XenDesktop 7.5 and Windows Azure Pack Gallery Image

Yesterday Citrix announced a Tech Preview of a XenDesktop 7.5 Gallery image for Azure Pack.
For those not familiar with Azure Pack, this is a portal which builds upon System Center (and some other tools) to deliver an Azure-like portal where you can set up some of the features that Azure offers. I’ve blogged about it before, if you want to know more about it, here –> https://msandbu.wordpress.com/2013/06/28/azure-pack-configuration-for-windows-server-2012-r2/

A Gallery Image comes into play when an end user wants to provision a new service: he can either choose custom create or choose a finished image from the gallery.
(A copy from the Azure Gallery)

Now imagine giving customers the ability to provision XenDesktop resources as they need them, or just giving the IT guys a streamlined process for doing it. This is where the XenDesktop gallery image comes in.

Now what do we need to set up this image?

* Windows Azure Pack
* Server 2012 R2 image sysprepped
* XenDesktop 7.5 Media
* The XenDesktop Gallery Image

Then we need to make a lot of changes. First we need to create a new VHD which will contain the setup files: go into Disk Management and create a new VHD (which needs to be 4GB) called XenDesktop.vhd


After you have created the VHD, mount it using Explorer and copy the content from the 7.5 ISO to the VHD file.
When you are done with this, go into the Virtual Machine Manager console, then into the library node, and click import physical resources.


Then choose “add resources”, select the XenDesktop.vhd, then select which library server and destination to store the VHD file in. After it is finished importing, right-click on it and choose Properties. Then set Family to CitrixXenDesktopMedia, and then set the release to and lastly set the operating system type to “none”


Then click OK. After we are done with this we need to modify our operating system disk image. (Does this need to be VHD? YES! Azure Pack does not support VHDX, and it needs to be fixed.)

Right-click on the sysprepped VHDX file and choose Properties. From there, alter the Family to the type of operating system it is running, in my case it’s
”Windows Server 2012 R2 Datacenter”

and set the release to and then of course change the Operating System to Windows Server 2012 R2 Datacenter as well.


Click OK after you are done. Next we need to “tag” the virtual disks so that the gallery item can find the VHDs.

Open up the Virtual Machine Manager PowerShell console and run the following commands:

# Make sure that the name matches the name of your VHD file
$myVhd = Get-SCVirtualHardDisk | where {$_.Name -match 'sysprepped'}

# Append the tag to the tags already on the disk
$tags = $myVhd.Tag
$tags += "WindowsServer2012"
Set-SCVirtualHardDisk -VirtualHardDisk $myVhd -Tag $tags

# This prints the tags so you can see that the tag is applied
$myVhd.Tag


Now we need to import the Gallery image extension to the library share. This can be done either by using the GUI or with PowerShell.


$libraryShare = Get-SCLibraryShare | Where-Object {$_.Name -eq 'MSSCVMMLibrary'}
# Change this path to where the resextpkg is located
$resextpkg = "C:\Users\administrator.CONTOSO\Downloads\XenDesktopRole.resextpkg"
Import-CloudResourceExtension -ResourceExtensionPath $resextpkg -SharePath $libraryShare


Next we need to enter the Azure Pack admin site. Go into VM Clouds and Gallery and choose Import.


From here add the XenDesktopRole.resdefpkg, and verify that it actually imports.


Next we need to make this item public and add it to some different plans.

Go into the item and choose Make Public, then assign it to some plans. If you don’t have any plans, you need to create some from the plans menu pane within the Admin site.

So what now? Open the Azure Pack site as a tenant which is enabled for the plan, choose from Gallery, and see for yourself.



Then click next. (From here the OS “sysprepped” image should appear, and you need to have a virtual network in place before you can continue.)


Next we can define which role this VM should have. We can set up a XenDesktop Controller, but we still need to create the site after VM creation. We can also deploy StoreFront, License Server, Session Host and Desktop Director.


Pretty cool!

Citrix Connector for System Center Configuration manager 7.5 walkthrough

Earlier today, Citrix released their updated System Center Configuration Manager connector for XenDesktop 7.5. It can be downloaded from here –> http://www.citrix.com/downloads/xendesktop/product-software/xendesktop-and-xenapp-75-connector-for-sccm.html Note that it requires a mycitrix account in order to download it.

So what does it do? Well, a couple of things. Mostly it’s about pushing software out to regular clients and servers, including XenApp/XenDesktop servers, where the clients might get the XD/XA version of an application. You can also use it to publish applications directly to XD/XA from Configuration Manager, which makes it easy to maintain a consistent software library.

Now there are a couple of components here that are needed.

* Citrix Connector Service (This does the syncing, publishing and orchestration jobs between Configuration Manager site and the XA/XD site)

* Citrix DT handler (This component is needed on VDA servers/clients and on the managed clients which you want to use the integration with) NOTE: There are different DT handlers for clients and VDA agents


So in my case I installed the Citrix Connector Service on my site server since it is a demo environment. Now the installation is pretty straightforward.


Install both the service and the console extension


Enter a service account for the connector service


New in this release is the ability to define maintenance windows, in case you want automated deployment to VDA agents.


Now after the installation is finished there are a few things which should be done first.

Make sure that the Configuration Manager client is installed on the VDA agents you want to use with this deployment. Now you should create an application for the DT handler and deploy it out to all VDA agents.

  • Use the following installation parameters: msiexec /i "CitrixDTHandler_x64.msi" /q
  • Also, all applications you want to publish should be pre-created and added to Configuration Manager.

Now in my case, I have installed the DT handler on 1 VDA server, and have created 7-zip as an application in Configuration Manager. When we open the Configuration Manager Console we have some new options. First off, under Assets and Compliance we have the machine catalogs listed.


First off, we need to deploy 7-zip to the machine catalog and VDA agents. After that, Configuration Manager has gotten the info that the application has been installed.


We can go ahead and do a publication action. Go into Software Library and into Citrix Application Publications and choose Create Publication.


Then we run through the wizard


Now the connector has gotten a nifty new feature which checks if all the prerequisites are in place.


So after we have completed the wizard and the synchronization is complete, the application will appear in XenDesktop Studio.


So now we have successfully installed 7-zip on a VDA agent and successfully published it from Configuration Manager. This means that the application is available as a resource if the user starts up Citrix Receiver or logs into StoreFront.

Now onto the next option: what if we want users to get applications from Software Center or the Application Catalog (but they can start a Citrix session if we want them to)? This is part of the DT handler on the managed clients.

Now let’s deploy 7-zip from Configuration Manager to some managed clients. First off, we need to create a new deployment type which references the newly published application. In the deployment type, choose XenApp.


Under publishing you need to choose the existing Citrix deployment that was published earlier.


NOTE: Citrix DT handler needs to be installed on the clients.

Now go through the wizard, and after you are done with the wizard you need to give the XenApp deployment type a lower priority than the other option.

Now after you have created the deployment type and you want to deploy the application, you need to choose the clients or the users which are defined in the delivery groups.


Now if you head over to the application portal on a managed client with a valid user, the application will appear.


Now if you click this application, the Configuration Manager agent and the DT components will interact and publish the application in the Receiver. If you have a valid single sign-on deployment working in your XenDesktop environment, you can see that 7-zip is published on the managed client’s desktop.


This is a quick walkthrough, but it gives you an overview of what you can use this connector for. You can also integrate it with MCS and PVS, and we can integrate App-V applications as well. It is also important to remember that with XenDesktop 7.5 you can integrate with Configuration Manager for Wake on LAN functionality.

SCVMM and XenApp 6.5 + PVS = Trouble!

I have been involved in a case for a long time now where a partner wanted to use SCVMM with XenApp 6.5 and PVS 7.1 for a customer, and it has not been quite as successful.

Now I wanted to share some notes on PVS and Hyper-V and what the limitations are there at the moment.

  • First off, it is important to note that PVS 7.1 is the only version of Provisioning Services that supports SCVMM 2012 R2, as the support matrix lists.


  • Using PVS with Hyper-V is now functional with PVS 7.1. This requires Legacy adapters in Hyper-V, since Legacy adapters are the only NICs in Hyper-V that support PXE boot.


  • Citrix has implemented a failover mechanism between Legacy and Synthetic adapters, which means that the streaming traffic can start from the Legacy adapter and then switch to the Synthetic one.


  • Hyper-V 2012 R2 does support PXE with Synthetic devices on Generation 2 Virtual Machines, but THIS IS NOT SUPPORTED BY CITRIX YET.
  • If we for instance are using a VM with two Legacy adapters, Hyper-V will always boot from the last Legacy NIC added to the virtual machine. If we are using the “Stream VM wizard” in PXE, it will add the first NIC in the virtual machine, meaning that we get the wrong MAC address in the PVS database.
    • Hyper-V creates a new NIC GUID when creating a machine from a template, unlike VMware or XenServer, which do not.
    • The Stream VM wizard in PVS creates virtual machines from templates, which means that the NICs on the PVS virtual machines get reinitialized when booting, and therefore services stop responding since it delays the network start.
    • The only solution to this is to clone machines and then add them manually to PVS, as in this CTX article –> http://support.citrix.com/article/CTX128750
    • The XenDesktop setup wizard in PVS DOES NOT create virtual machines from a template, but clones the virtual machine using a set of PowerShell cmdlets.

Hopefully 7.5 has support for Generation 2 Virtual Machines!

XenApp 7.5 the return of XenApp

So after the public announcement Citrix made earlier today, it was clear that they are going to bring XenApp back to life, more or less. You can see more about the product here –>

Not quite, even though it is called XenApp it is still running the XenDesktop FMA architecture beneath. The reason why they are bringing the XenApp name back? Because of the brand: many people are very familiar with the name and the concept it brings, while many think of XenDesktop as a VDI solution.

It will again be available in the same editions as before: Advanced, Enterprise and Platinum. This means the end of XenDesktop App edition (since this is actually the XenApp functionality). Customers that have XenDesktop App edition have the same functionality as XenApp Enterprise 7.5.

So what does XenApp 7.5 bring to the playing field?

Hybrid Cloud provisioning – To AWS and CloudPlatform (no Azure here! It will come later). This gives the ability to provision XenApp servers directly into the cloud provider.

And for existing XenApp 6.5 customers you have more mobile HDX functionality to provide better application delivery to mobile devices.

So for those that were hoping for a full return of XenApp: well, it is just the marketing group doing a name change on the existing product line to use its branding to its full potential :)

So the 7.5 product line is rumored to be released in the summer. It is going to be interesting to see what Project Merlin will bring besides the hybrid cloud provisioning :)


Also you can see what else is available here, it will be released in March



XenDesktop 7.1 TechPreview Service Template

Yesterday Citrix released a tech preview of their Service Template for XenDesktop 7.1 for System Center Virtual Machine Manager.
This template allows for rapid and easy deployment of an entire XenDesktop 7 infrastructure, including setup of Director, License Server, Desktop Delivery Controller and StoreFront.

It does not by default include Netscaler as part of the template, but that is something we can add to the “mix” later.
The tech preview of the template can be downloaded from mycitrix here –> https://www.citrix.com/downloads/xendesktop/betas-and-tech-previews/system-center-service-template-tech-preview.html (this requires a valid mycitrix account). It has a template for XenDesktop and one for PVS.

I’ll continue on with the XenDesktop template and show how it is deployed.
The template contains a bunch of PowerShell scripts, the XenDesktop 7.1 ISO file and the template file itself. In order to fully set up the template, it needs the VMM ISO file and a generalized 2012 VHD file.

After we have downloaded the template file open VMM –>
Then go into Library and Import Template –>


Then point to the extracted XenDesktop folder.
Then choose next. Now we need to point the template to the different ISO files and the generalized 2012 template.


After that is done and the mappings are correct, we can continue on with the import.


This will take some time since it needs to import XenDesktop to the library. When we now go into Service Templates we can see XenDesktop listed as an option there. If we right-click and choose “Open Designer” we can see what the layout will look like.


Now if we wanted to, we could use the Netscaler integration as well to deploy multiple DCC and StoreFront servers and automatically set up load balancing of these services as part of the deployment. Let’s see how that can be done using the Service Template. (Note that this integration is still not supported in 2012 R2) (UPDATED: IT WORKS), but for the purpose of demonstrating how it CAN be done I’ll show it anyway. So after we have installed the add-on and created a VIP template for DCC and one for StoreFront, we can open the designer again.

Next we can connect the VIP profiles to the different components: one DCC VIP template for DCC and one for StoreFront, which have different load balancing mechanisms set up.


Now if I were to configure a deployment of this, I can configure the number of each server I want in order to ensure scalability and redundancy.
When I start the deploy wizard I am asked to define what my management network is.


Here I can define what the backend of the Netscaler is and what the VIP address of the load balancing solution is going to be.


But since the integration between Netscaler and VMM is not functioning in R2, I’ll need to get back to that in a later post (UPDATE: IT WORKS). But if I go into one of the servers I can see the application scripts that are run in order to set up a functional site.


If I for instance have ComTrade installed on Operations Manager in order to monitor my Citrix environment, I can add this as an Application Configuration in the last step to have a complete XenDesktop 7 setup with a load balanced Netscaler solution and complete monitoring using Operations Manager.

This is the power of Citrix and Microsoft!

News from Citrix and Microsoft

Wow, this has been a huge day for both Microsoft and Citrix.
First off, Microsoft publicly announced today that they are making RemoteFX clients for all mobile platforms (maybe part of the Mohoro DaaS?). This means that Microsoft VDI with storage dedup might make Microsoft a better alternative and regain some lost ground there, because broad platform support has been one of Citrix’s best features. So about time Microsoft came aboard as well!

Anyhow… Citrix also made an announcement today that they will release XenDesktop 7.1 on the 23rd of October. This release will support all of the new platforms that Microsoft will release on the 18th, great news! That means VDA on Windows 8.1 and Windows Server 2012 R2, and that XenDesktop can leverage all of the SMB features and SCVMM 2012 R2 with MCS.

(Still eager to see the PVS features here)

So that means you can upgrade your infrastructure first and then Citrix later :)
Hopefully this means that we can use XenDesktop 7.1 against new gen VMs, and hopefully 7.1 also includes provisioning against Azure; it might be….

Setup Netscaler for XenDesktop 7 and AppController 2.8

This is going to be a long one :)
I always wanted to document this myself but never had the time, so I figured why not knock two birds with one stone and blog it as well, since many are probably wondering about the same thing.

This is a typical deployment for many, right? You have your internal XA/XD servers, which are tied to a StoreFront web server, and for remote access you have Netscaler Gateway/AG.

And depending on the setup you might have a Netscaler in the DMZ behind a NAT firewall, or directly connected to the internet from the DMZ, or you might have a double-hop network where you have multiple DMZ zones and firewalls.

So how do we tie them together?
First I suggest you read my previous post regarding XenDesktop 7 with StoreFront and AppController deployment.

Let’s head over to our Netscaler deployment. We can start by checking our network connection.

We have different types of IP addresses within the NS: VIP (Virtual IP), which is typically tied to a load balanced service; SNIP (Subnet IP), which is used to initiate connections to the back-end servers (XenDesktop servers, StoreFront etc.); and NSIP (Netscaler IP), which is used for management.

So for a user the connection will look like this.

User –> VIP –> SNIP –> XenDesktop (Servers)

A typical deployment is that you have a Netscaler with two interfaces, one into the DMZ and one into the backend servers. (In my case I have all interfaces connected to the same subnet.)

Next we can add authentication.
Go into Netscaler Gateway –> Policies –> Authentication –> LDAP –> Add


For named expression I choose General and True and choose Add.
(What does this do? It specifies that IF the traffic is going through the NS appliance, then this policy should be applied.)

Then give it a name, choose new server and enter the information for the AD server. After you have entered the info, press “Retrieve Attributes”.
Remember that this command uses the IP address of the server you are using the browser on.

If you are having trouble with authentication, open a console on the Netscaler appliance, type shell, then cd /tmp, then run the command cat aaad.debug
This will display real-time information about the authentication attempts.

After that is done, add a DNS server.


Now let’s add a certificate. For this purpose I have an Enterprise Root CA on Windows Server 2012, which I used to create a web server certificate containing the host name of the access gateway (nsgw.msandbu.local in my case), and I chose to export it as a PFX file including the private key (you will need the private key!!). In production you should use a third-party CA to issue a certificate to you.

You can upload the PFX file under Traffic Management –> SSL –> Manage Certificates.


After this is done, open the Netscaler console and extract the certificate and the key from the PFX.
This can be done by running openssl from the Netscaler console:

openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem    # Extract the private key
openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem    # Extract the certificate

After that is done you can install the certificate
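
Checks worth running on the two extracted PEM files before the pair is installed, as an added example that is not part of the original post: the key and certificate belong together, the certificate covers the gateway host name and is not about to expire, and the key file is readable by its owner only. The function names, pass phrases and the throwaway self-signed PFX are constructed for illustration; the file names and host name follow the post.

```shell
#!/usr/bin/env bash
# Added example: checks on the PEM pair extracted from a PFX, run before install.
# Pass phrases and the sample PFX are constructed; file names follow the post.

# 0 when the private key and the certificate carry the same public key.
key_matches_cert() {    # key_matches_cert KEY.pem CERT.pem KEY_PASSPHRASE
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 when the certificate (SAN, or CN when no SAN is present) covers HOSTNAME.
cert_covers_host() {    # cert_covers_host CERT.pem HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# 0 when the certificate is still valid DAYS days from now.
cert_valid_for_days() {    # cert_valid_for_days CERT.pem DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 when the key file grants nothing to group or others (for example mode 600).
key_is_private() {    # key_is_private KEY.pem
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build a throwaway self-signed certificate and PFX in DIR, then extract it
# with the same two pkcs12 commands as the post, plus non-interactive pass
# phrases. Everything created here is constructed test material.
make_sample() {    # make_sample DIR
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=nsgw.msandbu.local" \
        -addext "subjectAltName=DNS:nsgw.msandbu.local" \
        -keyout "$d/src.key" -out "$d/src.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$d/src.key" -in "$d/src.crt" \
        -out "$d/publicAndprivate.pfx" -passout pass:pfx-demo 2>/dev/null || return 1
    openssl pkcs12 -in "$d/publicAndprivate.pfx" -nocerts -out "$d/privateKey.pem" \
        -passin pass:pfx-demo -passout pass:key-demo 2>/dev/null || return 1
    openssl pkcs12 -in "$d/publicAndprivate.pfx" -clcerts -nokeys \
        -out "$d/publicCert.pem" -passin pass:pfx-demo 2>/dev/null || return 1
    chmod 600 "$d/privateKey.pem"
}

demo=$(mktemp -d)
if make_sample "$demo"; then
    k="$demo/privateKey.pem"; c="$demo/publicCert.pem"
    key_matches_cert "$k" "$c" key-demo      && echo "OK: key matches certificate"
    cert_covers_host "$c" nsgw.msandbu.local && echo "OK: host name is covered"
    cert_valid_for_days "$c" 7               && echo "OK: valid for 7 more days"
    key_is_private "$k"                      && echo "OK: key file is owner-only"
fi
rm -rf "$demo"
```

Once the pair is installed, remove the PFX and the extracted key from the working directory, since both contain the private key.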

Next we create a virtual server under Netscaler Gateway and associate it with an IP address.
Since we just want ICA proxy and no VPN (Smart Access solution), we can choose Basic Mode.
Under Protocol choose SSL. (After this is done the service will go down unless you have a valid certificate installed.)


Go into the Authentication tab (mark Enable Authentication)
and under Primary Authentication Policies choose insert policy. (By default the one we created earlier will appear.)

Now if you wish to have two-factor authentication, you can add another Primary authentication policy.


After this is done, head over to policies. We need to add a Session Policy; here as well we use ns_true as the expression. Give it a name and press create New Request Profile.


Here we enter the information about the backend StoreFront servers. (NOTE: I already have one stored there because I created this earlier :) )

Now there are a couple of options here we need to define.
First under Published Applications.
1: We have to define ICA proxy; this will tunnel ICA traffic via port 443 back to the user.
2: Web Interface address; this has to be the StoreFront web address.
3: Single sign-on domain should be your local AD domain. (Don’t enter anything here in case you have multiple domains.)

Next is under Client Experience –>
Define Single Sign-On to web applications using Primary Credentials; this allows the Netscaler Gateway to authenticate to the StoreFront site.


We have to define that the NS should use SSO to the StoreFront web address using the primary authentication mechanism, which is AD in my case.

Last but not least, Security, so we can allow users to actually enter.


You should also enable a TCP profile for this virtual server, set to nstcp_default_xa_xd_profile. (This profile works best for internal usage and high-bandwidth networks.)


Then we also have to add the STA (of the XD controllers in my case). Go back to Published Applications.

Click Add and enter the URL of the XD controller. After you save and refresh the page it will show up like mine did now.


Remember to save the config! :)
After that is done we have to head over to StoreFront.

Now there are a couple of things we need to fix there. First we need to add an authentication option for Netscaler.


This will allow StoreFront to authenticate users coming from Netscaler. (To pass the credentials forward.)

Next we have to go to Stores –> Enable Remote Access –> Choose Add Netscaler appliance –>


Here enter the info regarding your Netscaler.
The SNIP here is the one that you entered earlier on the Netscaler; StoreFront uses this to validate that any incoming connections come from a trusted host.
The CallBack URL is the internal IP address of the Netscaler.


Then you set it up as a No VPN Tunnel and choose the Gateway appliance to use.
You have to add the STAs here as well.


And last but not least, Beacons.
Beacons are used to identify whether the end user comes from an internal or external connection.
For instance, you can put an external beacon on a publicly accessible website and an internal one on a website that is ONLY available to internal users.

This is what decides whether the ICA file the end user receives is going to use ICA proxy or a plain ICA connection straight to the server.


In this case, since it’s a demo environment, all are on the same network. But I could remove the nsgw as an external beacon and just have www.citrix.com and another external site.

Now since the AppController is connected to the StoreFront service, we don’t need to do anything else in order to view apps deployed from AppController.

NOTE: There are a couple of things to do if you are going to deploy, for instance, WorX apps from AppController and use the mVPN solution for iOS and Android.

You will need to enable a couple of things here.
* Split-tunneling
* Clientless Access URL Encoding = Clear


You also need to enable Secure Browsing

After this is done, we can open up our virtual IP URL.
In my case it is https://nsgw.msandbu.local

I log in with my username and password and start a desktop connection (for the purpose of this demonstration I have also added a weblink from AppController that points to yammer.com).



If you open Resource Monitor you can see that traffic is tunneled over port 443.

And if we open Resource Monitor on the desktop I just launched, I can see that the server speaks via the session reliability port to the SNIP IP (which is 60.114).