NetScaler and PowerShell cmdlets

Now this is something I have been planning a post on for some time, ever since I started working with the C# library to do NITRO API calls against NetScaler. I was planning and had started on a PowerShell module for NetScaler, but someone beat me to it, so there is no reason to reinvent the wheel anymore.

Someone at Citrix (Santiago Cardenas) has already created a REST API based PowerShell module, which is placed on GitHub here –>

The scripts contain many of the basic features, but I'll give you a recipe which will allow you to create your own extensions to them. With the REST API we have built-in documentation, which is available on the NetScaler here –> Under the download page of the NetScaler


From the download you have an index.html file which shows you the different tasks.

There are two main categories, Configuration and Statistics, and from there we can drill down into a specific feature. So for instance let us look at the Gateway vServer, which is located under SSL VPN.

So if we want to set up a Gateway vServer, what do we need to specify? If we choose vpnvserver, which is the base object, we get all the attributes that can be configured on the vpnvserver object.

name, servicetype, ipv46, range, port

Now it's a long list, but if you scroll down the documentation page you can see a specific example, for instance if you wish to add a vServer (the objects in red are the ones that ARE required).


With a REST API we need to use a POST command, which pushes the settings we specify using PowerShell. The GitHub PowerShell cmdlets have already taken care of this, so the commands are built up like this:

function GatewayvServer ($GatewayFQDN, $VIP) {
EnableFeatures SSLVPN

$body = @{
$body = ConvertTo-JSON $body
Invoke-RestMethod -uri "" -body $body -WebSession $NSSession `
-Headers @{"Content-Type"="application/"} -Method POST

The function name is what we use when starting it from PowerShell, and the variables are the parameters that we can specify after the cmdlet. All the specific attributes are part of a variable called $body, which is then added to the HTTP body. The is the direct name of the NetScaler.

Now what if we want to create a function that gets information about a particular vServer? We can see from the documentation that there is a “get” example.


So an example PowerShell function would look like this:

function Get-GatewayvServer {
# Login to NetScaler and save session to global variable
$gateway = Read-host -Prompt "Type VIP name"
$body = ConvertTo-JSON @{
Invoke-RestMethod -uri "" -WebSession $NSSession -Method GET
$Script:NSSession = $local:NSSession

As we can see from the URI, all we need is to specify the hostname of the NetScaler and that particular VPN vServer, using the GET HTTP method. So if you are unsure of the URI you can just open up a browser and connect to that particular URI.
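
The POST and GET calls described above, written out as an added example that is not taken from the GitHub module or the original post. The host name, the /nitro/v1/config paths and the application/json content type are assumptions to verify against the NITRO documentation downloaded from your own appliance; the function names are hypothetical.

```powershell
# Added example, not from the GitHub module. Host name, NITRO paths and the
# content type are assumptions: verify them against your appliance's own docs.
$NSHost = 'netscaler.example.test'           # placeholder management address
$Base   = "https://$NSHost/nitro/v1/config"  # HTTPS so the login body is not sent in clear text

function Connect-NSExample {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $body = @{ login = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } } | ConvertTo-Json
    Invoke-RestMethod -Uri "$Base/login" -Method Post -Body $body `
        -ContentType 'application/json' -SessionVariable session | Out-Null
    $Script:NSSession = $session             # cookie-based session reused by later calls
}

function New-GatewayvServerExample {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[\w.-]+$')][string]$Name,
        [Parameter(Mandatory)][ipaddress]$VIP,
        [ValidateRange(1, 65535)][int]$Port = 443
    )
    # Attribute names are the ones listed for the vpnvserver object above.
    $body = @{ vpnvserver = @{
        name = $Name; servicetype = 'SSL'; ipv46 = $VIP.ToString(); port = $Port
    } } | ConvertTo-Json
    Invoke-RestMethod -Uri "$Base/vpnvserver" -Method Post -Body $body `
        -ContentType 'application/json' -WebSession $Script:NSSession
}

function Get-GatewayvServerExample {
    param([Parameter(Mandatory)][string]$Name)
    $uri = "$Base/vpnvserver/$([uri]::EscapeDataString($Name))"
    (Invoke-RestMethod -Uri $uri -Method Get -WebSession $Script:NSSession).vpnvserver
}

function Disconnect-NSExample {
    $body = @{ logout = @{} } | ConvertTo-Json
    Invoke-RestMethod -Uri "$Base/logout" -Method Post -Body $body `
        -ContentType 'application/json' -WebSession $Script:NSSession | Out-Null
}

# Usage: prompt for credentials instead of embedding them in the script.
# Connect-NSExample -Credential (Get-Credential)
# New-GatewayvServerExample -Name 'gw_example' -VIP 192.0.2.10
# Get-GatewayvServerExample -Name 'gw_example'
# Disconnect-NSExample
```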


So the PowerShell cmdlets from Santiago Cardenas can be used as a starting point; adding your own PowerShell functions is pretty easy when you just look at which attributes and URIs are being used. So start scripting!

#netscaler, #powershell

Hiding and publishing applications using XenDesktop 7.7 and Powershell

So when creating a delivery group in Studio we have limited capabilities to control who gets access to a certain delivery group or application. NOTE: This is not using Smart Access on the Netscaler, this is purely a Citrix Studio feature.

We have for instance filtering on users


And after we have created the delivery group we also have the option to define access rules, and by default there are two rules that are created per delivery group.


One rule allows access using Access Gateway and one is for direct connections using Storefront. So what if we need more customization options? Enter PowerShell for Citrix…

First before doing anything we need to import the Citrix module in Powershell,

asnp citrix.*

Then we use the command Get-BrokerAccessPolicyRule. By default there are two rules for each delivery group, one called NAME_AG and one called NAME_Direct. The AG one is used for access via Netscaler Gateway, the other for direct connections to Storefront.

From this OS_AG policy we can see that it is enabled, that AllowedConnections is configured to be via Netscaler Gateway, and that it is filtered on Domain Users.


We can see from the other policy, OS_Direct, that it is set to enabled and that it is for connections NotViaAG.


So how do we hide the delivery group for external users? The simplest way is to disable the access policy rule for AG connections.

Set-BrokerAccessPolicyRule -name OS_AG -Enabled $false

Via Netscaler


Via Storefront


Or what if we want to exclude it for certain Active Directory User Group? For instance if there are some that are members of many active directory groups but are not allowed access to external sessions.

Set-BrokerAccessPolicyRule -Name OS_AG -ExcludedUserFilterEnabled $True -ExcludedUsers "TEST\Domain Admins"

This will disable external access to the delivery group for all members of Domain Admins, even if they are allowed access by another group membership.

#citrix, #powershell, #xendesktop

Getting Started With Nutanix and PowerShell

Now that I have my hands on some Nutanix hardware it was about time to play a little bit with the features that are available on the platform. All of the stuff we do in PRISM is linked to the REST API, and Nutanix also has PowerShell cmdlets which leverage the REST API.

Downloading the Nutanix cmdlets can be done from within PRISM

In order to connect to a cluster use the following command line

NOTE: for security reasons we should store our passwords as a secure string, by declaring these as variables before starting PowerShell.

$user = "your prism user"

$password = read-host "Please enter the prism user password:" -AsSecureString

# -acceptinvalidcert only if you are using the self-signed certificate
connect-ntnxcluster -server ip -username $user -password $password -acceptinvalidcert

After we have connected we can use other commands such as



Using the command get-command -module NutanixCmdletsPSSNapin will list all cmdlets available in the snapin. Most of the cmdlets have the same input requirements as the REST API.

But not all cmdlets are properly documented, so during the course of the week I found out that there was one line of code that was crucial.

Get-ntnxalert | resolve-ntnxalert


And also, for instance, if someone has read my blogpost on setting up Nutanix monitoring using Operations Manager, we can also use PowerShell to set up the SNMP config using these simple commands:

add-ntnxsnmptransport -protocol "udp" -port "161" | add-ntnxsnmpuser -username username -authtype SHA -authkey password -privtype AES -privkey password

BTW: Here is a reference poster for all PowerShell cmdlets for Nutanix

#nutanix, #powershell

Getting started with PowerShell management with Arista

In 2012 Microsoft introduced Open Management Infrastructure (OMI), which allows for standards-based management across different platforms. As of now Microsoft is working with Cisco and Arista to port OMI to their network switches. And with the latest version of PowerShell DSC we can also use DSC against OMI servers running on these switches, stay tuned for more about that.

But this is a blogpost on how to get started with PowerShell management with Arista. We can download a trial from Arista’s website to run in a virtual environment.

After setup we need to configure a management IP and define the port parameters for the CIM session and deploy an ACL, then save the configuration.

interface management 1
ip address


management cim-provider
no shutdown
http 5985
https 5986


aaa root secret Password1

ip access-list OMI
10 permit tcp any eq 5985 5986


ip access-group OMI in

copy running-config startup-config

Now that the appliance is available we need to connect to it using a new-cimsession

# Since the computer does not trust the certificate we need to skipCAchecks
$nossl = New-CimSessionOption -SkipCACheck -SkipCNCheck -UseSsl

# Switch credentials
$password = ConvertTo-SecureString "Password1" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential( "root", $password )

# Create a session to the switch
$switch = ""
$session = New-CimSession -CN $switch -port 5986 -Auth Basic `
        -Credential $credentials -SessionOption $nossl
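
For comparison with the session above, which skips the CA and CN checks and embeds the password, here is an added example (not from the original post) that pins the switch certificate and prompts for credentials. The function name is hypothetical, the host name, certificate path and thumbprint are placeholders, and the certificate is assumed to have been copied from the switch out of band.

```powershell
# Added example, not from the original post. Host name, certificate path and
# thumbprint are placeholders supplied by the operator.
function New-SwitchCimSessionExample {
    param(
        [Parameter(Mandatory)][string]$ComputerName,        # must match the certificate subject
        [Parameter(Mandatory)][string]$CertificatePath,     # exported switch certificate (.cer)
        [Parameter(Mandatory)][string]$ExpectedThumbprint,  # read from the switch console
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Check that the file really is the certificate we expect before trusting it.
    $file   = (Resolve-Path $CertificatePath).Path
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $wanted) {
        throw "Thumbprint mismatch for $file, refusing to trust it."
    }

    # Trust only this certificate (requires an elevated prompt).
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # -UseSsl without -SkipCACheck / -SkipCNCheck: chain and name are validated.
    $ssl = New-CimSessionOption -UseSsl
    New-CimSession -ComputerName $ComputerName -Port 5986 -Authentication Basic `
        -Credential $Credential -SessionOption $ssl
}

# Usage (values are placeholders):
# $session = New-SwitchCimSessionExample -ComputerName 'switch01.example.test' `
#     -CertificatePath .\switch01.cer -ExpectedThumbprint '<thumbprint from console>' `
#     -Credential (Get-Credential root)
```

If the name or chain check fails, New-CimSession returns an error instead of silently connecting, which is the behaviour the skip options remove.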

Now with WMF 5.0 we can use the included NetworkSwitchManager module to do management against the switches natively without knowing the different CIM classes.

For instance, we can use get-networkswitchfeature or ethernetport.


For instance we can define trunk ports and VLAN access


And as we can see from the running configuration that the parameters are set


Still there is a lot missing from the NetworkSwitch module, hence we need to use the built-in CIM classes to do much of the management, stay tuned for more.

#arista, #powershell

Howto create a custom RemoteApp image in Microsoft Azure

Finally it's here! The ability to create custom RemoteApp images in Microsoft Azure. Before this we had a long process of creating a custom VM locally, sysprepping it and running a PowerShell command to upload the VHD file containing all our LOB to Azure. Those days are over!

Instead we can use this method to create RemoteApp images. Set up a new virtual machine in Azure, choose from Gallery and there choose the “Windows Server Remote Desktop Session Host” VM; this is the one that we use to create our image.


Then we provision the VM (note this is automatically set up as an A3 because of the instance size on RemoteApp). Next we can install the applications that we need.

Next we run the ValidateRemoteApp image PowerShell script on the desktop (this will go through all the prerequisites to set up the image).


Then do a sysprep and generalize

Run Sysprep

Then do a capture of the virtual machine so it is stored in the virtual machine library


Then we go into RemoteApp, templates and choose Import an image from your virtual machine library.



And we are good to go!

#azure, #powershell, #remoteapp

Automating Citrix Netscaler and PowerShell

This is something I have been wanting to do for some time now, and now that I am doing a lot of research for my upcoming book, this subject popped up in my head…. How can we automate setup on a Citrix Netscaler?

Citrix Netscaler has a NITRO protocol which is in essence a REST interface, which means that we have an API to communicate with on the Netscaler. We can also make custom applications using C# and Java, since the NITRO SDK comes with common libraries for both.

You can download the Netscaler SDK for each build in
Link to the latest SDK –>

Extract the Csharp tar file and browse into the lib folder. Here we have to import the two library files.

$path1 = Resolve-Path Newtonsoft.Json.dll
$path = Resolve-Path nitro.dll

After we have imported the library files we can start a connection to Netscaler. First off, we can either code the variables NSIP, username and password here beforehand, or we can use the read-host command. In this example the NSIP of the Netscaler is set to and the username and password are the default nsroot. As you can see, security is my top priority.

$nsip = ""
$user = "nsroot"
$pass = "nsroot"

$nitrosession = new-object com.citrix.netscaler.nitro.service.nitro_service($nsip,"http")
$session = $nitrosession.login($user,$pass)

This COM object is the one that contains the common services against the Netscaler for instance

  • Login / Logout
  • Save Config
  • Restart
  • Enable / Disable features

If we wanted to do a restart, for instance, we would need to use the same object. Here are some examples to save the config and restart.

$session = $nitrosession.save_config()

$session = $nitrosession.reboot($true)

Since the COM object is already loaded we can just run the commands directly. These are just a few (refer to the SDK documentation for info about all the classes).
So what are some of the basic configurations that we need to do on a Netscaler? First off, we need to change the default hostname, for instance.

$hostname = New-Object com.citrix.netscaler.nitro.resource.config.ns.nshostname
$hostname.hostname = "NSpowershell";

Next we should also add a DNS server to the Netscaler so it can do hostname lookups.

$dns = New-object com.citrix.netscaler.nitro.resource.config.dns.dnsnameserver
$dns.ip = "";
$ret_value=[com.citrix.netscaler.nitro.resource.config.dns.dnsnameserver]::add($nitrosession,$dns)

And then if we want it to do load balancing we first need to add a server or two which we want it to load balance.

$server1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.server
$server1.name = "Powershell";
$server1.ipaddress = "";

Next we need to bind that server to a service.

$service1 = New-Object com.citrix.netscaler.nitro.resource.config.basic.service
$service1.name = "IIS";
$service1.servicetype = "HTTP";
$service1.monitor_name_svc = "http";

And lastly create a load balanced vServer and do a service to vServer binding.

$lbvserver1 = New-Object

$lb_to_service = New-object
$lb_to_service.name = "lbvip_sample";
$lb_to_service.servicename = "IIS";

And of course lastly remember to save the config of the Netscaler

So there you have it, some example Netscaler/PowerShell commands! I am just getting started here myself, so I will return when I have some more useful commands, and I'm going to make a custom setup script as well.

#citrix, #netscaler, #powershell

Excalibur and Orchestrator Magic

When Citrix released Excalibur they also included a whole bunch of Powershell which allows you to run Powershell cmdlets to alter anything.
If you are inside the Studio console you can see that there is a PowerShell window there, which shows all of the cmdlets that you have run.

And how does this help? With the combination of Orchestrator, we can add automation to the equation.
What if we could automate the assignment of applications to users via Orchestrator? We could also add an approval workflow if we used it with Service Manager.
If a new user wants a set of 20 new desktops for his or her company, we could create a new workflow which would run a PowerShell script against MCS and do this automatically.
However, I’m not going to get ahead of myself here; this is a starter post to show what we can do with the provided PowerShell modules.

First I’m going to show how to import the modules that Citrix provides in this release.
Head over to the Studio server and open Powershell ISE
From there you can run these import commands.

There are more modules but these cover most of the administrative tasks.
If you refresh the ISE modules list now, the Citrix components will show up.

If we created a simple "Publish Application" task, we can use New-BrokerApplication to publish Notepad.

New-brokerApplication -CommandLineExecutable C:\windows\notepad -displayname notepad -Applicationtype HostedonDesktop

NOTE: A bit of advice if you are unsure of how the cmd should look like, create an application with the wizard and extract the info after using the get-brokerapplication cmdlet.
Now we have a functional PowerShell cmd to publish Notepad to the studio.

So we know now that we have to import the modules first, then we can run the command to publish Notepad, but how do we do this via Orchestrator?
First run set-executionpolicy unrestricted on the Studio server.

And your script should be saved.

Now the simplest way is to use the Run Command activity in Orchestrator

I saved the script file locally on the Studio server, and the script looks like the output from the PowerShell ISE above.
So when I run this runbook, what happens?

This just publishes the application in Desktop Studio; it still isn’t assigned to a user, which requires a bit more PowerShell. I'll come back to that later, this is just to show the abilities you have with Excalibur and PowerShell.

#citrix, #excalibur, #orchestrator, #powershell, #system-center