Microsoft Certificate Authority for XenApp, XenDesktop, XenMobile and NetScaler


My lab is very XenApp and XenDesktop focused, but I need to expand the functionality to include secure access with NetScaler Gateway and incorporate mobile device management/mobile app management (MDM/MAM) with XenMobile.

From what I understand, in order to do this, I really need to install certificates. D’oh!

Every time I have to deal with certificates I know I will run into issues. I’m not spending money on certificates for my lab. I want to use Microsoft Certification Authority. Unfortunately, most documentation I read simply states “Get a certificate from your public authority”. That is not very helpful.

And I suspect many XenApp and XenDesktop admins have similar challenges, so I decided to document the process (minus all of the mistakes).

This will be a multi-part blog focusing on the following topics:

  1. Certificates
  2. Integrate XenMobile with XenApp and XenDesktop
  3. Integrate NetScaler with XenMobile, XenApp and XenDesktop

My Environment

First, some details about my starting environment (in case you are using this to guide your buildout).

  1. I have a XenDesktop and StoreFront environment built and operational for local user access
    1. NetScaler Gateway is NOT currently used
    2. All connections are using HTTP
  2. XenMobile Server
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, without configuring any optional settings. I did not configure certificates, LDAP, or NetScaler configs.
  3. NetScaler
    1. VM installed
    2. First time use wizard (CLI) completed
    3. First time use wizard (GUI) completed, including licenses

My environment specifics are as follows:

Server Name        Roles                                                  Version  IP Addresses
DDC01.snpp.local   XenDesktop Controller                                  7.14     172.16.0.117
SF01.snpp.local    StoreFront Server                                      3.8      172.16.0.119
XM01.snpp.local    XenMobile Server                                       10.4     172.16.0.13
NG01.snpp.local    NetScaler Gateway                                      12       MIP: 172.16.0.14, SNIP: 172.16.0.15, Gateway: 172.16.0.16
DC1.snpp.local     Domain Controller, Certification Authority, DNS, DHCP  2016     172.16.0.10

My DNS:

Add the following addresses to DNS based on the defined IP addresses

  1. XM01.snpp.local
  2. Gateway.snpp.local
  3. StoreFront.snpp.local is an alias for SF01.snpp.local. StoreFront.snpp.local is the base URL for the StoreFront store

My Certificates:

Certificates are often the most confusing part of the configuration, especially when you are trying to use your own Certificate Authority (CA), as I am with Microsoft Certification Authority in Windows Server 2016. In order to successfully create a deployment, we need the following certificates:

  1. Wildcard certificate (*.SNPP.local)
  2. Root certificate for my CA

Note: You can opt to use FQDN server certs instead of the wildcard, but you will need one for each server. The process is the same.

Create Certificate

  1. Launch Internet Information Services (IIS) Manager on the StoreFront server
  2. Within IIS Manager, select the server in the left pane. Then double-click Server Certificates in the middle pane.
  3. Select Create Domain Certificate from the right pane
  4. Fill in the appropriate information, with the common name being the wildcard cert name. In my example, *.snpp.local
  5. Hit Select to select the CA. Enter a friendly name. Select Finish
  6. The wildcard certificate should now appear in the window

Export Certificates

The certificate is installed on the local StoreFront server. We need to export the certificate and private key so we can install it on our other servers.

  1. Launch MMC
  2. Select File – Add/Remove Snap-in
  3. Double-click Certificates
  4. Select Computer Account
  5. Finish the add/remove dialogs
  6. Navigate to Personal – Certificates. The wildcard certificate should be visible. Right-click the cert and select Export
  7. Do NOT export the private key
  8. Select Base-64 encoded X.509
  9. Give the certificate file a name like WildcardCert.cer and save

We need to export the certificate AGAIN

  1. Right-click the wildcard cert and select Export
  2. This time, include the private key
  3. Select the following
    a. Personal Information Exchange PKCS #12
    b. Include all certificates in the certification path if possible
    c. Export all extended properties
  4. Add a password to the key file
  5. Save the file with a name like WildcardCertKey

We need one more certificate, the Root Certificate, so all of our devices will trust the certificates issued by our private CA.

  1. Open a browser and navigate to http://172.16.0.10/certsrv (this is the IP of the domain controller running the Certification Authority)
  2. Select Download a CA Certificate, certificate chain, or CRL
  3. Select Base 64
  4. Select Download CA Certificate. Give it a name like SNPPRootCA
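The same three files (WildcardCert.cer, WildcardCertKey.pfx and SNPPRootCA.cer) can be produced without the IIS, MMC and certsrv wizards. The script below is an added example and is not code from the original post: it enrols the wildcard certificate from the enterprise CA with the PKI module's Get-Certificate cmdlet, writes the Base-64 .cer, the password-protected PKCS#12 file and the root CA certificate. The template name WebServer, the output folder C:\Certs and the use of the certificate chain to locate the root are assumptions; the template must allow the private key to be exported, or Export-PfxCertificate will fail.

```powershell
# Added example (not code from the original post). Produces the same three files as the
# IIS / MMC / certsrv steps above, from an elevated PowerShell on the StoreFront server.
# Assumptions: the host is domain-joined, the CA publishes a template named 'WebServer'
# (rename to match your CA) whose private key is marked exportable, and C:\Certs is writable.
# Requires the PKI module (Windows Server 2012 / Windows 8 and later).

$SubjectName = 'CN=*.snpp.local'      # common name from the post
$DnsName     = '*.snpp.local'         # also placed in the Subject Alternative Name
$Template    = 'WebServer'            # ASSUMPTION: template name in your CA
$OutDir      = 'C:\Certs'             # ASSUMPTION: output folder
$PfxPassword = Read-Host -Prompt 'Password to protect WildcardCertKey.pfx' -AsSecureString

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function ConvertTo-PemCertificate {
    # Export-Certificate only writes DER, so build the "Base-64 encoded X.509" form by hand.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $body = [Convert]::ToBase64String($Certificate.RawData, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----"
}

# 1. Enrol the wildcard certificate from the enterprise CA (equivalent of "Create Domain Certificate").
$result = Get-Certificate -Template $Template -SubjectName $SubjectName -DnsName $DnsName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete (status: $($result.Status))" }
$cert = $result.Certificate

# 2. WildcardCert.cer: public certificate only, Base-64 (what NetScaler and the trust step need).
Set-Content -Path (Join-Path $OutDir 'WildcardCert.cer') -Value (ConvertTo-PemCertificate $cert) -Encoding Ascii

# 3. WildcardCertKey.pfx: certificate + private key + chain, PKCS#12, password protected.
#    This file holds the private key; it is only needed on the servers that terminate TLS.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'WildcardCertKey.pfx') `
                      -Password $PfxPassword -ChainOption BuildChain | Out-Null

# 4. SNPPRootCA.cer: walk the chain of the new certificate to its self-signed root and export
#    that, instead of downloading it from http://<CA>/certsrv.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) { throw 'Chain did not build; is the enterprise CA trusted on this host?' }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Set-Content -Path (Join-Path $OutDir 'SNPPRootCA.cer') -Value (ConvertTo-PemCertificate $root) -Encoding Ascii

Get-ChildItem $OutDir | Select-Object Name, Length
"Wildcard thumbprint: $($cert.Thumbprint)  Root: $($root.Subject)"
```

The PEM wrapper is needed because Export-Certificate writes DER only; the wrapped form is what the wizard calls "Base-64 encoded X.509" and what the NetScaler upload step expects. Step 4 relies on the host already trusting the enterprise CA (normal for a domain member), which is also why a non-domain endpoint later needs SNPPRootCA.cer installed by hand.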

Install Certificates

We need to install the certs on the StoreFront server, delivery controller, XenMobile server and NetScaler. Because we created a domain certificate request on the StoreFront server, the certificate is already installed. But if you have multiple StoreFront servers, this must be done on the remaining ones.

Install Certificates on StoreFront and Delivery Controller Servers

  1. On the StoreFront server, double-click the SNPPRootCA.cer file.
  2. Select Install Certificate
  3. Select Local Machine
  4. Select Place all certificates in the following store, and select Trusted Root Certification Authorities
  5. The Root CA is now installed on the host.

To install the wildcard certificate,

  1. Double-click the certificate containing the private key: WildcardCertKey.pfx
  2. Select Local Machine
  3. The file name should be filled in automatically
  4. Enter the certificate’s password
  5. Place all certificates in the following store: Personal

Repeat on all remaining Windows-based delivery controllers and StoreFront servers
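Repeating those two imports on every StoreFront server and delivery controller is easier to do, and to verify, from one console. The script below is an added example, not code from the original post: it installs both files through PowerShell remoting and then uses Test-Certificate to confirm that the chain builds to a trusted root and that the wildcard covers the StoreFront base URL name. The share path and the assumption that WinRM is enabled on the targets are mine; the server names come from the environment table above.

```powershell
# Added example (not code from the original post). Installs SNPPRootCA.cer into Trusted Root
# and WildcardCertKey.pfx into Personal on each listed Windows server, then checks that the
# chain validates for the StoreFront base URL name. Assumptions: PowerShell remoting (WinRM) is
# enabled, and the exported files are on a share each server can read (path is a placeholder).

$Servers     = 'SF01.snpp.local', 'DDC01.snpp.local'   # servers from the environment table above
$CertShare   = '\\DC1.snpp.local\Certs'                 # ASSUMPTION: share holding the exported files
$CheckName   = 'storefront.snpp.local'                  # StoreFront base URL; must be covered by *.snpp.local
$PfxPassword = Read-Host -Prompt 'Password of WildcardCertKey.pfx' -AsSecureString

$report = Invoke-Command -ComputerName $Servers -ArgumentList $CertShare, $PfxPassword, $CheckName -ScriptBlock {
    param($Share, $Password, $DnsName)

    # Root CA -> Trusted Root Certification Authorities. Re-importing an existing cert is harmless.
    $root = Import-Certificate -FilePath (Join-Path $Share 'SNPPRootCA.cer') `
                               -CertStoreLocation 'Cert:\LocalMachine\Root'

    # Wildcard certificate and private key -> Personal. Without -Exportable the key stays
    # non-exportable on this server, which is what we want for a TLS server key.
    $wild = Import-PfxCertificate -FilePath (Join-Path $Share 'WildcardCertKey.pfx') `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password

    # Test-Certificate -Policy SSL checks the chain, validity period, server-auth EKU and name match.
    $ok = Test-Certificate -Cert $wild -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        RootThumbprint  = $root.Thumbprint
        WildcardSubject = $wild.Subject
        HasPrivateKey   = $wild.HasPrivateKey
        ValidForSsl     = [bool]$ok
    }
}

$report | Format-Table Server, WildcardSubject, HasPrivateKey, ValidForSsl -AutoSize
```

A row with ValidForSsl = False but HasPrivateKey = True usually means the root did not land in the machine Trusted Root store or the name being checked is not covered by the wildcard (a wildcard matches one label only, so storefront.snpp.local matches but a.b.snpp.local would not).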

Install Certificates on XenMobile Server

Install the root certificate

  1. From your browser, navigate to https://172.16.0.13:4443. This is the IP address of the XenMobile Server
  2. Select the Gear icon in the upper right to go into the configuration menu
  3. Select Certificates
  4. Select Import
  5. Make the following selections
    a. Import: Certificate
    b. Use as: Server
    c. Certificate Import: SNPPRootCA.cer
  6. Select Import
  7. The Root CA should now be installed

Install the wildcard certificate

  1. Select Import
  2. Make the following selections
    a. Import: keystore
    b. Keystore Type: PKCS#12
    c. Use as: SSL Listener
    d. Keystore file: WildcardCertKey.pfx
    e. Password: this is the password used when exporting the wildcard certificate’s private key
  3. Select Import
  4. Select OK in the import warning message
  5. Reboot the XenMobile server for the certificate to take effect

To test the certificate, launch a browser to https://xm01.snpp.local:4443. If the certificate works, there should be no untrusted certificate warning. Make sure the endpoint you test from has the root certificate installed in its local machine store.

If using Firefox (the browser I used), you have to add the Root CA cert directly into the browser.

  1. In Firefox, select Options
  2. Select Advanced
  3. Select Certificates
  4. Select View Certificates
  5. Under Authorities, select Import.
  6. Select the SNPPRootCA.cer file
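A browser test tells you "trusted" or "not trusted" but not why. The function below is an added example, not code from the original post: it opens a TLS connection from a Windows endpoint with .NET's SslStream, records the validation result against the machine store, and reports the subject, issuer and expiry of whatever certificate the listener actually presented. Because it validates against the Windows store, a Firefox warning can persist even when this reports Trusted, which is exactly the Firefox-specific import described above.

```powershell
# Added example (not code from the original post): a client-side check of what the XenMobile
# listener presents, using .NET's SslStream. Works in Windows PowerShell 5.1 and PowerShell 7.
function Test-TlsEndpointCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    # The validation callback records the policy result but returns $true, so the handshake
    # completes and the certificate can be inspected even when it is NOT trusted.
    $state = @{ Errors = $null }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name users type; must match the certificate
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            NotAfter     = $remote.NotAfter
            PolicyErrors = $state.Errors          # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch, ...
            Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# The XenMobile console from the post. A NetScaler Gateway VIP would be checked the same way.
Test-TlsEndpointCertificate -HostName 'xm01.snpp.local' -Port 4443
```

PolicyErrors of RemoteCertificateChainErrors means the root is missing from the endpoint's Trusted Root store (or the server did not send its intermediate chain); RemoteCertificateNameMismatch means the wildcard does not cover the name you connected with. Note the function deliberately never fails the handshake, so it is a diagnostic, not something to reuse as a client.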

Install Certificates on NetScaler

First, we need to create a PEM file from the PKCS#12 file (the certificate export that includes the private key)

  1. Launch a browser to http://172.16.0.14 and log in.
  2. Navigate to Traffic Management – SSL
  3. Select Import PKCS#12. Use the following information
    a. Output File Name: wildcard-snpp-local.key
    b. Choose File: WildcardCertKey.pfx (this is the local certificate file we exported with the private key)
    c. Input Password: enter the password used for the export
    d. Encoding Format: 3DES
    e. PEM Passphrase: enter a password


Now, we need to upload our certificate

  1. In the Traffic Management – SSL section, select Manage Certificates / Keys / CSRs
  2. Select Upload
  3. Select WildcardCert.cer
  4. Select Upload
  5. Select SNPPRootCA.cer
  6. Select WildcardCertKey.pfx
  7. Select Delete. We don’t need that file anymore, as it was only used to create our key file

Next, we install our server certificate

  1. Navigate to Traffic Management – SSL – Certificates – Server Certificates
  2. Select Install
  3. Enter the following
    a. Certificate-Key Pair Name: Wildcard-SNPP-Local
    b. Certificate File Name: WildcardCert.cer
    c. Key File Name: wildcard-snpp-local.key
    d. Password: the PEM passphrase used earlier


Finally, we install our root certificate

  1. Navigate to Traffic Management – SSL – Certificates – CA Certificates
  2. Select Install
  3. Enter the following
    a. Certificate-Key Pair Name: SNPPRootCert
    b. Certificate File Name: SNPPRootCA.cer


We are done with Certificates!!!!!!!!!

Daniel (Follow on Twitter @djfeller)
Citrix XenApp and XenDesktop 7.6 VDI Handbook
XenApp Best Practices
XenApp Video


Citrix Visio Stencils (June 2017)


Note: These stencils are old. Please visit the Tools section of this site for the latest Visio stencils.

Now that Citrix Synergy is over, I’ve got some new Visio stencils for Citrix architects.

First, I’ve got role-based stencils for NetScaler (based on a request from a Citrix architect and Visio user).

Second, I created a stencil for Citrix Cloud XenMobile Service to align with the Citrix Cloud XenApp and XenDesktop service.

I’m noticing these XenApp and XenDesktop stencils have started to grow beyond XenApp and XenDesktop.  I think it is time to rename these stencils to Citrix Visio Stencils.

And like before, I created a set of Visio stencils in the Visio 2010 format.


Optimize VDI: Windows 10 User Interface and Runtime (Original, Anniversary and Creator Updates)


This is a multi-part blog series focused on optimizing Windows 10 VDI

As we saw in previous blogs, Microsoft added new default apps, services and scheduled tasks into the base operating system of the Windows 10 Build 1703 (Creator Update). These updates will have an impact on the user experience, especially in a VDI implementation.


Optimize VDI: Windows 10 Scheduled Tasks (Original, Anniversary and Creator Updates)


This is a multi-part blog series focused on optimizing Windows 10 VDI

As we saw in previous blogs, Microsoft added new default apps and services into the base operating system of the Windows 10 Build 1703 (Creator Update). These updates will have an impact on the user experience, especially in a VDI implementation.

Scheduled Tasks

Many of the new capabilities within the latest builds of Windows 10 also implement new scheduled tasks. Although the tasks do not run continuously, they impact density when they execute, and many are irrelevant in a non-persistent VDI environment.

  • Build 1507: 130 Tasks
  • Build 1607: 166 Tasks
  • Build 1703: 165 Tasks

History has shown that optimizing Windows scheduled tasks can improve logon time and server density. It is recommended to review the list of scheduled tasks and disable those that are not necessary for the users.

To see a list of scheduled tasks, run the following PowerShell command:
Get-ScheduledTask

Color Code:

  • Green: Customer experience program tasks
  • Orange: Maintenance tasks
  • Blue: Tasks for applications
  • Purple: General system tasks
  • Red: Safety and security tasks


Achieving fast logon times


Wow! That’s fast.  That is the reaction users should have when they log onto their virtual desktop.

I’ve heard many talk about how slow or fast their logons are, but many times we tend to exaggerate.  I’ve discussed this topic before in two recent blogs:

So I thought it might be interesting to see the difference Workspace Environment Management has on the logon experience with VDI.

Note: Both of these examples mapped 5 drives, mapped 3 printers, used a 500MB roaming profile and executed a single logon script that queried a single AD Group.

Improving logon time is a fun topic because the experience is oftentimes so bad.  I heard (and I’ve complained) about the horrible experience.  On the opposite side, I’ve also heard many others bragging about how fast their logon times are.  What’s your logon time?  Excited to share or afraid to say?


Optimize VDI: Windows 10 Services (Original, Anniversary and Creator Updates)


This is a multi-part blog series focused on optimizing Windows 10 VDI

As we saw in a previous blog, Microsoft added new default apps into the base operating system of the Windows 10 Build 1703 (Creator Update). These updates will have an impact on the user experience, especially in a VDI implementation.

Windows Services

Many of the new capabilities in the latest builds of Windows 10 also implement new Windows services. With each release, the number of services has steadily increased.

  • Build 1507: 196 Services
  • Build 1607: 212 Services
  • Build 1703: 223 Services

History has shown that optimizing Windows services can improve logon time and server density. It is recommended to review the list of services and disable those that are not necessary for the users.

To see a list of Windows services, run the following PowerShell command:
Get-Service

The table below shows the state of each service (Stopped or Running). Only services with green, orange or red shading should be considered for disabling.

Color Code:

  • Green: A currently running service; consider disabling
  • Orange: A stopped service that will run when requested; consider disabling
  • Red: Disable IF an alternative approach is used


Optimize VDI: Windows 10 Default Apps (Original, Anniversary and Creator Updates)


This is a multi-part blog series focused on optimizing Windows 10 VDI

With the release of Windows 10 Build 1703 (Creator Update), Microsoft added new capabilities into the base operating system that will have an impact on the user experience in a VDI implementation.

Default Apps

Microsoft expanded the list of default applications that come pre-installed within the base OS.

With each release, the number of default apps increased.

  • Build 1507: 24 Apps
  • Build 1607: 26 Apps
  • Build 1703: 31 Apps

As shown in previous tests, leaving these apps in the base operating system directly impacts user logon time and overall system density. It is generally recommended to review the list of apps and uninstall those that are not necessary for the users.

To see a list of default Windows apps, run the following PowerShell command:
Get-ProvisionedAppxPackage -Online | Select-Object DisplayName

Color Code:

  • Green: Remove
  • Orange: Consider removing
  • Red: Keep
  • Black: App does not exist on build
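The three posts above (scheduled tasks, services and default apps) each start from the same step: list the items on a given build, decide per item, then disable or remove. The script below is an added example, not code from the original series: it inventories all three in one pass, tags each row with the Windows 10 build so the counts can be compared across 1507, 1607 and 1703, exports the list for review, and applies a reviewed decision list with -WhatIf so nothing changes until the list has been checked. The decision rows shown are constructed placeholders, not recommendations; the CSV path is an assumption.

```powershell
# Added example, not from the original series: inventory the scheduled tasks, services and
# provisioned (default) apps of a Windows 10 master image, tag each row with the build so the
# counts can be compared across 1507/1607/1703, and apply a reviewed decision list with a
# dry run first. Run in an elevated Windows PowerShell 5.1 on the image being optimised.
# Get-ScheduledTask comes from the ScheduledTasks module, Get-AppxProvisionedPackage from Dism.

function Get-Win10Build {
    # ReleaseId (1607, 1703, ...) was introduced with build 1511; older builds only have CurrentBuild.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($nt.ReleaseId) { $nt.ReleaseId } else { $nt.CurrentBuild }
}

function Get-VdiInventory {
    $build = Get-Win10Build
    $rows  = @()
    $rows += Get-ScheduledTask | ForEach-Object {
        [pscustomobject]@{ Build=$build; Kind='ScheduledTask'; Path=$_.TaskPath; Name=$_.TaskName; State=[string]$_.State }
    }
    $rows += Get-Service | ForEach-Object {
        [pscustomobject]@{ Build=$build; Kind='Service'; Path=''; Name=$_.Name; State="$($_.Status)/$($_.StartType)" }
    }
    $rows += Get-AppxProvisionedPackage -Online | ForEach-Object {
        # PackageName is what Remove-AppxProvisionedPackage needs, so keep it alongside DisplayName
        [pscustomobject]@{ Build=$build; Kind='ProvisionedApp'; Path=$_.PackageName; Name=$_.DisplayName; State='Provisioned' }
    }
    $rows
}

function Disable-ReviewedItem {
    # Applies one decision row. Supports -WhatIf / -Confirm so the list can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Item)
    process {
        $target = "$($Item.Kind) $($Item.Path)$($Item.Name)"
        if (-not $PSCmdlet.ShouldProcess($target, 'Disable/remove')) { return }
        switch ($Item.Kind) {
            'ScheduledTask'  { Disable-ScheduledTask -TaskPath $Item.Path -TaskName $Item.Name | Out-Null }
            'Service'        { Set-Service -Name $Item.Name -StartupType Disabled }
            'ProvisionedApp' { Remove-AppxProvisionedPackage -Online -PackageName $Item.Path | Out-Null }
            default          { Write-Warning "Unknown kind '$($Item.Kind)' for $($Item.Name)" }
        }
    }
}

# 1. Inventory and export for review (the colour-coded decision is made offline, in the CSV).
$inventory = Get-VdiInventory
$inventory | Group-Object Kind | Select-Object Name, Count      # compare with the per-build counts above
$inventory | Export-Csv -Path "C:\Temp\win10-$(Get-Win10Build)-inventory.csv" -NoTypeInformation   # ASSUMPTION: path

# 2. Apply a reviewed list. The rows here are constructed placeholders, not a recommendation;
#    replace them with the items marked for disabling in your own review.
$decisions = @(
    [pscustomobject]@{ Kind='ScheduledTask';  Path='\Microsoft\Windows\EXAMPLE\'; Name='ExampleTask' }
    [pscustomobject]@{ Kind='Service';        Path='';                             Name='ExampleService' }
    [pscustomobject]@{ Kind='ProvisionedApp'; Path='Example.App_1.0.0.0_neutral_~_placeholder'; Name='Example.App' }
)
$decisions | Disable-ReviewedItem -WhatIf        # dry run: prints what would change
# $decisions | Disable-ReviewedItem -Confirm      # apply interactively once the list is reviewed
```

Keeping TaskPath and TaskName as separate fields matters: Disable-ScheduledTask matches on both, and TaskPath includes the trailing backslash. Removing a provisioned package only stops new profiles from getting the app; profiles that already exist keep their copy, which is why this is done on the master image before users log on.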
