Channel: netscaler – Marius Sandbu – IT blog

Citrix Netscaler

After attending a Citrix XenApp course the previous week, there was one thing at the course that I had actually never heard of, and that was Citrix Netscaler. What is Citrix Netscaler? After reading a bit about it, I simply can’t describe what it can do (because it’s so much!). Mostly it’s a hardware [...]

Microsoft Private Cloud and Application Delivery Controllers

An important issue to address in a private cloud setup is HA (“high availability”). There are multiple key components that make up a cloud service, and all of the core components need to have HA, because if one of the core components goes down, your cloud goes down. The network must be [...]

Netscaler 101

The last couple of days I’ve seen a lot of traffic on my blog regarding the posts on Netscaler (and I don’t have so many of them!). And with the recent events regarding Cisco ACE and Microsoft Forefront TMG, I’m guessing that a lot of people are looking into the option to switch over [...]

Troubleshooting Netscaler

Netscaler is a complex device, and let’s face it, a lot of things can go wrong, either when setting it up or when someone does something weird with the config and saves it. So I wrote this basic troubleshooting guide; hopefully it will be of some help to some. This guide is primarily written with CLI [...]

Citrix Netscaler and SDN

There is a lot of talk now about SDN, so I would like to clarify what is actually meant by SDN. First off, SDN stands for Software Defined Networking, and the concept is actually pretty simple. It is built on the idea that a network administrator can share traffic from a single console instead of having to configure [...]

Netscaler and DDoS

Part of many network admins’ day-to-day tasks involves mitigating DDoS attacks. They come in many shapes and sizes, but they all share a common goal: disrupting the service for the users. These types of attacks make the service unresponsive, so it cannot serve the regular users who actually need to [...]

Citrix and Microsoft cloud solutions


If people see any wrong facts here, please leave a comment below. I can’t cover everything, and this post is written purely based on my opinions and my own knowledge, so not everything may be correct.
The purpose of this post is to show the capabilities and features that Citrix’s and Microsoft’s cloud solutions possess and how they can benefit each other. Let’s face it, neither Microsoft nor Citrix (which are huge huge huge! in the cloud market) can do everything themselves. They both have a solid cloud solution, but each solution has its strengths and its weaknesses.

Cloud is a term that comes in three shapes: Private, Public or Hybrid.
And there are some common terms that describe a Public cloud solution:
* Self-Service
* Elasticity
* Scalable
* Pooling of resources
(Some Public Cloud solutions: Amazon, Windows Azure)
With Private Cloud you have more control of the resources and it is easier to do customization. More are thinking of going with the Hybrid solution, which gives you the advantages that a private cloud brings and the benefits of the low cost of a public cloud. Both Citrix and Microsoft have the ability to support a Hybrid cloud approach. Then again, there are many ways to offer a cloud solution to a customer, whether it is an application, infrastructure or a platform.

Microsoft’s cloud solution consists of the following core components:

* System Center
* Windows Server
* Windows Azure (Public Cloud)

Now what do you get with System Center? A brief overview:
* App Controller (self-service of services and virtual machines for system owners, with support for on-premise and public cloud)
* Operations Manager (monitoring capabilities and SLA monitoring, with support for on-premise and also Azure monitoring)
* Data Protection Manager (backup solution for Windows and Windows applications, physical and virtual)
* Service Manager (IT service management, helpdesk solution, self-service for the users)
* Virtual Machine Manager (manages your virtual infrastructure, network and storage, with support for Citrix, VMware and Hyper-V, with the most capabilities on Hyper-V of course; allows creation of 1-, 2- and 3-tier templates)
* Configuration Manager (MDM, client/server management, antivirus, patch management; can integrate with Azure as well)
* Orchestrator (automation with runbooks across all kinds of different products)
And of course the cornerstone of this is Windows Server.

A problem with Microsoft’s solution as of now is that System Center 2012 does not support Windows Server 2012 until Service Pack 1 is released. This will most likely be released in Q1 2013, which will close the “gap” that many are waiting for.
Microsoft has acknowledged that not everyone is running just Microsoft, and has added much more support and functionality for Unix/Linux-based servers.

 
And Citrix’s cloud solution consists of the following core components:

Much of Citrix’s cloud strategy is based upon Project Avalon, which has the key components (Any Cloud, Any Hypervisor, Any Device)
Which comes in this nice wrapping.

Citrix is part owner of the OpenStack solution that Apache has, has made some changes to it, and has its own solution called CloudPlatform,
which is very similar to Virtual Machine Manager. It has support for multiple hypervisors such as
* XenServer
* KVM
* VMware
But their solution has more benefits with XenServer.
It also supports storage solutions and networking. So this is the main product for administrating your “cloud”.
Then we have the other products such as
* Cloudbridge (allows you to “bridge” your private and public cloud; this is actually an add-on to Netscaler which uses IPsec)
* Cloudgateway (the gateway in for end users, which again consists of Netscaler and Storefront)
* Netscaler (a network appliance which provides ADC (Application Delivery Controller) features)
* CloudPortal (allows for provisioning of users and services; a control panel solution)

So depending on what kind of cloud and service you wish to offer your users, both companies provide a solid cloud solution, with automation and multiple hypervisor support.
Microsoft has made a solid improvement to Hyper-V in the latest release, so it provides more advanced features than XenServer; it also has support for larger workloads and scalability. So if you choose Hyper-V you need to have VMM; if you choose the latest XenServer you would need CloudStack (VMM has XenServer support, but not for the latest release and not for the more advanced features).
Citrix is building much of its solutions on XenServer (and some VMware); for instance, the AppController that is part of the CloudGateway will not function on Hyper-V.

Microsoft also offers a more complete monitoring solution with System Center (you have the capability to monitor all of Microsoft’s products, network devices, Citrix products including Netscaler (with the ComTrade MP), and Unix/Linux services).
I don’t have enough insight into the automation part of CloudStack to give it a good overview, but Orchestrator also has the ability to run commands against SSH devices, which allows for running commands against network devices; it also has broad support for hardware and storage vendors. You can also use it to run PowerShell commands, which allows for automation of Citrix installation. (And more and more vendors are implementing PowerShell cmdlets with their products; PowerShell 3 also supports CIM, which many vendors support.)

But what Microsoft is missing is the network component that Citrix provides with its Netscaler product:
* Advanced load-balancing features for all applications running on TCP with or without SSL (with hardware acceleration on the hardware appliance)
* Protection against DDoS attacks (SYN floods, ICMP floods); it can also provide defense against application-level attacks (XSS, HTTP DoS)
* URL responders, rewrite, filtering
* Intelligent SQL load balancing
* GSLB
* Caching and compression
You can also integrate it with System Center to provide automation of new solutions that should be load balanced. You can also use Orchestrator to automate other options with the SSH options.

Regarding device access, Citrix provides a better solution with support for all types of mobile devices, which makes full BYOD possible. Microsoft on the other hand also promises that you can bring your own (as long as it is running Windows). This solution requires Citrix on your terminal servers. Citrix also has more MDM capabilities than System Center has (as of today), and with the coming of MDX technology, Citrix is going to gain more ground there.
Microsoft also offers a VPN solution which allows you to connect to your Azure cloud, but this does not provide the same throughput that a dedicated Netscaler with Cloudbridge would provide (Cloudbridge, again, has limited support for Azure).

And I forgot to mention that Citrix also has its own monitoring and helpdesk tools, which are part of the GoTo package (GoToAssist and ). But I am unsure how they compete against Operations Manager, which has been around for a long time, and against Service Manager, which is a core part of the self-service solution in System Center.

System Center with SPF (Service Provider Foundation) provides the capabilities for hosting providers to create their own control panel solution to automate activities against Orchestrator and VMM. This is a feature that is still in the early stages, with an open API. Citrix on the other hand has a more mature product in its CloudPortal solution, which can provision users and set up full services on Lync, Exchange, SharePoint, CRM, XenApp and XenDesktop ++ for customers.
But the weakness is that it does not have any integration with System Center to complete the circle on management and monitoring (and of course backup).
But again, this feature is more suited for hosters; for enterprise businesses, not so much.

So a little conclusion on my part: what do I think makes a good combination of what these two deliver? This solution will consist of a few products that are yet to be released (but are in beta).
1: Hyper-V 2012 as my main hypervisor
2: System Center for infrastructure & cloud management and monitoring (SP1, which provides support for WS2012)
3: Project Excalibur, the next generation XenApp / XenDesktop, which provides the best BYOD support (and provides support for WS2012)
4: XenServer for components that need XenServer
5: Cloudgateway with Netscaler ADC

So it would look something like this
(Just a glimpse)

And I would appreciate some feedback on your thoughts


Monitoring Netscaler with Operations Manager 2012


This guide has been written with Netscaler build 73 and Operations Manager 2012 SP1 (on WS2012) with the management pack from Citrix.

Operations Manager 2012 supports monitoring network devices either through SNMP (v1, 2 and 3) or through just basic ICMP.
Citrix has made a management pack solution, which you can use to enhance the monitoring capabilities in SCOM.
The pack also includes a VMM PRO management pack (which is not covered in this guide, just the basic management pack).

The management pack can be downloaded from mycitrix (Requires login)
https://www.citrix.com/downloads/netscaler-adc/components/netscaler-management-pack-for-operations-manager-2012.html

(Just a side note: Comtrade is a Citrix Partner who is currently making a new management pack for Netscaler so stay tuned for the new release )

So when we have a functional Operations Manager server up and running, we have to install the SNMP service on one of the servers.
This can be done via Server Manager.

After that is installed, go into services.msc and choose “Accept SNMP packets from any host”, or just enter the IP of the Netscaler server. Entering only the Netscaler IP is the tighter setting, since the SNMP service then ignores packets from every other host.
Make sure that the firewall on the OpsMgr server allows SNMP traffic in.

After that is done you can install and open the management pack folder.

You will see that it includes a Guide and MP folder (which contains the Management Packs)
Now open Operations Manager console and go to administration and choose Management Packs, right-click and choose import.

And from there browse to the directory and choose the regular NS MP (Not the PRO)

And choose Install.

After that is installed, go back to monitoring and you will see that a new folder has appeared under Citrix Netscaler

By default most of the performance monitoring rules are disabled, so we have to enable them to actually get some data.
So go into Authoring -> Rules and scope it to Citrix Netscaler

First off we can enable Virtual Servers current up

So we create an override rule for Netscaler Devices

and choose Enabled and save it into a Management Pack where we save our overrides.
After that is done we alter the SNMP settings on the Netscaler devices; I’m doing it in the CLI:

add snmp manager IP
add snmp community enternamehere ALL (the last parameter defines which rights this community string has)

Add the IP of the SCOM MS and add a community string (In my case I used “com”)
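
A check that can be run over a saved Netscaler config to spot weak SNMP settings of the kind configured above, as an added example that is not part of the original post. The sample configs, the 8-character minimum and the finding labels are assumptions made for the illustration; the `add snmp manager` / `add snmp community` syntax and the permission values GET, GET_NEXT, GET_BULK, SET and ALL are the Netscaler CLI's own.

```shell
#!/bin/sh
# Added example: audit the SNMP lines of a saved NetScaler config (ns.conf).
# Reads the config on stdin, prints one finding per line, nothing if clean.
# The 8-character minimum and the finding labels are assumptions for this sketch.
audit_snmp() {
    awk '
    # A manager entry limits which hosts may query the appliance. With none
    # configured, the appliance answers SNMP queries from any address.
    $1 == "add" && $2 == "snmp" && $3 == "manager" { managers++ }

    # add snmp community <name> <GET|GET_NEXT|GET_BULK|SET|ALL>
    $1 == "add" && $2 == "snmp" && $3 == "community" {
        communities++
        name = $4
        gsub(/"/, "", name)
        perm = toupper($5)
        # ALL includes SET, so the string grants more than read-only polling.
        if (perm == "ALL" || perm == "SET")
            printf "WRITE_ACCESS community=%s permission=%s\n", name, perm
        lname = tolower(name)
        if (lname == "public" || lname == "private")
            printf "DEFAULT_NAME community=%s\n", name
        else if (length(name) < 8)
            printf "SHORT_NAME community=%s length=%d\n", name, length(name)
    }

    END {
        if (communities > 0 && managers == 0)
            printf "NO_MANAGER_RESTRICTION communities=%d\n", communities
    }'
}

# Constructed sample: the community name and permission used in the post,
# plus a default-named community, and no manager entry.
weak_conf() {
    cat <<'EOF'
add ns ip 192.0.2.20 255.255.255.0 -type SNIP
add snmp community com ALL
add snmp community public GET
EOF
}

# Constructed sample: one manager (the monitoring server) and a longer,
# read-only community string.
hardened_conf() {
    cat <<'EOF'
add snmp manager 192.0.2.10
add snmp community scom-ro-7Hq2vLx9 GET
EOF
}

echo "weak config findings:"
weak_conf | audit_snmp
echo "hardened config findings:"
hardened_conf | audit_snmp
```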

After that is done we have to add the network device into Operations Manager.
Open Administration -> Network Management, right-click and choose Discovery Wizard; in the wizard choose Network Devices ->

From there specify a name and which MS and resource pool to manage the device

Click next -> choose Explicit

Click Next -> Here we add the community string which we will use to authenticate with the NS
We have to add a new run as account which includes the Community String

Next we add the device IP and choose what type of service it will use to communicate with the device

After the Device Discovery Wizard is done, go into Discovery Rule and choose Run.
After a while the Device will appear under Network Devices pane.

You can check the Application Log on the Operations Manager server for info and you can check the snmp stats option in Netscaler.
So after this is complete we can see the device health properties

We also have some Performance counters for CPU and Memory we can see.

After you have enabled other Performance Monitors they will appear here as well, this allows you to create a baseline for how connections should be on your box.
This also allows for Operations Manager to generate alarms in case of DDoS attacks.



A28 Netscaler 10 exam


I recently took the A28 exam from Citrix and wish to share my tips and my experience with this exam.

Compared with the 9.2 exam, this was A LOT more difficult. I have to say that Citrix has really created a challenging exam, which focused a lot on most of the different functions within Netscaler.

There weren’t so many CLI commands (which I felt the 9.2 exam had) but more about how to think: “when do I use this function over that function”.

For my part, I have worked with the product for some time now and I have taken a training course on the older version. The best part is the study guide that Citrix offers on their web site.

Which can be found here –> training.citrix.com/mod/ctxcatalog/course.php?id=511

The study guide shows which areas you will be tested on, and in which areas you need to know “HOW”, which is the most typical case for CLI commands,
and “WHEN”, which is mostly when to use one function or another.

But you should remember most of the CLI commands associated with each of the focus areas in the study guide.

So my top tips!
* Troubleshooting commands
* SSL (ciphers, converting, importing, binding)
* Load balancing (monitoring, persistency)
* VLANs, IP config and interface configuration
* Link-load balancing
* Use the study guide! and eDocs!

Here are the other points from the study guide; how to configure the different parts can be found on eDocs.

Citrix eDocs:
* Forcing the Primary Node to Stay Primary
* Forcing the Secondary Node to Stay Secondary
* Configuring High Availability Nodes in Different Subnets
* Configuring the Communication Intervals
* Configuring Fail-Safe Mode
* Configuring Users and Groups
* Creating or Modifying a VLAN
* Configuring VLANs on a Single Subnet
* Configuring Multiple Untagged VLANS across Multiple Subnets
* Synchronizing Configuration Files in a High Availability Setup
* Monitoring the Extended ACL
* Renumbering the priority of Extended ACLs
* Choosing and Configuring Persistence Settings
* Viewing Persistence Sessions
* Configuring Persistence Groups
* Configuring Load Balancing in Direct Server Return Mode
* Configuring a Backup Load Balancing Virtual Server
* Redirecting Client Requests to an Alternate URL
* Configuring Access Gateway Settings with the Remote Access Wizard
* Converting the Format of SSL Certificates for Import or Export
* Specifying a TCP Buffer Size
* Configuring TCP Window Scaling
* Configuring TCP Profiles
* How the Integrated Cache Works
* Improving Cache Performance
* Monitoring TCP-based Applications
* Configuring Call Home
* Generating the Tar Archive of Configuration Data of NetScaler Devices


Load balancing Application Catalog for Configuration Manager


A customer recently asked me: can I configure load balancing for my Application Catalog service on Configuration Manager? Since it runs on Silverlight, I’m unsure how it will work…

Sure you can!
The Application Catalog in Configuration Manager consists of two components, the Application Catalog Web Service Point and the website point.

Now when you install these you have the option to configure what ports they should run on. In my case I chose port 80 (since I want my load balancer to handle the SSL traffic).

First I make sure that the catalog is working.
Open a web browser to http://applicationcatalogserver/CMApplicationCatalog
From here I have to enter my username and password (since I’m using Chrome).

The Application Catalog server is the one that has the Silverlight XAP module that runs on the web server; the Silverlight module in turn contacts the Web Service Point in order to generate the software that the user has access to.

The Silverlight module is located in “ClientBin”.
The Content folder contains images, CSS files and JS, and can be targeted for caching (if you have that option on your load balancer).

Now in my case I have a Netscaler VPX that I’m going to use.
So a quick run-through there.

1: Add Servers (which have the Application Catalog role installed)
2: Add the service you want to set up (and add a monitor, HTTP in this case)
3: Create a Virtual Server, choose SSL and add a certificate (note: if you choose SSL and don’t add a certificate, the service will go down)
4: Add persistency (in my case I chose client-ip) and choose the LB method

After this is done, check the virtual server and open the same URL with https:

And it worked.
One last thing is to change the default URL in the Client Agent settings.
Here you have to specify a URL and enter the whole path for the Application Catalog.

After that is done you have to update the policy on a client and check for yourself.
You can open Software Center to see that the policy is active.
NOTE: It is important that the Value for the HTTP is
https://servername:port/CMApplicationCatalog/ or else the URL won’t redirect.

Or you can do a redirect at the load balancer.


Setup Netscaler for XenDesktop 7 and AppController 2.8


This is going to be a long one.
Always wanted to document this myself but never had the time, so I figured why not knock two birds with one stone and blog it as well, since many are probably wondering about the same thing.

This is a typical deployment for many, right? You have your internal XA/XD, which are tied to a StoreFront web server, and for remote access you have Netscaler Gateway/AG.

And depending on the setup you might have a Netscaler in a DMZ behind a NAT firewall, or directly connected to the internet from the DMZ, or you might have a double-hop network where you have multiple DMZ zones and firewalls.

So how to tie them together?
First I suggest you read my previous post regarding XenDesktop 7 with StoreFront and AppController deployment.
https://msandbu.wordpress.com/2013/06/26/xendesktop-7-setup-and-appcontroller-setup/

Let’s head over to our Netscaler deployment. We can start by checking our network connection.

We have different types of IP addresses within the NS: the VIP (Virtual IP), which is typically tied to a load-balanced service; the SNIP (Subnet IP), which is used to initiate connections to the back-end servers (XenDesktop servers, Storefront etc.); and the NSIP (Netscaler IP), which is used for management.

So for a user the connection will look like this.

User –> VIP –> SNIP –> XenDesktop (Servers)

A typical deployment is a Netscaler with two interfaces, one into the DMZ and one into the back-end servers. (In my case I have all interfaces connected to the same subnet.)

Next we can add authentication.
Go into Netscaler Gateway –> Policies –> Authentication –> LDAP –> Add

For named expression I choose General and True and choose Add.
(What does this do? It specifies that IF the traffic is going through the NS appliance, then this policy should be applied.)

Then give it a name, choose new server and enter the information for the AD server. After you have entered the info, press “Retrieve Attributes”.
Remember that this command uses the IP address of the machine you are running the browser on.

If you are having trouble with authentication, open a console on the Netscaler appliance, type shell, then cd /tmp, and then run the command cat aaad.debug
This will display information about the authentication attempts in real time.

After that is done, add a DNS server.

Now let’s add a certificate. For this purpose I have an Enterprise Root CA on Windows Server 2012, which I used to create a web server certificate containing the host name of the access gateway (nsgw.msandbu.local in my case), and I chose to export it as a PFX file including the private key (you will need the private key!!). In production you should use a third-party CA to issue a certificate to you.

You can upload the PFX file under Traffic Management –> SSL –> Manage Certificates.

After this is done, open the Netscaler console and extract the certificate and the key from the PFX.
This can be done by running openssl from the Netscaler console:

openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem (extracts the private key)
openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem (extracts the certificate)
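
The extraction described above, made non-interactive and followed by a check that the extracted key belongs to the extracted certificate before it is installed; this is an added example, not part of the original post. It assumes an `openssl` command-line tool on the machine where it runs and builds a throwaway self-signed PFX so it works offline; the pass phrases, the host name nsgw.example.test and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# the pass phrases and host name below are constructed sample values.
export PFX_PASS='constructed-pfx-pass'   # protects the PFX export
export KEY_PASS='constructed-key-pass'   # protects the extracted PEM key

# Build a throwaway self-signed certificate and PFX so the example runs offline.
make_sample_pfx() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=nsgw.example.test' \
        -keyout "$1/src-key.pem" -out "$1/src-cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src-key.pem" -in "$1/src-cert.pem" \
        -out "$1/publicAndprivate.pfx" -passout env:PFX_PASS
}

# The two extraction commands from the post, without prompts.
# env: keeps the pass phrases off the command line, umask 077 makes the key
# file readable by its owner only, and the key stays encrypted on disk.
extract_pfx() {  # $1 = working directory
    (
        umask 077
        openssl pkcs12 -in "$1/publicAndprivate.pfx" -nocerts \
            -passin env:PFX_PASS -passout env:KEY_PASS \
            -out "$1/privateKey.pem" 2>/dev/null
    ) &&
    openssl pkcs12 -in "$1/publicAndprivate.pfx" -clcerts -nokeys \
        -passin env:PFX_PASS -out "$1/publicCert.pem" 2>/dev/null
}

# Succeeds only if the private key ($1) belongs to the certificate ($2):
# both must yield the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Prints the permission string of a file, e.g. -rw-------
file_mode() { ls -l "$1" | cut -c1-10; }

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pfx "$dir" && extract_pfx "$dir" &&
        key_matches_cert "$dir/privateKey.pem" "$dir/publicCert.pem" &&
        echo "key matches certificate; key file mode: $(file_mode "$dir/privateKey.pem")"
    status=$?
    rm -rf "$dir"
    return $status
}
demo
```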

After that is done you can install the certificate.

Next we create a virtual server under Netscaler Gateway and associate it with an IP address.
Since we just want ICA proxy and no VPN (Smart Access solution) we can choose Basic Mode.
Under Protocol choose SSL (after this is done the service will go down unless you have a valid certificate installed).

Go into the Authentication tab and tick Enable Authentication,
and under Primary Authentication Policies choose Insert Policy. (By default the one we created earlier will appear.)

Now if you wish to have two-factor authentication you can add another Primary authentication policy.

After this is done head over to policies. We need to add a Session Policy; here as well we use ns_true as the expression. Give it a name and press create New Request Profile.

Here we enter the information about the backend Storefront servers. (NOTE: I already have one stored there; this is because I created it earlier.)

Now there are a couple of options here we need to define.
First, under Published Applications:
1: We have to define ICA proxy; this will tunnel ICA traffic via port 443 back to the user.
2: Web Interface address: this has to be the Storefront web address.
3: Single sign-on domain should be your local AD domain. (Don’t enter anything here in case you have multiple domains.)

Next, under Client Experience –>
Define Single Sign-On to web applications using Primary Credentials; this allows the Netscaler Gateway to authenticate to the Storefront site.

We have to define that the NS should use SSO to the Storefront web address using the primary authentication mechanism, which is AD in my case.

Last but not least, Security, so we can allow users to actually enter.

You should also enable a TCP profile for this virtual server, set to nstcp_default_xa_xd_profile. (This profile works best for internal usage and high-bandwidth networks.)

Then we also have to add the STA (of the XD controllers in my case). Go back to Published Applications.

Click Add and enter the URL of the XD controller. After you save and refresh the page it will show up like mine did.

Remember to save the config!
After that is done we head over to Storefront.

Now there are a couple of things we need to fix there. First we need to add an authentication option from Netscaler.

This will allow Storefront to authenticate users coming from Netscaler (to pass the credentials forward).

Next we have to go to Stores –> Enable Remote Access –> choose Add Netscaler appliance –>

Here enter the info regarding your Netscaler.
The SNIP here is the one that you entered earlier on the Netscaler; StoreFront uses this to validate that any incoming connections come from a trusted host.
The Callback URL is the internal IP address of the Netscaler.

Then you set it up as a NO VPN Tunnel and choose the Gateway appliance to use.
You also have to add the STAs here as well.

And last but not least, Beacons.
Beacons are used to identify whether the end user comes from an internal or external connection.
For instance, you can put an external beacon on a publicly accessible website and an internal one on a website that is ONLY available to internal users.

This is what decides whether the ICA file the end user receives is going to be used via ICA proxy or a plain ICA connection straight to the server.

In this case, since it’s a demo environment, all are on the same network. But I could remove the nsgw as an external beacon and just have www.citrix.com and another external site.

Now since the AppController is connected to the Storefront service, we don’t need to do anything else in order to view apps deployed from AppController.

NOTE: There are a couple of things to do if you are going to deploy, for instance, WorX apps from AppController and use the mVPN solution for iOS and Android.

You will need to enable a couple of things here.
* Split-tunneling
* Clientless Access URL Encoding = Clear


You also need to enable Secure Browsing

After this is done, we can open up our virtual IP URL.
In my case it is https://nsgw.msandbu.local

Log in with my username and password and start a desktop connection. (For the purpose of this demonstration I have also added a web link from AppController that points to yammer.com.)

If you open Resource Monitor you can see that traffic is tunneled over port 443.

And if we open Resource Monitor on the desktop I just launched, I can see that the server speaks via the session reliability port to the SNIP IP (which is 60.114).


Citrix licensing for Access Gateway and Netscaler


Wopptidoh!
This is something I’ve been wanting to write for a long time. Since I always get questions regarding licensing on either Access Gateway / Netscaler Gateway or Netscaler, I thought I would write a post so others stumbling in the dark might benefit from it as well.

Now, Netscaler Platform licenses: depending on which Netscaler you have, this gives you features inside the Netscaler appliance (for instance Standard, Enterprise or Platinum).

The physical appliances (MPX or SDX) and the VPX (virtual) Netscaler are licensed per MAC address; this can be obtained from the CLI by running the command lmutil lmhostid -ether

(For the sake of it: when you buy a Netscaler platform license which is Standard or higher, you will get a Netscaler Gateway Platform license as well.)

Example:

root@ns1# lmutil lmhostid -ether
lmutil - Copyright (c) 1989-2006 Macrovision Europe Ltd. and/or Macrovision
Corporation. All Rights Reserved.
The FLEXlm host ID of this machine is "00d068107316"

This info has to be entered in the mycitrix.com license site and allocated to.

If you get any error messages, these can be viewed in the /var/log/license.log file.

Access Gateway Platform licenses, on the other hand, are licensed on the hostname of the appliance. You must upload this license to increase the Independent Computing Architecture (ICA) connections up to 10000.
root@ns# grep hostname /nsconfig/rc.conf

Netscaler Gateway platform license also uses the hostname to generate a license file.
The same goes for Universal licenses for both Netscaler and Access Gateway editions.

Important note though: Citrix Receiver DOES NOT USE a Universal license (it only needs a platform license). A Universal license is only needed for Smart Access, endpoint scan etc.

Another important note is that with version 10.1 it will say 0 ICA users; this is because with version 10.1 ICA connections are unlimited http://support.citrix.com/article/CTX138561
You can view this by using show license

Now for older solutions like CAG 5.0, you can either use a license server or a license on the same host (http://support.citrix.com/article/CTX128869 for Standard edition).
If you wish to install the license on a CAG 5.0 appliance you need the MAC address of the appliance; if you wish to install it on a license server you need to specify the host name of the licensing server.

Access Gateway VPX Express gives you rights for 5 concurrent users on a 12-month plan.


Netscaler releases!


So a lot is happening on the Netscaler front from Citrix this day!
Citrix just released a new build version for all of their platforms.

The latest build is 120.13
Which can be downloaded from here –> http://bit.ly/1eMoKFP (Requires mycitrix)
This includes some new features in the wizard for XenDesktop and the setup wizard, and a lot of bug fixes.

https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_10_1_120_13.html

Citrix also released a new version of Insight Center (still not for Hyper-V), and this comes in version 120.13 as well (so it looks like Citrix is releasing Insight at the same time a new build for Netscaler is released).

But Citrix hasn’t released the release notes for 120.13 yet, so it’s hard to know what is new.
Some of the new features are listed on the download page:

With this release we extend the Insight visibility offering from Web traffic (Web Insight) to HDX traffic (HDX Insight) analytics.

It will now collect ICA AppFlow records generated by NetScaler ADC appliances and populate analytical graphs over Layer 3 to Layer 7 statistics. The HDX Insight will provide in-depth analysis over real time and historical data across last 5min (real time) and last one hour, one day, one week, one month as historic data.

You can download it here –> http://bit.ly/1aIumfa

Citrix also released a new management pack for Netscaler 10.1, which also supports 2012 SP1. They haven’t released new documentation for it, but it still offers a lot of new options. You can download it here –>
http://bit.ly/1a1m9Sq

Anyway, interesting times ahead! Still waiting for Insight Center to be released for Hyper-V!


Trouble with Netscaler Java GUI with the latest update


So something happened with the Netscaler GUI after the latest Java updates. When we tried to open any config changes in the GUI, the Java applet just wouldn’t load.

Then I discovered that something has changed in the Java version, since it contains new parameters. In order to allow the Netscaler to load the applet from the browser, we have to make some changes in the Java applet in the Control Panel.

So we have to untick “Keep temporary files on my computer”, then restart the browser, and voilà!


Netscaler tips and tricks


The purpose of this post is to share different tips and tricks for Netscaler, and it is going to be updated from time to time. So it's what I call a dynamic post.
There are tons of different areas to explore here, but I'm going to start easy.

1: Password reset Netscaler MPX / VPX
From time to time you might come across this: a customer has a Netscaler setup and they have forgotten the password for the device. What do you do?

If you have an MPX you need to connect to the device using a serial cable and use for instance PuTTY to connect to the serial port. If you have a VPX you just need to open the console. When the device boots you need to press CTRL + C. On the VPX it is simple: the boot menu appears.

Then you just press 4 and go into single user mode. On the MPX we have to press CTRL + C as well, when the following appears in the console:

Press [Ctrl-C] for command prompt, or any other key to boot immediately.
Booting [kernel] in 2 seconds…

To start the MPX in single-user mode you have to type either boot -s or reboot -- -s to restart in single user mode.

Next we have to mount the flash device, since this is where the config file resides. The flash device has different names on different devices; see http://support.citrix.com/article/CTX121853

For VPX this device is called /dev/ad0s1a
We have to check disk consistency before we can mount the device.

fsck /dev/ad0s1a (This checks disk consistency)

mount /dev/ad0s1a /flash (This mounts the drive under the folder /flash)

df -l (Lists the devices and where they are mounted)

Next we need to change directory to the flash drive where the config file is located:
cd /flash/nsconfig

Next we use a grep command to create a new config file without the line which contains the password string.
grep -v "set system user nsroot" ns.conf > new.conf

Next we need to rename the current config to another name and put the new file in its place
mv ns.conf old.ns.conf
mv new.conf ns.conf

After this is done we have a new config file without the password for nsroot and we can reboot.
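
The config edit from the steps above as a small shell function with safety checks, added here as an example (it is not from the original post or from Citrix). It refuses to touch ns.conf unless exactly one line matches and verifies the result before swapping the files; the function names and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: guarded version of the grep/mv steps from the password reset.
# Function names and sample config content are constructed, not from a real appliance.

PATTERN='set system user nsroot'

# strip_nsroot_line DIR
# Rebuild DIR/ns.conf without the nsroot password line and keep the original
# as DIR/old.ns.conf. Does nothing unless exactly one line matches.
strip_nsroot_line() {
    dir=$1
    conf="$dir/ns.conf"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # grep -c exits non-zero on zero matches, so keep only its output.
    matches=$(grep -c "$PATTERN" "$conf" || true)
    if [ "$matches" -ne 1 ]; then
        echo "expected 1 matching line, found $matches; leaving $conf alone" >&2
        return 1
    fi

    grep -v "$PATTERN" "$conf" > "$dir/new.conf" || return 3

    # The new file must be exactly one line shorter than the original.
    before=$(wc -l < "$conf")
    after=$(wc -l < "$dir/new.conf")
    if [ $((before - after)) -ne 1 ]; then
        rm -f "$dir/new.conf"
        return 3
    fi

    mv "$conf" "$dir/old.ns.conf" && mv "$dir/new.conf" "$conf"
}

# make_sample_conf DIR
# Write a constructed ns.conf so the function can be tried off the appliance.
make_sample_conf() {
    cat > "$1/ns.conf" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set system user nsroot CONSTRUCTED_HASH_PLACEHOLDER -encrypted
add system user helpdesk CONSTRUCTED_HASH_PLACEHOLDER -encrypted
add ns ip 192.0.2.11 255.255.255.0 -type SNIP
EOF
}
```

With the nsroot line gone the account comes back with the default password after the reboot, so log in and set a new one straight away (set system user nsroot <new password>, then save ns config).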

2: Use of profiles
A feature that I don't see used very often, and I think that is because it is not an obviously known feature, so let's change that. When setting up virtual services you have the option to define a network profile attached to the service.

For instance the Netscaler has many built-in TCP profiles which can help improve the performance of a service over either LAN or WAN. These profiles tune different settings on the TCP stack, and a description of each TCP profile can be found here –> http://support.citrix.com/proddocs/topic/ns-system-10-map/ns-ac-confg-tcp-profl-tsk.html

For instance on virtual services you have a profile pane where we can define which profile to use.

If for instance you are using this only in a LAN you should use the nstcp_lan_profile. By changing this you will notice the performance increase it has.

3: Change GUI on Gateway portal

In many cases you want to customize the GUI of the default Netscaler Gateway vServer.

This is possible, but not as easy as with Storefront…
First off we need to make some changes within the Netscaler Gateway GUI.

Change the setting to Green Bubble under global settings on an Access Gateway vServer (if you want to use it as a template).

Then we can make customizations. We can do this by opening for instance an FTP connection to the Netscaler (with for instance WinSCP). The GUI is located under /netscaler/ns_gui
Changes which are done here can be viewed in real time.

For instance, if we wish to change the background image, we can add a new image by the name bg_bubbles.jpg to the folder /var/netscaler/gui/vpn/media to replace the old background. (I've changed it to a picture from the family album.)

If we wish to change the text that appears in the portal we can change this under /vpn/resources/en.xml (this file contains most of the text that appears in the portal).

Now if we want to save this custom theme, we first need to create a folder called ns_gui_custom under the /var/ folder.

This can be done in the shell by typing: mkdir /var/ns_gui_custom

Next change directory to /netscaler by typing: cd /netscaler

Now we need to archive the ns_gui folder: tar -cvzf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*
This is because when the Netscaler boots it extracts the tar file to the ns_gui folder.
After this is done we need to change the vServer global settings to custom theme and reboot to make sure it applies properly.

4: Trouble with VIP in a DMZ site

So you have a two-armed Netscaler solution where you have a SNIP and NSIP in the LAN network, which talk to your backend servers and AD and DNS and such, and then you set up a VIP in the DMZ zone where you host your Access Gateway vServer. You reckon it should work.
But you are unable to ping the VIP address and you are unable to open the vServer over HTTPS.

You can see that the default gateway is going through the LAN interface, and when you want to change the gateway you get an error.

The solution: you need to have a SNIP address in the DMZ zone with the VIP address. This is because a VIP address is not a “fully” featured network IP unless it has a SNIP on the same network.



XenDesktop 7.1 TechPreview Service Template


Yesterday Citrix released a tech preview of their Service Template for XenDesktop 7.1 for System Center Virtual Machine Manager.
This template allows for rapid and easy deployment of an entire XenDesktop 7 infrastructure, including setup of Director, License Server, Desktop Delivery Controller and Storefront.

It does not by default include Netscaler as part of the template, but that is something we can add to the “mix” later.
The tech preview of the template can be downloaded from mycitrix here –> https://www.citrix.com/downloads/xendesktop/betas-and-tech-previews/system-center-service-template-tech-preview.html (this requires a valid mycitrix account). It has a template for XenDesktop and one for PVS.

I'll continue with the XenDesktop template and show how it is deployed.
The template contains a bunch of PowerShell scripts, the XenDesktop 7.1 ISO file and the template file itself. In order to fully set up the template it needs the VMM ISO file and a generalized 2012 VHD file.

After we have downloaded the template file, open VMM –>
Then go into Library and Import Template –>

Then point to the extracted XenDesktop folder.
Then choose next. Now we need to point the template to the different ISO files and the generalized 2012 template.

After that is done and the mappings are correct we can continue with the import.

This will take some time since it needs to import XenDesktop to the library. When we now go into Service Templates we can see XenDesktop listed as an option there. If we right click and choose “Open Designer” we can see what the layout will look like.

Now if we wanted to, we could use the Netscaler integration as well to deploy multiple DCCs and Storefronts and automatically set up load balancing of these services as part of the deployment. Let's see how that can be done using the Service Template. (Note that this integration is still not supported in 2012 R2) (UPDATED: IT WORKS) but for the purpose of demonstrating how it CAN be done I'll show it anyway. So after we have installed the addon and created a VIP template for DCC and one for Storefront we can open the designer again.

Next we can connect the VIP profiles to the different components, one DCC VIP template for DCC and one for Storefront, which have different load balancing mechanisms set up.

Now if I were to configure a deployment of this, I can configure the number of each server I want in order to ensure scalability and redundancy.
When I start the deploy wizard I get a question to define what my management network is.

Here I can define what the backend of the Netscaler is and what the VIP address of the load balancing solution is going to be.

But since the integration between Netscaler and VMM is not functioning in R2 I'll need to get back to that in a later post (UPDATE IT WORKS). But if I go into one of the servers I can see the application scripts that are run in order to set up a functional site.

If I for instance have ComTrade installed on Operations Manager in order to monitor my Citrix environment, I can add this as an Application Configuration in the last step to have a complete XenDesktop 7 setup with a load balanced Netscaler solution and complete monitoring using Operations Manager.

This is the power of Citrix and Microsoft!


Netscaler Insight and Integration with XenDesktop Director


This is another one of Citrix's hidden gems, Netscaler Insight. This product has been available from Citrix for some time now, but with the latest update it became a lot more useful. Insight is a virtual appliance from Citrix which gathers AppFlow data and statistics from Netscaler to show performance data, kind of like the old Edgesight. (NOTE: In order to use this functionality against Netscaler it requires at least Netscaler Enterprise or Platinum)

Insight has two specific functions, called Web Insight and HDX Insight.
Web Insight shows data related to web traffic, for instance how many users, what IP addresses, what kind of content etc.
HDX Insight is related to the Access Gateway functionality of Citrix and shows for instance how many users have accessed the solution, what kind of applications they have used, what kind of latency the clients had to the Netscaler etc.

You can download this VPX from mycitrix under Netscaler downloads. It is important to note that as of now it is only supported on VMware and XenServer (they haven't mentioned any support coming for Hyper-V but I'm guessing it's coming).

The setup is pretty simple. Like on a regular Netscaler we need to define an IP address and subnet mask. (Note that the VPX does not require a license since it will only gather data from Netscaler appliances that have a platform license, and it does not work on regular Netscaler gateways.)

After we have set up the Insight VPX we can access it via the web GUI. The username and password here are the same as on Netscaler: nsroot & nsroot

After this is set up we need to enable the Insight features. We can start by setting up HDX Insight; here we need to define an expression that allows all Gateway traffic to be gathered.
Here we just need to enable VPN equals true. We can also add multiple Netscalers here; if you have a cluster or HA setup we need to add both nodes.

After we have added the node, just choose configure on the node and choose VPN from the list and choose expression true.

Now for Web Insight we need to define an expression. For instance I can use a hostname expression and define a website that I have using DNS. This will start gathering AppFlow data when clients are accessing websites having the hostname web in it.

After a while we can see that info is starting to appear in Insight, and we can “drill” down in the data to show different metrics.

I can go into a user and show his sessions.

And I can show what kind of applications the user has been running.

For Web Insight we can see what kind of URLs are accessed.

And I can see what clients have accessed the URL.

Now that is the first part; Insight will not just sit there and gather data. The next part is to integrate this with Director to allow helpdesk users to use this data together with the Edgesight feature which is now a part of XenDesktop 7.

To integrate this we need to install Director on a server. Next we need to run the command C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /confignetscaler

After this is done do an IIS reset and log into Director again.
We can now go into the Network pane and see the data that is collected.

Note: There are some requirements that need to be in place in order for it to function properly.

  • NetScaler HDX Insight must be v10.1 or above.
  • XenDesktop VDA version 7.0 and above are supported by HDX Insight and NetScaler.
  • Storefront from the XenDesktop 7.0 installer or above versions can be used to launch the user sessions.
  • Receiver for Mac v11.8 and Windows Receiver 14.0 (4.0) and above are required for accurate ICA RTT metrics.

Allow users to choose between Access Gateway and XenApp connection


In some cases you want users to have the option to choose between a regular VPN connection when connecting to your solution, or just accessing their applications and desktops using Receiver. Of course you can create multiple session policies for users or based on something else, but there is also another option which displays the different options in the web GUI.

If you have a Netscaler Gateway vServer set up with a session policy we can make a change here: open the session policy and go into “request policy” and choose modify –>

NOTE: This requires Smart Access Mode and Smart Access requires the use of Universal licenses

Under Client Experience choose Advanced –>

Here you have a setting called “Client Choices”

When users now log in they will be presented with a screen which allows them to choose between Network Access, XenApp or Clientless Access.
If I disallowed Clientless Access here it would not appear on the menu.

I'll come back in detail later on how to set up Access Gateway for users with the plugin or Java client.

NOTE: If Netscaler is unable to communicate with the Storefront or WebInterface the XenApp choice will not appear.

And there are three options regarding clientless access.

  • On. Enables clientless access. If client choices are disabled and the Web Interface is not configured or disabled, users log on using clientless access.
  • Allow. Clientless access is not enabled by default. If client choices are disabled, and the Web Interface is not configured or disabled, users log on using the Access Gateway Plug-in. If endpoint analysis fails when users log on, users receive the choices page with clientless access available.
  • Off. Clientless access is turned off. When this setting is selected, users cannot log on using clientless access and the icon for clientless access does not appear on the choices page.

Status update: Book and NIC2014


So it's been a few hectic weeks! (Or should I say months)

My book has been released to most of the major online book resellers. It's called

Microsoft System Center Configuration Manager High-Availability and Performance tuning

You can see it on Amazon here –> http://amzn.to/19Uid4q

I am also in the process of writing another book regarding Citrix Netscaler, which will most likely be finished in Q2 2014. I'm really excited about that, since I see few Netscaler books out there, and hopefully with the latest changes in Netscaler my book has a place in that major gap.

Also I'm speaking in January at NIC (Nordic Infrastructure Conference), which is one of the largest IT conferences in the Nordics. It mostly focuses on Microsoft technology (System Center, Hyper-V, Collaboration etc.)

I have a session on Thursday regarding cross-platform monitoring using System Center, which will mostly focus on how to monitor different platforms such as Citrix, VMware, Azure and Amazon, and what other possibilities we have with Operations Manager. So for those that are attending NIC, please drop by!


Netscaler, new java and new problems


So the latest Java update, Version 7 Update 51, again contains new updates and again more security fixes. Alas, it also stops Netscaler from working. Even though Citrix released a new build today, 123.81, it does not work with the latest version.

In order to fix the issue we need to add the Netscaler URL as a Java exception. Open the control panel applet.

And choose Edit Site List and add an exception.

After that, restart the browser and start again.

