21 August 2012

Run as alternate user for XenApp and RDS applications

Generally pass-through authentication is preferred for seamless applications published through Citrix XenApp and Microsoft's Remote Desktop Services. On occasion, however, you may want to run an application as another user account.
An example is allowing only standard user accounts to log on interactively to your host server, while requiring alternate credentials for a particular application.

This script prompts the user for the username to run as, combines it with the application path specified in the apppath variable, and hands the result to runas, which then requests the password.

Copy the script and save it as runalternate.vbs. In RDS or XenApp, specify the published application's command line as cscript runalternate.vbs.
' #################################################
'
' This script uses the runas command to execute
' the specified application as the specified user.
' runas itself prompts for that account's password.
'
' #################################################
Option Explicit
Dim apppath, Username, command, Wshshell

' Specify the application path here - leave the quotation marks as is.
' The leading space separates the path from the /user: argument, and the
' doubled quotes wrap the path so spaces in it are passed intact.
apppath = " ""C:\Program Files\Windows Resource Kits\Tools\confdisk.exe"""

Username = InputBox("Enter The admin Account domain\username", "Run App as")

' Stop if the user cancelled the dialog or left it blank
If Username = "" Then WScript.Quit 1

command = "runas /noprofile /user:" & Username & apppath
Set Wshshell = WScript.CreateObject("WScript.Shell")
Wshshell.Run command
Set Wshshell = Nothing



08 August 2012

IPv4 DNS records removed from DHCP clients with IPv6 Enabled

When client machines are configured to use a DHCP server with an IPv4 scope, they are issued an IPv4 address and a DNS host record (A record) is registered.

If IPv6 is also enabled, the client automatically obtains an IPv6 address and a corresponding AAAA record is registered in DNS.

In an environment where both IPv4 and IPv6 are enabled on a client machine (dual stacked) you should see two DNS entries for that machine:

  • The first is a normal IPv4 host record (A record)
  • The second is an IPv6 host record (AAAA record)

They look as follows in DNS:


When doing a name lookup on the host, you will get the following response:


When pinging another machine you will notice that it now defaults to IPv6 addressing, and that you have to run ping -4 to force IPv4 addressing.


I ran into a problem where DHCP client machines would initially register both the A and AAAA records, but after a while the IPv4 A records disappeared, were removed or went missing from DNS. The IPv4 address was of course still valid but could not be resolved with DNS since the record was no longer there. This caused an issue for machines with no IPv6 enabled.

The cause of this was a setting on the DHCP server.

If "Always dynamically update DNS A and PTR records" is the selected option, only one DNS record is updated. If IPv6 is enabled, it will be that one only.

The correct configuration, shown in the image below, is "Dynamically update DNS A and PTR records only if requested by the DHCP clients". With this option both records are not only registered initially but also kept updated.
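As an added example (not from the original post), the following PowerShell checks a list of hostnames against your DNS server and flags the exact symptom described above: a name that still has an AAAA record but has lost its A record. It assumes the Resolve-DnsName cmdlet (Windows 8 / Server 2012 and later) and, for the optional DHCP check, the DhcpServer module on a Server 2012 DHCP server; the server and host names are placeholders.

```powershell
# Added example: find dual-stack hosts whose IPv4 A record has gone missing.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+); names below are placeholders.
function Test-DualStackDnsRecords {
    param(
        [string[]]$HostName,
        [string]$DnsServer = 'dns01.example.local'   # placeholder DNS server
    )
    foreach ($name in $HostName) {
        # Query each record type separately; suppress errors so a missing
        # record simply yields no results rather than stopping the loop.
        $a    = @(Resolve-DnsName -Name $name -Type A    -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' })
        $aaaa = @(Resolve-DnsName -Name $name -Type AAAA -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'AAAA' })

        $status = if ($a.Count -gt 0 -and $aaaa.Count -gt 0) { 'OK (dual stack)' }
                  elseif ($aaaa.Count -gt 0)                 { 'MISSING A record' }   # the symptom in this post
                  elseif ($a.Count -gt 0)                    { 'IPv4 only' }
                  else                                       { 'no records' }

        [pscustomobject]@{
            Name   = $name
            A      = ($a.IPAddress    -join ', ')
            AAAA   = ($aaaa.IPAddress -join ', ')
            Status = $status
        }
    }
}

# Placeholder host list; in practice feed it the DHCP client names or lease table
Test-DualStackDnsRecords -HostName 'pc01.example.local', 'pc02.example.local' |
    Format-Table -AutoSize

# Optional: confirm the DHCP server's DNS update setting (DhcpServer module, Server 2012+).
# 'Always' corresponds to the first option in the post; 'OnClientRequest' to the corrected one.
Get-DhcpServerv4DnsSetting -ComputerName 'dhcp01.example.local' |
    Select-Object DynamicUpdates, DeleteDnsRROnLeaseExpiry
```

Run it on a schedule against the DHCP client list and any host reported as "MISSING A record" is one that IPv4-only machines can no longer resolve.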



06 August 2012

Customise Citrix XenApp Web Interface

This guide will take you through the process of customising and branding your Citrix XenApp Web Interface. Not all of the changes may be required in your implementation, but at the very least it is important to put your company logo somewhere. This is not just vanity: it reassures your users that they have in fact arrived at the correct place.

There are 3 basic pages that users will see:


  • Pre-Logon Screen (optional)
  • Logon Screen
  • Applications Screen


These pages are available in two variants:


  • Full graphics
  • Low graphics


The full graphics option is for desktop browsers. The low graphics option is for mobile devices such as smartphones and tablets. The default option is Automatic which, as the name implies, selects the version based on the client type.

Managing the site appearance
From the Citrix Web Interface Management console, select the site and click Web Site Appearance in the Actions pane.
This screen allows you to change all of the basic settings.
It also provides a way to preview the different screens that you have edited. Note: this is only a representation; it does not actually render your changes.


Changing the Layout

From the site appearance screen above, click the Layout button.
In the Overall Layout section you can select Full graphics, Low graphics, or both selected automatically.

Selecting either one explicitly forces it as the default on all devices.
You also have the option to allow users to override the default. They are initially taken to the appropriate layout, but after setting their preference it defaults to their choice. The user needs to navigate to the Settings section, where they can select the preferred layout.



Changing the Appearance
From the site appearance screen above, click the Appearance button.

The logon section allows you to pick between a Minimal and a Full option. The full option provides an additional toolbar at the top of the screen. This toolbar shows up on the application screen regardless of the option chosen.

Changing and adding custom content
From the site appearance screen above, click the Content button.

This is where you can define custom text fields to be included on the site. You can include some or all of the following:


  • Pre-Logon
  • Logon Screen Text
  • Application screen Text
  • Footer text


They show up on the screens as follows.

Pre-Logon Screen
This screen loads before the actual logon page and is useful for things like legal notices.



Logon Screen
The Logon Screen has a number of options and fields that can be changed. Besides the text fields specified above, the typical things you would also want to change are the Citrix branding at the top and the "Tagline" at the bottom. I have listed the location of the files.

The CitrixXenApp image "CitrixXenApp.png" is located in C:\inetpub\wwwroot\Citrix\XenApp\media

The "HorizonTagline" entry is a field in the accessplatform_strings.properties file located in c:\Program Files (x86)\Citrix\Web Interface\5.4.0\languages
You can specify a custom tagline or leave the value after the = blank.




Application Screen
The Applications screen will also contain some of the custom values, as shown here.


The application screen can also be configured to show the applications and desktops in different tabs.

If you go back to the layout options you can specify this behaviour there. I have personally found that for most users, and all novice users, using a single tab prevents a lot of confusion.



Conclusion
It does not take much time to customise the XenApp Web Interface, but it can make a big difference for your users. By default the site also looks like an ad for Citrix, so it is best to change that a bit. All of these changes can be made in 10 minutes, including testing.

You can take this a step further and edit the colours of the default images to more closely match your company colours. This gives the pages a nice feel and does not require a lot of work.

You can also take it even further and edit the style sheets and images directly, but you would have to weigh up the time and effort against the reward.

01 August 2012

Citrix Secure Gateway Configuration Explained Step By Step

The Secure Gateway allows you to connect to your Citrix XenApp server over the internet via an HTTPS (SSL) tunnel. Because you are using this tunnel you do not need any additional ports opened directly to your XenApp servers.

The only problem with it is that, despite having a configuration wizard, it is tricky to set up since the requirements are not always clear. You also need to configure half of the settings in the Web Interface console.

Server Layout
Depending on the requirements, your Citrix XenApp deployment will differ in the number of servers and the roles installed on them. This example covers the steps to configure a 3-tier configuration where XenApp, the Secure Gateway and the Web Interface are installed on three separate servers. The Web Interface is published to the internet via a reverse proxy. The Secure Gateway is published via a Non-Web Server rule.

Prerequisites
Before configuring the Secure Gateway you will need a few things:
  • A XenApp server
  • A XenApp Web Interface server
  • An SSL certificate


The XenApp server(s) will function as the STA (Secure Ticket Authority).
The Web Interface server needs to be referenced in the configuration, and it itself has to be configured to use the Secure Gateway.

The SSL certificate is used to encrypt and authenticate everything. I would suggest using a third-party certificate for this as it avoids a number of potential issues. Request and install the certificate on the server to be used as the Secure Gateway before proceeding.

Secure Gateway Configuration Wizard


  • Launch the wizard from Start - All Programs - Citrix - Administration Tools - Secure Gateway Configuration Wizard
  • Select the Standard configuration type
  • Select the certificate installed as a prerequisite
  • Check Monitor all IPv4 addresses
  • Select No outbound traffic restrictions
  • Click Add to enter the details of a server running the XenApp role
  • For how users access the Web Interface, select Direct (users enter the URL of the Web Interface)
  • Select to log Warning, Error and Fatal events
  • Check Restart Secure Gateway and click Finish




Once this is done the Secure Gateway is able to route sessions. Connection requests are sent to the Secure Gateway by configuring the Web Interface Secure Access settings to do so.

Web Interface Secure Access Configuration

By default the Web Interface is configured for Direct Access. But what does this actually mean? The little diagram they have tries to illustrate it, but I personally struggled to "get it" at first.

The diagram represents the client machine on the left. On the right are the XenApp role servers. (The Web Interface is not in the diagram at all.)


The process flow is as follows:

  1. Client logs onto the Web Interface
  2. Client launches an application
  3. Web Interface determines the client's connection address and evaluates which Secure Access rule to use
  4. Web Interface dynamically generates the .ica file
  5. Client downloads the .ica file
  6. The .ica file is automatically launched with the Citrix Receiver
  7. Citrix Receiver reads the .ica file to determine where and what to connect to
  8. Session is established


In the Direct case the file contains the actual IP address of the XenApp server. The client establishes an ICA connection directly on port 1494.

To route sessions through the Gateway we need to do two things:
  • Specify the criteria used in step 3 of the process flow
  • Specify what to connect to for step 7

For this example, all requests coming from the internet via the reverse proxy to the Web Interface should use the Gateway; all other connections should connect directly. (This is the most common scenario.)

  • Open the Citrix Web Interface Management Console
  • Select the XenApp Web Site
  • Click Secure Access in the Actions pane
  • Click Add and add the internal IP address of the reverse proxy server
  • The mask should be 255.255.255.255 to include only the specified IP
  • Access method should be Gateway Direct
  • (Repeat if there is more than one IP)
  • Click Next



This provides the criteria used in step 3 and sets the connection method that will be written into the .ica file in step 4.


  • Specify the Secure Gateway's external FQDN
  • Specify a server to use as the STA
  • Click Finish
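As an added example (not from the original post or Citrix's code), the following PowerShell models the decision the Web Interface makes in step 3: the client address is compared against each Secure Access rule (address plus mask) and the matching rule decides the access method, falling back to Direct when nothing matches. The reverse proxy address 10.0.0.50 and the client addresses are constructed values, and top-to-bottom first-match evaluation is an assumption about how the console applies its rules.

```powershell
# Added example: models Web Interface Secure Access rule matching (not Citrix code).
function Test-IPv4InRule {
    param([string]$ClientIp, [string]$RuleIp, [string]$Mask)
    # Compare client and rule address byte by byte under the mask
    $c = [System.Net.IPAddress]::Parse($ClientIp).GetAddressBytes()
    $r = [System.Net.IPAddress]::Parse($RuleIp).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($c[$i] -band $m[$i]) -ne ($r[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Resolve-SecureAccessMethod {
    param([string]$ClientIp, [array]$Rules)
    # Assumption: rules are evaluated top to bottom and the first match wins;
    # a client matching no rule falls back to Direct (the Web Interface default).
    foreach ($rule in $Rules) {
        if (Test-IPv4InRule -ClientIp $ClientIp -RuleIp $rule.Address -Mask $rule.Mask) {
            return $rule.Method
        }
    }
    return 'Direct'
}

# Constructed rule set: only the reverse proxy's internal address (an assumed value)
# is sent via the gateway; the 255.255.255.255 mask keeps the rest of its subnet direct.
$rules = @(
    @{ Address = '10.0.0.50'; Mask = '255.255.255.255'; Method = 'Gateway Direct' }
)

foreach ($client in '10.0.0.50', '10.0.0.51', '192.168.1.20') {
    $method = Resolve-SecureAccessMethod -ClientIp $client -Rules $rules
    switch ($method) {
        'Gateway Direct' { $target = 'Secure Gateway FQDN on 443, ticket from the STA' }
        default          { $target = 'XenApp server address on ICA port 1494' }
    }
    "{0,-14} -> {1,-14} ({2})" -f $client, $method, $target
}

# Contrast: a 255.255.255.0 mask on the same rule would also send 10.0.0.51,
# i.e. every internal client on that subnet, through the gateway.
$wide = @(@{ Address = '10.0.0.50'; Mask = '255.255.255.0'; Method = 'Gateway Direct' })
"10.0.0.51 with /24 mask -> {0}" -f (Resolve-SecureAccessMethod -ClientIp '10.0.0.51' -Rules $wide)
```

The last line shows why the mask matters: with 255.255.255.0 the internal client 10.0.0.51 would be classified as Gateway Direct, which is the misrouting the testing section below tells you to look for.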




Testing the connections
Once everything has been configured you can test your connections to see whether sessions are routed through the Gateway. Internal connections should go direct and internet traffic should go via the Gateway.

To see whether a session is using the Gateway or not, you can use the Secure Gateway Management Console and check Session Information. If a session from the internet is working, things are probably fine from that side. If clients connecting from the internal network are also going through the Gateway, you need to recheck the Web Interface's Secure Access settings.

Conclusion
Once you understand how things fit together it is much simpler to configure even more complex deployment options. This basic configuration will work for most small to medium environments.