Collection.
Right-click the new device, and click Properties.
On the General tab, set Boot from to vDisk.
Restart the Target Device.
At this point it should be booting from the vDisk. To confirm, in the systray by your clock is an icon that looks like a disk. Double-click it.
The General tab shows it Boot from = vDisk, and the Mode = Read/Write.

vDisk – Save Clean Image

If you have not yet installed applications on this image, you can copy the VHDX file and keep it as a clean base image for future vDisks.

If this vDisk is in Private Image mode, first power off any Target Devices that are accessing it.
Then you can simply copy the VHDX file and store it in a different location.

If you later need to create a new vDisk, here’s how to start from the clean base image:

Copy the clean base image VHDX file to a new folder.
Rename the file to match your new Image name.
In the Citrix Provisioning Console, create a new Store, and point it to the new folder.
Give the new Store a name.
On the Servers tab, select all Provisioning servers.
On the Paths tab, enter the path to the new folder. Click OK.
Click OK when asked to create the default write cache.
Right-click the new store and click Add or Import Existing vDisk.
Click Search.
Click OK if prompted that a new property file will be created with default values.
Click Add, click OK, and then click Close.
You can now assign the new vDisk to an Updater Target Device and install applications.

KMS

Skip this section if you are using Active Directory-based Activation instead of KMS Server.

This only needs to be done once. More information at CTX128276 Configuring KMS Licensing for Windows and Office.

Make sure the Citrix Provisioning services are running as an account that is a local administrator on the Provisioning Servers. Citrix Provisioning needs to mount the vDisk but only local administrators can mount VHDX files.
In the Citrix Provisioning Console, right-click on the virtual disk, and select Properties.
Click on the tab named Microsoft Volume Licensing, and set the licensing option to None. Click OK.
Boot an Updater device from the vDisk in Private Image mode.
Login to Windows and rearm the system for both Windows and Office, one after the other.
1. For Windows Vista, 7, 2008, and 2008R2: Run cscript.exe slmgr.vbs -rearm
2. For Office (for 64-bit client): C:\Program Files(x86)\Common Files\Microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
3. For Office (for 32-bit client): C:\Program Files\Common Files\Microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
A message is displayed to reboot the system, DO NOT REBOOT- Instead, run sealing tasks and then shut down the Target Device.
In the Citrix Provisioning Console, right-click on the virtual disk, and select Properties.
Click on the tab named Microsoft Volume Licensing, and set the licensing option to Key Management Services (KMS).
- In Citrix Provisioning 1906 and newer, also check the box next to Accelerated Office Activation.
Click OK.

Note: After streaming the vDisk to multiple Target Devices, Administrators can validate that the KMS configuration was successful by verifying that the CMID for each device is unique.

For Windows: Run cscript.exe slmgr.vbs –dlv
For Office: Run C:\Program Files\Microsoft Office\Office16\cscript ospp.vbs /dcmid

Also see Citrix Blog Post Demystifying KMS and Provisioning Services

vDisk – Seal

Do the following sealing steps every time you switch from Private Image mode to Standard Image mode, or promote a Maintenance Image to Test or Production.

Run antivirus sealing tasks. See VDA > Antivirus for links to various antivirus vendor articles.
Citrix Blog Post Sealing Steps After Updating a vDisk contains a list of commands to seal an image for Citrix Provisioning.
Citrix Blog Post PVS Target Devices & the “Blue Screen of Death!” Rest Easy. We Can Fix That has a reg file to clear out DHCP configuration.
Shut down the target device.
Note: Base Image Script Framework (BIS-F) automates many sealing tasks. The script is configurable using Group Policy.

Defrag the vDisk

In the Citrix Blog Post Size Matters: PVS RAM Cache Overflow Sizing, Citrix recommends defragmenting the vDisk.

If the vDisk was created by App Layering ELM, then Gunther Anderson at Performance considarations? at Citrix Discussions says there’s no point in doing a defrag.

While still in Private Image mode, right-click the vDisk, and click Mount vDisk.
In File Explorer, find the mounted disk, right-click it, and click Properties.
On the Tools tab, click Optimize.
Highlight the mounted drive and click Optimize.
When done, back in Citrix Provisioning Console, right-click the vDisk, and click Unmount vDisk.

Standard Image Mode

In the Citrix Provisioning Console, go to the vDisk store, right-click the vDisk, and click Properties.
On the General tab:
1. Change the Access Mode to Standard Image.
2. Set the Cache Type to Cache in device RAM with overflow on hard disk. Don’t leave it set to the default cache type or you will have performance problems. Also, every time you change the vDisk from Standard Image to Private Image and back again, you’ll have to select Cache in device RAM with overflow on hard disk.
3. Change the Maximum RAM size to a higher value. For virtual desktops, set it to 512 MB or larger. For Remote Desktop Session Hosts, set it to 4096 MB or lager. Make sure your Target Devices have extra RAM to accommodate the write cache.
4. On the bottom of the General tab is a new checkbox to disable cleanup of cached secrets. By default, Citrix Provisioning 7.12 and newer will delete any cached credentials. This behavior can be disabled by checking the box.
Click OK when done.

vDisk – High Availability

In the Citrix Provisioning Console, right-click the vDisk, and click Load Balancing.
Ensure Use the load balancing algorithm is selected. Check the box next to Rebalance Enabled. Click OK.
Go to the physical vDisk store location (e.g. D:\Win2016Common) and copy the .vhd and .pvp vDisk files for the new vDisk. Do not copy the .lok file.
Go to the same path on the other Provisioning Server and paste the files. You must keep both Provisioning Servers synchronized.

Another method of copying the vDisk files is by using Robocopy:

Robocopy D:\vDisks\ \\pvs2\d$\vDisks *.vhd *.avhd *.pvp *.vhdx *.avhdx /b /mir /xf *.lok /xd WriteCache /xo

Citrix Blog Post The vDisk Replicator Utility is finally finished! has a GUI utility script that can replicate vDisks between Citrix Provisioning Sites and between Citrix Provisioning Farms.
In the Citrix Provisioning Console, right-click the vDisk, and click Replication Status.
Blue indicates that the vDisk is identical on all servers. If they’re not identical then you probably need to restart the Citrix PVS Stream Service and the Citrix PVS SOAP Service. Click Done when done.

Cache Disk – vSphere

Here are vSphere instructions to remove the original C: drive from the Master Target Device, and instead add a blank cache disk.

In vSphere Client, right-click the Master Target Device, and click Edit Settings.
Select Hard disk 1, and click the x icon. Click OK.
Edit the Settings of the virtual machine again.
On the top right, click Add New device, and select Hard Disk.
This is your cache overflow disk. Size is based on the type of VDA.
- 40 GB is probably a good size for session hosts.
- For virtual desktops this can be a smaller disk (e.g. 5 GB).
- Note: the pagefile must be smaller than the cache disk.
Expand the newly added disk, and set Disk Provisioning to Thin provision if desired. Click OK when done.
Configure group policy to place the Event Logs on the cache disk.
Boot the Target Device and Verify the Write Cache Location.

Cache Disk – Hyper-V

Remove the original C: drive from the Target Device and instead add a cache disk.

Edit the settings of your Citrix Provisioning master virtual machine and remove the existing VHD.
Make a choice regarding deletion of the file.
Create a new Disk.
This is your cache overflow disk. 15-20 GB is probably a good size for session hosts. For virtual desktops this can be a smaller disk (e.g. 5 GB). Note: the pagefile must be smaller than the cache disk. Click OK when done.
Configure group policy to place the Event Logs on the cache disk.

Verify Write Cache Location

Boot the target device virtual machine.
Open the Virtual Disk Status window by clicking the Citrix Provisioning disk icon in the system tray by the clock.
Make sure Mode is set to Read Only and Cache type is set to device RAM with overflow on local hard drive.
If Cache type says server, then follow the next steps:
1. For the cache disk, if machine uses BIOS, then only MBR is supported. GPT only works with EFI/UEFI machines.
2. The cache disk must be a Basic disk, not Dynamic.
3. Format the cache disk with NTFS.
4. Make sure the pagefile is smaller than the cache disk. If not it will fail back to server caching.
After fixing the problem and rebooting, the Cache Type should be device RAM with overflow on local hard drive.
To view the files on the cache disk, go to Folder Options, and deselect Hide protected operating system files.
On the cache disk, you’ll see the pagefile, and the vdiskdiff.vhdx file, which is the overflow cache file.

Create Target Devices
Back to Citrix Provisioning

Citrix Provisioning Master Device – Preparation

Last Modified: Dec 4, 2024 @ 3:54 am

230 Comments

Navigation

This article applies to all 7.x versions of Citrix Provisioning, including 2411, 2402 LTSR, and 2203 LTSR.

Change Log
General Preparation
Pagefile
VMware ESXi/vSphere
Hyper-V
Antivirus
Boot ISO
Install Provisioning Target Device Software
Target Device Software Tweaks – prevent drive for cache, excessive retries, hide Provisioning icon

💡 = Recently Updated

Change Log

2024 Dec 4 – updated Target Device Software section for version 2411
2023 Dec 23 – Converting BIOS vDisks to UEFI at Citrix Docs.

General Preparation

In Provisioning 2311 and newer, make sure the VDA machine is UEFI instead of BIOS. If not, see Converting BIOS vDisks to UEFI at Citrix Docs.
Build the VDA like normal.
Update VMware Tools.
Join the machine to the domain.
Chrome and Edge – CTX212545 PVS 7.6 CU1: Write cache getting filled up automatically recommends disabling Google Chrome automatic updates.

Pagefile

Ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB and Citrix Provisioning will be unable to move it to the cache disk. This causes Citrix Provisioning to cache to server instead of caching to your local cache disk (or RAM).

The cache disk size for a session host is typically 15-20 GB. The cache disk size for a virtual desktop is typically 5 GB.

Open System. In 2012 R2 and newer, you can right-click the Start button, and click System.
For older versions of Windows, you can click Start, right-click the Computer icon, and click Properties. Or find System in the Control Panel.
Click Advanced system settings.
On the Advanced tab, click the top Settings button.
On the Advanced tab, click Change.
Either turn off the pagefile or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Don’t forget to click the Set button. Click OK several times.

VMware ESXi/vSphere

VMXNET3

E1000 is not supported – For VMware virtual machine, make sure the NIC is VMXNET3. E1000 is not supported and will affect performance.

View hidden adapters in Device Manager and delete any ghost VMXNET3 NICs.

At the command prompt, type the following lines, pressing ENTER after each line
```
set devmgr_show_nonpresent_devices=1
start devmgmt.msc
```
Open the View menu, and click Show hidden devices.
Expand Network adapters, and look for ghost NICs (grayed out). If you see any, remove them.

SATA Controller

Citrix Provisioning does not support the SATA Controller that became available in ESXi virtual machine hardware Version 10. Change the CD/DVD Drive to IDE instead of SATA.

Then remove the SATA Controller.

NTP

Ensure that the ESXi hosts have NTP enabled.

DHCP

After creating the vDisk, follow the instructions at Provisioning Services 6 Black Screen Issue to clear any DHCP address in the vDisk.

Slow Boot Times

Citrix Provisioning Target Devices in VMware ESX boot slow intermittently after upgrading the ESX hosts from 5.0 to 5.1.

Citrix CTX139498 Provisioning Services Target Devices Boot Slow in ESX 5.x: Use the following command to disable the NetQueue feature on the ESX hosts:

esxcli system settings kernel set -s netNetqueueEnabled -v FALSE

Hyper-V

Generation 2 support is available in Citrix Provisioning 7.8 and newer.
If Generation 1, each Hyper-V Citrix Provisioning Target Device must have a Legacy network adapter. Legacy NIC supports Network Boot, while the Synthetic NIC does not.
Give the Legacy Network Adapter a Static MAC address. If you leave it set to all zeros then VMM will generate one once the VM is deployed.
When you reopen the virtual machine properties there will be a Static MAC address.
Set the Action to take when the virtualization server stops to Turn off virtual machine. This prevents Hyper-V from creating a BIN file for each virtual machine.
To set a VLAN, either create a Logical Network and Network Site.
Or use Hyper-V Manager to set the VLAN on each virtual machine NIC.

Antivirus Best Practices

Citrix’s Recommended Antivirus Exclusions

Citrix Tech Zone: Endpoint Security, Antivirus, and Antimalware Best Practices.

Citrix Blog Post Citrix Recommended Antivirus Exclusions: the goal here is to provide you with a consolidated list of recommended antivirus exclusions for your Citrix virtualization environment focused on the key processes, folders, and files that we have seen cause issues in the field:

Set real-time scanning to scan local drives only and not network drives
Disable scan on boot
Remove any unnecessary antivirus related entries from the Run key
Exclude the pagefile(s) from being scanned
Exclude Windows event logs from being scanned
Exclude IIS log files from being scanned

See the Blog Post for exclusions for each Citrix component/product including StoreFront, VDA, Controller, and Provisioning. The Blog Post also has links to additional KB articles on antivirus.

Sophos

Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Kaspersky

CTX217997 BSOD Error: “STOP 0x0000007E CVhdMp.sys with Kaspersky antivirus: install Kaspersky Light Agent using the /pINSTALLONPVS=1 switch.

Boot ISO

You can create a Citrix Provisioning boot ISO for your Target Devices. This is an alternative to PXE.

On the Provisioning server, run Citrix Provisioning Boot Device Manager.
In the Specify the Login Server page, add the IP addresses of Provisioning servers.
Check the box next to Target device is UEFI firmware. Click Next.
In the Set Options page, check the box next to Verbose Mode, and click Next.
In the Burn the Boot Device page, do not click Burn. If you do, then you will have a very bad day. Instead, look in the Boot Device section, and change it to Citrix ISO Image Recorder. Then you can click Burn.
Save the iso and upload it to a datastore or VMM library.
You can now configure your Target Devices to boot from this ISO file.

Target Device Software Installation

The Target Device Software version must be the same or older than the Citrix Provisioning server version.

The install instructions for all Target Device versions 2411 and older are essentially the same.

Do the following on the master VDA you intend to convert to a vDisk. Try not to install this while connected using RDP or ICA since the installer will disconnect the NIC.

Ghost NICs – Your Target Device might have ghost NICs. This is very likely to occur on Windows 7 and Windows 2008 R2 VMs when using VMXNet3. Follow CTX133188 Event ID 7026 – The following boot-start or system-start driver(s) failed to load: Bnistack to view hidden devices and remove ghost NICs.
Go to the downloaded Citrix Provisioning and run PVS_Device_x64.exe.
If you see a requirements window, then click Install to install prerequisites.
In the Welcome to the Installation Wizard for Citrix Provisioning Target Device x64 page, click Next.
In the License Agreement page, select I accept, and click Next.
In the Customer Information page, click Next.
In the Destination Folder page, click Next.
In the Ready to Install the Program page, click Install.
In the Installation Wizard Completed page click Finish.
Click Yes if prompted to restart.
The Imaging Wizard launches. Review the following tweaks. Then proceed to converting the Master Image to a vDisk.

Target Device Software Tweaks

Asynchronous I/O

Prevent Drive for Write Cache

From Citrix Community PVS Target Device wrong drive letters: The driver that determines which partition to place the local cache searches for a file named: {9E9023A4-7674-41be-8D71-B6C9158313EF}.VDESK.VOL.GUID in the root directory. If the file is found it will not place the write cache on that disk.

Excessive Retries

If VMware vSphere, make sure the NIC is VMXNET3.

Hide Citrix Provisioning Systray Icon

From Citrix CTX572340 Hide “Virtual Disk status” icon from System tray on the endpoints: Add the reg value below:

HKLM\Software\Citrix\ProvisioningServices\StatusTray
- ShowIcon (DWORD) = 0

This however will disable to all users, even Admins. Solution: Apply the HKCU key below based on Group membership (Group Policy Preferences > Item Level Targeting):

HKEY_CURRENT_USER\SOFTWARE\Citrix\ProvisioningServices\StatusTray
- ShowIcon (DWORD) = 0

Once that is in place the icon will go away.

Convert Master Device to vDisk
Back to Citrix Provisioning

Navigation

NetScaler Gateway Universal Licenses

Create Gateway Virtual Server

Verify SSL Settings

Gateway Portal Theme

SSL Redirect – Down vServer Method

Public DNS SRV Records

Block Citrix VPN for iOS

View ICA Sessions

Customize Logon Page

Logon Page Labels

Logon Security Message (Disclaimer, EULA)

Logon Page Links

Other Customizations

UDP Audio Through Gateway

Next step

Unified Gateway

Content Switching vServer with Gateway as Target

Gateway vServer with Load Balancing vServer as Target

StoreFront – Rewrite X-Citrix-Via

Navigation

Session Profiles/Policies CLI Commands

Session Profiles

Session Policies

Next Step

Navigation

Verify LDAPS

LDAP Load Balancing

LDAP Server

Authentication Feedback and Licenses

Next Step

Multiple Domains

Navigation

Monitor

Servers

Service Group

Load Balancing Virtual Server

SSL Redirect – Down vServer Method

StoreFront Base URL

Subscription Replication Load Balancing

Related Posts

Navigation

Cipher Group

Default SSL Profile

Bind Certificate, Bind Cipher Group, Disable SSLv3, Enable STS

SSL Tests

SSL Redirect – Down vServer Method

SSL Redirect – Responder Method

Navigation

Overview

LDAPS Monitor

Servers

Service Groups

Virtual Server

Clear Text LDAP

Next Steps

Navigation

SDX IP Configuration

Service VM Firmware – Upgrade

XenServer – Upgrade

XenServer Supplemental Pack

XenServer Hotfixes

Service VM Hostname

Service VM Time Zone and NTP

Licensing

Service VM Alerting

Service VM nsroot Password and AAA

SSL Certificate and Encryption

XenServer LACP Channels

VPX Instances – Provision

VPX Instances – Manage

VPX Instance – Firmware Upgrade

Service VM Monitoring

Service VM Backups

Navigation

Planning

Session Recording Server Installs

IIS and Message Queuing

Server Components

Upgrade