Building NVidia GRID and XenDesktop POC – Part1

It’s always exciting to get your hands on some new technology that breaks the mold when it comes to deploying VDI and applications on Citrix. For years, using CAD and high end graphics has been a no go area on shared desktops hosted on Presentation Server or XenApp. The best you could probably achieve would be  CAD viewer for some light review work – no chance of full blown Auto-Cad or video editing software. You really needed to keep your big workstation PC or MAC with expensive hardware to do any serious work. More recently though Citrix have been able to connect you into dedicated PCs or blade-PC hosted in you data center with much improved graphics and capabilities for rendering images and video. We have had some success with this in hospital environments where medical staffs can remote in to their desktop and review x-ray and other patient videos from their home PC of tablet.

NVidia GRID and XenDesktop really do change the game. With dedicated Graphics Processing Units that you can allocate to your Windows PCs – the days of using hardware PC or blade PCs are banished. The NVidia cards can be fitted into a server running XenServer 6.2.  A XenServer plugin then allows access to the GPU and the XenDesktop Agent talks to the hardware. The result is quite spectacular! The POC I have been working on recently involves users in India accessing a XenDesktop Windows 7 PC in a server room in Northern Ireland. That’s a looonnng way away to be using a CAD application over a 3G connection. Results?  “Better than a desktop PC” was one user’s feedback.

So here are some tips.

Make sure you have all the cards, cables and components to put in the server. Check you have enough network ports, and switch connections for storage.nvidia

I was using HP DL380g8 servers with 2 NVidia GRID cards per server. To fit these, you need to order alternative PCI riser cards with cage from HP – and you need two different parts. One has an additional PCI slot, the other has not. The additional PCI slot is critical as you need this to facilitate another PCI card – in my case a HP dual port HBA for connecting to the fiber channel SAN. Without this, you’re pretty stuck with only local storage, unless you’re using iSCSI perhaps.

You’ll also need a set of torque screwdrivers as the cages (that house the NVidia cards) have tiny screws that would be easily damaged if you try to force them loose with something else.

It’s also worth ordering your server with on-board 10GB NICS instead of the standard 1Gb NICS. This will provide better connectivity that the standard 4 port 1Gb NIC card.

To fit these new risers and cage – you need to remove the CPU heat sinks and grab handle on the mother board and replace these with new ones that fit with the cages. If your happy enough to do that, make sure you have an anti-static wrist band and be very careful not to drop any screws into the server.

If you have all the cards, cages and cables – you can do it all in one go instead of having to rack and stack the servers and then come back and have more downtime.

BIOS – After installing the cards – go into the BIOS and make sure the on-board graphics card is still the main display card. If your server is set to use the external or extended graphics card as the main one – you won’t be able to see anything on the console, or on the iLO card for remote management.

Then you’re ready to install XenServer 6.2 + Spk1 , and add in the NVidia graphics plugin. Check here –

This needs to be copied to the root folder of the server using WinSCP or similar tool. Once installed, the XenCentre tools should show a new tab for GPU.

RAM – Make sure your server is fully loaded with as much RAM as you can get. If you’re running a CAD application like Auto-Desk or Creo you’re going to need a minimum of 16 Gb per Windows 7/8 virtual PC. If you need more per PC, you won’t be long running low on resources.

In deploying an initial server for a proof-of-concept, I limited the number of users to six. After building the OS, and installing the NVidia drivers, you then install the XenTools as normal and you’re ready to install whatever software you need. I left this to the customer to do while I created the Machine Catalogs and Delivery groups in Desktop Studio.

More later..

Citrix Reference doc:



Planning your XenMobile MDM Pilot

Mobile Device Management has been around for a few years now for iPads and Androids devices, and of course BlackBerry has been doing BES for much longer. I have been doing a few MDM installs recently with Citrix XenMobile MDM. This is now in version 8.6 and was already in version 7 when Citrix purchased Zenprise, one of the market leaders in December 2012.

If you’re looking at deploying Citrix XenMobile MDM in a pilot make sure you check through the installation guide, the References Architecture and the MDM Deployment kit if you can get your hands on one. These will help you plan for the infrastructure you need to put in place.

You also need to decide the limits of your POC. Do you just want to look at the device management, security and inventory? Or do you want the whole Enterprise solution with your own corporate app store, micro-vpn into the LAN and secure apps that you can sandbox and have full control over?

For Enterprise MDM, Citrix have bundled ShareFile Enterprise which make the whole solution even more appealing if you want to enable secure file access into your corporate shares and encrypted ShareFile repository. Indeed, the combined features of XenMobile MDM, Worx corporate app store and ShareFile make the enterprise solution very appealing as it would take 2-3 other vendors’ products to do all of these.

Some questions to start you off..

  • What infrastructure servers will I need?
  • Have I got external IPs?
  • What type of devices will I need to control? (Apple, Android, Windows Mobile etc)
  • What users will I target for the pilot?
  • Will I let them use their own device?
  • Have you updated any use policies and got users to sign?
  • What are the implications for controlling personnel devices?
  • Will the project include ShareFile?
  • What SSL certs will I need?
  • Is there a budget for installation and licensing?
  • Have I got a project plan and success criteria sorted?



Once you have worked out the answer to the questions’ll need to get the following sorted out well in advance of installation.

  • External IP/ports – get your change control submitted to Firewall manager in good time.
  • DNS – make sure you have external DNS records for CAG,MDM and ShareFile.
  • SSL – You will need at least two external SSL certs or wildcard. You will also need another 2-3 internal certs for App Controller and StoreFront internally.
  • DUNS Number – Dun and Bradstreet ID from – for Apple Dev Kit
  • Apple Enterprise Developer Kit from Apple at $299 + APNS Certificate
  • NetScaler – you will need a NetScaler with virtual CAG

The last two go together, and you need to get that DUNS number 4-5 weeks before you apply for the Apple Ent. Dev kit.

When Applying for that Apple Dev Kit, make sure you are the project manager or someone who can say they have authority to purchase the kit from Apple – otherwise they won’t talk to you if you need to call support.

The Apple kit is required for pushing secure apps to iOS devices and for packaging the Worx app son iOS and Android. The Apple Push Notification Service (APNS) is required for installation. This is a certificate for your MDM server that you need to email to Citrix, then post into your Apple account to generate an APNS certificate. This is required just to install the MDM software.

If you don’t already have one –you’ll need NetScaler to provide secure access into the Worx Store which resides on the App Controller component, and the StoreFront server for XenApp/XenDesktop access. It also provides the micro-vpn for access to internal web and mail.


Beware of any documentation or sales blurb that promises that any MDM solution will work on every device with every OS. The dream of BYOD for everyone may be possible, just –  but probably with some limitations to certain functionality.

For example, HTC Desire X and 500 models with android 4.1.2 simply won’t load the Citrix Worx Mail client, while a Samsung model with 4.1.2 works perfectly. All the MDM policies work fine. Documentation for the various components in the Enterprise MDM has different supported levels of Android OS and Android SDK API for Worx apps and the micro-vpn so worth checking.

If possible, make sure your Android device has latest build and is at least in support and not End Of Life in terms of downloads and updates to core OS components.

Apple devices are easier to support as there is only one hardware platform, albeit with 2-3 iOS version out there. MDM 8.6 has support for latest iOS 7.


Citrix, (2013) MDM Editions Data Sheet [Online] Available from:

Citrix (2013) Reference Architecture for Mobile Device and App Management [Online] Available from:

Citrix (2013) Compare XenMobile to the competition [Online] Available from:

Dun and Bradstreet (2013) DUNS Number [Online] Available from:

Apple (2013) iOS Developer Enterprise Program [Online] Available from:

How to – Cert requests on NetScaler for CAG

When setting up a virtual CAG on NetScaler – you can apply a certificate in a couple of different ways.

One option is to use IIS and request the certificate, return the request from the vendor and then use openssl on the IIS server, to convert the IIS to .PEM format.

Another option is to use the NetScaler admin tools to generate the request. To do this, you first must have your NetScaler license applied.

When requesting a cert from the NetScaler you have to generate a private key file. This is attached in the code of the cert request file, and then used to verify the source when you re-import.

You can also use a wildcard certificate. This is likely to be one that is used in other web servers so it’s important you know the private key password so you can import. You may also have to carry out the openssl conversion on IIS server before you can use on the NetScaler.

NetScaler can of course host multiple CAG vm, and act as a proxy for other internal sites –as well as perform SSL of loading for secure site traffic – so you could have more than one certificate on NetScaler.

I’m going to create my certificate request on the NetScaler using the admin gui.

  • Go to Traffic Management and SSL – look for Create RSA Key
  • This prompts for filename – which is held on the NetScaler file system.
  • Give the file a name, a bit size – usually 2048 and then format – PEM and Encoding DES.
  • Enter a passphrase and then confirm this – make sure you record it or use a familiar phrase.
  • You can check the location of the file using Manage Certificates – which lists the folder location of the certificate and key files.
  • Next, generate the certificate request using Create CSR.
  • In the next screen, enter the details of the cert request as shown here.
  • Give the cert request a name – and Browse to the key file.
  • Enter the passphrase, and fill in the Distinguished Name Fields.

Make sure that the cert or domain name you are requesting is actually associated with the company.

This can cause issues if the company name is not precise – so worth checking the domain in a whois lookup.

Also make sure you enter the fields marked “*” – an error will prompt you if you miss any. Also, before going to site – do the cert request at least a week in advance – it can take several days to get certs approved by some vendors in relation to government organisations for example.

When confirmed, click OK – then go into Manage Certificates to locate the request.

At this stage, you will need to either download the file OR select View and copy the text.

Your request is now ready to be submitted to a certificate authority.

On return, download the certificate and.

You should also apply the intermediate certificate chain and link it to your main cert.

To do this, get the intermediate cert from the vendor, and save to local folder.

  • Click on Install and browse to the folder – give the intermediate cert a name eg DaddyBundle, and click on Create then Close.
  • In the main cert screen – you can then right click on main CAG cert and select Link – then select the DaddyBundle.
  •  Click ok
  • You can now assign the ssl cert to your virtual CAG.

The process is pretty easy once you do it a few times, so do practice it before you go to site or get stuck with a support call.


Generate SSL Cert Request

Converting CAG pfx to PEM

OpenSSL Commands

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

When converting from IIS – you need to import on the IIS server you generated the request from  – otherwise export with key will fail.

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes