Archive
Synergy 2015 – A condensed recap of everything you need to know – via @gkuruvilla, #Citrix, #CitrixSynergy
This is a great summary recap that George Kuruvill has done of Citrix Synergy 2015! Great work and enjoy this blog post!
For those of you who were not able to attend Citrix Synergy this year & dont have the time to sit through the key note recordings, I decided to put together a condensed version of some of the key announcements. So here goes!
Citrix Workspace Cloud
- Citrix hosted control plane that enables customers to deliver a comprehensive mobile workspace to end users.
- Gives customers the flexibility to host workloads on premises, in public or private clouds.
- Control plane also provides end to end monitoring of user connections.
- Evergreen infrastructure since Citrix maintains all core infrastructure components.
- Workspace Cloud Connector installed on premises on a Win 2k12 server that establishes SSL communication between control plane and customer environment. Used to talk to infrastructure components like Active Directory and hypervisors hosting workload
I wrote a blog on CWC and the value proposition a month back that you can find here.
SYN 217 – Workspace Cloud – Technical Overview [Video]
Citrix Lifecycle Management
- Comprehensive cloud based service that can be used to design, deploy and manage both Citrix and other enterprise applications.
- Based on the ScaleXtreme technology.
- Lifecycle Management enables customers/partners to deploy infrastructure not only on premises but also public/private clouds (resource locations)
- Customers/Partners have the ability to create blueprints to automate infrastructure deployments end to end. Examples of blueprints include a XD deployment for instance where you could not only install all the XD infrastructure but also automate the installation of all supporting infrastructure like Active Directory, SQL etc.
- Vendors have the ability to create blueprints as well that can then be consumed by customers and partners alike.
- Customers/Partners also have the ability to incorporate scripts (new/existing) into the deployment.
- Once a blueprint is developed, its added to a library. Any resource within the library can then be deployed to a resource location (on premises, public/private cloud)
- Another key benefit of the Lifecycle Management technology is the ability to automate application upgrades.
XenApp/XenDesktop
- Xenapp 6.5 maintenance extended till end of 2017, EOL extended till 06/2018. Details here
- New Feature Pack for XA 6.5 (enhance storage performance, Lync support enhancements, UPM enhancements, Director “Help Desk” troubleshooting”, Storefront 3.0, Receiver.next)
- XenApp/XenDesktop 7.6 FP2 (End of Q2)
- New Receiver X1
- Lync 2013 on Mac
- Touch ID Support
- HDX with Framehawk
- Native Receiver for Linux
- Linux Apps and Desktops (Redhat and SUSE support)
- Desktop Player for Mac 2.0 (June)
- Desktop Player for Windows (Tech Preview)
SYN 233 – Whats new in XenApp and XenDesktop [Video]
SYN 319 – Tech Update for XenApp and XenDesktop [Video]
Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work! 😉
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to “pass first time” without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won’t cover StoreFront in this post.
Of course technically “bad guys” can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ-hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs so the external firewall rules no longer protect you)
- Remove unnecessary management tools (telnet and FTP are considered insecure so should alwaysbe disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that “Secure access only” is selected to force SSL access to the GUI
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won’t be used for management and untick “Enable management access”
- Change the default nsroot password to something long (obvious you’d think but you’d be amazed how many Netscalers I’ve seen that I can just log straight into using the default credentials!)
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won’t be able to make any changes, it’s still not a good idea them having this access!)
- If you are using…
Continue reading here!
//Richard
Performance tuning #Citrix #Storefront – via @msandbu
Great article by Marius!
Read it and also have a look here at my previous post related to this: #Citrix #StoreFront Slowness, Join and Replication issue – check list!
This is something I wanted to write about for some time now, after the release of XenDesktop 7 but there are only 24 hours in one day so therefore I didn’t have the time before now 
But the purpose of this post is to really say that Storefront is slow…..
Don’t get me wrong it not about Citrix but the combination of Storefront and IIS that makes it a bit complex and therefore this makes it a bit slow.
Now there are a couple of tricks that can tune the perfomance.
Socket Pooling
In Web Interface you could enable it from the console, but in StoreFront we have to change it in the store config. By enabling socket pooling, Storefront maintaines a pool of sockets instead of creating a socket each time a new user connects, this will give a better performance for SSL based traffic.
You can enable this by opening the web.config file under C:\inetpub\wwwroot\Citrix\storename\
pooledSockets="off"
And Change this to “on” after that you have to do an IIS reset.
Application Initialization
(NOTE: Make sure you backup the config files before making alterations)
With Windows Server 2012 we have a new feature in IIS called always running on the application pools, this allowed for IIS to make everything ready after an application pool has restarted, before this the previous IIS was set to start loading after the first user tried to login after a restart. This caused the first user to login after an application pool has restarted to take loooong time to login. With Server 2012 IIS we can change the application pool to always running.
With 2008 R2 not so easy. But we can make it happen
First we need to download the application initialization feature from Microsoft
http://www.iis.net/downloads/microsoft/application-initialization
After that is done and installed…
Continue reading here!
//Richard
Choose your #Citrix #NetScaler … wisely… – via @hlouwers
This is a question I get a lot and I must say that Henny Louwers did answer it well in this blog post!
I spend a lot of my time breaking down the different models of Citrix NetScaler appliances and different Software Editions within the Citrix NetScaler portfolio.
I decided to set up a blog about this since the path is usually pretty much (lengthy but) the same. This does not mean the answer is always easy because there are a lot of questions that need to be answered.
The first thing I would like to get off my chest is the following: Stop seeing/selling the Citrix NetScaler as a replacement for Secure Gateway. It is so much more than that. I often have discussions with various engineers and consultants telling me that Citrix NetScaler is so expensive for a Remote Access solution because Secure Gateway always used to be free. No offense but a Citrix NetScaler solution belongs to the networking department, not the Citrix XenApp sys admin department. Or maybe limited.
That leads me to the first difficult thing of a Citrix NetScaler project. The adoption of the Citrix NetScaler appliances to the networking guys of an organization. They need to embrace the solution to make this a success. For some reason they too see it as a ‘’Citrix’’ solution. For that reason one of the most important meetings to setup is usually with the networking guys to try to explain the L3-L7 functionality of the Citrix NetScaler solution. When they realize it competes with F5, Juniper, Cisco, etc then we are on the right track.
NetScaler Gateway or NetScaler Standard Edition
Usually the first question of a customer is regarding something simple like replacing the Remote Access solution. Since the NetScaler is going to be the main platform for publishing Citrix publications a NetScaler Gateway can be considered as a valid option. This is when I tell a customer it would be wise to spend a little extra on the NetScaler Standard Edition since this would leverage the solution be having full load balancing capabilities (among others). When you compare prices between the NetScaler Gateway and NetScaler Standard Edition you will see that the Standard Edition will be somewhat more expensive but I for one think that it is worth the difference given the feature set that come with the Standard Edition. Of course the NetScaler Gateway can always be upgraded to a NetScaler Standard Edition (or higher) if you will.
Another feature of Citrix NetScaler Standard Edition is the ability to run Citrix Web Interface on the appliance. Honestly, I do think is not really that important anymore….
Continue reading here!
//Richard
#Citrix #NetScaler 10 on Amazon Web Services – #AWS
Yes, it’s here! 🙂
Mainstream IT is fast embracing the enterprise cloud transformation and selecting the right cloud networking technologies has thus quickly emerged to be an imperative. As mainstream IT adopts IaaS (Internet as a service) cloud services, they will require a combination of the elasticity and flexibility, expected of cloud offerings and the powerful advanced networking services used within emerging enterprise cloud datacenters.
Citrix® NetScaler® 10 delivers elasticity, simplicity and expandability of the cloud to enterprise cloud datacenters and already powers the largest and most successful public clouds in the world. With NetScaler 10, Citrix delivers a comprehensive cloud network platform that mainstream enterprises can leverage to fully embrace a cloud-first network design.
Citrix and Amazon Web Services (AWS) have come together to deliver industry-leading application delivery controller technology. NetScaler on AWS delivers the same services used to ensure the availability, scalability and security of the largest public and private clouds for AWS environments. Whether the need is to optimize, secure or control delivery of enterprise and cloud services, NetScaler for AWS can help accomplish these initiatives economically, and according to business demands.
The full suite of NetScaler capabilities such as availability, acceleration, offload and security functionality is available in AWS, enabling users to leverage tried-and-true NetScaler functionality such as rewrites and redirects, content caching, Citrix Access Gateway™ Enterprise SSL VPN, and application firewall within their AWS deployments. Additional benefits include usage of Citrix CloudBridge™ and Citrix Branch Repeater™ as a joint solution.
Citrix NetScaler transforms the cloud into an extension of the datacenter by eliminating the barriers to enterprise-class cloud deployments. Together, NetScaler and AWS delivers a broad set of capabilities for the Enterprise IT:
Hybrid Cloud Environment
Hybrid clouds that span enterprise datacenters and extend into AWS can benefit from the same cloud networking platform, significantly easing…
Continue reading here!
//Richard
Heads Up – issues with Access Gateway Plug-in for Mac OS X Version 2.1.4 – #Citrix, #NetScaler
Well, I guess that you’ve already read all the good things about the new capabilities of the newer Access Gateway plug-in, Receiver and Access Gateway Enterprise that together with StoreFront will add additional features and functions that haven’t existed before. It’s now built to work together with the Receiver on the Windows and Mac OS X platforms and promises a lot by various blog posts from Citrix and others (incl. myself).
Here is an example of what it can (should) do: What’s new with Access Gateway MAC Plug-in release 2.1.4
But is the Access Gateway Plug-in that great? Well, before you plan to implement version 2.1.4 on OS X and especially if you want to leverage the SSL VPN functionality and host checks (EPA) then read the Important notes and Known issues for this release:
Important Notes About This Release:
- The Access Gateway Plug-in for Mac OS X Version 2.1.4 supports Citrix Receiver Version 11.7
- Import the secure certificate for Access Gateway into the Keychain on the Mac OS X computer.
- The Access Gateway Plug-in for Mac OS X Version 2.1.2 and earlier versions are not supported on Mac OS X Version 10.8.
- Endpoint analysis scans for antivirus, personal firewalls, antispam, Internet security, and EPAFactory scans are not supported for Mac OS X.
- Client certificate authentication is not supported for Mac OS X.
First of all I’d say that these notes are not that great if you ask me! Why do I have to add the cert into the Mac Keychain? Why doesn’t the plug-in support the more “advanced” host checks like personal firewalls, certificates etc.?
Wait, it get even worse!! And before you go to the whole list I’d highlight these top ones that I’m kind of surprised about:
- It doesn’t support LAN access
- Upgrading doesn’t work
- Doesn’t apply proxy settings configured in session profile
- It doesn’t support SAN certificates
- Users cannot start the Access Gateway plug-in if the Receiver is already started, you first have to shut down the Receiver
Here you see the full Known Issues list for this release:
- When users disable wireless on a Mac OS X computer and connect by using a 3G card, the Access Gateway Plug-in does not upgrade automatically through Citrix Receiver. If users select Check for Updates to upgrade the plug-in, the upgrade fails and users receive the error message “Updates are currently not available.” [#45881]
- If you run stress traffic for HTTP, HTTPS, and DNS simultaneously, the Access Gateway Plug-in fails. [#46348]
- When users disable wireless on a Mac OS X computer and connect by using a Vodafone Mobile Broadband Model K3570-Z HSDPA USB 3G stick, the Access Gateway plug-in does not tunnel traffic. [#256441]
- If you configure an endpoint analysis policy and also enable the client choices page and proxy servers in a session profile, occasionally a blank choices page appears after users log on. When you disable the choices page in the session profile, the choices page appears correctly. [#316331]
- If users connect to Access Gateway with the Access Gateway Plug-in for Mac OS X and then run ping with a payload of 1450 bytes, the plug-in fails to receive the ICMP reply. [#321486] Read more…
#Citrix #NetScaler, #AGEE and Macbook OS X… bad start of the evening session!
Ok, I was just going to log in and play around and setup another AppController to verify some thoughts around a customer case in our EnvokeIT environment. And what did I do? I just opened my lovely Macbook Air (no one will ever take that one from me!!) and thought I would connect into our internal EnvokeIT lab environment and decided for some reason to connect over SSL VPN this time rather than running everything on the internally published desktop.
So I opened the browser and connected to our AGEE vip that presented me with the rather ok-looking login page as you can see here that my colleague modified to make it a bit more aligned with the StoreFront/Receiver for Web that we use in this little environment (otherwise you get that black ugly NetScaler login prompt, please get your product look & feel in synch Citrix!).
But then after I logged in I though that why not try out the SSL VPN client for my Mac! So I choose Network Access here;
And then I realised that the modifications weren’t really all ok as you can see here when I was prompted to download the Access Gateway Plugin for OS X (SSL VPN client)…
The IT Melting Pot! 