Posts tagged Citrix

Running the Citrix License Server Virtual Appliance in Vmware

I thought it was cool when I found that Citrix had a Citrix License Virtual Appliance.

To me, it was one less server to “manage” plus it would allow add it to my VMWare environment to make it highly available.  Well, i was disappointed to find out it was only for xenserver, so I set out to use it with VMware (because I dont like when a company tells me i cant)

 

This is going to take some time, and you will need to download a few things, so pay attention

You need:

Citrix License Server XVA from the Citrix Website

VirtualBox 4 from Oracle

CentOS 5 x64 Live CD ISO

XenServer ISO

XenConvert

 

How to Proceed:

Create a VM in VMWare and install XenServer (give it at least a 30GB disk)

Note the new IP of your XenServer and connect to it via your browser and follow the link to Install XenCenter

From XenCenter Load up the Citrix Licensing XVA file

Boot the VM once and then shut it down (dont configure it)

Export the License server again to an XVA (C:\Temp)

 

Right now you are wondering WHY we are going back to XVA, let me explain.  Citrix “mangled” the header of the XVA file so only XenServer could import it.  If you try to convert it directly with XenConvert you will get an error.

 

Install and Run XenConvert

Choose to Convert from “Xen Virtual Appliance” to “Open Virtualization Package” and just accept all the default options

When the Converter finishes, you will be left with a VHD and an OVF file.

 

Install and Run VirtualBox

Create a new VM called “Citrix License Server Virtual Appliance”

Choose Redhat 64-bit as the OS

Give it 512mb of RAM

Remove / Disable the Sound Card

Choose the previously created VHD (from XenConvert) as the harddisk

Boot it once, you will get an error “Error 13: Invalid or unsupported executable format”

Shut down the machine and from the menu choose “export appliance” and export it as an “OVF” <–THIS IS IMPORTANT

 

Open up the newly created OVF XML file with your trust text editor and change the line that read

Note: I take ABSOLUTELY NO CREDIT FOR THE FOLLOWING, this was a post from an excellent blog called IT Secure Net and you can find the post here

<vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>

with

<vssd:VirtualSystemType>vmx-07</vssd:VirtualSystemType>

 

 

and also

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>sataController0</rasd:Caption>
<rasd:Description>SATA Controller</rasd:Description>
<rasd:ElementName>sataController0</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
<rasd:ResourceType>20</rasd:ResourceType>
</Item>

to

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>SCSIController</rasd:Caption>
<rasd:Description>SCSI Controller</rasd:Description>
<rasd:ElementName>SCSIController</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
<rasd:ResourceType>6</rasd:ResourceType>
</Item>

Now deploy the OVF to your ESX Server.  You will get a couple of warnings about the OS and asking you to continue, just hit YES

Once it finishes, start up your new VM, which should bring you back to the familiar “Error 13: Invalid or unsupported executable format” we saw earlier.

 

This whole time we spent it just converting the Appliance.  Now we need to get it to run on VMWare.

Find that CentOS 5 X64 and Attach it to the new VM

Boot the VM and when prompted hit F5 “Linux Rescue”

Enable the Network Interface when prompted (you will need Internet Access)

From the shell, run the following commands

now view your /boot/grub/menu.lst, if it already has an entry for the new kernel (2.6.18-348.6.1.el5) then you are good to go, otherwise lets use grubby to add it

Now reboot (dont forget to disconnect the CentOS 5 ISO) and configure your new license server and Enjoy

If for whatever reason you get the “Error 13” screen again, re-load the linux rescue and delete the old entries for the el5xen kernel and img from the /boot/grub/grub.conf file

There you go Citrix, I just did your work for you!!

Facebook Twitter Email Linkedin Digg Delicious

Unable to Connect Via RDP

I dont know why this happens,

but on some of my Citrix Servers you sometimes cannot connect via RDP

and guess what, a reboot doesn’t fix it.

Well, this handy little script will help solve your issue, not only with RDP, but also with ICA

 

RDP / ICA Reset Script

I dont remember exactly where I got this script but its been in my toolbox for a while, credit to the originator whomever you may be

Facebook Twitter Email Linkedin Digg Delicious

Check which Policy is being hit on the Citrix NetScaler

Want to know which policy is being hit on the netscaler.  In real time!!

  1. From the Command line of the netscaler type
  2. issue the command
  3. What to check for a specific Policy, just add the “grep” command

    where “Citrix” is the Policy you are looking to trace

 

Facebook Twitter Email Linkedin Digg Delicious
nomore

Something Funny I found today on my NetScaler

When I went to kick off a user from my production netscaler, this is the message that popped up:

No more logged in? Really? Citrix? Really? lolz for all!!

 

 

Facebook Twitter Email Linkedin Digg Delicious
nspol4

How to Grant your HelpDesk Limited Access to your NetScaler CLI Shell

If you ever needed to troubleshoot login issues with the Netscaler, you know that you have to drop down to the Command Line Interface (shell) in order to trace the aaad.debug log.

But what if you need to give your helpdesk access to the same logs so that they can troubleshoot login issues?  Well, that requires that you give them shell access.

But, as per Citrix, “If a user goes to the shell,  that user is already a root user”, and we sure wouldnt want our helpdesk techs having root access to our Netscalers.  So how do we give them enough access to troubleshoot but not have root, we can create a “Command Policy”

A “Command Policy” is what tells the Netscaler what a user can and cant do, for example, the command policy for “superuser” is “ALLOW .*” (that’s a period and  an asterisk which is Regular Expression for “Any Character”), that means the user with the command policy of superuser can execute any command.

Now to create the command policy for the Helpdesk

  1. Log in to our NetScaler using a superuser account
  2. Under the System Folder, select “Command Policies”
  3. Click the “Add” button and name your new policy “HelpDesk”, make sure that the “Action” is set to “Allow” and enter the following expression under “Command Spec”

    When you are done, it should look like this (you dont need to put text in test command, I only put that there as an example)

 

Now we have to assign our new policy to our Helpdesk group.  Since my NetScaler is “LDAP enabled” for login in, all I have to do is create a group, assign my new policy, and done. (If your Netscaler is not LDAP enabled, then you will have to go and create users manually and assigning them to the group we are going to create bellow)

  1. Under the same “System” folder, Select “Groups”
  2. Click the “Add” button and name your new group “NetScaler-HelpDesk” (It has to match exactly what your helpdesk group is called in LDAP, in my case I have a group called “NetScaler-HelpDesk”)
  3. Under the “command policies” window, pick your newly created “HelpDesk” Policy, then hit the “Create” and then the “Close” button
  4. Now Fire up putty and try to login with one of your HelpDesk user ID’s, you will see that you can only trace “log” or “debug” files and only in the “/var/log” and “/tmp” directories

    Thats all there is to it.  Now your Helpdesk can troubleshoot NetScaler log in issues while you concentrate on fixing other things

 

Facebook Twitter Email Linkedin Digg Delicious
nsldap9

How to Enable Active Directory Logon into Citrix NetScalers GUI

When using the Citrix Netscalers, you can find yourself login in to the management gui a few times a week to do some sort of maintenance task or just to monitor whats going on.  I dont know about everyone else, but to me it is pretty annoying having to remember a different password for every appliance that I have running, so here is how to use LDAP to login to the management gui of the netscalers.

 

  1. Log in to thet NetScaler GUI with local Root credentials (preferably nsroot)
  2. Expand the “System” Folder and click on “Authentication”
  3. Click on the “Servers” tab and click the “Add” button
  4. Enter your Authentication server settings and Click “Create” then “Close”
  5. Now click on the “Policies” tab and click the “Add” button
  6. Enter a simple expression of “ns_true” (you must choose “Advanced Free-form” from the dropdown) and click”Create” then “Close”
  7. Right click your Newly created LDAP Authentication Policy and choose “Global Bindings”
  8. Click the “Insert Policy” button and from the drop down pick your LDAP authentication policy.
  9. Click OK and once you return to the Authentication Screen, you should see a green check mark under the column “Globally Bound?”

Now we have to let the NetScaler know whos going to be login in, and in order to do that we must create either a user account or a group, so lets create a group called “NetScaler-Admins”

  1. In “Active Directory Users and Computers” make sure that there is a group called “NetScaler-Admins”
  2. In the Netscaler gui, expand the “System” folder and pick “Groups”
  3. Click “Add” and type in a name for the group, the name must be exactly the same as the group in AD so we call this group “NetScaler-Admins”
  4. Assign the privileges that you want to give this group, in this case “superuser” and click the “Create” Button then the “Close” button
  5. Thats all there is to it, now have someone who is a member of the AD group “NetScaler-Admins” attempt to login to the NetScaler gui with their AD credentials, and it should let you right in

If you find that the login is not working, putty into the NetScaler and tail the /tmp/aaad.debug log, alot of times the issue is as simple as not being a member of the correct AD group, or our LDAP Policy/Server config not being setup correctly.

Also, these same procudures can be done for Individual user accounts as well, so if your user in ldap is jsmith, then create the user jsmith under the “Users” page instead (the password wont matter, just make it hard enough so no one will be able to guess it)

Facebook Twitter Email Linkedin Digg Delicious
nsvm4

Running NetScaler VPX in VMWare Desktop 7

I have production NetScalers, but I also wanted to have a NetScaler on my desktop that I could quickly jump into, make changes, and not worry about breaking something.

Citrix offers a NetScaler Image for ESX, the problem is that the image wont work / load correctly in VMWare Desktop 7, but with a few steps you can have NetScaler running on VMware Desktop in no time.

 

Before I begin, I’m assuming that you have VMWare Desktop 7 already Installed, and that you have a login to Citrix.com, also, I’m working with NSVPX-ESX-9.2-50.4

 

  1. Go to Citrix.com and Download the NetScaler VPX for ESX (If you dont see any downloads, you must login first)
  2. Unzip the file using your favorite utility, Once done you should be left with 3 files (.vmdk, .mf, and .ovf)
  3. Create another folder where your “Converted” VM will go
  4. Open up the command prompt (Start -> Run -> CMD) and CD over to the OVFtool folder (for me located at C:\Program Files\VMware\VMware OVF Tool)
  5. Run this command

  6. Now that the command completed, look in your “converted” folder and you should see 2 files (.vmx, .vmdk)
  7. Using your favorite editor, open up the .VMX file and find the line that reads

    Replace that line with
  8. Save the .VMX file, and Move your newly created “converted” folder to wherever it is that you keep your VM machines
  9. Open VMWare Desktop 7, click on File -> Open, find your “converted” folder and select the .VMX file (its probably the only file you can see in the folder)
  10. Now click the Green Start button and off you go, you should end up in a prompt for  asking you for the NetScalers IPv4 address.
  11. Make sure to setup your IP based on the type of Networking you have setup for your VM, if you are using bridged, pick an IP from your routers range, if using NAT assing a 192.168.26.x IP (VMWare Default Range for NAT) and forward port 80 to that IP, if using host only, you dont need to forward port 80 but just make sure you know which IP range it uses
  12. Setup your IP’s any way you want, point your browser over to “http://ipyouchosetouse” and enjoy using your NetScaler on VMWare Desktop 7
Facebook Twitter Email Linkedin Digg Delicious
ctxdomain

Show Domain and Username On Citrix Web Interface 5.4

I have a few domains I log in to for Citrix, but the Web Interface only shows you the username that you are logged into, not the domain.  With this hack that I came up with, you will be able to show the domain and username of the logged in user in the “Domain\Username” format with Citrix Web Interface 5.4, it may work on other versions, but I haven’t tested it, so I dont know.

 

  1. Navigate to your Inetpub folder, and under the folder for your web interface search for the file “StandardLayout.java”, for me it was located at “Inetpub\wwwroot\Citrix\XenApp\app_code\PagesJava\com\citrix\wi\pages”
  2. Open the file “StandardLayout.java” and find the line that shows

    Comment out the line, so it looks like
  3. Under our commented line above paste this code
  4. Now find the line that shows

    This is the function above that we just commented out
  5. Right bellow that function, paste this function
  6. That’s all there is to it, now when you log in to your web interface, instead of just showing the user name, it will show the domain as well

 

 

Facebook Twitter Email Linkedin Digg Delicious
ns1

Replace Default NetScaler Certificate for the Management GUI

If you have a Citrix Netscaler and you need to manage it, you have to connect to the NetScaler IP (NIP) with a browser.  But if you try to connect to it via HTTPS either with IE or Firefox you will get an “Invalid Certificate” Error.

 

Trying to follow the instructions in the Citrix Article (CTX122521) “How to Replace the Default Certificate of a NetScaler Appliance with a Trusted CA Certificate that Matches the Hostname of the Appliance” is just too cumbersome, and I knew there had to be an easier way to do it via the GUI, and there is:

Note:
Before we start I am assuming you already have a certificate installed in the NetScaler, either a cert that matches the host name of the NetScaler or a Wild Card cert

If you dont know how to install a certificate on the NetScalers, I suggest you read these article
How to Generate and Install a Public SSL Certificate on a NetScaler Appliance (CTX109260)
– How to Transfer Certificates from IIS to the NetScaler(CTX109031)
 

 

  1.  Log into your NetScaler using an account with “superuser” powers (nsroot, etc)
  2. Expand the “Load Balancing” Tab and click on “Services”
  3. On the right side under services click the “Internal Services” tab
  4. Highlight the “nshttps-127.0.0.1-443” service and click the “Open” button
  5. In the “Configure Service” window, click the “SSL Settings” tab
  6. Under the “Configured” certificates you will see the default “ns-server-certificate”, highlight it and click the “Remove” button
  7. Under the “Available” certificates, highlight the certificate you want to use and click the “Add” button (in my case, the “Pinchii Wildcard SSL Cert” from Godaddy)
  8. Hit “Ok” and close out of that window
  9. Repeat the same procedure for “nsrpcs-127.0.0.1-3008” and “nsrpcs-127.0.0.1-3009” as these are the “services” used when you configure the NetScalers using the “Web Start Client” Java App
  10. Hit “Save” and then “Refresh All” to save your new configuration to the NetScalers

 

Thats it, now next time you try to login to your NetScalers with a HTTPS connection you will have a valid SSL cert and you should have no warnings or problems with IE or Firefox

Facebook Twitter Email Linkedin Digg Delicious

Citrix Web Interface 5.4 Installation ended prematurely

So I was trying to upgrade our Citrix Web Interface. 

I was trying to go from version 4.6 to 5.4 but every time I try to install 5.4 I got an error that said “Installation ended prematurely”.  Looking at the even viewer did not help either, all the event viewer recorded was: 

Um, What?

If you run the loggin option on the web interface installer “webinterface.exe -v “logfile.txt” an interesting error came up in the log, the portion of the log where the installation failed was this:

and you sit there wondering what the heck “CheckOnFat” is, well, that function is part of the a Citrix VB Script that checks the File system of the drive were the Web insterface is being installed.  Its looking to make sure you “DONT” have FAT FS.

And the reason why the check fails?

scrrun.dll

somehow this dll is not registered properly causing the installation of the Web Interface to fail.

in order to fix it

  1. Open up a CMD window
  2. CD to %Windir%\SysWOW64\
  3. run regsvr32 /u scrrun.dll to UNregister (this will probably fail)
  4. run regsvr32 scrrun.dll to register it (this will work)
  5. run the unregister again, just to make sure that the registration worked the last time
  6. re-register agian
  7. Install the Web Interface

And then you can go on with your day!!

Facebook Twitter Email Linkedin Digg Delicious
Go to Top