Archive
#Citrix #StoreFront Planning Guide
Ok, this product has caused some headaches since it was released. And I must say that this guide is something that Citrix should have released a long time ago… there are so many companies out there struggling with how to deal with Web Interface being phased out and how/what to do with StoreFront!
So enjoy!
Download StoreFront Planning Guide!
//Richard
SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront
Single Sign-On from Access Gateway to StoreFront not working in CVPN mode
There is yet another “thing” to keep in mind when setting up Access Gateway and StoreFront in CVPN mode!
It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!
After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!
So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…
The following picture tries to give a VERY rough picture of what it could look like: clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the slightly newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…
The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy has been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).
But SSO still doesn’t work!! If you log in through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly, but then when it tries to pass the authentication through to StoreFront it fails.
This picture just shows the login to the NetScaler ADC Access Gateway vServer:
#Citrix VDI-in-a-Box 5.2, now supports CloudGateway etc. – @VDIinaBox, @CitrixCG
Ok, now VDI-in-a-Box is becoming more and more “complete”! This release delivers some of the features many have wanted for a while! For instance the support of the latest hypervisors as well as CloudGateway!
Read more below taken from the Citrix blog post:
Version V5.2 is now ready for prime time. The focus of this release was to support the latest hypervisors and Citrix components. Actually we did a lot more because we added a few features that our users have been clamoring for.
Support for the latest hypervisors:
As always we need to stay current and so version 5.2 supports vSphere 5.1, XenServer 6.1 and Microsoft Hyper-V Server 2012. The latter should increase desktop density quite a bit. We’d love to hear your experiences along those lines. Please post on the forum what sort of density increases you are experiencing.
Unified access to VDI-in-a-Box desktops and your applications and data:
Version 5.2 now supports Citrix’s Cloud Gateway and allows you to access VDI-in-a-Box through it. Cloud Gateway provides a unified application and data store allowing you to access Windows, web, SaaS and Mobile applications seamlessly and so we felt it important that VDI-in-a-Box work with this application and data aggregation service.
Real-time collaboration with Microsoft Lync:
In addition, we support Microsoft Lync via the Citrix HDX RealTime Optimization Pack for Microsoft Lync. Now users can seamlessly participate in audio-video or audio-only calls to and from other HDX RealTime users and other standards-based video desktop and conference room systems. This is especially good for call centers and the like who want wide ranging soft phone functionality with their virtual desktops.
Highly available Personal Desktops with PVD:
Many had asked that we provide some form of high availability for Personal (PVD) desktops. We provide this by allowing you to place PVD desktops on shared storage. Here’s how it works. You specify a third datastore which resides on shared storage and VDI-in-a-Box will honor this request and store all Personal desktops using PVD on it.
Turn old desktops into locked down thin clients:
Kids will be kids and so many school lab administrators have asked that we provide a way to lock down the devices used in their labs. Now, you can download the Desktop Lock from the VDI-in-a-Box download page on the Citrix web site. It will allow you to lock down the physical device and essentially turn your old desktops and workstations into a thin client that connects directly to VDI-in-a-Box and keeps the kids from doing any mischief.
Fully automated software update with our Touchless DTagent:
And since we’re always looking for ways to make things simpler, with V5.2, we now have a fully automated way for you to upgrade the VDI-in-a-Box software. We had two issues in the past. First, you had to manually install the VDI-in-a-Box desktop agent on a golden image (that is then used to stamp out multiple desktop instances). Second, when you upgraded the VDI-in-a-Box software, you had to manually update the agent on each existing golden image. In Version 5.1, we automatically install the agent on all new images. With V5.2, we now provide you a list of existing golden images whose agents need to be updated and once you click yes, we walk you through a wizard to automatically upgrade the agent and test the golden image. For more details on this, see the blog by David Liu: http://blogs.citrix.com/2013/01/22/viab-5-2-makes-updating-desktop-agents-easier/.
Continue reading here!
//Richard
Great UI Theme improvement setting – #AccessGateway, #NetScaler, #Citrix
I must say finally! It’s not 100% yet for everyone out there but it’s a step in the right direction. The NetScaler, Access Gateway, Web Interface, StoreFront and Receiver have not really been in sync when it comes to UI and end-user experience…. But now Citrix has improved it!
Access Gateway is a secure remote access product and hence tends to be the entry point for corporate users, wanting to access their enterprise applications and desktops. Given this, it makes sense for corporates, to try and customize the logon experience on Access Gateway, to match their corporate look and feel.
Access Gateway has always allowed for this customization, though, it’s been somewhat of a tedious process. With the new 10.0.71.6014.e release, we are making an attempt to simplify this experience.
UI Customization on Access Gateway is a multi-step process:
- Access the built in theme web pages and customize them, to match the corporate requirements
- Apply the modified theme (collection of web pages) at the right location
- Modify certain scripts to make this change persistent
- Every time the firmware has to be upgraded, take a backup of the customized pages and scripts and re-apply the same after the upgrade.
A quick Google search will give you a number of helpful and very accurate blogs/articles, on how to tweak the web pages to customize and create your corporate look and feel. Some of my favorites are:
- http://blogs.citrix.com/2012/04/19/green-bubble-theme-for-citrix-netscaler/
- http://jariangibson.com/2012/04/16/apply-citrix-receiver-theme-to-netscaleraccess-gateway-10/
With this new release, we have automated all the other steps (i.e. 2-4) for you. Instead of having to worry about how to apply this theme, or having to take backups every time you upgrade, the new release will automatically handle this for you.
To see the new offering in this r…

Continue reading here!
//Richard
New Citrix Access Gateway Release – #AG, #SmartAccess, #Receiver, #Citrix
Ok, just as we expected there is now a new release of Access Gateway that goes hand in hand with the new Receivers as I wrote about in the following posts:
Receiver for Windows 3.4 released
Receiver for Mac 11.7 Released
And of course, as you could read in the first post above, there are great improvements to the end-user experience when accessing resources: now you have ONE login for both the Receiver and the Access Gateway plugin. And as that post also highlights, there is support for host checks (EPA scans) in Receiver use cases as well! Finally! 😉
More info on the new Access Gateway release 10.0.71.6014.e below:
With the release of Citrix CloudGateway 2.5, comes the release of Citrix Access Gateway 10.0.71.6014.e. Citrix CloudGateway as you are aware, is the Citrix Enterprise Mobility offering, complete with Citrix Receiver running enterprise applications on the end point, Citrix Storefront running your enterprise app store, Citrix AppController running your mobile policy management and Citrix Access Gateway providing remote access to all this infrastructure.
With every CloudGateway release, Access Gateway continues to build incredible integration and smart abilities, which makes it the de-facto remote access solution for your CloudGateway deployments. Access Gateway is the only remote access solution today, which can offer seamless Receiver configuration using Email based discovery and provide intelligent integration with Storefront and AppController, to provide single sign-on to all your enterprise applications.
With this new release, Citrix Access Gateway will be able to provide the following value additions in your CloudGateway deployments:
- Seamless Desktop Receiver experience: With this release of Access Gateway, end users will no longer have to sign into their Access Gateway plug-ins as a manual step, to access apps / sites that require a full SSL tunnel. Receivers automatically launch a SSL VPN session via Access Gateway as needed. Result is – end user just deals with Citrix Receiver and Receiver internally (and automatically) deals with Access Gateway on user’s behalf.
- EPA with ICAProxy / CVPN: Receivers can now seamlessly launch AG plug-ins to connect to an Access Gateway vServer configured with End Point Analysis policies, in ICAProxy and CVPN modes as well. Earlier, this was supported only for Full Tunnel access.
- Session Sharing: Receiver and AG plug-in have always been two separate entities, and because of that, they establish two parallel sessions with Access Gateway. With this release, we have added the smarts in our Receiver and Access Gateway integration, to understand each other, and be able to share the same session with Access Gateway appliance. Good News – this now leads to simplified access from end user perspective, and optimal session/license consumption from Administrator perspective.
- Device Wipe/Lock support for AppController: With CloudGateway 2.5, AppController is launching the ability to register and track mobile devices via AppController. These registered mobile devices can then be locked / wiped, if the..
Continue reading here!
//Richard
#Zenprise is now a part of #Citrix
Zenprise is now officially a part of Citrix! For a press release and additional info read here.
I am really excited about this!! But my initial question about this acquisition is how the offerings will be bundled together. Right now you can purchase CloudGateway to get the MAM capabilities for mobile apps and data, and of course then also deliver XenApp, XenDesktop plus SaaS and internal web services. And that’s a nice offering but now with the more capable MDM parts from Zenprise, what will the license model look like and what will in the end a “Platinum” license provide?
My hope is of course that the whole license model is changed to be aligned with all acquisitions from the past years so that you could purchase a “Platinum” license that truly covers all the capabilities and products to make life easier for everyone….
My fear though is that Zenprise will be added as a separate MDM capability on top of CloudGateway as the “Diamond” edition! 😉 and it will probably exist in both CCU and named user/device models to make life even harder…
Please Citrix: surprise us with a new price and license model that spans the whole product/service stack! 🙂
//Richard
#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront
Citrix has now released version 3.4 of the Receiver for Mac and Windows, but what is the main added value with this release?
First off I’d like to ask you to review my previous post where I questioned the Citrix SmartAccess story that I believe is not there end-to-end and that really is a lacking feature for scenarios where you’d for instance want to support more BYOD models etc. You need to determine the person accessing the service and also what type of device it is, trusted or not etc. And in the previous post I argued that Citrix doesn’t deliver according to their SmartAccess story;
#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA
And for those of you that haven’t read about the new Receiver 11.7 for OS X and 3.4 for Windows, check these posts:
Receiver for Windows 3.4 released
Receiver for Mac 11.7 Released
The table below is from the previous SmartAccess post and my theoretical review right now is that the SmartAccess story for Windows and Mac OS X clients has improved. As you can see in the two rows for Receiver 3.3 and 11.6, where you would access through a Receiver through an AGEE you would NOT be able to perform host checks using the EPA scans.
This was just not possible because the native Receiver didn’t have the capability to trigger the EPA scans. And the EPA plugin itself was not available in the native Receiver on OS X; it was bundled into the Access Gateway plugin.
| Client | Access method | EPA/Host-check possible on AGEE | Comment |
| --- | --- | --- | --- |
| Windows with Citrix Receiver for Windows 3.3 | Receiver 3.3 | NO | You’ll never be able to do host-checks on this device if Receiver access is used due to that the Receiver does not have EPA scan capabilities. |
| Windows with Citrix Receiver for Windows 3.4 | Receiver 3.4 | YES | Now when the Receiver is communicating with the Access Gateway plugin and shares login credentials then you can leverage the AGEE plugin to perform EPA scans and then allow different session policies and profiles depending on the EPA scan result, and at the same time of course also pass that through to StoreFront/WI and into XenApp/XenDesktop. It does however then require that you get the AGEE plugin installed on the devices, which may be another dilemma… |
| OS X with Citrix Receiver for Mac 11.6 | Receiver 11.6 | NO | You’ll never be able to do host-checks on this device if Receiver access is used due to that the Receiver does not have EPA scan capabilities. |
| OS X with Citrix Receiver for Mac 11.7 | Receiver 11.7 | YES | Now when the Receiver is communicating with the Access Gateway plugin and shares login credentials then you can leverage the AGEE plugin to perform EPA scans and then allow different session policies and profiles depending on the EPA scan result, and at the same time of course also pass that through to StoreFront/WI and into XenApp/XenDesktop. It does however then require that you get the AGEE plugin installed on the devices, which may be another dilemma… |
Receiver for Windows 3.4 released
About Receiver for Windows 3.4
Citrix Receiver for Windows provides users with self-service access to resources published on XenApp or XenDesktop servers. Receiver combines ease of deployment and use, and offers quick, secure access to hosted applications, desktops, and data. Receiver also provides on-demand access to Windows, Web, and Software as a Service (SaaS) applications. You can use it for Web access or configure it for use with Citrix CloudGateway.
What’s new
Citrix Receiver for Windows 3.4 (CitrixReceiver.exe) provides the following new features and enhancements.
- Single authentication to the Access Gateway:
  - Use of a single session for both VPN and clientless access so that a Receiver user logs on once for both types of access and consumes only one license. This feature requires StoreFront.
  - Automatic routing of ICA traffic through the Access Gateway ICA proxy for optimal user experience.
  - Automatic start-up of a VPN tunnel when a user logs on. This feature requires that you disable the Single Sign-On with Windows setting on the Access Gateway.
  - Support for Access Gateway SmartAccess controls.
- Improved logon and logoff operations:
  - Users are prompted to log on to Receiver only when a logon is required. Actions that require a logon include starting an app from Receiver or the Start menu, using the Refresh Apps command, viewing or searching for apps, or adding an account. A user is logged on only to the account associated with the requested resource.
  - Users remain logged on until choosing to log off or exit Receiver, roam from the internal network to an external network, or delete passwords.
  - A VPN tunnel is established when a remote user performs an action that results in a logon. Internal users are logged on to StoreFront.
- Support for Windows 8. You can use Receiver for Windows 3.4 on Intel-based Windows 8 devices. (Receiver for Windows 8/RT is available on the Windows App Store for ARM-based Windows 8 devices.)
- Support for Windows Server 2012 R2, 64-bit edition.
- Support for Project Thor Technical Preview (XenApp Connector). Receiver for Windows 3.4 can be used with Project Thor Technical Preview to deliver apps with Microsoft System Center 2012 Configuration Manager.
- Usability improvements, including:
  - App and desktop Start menu shortcuts are no longer copied to other devices, enabling users to control the location of shortcuts on each of their devices.
  - The Request button is removed. Users can now simply click to add an app and, if a request for permission to add the app is required, a dialog box appears.
  - Arrow keys can be used to navigate search results.
  - Users will experience fewer dialog boxes when adding and removing apps.
  - Error messages and certificate warnings are clearer.
  - Users can reset Receiver to factory defaults. For information on preventing user resets, see http://support.citrix.com/article/CTX135941 in the Citrix Knowledge Center.
- Support for session pre-launch. The session pre-launch feature reduces launch times for applications delivered through Web Interface sites.
- Support for ShareFile StorageZones. Receiver for Windows supports both ShareFile-managed cloud storage and on-premises StorageZones.
- Upgraded FIPS support. Receiver for Windows 3.4 supports certificates with a minimum public key of 2,048-bit RSA and a SHA256 signature hash algorithm.
Receiver for Windows Enterprise
The Receiver for Windows Enterprise 3.4 package (CitrixReceiverEnterprise.exe) provides the following enhancements:
- Support for smart card single sign-on for Windows 7 devices. When used with Web Interface, Receiver for Windows Enterprise 3.4 enables smart card pass-through authentication from Windows 7 devices.
- Support for Fast Connect. Fast Connect provides the necessary technology for partners to rapidly authenticate users to Citrix sessions or desktops.
For information about Receiver for Windows Enterprise, including compatible systems, refer to the Receiver for Windows 3.2 documentation in Citrix eDocs.
Heads up – Potential #StoreFront and .NET Security update KB2729452 issue – #Citrix, #StoreFront, #CloudGateway
Heads up out there! I’ve not verified this myself but it’s worth ensuring that you plan for an uninstallation in the event it’s true!
#Citrix #NetScaler, #AGEE and Macbook OS X… bad start of the evening session!
Ok, I was just going to log in and play around and setup another AppController to verify some thoughts around a customer case in our EnvokeIT environment. And what did I do? I just opened my lovely Macbook Air (no one will ever take that one from me!!) and thought I would connect into our internal EnvokeIT lab environment and decided for some reason to connect over SSL VPN this time rather than running everything on the internally published desktop.
So I opened the browser and connected to our AGEE vip that presented me with the rather ok-looking login page as you can see here that my colleague modified to make it a bit more aligned with the StoreFront/Receiver for Web that we use in this little environment (otherwise you get that black ugly NetScaler login prompt, please get your product look & feel in synch Citrix!).
But then after I logged in I thought, why not try out the SSL VPN client for my Mac! So I chose Network Access here;
And then I realised that the modifications weren’t really all ok as you can see here when I was prompted to download the Access Gateway Plugin for OS X (SSL VPN client)…









