Tag Archives: NetScaler

Citrix Workspace Visio Stencils

The latest Visio stencils for the Citrix Workspace, including XenApp, XenDesktop, NetScaler, XenMobile, XenServer, ShareFile and Citrix Cloud.

Daniel (Follow on Twitter @djfeller)

Change Log

January 5, 2018:

  • Citrix Visio 2013-2016 Stencils
  • Citrix Visio 2003-2010 Stencils
  • Visio:
    • Added logon process diagrams for cloud
    • Added NetScaler Service for Citrix Cloud
    • Added NetScaler Gateway Service for Citrix Cloud
    • Added NetScaler MAS Service for Citrix Cloud
    • Added App Layering Service for Citrix Cloud
    • Added SmartTools Service for Citrix Cloud

October 3, 2017:

  • Visio:
    • Added logon process diagram
    • Added app launch process diagram
    • Added on-premises port diagram
    • Added Citrix Cloud port diagram
    • Updated conceptual diagram for on-premises deployment
    • Updated conceptual diagram for hybrid-cloud deployment
    • Updated conceptual diagram for Citrix Cloud deployment

September 6, 2017

  • PowerPoint:
    • Added PowerPoint template with icons and Citrix Workspace diagrams

August 21, 2017

  • Visio

June 1, 2017

  • Visio
    • 7.14 Release: Added NetScaler MAS, NetScaler SD-WAN, NetScaler Gateway, and two Citrix Cloud services: XenApp & XenDesktop Service and XenMobile Service

February 28, 2017

  • Visio
    • 7.13 Release: Added Antivirus, PVS Accelerator. Updated XenServer, PVS, VM and Physical Server icons

December 7, 2016

  • Visio
    • 7.12 Release: Added Active Directory, Workspace Environment Management, Federated Authentication Service and Machine Catalog

February 23, 2016

  • Visio
    • 7.9 Release: Added Secure Browser, AppDisk, AppDNA and Provisioning Services

January 4, 2016

  • Visio
    • 7.7 Release: Added Personal and Shared Linux desktop, zone, App-V and Cloud Connector

June 24, 2015

  • Visio
    • 7.6 Release: Added Linux virtual desktop, receiver, GPU/vGPU and Driver icons

August 29, 2013

  • Visio
    • 7.5 Release: Updated entire stencil set with new style

January 23, 2013










Integrate NetScaler with XenApp, XenDesktop and XenMobile

In part 1, I created certificates for my environment with Microsoft Certification Authority

In part 2, I integrated XenMobile into my XenApp and XenDesktop environment

In part 3, I will provide secure remote access to XenMobile, XenApp and XenDesktop with NetScaler.

NetScaler and XenMobile

  1. In a browser, navigate to
  2. Go to the Configuration screen
  3. Select XenMobile at the bottom of the left pane

Select XenMobile 10 and Get Started
Select only the following: Access through NetScaler Gateway6. For NetScaler Gateway Settings, enter the following:

a. IP Address:
Port: 443
Virtual Server Name: XenMobileGateway

6. For the certificate, choose the file from the appliance: WildcardCert.cer
For the key file name, choose the file from the appliance: Wildcard-snpp-local.key
Enter in the private key password we used when we created the key
9. For Authentication, enter in Active Directory information:

a. Primary authentication method: Active Directory/LDAP
IP Address:
Base DN: DC=SNPP,DC=local
Service Account: Administrator@snpp.local
Password: password for service account
Test the connection
Server Logon Name Attribute: sAMAccountName (this matches with the LDAP items we used for XenMobile)

10. For XenMobile App Management Settings, enter the following:

a. XenMobile Server FWDN: xm01.snpp.local
Internal load balancing IP Address: (just an unused IP Address)
Communication with XenMobile Servers: HTTPS

11. XenMobile Server Certificate: Use existing certificate – WildcardCert.cer_CERT_KEY
XenMobile Server:

NetScaler and XenDesktop

  1. In the left pane, select NetScaler Gateway – Virtual Servers
  2. Select _XM_XenMobileGateway in the virtual servers screen

Scroll to the STA section and select

Select Add Binding
Enter in the following:

a. Secure Ticket Authority Server: https://ddc01.snpp.local
Secure Ticket Authority Server Address Type: IPv4

6. Once entered, revisit the STA list to verify the XenMobile and XenDesktop STAs are green. If not, you must fix before continuing.


In the XenMobile Console (https://XM01.SNPP.local:4443), we do the following

  1. Select the gear icon in the upper right corner
  2. Select NetScaler Gateway
  3. Select Add
  4. Enter the following:
    a. Name: Gateway

    b. External URL: https://Gateway.snpp.local
    Logon Type: Domain only
    Password required: Yes
    Set as Default: Yes

Enable authentication


In the StoreFront console, we do the following

  1. Navigate to Stores
  2. Select the appropriate store at the top

In the right pane, select Configure Remote Access Settings

a. Enable Remote Access
Allow users to access only resources delivered through StoreFront (no VPN tunnel)

5. Enter the following:

a. Display Name: Gateway
NetScaler Gateway URL: https://gateway.snpp.local
Usage or role: Authentication and HDX routing

6. For Secure Ticket Authority, add the following:

https://ddc01.snpp.local (this should be the same one added in the NetScaler Gateway configuration. You only need the XenApp/XenDesktop STA and not the XenMobile)

For Authentication Settings, leave default options

8. Verify the remote access settings for the store


On the Android phone used earlier, do the following:

  1. While logged into Citrix Secure Hub, select the menu in the upper left
  2. Select Preferences – Account – Delete Account (We need to reconfigure Secure Hub for our Gateway address. You can also uninstall/reinstall the app from the app store)
  3. Enter in the following: gateway.snpp.local

Enter in user ID and password

Select Add apps from Store

Launch a XenApp/XenDesktop resource

With the session running, launch Director from the delivery controller. Look at the detailed information for the session to verify the Connected via address is the SNIP address ( for the NetScaler.


Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

Microsoft Certificate Authority for XenApp, XenDesktop, XenMobile and NetScaler

My lab is very XenApp and XenDesktop focused, but I need to expand the functionality to include secure access with NetScaler Gateway and incorporate mobile device management/mobile app management (MDM/MAM) with XenMobile.

From what I understand, in order to do this, I really need to install certificates. D’oh!

Every time I have to deal with certificates I know I will run into issues. I’m not spending money on certificates for my lab. I want to use Microsoft Certification Authority. Unfortunately, most documentation I read simply states “Get a certificate from your public authority”. That is not very helpful.

And I suspect many XenApp and XenDesktop admins have similar challenges, so I decided to document the process (minus all of the mistakes).

This will be a multi-part blog focusing on the following topics:

  1. Certificates
  2. Integrate XenMobile with XenApp and XenDesktop
  3. Integrate NetScaler with XenMobile, XenApp and XenDesktop

My Environment

First, some details about my starting environment (in case you are using this to guide your buildout).

  1. I have a XenDesktop and StoreFront environment built and operational for local user access
    1. NetScaler Gateway is NOT currently used
    2. All connections are using HTTP
  2. XenMobile Server
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, without configuring any optional settings. I did not configure certificates, LDAP, or NetScaler configs.
  3. NetScaler
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, including licenses

My environment specifics are as follows:

Server Name Roles Version IP Addresses
DDC01.snpp.local XenDesktop Controller 7.14
SF01.snpp.local StoreFront Server 3.8
XM01.snpp.local XenMobile Server 10.4
NG01.snpp.local NetScaler Gateway 12 MIP:



DC1.snpp.local Domain Controller

Certification Authority





Add the following addresses to DNS based on the defined IP addresses

  1. XM01.snpp.local
  2. Gateway.snpp.local
  3. StoreFront.snpp.local is an alias for SF01.snpp.local. StoreFront.snpp.local is the base URL for the StoreFront store

My Certificates:

Certificates are often the most confusing part of the configuration, especially when you are trying to use your own Certificate Authority (CA), like I am with Microsoft Certification Authority in Windows Server 2016. In order to successfully create a deployment, we need the following certificates

  1. Wildcard certificate (*.SNPP.local)
  2. Root certificate for my CA

Note: You can opt to use FQDN server certs instead of the wildcard, but you will need one for each server. The process is the same.

Create Certificate
Launch Internet Information Services (IIS) Manager from the StoreFront Server

Within IIS Manager, select the server in the left pane. Then double-click Server Certificates in the middle pane.
Select Create Domain Certificate from the right pane

Fill in the appropriate information with the common name being the wildcard cert name. In my example *.snpp.local

Hit Select to select the CA. Enter in a friendly name. Select Finish

6. The wildcard certificate should now appear in the window

 Export Certificates

The certificate is installed on the local StoreFront server. We need to export the certificate and private key so we can install it on our other servers.

1 Launch MMC
2. Select File – Add/Remove Snapin
Double-click Certificates
4. Select Computer Account
5. Finish the add/remove dialogs
6. Navigate to Personal – Certificates. The wildcard certificate should be visible. Right-click the cert and select Export

Do NOT export the private key
8. Select Base-64 encoded X.509

9. Give the certificate file a name like WildcardCert.cer and save

We need to export the certificate AGAIN

  1. Right-click the wildcard cert and select Export
  2. This time, include the private key
  3. Select the following

    a. Personal Information Exchange PKCS #12
    Include all certificates in the certification path if possible
    Export all extended properties

4. Add a password to the key file
Save the file with a name like WildcardCertKey

We need one more certificate, the Root Certificate so all of our devices will trust the certificates from our private CA.

  1. Open a browser and navigate to (This is the IP of the domain controller running certification authority)

Select Download a CA Certificate, certificate chain, or CRL
Select Base 64.

Select Download CA Certificate. Give it a name like SNPPRootCA

Install Certificates

We need to install the certs on the StoreFront server, delivery controller, XenMobile server and NetScaler. Because we created a domain certificate request on the StoreFront server, the certificate is already installed. But if you have multiple StoreFront servers, this must be done on the remaining ones.

Install Certificates on StoreFront and Delivery Controller Servers

  1. On the storefront server, double-click on the SNPPRootCA.cer file.
  2. Select Install Certificate

Select Local Machine
Select Place all certificates in the following store, and select Trusted Root Certification Authorities
The Root CA is now installed on the host.

To install the wildcard certificate,

  1. Double-click the certificate containing the private key: WildcardCertKey.pfx
  2. Select Local Machine

3. The file name should be filled in automatically
4. Enter in the certificate’s password
5. Place all certificates in the following store: Personal

Repeat on all remaining Windows-based delivery controllers and StoreFront servers

Install Certificates on XenMobile Server

Install the root certificate

  1. From your browser, navigate to This is the IP Address of the XenMobile Server
  1. Select the Gear icon in the upper right to go into the configuration menu
  2. Select Certificates
  3. Select Import
  4. Make the following selections

    a. Import: Certificate
    Use as: Server
    Certificate Import: SNPPRootCA.cer

Select Import
The Root CA should not be installed

Install the wildcard certificate

  1. Select Import
  2. Make the following selections

    a. Import: keystore
    Keystore Type: PKCS#12
    Use as: SSL Listener
    Keystore file: WildcardCertKey.pfx
    Password: this is the password used when exporting the wildcard certificate’s private key

Select Import
Select OK in the import message warning
Reboot the XenMobile server for the certificate to take effect

To test the certificate, launch a browser to https://xm01.snpp.local:4443. If the certificate works, there should be no untrusted certificate warning message. Make sure your endpoint has the following the root certificate installed in the local machine store.

If using Firefox (browser I used), you have to add the Root CA cert directly into the browser.
In Firefox, select Options
Select Advanced
Select Certificates

4. Select View Certificates
Under Authorities, select Import.

Select the SNPPRootCA.cer file

 Install Certificates on NetScaler

First, we need to create a PEM file from the PKCS#12 file (certificate export with private key)

  1. Launch a browser to and log in.
  2. Navigate to Traffic Management – SSL

3. Select Import PKCS#12. Use the following information

a. Output File Name: wildcard-snpp-local.key
Choose File: WildcardCertKey.pfx (This is the local certificate file we exported with the private key)
Input Password: enter in the password used for the export
Encoding Format: 3DES
PEM Passphrase: Enter in a password

Now, we need to upload our certificate

  1. In the Traffic Management – SSL section, select Manage Certificates / Keys / CSRs

Select Upload
Select WildcardCert.cer
Select Upload
Select SNPPRootCA.cer
Select WildcardCertKey.pfx
Select Delete. We don’t need that file anymore as it was used to create our keyfile

We install our server certificate

  1. Navigate to Traffic Management – SSL – Certificates – Server Certificates

  1. Select Install
  2. Enter in the following

    a. Certificate-Key Pair Name: Wildcard-SNPP-Local
    Certificate File Name: WildcardCert.cer
    Key File Name: wildcard-snpp-local.key
    Password: the PEM passphrase used earlier

Finally, we install our root certificate

  1. Navigate to Traffic Management – SSL – Certificates – CA Certificates
  2. Select Install
  3. Enter in the following

    a. Certificate-Key Pair Name: SNPPRootCert
    Certificate File Name: SNPPRootCA.cer

We are done with Certificates!!!!!!!!!

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video

More to Availability than Live Migration

Anytime I’m in a discussion that deals with server or desktop virtualization, the topic usually heads to high availability. I usually get asked about live migration features like XenMotion. Honestly, there are many scenarios where it doesn’t make sense, but that is a discussion for later. What does matter is that your implementation continues to operate even if something has failed.

Let me give you an example of what I mean. When I design a XenDesktop environment, I typically recommend, at a minimum, two Provisioning Services server even if the environment is capable of running with a single server. We typically refer to this as N+1. The reason is that if one server fails, the other can take over the load. I’m hoping this isn’t a new idea for you as this is how many people deal with fault tolerance. However, how do we take this to the next level? How do we make our XenDesktop environment as bullet-proof as possible? Where do we need to focus our attention on?

Another example… I’ve seen many people do N+1 on their Web Interface servers. Again, this is a good practice. But now the question is how are those servers being load balanced? Are you using intelligent monitoring that checks not only availability but also that the service is functioning appropriately?

These are just two areas that will be covered in the Synergy Session “SYN208 Guaranteeing availability and scale for XenApp and XenDesktop deployments“.

  • When is this session? October 6, 17:30
  • Where is the session? Synergy Berlin
  • Why attend? Because it will be good

Looking forward to seeing you there

Daniel – Lead Architect


One of the big questions regarding virtual desktops is storage. In fact, I’ve discussed this numerous times (here and here and here). This has mostly been with a focus on IOPS. This time I want to focus on the high-availability aspect you get with shared storage, but with the focus of being on the SMB/SME space (small to medium business/enterprise). If you want to do live migration, you must have shared storage. So, let me get straight to the point… You don’t need it. You don’t need XenMotion, vMotion or live migration in a SMB hosted VM-based desktop model. Look at the XenDesktop architecture and let’s focus at the component-level.

  1. Virtual desktops: Desktops are not servers. They aren’t as critical and shouldn’t reflect a higher cost. If the physical server fails, users simply make a new desktop connection.
  2. XenDesktop controller: Always, always, always implement redundant controllers. XenDesktop is smart enough to use a second controller if the primary fails. Is also worthwhile to put intelligent load balancing in front to catch other types of issues that don’t result in complete failure.
  3. Web Interface: Again, use redundant servers, but you need to provide intelligent load balancing so if one fails or goes off into La La Land, you won’t be directed to a bad server.
  4. NetScaler VPX: This is providing our intelligent load balancing mentioned for XenDesktop controllers and Web Interface. Again, implement redundant VPX’s. If you configure these in HA mode, a failure in one means the other one takes over automatically.
  5. Data Store: You can function without the data store, but you can’t make changes. Why not simply create snapshots and revert if needed. Or backup the database and restore if needed. You can even automate this if you want.
  6. License Server: You can function without a license server for 30 days (grace period). If the server is blown up, just rebuild the server and download your licenses (I’d also suggest you figure out why your server is blowing up).
  7. Provisioning Services: If one server fails, the other one takes over the streams automatically. The target desktops might experience a delay during the failover, but they won’t lose anything.

So I ask you, why spend money on SAN storage for virtual desktops in the SMB world if it is just going to cost you more money? Keep it simple

Danger, Danger My Server Crashed

We all know the impact a server failure can have on a group of users, but what if that server was a core component of a desktop virtualization solution?  That’s a lot of unhappy users.  Before desktop virtualization, nobody gave a second thought about desktop availability. If a desktop failed, it only impacted a single user and chances are you wouldn’t hear much. However, if a certain server fails in a desktop virtualization environment, that one server could impact 50, 100 or 1,000 users.  I can guarantee one thing, you will hear that many users.
Continue reading Danger, Danger My Server Crashed