Quick Tip – Enable Framehawk Support in NetScaler Gateway

Here is a quick tip on enabling Framehawk support in NetScaler Gateway. This will help expand your current Framehawk use and testing to external access through NetScaler Gateway.

With NetScaler firmware release 11.0 build 62.10 (nCore), Citrix has added support for Framehawk in NetScaler Gateway. In previous releases, Framehawk support has been limited to internal, VPN, etc use cases not going through a NetScaler Gateway. Framehawk support in NetScaler Gateway uses the DTLS feature which has been used for UDP Audio through NetScaler Gateway and available in the NetScaler Enhancement firmware builds.

To enable Framehawk support in NetScaler Gateway, do the following:

Upgrade the NetScaler firmware to 11.0 build 62.10 (nCore).

Ensure UDP port 443 is open on the NetScaler Gateway virtual server. Framehawk will use UDP over port 443 when accessing XenApp/XenDestop remotely through NetScaler Gateway.

Enable DTLS on the NetScaler Gateway virtual server. This is done in the Basic Settings under More on the NetScaler Gateway virtual server.

Unbind the SSL certificate from the NetSaler Gateway virtual server. Confirm the SSL certificate unbinding and close the SSL certificate binding configuration. Reopen the SSL certificate binding configuration and rebind the SSL certificate back the NetScaler Gateway virtual server. If you get the following warning rebinding the SSL certificate, just click ok.

Close the NetScaler Gateway virtual server configuration and save the NetScaler configuration. You can now begin testing Framehawk through NetScaler Gateway.

Thanks to the Framehawk – NetScaler Gateway post by Derek Thorslund over the weekend in the Citrix Support Forums for the early information on this before the official guide is posted.

The official Citrix guide on Framehawk should be posted sometime today with complete information on configuring Framehawk. Keep any eye on the following Citrix Blog posts:

The official Citrix guide on Framehawk has been released. Check it out – HDX Framehawk Virtual Channel Administrator Guide. You can also get to it from the Citrix Product Documentation in the Framehawk Virtual Channel section on the What’s New Feature Pack 2 page.

Also for testing in lab, take a look at the Citrix Blog post Setting Up a Persistent WAN Emulator to test different WAN scenarios using Framehawk.

For any feedback you have while testing Framehawk, please post that feedback in the Framehawk Performance Compared to Thinwire post in the Citrix Support Forums.

If you have found this article interesting or if you have any insights, please feel free to leave comments on this article.

Quick Tip – Upgrading to StoreFront 3.0

Here is a quick tip on upgrading from Citrix StoreFront 2.6 to StoreFront 3.0.

StoreFront 3.0 was just released as part of the latest Feature Packs for XenApp and XenDesktop. I saw a few Citrix Forum posts about upgrading. I looked in the StoreFront 3.0 product documentation, but didn’t find anything on upgrading.

The upgrade process is very similar to the upgrade process for StoreFront from 2.1 to 2.6. There is just one extra step after upgrading, you need to Disable Classic Receiver Experience to enable the new features:

  1. Click Disable Classic Receiver Experience

2. Read the warning and Click Disable

3. New Receiver options are now enabled

Upgrade was pretty straight forward from StoreFront 2.6 in a two node deployment running on Windows Server 2012 R2 in my lab.

The Citrix Blogs also has a blog post What’s New in StoreFront 3.0, that mentions in place upgrade from StoreFront 2.6 and enabling the new unified Receiver experience. Also don’t forget to Set Unified Experience as Default to give the Receivers same look and feel as the Receiver for Web.

Update – If you have upgraded with the initial release build of StoreFront 3.0, there have been issues reported with the ugprade. Citrix has pulled that build and released a new one. The new build is available in the StoreFront downloads. To fix Credential Wallet issues after upgrading to StoreFront 3.0 with the initial release build, see Citrix Knowledge Center Article – Issues after Upgrading StoreFront to Version

If you have found this article interesting or if you have any insights, please feel free to leave comments on this article.

XenMobile 10 Clustering

While prepping for a new XenMobile 10 deployment that required high availability, I started working with clustering the virtual appliance.  With some guidance from the XenMobile team and some lab testing, I was able to get it working and verify the functionality.  Since the documentation for XenMobile 10 clustering hasn’t been released yet, I thought I would share my experience for anyone else looking to do clustering in XenMobile 10.
Continue reading “XenMobile 10 Clustering”

A New End User Computing Podcast, FrontLine Chatter!

 and I talk daily on twitter with a host of friends and community members about the weekly movers and shakers. There’s long been talk about an End User Computing podcast and over a few beers we finally decided we’d give it a go.

FrontLine Chatter is a podcast every fortnight focusing on EUC industry news. Each episode will be roughly 30 minutes long and we’ll invite a member of panel from the EUC community to tell their story or talk about a technology of their choice.

Our first episode is now live with the wonderfully colorful and interesting Rory Monaghan  talking all about application compatibility, Unidesk, VMware’s App Volumes acquisition and the other hidden gems Rory has been testing.

So what are you waiting for! Head over now and catch our first podcast.

Our next podcast (2 weeks from now) will be with industry hero Kees Baggerman  talking about moving from being a senior End User Computing consultant to Nutanix, his first 3 months with Nutanix, his view of the industry and some talk about User Environment Virtualization (UEV). So drop back soon!


Citrix Receiver Desktop Lock

With the launch of Citrix Receiver 4.2, Citrix has brought back their desktop to thin client converter “Desktop Lock”.

Citrix Desktop Lock was dropped from support back in Citrix Receiver 3.4 as it relied on the PNAgent functionality that was killed off in the last release of Receiver 3.4 Enterprise.

With Desktop Lock’s return, it now fully supports the latest and greatest Receiver versions and Citrix StoreFront communication.

Fellow CTP Andrew Morgan and I spent some time looking at Desktop Lock to write this article.  Below you’ll find a review of the product along with an installation guide on how to get Desktop Lock up and running.

How was Desktop Lock before this upgrade?

Before we look at the new version, lets look at why the previous Citrix Desktop Lock was a very fundamental solution with some gaps.

For example:

  • The machines you convert need to be on the corporate domain.
  • The user needed to sign in as themselves on the local end point.
  • There was no “choice in the matter”.  If you had more than one desktop available, Desktop Lock would just fire one desktop session alphabetically.
  • User profiles on the local machine quickly became an issue in a shared kiosk environment as they are not cleaned up.
  • No Hotkey pass through.  By default ctrl alt and del and [Win] + [L] lock the local workstation, not the remote workstation.
  • Local applications like flash/media player redirection may not work or local hardware may not work. (Desktop Lock does not run active setup, or the run keys which are needed by a number of applications).
  • If you are a local administrator, you cannot use the solution as Desktop Lock closes and logs in locally.

With the return of Desktop Lock, we were hoping some of these drawbacks would be resolved in the return.  Sadly, that’s not the case.  Unfortunately there are new ones we weren’t expecting to add to the list:

  • Citrix Desktop Lock does not allow for desktops in maintenance mode, it just hangs and eventually logs the user off again.
  • Citrix Desktop Lock will prompt users if it has a difficult time connecting to restart the machine.  But the restart button on the menu just restarts the local machine!

Desktop Lock for Receiver is simply an update to the previous version to add StoreFront support.  None of the previous gotcha’s seem to have been addressed.

In Review:

Desktop Lock is a clever utility in the tool belt for Citrix Deployments but has some limiting drawbacks.

If SSO isn’t an immediate requirement and if you are comfortable just publishing a browser, then consider the Desktop Appliance site from StoreFront (with some configuration):

  • Can deliver a better experience
  • Can offer desktop choices
  • Have no domain or SSO requirement
  • Has better handling of errors

Reviewing your options:

There are a number of free products for Windows like ThinKiosk available with greater functionality out of box than desktop lock but the customers use case will determine your course of action.

Installation Guide:

Installing Receiver and Desktop Lock

Citrix Desktop Lock requires a number of key installation settings in order to function correctly, below we’ve documented them step by step for ease of configuration.

Citrix receiver must be installed with the SSON functionality

When installation Citrix Receiver, specify the SSON and storefront details here to save some heartache: CitrixReceiver.exe /includeSSON /ENABLESSON=Yes /silent STORE0=”Store;https://storefront.domain.local/Citrix/Store/discovery;on;Store”

SSON must be enabled in Group Policy

Import the icaclient.adm file locally (or via gpo) in the Citrix ICA Client installation directory\configuration.

Browse to Administrative Templates > Citrix Components > Citrix Receiver > User authentication and Enable Local username and password as below:

If Trusted Sites, the Trusted Sites Zone must be configured to allow SSO pass through
Computer Policies > administrative templates > Internet Explorer > Internet Control Panel > Security Page > Trusted sites zone:

Enable Automatic logon with current username and password.

Storefront SSO

SSO must be configured in the StoreFront Receiver is connecting to. In the StoreFront, make sure your site is configured to allow SSO:

Testing it before installing Desktop lock

So there you have it, with a bit of know how and a pinch of luck, it’s time for testing.

Note: Test this as a user or users.  Ensure Receiver opens as the user when they log in without providing login details. If it works, you’re good to go.

Installing Desktop Lock

Installing Desktop Lock is a fairly trivial matter.  Just fire up the installer and next, next, finish. You’ll then be prompted to restart.

For reference, Desktop Lock works by taking control of the Shell key in HKLM\Software\Microsoft\Windows NT\Current Version\WinLogon.

Desktop Lock also uses ImageFileExecutionOptions to redirect all calls to task manager to Citrix’s own task manager.

Once finished, Desktop Lock should now be installed.  Restart.

Note: If Desktop Lock detects an administrator logged in, it will revert the shell value to explorer, launch explorer in full desktop mode, and then revert the key again.

Testing Desktop Lock

Logging in as a user, the user is presented with the familiar login screen for desktop lock then get forwarded to their session:

Note: The log off and restart buttons action locally.

Admin Login

If you log in as an administrator with UAC controls, you will receive the following:

Once you click OK, you will be logged into the full Windows shell.

So now you have some initial thoughts to Citrix Receiver Desktop Lock 4.2 and how to configure it.

If you have found this article interesting or if you have any insights, please feel free to leave comments on this article.


Quick Tip – XenMobile iOS App Wrapping Error

Here is a quick tip to fix an error when wrapping iOS apps using the updated MDX Toolkit for the updated iOS 8 Worx Apps.

You may receive the following error when trying to wrap Worx apps after updating your Apple iOS Devlepor for Enterprise certificate and provisioning file to include Team Identifier (ID) and the Organizational Unit (OU) fields required for iOS 8.

Error: “Failed to execute dylibcodesign with exit code: 1”

There is an article on Citrix Support – CTX135253 – Error:”Failed to execute dylibcodesign with exit code: 1”.  Now the Citrix support article states the error is from not having the Xcode Command Line Tools installed or an expired Apple iOS Developer for Enterprise certificate.  Neither of the above were causing the error as the Apple iOS Devloper for Enterprise certificate was not expired and the Xcode Command Line Tools were installed.

Since the Apple iOS Developer for Enterprise certificate and provisioning profile were updated as required for iOS 8, having both the previous and current certifcate and profiles on the system causes the problem and you will see the error mentioned above.  Both the previous and current certificates are not expired, they are current.  

To fix the issue simply do the following:

  1. Delete the previous certificate in Keychain Access in the login and System Keychains.  Make sure the All Items Category is selected when doing this.
  2. Delete all previous provisioning profiles.

Once the above has been completed, you should be able to wrap the updated Worx apps for iOS without errors.

If you have found this article interesting or if you have any insights, please feel free to leave comments on this article.