Sep 05

PowerShell – Part 2: Check ICA response, check for existence of file and uptime of multiple remote servers

As always, over time scripts get updated and evolve – being a bit of a PowerShell novice, my scripts could probably do with a great deal of evolution, but here’s version 2 of the script I posted previously.

I imagine this will only really be interesting to me but I thought I’d post it anyway – no one’s forcing you to read! (If someone is forcing you to read, leave a comment and I’ll contact the authorities – I’m sure it counts as some form of torture.)


Aug 31

PowerShell – Check ICA response, check for existence of file and uptime of multiple remote servers

Following on from my previous post, I spent some time today refining our ability to check the ICA listener across the farm and created a little PowerShell script that I thought I’d share.

It probably won’t be much use to anyone else as it only does a few fairly specific checks but here it is. It’s by no means perfect but does what I need it to.

Script will:
1. output servers that do not respond to a port query on 1494 – this is the test used to check if the ICA listener is responding
2. check if the following file exists: ‘c:\Program’ and rename it to Temp.$date if found ($date i.e. 31082011). This check was created as one of the customer’s troublesome applications had a habit of occasionally writing a log file to the C: called Program.
3. display servers that have an uptime less than 3 hours. This test is just useful for the particular customer : )

An input file will be requested; this can be created by running a qfarm /online and taking the server NetBIOS names from there. Ideally I would have liked to use the XenApp Cmdlets to obtain the information from the server but this wasn’t an option in this environment.

The script has now been amended to return the list of online XenApp servers from the farm rather than using a file input.

test-port function was borrowed from to provide the port scanning functionality
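
The three checks described above, as an added example that is not the author's script. It assumes Windows PowerShell (for Get-WmiObject), admin-share access to \\server\c$ and a server list passed as a parameter; the XA01/XA02 names and the Test-TcpPort helper are hypothetical.

```powershell
# Added example, not the author's script. Server names are constructed placeholders.
param(
    [string[]]$Servers = @('XA01', 'XA02'),
    [int]$IcaPort = 1494,
    [int]$TimeoutMs = 2000,
    [int]$MinUptimeHours = 3
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a dead host costs $TimeoutMs, not the OS default.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$stamp = Get-Date -Format 'ddMMyyyy'   # same shape as the post's 31082011

foreach ($server in $Servers) {
    # Check 1: report servers whose ICA listener does not accept a TCP connection.
    if (-not (Test-TcpPort -ComputerName $server -Port $IcaPort -TimeoutMs $TimeoutMs)) {
        Write-Output "$server : no response on TCP $IcaPort (ICA listener)"
    }
    # Check 2: rename a stray file called C:\Program, reached over the admin share.
    $stray = "\\$server\c`$\Program"
    if (Test-Path -LiteralPath $stray -PathType Leaf) {
        Rename-Item -LiteralPath $stray -NewName "Temp.$stamp"
        Write-Output "$server : renamed C:\Program to Temp.$stamp"
    }
    # Check 3: report servers that booted less than $MinUptimeHours ago.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $uptime = (Get-Date) - $os.ConvertToDateTime($os.LastBootUpTime)
        if ($uptime.TotalHours -lt $MinUptimeHours) {
            Write-Output ("{0} : up for only {1:N1} hours" -f $server, $uptime.TotalHours)
        }
    } catch {
        Write-Output "$server : uptime query failed ($($_.Exception.Message))"
    }
}
```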


Aug 30

The importance of encryption – Web Interface

The following is an extract from a document I wrote a while ago which was written to try and highlight the importance of encryption:
I’ve played with this type of thing before but I believe Firesheep, although it may be used with questionable motives, has highlighted to the world quite well the importance of securing your web traffic by creating an exploit packaged so that it can be used by absolutely anyone.

On this train of thought I decided to assert this point a little closer to home and show how easy it is to produce the same kind of attack on products I work with all the time.

Citrix Web Interface was my first victim as it’s a product I use a lot and is all too rarely deployed via HTTPS leaving cookies available for the stealing.

Warning: The point of this article is to stress the importance of encrypting your Web Interface site. Encrypt your Web Interface site. This will prevent attackers from being able to see inside your packets when communicating with the Web Interface site.


Aug 30

Issue: XenApp 5 on Windows 2003 – ICA listener ‘down’

An issue I encountered when working with one of our customers today. The customer reported that users intermittently received a ‘Protocol Driver Error’ when launching applications from their XenApp 5 (Windows 2003) farm.

As you know, Protocol Driver Error is one of those brilliant errors of a million causes, but essentially it’s the client telling you “I couldn’t contact the server using the address provided”. Taken literally, it means the server address in the ICA file could not be contacted via ICA or CGP, but over the years it can be caused by anything from licensing to network connectivity.

Anyway, in this particular instance the servers were provisioned (Provisioning Server 5.6 SP1) XenApp 5 (R06) servers hosted on vSphere 4.0. As all the hosts were provisioned from the same vDisk it was odd that the issue was ‘random’.

The customer had done some investigation and had managed to identify that the issue occurred on servers that would not respond to ICA (telnet to port 1494). With this information, a server that was affected was found by scanning the farm servers with a port scanner to check if the ICA listener responded. In this instance the customer had written their own, but NMAP would do fine.
Example NMAP command:

nmap -p 1494 -v <target>

From the system eventlogs I could see at start up the main offender looked to be the following error:

Event Type: Error
Event Source: TermService
Event Category: None
Event ID: 1014
Date: 5/16/2007
Time: 2:15:35 AM
User: N/A
Computer: YourServerName
Description: Cannot load illegal module: C:\WINDOWS\system32\VDTW20.DLL.

Checking TSADM, the listener status was indeed down, making it entirely reasonable for the server to have problems taking ICA connections. Thankfully a quick Google produced the following Article:

I don’t want to duplicate the efforts of the article but it turns out Cause 2, the presence of Microsoft hotfix 938759, was the issue on these servers. This has now been removed and we’re yet to see an instance of the ICA listener being in a down state so until proven otherwise I consider this case closed.



Aug 25

Ardbp32.bin Load Balancing – HTTP

Thought it was time for an update – this is something I’d previously written when implementing Provisioning Services 5.6 SP1 and XenServer 5.6 FP1 into a reasonably sized Presentation Server 4.5 farm that wanted to move away from their current physical servers to embrace the wonders of virtualization.

It’s been said before but load balancing TFTP is difficult, and as Provisioning Server by default will use TFTP to deliver the ardbp32.bin file to target devices this presents a challenge. This challenge has been well documented already in the following document from the Citrix Blogs

• TFTP is difficult to load balance. The following article describes the difficulties of bootstrap resilience:

What we did was slightly different. I wanted to use the Netscaler to load balance this, as Netscaler VPX has been deployed to make other areas of the infrastructure highly available, so we set about looking for a way and came up with the following.

Instead of using TFTP to deploy the ardbp32.bin file we would use HTTP.


Sep 26

XenClient & HP Connection Manager

Just an update: with the help of the guys on the XenClient forum, the HP Connection Manager issue is resolved.

The reason this would not install is because during the install the package would run a number of checks to ensure that it was installing to HP kit. While this is an HP laptop the OS was a virtual guest within XenClient so returned fields such as manufacturer as Xen.

There is however a feature to accommodate this. This can be enabled by selecting the virtual guest within the XenClient console and from within the Advanced tab enable:

Allow OEM Windows installs
Expose Physical Hardware Information

Since enabling these, the correct values are passed to the installer and HP Connection Manager installs correctly. I am however still having issues with loading the Vodafone UK firmware to the UN2400 3g card.

Sep 08

XenClient RC2

As expected I’ve ignored this blog for a substantial amount of time – so much time in fact that my last post was awaiting a public beta of XenClient and since then two release candidates have been released.

I have finally managed to obtain a copy of XenClient and eventually a laptop that it will run on. I was quite disappointed after discovering my HP 6930p had an ATI graphics card in so was not compatible with XenClient.

Since then I have obtained from eBay another HP 6930p with the Intel G45 graphics chipset so I can at last play with XenClient!

Due to a lack of time I’ve not been able to have a full play but it looks impressive so far.

I have an Ubuntu 10.04 Virtual Machine which works fine despite the lack of XenClient tools (as Linux is not a supported guest OS at the moment). As a result I cannot assign the ‘HDX’ or direct graphics card access to this VM and it looks like I’ve only got basic USB support (3g modem isn’t being detected but mouse and mass storage devices are fine).

The Windows 7 x86 and x64 guests seem to be fine. The only issues I have are an inconsistent issue with using wireless networking and a problem installing the HP Connection Manager software, which will install when Windows 7 is on the physical device but is suddenly not compatible when being installed into a Windows 7 guest.

I hope to update further when I’ve had a chance to fix some of these issues if I can.

May 12

Citrix XenClient

Well I’ve been waiting a while for this. You can call me sad if you like but really you’ll just be talking to a computer as you read this… who’s sad now?

XenClient RC is released. If I didn’t have to use my laptop tomorrow this would be going on my 6930p right now but unfortunately it’ll have to wait till Friday.

For those people who have lives, XenClient is a type 1 hypervisor designed by Citrix and Intel specifically for YOUR laptop (providing you have a vPro laptop. If you don’t then sorry, you’re missing out).

What this means is you can run multiple virtual machines on your laptop and allow them direct access to the hardware, unlike what we currently have, which is your OS, say Windows 7, running VMware Workstation on top of the native OS (type 2 hypervisor).

I could and have previously written a lot on this topic but I don’t see the point of replicating the work of people who know a lot more about it than I do, so I will simply post the links to download and the Synergy 2010 keynote video which includes a XenClient demo plus some other interesting new Citrix advancements.


Keynote Video

I will however post more information on XenClient after Friday when I get a chance to install and play with it.

May 10

WordPress: Publishing code containing quotation marks

Well in the interest of the blog I’ve just learnt something new when trying to publish the last entry.

When trying to publish a code excerpt I noticed that the code would not display as text even when the <code> tags were used; apparently this is due to the existence of quotation marks within the code I was trying to publish.

Thanks to The answer was to use character codes for the first less-than character at the start of the code that needs to be published

I’m a great believer that if you don’t know something, someone on the internet has probably already answered the question, so thank you as well Google.

May 10

Access Gateway Advanced: AlwaysUseClientLessURL

This is an old issue that I dealt with a few years ago that needed digging up a couple of weeks ago during an AGA install. It’s issues like these that caused me to start this log, as finding the exact entry to add to the web.config file took me a good hour of digging through my sent items when I could have had them nicely detailed here!

Issue: If SAClient fails to load when logging into CAG Advanced and a connection policy is set to launch client if allowed, then the user will be redirected to the internal name of the AGA server.

Because the SAClient hasn’t launched there is no VPN session to enable the client to reach the internal name of the AGA server and the redirect will fail.

This issue affects all hotfix levels of AGA but the addition only works post HF3.

Workaround: A small addition to the web.config file in the CitrixSessionInit folder will force the AGA to use the external FQDN and proxy the redirect with the externally addressable FQDN.

It’s arguably preferable to use this even when the SAClient is working correctly as you do not reveal the internal server name of the AGA server.

Edit %systemdrive%\inetpub\wwwroot\CitrixSessionInit\web.config

Add the following line:
<add key="AlwaysUseClientLessURL" value="true"/>

I try to credit the appropriate person when I’ve been given a solution but it’s been so long since I was told this I can’t remember which of the fine people at Citrix Technical Support told me. Thanks again whoever that was.