Category Archives: Citrix Technology Advocates

Citrix Innovation Award Finalists for #CitrixSynergy 2018

Its that time of the year where you Citrix customers, partners can vote for your favourite Citrix Innovation Award Finalist.

This year see’s a great mixture of customers in different markets all leveraging Citrix technologies as the enabler for transformation within there organisations to embrace a new way of working or #ThisIsHowTheFutureWorks powered by Citrix Networking, Workspace and Security & Platform Analytics from https://www.cloud.com/.

I would encourage you to watch all three videos describing there journey before casting your vote as there is some really great innovation happening within these Citrix customers and if you want to get started visit https://www.citrix.com or https://www.cloud.com/ today.

Beazley from the UK – Insurance

Quote “A new mindset to work wherever I am, because I have the tools that Citrix provides and Beazley…” – @dalesteggles

Health Choice Network, US – Healthcare

WAGO, Germany – Engineering

All the very best to this years Finalists.

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Citrix Ready WorkspaceHub Tech Preview (TP) Getting Started?

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy the Tech Preview of the Citrix Ready WorkspaceHub using an Android Receiver on a mobile smart phone (April 2018) with XenApp & XenDesktop 7.6+ LTSR. The views, opinions, and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY – sec
NETSCALER – ns
NETSCALER GATEWAY SERVICE – nsg service
WINDOWS – win
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
WORKSPACEHUB – wh

Introduction
Citrix has recently announced the availability of the Tech Preview of the Citrix Ready WorkspaceHub at – https://www.citrix.com/blogs/2018/04/04/its-here-download-the-citrix-ready-workspace-hub-tech-preview-today/. So what exactly is it? Its a Raspberry Pi 3 platform at its core with Citrix technology + innovation built into it to provide a number of innovative capabilities for the Digital Workplace #thisishowthefutureworks. For me seeing is believing so the below embedded Tweet by Bas Stapelbroek – @hapster84 or https://twitter.com/hapster84 is a short video clip that demonstrates just one of the many powerful capabilities (sign-on to a thin client using a QR code while your virtual desktop still runs on your smart phone smooth roaming +++++ I like to say) available as part of the Citrix Ready Workspace Hub.

Full credit of the above goes out to Bas Stapelbroek – @hapster84 and thank you for allowing me to include it in my blog post.

You’re probably asking yourself how do you manage them you ask? You leverage Stratodesk NoTouch – https://www.stratodesk.com/products/workspace-hub/ whom work with our supported Citrix Ready Partners that provide the Citrix Ready WorkspaceHub for Internal or external you can use Citrix XenMobile+.

Please visit the StratoDesk webpages for nComputing – https://www.stratodesk.com/products/workspace-hub/ncomputing-rx-hdx-citrix/ and ViewSonic – https://www.stratodesk.com/products/workspace-hub/viewsonic-sc-t25-citrix-hdx-ready-pi/ for more details around the capabilities, specifications e.t.c of each platform.

You can put the device down and lock it but be sure to refer to *page 14 for helpful tips.

Pre-requitstes & System Requirements
You’ll need to sign-up to the Tech Preview program at – https://podio.com/webforms/20685654/1419376 however I urge you to please please please read through this Citrix Forum Discussions post at – https://discussions.citrix.com/topic/394304-welcome-to-the-tech-preview-of-the-citrix-ready-workspace-hub/ and finally you should before you get started once you have your h/w and have been accepted into the program read through the the TP documentation available at – * https://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/current-release/downloads/workspace-hub-preview-2018.pdf which is the below in more detail.

– Your require at a bare minimum XenApp 7.6 LTSR environment running 7.6 VDA for Windows Server (remember this is a Tech Preview ONLY as of April 2018)
– You require a physical Citrix Ready WorkspaceHub device – http://citrixreadyprogram.com/workspace-hub/ which currently includes thin client vendors in alphabetical order nComputing and ViewSonic. If you have had it for a while e.g 2017 firmware please read pages 2 (end)-3(top) for instructions on where to obtain the firmware updates. See page 2 for full h/w details.
– TP only supports Android Receiver 3.13.5 or later for Mobile devices + Bluetooth for
– Networking persecutive your require Android smart phone and WorkspaceHub to be on the same Wi-Fi network with the following open ports 55555, 55556 (default port for SSL connections) and ports 1494 and 8500 must not be blocked for Citrix Casting to work between the Android Receiver on Mobile Device <-> Citrix WorkspaceHub.
– Internal centralised management utilises Stratodesk https://www.stratodesk.com/kb/Main_Page to get started or for external management you can use XenMobile+ also on page 3.
– If you’re looking for Skype for Business support check out page 5
– Recommended HDX Graphics Mode and policy for the TP is to set and enable H.264 for fullscreen the policy is “Use video codec for compression” setting to “For the entire screen
– Setting up Receiver page 7 ensuring that you DO NOT SELECT e.g UNTICK “Add account type as Web Interface” and during the setup you’ve need to complete the Touch-Free mode for proximity authentication enabled vs. disabled page 8-9. Now test the proximity referring to page 10.
– Setting up the session roaming with a QR code, TLS/SSL (requires SHA256is covered in pages 11-15 with Stratodesk NoTouch
– Please please please read through thoroughly the known limitations within the TP on page 16 and finally there is Citrix Discussions Forum available for support during the TP at https://discussions.citrix.com/forum/1726-citrix-ready-workspace-hub-preview/.

In Closing
I hope you found this blog post useful as I have written it due to the number of people contacting me via social platforms, Slack and of course traditional communications like telephone calls, text/sms and yes email. A final thought, be sure to check out a short demonstration + talk on Citrix Casting and a lot more detail at – https://www.citrix.com/products/citrix-workspace/iot.html.

Disclaimer
Please read the “Citrix Ready Workspace Hub PreviewDisclaimerCitrix Ready Workspace Hub Preview Citrix Ready Workspace Hub Preview” on page 1* and a note to Citrix Investors is listed at the bottom of the blog post announcement of the TP program of the Citrix Ready WorkspaceHub at – https://www.citrix.com/blogs/2018/04/04/its-here-download-the-citrix-ready-workspace-hub-tech-preview-today/.

Session Watermarking for App & Desktop Security by Citrix XenApp & XenDesktop 7.17 or #CitrixCloud

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Session Watermark policy feature with the XenApp & XenDesktop Service (April 2018) or XenApp & XenDesktop 7.17 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SECURITY – sec
NETSCALER – ns
NETSCALER GATEWAY SERVICE – nsg service
WINDOWS – win
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad

Introduction to “Session Watermark”
The latest release of the XenApp & XenDesktop Service powered by Citrix Cloud or if you are performing a private cloud (on-premises) upgrade or net new installation of XenApp & XenDesktop 7.17 has some NEW features (another post brewing) and one that I have been waiting on for quiet sometime now has not finally arrived (WAHOO!) and its VERY VERY simple to configure and aids in improving your security posture (I believe) for delivery of apps & desktops powered by Citrix against e.g IP theft. In the below tweet can you see it?

The above is from my initial tests using a Windows Server 2016 VM hosted in Azure Northern Europe region running the 7.17 VDA configured to my Citrite #CitrixCloud XenApp & XenDesktop Service so I did not need to upgrade anything to get this new SHINY cool feature yes I said it SHINY. All I was required to do was deploy a new Windows Server 2016 VM from the Azure marketplace, domain join it, install the VDA and connect it to my Cloud Connector and I was ready in less than 25 minutes from initially deploying the VM from the marketplace.

Finally on a personal note for me Citrix SysAdmins enabling the “Session Watermark” feature obviously initally tested in a safe environment e.g UAT with a few users from a couple of departments and then rolling it out into production (as when/how your ready) will be making IT the modern “App & Desktop Security Heroes“. IT can apply and configure these new policies to be the most right vs. relevant for your organisations security needs while not hindering the end-users Rich HD eXperience.

Session Watermark Policies
You have 8 watermarking policies to apply with the 9th one enabling this security capability or feature set with the following list of quirks, suggested policy configuration and more available at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/policies/reference/ica-policy-settings/session-watermark-policy-setting.html.

Before we get started it is worth mentioning that this feature does add an overhead to the compute on the backend (VDA side) and therefore it is suggested to enable up to two water marking features or items. In my overview of this feature I will wont cover off the cost of implementing this security policy as there are multiple variables to consider e.g HDX Graphics Mode and associated policies to provide the right vs. relevant end-user experience vs. how many watermark items do I apply? I have begun testing so bare with me and I’ll publish my findings either on my personal blog here or on https://www.mycugc.org under the “Expert Insights” area.

Enable session watermark
By default this feature is DISABLED as the default behaviour which I believe is the right approach considering its Citrix’s initial release of this #security feature (in my personal view) and secondly online documentation at eDocs suggested recommendations it to enable NOT more than two watermark text items. Finally * indicates that this policy is DISABLED by default when Session Watermark is enabled.

Include client IP address
* This is the IP addr of the device connecting to the virtual app & desktop.

Include connection time
* Utilises the following format yyyy/mm/dd hh:mm to display the users initial connection time to there virtual app or desktop.

Include logon user name
ENABLED by default when you enable Session Watermark as a policy and uses the following format USERNAME@DOMAINNAME is most optimise for 20 characters or less otherwise truncation might occur of the users logon username.

Include VDA host name
ENABLED by default when you enable Session Watermark as a policy and provides the VDA hostname e.g ne1vad01

Include VDA IP address
* Provides the internal IP addr that corresponding the VDA’s hostname e.g ne1vad01 = 10.1.0.7

Session watermark style
ENABLED by default using “Multiple e.g displays five watermark labels” when you enable Session Watermark as a policy or you can configure “Single e.g displays a single watermark label in the centre of the session“. TIP switching to SINGLE and sticking to two watermark text items for me in my initial tests is a good starting policy however time will tell as I continue to test out this new feature and its capabilities with different HDX Graphics Modes and associated tweaks.

Watermark custom text
* A unicode maximum of 25 characters is supported if you exceed this limit it will be truncated.

Watermark transparency
ENABLED by default set to “17 out of 100” when you enable Session Watermark as a policy, personally I think setting it to just 1 is fine in my initial tests as you want it to be not so in your face to the end-users to be bluntly honest.

How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER – ns
XENMOBILE DEVICE MANAGER – xdm
XENMOBILR APPCONTROLLER – xac
XENMOBILE NETSCALER CONNECTOR – xnc
XENMOBILE MAIL MANAGER – xmm
WINDOWS – win
MOBILE DEVICE EXPERIENCE – mdx
REAL-TIME – r-t
MICRO VIRTUAL PRIVATE NETWORK – mvpn
FIREWALL – f/w
ACCESS CONTROL LISTS – acl
APPLE PUSH NOTIFICATION SERVICE – apns
UNIFIED ENDPOINT MANAGEMEMNT – uem
MOBILE DEVICE MANAGEMENT – mdm
MOBILE APPLICATION MANAGEMENT – mam
MOBILE CONTENT MANAGEMENT – mcm
CUSTOMER EXPERIENCE IMPROVEMENT PROGRAM – ceip
ACTIVE DIRECTORY – ad
TRUSTED NETWORK – tru
FIRST TIME USER EXPERIENCE – FTU

Author Note
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.

Introduction
This is going to be one of the longest posts that I am about to write so come back from the moment its published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – https://citrix.cloud.com/ in due course.

What is XenMobile?
XenMobile is a complete UEM or MEM via https://twitter.com/JJVLebon (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on there own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. Its Fen 2018 and its still equally a tough exam to pass even though the XDM + XAC where merged into a virtual appliance now called the XenMobile Server (XMS).

If you have not deployed a mobility solution in the past or your an expert you’ll agree most likely that mobility or UEM/MEM is complex and is consistency changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly through-out your organisations Wi-Fi network and so the list continues on and on….

In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount important to be successfully. The below is list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploy a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xenmobile-security-understanding-the-technology-used-by-xenmobile.pdf. This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaviour and so much more, that is definitely worth your time!
Configure the XMS with a public routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if your enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC’s (up to 100 devices) however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high-avaiability. NOTE: Do not pre-create a MS SQL database allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC’s but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You’ll need to active your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of CSRs for all of your mobility + XMS + NS certs is quiet important not just for the initial PoC but thinking 12 months out when the cert begin to expire where did I generate those certs from now to begin the re-signing process hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your choosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore this applies to ANY MDM vendor to be 100% clear!
– Dont assume that one individual should be deploying the XenMobile (any mobility) PoC themselves as in my experience unless your 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often its 3 people from within the IT team for high security organisation its double I find. Typically the 3 people are the Citrix Admin whom will require help & support from a networking (f/w dude:-)) or netscaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against there use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmx <-> tru).
– DO NOT USE A PROD NetScaler deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premsies vs. your chosen resource location.
If you are intending to MDX wrap or enlighten your iOS – https://developer.apple.com/programs/enterprise/ and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if your not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c is was that the mistake occurred.
– If your not going to utilise a public CA signed certificates (Strongly Preferred) as your deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports you’ll need to make sure they are available over your corporate wifi including the over air enrolment port especially for Apple iOS devices otherwise your MDM enrolment will fail so you’ll be defaulted to only been able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security harden purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it most likely is your connecting connection on https://XMS-vip:4443 via the VIP owned by the NetScaler but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g “Invalid user for SSO” when users attempt to sign-on.

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n which is where these system requirements have been obtained from dated Feb 2018 – https://docs.citrix.com/en-us/xenmobile/server/system-requirements.html.

Trial Licensing for On-Premsies Only
Citrix Customer Evaluation licenses can be obtained at – http://store.citrix.com/store/citrix/en_US/cat/ThemeID.33753000/categoryID.63401700 if you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices
https://docs.citrix.com/en-us/xenmobile/server/system-requirements/supported-device-platforms.html

Certificates
– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https

AD/LDAP
– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will required extra certs for this configuration and its well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)

1x private static IP addr that is used for the NetScalers IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to a the NetScalers Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g uem.axendatacentre.com with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g mam.axendatacentre.com with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.

Internet DMZ – NetScaler + XMS TRU
nug01 (NetScaler V/A) <-> NSIP 10.1.0.5
SNIP 10.1.0.100
uem.axendatacentre.com <-> 81.x.x.1 10.1.0.20 <-> UEM Listener on XMS
mam.axendatacentre.com <-> 81.x.x.2 10.1.0.21 + *10.1.0.22 <-> MAM Listener on XMS
uem.axendatacentre.com (XMS V/A) <-> 10.1.0.99

SUMMARY
Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FGM) with Android for Mobile Notification Service Capabilities

Apple
Apple’s APNs Certificates portal is accessible at – https://identity.apple.com/pushcert, if you like a technical overview of how APNs works check out Apples developer documentation on the subject at – https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1 its quiet extensive and in-depth.

1. Create an organisation Apple ID at – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId
2. Generate your a CSR on NetScaler – https://support.citrix.com/article/CTX211887 or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to https://xenmobiletools.citrix.com/ and sign in where prompted with your Citrix.com partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – https://identity.apple.com/pushcert/ by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specfic a friendly name. NOTE: Optional Import Apples Certificates (*.cer, *.crl) from – http://www.apple.com/certificateauthority/ also see http://support.apple.com/kb/ht5012
8. Export the imported certifcate as a *.pfx and specifiying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI rememeber to enter the your chosen password and import it’s a keystore -> pfx format and select aPNS as the cert type.

Citrix provides a more detailed how-to and overview at – https://docs.citrix.com/en-us/xenmobile/server/authentication/apns.html.

Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM https://firebase.google.com/docs/cloud-messaging/ is the natural evolution of GCM platform, so think FireBase first for Android :-).

1. Create a organisation Google Developer account at – https://console.firebase.google.com/?pli=1, if your keen to understand how it works visit the XenMobile eDocs web page for Firebase at – https://docs.citrix.com/en-us/xenmobile/server/provision-devices/google-cloud-messaging.html.
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important well these ports will beed to made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.

Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – *https://docs.citrix.com/en-us/xenmobile/server/install-configure.html which contains a Preinstallation checklist and deployment flowchart. My goal in this section to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from – https://www.citrix.com/downloads/.
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required computed requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as its all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected.
3. Start the XMS v/a via XenCenter it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster this is so that you select the correct options during there FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter in a strong suitable passwd
6. Next you are promoted for network settings the IP addr will be e.g 10.1.0.99 as per my text diagram above.
7. Next your asked about an “Encrypting Phrase” most people select “y” to randomise it however you’ll never know what it is, nor can you obtain file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create there own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will differ to https://docs.citrix.com/en-us/xenmobile/server/install-configure/fips.html#par_anchortitle_8dcb for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next your asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise is was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.

TIP:

9.1 – Let the first XMS v/a that you configure as part of the your XMS cluster create the required XM database itself DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g uem.axendatacentre.com, what does this mean? It means that if your where to type in uem.axendatacentre.com on your device that you reading this blog post inside the corporate file or at home it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for uem.axendatacentre.com to xms01 this will NOT work properly and devices will NOT enrolling you have been warned! If you do this you will beed to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfecting fine to accept the defaults ports here unless you a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself however remember the most complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as its a PoC
13. Next we get to the Public Key Infrastructure (PKI) which I’d prefer to configure configure all the certs with the same passwd or pass phrase or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +. Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team maybe the hypervisor admin whom does all the CLI stuff aswell while the Mobility admin handles all the logical configuration via the Web UI administrator account.

TIP:

14.1 – Make both admin, administrator passwords random and securely store them BUT separately from one another. Setup and assign AD domain admins security group as FULL Administrators of the XMS v/a via RBAC – https://docs.citrix.com/en-us/xenmobile/server/users/rbac-roles-and-permissions.html.

15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release please select “n” which is also the default! The XMS v/a will stop and start the app and once its completed the you see a FQDN e.g https://10.1.0.99:4443/ this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependant upon how much vCPU, RAM that you assigned to the v/a and if your on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins makes with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for uem.axendatacentre.com <-> 81.x.x.1 <-> 10.1.0.20 when they should be accessing the direct IP addr of the XMS v/a <-> 10.1.0.99. Most individual do this to test there NetScaler setup, please DO NOT setup the NetScaler do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g https://uem.axendatacentre.com:4443 either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> 10.1.0.99 IP addr on https://10.1.0.9:4443. Once your at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if its your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to https://docs.citrix.com/en-us/xenmobile/server/system-requirements/licensing.html. I would also suggest to test from each XMS v/a(s) within your cluster that you can successful connect to the remote v6 lic server which is available under the Wrench icon -> Licensing.
18. Next its cert mgmt. and a word of caution as this catches everyone out is that after uploading any certs reboot the XMS v/a(s) is required in order for the new certs to bound to the SSL listener interfaces and the existing ones to be unbind! You’ll need at this point your APNs and SSL certs for e.g uem.axendatacentre.com to upload the XMS v/a when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on Cert types and how-to’s for XenMobile check out – https://docs.citrix.com/en-us/xenmobile/server/authentication/client-certificate.html which includes guides on configuring PKI Entities, certificate-based authentication for SecureMai and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL: https://mam.axendatacentre.com
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: 10.1.0.21 (See text diagram above in HTML table format)

^ These settings are optional.

20. Next your promoted to setup your AD binding I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t otherwise a lot of things in your environment will break.

AD Binding
FQDN: ldap.axendatacentre.com
Port: 389 (Leave defaults unless changed within high security environments)
Domain name: axendatacentre.com
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g xms@axendatacentre.com
Password: *****
Domain Alias: axendatacentre.com (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)

21. Final configuration you’ll need to do is to setup XMS notifications – https://docs.citrix.com/en-us/xenmobile/server/users/notifications.html which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart and once it is successfully rebooted navigate to the XMS v/a direct FQDN https://uem.axendatacentre.com or IP addr and check that the HTTPS cert status in your internet browser to ensure that it is no longer self-assigned by the XMS v/a but matches your uploaded SSL cert bound the SSL Listener.

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with https://docs.citrix.com/en-us/xenmobile/server/authentication/netscaler-gateway-and-xenmobile.html.

Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – https://xenmobiletools.citrix.com and also be sure to please refer to XenMobile compatibility documentation – https://docs.citrix.com/en-us/xenmobile/server/system-requirements/compatibility.html for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I have personally have not seen this issue occur again for quiet some time but I thought its worth including encase it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – https://www.digicert.com/util/ on the originating windows server that you generated your CSR on for tier XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling there iOS devices.

What’s New with HDX (3D Pro) Technologies in XenApp & XenDesktop 7.16

The following content is a brief and unofficial prerequisites guide to setup, configure and test accessing secure by design virtual apps and desktops powered by XenApp & XenDesktop 7.15 prior to deploying a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
SESSION REABILITY – sr
HIGH DEFINITION EXPERIENCE – hdx
XENAPP/XENDESKTOP – xad
SESSION REABILITY – sr
CURRENT RELEASE – cr
LONG TERM SERVICE RELEASE – ltsr

Introduction what is HDX?
High Definition eXperience (HDX) is a set of technologies that provides a near to HD local like experience of a remoted virtual app, desktop or both to users anywhere in the world on any device even without installing anything on that device all you need is a modern widely used (supported) HTML5 compliant internet browser e.g Chrome, Safari (try it on your iOS devices :-)), Firefox, Internet Explorer you get the picture.

HDX is simple yet so powerful and has three founding principles which are intelligent redirection, adaptive compression, and data de-duplication like wise it has three principles it performs when you connect to there virtual resources which is Inspect the VM (Server vs. Desktop) what does it have e.g vGPU, Inspect the network what its like and can I use UDP for adaptive transport or should I fallback to TCP to remote the display + multimedia and finally it inspects the end-point what is there and can I use it? An example is the HDX Optimisation Pack available to offload audio/video for my Skype for Business sessions or shall I utilise generic HDX fallbacks?

I’m not going in great detail in this introduction so if your new to HDX or even an HDX Xen Master I’d still encourage you read the white paper published by Citrix on HDX Technologies at –
https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/citrix-hdx-technologies.pdf. Also be sure to check out the HDX resources page on Citrix.com at – https://www.citrix.co.uk/products/xenapp-xendesktop/hdx-technologies.html.

Finally you can find all the latest about XAD 7.16 and not just whats new with HDX in this release at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/whats-new.html and you’ll notice that it’s not a 7.16 URL but refers to current release or CR.

HDX RealTime
Skype for Business to Teams “We are committed…” read all about it in Dereks blog post on Citrix.com – https://www.citrix.com/blogs/2017/11/08/the-big-news-about-microsoft-teams. The big announcement is that HDX RealTime Optimisation Pack now has an LTSR release version 2.4 which is available and you can learn more product lifecycle information at – https://docs.citrix.com/en-us/hdx-optimization/2-4-ltsr.html. Its also worth noting that this LTSR does NOT support any version of Microsofts Teams only Skype for Business 2015, 2016 you can learn more by reviewing the System Requirements for the client vs. server side at – https://docs.citrix.com/en-us/hdx-optimization/2-4-ltsr/system-requirements.html.

– HDX RealTime Media Engine for the Citrix Ready workspace hub (formerly known as HDX Ready Pi) is only supported for ViewSonic – https://citrixready.citrix.com/viewsonic/viewsonic-sc-t25.html or NComputing – https://citrixready.citrix.com/ncomputing/ncomputing-rx-hdx-thin-client.html Pi’s only. You can also get management of these devices from Stratodesk check out – https://www.stratodesk.com/products/raspberry-pi-thin-client.
– Behavioural changes in the way audio is handled in fallback mode when CPU is busy is to disable Echo Cancellation via the RTME as the generic HDX RealTime will handle this capability until returning to expected behaviour and lower CPU load.
– Enhancements to the microphone to provide better insights into whom is speaking.

The full list of what’s new in this LTSR is available at – https://docs.citrix.com/en-us/hdx-optimization/2-4-ltsr/whats-new.html.

HDX Broadcast
– The release of XAD 7.16 introduces a great new VDA installation behaviour change 🙂 whereby it will automatic set the HDX mode to be standard (Server OS) vs. HDX 3DPro mode (Desktop OS if it meets the requirements for HDX 3DPro e.g the Desktop OS includes a vGPU or GPU) which I believe is setup in the right direction and simplifying overall CTX Admin overhead e.g another syntax option to remember vs. I forget to configure the correct parameter.
– Now by default the new HDX Graphics mode is enabled is adaptive transport or EDT and is set to Preferred. Don’t worry if your a Citrix Admin as you’ve maybe already realised I didn’t enable UDP for this to work! Remember is an adaptive remote display protocol so it will fallback to TCP by default using the default Citrix HDX ports. Its also worth mentioning that when (Preferred) is set then SR is enabled for both UDP vs. TCP connections and client connections (Receiver check supported versions e.g Win min 4.10; Mac 12.8) are attempted in parallel during the initial connection, for SR reconnections and finally auto client reconnects aswell.
– Browser Content Redirection – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/multimedia/browser-content-redirection.html redirects the contents to the local device running an embedded browser within the HDX session which allows for offloading of content, network traffic, graphics from the VDA running in the resource location to the users end-point enhancing the UX significantly.
– Not strictly something new but HTML5 Redirection – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/policies/reference/ica-policy-settings/multimedia-policy-settings.html which is still currently only available for internal usage as you’ll read from the eDocs article but this is 100% something an Citrix Admin & Architects should begin testing today as HTML5 begins in my personal view to supersede Flash based websites as we move forward towards 2020.
– Auto DI Scaling for Multi-Monitor
– H.265 encoding support running on the latest end-points which supported a GPU that supports H.265 decoding and if its not available it will by default fall-back to H.264 decoding. The net result of moving to H.265 from H.264 which is a Platinum only feature results in significant bandwidth savings and much better UX. I have seen the net results with a few of our engineering customers that develop vehicles with teams spread out across the world and the results as awesome!
– Strictly speaking this is not agnostic or exclusive to the HDX technology stack but the Windows Continuum is quiet important for a great user experience and its powered by primarily at a the hypervisor level and its currently only supported on Citrix XenServer. Visit – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/technical-overview/hdx.html for how-to configure it today if your running XenServer.

– High definition webcam streaming for Windows Server with resolutions up to 1920×1080 – https://docs.citrix.com/en-us/xenapp-and-xendesktop/current-release/technical-overview/hdx.html#hd-webcam
– “Session Watermark” with custom text which you learn to setup and configure using the following CTX article – https://support.citrix.com/article/CTX230054 and was originally part of the XenApp Secure Browser and its deployment guide is available at – https://docs.citrix.com/content/dam/docs/en-us/workspace-cloud/downloads/Secure%20Browser%20-%20Deployment%20Guide.pdf.

In Closing
I be covering off some HDX topics in more detail in up and coming blog posts either here or in “Expert Insights” at myCUGC website at – https://www.mycugc.org/. Finally if you want to take part in my challenge for 2018 you can learn more about it at – https://www.mycugc.org/blog/a-2018-challenge-for-the-mycugc-community.

Understanding What’s New with the latest XenApp & XenDesktop 7.15 LTSR

The following content is a brief and unofficial prerequisites guide to setup, configure and test accessing secure by design virtual apps and desktops powered by XenApp & XenDesktop 7.15 prior to deploying a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
WEB INTERFACE – wif
LONG TERM SERVICE RELEASE – ltsr
CURRENT RELEASE – cr
FEDERATED AUTHENTICATION SERVICE – fas
SECURITY ASSERTION MARKUP LANGUAGE – saml
IDENTITY PROVIDER – idp
NETSCALER UNIFIED GATEWAY – nug
XENAPP – xa
PROVISIONING SERVICES – pvs
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
STOREFRONT – sf

What is the difference between LTSR vs. CR for XenApp & XenDesktop 7.x?
The Long Term Service Release (LTSR) program for XenApp and XenDesktop provides stability and long-term support for XenApp/XenDesktop releases while the Current Release (CR) provides customers with the very latest version of XenApp and XenDesktop which includes the latest innovations e.g EDT v2

XenApp & XenDesktop 7.15 LTSR Feature Summary Comparison with 7.6 LTSR
The following is a simple one PDF page document that lists all the feature capabilities from initial first LTSR which was XenApp & XenDesktop 7.6 Feature Pack (FP) 1-3 through to the current LTSR XAD 7.15 including the CR releases in-between so its absolutely worth booking marking in your browser or better yet download it to keep it to hand for customer conversations – https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/xenapp-xendesktop-715-ltsr-feature-summary-comparison-to-76-ltsr.pdf.

Noteworthy Points What’s New vs. Excluded
I’d very strongly recommend that your read the following CTX article – https://support.citrix.com/article/CTX205549 entitled “CTX205549 FAQ: XenApp, XenDesktop, and XenServer Servicing Options (LTSR)” and to ensure that you remain compliant post your update/migration to 7.15 LSTR you should download the “CTX209577 Citrix LTSR Assistanthttps://support.citrix.com/article/CTX209577

Its also worth noting the following that are classed as “Excluded Features/Components/OSes” from the XAD 7.15 LTSR but I’d like to stress PLEASE PLEASE refer for eDocs for full caveats vs. supporting statements at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/whats-new/7-15-ltsr-initial-release-.html+ and these listed notes are based upon the initial release however there is now a Cumulative Update 1 (CU1) already available so be sure to read through it as well at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/whats-new/cumulative-update-1.html.

OSes+
– Windows 2008 32-bit (for Universal Print Server)

Behavioural Changes
– Upgrading a XA 6.5 worker to a new 7.15 VDA is now slightly different and the detailed process is listed at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/upgrade-migrate/upgrade/upgrade-xenapp-6-5-to-vda.html and also be sure to review the XenApp 6.x Migration Tool at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/upgrade-migrate/xenapp-worker-upgrade.html and you review the migration tool by watching the embedded YouTube video below.

Finally while your planning your migration to XA 7.15 (FMA) from 6.5 (IMA) you will mostly likely be upgrading vs. migrating away from WIF so please be sure to read and how to migrate features to StoreFront from your WIF environment at – https://docs.citrix.com/en-us/storefront/3-12/migrate-wi-to-storefront.html. Equally I’d encourage any organisation reading this to review how-to setup and configure the “unified user experience” for Citrix Receiver vs. the Green Bubbles which will provide a much better experience for users you can enable it by quiet easily once you’ve read through the following article in eDocs at – https://docs.citrix.com/en-us/storefront/3-12/manage-citrix-receiver-for-web-site/unified-receiver-experience.html.
– Follow the supported leading best practises for upgrading the 7.15 LTSR by reviewing the following node within Citrix’s eDocs – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/upgrade-migrate/upgrade.html
– VDA installation failures for Win 10 N Editions that don’t include Microsoft Media Foundation can now be acknowledged via the installation GUI of the VDA vs. automated deployed (unattended) there is a new option “/no_mediafoundation_ack“.

Excluded Features & Compoments+
– HDX Graphics Mode – Framehawk
– StoreFront Citrix Online Integration
– AppDisks
– Personal vDisk is excl for Win 7, 10
– Load balancing of Session Recording which was an experimental feature in 7.14

What’s Deprecated in the 7.15 LSTR
A full list of what is deprecated is available at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/whats-new/removed-features.html and I am only going to list a few points that I believe of most interest to those whom read my blogs or if your just a Citrix SysAdmin vs. Consultant reading this blog post.

No VDA installations on Windows XP will be supported
– Flash Redirection ++Hello HTML5 GOODBYE Flash wahoo!
– Citrix Receiver for Web classic experience (“green bubbles” user interface) ++Oh YES double wahoo!
– VDAs on Desktop – Windows 10 version 1511 & Windows 7, 8.1 and for Server – Windows Server 2008 R2 and Windows Server 2012
Legacy Thinwire + DirectX Command Remoting (DCR) switch to Thinwire ECM or Adaptive Display v2 see – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/graphics/thinwire.html
– In-place upgrades of certain XAD infrastructure components aren’t supported!
– Studio on Windows 7
– Azure Classic support

++ Personal comment vs. note from the author of the post

XenApp and XenDesktop 7.15 LTSR baseline components
VDA for Desktop OS 7.15
VDA for Server OS 7.15
Delivery Controller 7.15
Citrix Studio 7.15
Citrix Director 7.15
Group Policy Management Experience 3.12
StoreFront 3.12
Provisioning Services (PVS) 7.15
Universal Print Server 7.15
Session Recording 7.15 (Platinum Edition only)
Linux VDA 7.15 (See the Linux VDA documentation for supported platforms)
Profile Management 7.15
Federated Authentication Service 7.15

7.15 LTSR Compatible Components and Platforms
AppDNA 7.15
Citrix SCOM Management Pack for License Server 1.2
Citrix SCOM Management Pack for Provisioning Services 1.19
Citrix SCOM Management Pack for StoreFront 1.12
Citrix SCOM Management Pack for XenApp and XenDesktop 3.13
HDX RealTime Optimization Pack 2.3
License Server 11.14.0 Build 21103
Workspace Environment Management 4.4
App Layering 4.3
Self-Service Password Reset 1.1

What’s New
– Machine Catalog’s functional level within your Site from 7.9 do not require an upgrade
– Machine Creation Services (MSC) now supports generation 2 VMs with Microsoft System Center Virtual Machine Manager SCVMM
– The FMA or 7.x version of Local Host Cache (LHC) is now enabled by default BUT note that if it was disabled from a prior release of the XAD 7.x then you need to enable it and disable Connection Leasing (CL) https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-9/manage-deployment/connection-leasing.html which was initially introduced into the 7.x platform to provide a fallback if your SQL database connection was lost or unavailable until LHC was re-introduced in XAD 7.12 – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/manage-deployment/local-host-cache.html but was not enabled by default in the 7.12 release CL was primarily utilised.
– Director App Failure Monitoring – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/reference/virtual-delivery-agent-policy-settings/monitoring-policy-settings.html#App_Failure_Policy_Settings

Security Leading Best Practises
– General Overview https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/best-practices.html.
– Securing your StoreFront 3.12 environment – https://docs.citrix.com/en-us/storefront/3-12/secure.html
– Standardise on a single organisation user identity platform e.g AAD by leveraging NetScaler + + StoreFront + FAS which can convert SAML vs. OAuth tokens into virtual smartcards per configured Store within StoreFront to then SSO a user onto there intended virtual apps & desktops without requiring to re-enter his/her in a directory username + password for that resource location (What’s this? Read – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations.html).
– Slightly obvious to an Citrix expert vs. Citrix Partner but its worth highlighting for newbies to Citrix virtualisation technologies is that XAD management provides Delegated Administration to manage just enough access for different members of the IT vs. compliance departments/business units to have just enough access to complete there daily vs. weekly vs. monthly activities vs. tasks – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/delegated-administration.html and for remote secure access to virtual apps & desktops you will need implement NetScaler Unified Gateway – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/storefront-netscaler.html which can also enable and allow your organisation to control authentication at the edge of your network e.g 2FA vs. MFA vs. using Biometrics with supported 3rd Citrix Ready solutions so check out – https://citrixready.citrix.com. Finally you can also engage with SmartAccess capabilties when fronting XAD for R/A with NUG so check out the following resources for NS 11.x.n – https://docs.citrix.com/en-us/netscaler-gateway/11/integrate-web-interface-apps/ng-smartaccess-wrapper-con/ng-smartaccess-xd-config-con.html and NS 12.x.n – https://docs.citrix.com/en-us/netscaler-gateway/12/integrate-web-interface-apps/ng-smartaccess-wrapper-con/ng-smartaccess-xd-config-con.html and there is also a CTX article entitled “CTX227055 Smart Access Guide for NetScaler Gateway, StoreFront and XenDesktop” to review at – https://support.citrix.com/article/CTX227055 and finally you can configure Pre-Authentication scans to check that the connecting end-point is compliant (Refer to VDI Handbook section below).
Enabling TLS or Transport Layer Security for ICA/HDX Session – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/tls.html for a detailed how-to from the first LTSR check out the following blog article at – https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/ or download the white paper entitled “Citrix XenApp and XenDesktop 7.6 LTSR FIPS 140-2 Sample Deployments” from – https://www.citrix.com/content/dam/citrix/en_us/documents/about/citrix-xenapp-and-xendesktop-76-fips-140-2-sample-deployments.pdf. During some research I also came across the following CTX article to disable TLS 1.0 for XAD 7.6 LTSR which may or may not be useful to you check out – https://support.citrix.com/article/CTX215447.
– How do I assign the right vs. relevant security or UX policy? Refer to the built-in policy templates which you can read at – https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/policies/policies-templates.html which include the same policy type for modern vs. legacy OSes.

Citrix VDI Handbook for the 7.15 LTSR
Recommended pages of interest to read from “Citrix VDI Best Practices for XenApp and XenDesktop 7.15 LTSR” – https://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/7-15-ltsr/downloads/Citrix%20VDI%20Handbook%207.15%20LTSR.pdf which I am commonly asked about so I thought it makes sense with the current LTSR to list them out here for everyone to focus on what is right vs. relevant for PoC’s e.t.c

– Page 11 which focus on CCS Methodology
– Page 32 Five-Layer Design Model and Conceptual Architectures for XAD environments
– Page 35-37 Site topology covering latency, bandwidth vs. number of users
– Page 50-52 covers StoreFront keywords to the behaviour of the delivery of virtual resoucres
– Page 52 Scaling vs. sizing of your StoreFront cluster
– Page 54 Calculate what NetScaler required SSL through-put however i’d strong recommended engage with your Citrix rep for leading best practise vs. guidance as this can/may differ dependant upon your choose appliance vs. firmware version.
– Page 58 Implement GSLB with HDX Optimised routing to ensure connecting users in a regional vs. global deployment connect to better NUG by proximity.
– Page 63 HDX Display Protocol
– Page 66- User Profile types for Local, Roaming, Mandatory & Hybrid vs. virtual apps & desktop chooses model
– Page 79 Built-in Policy templates to optimise the UX based upon your organisational requirements
– Page 88-93 vCPU/RAM/Storage I/O vs. User workload types light, medium and heavy
– Page 94-97 SQL database sizing vs. scaling 5K up to 15K including expected database growth
– Page 98-99 PVS SQL database guidance for suggested sizing
– Page 104 XAD Controller sizing vs. scaling per 5K users which also includes a calculation
– Page 105 LHC considerations if enabled to re-size your control infrastructure for XAD
– Page 107 Citrix Cloud connector sizing for 5K users in private vs. public cloud
– Page 113-116 SQL Database sizing
– Page 121-129 PVS Accelerator with XenServer
– Page 132-140 Hardware Formulas for sizing vs. scaling including GPU(s)

Deploying a XAD 7.15 LSTR PoC
Coming…

What Citrix Receiver & HDX Optimisation Pack should I deploy?
You should consider reviewing and if fit for purpose for your organisation implement the Windows 4.9 LTSR Citrix Receiver version – https://docs.citrix.com/en-us/receiver/windows/4-9.html along with if you utilise Skype for Business for UC the LTSR of the HDX Optimisations Pack – https://docs.citrix.com/en-us/hdx-optimization/2-4-ltsr.html and you can find out more information about the lifecycle at – https://support.citrix.com/article/CTX200466.

Deploying a Hyper Responsive Web Service with(out) NetScaler?

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
CONTENT DELIVERY NETWORK – cdn
SECURITY ASSERTION MARKUP LANGUAGE – saml
FEDERATED AUTHENTICATION SERVICE – fas
LOAD-BALANCING – l/b
NETSCALER UNIFIED GATEWAY – nug or netscaler ug
NETSCALER – ns
XENAPP – xa
XENDESKTOP – xd
XENAPP/XENDESKTOP – xad
INTERNET SERVICE PROVIDER – isp
MANAGED SERVICE PROVIDER – msp

Introduction
Yes I will be talking about Citrix NetScaler only here as I am a Citrite, this blog post is more about methods vs. technical guidance so lets begin. In a previous life prior to my current role at Citrix I worked for a managed Internet Service Provider (mISP) or MSP where the customers I used to manage where required to deploy app, database & web servers (infrastructure) to service + support customer transactions at a massive scale but also ensuring a fast vs. efficient user experience at scale vs. normal usage. Today I am go explore how to optimise the delivery of web-based service fronted with(out) a Citrix NetScaler from startup to a global organisation we all can’t live without!

My scenario will focus on taking a web based service that you’ve developed as a start-up running on a single VM at instance type of any size running LAMP to be a continually hyper responsive web service as the load increases or popularity of the web service by first implementing simple but very effecting SysAdmin techniques. Your company is now born you’ve found a niche in a market segment/vertical and you’ve adopted a framework for development to build your web service platform on and you’ve identified where to host vs. run your web service from.

Optimising your Web Service to be Hyper Responsive with(out) NetScaler

You can deploy a successful vs. highly available web service without any ADC yes that is right, however there does come a point when its right vs. relevant and you will need to implement an ADC like Citrix NetScaler. So how can you? Well it comes down to thinking like a SysAdmin sometimes how can I optimise by removing stuff vs. consolidating roles or migrating them to alternative platforms.

Lets examine your Web Service that we’ve just launched its currently a single VM instance for argument sake its hosted in a public cloud like AWS vs. Azure vs. GCP or even a private cloud perhaps running on a XenServer host :-). You’re happy and believe your ready to begin your journey with your new startup so you begin promoting it socially on Twitter, LinkedIn, Instagram e.t.c and slowly over a few weeks the demand for the web service begins to grow steadily and you notice that the responsiveness isn’t 100% what it was a the time of launch so you schedule a maintenance window at say 04:00 GMT and scale up the VM instances compute resources to 4vCPU and 24GB of RAM including attaching another SSD HDD and you shift the content e.g images, CCS style sheets and JQuery files onto this HDD to improve performance by shifting I/O Reads for content onto another HDD.

Customers
EDGE
Web, Database & Content Roles running on a single Web Server

Happy days your web service is now back to that 100% (Initial launch experience) but now fast forward a few more weeks vs. months and your web services popularity increases organically vs. social and traditional marketing campaigns so your back to its not quiet as responsiveness anymore vs. isn’t 100% what it was a the time of launch so you schedule a maintenance window to perform some careful real-time investigation work to understand where are the bottle neck(s)? Each Web Service today in my personal opinion will have difference bottle neck(s) this is down to how its developed to run (standard alone vs. h/a cluster vs. globally distributed) vs. coded (framework vs. ground up framework) so careful monitoring of your web service platform from inception to the current date and the future is critical to help you continually truly scale your web service.

After reviewing the gathered insights from various tool(s)* you can see that the number of Reads to the HDD is quiet high and all to often I have seen decisions made to shift the database away from the web service onto another VM instance without checking what service is responsible for all those Reads and what location on the HDD the Reads are occurring from!? In my personal experience its mostly like not the database BUT the content e.g images, scripts, stylesheets that cause the high I/O Reads on the HDD when serving up content to load the web pages for customers on there end-points however with proper coding of your web service you can reduce this by caching the content on the users device (Laptop, PC, Mac, Smartphone, Tablet, Thin client) so when they change web pages there isn’t a hit on the web server (look at NetScalers HTTP Compression technology aswell) for the exact same content BUT only for what has changed perhaps image(s) of items they you want to acquire including its price + title + description collected from the database e.g change of search or click on the next/back buttons of there found vs. filtered results.

At this point you can do one of three things (1) you can migrate the database to an external VM instance and change the web service to connect to the database on now a remote server which is most commonly down without proper investigative work (2) if your in a public cloud you could choose to utilise a PaaS database service this option is not for everyone in my personal opinion just yet and its not necessarily a technology vs. security adoption blocker but I believe its a analytics blocker if the public cloud provider chooses to come into my market and also its way to NEW for me most common theme (3) keep the database exactly where is it and begin to or shift to delivering your Content via a CDN model or sometimes referred to as an Image Farm i.e the bits that make your website look good and the way it looks e.g images, logo, CCS style sheets, JQuery scripts that provide functionality + experience. This approach will help improve the users overhaul experience at any stage because the content is delivered via CDN model or method – https://en.wikipedia.org/wiki/Content_delivery_network (Example www.youtube.com) and not via the web server servicing up the webpage(s) from the web service anymore and typically the responsiveness of web service leads to a better experience for customers and there satisfaction goes up using your web service! This approach free’s up vital compute + I/O resources on your web server running your web service. Visit your favourite online retailer, ISV e.t.c and view the HTML source you’ll see what I mean! Most organisations typically don’t implement this earlier enough and often will implement this strategy after the ADC is deployed as the right vs. relevant skillset for managing your web service at scale simply is not available within the business yet.

Customers
EDGE
Web & Content Roles on single Web Server
Database Role on separate remote Server

Happy days! Your developer suggests to implement lets just keep it simple Round-robin DNS https://en.wikipedia.org/wiki/Round-robin_DNS so that he can make the web service multi web server enlightened e.g clustering so after some tests he/she deploys the new code onto the PROD web server and deploys 1-2 more web servers completes his tests and implements and deploys Round-robin DNS. Personally this is NOT something I would ever implement as if you don’t manage your DNS correctly with someone who knows what they are doing you could fall victim to DNS cache poisoning – https://en.wikipedia.org/wiki/DNS_spoofing or worse and bye bye web service = bye bye business! In a previously life prior to Citrix working at a mSP DNS management was taken very seriously for customers as without it your business would not be available online and the net outcome is simple you cannot transaction business to turn a profit and keep shareholders happy! Back to the blog so you know have a cluster enlightened web service platform to give you scale although its not prefect in my personal opinion with this strategy.

Customers
DNS
Round-robin DNS
EDGE
Web & Content Roles on Web Server
■ ■ ■
Database Role on separate remote Server

Happier Days lie ahead as more bottle necks in your web service have been resolved and the web service is becoming even more and more popular with customers in the particular City vs. County that you initially launched the web service from BUT now as more time passes and the business continues to growth from strength to strength, month on month you once again notice that the responsiveness isn’t 100% what it was a the time of launch vs. the last architectural change(s) that where made to enlightening web service platform and that you choose to switch the database to a remote VM instance, and I also am going to assume you did not implement the CDN concept for content (images, CCS, scripts e.t.c). So your business is now profitable and at a level where you have on-boarded the right vs. relevant skillset within the business to help take your web service to the next level i.e regional vs. GEO vs. global scale or you hire in external but experienced ADC professionals to help with the re-architecture of your web service platform or your go Serverless (Follow-up article!) but we’ll leave that one for todays post as its another blog post all on its own.

Upon investigation utilising various *tools (Network, Cacti, SmokePing, TOP e.t.c.), reviewing historical data points vs. graphs the decision is made that your web service platform now needs to adopt an (NetScaler) Application Delivery Controller (ADC) to scale smarter, intelligently and more efficently on-demand as the business grows while also ensuring high-availability 99.xxxxx% (You choose your 9’s) uptime 24/7/365 and to also maintain that initial customer experience during your startup phase or day 1 trading of business. In my view when implementing an ADC correctly the responsiveness should equal at scale if not be better than that first time you deployed your web service. At this stage most likely dependant upon the web service (What is it? game platform vs. online store e.t.c) you’ll potentially implement the following architecture to easily support a GEO or a region(s) within a GEO e.g EMEA or global scale and remove that Round-robin DNS method!

Content via CDN
Customers
EDGE
NetScaler ADC
□ □
Web/App Servers
■ ■ ■ ■ ■
Database Servers
■ ■
Content Servers
■ ■

What is NetScaler?
It’s a Layer 4-7 networking appliance https://www.citrix.com/networking/ that allows for securing and acceleration of workspace, web and app workloads while remaining transparent to customers. It comes in many different flavours vs. roles from providing secure BUT contextual remote access for SaaS, Web apps, virtual apps & desktops, R/A VPN with end-point scanning, microVPN e.g XenMobile apps e.t.c to virtualising your WAN by bonding multiple internet uplinks together through to supporting and monitoring a deployed web service(s) at local, regional, GEO or global scales all the while also providing deep insight and analytics into your organisation see the below video and much much more.

So Why Implement a NetScaler?
Implementing an NetScaler has many benefits it allows for offloading of TLS or HTTPS traffic https://docs.citrix.com/en-us/netscaler/12/ssl.html freeing up vital compute resources or cycles spent on decrypting the traffic where as now the web servers running your web service can have greater scale as they are now free to get on process transactions, monitor the health – https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-builtin-monitors.html of each web server that is load-balanced (l/b) – https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-how-it-works.html by NetScaler and if one or more web server(s) are performing poorly it will receive less transactions until it becomes more responsive, Datastream – https://docs.citrix.com/en-us/netscaler/12/datastream.html enables connection multiplexing to your database servers e.g more efficient writes + reads means faster transactions which means better performance of the web service with a net outcome of better user experience for customers, if don’t use the CDN concept for content take a look at the integrated cache feature – https://docs.citrix.com/en-us/netscaler/12/optimization/integrated-caching.html which allows the NetScaler to store and serve specific content saving a request to the server holding the desired content this further improving the responsiveness of your web service, support for Googles SPDY (Speedy) https://docs.citrix.com/en-us/netscaler/12/optimization/spdy.html and or implement HTTP Compression – https://docs.citrix.com/en-us/netscaler/12/optimization/http-compression.html which compresses responses from servers to compression aware-browsers example – https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/optimize-encoding-and-transfer even enable and allow SAML and OAuth – https://docs.citrix.com/en-us/netscaler/12/aaa-tm/oauth-authentication.html logins to now only SaaS apps but also Windows apps used inline with FAS within XAD 7.9+. The list goes on and on so be sure to check out the NetScaler online documentation at – https://docs.citrix.com/en-us/netscaler/12.html and remember NetScaler is an advanced ADC but can also do the following Secure Web Gateway, Web AppFirewall, Unified Gateway and SD-WAN.

myCUGC announces Citrix Technology Advocates (CTA) class of 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Today Citrix community leader Stephanie Roper – https://twitter.com/Roperjs announced the class of “Community Champions: Citrix Technology Advocates (CTA) for 2017” at – https://www.mycugc.org/blog/community-champions-cta which I have been honoured and humbled to become part of with a few other fellow Citrites whom consistently like our fellow CTA’s and CTP’s for that matter advocate and more often than not eat, sleep and breathe Citrix technologies daily. Finally thank you to, Stephanie Roper for leading the CTA programme, the #myCUGC team https://www.mycugc.org/ and of course the great company that I work for which is of course https://www.citrix.com.