Receiver 4.2 desktop shortcuts

Yeah yeah, long time no blog.  I know.  Life gets in the way.  Work gets in the way.  I have a list of things I need to blog about, and I’ll get to a few of them here shortly.  For now, though, this one really needs to get out there, so I’m shortcutting said list, and getting it out there for you.  You’re welcome.  🙂

There seems to be very little information out there on this topic.  I Googled for hours.  I read the Citrix eDocs.  I read everything I could find.  Sure, lots of other people have blogged about it, but all they did was parrot Citrix’s announcement of the fact that the feature is back.  I highly doubt that even one of them has tried to implement the feature.  Or at least, if they did, they found out how big of a pain in the ass it is, and how the behavior of it is so strange that maybe they are best served by not telling the public about it.

As an anonymous blogger, I don’t have those same worries – making Citrix mad at me.

So, here I am to give you the “straight dope”, as it were.

 

First – the ADM template that is referenced to be used – I tried it.  I verified that it was applying properly by using GPRESULT /H.  It was working fine to apply the SSO settings.  GPRESULT showed all the shortcut settings I had configured.  Except there were no shortcuts.  It wasn’t doing what it was supposed to do.  The registry entries below were not configured.  NO idea what the deal is with that, but in the environment I was working in, it didn’t get the job done.  Now, maybe there was an environmental issue causing it?  I don’t know.  What I DO know is that I had to find a way to make it work, and so I’ll share that here with you just in case the ADM template doesn’t work for you, either.

HKLM\Software\Wow6432Node\Citrix\Dazzle

PutShortcutsInStartMenu  REG_SZ  true
PutShortcutsOnDesktop    REG_SZ  true
StartMenuDir  REG_SZ  <whatever the directory you want apps to go into in the start menu – leave blank to put them directly in start>
DesktopDir  REG_SZ  <whatever the directory you want apps to go into on the desktop – leave blank to put them directly on the desktop>

 

SO – What’s this weird behavior?  Well, for starters, it actually has to do with Storefront, not Receiver.  But since Storefront and Receiver function more or less as a pair, and the issue is manifest in Receiver, I’m still blaming that.  Mostly because I’m stubborn, as the issue DOES lie with Storefront.  For the record, this environment was using SF2.6.

The problem is that when Storefront remembers the application subscriptions, apparently a flag is set BY RECEIVER that tells Storefront whether or not it should create the desktop shortcuts.  Thus, if you have Receiver 4.0 or 4.1, and have a bunch of applications subscribed, THEN you upgrade to 4.2 – NOTHING HAPPENS.  No desktop shortcuts, no start menu folder like you specified – NOTHING.  How to fix this?  The official answer from Citrix (that doesn’t seem to be documented ANYWHERE that I can find) is “unsubscribe and resubscribe to all your applications”.  Well isn’t that just peachy.

Ok, fine.  So you’ve done that.

But then – you log into another workstation, and that one isn’t configured for desktop shortcuts.  Then you log back into one that is, and lo and behold – NO SHORTCUTS!

This is just ridiculous.  Why is the data about whether or not to publish an application shortcut stored in Storefront to begin with?  What are the implications for people who use XenDesktop, and access that environment using the HTML5 client?  What then?  I didn’t test this, but I’d imagine it will create a problem as well since naturally the HTML5 client relies on Storefront subscriptions, and is incapable of publishing a shortcut to the desktop on the client machine the browser is being run on.

IMO, the way this SHOULD work is Storefront just keeps track of the subscribed apps, and the Receiver handles creating and publishing shortcuts for any subscribed app.  That way moving amongst machines with different Receiver versions and/or configurations won’t create a problem.  I mean really, Citrix.  You bill yourself as a mobility company, and yet when the rubber meets the road, now you’re saying that “Sure, you can be mobile – as long as all your access devices have the exact same version of Receiver configured the exact same way.”

 

Doesn’t sound very mobile to me.

 

Good luck,

CG1


Client Drive Mapping irritations

So I have a customer using XD5.6 with Win7 VMs, and XA6.5.  Everything was patched current on both the Microsoft and Citrix side.  The Receiver client in the VDAs was Receiver 3.4 Enterprise, the physical client-side receiver version didn’t matter, everything was tried (even Macs!).

The issue?  The customer needed to be able to map in USB thumb drives from the physical client.  Then, within the XD session, there were network drives mapped in (home drive, etc).  The customer needed to pass in BOTH the physical USB thumb drive as well as the mapped network drives so that content redirection would work properly and seamlessly from all sources within the XD VM.

Citrix doesn’t seem to support this.  I read CTX after CTX, and forum post after forum post.  I could only find one other person trying to do this, and their question was asked in an active thread with several Citrix employees commenting on it, and as soon as they asked how to map in BOTH, there was nothing but crickets.  Since June.

Well shitty!  What now?  The lack of information out there on the topic certainly doesn’t help my customer, and I’ll be damned if I’m going to give them some half-assed answer.  That’s just not my style.  After hours of messing with the registry, and confirming that the registry key referenced in CTX127872 was an either/or proposition (meaning one way you get the drives from the physical client passed into the XA session, the other way you get the drives from the XD VM passed into the XA session), I realized something had to give.  More investigation eventually brought me to the revelation that “one way, it maps everything WITH a drive letter, and the other way, it maps everything WITHOUT a drive letter”.

Ok, super.  So how to get the physical drives assigned a letter?  AH!  Legacy drive mapping!  It says it’s a XenApp solution, but I figured what the hell, why not give it a shot on XD anyway?  Yeah, no love.  For once, the CTX was actually correct in the scope of products it pertained to.  Go figure.

So I manually mapped one of the devices with net use at the command-line.  Then I opened that mapped drive and double-clicked a Word doc.  Success!  It opened in Word!  Now…  How to get all the drives to automatically map every time a user logs in?

Disclaimer:  I’m NORMALLY a VBScript guy.  Like, HARDCORE.  But, I didn’t have the time to properly write and debug some code, and this worked.  Yeah, yeah, go ahead and give me crap about not being a PowerShell guy.   Call me old, I just haven’t yet FULLY gotten on that bandwagon.  Feel free to re-write this in PS and post it in the comments.  🙂

In any event, what I wrote was this:

@echo off
if exist \\client\c$ net use * \\client\c$
if exist \\client\d$ net use * \\client\d$
if exist \\client\e$ net use * \\client\e$
if exist \\client\f$ net use * \\client\f$
if exist \\client\g$ net use * \\client\g$
if exist \\client\h$ net use * \\client\h$

I deployed it using a login script via GPO.  Again, no love.  The login script processed before CDM had a chance to finish bringing in the drives, so only the fixed disk mapped, not the USB removable drive.  The solution?  Put it in the startup folder in the default profile.

Voilà!  Client drives are now mapped from both the end point AND the VDI VM.  Sure, it might be a touch ugly, but if you can get your users to match up something as simple as E: and E$, they should be able to figure it out.

Happy mapping,
CG1

Configuring the Citrix Universal Printer

I might be a bit late to the party on this, but I just haven’t had a chance to play with this until just recently so here is a quick walk through on setting up the Citrix Universal Print Server.  It is not difficult but there are a few things you might find here to save you some time.  You can read about the details of the UPS all over the place but the short story is, the UPS will allow you to have session printers without the need to install drivers directly on the XA servers.  And we all know what a potential pain that can be.

If you haven’t done so already, I’d suggest installing HotFix Rollup Pack 2.  This rollup fixes many general printing issues.

Download the Universal Print Server from your MyCitrix account in the XenApp 6.5 Feature Pack 1 Components section.

NOTE: If anything is listening on port 8080 of your print server, this installation will fail and give you very little information as to why it failed, other than “Citrix Universal Print Server Installation failed.”  

Installing the software:

a.       Install UPClient on the XenApp server(s) following the on-screen instructions.

The spooler restarts automatically at the end of the UPClient installation, and the new Universal printer driver is installed.

b.       On the computer where you use the Citrix Group Policy Management Console, install the Group Policy Management software by double-clicking the CitrixGroupPolicyManagement MSI and following the on-screen instructions.

c.      On the Print Server, install UPServer by double-clicking CitrixUPServer_SelfExtractor.exe and following the on-screen instructions.

The UPServer component installs the following services:

  • XTE Service – Installed under the Network Service account and configured for automatic start (dependent on the Citrix Print Service).
  • Citrix Print Service – Installed under the Local Service account and configured for automatic start. After starting, the Citrix Print Service configures the XTE Service, which then starts.

d.      Enable the Citrix Universal Print Server through Citrix Policies.  This can be done in the Citrix App Center or via Group Policy.

  • Drill down on the Policies node under the XenApp65 farm
  • Citrix Computer Policies > Unfiltered (or create a new policy if you so choose)> Edit
  • Edit Policy > Settings
  • Select Printing > Universal Print Server > Universal Print Server enable > Add > Enabled with fallback to Windows’ native remote printing (This lets client printing fall back, so users can print outside the virtual print channel, direct to the print server.)

e.      You can confirm if the print server client loaded correctly by checking for the UpProv.dll file.

  • On the XA server, pull up the command prompt.
  • Type:  tasklist /m /fi "imagename eq spoolsv.exe" > c:\CitrixUPS.txt  (This redirects the output of the command to a text file in the root of the C: drive.)
  • Open this file with your favorite text editor and search for UpProv.dll.
  • Locating this file confirms the UPS has loaded.

Testing

To test if the Universal Print Server is working, create a session printer as normal using a Citrix policy.  Point the policy to the UNC path of the printer on the print server.   Do not load any drivers on the XA server.  Launch a Citrix published app like Notepad.  You should see your session printer.

In Notepad, select File | Print, right click on the session printer, Properties, Advanced and check the driver.  It should show the driver as the Citrix Universal Printer.

SQL mirroring for Citrix

So, you’re building a XenDesktop environment and you want to mirror the database for it.  While you’re at it, why not mirror PVS and XenApp, too?  They both support it.  But how do you do it?  You’re a Citrix admin, not a database admin!

Start by installing SQL Standard (or Enterprise) on two different servers.  Do NOT put the databases on the system drive!  Otherwise, just a vanilla install is fine (make sure to install SQL management studio).

For XD – create an empty database on the first SQL Server and call it whatever you want (XenDesktop is nice, but whatever).  The collation needs to be LATIN1_GENERAL_CI_AS_KS, and the recovery model needs to be set to full.  Also, make sure you have configured the proper permissions for your XenDesktop service account to access the database.  Then – create a new query and enter the following:

BACKUP DATABASE [XenDesktop] TO  DISK = N'C:\temp\XenDesktop.bak' WITH NOFORMAT, NOINIT,  NAME = N'XenDesktop-Full Backup', SKIP, NOREWIND, NOUNLOAD,  STATS = 10
GO

Then right click in the query window and select execute.  Copy the file XenDesktop.bak to the second SQL server.  Right click Databases and select Restore Database.  Enter XenDesktop as the database name, then select From Device, and browse to the file.  Then, check the box in the display next to the file name.  Then click Options in the left pane, and then make sure to select “without recovery”.

Now, go back to the first SQL Server and right click the database and then in the left pane, click Mirroring.  Click Configure Security.  Make sure the box for Witness Server is unchecked (if you want a witness, you can read more about it on MSDN, but this is a Citrix blog, not a SQL blog, so we’re keeping it simple).  Then enter the information for both the SQL servers.  Then for the account, use your SQL service account for each server (your SQL Servers do use a service account, right?  If not, go change it now – because if you want to use local system or network service, you need to use certificates, and I HATE certificates!).  Since the SQL servers in my deployments are generally dedicated to Citrix databases, I like to use the same service account for both servers.  If you use a different one for each server, just make sure you enter the correct one for each server.  After the wizard completes, click start mirroring.  That’s it.

Repeat the process for XenApp and PVS, changing the database names and .bak file names appropriately.  PVS and XenApp don’t much care about the database collation type like XenDesktop does.  For XenApp, though, you need to download the Native SQL client for the version of SQL Server you are using (2008 R2 is still the easiest with all the additional restrictions imposed by 2012).  After it’s downloaded, stop the IMA service, install the new client, and then open MF20.dsn and modify it thusly:

The Driver line should read

DRIVER={SQL Server Native Client 10.0}

Then, under the line beginning SERVER=, add the following line:

Failover_Partner=MYSECONDSQLSERVER

Obviously, put the name of your SQL Server in there.

Then just start the IMA service back up.

Nothing special should need to be done with PVS, provided the databases are correct.

 

Redundantly,
-CG1

Restricting access to the Web Interface and PNAgent/Services sites

So you have Web Interface publicly available, and a Services site publicly available.  Users love it because now they can use their Citrix apps on their iPad/DROID/Whatever with just an internet connection.  Management, however, is slightly less than thrilled.  It seems your company employs a large number of low-wage workers that are not necessarily trusted, and now they all have access as well.  As a result, PHB has given the ultimatum that you either find a way to restrict access to it, or you must take it down.  Further, they aren’t willing to spend money on a Secure Gateway or a NetScaler.  You must use the tools you have, and that’s it.

What to do?

The good news is, it CAN be done!  You need to have different sites internally and externally, however.  If you want to use the same server, it can be done.  Just create a second IIS site that listens on 8080 or something, and forward traffic from SG to that second site.  Then, make these changes on THAT site, NOT the regular internal site.  Otherwise, your users will be restricted inside the network as well, and I’m sure PHB would not be too happy about that!

To restrict the Web Interface, start by downloading ResGroups here.  The instructions are fairly simple to follow.  Add the files included, and edit two existing files.  Create an AD group to use to control access to the Web Interface, and you’re finished.  With Web Interface at least…

But what about the PNAgent/Services site?  You can’t use ResGroups because the PNA site doesn’t have all the same files the WI does, so there are things you need to modify that are “missing”.  Have no fear, you can still do it.  Mostly.

Before proceeding, you need to know that users will still be able to AUTHENTICATE, they just won’t have any applications show up.  If this is an issue, well, then I guess this solution won’t work for you.  For many companies, simply being able to prevent users from launching apps is good enough, especially for a FREE solution.  Here’s how to do it:

Browse to the webinterface.conf file in the PNA site on your webserver.  Open it up, and look for “Farm1”.  Depending on the number of farms you have configured, you may also see “Farm2” and “Farm3”, etc.  NOTE:  When you make this change, you’ll need to assign groups to ALL FARMS in the site!

The feature we are going to bastardize for this is called Web Interface Roaming.  It is designed such that if you have two farms, for example one in the US and one in Japan, each hosting applications in their regional language, and a US user goes to Japan, you don’t want them to launch Japanese applications, right?  So, you add both farms to the WI servers.  Then you create two AD groups – one for US users, and one for Japanese users.  If Farm1 is the US and Farm2 is Japan, you would add two lines to the file, like this:

Farm1Groups=mydomain\USUsers
Farm2Groups=mydomain\JapaneseUsers

Then, the US users will only see the US apps, and the Japanese users will only see the Japanese apps.  So you’re thinking “I could just not assign the US users to the Japanese apps, problem solved”.  Absolutely.  But for some reason, Citrix decided to build this in.  I’m sure there’s a more applicable reason you’d want to configure this, but play along.  I was only trying to illustrate the functionality of it, not the reasons Citrix chose to build it.

Anyhow.. Basically, what happens is that if the logged-on user is not a member of one of the groups above, they will see NO APPS.  If they are a member of USUsers, they’ll see the apps from Farm1.  If they are a member of JapaneseUsers, they’ll see the apps from Farm2.  So how can we use this to restrict who can see any apps with just one farm?  Do the exact same thing.

Create an AD group called “ExternalAllowed” or something similar.  Then, edit the file to add this line right after the line that starts with “Farm1”:

Farm1Groups=mydomain\ExternalAllowed

If you aren’t a member of that group, you see NO APPS.  But, you CAN still authenticate.
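
The NOTE above says every farm in the site needs a group once you start using Farm<n>Groups, and that is easy to miss on a site with several farms.  Here is a quick check for a webinterface.conf, as an added example (not from the original post or from Citrix): the sample file contents are constructed, and treating the group list as comma-separated is an assumption.

```python
import re

# Constructed sample of a PNAgent/Services site webinterface.conf.
# Only the key names Farm<n> and Farm<n>Groups come from the post;
# the server names and farm values are shortened placeholders.
SAMPLE_CONF = r"""
Farm1=xa-us-01,Name:US
Farm1Groups=mydomain\ExternalAllowed
Farm2=xa-jp-01,Name:Japan
Farm3=xa-lab-01,Name:Lab
Farm3Groups=
Farm5Groups=mydomain\Leftover
"""

FARM_KEY = re.compile(r"^Farm(\d+)$", re.IGNORECASE)
GROUPS_KEY = re.compile(r"^Farm(\d+)Groups$", re.IGNORECASE)


def parse_conf(text):
    """Return (farms, groups): farm number -> value, farm number -> group list."""
    farms, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # blank line or anything that is not key=value
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = FARM_KEY.match(key)
        if m:
            farms[int(m.group(1))] = value
            continue
        m = GROUPS_KEY.match(key)
        if m:
            # Assumption: several groups are separated by commas.
            groups[int(m.group(1))] = [g.strip() for g in value.split(",") if g.strip()]
    return farms, groups


def audit_farm_groups(text):
    """Report which farms have a group assigned and which were missed."""
    farms, groups = parse_conf(text)
    return {
        # Farms with at least one group on their Farm<n>Groups line.
        "restricted": {n: groups[n] for n in sorted(farms) if groups.get(n)},
        # Farms with no Farm<n>Groups line, or an empty one.
        "missing_groups": sorted(n for n in farms if not groups.get(n)),
        # Farm<n>Groups lines whose Farm<n> is not defined (typo or leftover).
        "orphaned_groups": sorted(n for n in groups if n not in farms),
    }


if __name__ == "__main__":
    report = audit_farm_groups(SAMPLE_CONF)
    for n, g in report["restricted"].items():
        print(f"Farm{n}: limited to {', '.join(g)}")
    for n in report["missing_groups"]:
        print(f"Farm{n}: no group assigned (Farm{n}Groups missing or empty)")
    for n in report["orphaned_groups"]:
        print(f"Farm{n}Groups is set, but Farm{n} is not defined")
```

Run it against the external site's file after every change; anything listed under missing_groups or orphaned_groups means the file does not match what you intended.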

Should be good enough to make PHB happy.

Enjoy,
CG1

Force Deletion of Desktop Group

I recently ran into an issue where the desktops did not accurately reflect their status in Desktop Studio. In other words, the machines were powered down in VMware but showed as being still powered on in Desktop Studio. Why this might have happened is another story. Perhaps the config in VMware changed; I don’t know, but that is certainly worth investigating.

In this case, I didn’t care. I just wanted to power off the machines so I could delete the group and start over. The problem is, the GUI won’t let you delete the catalog if it thinks the machines are powered up. Even putting them in maintenance mode wouldn’t work.

If you want to forcibly remove the Desktop group, open PowerShell. You can list the Desktop groups by typing: Get-BrokerDesktopGroup. To get a more concise list of just the names of the group: Get-BrokerDesktopGroup | ft name

Find the name of the group you want to remove and type: Remove-BrokerDesktopGroup -Name "groupname" -Force

That’s it. No warning. No “are you really sure you want to do this”. Just Poof and gone. Enjoy.
-CG2


Project Avalon Excalibur Release

“When will XenApp support Server 2012?”  “When will XenDesktop support Windows 8?”

The answer is finally upon us.  They won’t.

Before you blow a gasket, the reason they won’t is that XenApp and XenDesktop are in their last versions, at least as we know them.  The new product, which is yet to be named, and is known only as “Excalibur” at this time, combines both XenApp functionality AND XenDesktop functionality into a single package, managed from a single pane of glass.  Big news?

  • No more web interface.  Interviews with Citrix staff hint that it “should still work”, but officially only StoreFront will be supported.
  • No more IMA.  Everything will be FlexCast.

The Tech Preview of Excalibur will be available for download November 1.  Since I’m currently in the middle of a certification crunch, I don’t know how soon I’ll get ahold of it and start blogging about it, but I’m sure I’ll be behind the curve. Perhaps Geek2 or Geek3 will grab it and write something up for you loyal followers.  Otherwise, I’m sure Brian Madden or one of the guys who blogs for a living will beat me to it by a long shot.  Oh well.  Such is the life of a consultant who blogs for free….

Read the official PR from Citrix here.

-CG1