Category Archives: Workspaces

How-to Deploy Citrix XenMobile Server 10.7

The following content is a brief and unofficial prerequisites guide to setup, configure and deploy Citrix XenMobile Server (XMS) 10.7 on-premises prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

Author Note
Please be aware that I published this article today 19/02/2018 but it should be considered evergreen until I remove this section thank you.

This is going to be one of the longest posts that I am about to write so come back from the moment its published over Feb/March/April 2018 as I will most likely be making adds/moves/changes. This blog post serves to provide the most right vs. relevant information to help you better understand how-to deploy the current Citrix XenMobile on-premises server which is 10.7.x.n as of February 2018. I will be writing a follow-up blog post on deploying the XenMobile Service powered by Citrix Cloud – in due course.

What is XenMobile?
XenMobile is a complete UEM or MEM via (mobility) solution for managing apps, data, and devices from a single unified platform with MDM & MAM (mobile apps cut, copy & paste) policies, automated actions for enrolled (supported platforms) devices that will keep employees safe, secure and productive on vs. offline enabling them to work on there own terms.

Preparation & Initial Guidance
I was one of the first set of individuals to pass the very first Citrix Certified Professional – Mobility (CCP-M) exam for XenMobile 9.x.n while at Citrix Summit in Jan 2014. Now that was one very tough exam as you needed to know Citrix NetScaler, XenMobile NetScaler Connector, (ZenPrise) XenMobile Device Manager, StoreFront, Citrix Mail Manager, Citrix AppController, ShareFile Control Plane and of course StorageZones. Its Fen 2018 and its still equally a tough exam to pass even though the XDM + XAC where merged into a virtual appliance now called the XenMobile Server (XMS).

If you have not deployed a mobility solution in the past or your an expert you’ll agree most likely that mobility or UEM/MEM is complex and is consistency changing with new devices, OS upgrades along with new vs. deprecated vs. behavioural changes to MDM APIs, app updates, push API’s vs. MDM platform + vendor signing of certificates and finally oh yes all those MDM ports that you need configured correctly through-out your organisations Wi-Fi network and so the list continues on and on….

In principle when preparing to deploy any mobility solution regardless of vendor, preparation is of paramount important to be successfully. The below is list of how I personally prepare for a mobility PoC for XenMobile on-premises (yes we at Citrix are cloud first and I live IaaS so I’ll be writing another post on deploy a XenMobile Service PoC in the future):

– Start by reading the XenMobile Security Whitepaper – This will provide a great insight into our XenMobile, FIPS compliance, how SSL VPN or mVPN for MDX enabled apps behaviour and so much more, that is definitely worth your time!
Configure the XMS with a public routable FQDN and NOT an IP addr if you intend to manage devices externally via the internet vs. internally over corporate Wi-Fi and if your enabling the self-help portal for personal management.
– Utilise the PostgreSQL database option for a PoC’s (up to 100 devices) however this will mean that you need to redeploy the XMS using a remote SQL database for PROD environments as you’ll most likely want to have your XMS v/a in a cluster for high-avaiability. NOTE: Do not pre-create a MS SQL database allow the XMS v/a to create your MS SQL database against the SQL server during the initial setup process when performing the initial FTU within the XMS CLI.
– Utilise local v6 licensing on the XMS v/a for a PoC’s but again for PROD utilise a remote Citrix licensing server which is 100% required to support a XMS Cluster as the XMS v/a are stateless with all the configuration held within the remote Microsoft SQL database.

TIP: You’ll need to active your XenMobile licenses from the available list when configuring the remote v6 license server prior to continuing!

– Create separate mobility admin mailboxes to then be used to create accounts with Apple, Google & Microsoft so that everyone has access to create, sign and revoke MDM push certificates vs. push API’s like FireBase.
– Deciding where to generate all of CSRs for all of your mobility + XMS + NS certs is quiet important not just for the initial PoC but thinking 12 months out when the cert begin to expire where did I generate those certs from now to begin the re-signing process hmmm….??? I prefer in my home lab to generate and renew all my certs on WDC but many SE’s I know will use NetScaler for this and the point I am making is that it does not matter BUT centralise and document the process, passwords e.t.c
– Setup a calendar invite vs. trigger in your choosen support platform to notify the mobility admin mailbox to alert you every 11 months to renew all your certs otherwise you’ll break your MDM deployment e.g no devices under mgmt anymore this applies to ANY MDM vendor to be 100% clear!
– Dont assume that one individual should be deploying the XenMobile (any mobility) PoC themselves as in my experience unless your 100% comfortable with networking, ACLs, SQL DBs, gateways. To be honest most often its 3 people from within the IT team for high security organisation its double I find. Typically the 3 people are the Citrix Admin whom will require help & support from a networking (f/w dude:-)) or netscaler admin and then the SQL guru.
– I typically advise partners and customers to focus and agree on 2x mobile devices and a defined list of UEM policies to configure for testing in the PoC against there use case(s).
– Ensure that all your required ports are opened up correctly in vs. outbound (internet <-> edge <-> dmx <-> tru).
– DO NOT USE A PROD NetScaler deploy a new and fresh NetScaler VPX for your XenMobile (Service) PoC on-premsies vs. your chosen resource location.
If you are intending to MDX wrap or enlighten your iOS – and Android mobile apps then I’d suggest that you sign-up for the required developer accounts well in advance as some customers & partners have experienced delays up to 1-8 weeks. You have been warned and also ensure that you understand the rules around these dev accounts!
– Disable the ability to perform a Full Wipe of the enrolled devices (in particular for BYO scenarios you don’t want a lawsuit!) or if your not bothered and you would like to test this capability then I’d suggest that you only use new mobile devices that contain no corporate vs. personal content + data during the PoC. Finally my own personal leading best practise is to setup RBAC for mobility admins and remove the full wipe capability completely! 🙂
– Screen record the PoC deployment e.g GoToMeeting so if you make a mistake you can review the recording to understand what you misconfigured and most importantly where on the NetScaler vs. XMS e.t.c is was that the mistake occurred.
– If your not going to utilise a public CA signed certificates (Strongly Preferred) as your deploying the XMS v/a in your home lab only, then when exporting your cert from your Enterprise CA export using the Base64 format and then export as a full chained PFX format cert.
– Deploy the XMS v/a first and attempt to enrol your chosen mobile device(s) and remember those MDM ports you’ll need to make sure they are available over your corporate wifi including the over air enrolment port especially for Apple iOS devices otherwise your MDM enrolment will fail so you’ll be defaulted to only been able to enrol your device for MAM only e.g Secure MDX enlighten mobile apps
– The XMS mgmt. Web UI for administration is restricted from the internet as the mgmt. web UI is only accessible over https://XMS:4443 which is not part of the XM 10 wizard as of e.g NSG 10.5-55.8+ for security harden purposes (double check eDocs to be safe!). This often leads to Mobility/Citrix Admins thinking that they have misconfigured the wizard on the NetScaler when in fact it most likely is your connecting connection on https://XMS-vip:4443 via the VIP owned by the NetScaler but if you connect directly to the XMS’s configured IP addr via https://XMS-direct:4443 you’ll be able to access the XMS Admin Web UI.
– SuGgEsTeD personal tip utilise Mozilla Firefox for configuring and managing your XMS v/a for me it works the best!
– Ensure that all users/admins have first, last name & e-mail addr fields populated in AD prior to any enrolment otherwise they will receive an error e.g “Invalid user for SSO” when users attempt to sign-on.

Pre-requisites & System Requirements
The currently available XMS v/a as of writing this blog article is 10.7.x.n which is where these system requirements have been obtained from dated Feb 2018 –

Trial Licensing for On-Premsies Only
Citrix Customer Evaluation licenses can be obtained at – if you are having trouble please contact your local Citrix representative vs. partner for assistance and guidance.

Supported Devices

– APNs see below
– SSL Listener used for HTTPS traffic communication e.g like securing your web server with https

– Open up 389 between the XMS v/a(s) and your AD server in your trusted network, you can optionally configure secure AD/LDAP on 636 but you will required extra certs for this configuration and its well documented in Citrix eDocs vs. obviously I believe.
– Windows service account for XMS v/a(s) to query AD/LDAP

NetScaler (Unified) Gateway
– Versions 10.5.x.n, 11.0.x.n, 11.1.x.n and 12.x.n (My current preferred firmware release now)
– 2vGPU, 4GB of RAM and 20GB available storage for HDD
– On-premises Hypervisors include XenServer 6.5 or 7.x.n; VMware ESXi 4.1, ESXi 5.1, ESXi 5.5, ESXi 6.0; Hyper-V Windows Server 2008 R2/2012/2012 R2
– Cloud Hypervisors include Azure (ARM is preferred); AWS EC2 not supported for XenMobile.
– NetScaler service account I’d advise against the default which is nsroot:nsroot slightly obvious but I see this time and again can you believe it!!!!
– AD/LDAP service account that is utilised to check validate and authenticate users against your organisations AD/LDAP.
– IP addressing (Please please please pay attention)

1x private static IP addr that is used for the NetScalers IP Addr (NSIP)

1x private static routable IP addr between your DMZ <-> TRU which is referred to a the NetScalers Subnet IP Addr (SNIP)

1x private static IP addr that is used for the XMS

1x public internet routable FQDN e.g with 1x public static internet routable IP addr that resolves to 1x private static IP addr in your DMZ that are owned by the NetScaler.

1x public internet routable FQDN e.g with 1x public static internet routable IP addr that resolves to 2x private static IP addrs in your DMZ that are owned by the NetScaler one for direct NAT and the other one is for *L/B of the MAM traffic.

Internet DMZ – NetScaler + XMS TRU
nug01 (NetScaler V/A) <-> NSIP
SNIP <-> 81.x.x.1 <-> UEM Listener on XMS <-> 81.x.x.2 + * <-> MAM Listener on XMS (XMS V/A) <->

Total private IP addrs required are 6x.
Total public static internet routable IP addrs required are 2x.
Total public internet routable FQDNs 2x.

MDM Certificates for Apple and Firebase Cloud Messaging (FGM) with Android for Mobile Notification Service Capabilities

Apple’s APNs Certificates portal is accessible at –, if you like a technical overview of how APNs works check out Apples developer documentation on the subject at – its quiet extensive and in-depth.

1. Create an organisation Apple ID at –
2. Generate your a CSR on NetScaler – or on a Windows Server e.g WDC using e.g IIS NOTE: Please use 2048 cipher encryption for the cert.
3. Navigate to and sign in where prompted with your partner access details.
4. Follow the onscreen process for signing your XenMobile APNS CSR which will return a *.plist file.
5. Login to and upload your CSR to the APNS portal at – by following the onscreen process.
6. Download the generated *.pem file from the APNS portal to the Windows server that you initially created the CSR on.
7. Import the *.pem file into IIS using the complete a CSR response and specfic a friendly name. NOTE: Optional Import Apples Certificates (*.cer, *.crl) from – also see
8. Export the imported certifcate as a *.pfx and specifiying a password. Note: DO NOT FORGET the password.
9. When prompted during the XMS configuration of the WebUI rememeber to enter the your chosen password and import it’s a keystore -> pfx format and select aPNS as the cert type.

Citrix provides a more detailed how-to and overview at –

Firebase Cloud Messaging (FCM)
Google or FireBase Cloud Messaging (GCM or FCM) enables push capabilities for Android vs. implement during enrolment an “Active poll period policy” for the Android handset to check back into the XMS to receive new policies, apps, check compliance e.t.c. Finally note that if you do any research FCM is the natural evolution of GCM platform, so think FireBase first for Android :-).

1. Create a organisation Google Developer account at –, if your keen to understand how it works visit the XenMobile eDocs web page for Firebase at –
2. The process to create the push capabilities is in my personal view way easier than APNs as all you need to do is generate an “API Key” and “Sender ID” which is then stored on the XMS at “Settings – > Google Cloud Messaging“. Visit the above URL to learn how to implement Firebase.
3. Please pay attention to the Firebase XenMobile diagram in the above eDocs link which includes the following Firebase ports 5228, 5229 and 5230 between the enrolled XenMobile handset and the GCM platform. Why is this important well these ports will beed to made available from the corporate network outbound like APNs to enable enrolment from within the corporate enterprise or high security environments otherwise you will need to enrol over 3/4G or via home/guest Wi-Fi.

Deploying the XMS v/a
Before you even attempt to begin I’d strongly advise you to read and or print out the following webpage via Citrix eDocs – * which contains a Preinstallation checklist and deployment flowchart. My goal in this section to provide some context with some of the deployment options during the initial configuration of the XMS v/a, you can refer to * for full installation instructions.

1. Download the current XMS 10.7.x.n+ v/a from –
2. Unzip the v/a and upload it to e.g Citrix XenServer 7.1 LTSR via XenCenter or you could use any other Citrix supported on-premises hypervisor. Once successfully uploaded check that your v/a has the minimum required computed requirements 2-4vCPU and 4-8GB of RAM assigned (increase to MAX if 10 or more users in the PoC as its all about the experience but for home lab purposes I utilise 2vCPU and 4GB of RAM as I only have 3 devices connected.
3. Start the XMS v/a via XenCenter it will take longer to boot-up if you have assigned the bare min compute resources and if your underlying storage is (shared) HDD based.
4. Once the XMS v/a has started decide if you are intending to create a XMS h/a cluster this is so that you select the correct options during there FTU, otherwise you will need to redeploy the XMS v/a and start all over. Notes:

4.1 – The CLI uses admin while the Admin account used for the Web UI uses administrator, also be aware they are LOWER CASE!
4.2 – Nothing appears when typing in select inputs.

5. Enter in a strong suitable passwd
6. Next you are promoted for network settings the IP addr will be e.g as per my text diagram above.
7. Next your asked about an “Encrypting Phrase” most people select “y” to randomise it however you’ll never know what it is, nor can you obtain file to read it! If you are considering deploying a cluster of XMS v/a for H/A then most individuals will select “n” and create there own “encryption passphrase“.
8. I currently at the moment will not provide any context on FIPS so I will differ to for configuration options otherwise this blog will get out of hand. I will do a follow-up or adjustment to this post in the future to cover FIPS in greater detail.
9. Next your asked about configuring a database for the v/a to store configuration information. The “l – Local” option will enable PostgreSQL which is now only supported for customer PoC’s while historically prior to Citrix acquiring ZenPrise is was a supported configuration but that was 5+ years ago under XDM, so be 100% clear PostgreSQL is for PoCs ONLY with a XMS v/a! It is also NOT supported with XMS clusters as the v/a’s are stateless relying on the SQL database for configuration information e.g users, policies, delivery groups e.t.c so you require a “r – Remote” SQL database.


9.1 – Let the first XMS v/a that you configure as part of the your XMS cluster create the required XM database itself DO NOT pre-populate a database name on your MS SQL database cluster vs. server!
9.2 – If you select to enable XMS clustering you will need to enable port 80 within the XMS f/w ACL and do this BEFORE performing a clone to create your XMS cluster. Also in high security environments remember to include in your submitted ACL to allow the XMS v/a’s to communicate over TCP port 80 to enable R-T comms between all v/a members within the cluster.
9.3 – Finally Citrix does NOT support DB migration e.g PoC to UAT-PROD environments.

10. The most important step that I often see vs. hear vs. receive requests about is what do I type in for the “XenMobile hostname”? Please type in the fully qualified and internet routable FQDN e.g, what does this mean? It means that if your where to type in on your device that you reading this blog post inside the corporate file or at home it is reachable. Please do not type in e.g xms01 and then internal vs. external DNS entries are entered in for to xms01 this will NOT work properly and devices will NOT enrolling you have been warned! If you do this you will beed to START all over with a fresh XMS v/a!
11. For the XMS comm port requirements i.e the v/a communicates with the users (SHP) and devices (UEM or MDM/MAM) it is perfecting fine to accept the defaults ports here unless you a high security organisation + e.g Bank, Government agency e.t.c and want to further harden yourself however remember the most complexity you add e.g changing ports here will mean that you will need to adjust the auto defined ports on the NetScaler if you do the XenMobile Wizard on the NetScaler v/a.
12. Skip the upgrading from a previous XMS version as its a PoC
13. Next we get to the Public Key Infrastructure (PKI) which I’d prefer to configure configure all the certs with the same passwd or pass phrase or you can define a different passwd or pass phrase for each of the four certs (root, intermediate for device enrolment, intermediate for SSL cert and finally an SSL for your connectors +. Finally you’ll require the eXaCt passwd(s) for an XMS v/a within your h/a cluster.
14. Finally now create a passwd for the default “administrator” account. I would personally as my own leading best practise make the CLI admin vs. Web UI administrator passwords different for security purposes as one member of the team maybe the hypervisor admin whom does all the CLI stuff aswell while the Mobility admin handles all the logical configuration via the Web UI administrator account.


14.1 – Make both admin, administrator passwords random and securely store them BUT separately from one another. Setup and assign AD domain admins security group as FULL Administrators of the XMS v/a via RBAC –

15. Once you select “Return” to above set the initial configuration is stored and you are prompted to upgrade from a previous release please select “n” which is also the default! The XMS v/a will stop and start the app and once its completed the you see a FQDN e.g this now indicates that you can complete the Web UI part of the XMS v/a setup and configuration. Note this can take up to 5-7 mins dependant upon how much vCPU, RAM that you assigned to the v/a and if your on SSD vs. HDD storage this will speed up the process naturally.
16. The biggest mistake Mobility/Citrix Admins makes with XenMobile is that when they attempt to access and configure the Web UI part of the setup they will typically access it via the NetScaler owned VIP for <-> 81.x.x.1 <-> when they should be accessing the direct IP addr of the XMS v/a <-> Most individual do this to test there NetScaler setup, please DO NOT setup the NetScaler do it after you have setup the XMS v/a. Finally the reason you can’t connect to the Web Admin UI via the NS VIP e.g either internally or externally is that the NS disables 4443 via the VIP to harden and protect the Web Admin UI from the Internet so you’ll need to connect to the direct XMS v/a <-> IP addr on Once your at the login prompt of the Web UI type username “administrator” and your chosen passwd and “Sign-in” and the “Get Started page” appears only once to complete the Admin Web UI part of the XMS v/a setup and configuration.
17. The first web page provides an overview of the available licensing configuration options, for a PoC or if its your first time using XenMobile then I’d suggest that you utilise the built-in 30 day evaluation license to give you time better understand how to configure XenMobile so that you can enforce the required UEM policies against devices vs. (MDX) apps. If you intend to deploy a XMS h/a cluster then like the XMS database you’ll need to setup or make use of your existing remote v6 Citrix licensing server however IMPORTANT make sure that this lic server version meets the minimum release requirements of 11.12 for 10.7.x.n XMS firmware/release version. If you choose to use the 30 day trial LOCAL license servers on XMS and now wish to use a REMOTE lic server then please refer to I would also suggest to test from each XMS v/a(s) within your cluster that you can successful connect to the remote v6 lic server which is available under the Wrench icon -> Licensing.
18. Next its cert mgmt. and a word of caution as this catches everyone out is that after uploading any certs reboot the XMS v/a(s) is required in order for the new certs to bound to the SSL listener interfaces and the existing ones to be unbind! You’ll need at this point your APNs and SSL certs for e.g to upload the XMS v/a when importing your certs follow:

SSL Listener
Import: Keystore
Keystore Type: PKCS#12
Use as: APNs and or SSL Listener
Keystore file: Password: *********
Description: Date uploaded and what is it? APNs vs. SSL listener?

For in-depth information on Cert types and how-to’s for XenMobile check out – which includes guides on configuring PKI Entities, certificate-based authentication for SecureMai and finally NS cert delivery in XenMobile.
19. NUG

Wrench icon -> NetScaler Gateway
Authentication: ON (default)
Deliver user certificate for authentication: OFF (default)
Credential Provider: (default)

Select “Add”

Name: NUG
Alias: (default)
External URL:
Logon Type: Domain only (default)
Password Required: OFF (default)
Export Configuration Script: Allows you to download conf bundle to upload to NUG to configure XenMobile. I prefer to do this manually myself.

Select “Save”

Next add the following to your NetScaler Gateway configuration on the XMS.

^Callback URL: FQDN to verify that the request originated from NetScaler Gateway BUT make sure the callback URL resolves to an IP addr that is reachable by the XMS v/a(s)
^Virtual IP: (See text diagram above in HTML table format)

^ These settings are optional.

20. Next your promoted to setup your AD binding I always prefer using an FQDN vs. IP Addr here as IP addr’s can change however FQDN’s typically don’t otherwise a lot of things in your environment will break.

AD Binding
Port: 389 (Leave defaults unless changed within high security environments)
Domain name:
User Base DN: ou=Users,dc=axendatacentre,dc=com (I am just using the AD default location of the Users OU here when you would have setup AD so configure to meet your organisations default OU location of Users)
Group Base DN: cn=Users,dc=axendatacentre,dc=com
User ID: XMS AD service account used to query your AD e.g
Password: *****
Domain Alias: (yours maybe different)
XenMobile Lockout Limit: 0 (default)
XenMobile Lockout Time: 1 (default)
Global Catalog TCP Port: 3268 (default)
Global Catalog Root Context: (default)
User search by: userPrincipalName (preferred for the modern world)
Use secure connection: (default)

21. Final configuration you’ll need to do is to setup XMS notifications – which is required for things like bulk enrolment (users e-mail addr must be in AD field), communicating with users when automated actions are configured and users have violated your organisations UEM strategy.
22. Now please logout of the Web Admin UI and log back into the XMS CLI via your chosen hypervisor and follow the below instructions to reboot your XMS v/a

Reboot XMS v/a
– Select “[2] System”
– Select “[10] Restart server”
– Select “Y”

Your XMS v/a will begin to restart and once it is successfully rebooted navigate to the XMS v/a direct FQDN or IP addr and check that the HTTPS cert status in your internet browser to ensure that it is no longer self-assigned by the XMS v/a but matches your uploaded SSL cert bound the SSL Listener.

Fronting your XMS with a NetScaler v/a

1. Coming… but in the interim start with

Troubleshooting & Leading Best Practises
1. Citrix provides a XenMobile tools platform available at – and also be sure to please refer to XenMobile compatibility documentation – for compatibility of devices vs. MDX apps + release versions.
2. Users receive Profile Installation Failed The server certificate for “https://XM-FQDN:8443” is invalid when enrolling a device against XenMobile when using iOS devices. I have personally have not seen this issue occur again for quiet some time but I thought its worth including encase it reappears in the future. So what causes this issue? It is to do with the private key of your *.p12 or *.pfx full chained SSL/TLS cert and appears to only occur when exporting your cert from a new CSR on a Windows OS. To resolve the issue I’d suggest that you download, extract and run the DigiCert Certificate Utility available at – on the originating windows server that you generated your CSR on for tier XMS v/a for your SSL Listener cert e.g HTTPS. Next follow the guide available from Digicert at – to help you find and export your XMS v/a HTTPS cert correctly (advise to use TEST feature button before export) and re-upload it to the XMS v/a and remember to REBOOT the XMS v/a(s) when you change any certs on the XMS v/a(s)!!! You should now be able to begin re-enrolling your devices BUT I would strongly advise to remove any MDM certs via Settings in iOS and then delete SecureHub and re-download it and now the enrolment error messages should no longer appear to your users while enrolling there iOS devices.

What’s New with HDX (3D Pro) Technologies in XenApp & XenDesktop 7.16

The following content is a brief and unofficial prerequisites guide to setup, configure and test accessing secure by design virtual apps and desktops powered by XenApp & XenDesktop 7.15 prior to deploying a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or leading best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

Introduction what is HDX?
High Definition eXperience (HDX) is a set of technologies that provides a near to HD local like experience of a remoted virtual app, desktop or both to users anywhere in the world on any device even without installing anything on that device all you need is a modern widely used (supported) HTML5 compliant internet browser e.g Chrome, Safari (try it on your iOS devices :-)), Firefox, Internet Explorer you get the picture.

HDX is simple yet so powerful and has three founding principles which are intelligent redirection, adaptive compression, and data de-duplication like wise it has three principles it performs when you connect to there virtual resources which is Inspect the VM (Server vs. Desktop) what does it have e.g vGPU, Inspect the network what its like and can I use UDP for adaptive transport or should I fallback to TCP to remote the display + multimedia and finally it inspects the end-point what is there and can I use it? An example is the HDX Optimisation Pack available to offload audio/video for my Skype for Business sessions or shall I utilise generic HDX fallbacks?

I’m not going in great detail in this introduction so if your new to HDX or even an HDX Xen Master I’d still encourage you read the white paper published by Citrix on HDX Technologies at – Also be sure to check out the HDX resources page on at –

Finally you can find all the latest about XAD 7.16 and not just whats new with HDX in this release at – and you’ll notice that it’s not a 7.16 URL but refers to current release or CR.

HDX RealTime
Skype for Business to Teams “We are committed…” read all about it in Dereks blog post on – The big announcement is that HDX RealTime Optimisation Pack now has an LTSR release version 2.4 which is available and you can learn more product lifecycle information at – Its also worth noting that this LTSR does NOT support any version of Microsofts Teams only Skype for Business 2015, 2016 you can learn more by reviewing the System Requirements for the client vs. server side at –

– HDX RealTime Media Engine for the Citrix Ready workspace hub (formerly known as HDX Ready Pi) is only supported for ViewSonic – or NComputing – Pi’s only. You can also get management of these devices from Stratodesk check out –
– Behavioural changes in the way audio is handled in fallback mode when CPU is busy is to disable Echo Cancellation via the RTME as the generic HDX RealTime will handle this capability until returning to expected behaviour and lower CPU load.
– Enhancements to the microphone to provide better insights into whom is speaking.

The full list of what’s new in this LTSR is available at –

HDX Broadcast
– The release of XAD 7.16 introduces a great new VDA installation behaviour change 🙂 whereby it will automatic set the HDX mode to be standard (Server OS) vs. HDX 3DPro mode (Desktop OS if it meets the requirements for HDX 3DPro e.g the Desktop OS includes a vGPU or GPU) which I believe is setup in the right direction and simplifying overall CTX Admin overhead e.g another syntax option to remember vs. I forget to configure the correct parameter.
– Now by default the new HDX Graphics mode is enabled is adaptive transport or EDT and is set to Preferred. Don’t worry if your a Citrix Admin as you’ve maybe already realised I didn’t enable UDP for this to work! Remember is an adaptive remote display protocol so it will fallback to TCP by default using the default Citrix HDX ports. Its also worth mentioning that when (Preferred) is set then SR is enabled for both UDP vs. TCP connections and client connections (Receiver check supported versions e.g Win min 4.10; Mac 12.8) are attempted in parallel during the initial connection, for SR reconnections and finally auto client reconnects aswell.
– Browser Content Redirection – redirects the contents to the local device running an embedded browser within the HDX session which allows for offloading of content, network traffic, graphics from the VDA running in the resource location to the users end-point enhancing the UX significantly.
– Not strictly something new but HTML5 Redirection – which is still currently only available for internal usage as you’ll read from the eDocs article but this is 100% something an Citrix Admin & Architects should begin testing today as HTML5 begins in my personal view to supersede Flash based websites as we move forward towards 2020.
– Auto DI Scaling for Multi-Monitor
– H.265 encoding support running on the latest end-points which supported a GPU that supports H.265 decoding and if its not available it will by default fall-back to H.264 decoding. The net result of moving to H.265 from H.264 which is a Platinum only feature results in significant bandwidth savings and much better UX. I have seen the net results with a few of our engineering customers that develop vehicles with teams spread out across the world and the results as awesome!
– Strictly speaking this is not agnostic or exclusive to the HDX technology stack but the Windows Continuum is quiet important for a great user experience and its powered by primarily at a the hypervisor level and its currently only supported on Citrix XenServer. Visit – for how-to configure it today if your running XenServer.

– High definition webcam streaming for Windows Server with resolutions up to 1920×1080 –
– “Session Watermark” with custom text which you learn to setup and configure using the following CTX article – and was originally part of the XenApp Secure Browser and its deployment guide is available at –

In Closing
I be covering off some HDX topics in more detail in up and coming blog posts either here or in “Expert Insights” at myCUGC website at – Finally if you want to take part in my challenge for 2018 you can learn more about it at –

My 30 Days of Citrix SecureNotes

The views expressed here are my own and do not necessarily reflect the views of Citrix.

The past 30 days I thought I’d try a XenMobile secure app I’d honestly never really used before as I store my notes within a secure app which is only accessible from my Citrite Windows 7-10 virtual desktop. This blog is a summary of my views about using Citrix Secure Notes why I am now going to switch to Secure notes from my primary note taking app and its NOT a traditional noting taking app at all!. It is also worth mentioning that before I begin discussing Secure Notes I personally have never really found a note taking app that meets my personal requirements vs. DEMANDS maybe that is because I been doing personal/business web development with languages such as PHP, HTML(5), CSS, Javascript in my personal time since I was a teenage so prehaps I’m looking for something that looks vs. feels like something i’d develop one day? Who knows! For now I’ll leave this thought as it stands and back to Secure Notes!

I thought i first start off with a tour of Secure Notes followed on by my personal views and thoughts of using Citrix’s Secure Notes thereafter.

Tour of Secure Notes

1. You can login from a web browser at and if you want to sign-in via your organisations IdP select “Log in with my company credentials
2.Enter in your organisations ShareFile subdomain e.g MyOrgName
3. It will redirect you to you’re organisations IdP login where you will be prompted for a username + password and potentially another form of authentication like a receiving a telephone call, virtual token or asked to verify yourself using your biometric authentication.
4. Once you are signed in your can begin creating a note (secure website version of Secure Notes) by providing it a heading and then in the body text your notes or drag and drop pictures, tag your notes and assign it to a notebook (collection of notes perhaps by project vs. organisation vs. team meetings e.t.c), delete unwanted or irrelevant notes, set a reminder against a note, favourite the note or search of other notes that you’ve created.
5. Now you can see in this image that I have been using for sometime now its still less than 30 days but I’m using notebooks to assign my notes by partner, customer vs. major events and i’ve tagged selective notes that require a follow-up and then I remove tags once its completed.
6. I have switched to the Notebooks view from theAll Notes which organises your notes based upon your created notebooks in my case by customer, partner & events and then I assign my notes to these notebooks so i can easily navigate notes for example by a partner or just use the search filter (whats right vs. relevant to you).
7. All your notes are stored securely within your ShareFile personal folder, and if your using Drive Mapper with your Citrix virtual apps & desktops the path to see your notes is at – “S:\Personal Folders\WorxNotes.root” and it does not matter whether your creating your notes using the website version of Secure Notes at – or even if you create your notes using the secure XenMobile enabled app called “Secure Notes” which is available from the public app store for iOS – and Android – and controlled by XenMobile MDX technology to stop cut, copy and paste. You can learn more about MDX by reading the XenMobile security white paper available at –
8. If I now switch to a mobile world and I mean using a smart phone or tablet and for convenience sake I’ll be using the Secure Notes app I can see that I have the similar same capabilities and functionality vs. the secure website versions.
9. I can insert a picture, tag it, favourite it, set a reminder e.t.c but now I can record audio.
10. I can create my notes offline and when your back online it will sync your note(s) back up to ShareFile and you’ll notice the red cloud icon disappear.
11. Send your notes as an embedded message within Secure Mail body vs. PDF file attachment by selecting your preferred choice.

My Personal Views

Lite Tech Overview of Secure Notes
Review all the features and caveat at –

1. Currently only iOS 9-10, Android 5-8 phones BUT its not supported on Tablets!*
2. Selecting a storage location for your notes upon setting up the app your asked if your prefer to store your notes in Microsoft Exchange Server or for your Secure Notes + within a ShareFile StorageZone. You can provide users with a choice of both upon on-boarding within the Secure Notes app.
3. Once users have been setup the XenMobile Secure Hub agent can handle SSO or push the app to users whom have enrolled into XenMobile’s MDM.
4. Supported file formats include – *.M4A, *.JPEG, *.PNG, *.BMP, *.GIF, *.WebP for rich editing experience.

2017 UKI #CitrixPartnerLove Challenge #8 Find My Location

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at to print.

2017 UKI #CitrixPartnerLove Challenge #7 Stop the Difference

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at to print.

2017 UKI #CitrixPartnerLove Challenge #6 Traffic Flows

The views expressed here are my own and do not necessarily reflect the views of Citrix.

You can download the image at to print.

Why You’ll Love ShareFiles Workflows and eSignature Features

The following content is a brief and unofficial guide to testing and using ShareFile Workflows prior to implmenting it for a PoC. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names
CITRIX – ctx

Understanding what is ShareFile?
Its a cloud-based file sharing service that enables users to easily and securely exchange documents from any cloud to any device or location around the global securely (HTTPS) with auditing, eSignature, document workflow, check in/out, multi-factor auth capabilties and so much more! For a good overview visit

I love this why ShareFile video its simply brilliant! A good 2 minutes well spent that leaves you felling happy and understanding why ShareFile?

What are ShareFile Workflows?
It’s about wrapping a collaborative workflow around the actual document to acheive an outcome more efficently at a faster pace that before as all invited parties are able to collobrate on the same document by annotating with comments in any area and start a conversational thread with the ability to finally mark the annotated comment(s) as “Resolved” and the initiator of the Workflow can “Agree” to comment(s) using a simple thumbs up. Finally the invited party(s) have the ability to approve the workflow.

Approving the Workflow disables any further collaborating capabilities and therefore allows the initiator and most likely the document author to begin making necessary changes to the documents via a traditional installed, web or virtual Office app.

You can read more about –

A Sample Workflow Explained

High resolutions image available at –

1. Login into https://* or .com from your favourite internet browser.
2. Once logged into select to Upload a sample Word or PowerPoint document with a screenshot of your organisations website and some text from a different webpage beneath it. If you’re already using ShareFile Drive Mapper drop it into a folder within your “Personal Folder” and if you have no idea what I am talking about you should def 100% STOP download it now from – and then read this CTX article before continuing to read further –
3.Once you’ve upload or synced the sample document refresh your internet browser and under “Recent Files” select the file and your see a preview (powered by MS Office365 Preview) of the document on the left and some actions on the right hand side look for “Initiate Approval” and select it which will open up a new browser tab with the following URL e.g where xxxxxxxx represents the ID of this workflow.
4. You’ll see a preview of your document on the right hand-side and on the left hand side your see a three workflow types (a) Get Approval (b) Collect Feedback (c) Create Request List
5. For this sample workflow we’ll going with option (a) Get Approval so select it
6. Select a due date e.g the next days date or a date within 7 days from the date of initiating the workflow so your approvers have time to respond if you aren’t able to view there calendar(s) so they can provide annotate and provide feedback on the sample document.
7. Add Approver(s) (Add people who are required to approve this document) E-mail address and Name (optional but preferred) and you can require that they have to login and I love this check box feature “Every approver must re-approve newly uploaded versions”!
8. My next favourite feature “CC’s” allows you to include any individual(s) whom can access the workflow workspace and comment, BUT they cannot approve the document workflow 🙂 !
9. You can also add message that the recipients will receive when you start the workflow.
10. Review your approvers, CC’s and message and then select to “Start Workflow”.
11. You can begin to annotate the document in your chosen area(s) including starting a conversation with all participant(s), while ShareFile e-mails them.
12. Approvers and CC’s receive an e-mail notification with a secure link too join the ShareFile workflow workspace that you have already started to work on.
13. You’ll receive notifications that participant(s) are commenting on your annotations, replying to your activity thread.
14. The Approver in this case has now agreed to all my annotations and has chosen to “Approve” the document approval workflow as he/she agrees with the suggested document changes, which the author can now begin to edit the way he/she would like to e.g online directly from ShareFile provided that you have the correct Office 365 subscription for more info check out “CTX208340 ShareFile Office Online Editing” –
15. You’ll also receive an e-mail notifying you that the workflow has been approved!.

There is also a simple overview of the Feedback and Approvals Workflow by Citrix ShareFile available at – or watch the embedded video below.

In summary ShareFile Workflows helps you and your organisation collaborate on documents more efficiently to acheive outcomes at pace with better results!

Workflow API’s
Quiet often I’m asked are there any available APIs for ShareFile Workflows? Yes! Its accessible at the following URL at –

eSignature ShareFile RightSignature
The eSignature capabilities within Citrix ShareFile is powered by the acquisition of RightSignature with more details available at and

I’ll be providing a tour of eSignatures in due course…

My Best of #CitrixSynergy 2017

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

Its my 5th #CitrixSynergy and this is def one of the best Synergy’s I have ever had the privilege of watching virtually from London, England. Why not in person? I prefer to watch virtually as I am to consume more content faster and translate that into content to update Citrix partners/customers in a timely manner at high level and tech deep dive where required in particular areas or topics. Finally this blog post will most likely change over the next 2-3 weeks as I consume all of the Synergy 2017 content as when/how I can.

My Highlights of the Key Notes
Vision Keynote

– 4:45 Citrix User Group Community – THANK YOU! Join the community today its powered by some of the most passionate Citrix and Technology advocates from around the global!
– 11:00 Red Bull Racing I’m not going to say anything you need to watch it!
– 21:45 Cloud powers the world
– 27:00 Digital Frontier Companies
– 39:00 Citrix Secure Digital Workspace with a software-defined preimeter
– 40:57 Citrix Workspace Services and a brief demonstration by Citrix’s CEO
– 42:25 SD-WAN / Gateway / WebApp Firewall / DDoS (NS 12+) as a Service
– 47:35 Citrix Analytics Service
– 1:01:00 “Better Together” and video message from Microsoft CEO Satya Nadella
– 1:12:25 Citrix + Google Chromebook (Skype for Business, Office365 and much more…)
– 1:18:00 Healthcare customer story “Partners Healthcare”

Technology Keynote

– 22:00 Unified Workspace (its Adaptive and Contextual by device/location and it changes the users published resources and its access type!) which brings together some of the most crucial aspects of todays modern apps, desktops, data & your location in a single view with casting capabilities but not demoed as instead instead*
– 29:00 *Workspace IoT (SmartSpaces) demonstration with a users own mobile phone enables an auto login to a Win 10 VD at guest location including welcoming the user based upon his/her smart phone used as there identity. Security people feel free or you will be going nuts right now!
– 32:30 Its all about layering you guessed it Citrix App Layer enabling IT to say YES! Note demo was demoed using a Samsung DEX check it out –
– 39:40 Workspace Appliance Program e.g HCI
– 42:35 Protect against Zero day attacks with XenServer and BitDefender which is available but is something which Citrix announced on 21/06/2016 yes thats right 2016 entitled “A Revolutionary Approach to Advanced Malware Protection” – 21/06/2016 yes 2016!
– 47:00 Brad Anderson Corporate Vice President of the Enterprise Client & Mobility @Microsoft discusses shortly and then prefers to demonstrates our joint Citrix + Microsoft “Better Together” capabilities in Mobility, Virtualisation delivery from Azure and more.
– 1:01:38 Digital Jungle discussion its def worth your time if you about security and managing the experiences of your users workspace!
– 1:47:25 Vision of how the Digital Workspace is going to evolve

Citrix Synergy TV Breakout Sessions
The following are my current top sessions to watch in no particular order that I believe you’ll gain a lot of value out of watching BUT note that this may change as I continue to consume more of the on-demand content from Synergy 2017.

– SYN318 A to Z: best practices for delivering XenApp, XenDesktop –

– SYN111 – What’s new with Citrix Cloud and what’s to come –

– SYN120 – NetScaler SD-WAN updates –

– SYN103 – Citrix App Layering –

– SYN118 – What’s new with NetScaler ADC –

– SYN121 – What’s new with NetScaler Unified Gateway –

– SYN115 – Why should I use ShareFile if I already have Office 365? –

Innovation Super Session
Awaiting for the on-demand video publication but for now I will leave you with the following Tweet as a thought or rather a reminder to make sure that you watch it if you missed it!

Synergy 2017 Advocates Blog Posts
Citrix Synergy 2017 – It’s a Wrap – See all the most important announcements listed here! By Christiaan Brinkhoff. –

My New Secure Workspace Ready in less than 15 min the #CitrixLife

The views expressed here are my own and do not necessarily reflect the views of Citrix.

Today I received my new Mac, yes I’ve decided to move from a PC to a Mac for various reasons (those whom know me are probably going really!?) but I still have a Windows 10 tablet PC which I use regually at home, but most importantly my Windows 10 Citrix issued virtual desktop powered by XenDesktop (Citrix on Citrix) follows me anywhere with Citrix Receiver or the HTML5 Citrix Receiver!

I didn’t even turn on my old PC I just started working within less than 15 min from my new MacBook connected to my Win10 VD via Receiver and i’ll just sort out what I need locally like Reflector, NAMP e.t.c over the weekend as its a busy week post our local partner event Citrix Partner Accelerator.

What Did I Do?
1. Unboxed my new Macbook
2. Plugged in the power and pushed the power button its been a while since I’ve heard that CHIME 🙂
3. Completed Apples on-boarding process including setting up iCloud including connecting to the Citrix employee Wi-Fi from our London, Paddington offices check it out at –
4. Next I opened Safari and navigated to and it auto detected for me that I am connecting from a Mac and presented me with a download link to Receiver for Mac 12.4.
5. Once downloaded I installed it simple!
6. Opened Citrix Receiver and i entered in my addr which then prompted me for my Citrix employee username, passwd and 2FA Token
7. BOOM Receiver synced all my virtual apps & desktops that I had previously selected on other device(s) within a few moments of signing in
8. I clicked on my Windows 10 Virtual Desktop powered by XenDesktop and my new mobile #SecureWorkspace is ready to go within less than 15 minutes!

Understanding XenApp & XenDesktop 7.12 and What’s New

The following content is a brief and unofficial prerequisites guide to setup, configure and test delivering virtual apps and desktops powered by XenApp & XenDesktop 7.12 prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessarily conform to industry descriptions or best practises. The views expressed here are my own and do not necessarily reflect the views of Citrix.

Shortened Names

What’s New XenApp/XenDesktop 7.12
1. Yes it’s now avaiable & back “Local Host Cache” or LHC as it was most commonly reffered to previously and its back now within XAD 7.x Flexcast Mangagment Architecture (FMA) platform and everything you need to know is avaiable at –* & but a few note worth points to mention below followed by an overview of LHC vs. Connection Leasing by a Citrix XenApp & XenDesktop PM Craig. I have also embedded a how-to enable below along with a basic and brief architectural overview of LHC in XAD 7.12 which is powered by FMA and not IMA which is for anything XA 6.5 and below.

N.B LHC is disabled by default to enable it open up PowerShell in Admin mode or launching a PowerShell session using Studio and enter in the following “Set-BrokerSite -LocalHostCacheEnabled $true -ConnectionLeasingEnabled $false” once the command completes execute the following cmdlet “Get-BrokerSite” and check that the following value of “LocalHostCacheEnabled” is set to “True“. Note that CL is now also disabled and both CL and LHC should not be running simultaneously together as this is not supported.
– VDAs re-register with the elected XAD controller (broker)
– Support for up to 5K VDA’s
– LHC services “High Availability Service” performs shadow copy of the control info that the XAD Controller requires and the “Configuration Sync Service” will sync control info/data.
– Adequately size your XAD controllers correctly to account for the compute load required during an outage, please ref to the “RAM size” and “CPU core and socket configuration” sections under “Design considerations and requirements” at LHC documentation at – *.
– LHC utilises Microsoft SQL Server Express LocalDB and is auto installed when you install the XAD 7.12 controller and is installed regardless of weather LHC it enabled or not.
– Local Host Cache is enabled if connection leasing was disabled before the upgrade vs. Local Host Cache is disabled if connection leasing was enabled before the upgrade.
– To force an outage to test LHC in your home lab or organisations test/uat environment on the XAD controller open regedit as a Admin navigate to HKLM\Software\Citrix\DesktopServer\LHC” thereafter create a registry key “OutageModeForced” and set the value to 1 to force an outage mode once you have completed your tests then revert the value to 0. I would suggest prior to attempting to perform this test place a load with a few test by active users for Server VDA based workloads (XenApp) to best understand how LHC works in a failure scenario.

2. Thinwire Compatible Mode 8-bit color depth support (7.12 VDA only otherwise fallback to 24-bit by default) which is configured by select the following HDX policies.

– “ Use video codec for compression” and ref to for a list of avaiable configurations please note that if configured for the entire screen then 8-bit is NOT SUPPORTED!
– “Preferred color depth for simple graphics” and select the “8-bit” value

3. HTML5 video redirection is now available for INT web sites (disabled by default) and can be enabled by configuring the “Windows Media Redirection” by referring to and you also need require to add the following “JavaScript files are located in %Program Files%/Citrix/ICA Service/HTML5 Video of the VDA installer to your website” a sample external test web page can be found at the “HDX HTML5 video redirection test page at –
4. Azure Hybrid Use Benefits support e.g enable or disable support for the Azure Hybrid Use Benefits (HUB).
5. Record sessions based on client IP addr or range, TLS 1.2 encryption during data transfer and finally highlight idle periods in Player
6. NetScaler UG now supports H/A of HDX Framehawk – with supported NS firmware builds for Framehawk which include 11.0.62 & (+ preffered).
7. HDX Enlightened Data Transport (for evaluation only) or “EDT” –

Very High Level Overview*

Adaptive Display
(Evaluation Only)
High Defintion eXperience (HDX 

– Only VDA’s configured with IPv4 addressing is supported
– Requirements XAD +VDA 7.12, StoreFront 3.8
UDP setup on 1494 and 2598 on the VDA remember this is typically TCP but now must also be for UDP
– Enable policy setting “HDX Enlightened Data Transport“. Remember its DISABLED by default and you can setup 3x values “Preferred” UDP data transport is used where possible with a fallback to TCP, “Diagnostic mode” forces a UDP data transports with a fallback to TCP & “Off meaning TCP is used & does’nt affect HDX RealTime”
– If you are evaluating this then please refer to the “Tech Preview of New Adaptive Transport in 7.12” forum at –
– Note when testing directly from eDoc’s “the new data transport layer (“EDT”) is allowed by default in Citrix Receiver for Windows, however, by default, it will only attempt to use EDT if the setting in the ICA file for HDXoverUDP is Preferred or On” also please ref to the notes relating to Receiver on Mac’s

You can learn more about this evaluation by reading the following blog posts –* and by Citrix’s HDX PM Derek.

8. You can very easily setup and try XenApp 7.12 in Microsoft Azure today via Azure Marketplace by searching for “XenApp 7.12” or click the following link – after signing into the Azure Portal at –
9. Tagging with “App Groups” now provides the ability to a tag a VM(s) so that when published virtual apps in Application Group or virtual desktops in a Delivery Group are restricted to launch from VM(s) that have been tagged.

10. Advanced Reboot Schedules

11. In StoreFront 3.8 you can create multiple IIS sites and thereafter use the following PoSH cmdlet below to create a StoreFront deployment within your own IIS sites – What does this actually mean? You can host multiple RfW sites (stores) with each having its own domain name. In order to create your custom websites in IIS for your Stores and ReceiverforWeb firstly open up PowerShell using Studio (Simple way) then close Studio. Next you MUST ensure that NO other StoreFront MMC snap-in consoles are open within your StoreFront cluster and also on the individual Windows server (minimised) that you are setting up IIS sites. StoreFront will disable the mgmt console and displays a message. TIP: To learn how-to setup IIS sites/website please visit –

– From your open PowerShell window enter in the following which will create a custom IIS site/website for virtual apps and one for virtual desktops
– Type “Add-STFDeployment -SiteID 1 -HostBaseURL “”” (Virtual apps)
– Type “Add-STFDeployment -SiteID 2 -HostBaseURL “”” (Virtual desktops)
– Type exit and close the Powershell window prior to opening up Studio or a StoreFront MMC snap-in on any server in the StoreFront cluster

12. Although this one is not strictly new to StoreFront 3.8 and XenApp/XenDesktop 7.12 its often an overlooked feature (For CTX SysAdmins) which is the ability to securely export and then re-import your entire StoreFront configuration including using PoSH credentials for (de)encryption of the backup configuration. To learn more please check out – and use the feature prior to any StoreFront upgrades or migrations.

Deprecation Forecast
I would strongly recommend that you review and understand the Deprecation forecast announcements made during the XenApp/XenDesktop 7.12 release which is avaiable at –