Citrix AppDNA – analyzing your apps for those new OS deployments.

Upgrading a Citrix farm from one operating system to another has always been a difficult task to manage, particularly if you have a stack of applications that have been developed for an older operating system. Neither Microsoft nor Citrix supports an “in place” upgrade for terminal servers – so you must deploy a new server OS and a new Citrix platform to move up to the latest system. New servers, new Citrix, new profiles, new printers… and potentially new applications.

Getting your apps to work on a new OS is often the biggest headache in a Citrix migration. This may be because your internal application team or third party developed the apps for your business on tools that were current at the time – but pretty useless now. If they developed them on Windows XP or Server 2003 – it’s very likely they won’t run at all on Windows 8 or Server 2012 R2. Various changes to Windows security and kernel access on 2008 R2 and 2012 mean that these older apps will fail at the first hurdle on any x64 OS. The same challenge exists if you want to move from Windows XP to Windows 7 or 8, and if you want to go for a VDI solution like Citrix XenDesktop or VMware View.

This is not the same challenge as deploying the application. Using tools like AppV or Citrix Streaming, or Unidesk doesn’t get around the problem of the application not working on the platform. These tools help with deployment – not compatibility if the application doesn’t work.

This is a big challenge for companies with a large set of applications. Hospitals, councils and other government departments have hundreds of applications. Some private sector companies with lots of staff and specialist manufacturing systems have apps written by staff that may have left years ago – but the business relies on those applications for critical processes. I know of one customer who is still running Windows NT 4 and Citrix MetaFrame 1.8 because of this very issue. They also have Windows Server 2000 and 2003 with Citrix XP and PS4. The apps are written as 16 bit. The systems are years out of support – but they can’t migrate the applications – they just don’t run. They have a XenApp 6.5 farm on 2008 – but can’t deploy the apps. The risk to the business is running aging applications on old server platforms with no support, poor recovery methods and lack of best practice and security. There is little or no chance of them being updated without massive cost just to evaluate the code.

So what do you do? You could take the application and ask one of your developers (if you have one) to dissect the code, tell you what’s wrong and then fix it. This could take weeks depending on the code and your developer’s knowledge of an app he didn’t write, in a language he’s never used. There is a good chance something will be missed. You could engage an external developer to look at the app and the code, and give you a quote for rewriting it. That could also take weeks, and be very expensive – per application. Multiply that across your entire application list and you could be looking at a substantial outlay to get your applications up to Windows 8 and Server 2012 standards.

The Citrix answer to this challenge is AppDNA. AppDNA “reduces the amount of testing needed for applications and provides detailed information that can be used as the basis for the overall testing plan when migrating”.


AppDNA – Windows 8 overview. Five applications analysed: one needs to be re-written, others need some work and two are good to go.

This is a powerful analysis tool that can take your application installer MSI, capture or AppV package and deploy it through a virtual machine template and pull together all the changes, DLLs, registry and system security changes that are required to get it installed. The AppDNA server is then able to compare this to various target operating systems that you want to migrate to – and provide you with a very detailed breakdown of the application’s requirements and what’s needed to get it over to the new OS. Newer applications may only require a few changes.

Older applications may require a complete re-write. Either way, the system reports this back in minutes – not days or weeks. Inject several more applications into the system and you could easily have an estimate of the work involved in updating or re-writing your critical applications. Web sites can also be targeted to report back on browser compatibility using user simulation and a web spider tool. Using an easy to follow Red, Amber, Green traffic light system, management reports and effort calculations can be provided.

The latest 7.5 version is available for download and trial, bundled with Platinum Edition, and includes integration with XenServer, vSphere and Hyper-V as well as VMware Workstation. As a Citrix engineer I can see this being a very useful tool and could drastically reduce the time, effort and cost involved in application migration to the latest server and desktop operating systems. Still, I’m glad I’m not a developer!

Some sample reports:




AppDNA – Over View

Citrix TV – AppDNA


Creating A User Agreement Policy for XenMobile Users

Getting users to agree to security policies is tricky enough at the best of times. It’s one thing to say you’re managing devices – but do your users agree to how you do it, how you monitor their use of the device and access to your corporate data? We could spend a lot more time discussing that question – but for now, let’s get a basic agreement in place for smartphones and tablets. Make sure you run it past HR and that you are quoting the correct IT policies and terms of use. You should have these in place for PC and laptops already.

Notices are pushed out from the XenMobile server using a combination of a simple PDF document and a Deployment package targeted at a group of users or mobile devices. Inserting the Notice to a Base Package will ensure all devices get it on enrollment.

There are three main steps to deploying the notice:

  • Create Security Notice document
  • Deploy to test user/group
  • Deploy in live package

First, start by creating your security or user agreement notice – bearing in mind the size of the device screen. For example, A5 is well suited to 9/10” tablet devices. Include your company logo or letter heading to brand and make it look official.

Save the document as a PDF to your local PC. Then go into the MDM Console.


In the Files tab, click on New File – upload the document.


Select the document, and tick the button for Term and Conditions PDF – and Default if required.


Then go to the Deployment tab. Select a Base Package – select Files, and use “>” to add to Resources to Deploy.


You can then deploy the Package. New devices should now get prompted with the notice on enrollment.

Once in place, you can then use the Reporting tab and get feedback on who has accepted the policy using the Terms and Conditions report.


Citrix Synergy 2014 Review

My preview of Citrix Synergy 2014 a few weeks back highlighted the ever growing focus on mobility and data sharing that was certain to be a big topic this year. Following on from the purchases of Zenprise and ShareFile, Citrix have finally got to grips with integrating these products into the brand and with NetScaler and XenApp/Desktop – which have also seen several enhancements. So off to LA on a long Virgin Atlantic flight for a few days.

The first day keynote from CEO Mark Templeton was a stirring opening. Some great use cases for Citrix Cloud services (BT) and AutoDesk winning the heralded Innovation award. “Autodesk??” you say.. “The 3D CAD people?”  Yes Sir! That’s the one.



Above, Citrix CEO Mark Templeton

An emotional speech at times, with Mr Templeton due to stand down this year – there were certainly a few teary eyes among the crowd. His successor may not have been announced just yet, but his parting words “Leave it better than you found it” will certainly be remembered.

The main Expo hall had plenty to see and do with many great products from numerous partners. We spent a good bit of time at the CA Nimsoft stand and got a great demo of their monitoring tools for XenApp and XenDesktop.


A welcome product update due in Q3 is the latest Citrix Receiver X1. For anyone using Worx Home for XenMobile – this will integrate the on-boarding and corporate app store features of App Controller with a built in Citrix Receiver client. No more having to configure two clients, one with dummy settings to avoid the prompts etc.


Other new features include easy branding for your app store. This was previously very tricky to do on StoreFront, with hardly any options on mobile devices. The new X1 will allow you to add corporate logo and colour schemes to your heart’s desire.

“Big News”

Another key announcement was Citrix Workspace Suite. This suite bundles XenDesktop, XenApp, XenMobile and ShareFile into one customer license for $450 per user. This is said to represent a saving of some 70% on purchasing the individual products. That’s a lot of product for your $ or £.

Back to mobility. Several really nice tools will be out soon for mobile devices including Worx Desktop which connects back to your PC and gives seamless access to documents. Worx Notes, a simple note taking utility that will give you access to save a quick note back to ShareFile or your corporate folders. ShareFile has shipped over 1,000,000 licenses in the past year and can now hook into GoToMeeting and other cloud storage services.

XenDesktop and XenApp have had some major enhancements to HDX with the addition of Adaptive H.264 encoding, double the speed frame refreshing on 3G connections, a reported 100% increase in bandwidth efficiency across a WAN for video quality and 10x reduced bit rate for HD video on low speed connections. Citrix certainly are not taking the foot off the gas on the virtual desktop front.

Putting all this together in a cloud infrastructure sounds daunting – or great fun if you’re a techie! To help with all that hosting Citrix now have WorkSpace Services. You can start from the bottom and use an automated tool called “Design and Automation” to build it all. Ideally a platform for service providers – it sure looks impressive on the demo.

Of course to access all of this you need the Citrix Receiver and apart from the X1 release, new HTML5, Mac and Chromebook versions are able to provide even better user experience with added support for USB3, flash, webcams and Microsoft Lync enhancements for Linux and iOS devices.

There’s lots more over on Citrix TV and YouTube   – for now, here are a few links to the key topics and announcements.


AutoDesk Innovation Winner:

Receiver on Chrome:

Receiver X1:

ShareFile update:

Workspace Suite:

Worx Desktop:

What’s New in XenDesktop and XenApp:

WorkSpace Services – Design and Automation:

Securing Mobile Devices – Use Case:

Session Printers in XenApp 6.5

Citrix has several ways to enable printers in users’ sessions including network print server based printers. These are called Session Printers and are configured in the Policies node in the Citrix AppCentre Management console.

Printers can also be mapped using a login script or VBScript. In this case, all the print server drivers for individual printers need to be installed on the XenApp server or PVS image. Printers mapped in scripts are outside of the control of Citrix Policies and management.

By using Citrix Policies, administrators have more control over when and how printers are made available.

For example, a set of Printer Policies filtered by IP Subnets could be used to enable roaming printers on mobile devices or laptops. Users would then find printers in session that are close to the department they are working in at the time. Other filters include Groups/Users and client device names.

So you could have a Policy that is enabled by “IPAD*”, for example, where all devices called IPAD will get that policy – along with its enabled printers and other settings.

Client connected printers (not addressed here) are either locally attached OR may be mapped network printers on a PC or Mac client machine. These can be controlled in Citrix AppCentre Management and are known as Client Connected printers.

Citrix XenApp servers can use server printers in two ways:

  • Citrix Universal Print Server (requires UPS server and client install, on XenApp media).
  • Native Manufacturers Printer driver.

To install a native driver

  • login as an admin to the XenApp server.
  • browse the print server and find the printer (must have x64 drivers).
  • double click and install the printer as normal.
  • then delete the printer from the Control Panel/Devices and Printers – leaving the driver installed.

Creating a Policy with Session Printers

The three steps you need to enable Session printers are:

Create a new User Policy

Under Policies – select the User tab, and click on New – or edit an existing policy. Give your policy a name.

Assign the Session Printers

Go to Settings and look for Printers

Click on Add/Edit at Session Printers – when prompted type the name of the print server – and browse the server’s printers – select the printer you need.

Add in other printers if required – you can also set the Default printer as shown above.

Filter by AD User Group

Click on the item you want to use as the filter – for example, User or Group.

You should then test the policy by using a suitable test account or known user. If the UPS service is compatible with the printer – the device should be shown as an available printer in the user’s session and applications.


  • Citrix UPS is not compatible with manufacturers’ Universal Drivers.
  • If the Citrix UPS Driver does not print to the device – the native driver will need to be installed. The server policy should be set to “fallback” to native in this case.
  • Some printer drivers may not be Citrix ready. It is recommended to check the vendor’s support or documentation regarding suitable models and drivers.

Some manufacturers support references:

HP Supported Printers in XenApp

Ricoh Terminal and Citrix supported printers




What’s up at Synergy 2014?

If you have never been to a Citrix Synergy event – Synergy is the best conference for Citrix engineers, sales and geeks everywhere. The event used to be held in both the USA and Europe until Citrix split up the event in the EU to 4-5 separate product days instead.

As you can imagine, the whole event is about the many great products in the Citrix portfolio. This has changed somewhat since my first one ten years ago when it was nearly all about Presentation Server, some remote access, best practice for terminal servers and what thin client worked best.

Today, the event is a very busy and full featured show with many industry leading products like XenDesktop, ShareFile, XenMobile, AppDNA and NetScaler being just a few.

In fact, the tricky part is fitting in everything you want to see in the three days. Along with experts on the various products and real customer experiences, you can also indulge in technical labs and even have a crack at some certifications in between sessions.

This year promises a feast of information and best practice for anyone interested in Mobility, with products like ShareFile and Worx Mail, not to mention XenMobile, taking up many of the sessions. There are also a load of specialist breakout sessions focused on specific technologies from real live customers and partners. You can catch me at 1630 pm on Thursday 8th May talking about XenMobile use cases.

I’m looking forward to some exciting demos from Brad Peterson – why do his demos always work?

What’s that? You can’t make it to LA? Don’t worry you can catch up on all the best sessions and demos at Citrix TV.

Planning your XenMobile MDM Pilot

Mobile Device Management has been around for a few years now for iPads and Android devices, and of course BlackBerry has been doing BES for much longer. I have been doing a few MDM installs recently with Citrix XenMobile MDM. This is now in version 8.6 and was already in version 7 when Citrix purchased Zenprise, one of the market leaders, in December 2012.

If you’re looking at deploying Citrix XenMobile MDM in a pilot make sure you check through the installation guide, the Reference Architecture and the MDM Deployment kit if you can get your hands on one. These will help you plan for the infrastructure you need to put in place.

You also need to decide the limits of your POC. Do you just want to look at the device management, security and inventory? Or do you want the whole Enterprise solution with your own corporate app store, micro-vpn into the LAN and secure apps that you can sandbox and have full control over?

For Enterprise MDM, Citrix have bundled ShareFile Enterprise which makes the whole solution even more appealing if you want to enable secure file access into your corporate shares and encrypted ShareFile repository. Indeed, the combined features of XenMobile MDM, Worx corporate app store and ShareFile make the enterprise solution very appealing as it would take 2-3 other vendors’ products to do all of these.

Some questions to start you off..

  • What infrastructure servers will I need?
  • Have I got external IPs?
  • What type of devices will I need to control? (Apple, Android, Windows Mobile etc)
  • What users will I target for the pilot?
  • Will I let them use their own device?
  • Have you updated any use policies and got users to sign?
  • What are the implications for controlling personal devices?
  • Will the project include ShareFile?
  • What SSL certs will I need?
  • Is there a budget for installation and licensing?
  • Have I got a project plan and success criteria sorted?



Once you have worked out the answers to the questions, you’ll need to get the following sorted out well in advance of installation.

  • External IP/ports – get your change control submitted to Firewall manager in good time.
  • DNS – make sure you have external DNS records for CAG, MDM and ShareFile.
  • SSL – You will need at least two external SSL certs or wildcard. You will also need another 2-3 internal certs for App Controller and StoreFront internally.
  • DUNS Number – Dun and Bradstreet ID from – for Apple Dev Kit
  • Apple Enterprise Developer Kit from Apple at $299 + APNS Certificate
  • NetScaler – you will need a NetScaler with virtual CAG

The last two go together, and you need to get that DUNS number 4-5 weeks before you apply for the Apple Ent. Dev kit.

When Applying for that Apple Dev Kit, make sure you are the project manager or someone who can say they have authority to purchase the kit from Apple – otherwise they won’t talk to you if you need to call support.

The Apple kit is required for pushing secure apps to iOS devices and for packaging the Worx apps on iOS and Android. The Apple Push Notification Service (APNS) is required for installation. This is a certificate for your MDM server that you need to email to Citrix, then post into your Apple account to generate an APNS certificate. This is required just to install the MDM software.

If you don’t already have one – you’ll need NetScaler to provide secure access into the Worx Store which resides on the App Controller component, and the StoreFront server for XenApp/XenDesktop access. It also provides the micro-vpn for access to internal web and mail.


Beware of any documentation or sales blurb that promises that any MDM solution will work on every device with every OS. The dream of BYOD for everyone may be possible, just –  but probably with some limitations to certain functionality.

For example, HTC Desire X and 500 models with android 4.1.2 simply won’t load the Citrix Worx Mail client, while a Samsung model with 4.1.2 works perfectly. All the MDM policies work fine. Documentation for the various components in the Enterprise MDM has different supported levels of Android OS and Android SDK API for Worx apps and the micro-vpn so worth checking.

If possible, make sure your Android device has latest build and is at least in support and not End Of Life in terms of downloads and updates to core OS components.

Apple devices are easier to support as there is only one hardware platform, albeit with 2-3 iOS versions out there. MDM 8.6 has support for latest iOS 7.



How to – Cert requests on NetScaler for CAG

When setting up a virtual CAG on NetScaler – you can apply a certificate in a couple of different ways.

One option is to request the certificate from IIS, complete the request with the certificate returned by the vendor, and then use openssl on the IIS server to convert the IIS export to .PEM format.

Another option is to use the NetScaler admin tools to generate the request. To do this, you first must have your NetScaler license applied.

When requesting a cert from the NetScaler you have to generate a private key file. The cert request file is tied to this key, and the key is then used to verify the source when you import the returned certificate.

You can also use a wildcard certificate. This is likely to be one that is used in other web servers so it’s important you know the private key password so you can import. You may also have to carry out the openssl conversion on IIS server before you can use on the NetScaler.

NetScaler can of course host multiple CAG VMs and act as a proxy for other internal sites – as well as perform SSL offloading for secure site traffic – so you could have more than one certificate on NetScaler.

I’m going to create my certificate request on the NetScaler using the admin gui.

  • Go to Traffic Management and SSL – look for Create RSA Key
  • This prompts for filename – which is held on the NetScaler file system.
  • Give the file a name, a bit size – usually 2048 and then format – PEM and Encoding DES.
  • Enter a passphrase and then confirm this – make sure you record it or use a familiar phrase.
  • You can check the location of the file using Manage Certificates – which lists the folder location of the certificate and key files.
  • Next, generate the certificate request using Create CSR.
  • In the next screen, enter the details of the cert request as shown here.
  • Give the cert request a name – and Browse to the key file.
  • Enter the passphrase, and fill in the Distinguished Name Fields.

Make sure that the cert or domain name you are requesting is actually associated with the company.

This can cause issues if the company name is not precise – so worth checking the domain in a whois lookup.

Also make sure you enter the fields marked “*” – an error will prompt you if you miss any. Also, before going to site – do the cert request at least a week in advance – it can take several days to get certs approved by some vendors in relation to government organisations for example.

When confirmed, click OK – then go into Manage Certificates to locate the request.

At this stage, you will need to either download the file OR select View and copy the text.

Your request is now ready to be submitted to a certificate authority.

On return, download the certificate and.

You should also apply the intermediate certificate chain and link it to your main cert.

To do this, get the intermediate cert from the vendor, and save to local folder.

  • Click on Install and browse to the folder – give the intermediate cert a name eg DaddyBundle, and click on Create then Close.
  • In the main cert screen – you can then right click on main CAG cert and select Link – then select the DaddyBundle.
  •  Click ok
  • You can now assign the ssl cert to your virtual CAG.

The process is pretty easy once you do it a few times, so do practice it before you go to site or get stuck with a support call.


Generate SSL Cert Request

Converting CAG pfx to PEM

OpenSSL Commands

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

When converting from IIS – you need to import on the IIS server you generated the request from  – otherwise export with key will fail.

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
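The key, CSR, intermediate-chain and PKCS#12 steps above can be checked with openssl on a workstation before anything is installed on the appliance. The script below is an added example, not part of the original post or any Citrix tooling: it confirms the returned certificate and the CSR carry the same public key as the private key, that the certificate validates against the vendor bundle, and whether a converted PEM file still has its key encrypted. The file names, the `KEY_PASS` variable, the subject names and the throwaway CA standing in for the vendor are all constructed for the demonstration.

```bash
#!/bin/sh
# Added example: checks to run before installing a returned certificate.
# Subjects, file names and the passphrase are constructed for the demonstration.
# Passphrases are passed with env: so they do not appear in the process list.
set -u

# Base64 SubjectPublicKeyInfo of a key, CSR or certificate ($1 = key|csr|cert, $2 = file).
# Empty output means the file could not be read (wrong passphrase, wrong format).
spki() {
  case "$1" in
    key)  openssl pkey -in "$2" -passin env:KEY_PASS -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null | grep -v '^-----' | tr -d '\n'
}

# True when both objects carry the same public key.
same_key() {
  [ -n "$(spki "$1" "$2")" ] && [ "$(spki "$1" "$2")" = "$(spki "$3" "$4")" ]
}

# True when the certificate ($2) validates against the vendor bundle ($1).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True when the PEM file holds a passphrase-protected private key.
key_is_encrypted() {
  grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints "ok" or the first failed check. $1 key, $2 CSR, $3 certificate, $4 bundle.
preimport_check() {
  same_key key "$1" csr "$2"  || { echo csr-key-mismatch;  return 1; }
  same_key key "$1" cert "$3" || { echo cert-key-mismatch; return 1; }
  chain_ok "$4" "$3"          || { echo chain-not-trusted; return 1; }
  echo ok
}

# Build throwaway material in directory $1: a constructed CA standing in for the
# vendor, the appliance key and CSR, the signed certificate and a .pfx export.
make_demo() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Constructed Vendor CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    > "$1/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/demo.cnf" -days 2 \
    -keyout "$1/ca.key" -out "$1/bundle.pem" 2>/dev/null
  # 2048-bit RSA key with a passphrase, then the CSR (the two GUI steps).
  # AES-256 is used for the key encryption here rather than the DES option.
  openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/cag.key" 2048 2>/dev/null
  openssl req -new -config "$1/demo.cnf" -key "$1/cag.key" -passin env:KEY_PASS \
    -subj '/O=Example Ltd/CN=cag.example.test' -out "$1/cag.csr"
  openssl x509 -req -in "$1/cag.csr" -CA "$1/bundle.pem" -CAkey "$1/ca.key" \
    -set_serial 1 -days 2 -out "$1/cag.pem" 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key
  openssl pkcs12 -export -inkey "$1/cag.key" -passin env:KEY_PASS -in "$1/cag.pem" \
    -out "$1/cag.pfx" -passout env:KEY_PASS
  # The page's PKCS#12 conversion: -nodes writes the private key in the clear.
  openssl pkcs12 -in "$1/cag.pfx" -passin env:KEY_PASS -nodes \
    -out "$1/plain.pem" 2>/dev/null
  # Without -nodes the exported key stays encrypted under -passout.
  openssl pkcs12 -in "$1/cag.pfx" -passin env:KEY_PASS -passout env:KEY_PASS \
    -out "$1/enc.pem" 2>/dev/null
}

KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
work=$(mktemp -d) && make_demo "$work"
echo "matching key: $(preimport_check "$work/cag.key" "$work/cag.csr" "$work/cag.pem" "$work/bundle.pem")"
echo "wrong key:    $(preimport_check "$work/other.key" "$work/cag.csr" "$work/cag.pem" "$work/bundle.pem")"
for f in cag.key enc.pem plain.pem; do
  if key_is_encrypted "$work/$f"; then echo "$f: key encrypted"; else echo "$f: key in clear"; fi
done
```

A PEM file produced with `-nodes` should be treated like the private key itself: restrict who can read it and remove the copy once the import is done.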

Backing up NetScaler

NetScaler stores its configuration in a file called “ns.conf” stored in the unix file system.

It would be good practice to take a copy of this file before any major work, version upgrades or migration of the virtual appliances to another data centre for example.

You can back up the config in two ways:

  • Using the Generate Support File wizard in the GUI – I mostly use this for sending support files to Citrix.
  • Using ftp or secure FTP tools like WinSCP or Bitvise

I prefer to use WinSCP/Bitvise and usually install this on the Web Interface or Storefront server.

Method 1

Login to your NetScaler through the management gui.


Go to System, Diagnostics and click on Generate Support File

Click on Run, takes a minute to run. You can then click on Download to export a unix tar file

And also save the config to a text file.


Click download to get the .tar file.


Click on Select to select the recent version


Select a suitable path for the backup and click on Download.


Method 2

The 2nd method, and one I prefer to use, is through a Windows based ftp/secure FTP tool.


Login to the NetScaler IP with the nsroot or other admin account.


This then presents you with an explorer interface into the NetScaler file system, and of course my local PC.

Browse to a suitable location on the left pane, and then browse on the right to find the /nsconfig folder – drag the ns.conf over to the right.

**Other files called ns.conf.0 are the previous versions, which you may rename to ns.conf if required to get back to previous settings.

StoreFront 2.0


Citrix StoreFront v 2.0 has been out for a few months now and it’s finally worth a look if you haven’t already. StoreFront is what Citrix call “enterprise app store” where users can subscribe to applications just as you do with smartphone devices on Android or iOS.


The previous versions required you to install SQL Express on the server which is obviously an unwelcome addition as you have to then provide backup maintenance plans, and give your server a few more virtual sticks of RAM in your hypervisor.

Early Storefront also proved to be a bit unreliable. After one install, I had to remove it and revert to Web Interface 5.4 as the Storefront Wallet Service kept failing and even a re-install would not fix.

With Web Interface 5.4 development at an end, and End Of Life coming in the next year or two, it’s StoreFront you need to be installing and getting to know.

Version 2 is much leaner due to no SQL Express, and while the management console is still limited in terms of customisation (compared to Web I) – the Green Bubble GUI is now the same across web and mobile devices. Integration to CAG and your XenDesktop and XenApp farms is similar to Web-I and easy to setup.

I expect that the StoreFront management tool will get an upgrade soon to allow easy customisation and addition of your corporate logo and security notices.


With StoreFronts and App Controller – you can now push out other apps (Web/SaaS/Data) to users on web and mobile devices from your own company app store and integrate to XenMobile.

HA is much easier to configure in StoreFront compared to Web Interface. When you configure a 2nd server, it’s a simple task to initiate a link from server1 to server2.

You can then load balance in your NetScaler with Load Balancing. For migration, Web Interface and StoreFront can co-exist on the same server, and StoreFront can also act as the PNAgent site. Post testing – you can easily set the StoreFront web site as default in IIS and remove Web Interface.


StoreFront eDocs :

StoreFront @ CitrixTV:

Unified App Store OverView: