Enabling XenApp Administrative logs

If you have a busy XenApp farm with lots of published apps, users and administrators who have (I hope!) got delegated access – you may often want to check on who made a change, or removed a published app or affected some other settings. XenApp 7.5 Desktop Director has logging enabled by default.

 

It often gets overlooked during setup, but the History node in the XenApp AppCentre console is all you need. If you click on it, and it’s blank – then it’s not enabled and you will need to configure it. Here’s how!


Create a service account for the DB owner – AD or a local SQL account on the database server, documenting the account and password.

Set up a new SQL database on your preferred server. By the way – if you want to put the logs on the same server as your Farm DataStore server, you could look in the MF20.dsn file for the “server=” line. Start/Run – \\citrixserver1\C$\Program Files (x86)\Citrix\Independent Management Architecture\ – should take you to mf20.dsn.

You can use Oracle, but all customers I come across are on SQL server.

Then create the database with a suitable name – e.g. xenapplog – and assign the service account as the DB Owner.
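The database preparation steps above, scripted as an added example (not from the original post or from Citrix): it reads the “server=” line from mf20.dsn and generates the T-SQL that creates the log database and makes the service account its owner. The AD account name `CONTOSO\svc_xenapplog`, the sample server `SQLSRV01`, the constructed DSN content and the use of `sqlcmd.exe` with Windows authentication are assumptions for illustration.

```powershell
# Added example, not from the original post or from Citrix.
# Assumed names: CONTOSO\svc_xenapplog (AD service account), SQLSRV01 (sample server).
param(
    [string]$DsnPath,                                   # path to mf20.dsn; sample data is used if omitted
    [string]$Database       = 'xenapplog',
    [string]$ServiceAccount = 'CONTOSO\svc_xenapplog',
    [switch]$Apply                                      # without -Apply the T-SQL is only printed
)

function Get-DsnServer {
    param([string[]]$Lines)
    # mf20.dsn is a key=value text file; return the value of its "server=" line.
    foreach ($line in $Lines) {
        if ($line -match '^\s*server\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'No "server=" line found in the DSN content.'
}

function New-LogDatabaseSql {
    param([string]$Database, [string]$ServiceAccount)
    # Escape ] and ' so an unusual name cannot break out of the identifier or literal.
    $dbId  = '[' + $Database.Replace(']', ']]') + ']'
    $dbLit = "N'" + $Database.Replace("'", "''") + "'"
    $acId  = '[' + $ServiceAccount.Replace(']', ']]') + ']'
    $acLit = "N'" + $ServiceAccount.Replace("'", "''") + "'"
    # Each step is guarded so the script can be re-run without errors.
    return @"
IF DB_ID($dbLit) IS NULL
    CREATE DATABASE $dbId;
GO
IF SUSER_ID($acLit) IS NULL
    CREATE LOGIN $acId FROM WINDOWS;
GO
ALTER AUTHORIZATION ON DATABASE::$dbId TO $acId;
GO
"@
}

# Constructed sample of mf20.dsn content, used only when -DsnPath is not supplied.
$sampleDsn = @'
[ODBC]
DRIVER=SQL Server
SERVER=SQLSRV01
DATABASE=XenAppDataStore
'@ -split '\r?\n'

$lines  = if ($DsnPath) { Get-Content -LiteralPath $DsnPath } else { $sampleDsn }
$server = Get-DsnServer -Lines $lines
$sql    = New-LogDatabaseSql -Database $Database -ServiceAccount $ServiceAccount

if ($Apply) {
    $file = Join-Path $env:TEMP 'xenapplog-setup.sql'
    Set-Content -LiteralPath $file -Value $sql -Encoding ASCII
    # -E: Windows authentication of the admin running this; -b: stop on the first error.
    & sqlcmd.exe -S $server -E -b -i $file
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} else {
    "Target SQL Server from DSN: $server"
    $sql
}
```

Using an AD account here means no password has to appear in the script; the console wizard later asks for the account's credentials when you configure the database.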

Now – log in to a Data Collector in your Citrix Farm. Right click on the farm name, and go to Farm Properties and click on Configuration Logging.


Then click on Configure Database.


Enter the name of the database server, the authentication mode and the service account details.


Then select the database you created from the list.


Unless your database uses encryption, select No for Use Encryption. Click Next.


Then click on Test Database Connection – OK, then Finish.


The only other option is to secure the delete options – by ticking the box for “Require Admin to enter database credentials before clearing log”. You did record that account password, didn’t you?


Click on Get Log – and recent changes should start to appear. You can also amend the columns and set Filters for tasks and date range if you are looking to narrow down the search for changes.


So, a very useful addition to the console, and easy to set up. Happy Logging!


ShareFile Enterprise – to Mobility and beyond!

With so many customers looking at ShareFile, I often get asked how it works and where the data gets saved and synced. In this blog, I will give you a quick overview of ShareFile Enterprise and some of the useful tools you can use for accessing, sharing and syncing your files and data to a secure location in your data centre.

ShareFile is a Citrix product that competes directly with Dropbox, Google Drive and other online file sync tools, of which there are now dozens available – all with cloud storage, some with on-premise storage and varying security standards. With ShareFile you can store data in the cloud and in your data centre, as well as getting access to your existing file server resources and NAS drives in your secure network. For full details, check out the Citrix web site – but here is a quick overview for now.


The StorageZone Controller provides users with secure access to SharePoint document libraries and network file drives through Storage Zones Connectors. Users log onto ShareFile from their mobile device and retrieve a list of enterprise data repositories, which may include network drives and SharePoint document libraries.

After choosing an enterprise resource, the user authenticates with the StorageZone Controller using their company credentials, and is then able to enumerate and securely transfer files between the mobile device and the customer data center.


All  folders here – except Internal NovoShare – are hosted on Citrix ShareFile cloud. We have a 20gb cloud store. By default, all users’ folders are on the internal storage.

The Internal NovoShare is an iSCSI attached NAS with 3TB data available to staff. This is called a StorageZone, and runs on an internal Windows 2008 R2 server and gives our users about 20Gb each.


Being ISO certified, all our key data resides in a secure data center with very controlled access. Only our BCP documents would be stored in the Citrix cloud for emergencies.

Below – Connectors, which link into your existing NTFS shares and SharePoint document repositories. New connectors can link into Dropbox and other storage to enable migration or two-way collaboration.


All of these folders reside in our secure hosted data center. None of the files get sent to the Citrix Cloud – which acts only as a broker and for authentication.

Single Sign-On from AD

Logging into the MDM portal in a browser allows you to click on ShareFile – and seamlessly log in to the ShareFile web site.


SAML single sign-on can also be enabled by using the /SAML/login extension to the normal web portal.

Outlook Plugin


This is very useful and allows files to be attached easily from ShareFile – and new files to be attached, which are then sent into ShareFile instead of being emailed to multiple recipients.

Desktop Widget

Allows you to browse into your files and folders from a Windows/Mac desktop.


Sync Tool

The Sync Tool allows you to sync local folders up to your ShareFile storage.


So, if your local laptop drive is encrypted, as it should be, you can sync all or some of the data files to the ShareFile cloud folders.

Citrix World Wide ShareFile


Citrix ShareFile uses a “Control Plane” – sharefile.com and sharefile.eu – for broker authentication and location of data when hosted. For example, European customers can choose to have the data in .eu. The Control Plane provides users with a list of files and folders, but doesn’t hold them in the Citrix cloud if they are onsite – instead, the device is directed to the on-premise store.


Guest users and other contacts can be given access to shares and files very easily for single download or time restricted periods. FTP service? – no problem. Customizing your web portal is also very easy and provides a nice familiar interface for users. Various administrative rights can be delegated, and folder permissions granted so you can allow other users to control access and content.

ShareFile Enterprise is available as a separate product. However, if you are also considering an enterprise mobile device management (MDM) solution, Citrix XenMobile Enterprise includes ShareFile Enterprise for just a few dollars more than ShareFile on its own. Definitely worth checking that out. A free 30-day trial is also available on request.

 

Some useful links:

Main product information

http://www.sharefile.com/

ShareFile for Health

http://www.sharefile.com/industries/Healthcare/?src=direct&v=e&cat=1

Security

http://www.citrix.com/products/sharefile/features/secure-by-design.html

Choose where data is stored

http://www.citrix.com/products/sharefile/features/storagezones.html

XenDesktop & XenApp 7.5 – time to get planning!

Time is moving on for the current XenApp 6.5 platform, with only some two years left to go on the standard Life Cycle. That will come around sooner than you think.

There are many things to consider when moving to a new XenApp platform, not least of all changes in operating systems, application compatibility and printing (as always). Since my early days of working on MetaFrame 3, Citrix has been promising reduced management overheads, fewer consoles and better support for mixed OS environments. However, while they did do away with the old Citrix Management Console eventually, you were still left with Web Interface, Licensing and AppCentre to manage different parts of your environment. Then of course XenDesktop came along and brought new consoles, new management protocols and another database – and a StoreFront. Nearly forgot –  a Provisioning Server farm, console and database just to keep you on your toes!

My previous blog post on AppDNA touched on the challenge of making applications compatible with new desktop and server operating systems. But what about the management challenge of hosting virtual desktops, shared desktops and publishing your applications?

Citrix has been working hard on that chestnut for a couple of years and the recent launch of XenDesktop/XenApp 7.5 now provides administrators with the ability to manage and deploy various operating systems and applications from a more unified console, namely Citrix Studio.

Key to this new platform is the FlexCast Management Architecture, or FMA. FlexCast was previously used in licensing terms only. For nearly twenty years now Citrix Presentation Server based products including XenApp 6.5 have relied on IMA – Independent Management Architecture for the underlying farm communications, load balancing, policies, and admin etc etc. A tried and tested product, many millions of users have been relying on IMA all over the world for application and desktop delivery.

Here are a few of the new terms to get your head around –

| Instead of this in XenApp 6 | Think of this in XenApp 7 |
|---|---|
| Independent Management Architecture (IMA) | FlexCast Management Architecture (FMA) |
| Farm | Delivery Site |
| Worker Group | Session Machine Catalog, Delivery Group |
| Worker | Virtual Delivery Agent, Server OS Machine, Desktop OS Machine |
| Zone and Data Collector | Delivery Controller |
| Delivery Services Console | Citrix Studio and Citrix Director |
| Publishing applications | Delivering applications |
| Data store | Database |
| Load Evaluator | Load Management Policy |
| Administrator | Delegated Administrator Role |

(Source, XenApp eDocs – http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-previous-xa-admins.html )

FMA, however, introduces some new capabilities that IMA could not deliver, the main one being the ability to deploy the Citrix Virtual Desktop Agent (VDA) to both Windows desktop operating systems and servers – and manage both in the same place. Think about that for a second. No more multiple farms with different versions of Windows and XenApp. A single console where you manage desktops, machine images and applications. You can even use the VDA on physical PCs – useful for administrators or power users with heavy graphics, who can connect directly with HDX.

Key Components:


Of course, with change – there are some things that are no longer. User Shadowing, Oracle Database support, SSO for Win 8.1/2012, Local Text Echo, Legacy Printing (XP/DOS clients) –  are no longer supported. Secure Gateway, still in use by some customers, is no longer supported and customers are advised to move to NetScaler Gateway as a replacement for remote access. Web Interface is still supported but customers are also expected to migrate to StoreFront with Web Interface having a limited shelf life and no further development.

So get planning! A two-year window to get all your old 32-bit or 16-bit applications tested, upgraded or redeveloped is really not very long. Some will be easier than others. With AppV now bundled, you could give that a try or look at Unidesk. Licensing, print strategy, remote access and your hypervisor platform all need careful consideration. I’ll be looking into those in more depth in my next few blogs.

Useful Links:

XenApp 7.5 and XenDesktop 7.5

XenApp/Desktop 7.5 – Not supported

XenApp Support Matrix

 

Citrix AppDNA – analyzing your apps for those new OS deployments.

Upgrading a Citrix farm from one operating system to another has always been a difficult task to manage, particularly if you have a stack of applications that have been developed for an older operating system. Neither Microsoft nor Citrix supports “in place” upgrades for terminal servers – so you must deploy a new server OS and a new Citrix platform to move up to the latest system. New servers, new Citrix, new profiles, new printers... and potentially new applications.

Getting your apps to work on a new OS is often the biggest headache in a Citrix migration. This may be because your internal application team or third party developed the apps for your business on tools that were current at the time – but pretty useless now. If they developed them on Windows XP or Server 2003 – it’s very likely they won’t run at all on Windows 8 or Server 2012 R2. Various changes to Windows security and kernel access on 2008 R2 and 2012 mean that these older apps will fail at the first hurdle on any x64 OS. The same challenge exists if you want to move from Windows XP to Windows 7 or 8, and if you want to go for a VDI solution like Citrix XenDesktop or VMware View.

This is not the same challenge as deploying the application. Using tools like AppV or Citrix Streaming, or Unidesk doesn’t get around the problem of the application not working on the platform. These tools help with deployment – not compatibility if the application doesn’t work.

This is a big challenge for companies with a large set of applications. Hospitals, councils and other government departments have hundreds of applications. Some private sector companies with lots of staff and specialist manufacturing systems have apps written by staff that may have left years ago – but the business relies on those applications for critical processes. I know of one customer who is still running Windows NT 4 and Citrix MetaFrame 1.8 because of this very issue. They also have Windows Server 2000 and 2003 with Citrix XP and PS4. The apps are written as 16 bit. The systems are years out of support – but they can’t migrate the applications – they just don’t run. They have a XenApp 6.5 farm on 2008 – but can’t deploy the apps. The risk to the business is running aging applications on old server platforms with no support, poor recovery methods and lack of best practice and security, with little or no chance of being updated – without massive cost just to evaluate the code.

So what do you do? You could take the application and ask one of your developers (if you have one) to dissect the code, tell you what’s wrong and then fix it. This could take weeks depending on the code and your developer’s knowledge of an app he didn’t write, in a language he’s never used. There is a good chance something will be missed. You could engage an external developer to look at the app and the code, and give you a quote for rewriting it. That could also take weeks, and be very expensive – per application. Multiply that across your entire application list and you could be looking at a substantial outlay to get your applications up to Windows 8 and Server 2012 standards.

The Citrix answer to this challenge is AppDNA. AppDNA “reduces the amount of testing needed for applications and provides detailed information that can be used as the basis for the overall testing plan when migrating”.


AppDNA – Windows 8 overview. Five applications analysed; one needs to be rewritten, others need some work and two are good to go.

This is a powerful analysis tool that can take your application installer MSI, capture or AppV package, deploy it through a virtual machine template and pull together all the changes, DLLs, registry and system security changes that are required to get it installed. The AppDNA server is then able to compare this to various target operating systems that you want to migrate to – and provide you with a very detailed breakdown of the application’s requirements and what’s needed to get it over to the new OS. Newer applications may only require a few changes.

Older applications may require a complete rewrite. Either way, the system reports this back in minutes – not days or weeks. Inject several more applications into the system and you could easily have an estimate of the work involved in updating or rewriting your critical applications. Web sites can also be targeted to report back on browser compatibility using user simulation and a web spider tool. Using an easy to follow Red, Amber, Green traffic light system, management reports and effort calculations can be provided.

The latest 7.5 version is available for download and trial, bundled with Platinum Edition, and includes integration with XenServer, vSphere and Hyper-V as well as VMware Workstation. As a Citrix engineer I can see this being a very useful tool that could drastically reduce the time, effort and cost involved in application migration to the latest server and desktop operating systems. Still, I’m glad I’m not a developer!

Some sample reports:


References:

AppDNA – Overview

http://www.citrix.com/products/appdna/overview.html

Citrix TV – AppDNA

http://www.citrix.com/tv/#tags/appdna+7.5

Creating A User Agreement Policy for XenMobile Users

Getting users to agree to security policies is tricky enough at the best of times. It’s one thing to say you’re managing devices – but do your users agree to how you do it, how you monitor their use of the device and access to your corporate data? We could spend a lot more time discussing that question – but for now, let’s get a basic agreement in place for smartphones and tablets. Make sure you run it past HR and that you are quoting the correct IT policies and terms of use. You should have these in place for PCs and laptops already.

Notices are pushed out from the XenMobile server using a combination of a simple PDF document and a Deployment package targeted at a group of users or mobile devices. Inserting the Notice into a Base Package will ensure all devices get it on enrollment.

There are three main steps to deploying the notice:

  • Create Security Notice document
  • Deploy to test user/group
  • Deploy in live package

First, start by creating your security or user agreement notice – bearing in mind the size of the device screen. For example, A5 is well suited to 9/10” tablet devices. Include your company logo or letter heading to brand and make it look official.

Save the document as a PDF to your local PC. Then go into the MDM Console.


In the Files tab, click on New File – upload the document.


Select the document, and tick the button for Term and Conditions PDF – and Default if required.


Then go to the Deployment tab. Select a Base Package – select Files, and use “>” to add to Resources to Deploy.


You can then deploy the Package. New devices should now get prompted with the notice on enrollment.

Once in place, you can then use the Reporting tab and get feedback on who has accepted the policy using the Terms and Conditions report.


Citrix Synergy 2014 Review

My preview of Citrix Synergy 2014 a few weeks back highlighted the ever growing focus on mobility and data sharing that was certain to be a big topic this year. Following on from the purchases of Zenprise and ShareFile, Citrix have finally got to grips with integrating these products into the brand and with NetScaler and XenApp/Desktop – which have also seen several enhancements. So off to LA on a long Virgin Atlantic flight for a few days.

The first day keynote from CEO Mark Templeton was a stirring opening. Some great use cases for Citrix Cloud services (BT) and AutoDesk winning the heralded Innovation award. “Autodesk??” you say.. “The 3D CAD people?”  Yes Sir! That’s the one.


Above, Citrix CEO Mark Templeton

An emotional speech at times, with Mr Templeton due to stand down this year – there were certainly a few teary eyes among the crowd. His successor may not have been announced just yet, but his parting words “Leave it better than you found it” will certainly be remembered.

The main Expo hall had plenty to see and do with many great products from numerous partners. We spent a good bit of time at the CA Nimsoft stand and got a great demo of their monitoring tools for XenApp and XenDesktop.


A welcome product update due in Q3 is the latest Citrix Receiver X1. For anyone using Worx Home for XenMobile – this will integrate the on-boarding and corporate app store features of App Controller with a built-in Citrix Receiver client. No more having to configure two clients, one with dummy settings to avoid the prompts etc.


Other new features include easy branding for your app store. This was previously very tricky to do on StoreFront, with hardly any branding on mobile devices. The new X1 will allow you to add a corporate logo and colour schemes to your heart’s desire.

“Big News”

Another key announcement was Citrix Workspace Suite. This suite bundles XenDesktop, XenApp, XenMobile and ShareFile into one customer license for $450 per user. This is said to represent a saving of some 70% on purchasing the individual products. That’s a lot of product for your $ or £.

Back to mobility. Several really nice tools will be out soon for mobile devices including Worx Desktop which connects back to your PC and gives seamless access to documents. Worx Notes, a simple note taking utility that will give you access to save a quick note back to ShareFile or your corporate folders. ShareFile has shipped over 1,000,000 licenses in the past year and can now hook into GoToMeeting and other cloud storage services.

XenDesktop and XenApp have had some major enhancements to HDX with the addition of Adaptive H.264 encoding, double the speed frame refreshing on 3G connections, a reported 100% increase in bandwidth efficiency across a WAN for video quality and 10x reduced bit rate for HD video on low speed connections. Citrix certainly are not taking their foot off the gas on the virtual desktop front.

Putting all this together in a cloud infrastructure sounds daunting – or great fun if you’re a techie! To help with all that hosting Citrix now have WorkSpace Services. You can start from the bottom and use an automated tool called “Design and Automation” to build it all. Ideally a platform for service providers – it sure looks impressive on the demo.

Of course, to access all of this you need the Citrix Receiver, and apart from the X1 release, new HTML5, Mac and Chromebook versions are able to provide an even better user experience, with added support for USB3, flash, webcams and Microsoft Lync enhancements for Linux and iOS devices.

There’s lots more over on Citrix TV and YouTube – for now, here are a few links to the key topics and announcements.

References:

AutoDesk Innovation Winner:

Receiver on Chrome:

http://www.youtube.com/watch?v=UN3ORK8P9fM

Receiver X1:

http://www.youtube.com/watch?v=HIjCXnPB4XE

ShareFile update:

http://www.youtube.com/watch?v=BJsrxns-BYc

Workspace Suite:

http://www.youtube.com/watch?v=nYVx7dyotN8

Worx Desktop:

http://www.youtube.com/watch?v=DTRmcSgsyco

What’s New in XenDesktop and XenApp:

http://www.youtube.com/watch?v=fD9SdceZOfo

WorkSpace Services – Design and Automation:

http://www.youtube.com/watch?v=P-l4cc0y-E8

Securing Mobile Devices – Use Case:

http://youtu.be/6yYOwfr-pYY

Session Printers in XenApp 6.5

Citrix has several ways to enable printers in users’ sessions, including network print server based printers. These are called Session Printers and are configured in the Policies node in the Citrix AppCentre Management console.

Printers can also be mapped using a login script or VBScript. In this case, all the print server drivers for individual printers need to be installed on the XenApp server or PVS image. Printers mapped in scripts are outside of the control of Citrix Policies and management.

By using Citrix Policies, administrators have more control over when and how printers are made available.

For example, a set of Printer Policies filtered by IP Subnets could be used to enable roaming printers on mobile devices or laptops. Users would then find printers in session that are close to the department they are working in at the time. Other filters include Groups/Users and client device names.

So, you could have a Policy that is enabled by “IPAD*”, for example, where all devices with names starting with IPAD will get that policy – and its enabled printers and other settings.

Client connected printers (not addressed here) are either locally attached OR may be mapped network printers on a PC or Mac client machine. These can be controlled in Citrix AppCentre Management and are known as Client Connected printers.

Citrix XenApp servers can use server printers in two ways:

  • Citrix Universal Print Server (requires UPS server and client install, on XenApp media).
  • Native manufacturer’s printer driver.

To install a native driver

  • log in as an admin to the XenApp server.
  • browse the print server and find the printer (must have x64 drivers).
  • double click and install the printer as normal.
  • then delete the printer from the Control Panel/Devices and Printers – leaving the driver installed.

Creating a Policy with Session Printers

The three steps you need to enable Session printers are:

Create a new User Policy

Under Policies – select the User tab, and click on New – or edit an existing policy. Give your policy a name.

Assign the Session Printers

Go to Settings and look for Printers

Click on Add/Edit at Session Printers – when prompted, type the name of the print server – and browse the server’s printers – select the printer you need.

Add in other printers if required – you can also set the Default printer as shown above.

Filter by AD User Group

Click on the item you want to use as the filter – for example, User or Group.

You should then test the policy by using a suitable test account or known user. If the UPS service is compatible with the printer – the device should be shown as an available printer in the user’s session and applications.

Issues:

  • Citrix UPS is not compatible with manufacturers’ Universal Drivers.
  • If the Citrix UPS Driver does not print to the device – the native driver will need to be installed. The server policy should be set to “fallback” to native in this case.
  • Some printer drivers may not be Citrix ready. It is recommended to check the vendor’s support or documentation regarding suitable models and drivers.

Some manufacturers’ support references:

HP Supported Printers in XenApp

http://support.citrix.com/servlet/KbServlet/download/10498-102-649930/HPprinters_CitrixXenApp_1053.pdf

Ricoh Terminal and Citrix supported printers

https://support.citrix.com/article/CTX121349

Sharp

https://support.citrix.com/article/CTX135670

Xerox

http://www.office.xerox.com/support/dctips/dc14cc0492.pdf

Brother

http://www.brother.co.uk/g3.cfm/s_page/257810/s_name/citrixreadybrotherdevices