Java Runtimes JRE7 – Your Java version is insecure popup

This one has been a pain in the ass to figure out... Since Java 7 (1.7_xx), security and settings management has been a total nightmare. It is so messy that you can't find reliable information on the Oracle website... The worst thing is that the whole mechanism seems to change between versions: from 1.7_01 to _11 things are done one way, and in later versions they are done another way...

Here is the ugly popup I want to eliminate from the user interface on the XenApp Desktop. To do so, I had to check every change within files and the registry, to finally find out that everything was located in the registry for this version of Java, JRE7 1.7_13...

So I wanted to create a GPP to target users connected to the XenApp servers; here is my XML file created from a registry export:

Next, I wanted to filter this GPP with a WMI filter. This WMI query looks for the location of the JRE7 folder on the system and, if found, applies the policy.

And this works! I didn't need to do anything with deployment.properties and deployment.config as described everywhere on the Oracle website... (That website is a real pain in the ass when you are looking for good documentation...) I hope it will help, and I hope Oracle will stop changing the way we have to manage Java configuration....

Symantec Endpoint Protection 12.1 RU1 and AppV 4.6

Another moment of pure fun with Symantec Endpoint Protection... I liked version 11 so much, and I was missing mysterious Symantec issues so much, that I decided to update the anti-virus software to 12 on all my customer's XenDesktop virtual machines... The version we chose to deploy was Symantec Endpoint Protection 12.1 RU1 (the version given by the security administration team). The update went fine: no BSOD, no weirdness, and that was weird actually. I was prepared and ready for so much trouble, and nothing happened! The vDisk was updated and the only change this time was SEP, so I pushed the next vDisk into production.

A few hours later and the next day, users were complaining about App-V application launch issues. That was a known issue, because the App-V infrastructure is a bit old (v4.5 on the server side) and begins to show some weirdness after the weekly reboot (services started but no stream... next blog post, I guess). So we checked everything around the App-V servers and the App-V client (4.6 SP2), and the only things we saw were errors in the event log, but nothing that really suggested App-V was the root of these issues. Some streamed applications were working, some others not.

After searching again and again, I just rolled back one vDisk to the earlier version to check whether everything was OK with it, and yes, everything was working fine with App-V applications. So I went to check the Symantec knowledge base and I found these two articles:

Application Error when launching an App-V virtualized application on a computer with SEP 12.1 client installed.
New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2

So you guessed it right, the update to Symantec Endpoint Protection 12.1 RU2 fixes the App-V 4.6 compatibility issues...

App-V virtualized applications cannot load with Proactive Threat Protection installed
Fix ID: 2689005
Symptom: App-V virtualized applications cannot load with Proactive Threat Protection installed.
Solution: Changed Application Control and User Mode Hooking to allow NTDLL image validation.

So, one more time, thank you Symantec for wasting our time and making our life much more complicated!

XenDesktop 5.6 – The WinRM service is unable to start.

During a XenDesktop 4 to 5.6 migration I had to deploy WinRM on Windows XP SP3 virtual machines. I had a Desktop Group of 60 machines for developers, with IIS installed on them. The WinRM installation went fine but the configuration wasn't possible; I always got an error when the service was trying to start:

The WinRM service is unable to start because of a failure during initialization. Additional Data The error code is 1300.

After trying to understand what was wrong, I found that in Local Security Settings / Local Policies / User Rights Assignment / Generate security audits, only LOCAL SERVICE was authorized, so I just tried adding the NETWORK SERVICE account as well. Then, at last, the WinRM service was able to start normally. Now everything is working like a charm with Desktop Director.
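The check behind the fix above, as an added example that is not part of the original post: it reads a secedit user-rights export and reports which of LOCAL SERVICE and NETWORK SERVICE is missing from "Generate security audits" (the SeAuditPrivilege right). The function name, the temporary file name and the constructed sample lines are assumptions of this example, as is the expectation that secedit lists these two accounts by their well-known SIDs.

```powershell
# Added example, not the author's script.
# "Generate security audits" is stored as the SeAuditPrivilege user right.
# Well-known SIDs: S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE.
$required = @{ 'S-1-5-19' = 'LOCAL SERVICE'; 'S-1-5-20' = 'NETWORK SERVICE' }

function Get-MissingAuditAccounts {
    # Hypothetical helper: returns the required accounts that do NOT hold the right.
    param([string[]]$InfLines)

    # secedit writes the right as:  SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } |
        Select-Object -First 1

    $holders = @()
    if ($line) {
        # Everything right of '=' is a comma-separated list; SIDs carry a '*' prefix.
        $holders = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }

    # A missing line means nobody holds the right, so both accounts are reported.
    $required.Keys |
        Where-Object { $holders -notcontains $_ } |
        ForEach-Object { $required[$_] }
}

# Constructed sample: an export in the state the post describes,
# where only LOCAL SERVICE holds the right.
$sample = @(
    '[Privilege Rights]',
    'SeAuditPrivilege = *S-1-5-19'
)
Get-MissingAuditAccounts -InfLines $sample

# On a live machine (run as administrator): export the user-rights area
# of the local security policy and check it the same way.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-MissingAuditAccounts -InfLines (Get-Content $cfg)
```

An empty result means both accounts hold the right. If a domain GPO sets this user right, fix it in that GPO, otherwise the next policy refresh overwrites a local change.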

This is the personalized installation I do when I deploy vmtools on the VMs that will get the VDA installed. Don't forget to install vmtools before the Citrix Virtual Desktop Agent! It is always good to have this information shared, because I have had a lot of questions regarding VMware vmtools installation with Citrix XenDesktop VDAs.

Toolbox – Enable – Used for functions like time synchronization and clean shutdown of the guest.
Memory Control Driver – Enable – Driver for improved memory management in the virtual machine. This driver is available and recommended if you use VMware vSphere. Excluding this driver hinders the memory management capabilities of the virtual machine in a vSphere deployment.
Thin Print Driver – Disable – Handled by Citrix printing in the VDA.
Paravirtual SCSI – Disable – Used in high I/O operation with SAN and mostly applicable to server VMs, not VDAs. This driver is for PVSCSI adapters, which enhance the performance of some virtualized applications.
Mouse Driver – Enable – Needed, as it fixes glitches with the mouse.
File System Sync Driver – Disable – Driver for the synchronization of the file system within the virtual machine, for example in preparation for backups. Only used if you have dedicated VMs and use agents inside the VMs to back them up. In VDA environments the most common setting is profile management, in which data is moved to a share as opposed to being local on the VMs.
Shared Folders – Disable – Directory for data exchange between host system and guest system. Currently only works with VMware Workstation, and I have seen it cause a lot of synchronization issues.
SCSI Driver – Enable – Installs and improves the BusLogic SCSI driver. If you use LSI Logic this driver is not required.
SVGA Driver – Disable – We want to use the Citrix VGA adapter and not the VMware VGA. Use CTX 123952 (below) as a workaround if using Windows 7.
Audio Driver – Enable – Needed to play back sound. This sound driver is required for all 64-bit Windows guest operating systems and for 32-bit Windows Server 2003, Windows Server 2008, and Windows Vista guest operating systems if you use the virtual machine with VMware Server, Workstation, or Fusion.
VMXNet NIC Driver – Enable – Network card driver for the VMXNet VMware network card. Improves network performance of the virtual machine, especially in gigabit environments. Furthermore the CPU…

VDI Project – Not only a XenDesktop project (part.1)
VDI Project – The framework (part.2)
VDI Project – Hypervisor war (part.3)
VDI Project – Desktops and applications delivery (part.4)
VDI Project – User Environment Manager (part.5)

Beginning a new project is a new challenge every time: new team, new processes and new environment. Each customer has its own IT history and, depending on its size, different IT, politics and complexity. This time I'm a desktop architect and I've been hired mostly for my Citrix skills. The challenge is the size of this new project. I will certainly design some Citrix architectures (XenDesktop, XenApp, PVS, maybe Access Gateway or Netscaler) on a very large scale, but I'm also responsible for designing a complete workstation delivery service (automation / industrialization) and for addressing all kinds of endpoints, from the "classic" workstation to the well-known iPad. This is my largest XenDesktop 5 project; I will use XenDesktop to bring flexibility and mobility to users.

I will write some blog posts along the project because I think this will be a great experience to share, technical and non-technical. I can't wait to post some very technical stuff about IOPS with Citrix Provisioning Services, XenDesktop and Machine Creation Service in relation to storage. I will post on every major subject, e.g. The Software Framework, The Hypervisor War (these two posts are almost finished), etc. I also want to share the non-technical subjects, because this is how a project lives... Changing the way people work in a company can be very painful: first you need to bring the idea of a change into their everyday life, and then prove to them that they will have more time to work on more important projects. Then you show that they can save some money within 3 or 5 years.

I can tell you this is the big part of a project and the least fun (for me), but it is a mandatory part of every project: show the company board and managers how much they can save, and explain to the IT staff that they will be able to spend more time on larger-scale issues and projects and work more efficiently. This is a lot of work, first administrative / political, then technical (POC) and very technical (Global Architecture). And I always I will learn so many things, and I'm sure it will be a great…

One of my customers needs robust workstations in a factory where there is a lot of dust and vibration. This is a common environment for a factory, but it doesn't really suit a computer. My customer is spending a lot of money on the maintenance of these computers. Workers in the factory need to access the company's main ERP from those computers, and they access this software through a XenApp connection.

My project was to build a new Citrix architecture from the ground up (XenApp / PVS / EdgeSight / PCM / XenServer / Netscaler etc...), and early in this project I wanted to include endpoints as a full part of this architecture. If endpoints are failing (old plug-in versions, for example), the whole architecture won't mean anything, because users won't be able to use the full and latest functionality introduced in this project.

The factory workstations were a pain in the ass for everyone. For the IT department, technicians were always on the move, spending time trying to repair the computers and most of the time just replacing them. For the Finance department, it's very expensive to replace computers every month (the basic / normal life cycle renewal for a workstation is about 3 years), on top of the need for more technicians to change and repair these machines.

With the issues listed above, bringing thin clients into this project was obvious, and I really wanted to try the new Wyse product, Xenith. So I called my French contact Boris Espiand (Wyse France) to lend me this 'HDX ready' thin client. Less than one week later, I had it in my lab, ready for testing. As my personal lab is limited to my XenServer @ Home, I won't run any performance tests; I will focus more on features and on integration into the architecture I chose to design for my customer.

I tested access to a XenApp 6 published desktop (Hosted Shared) and to XenDesktop 4 with Windows 7 virtual machines and with Windows XP virtual machines (Hosted VDI). Of course HDX features have been tested: I plugged in all sorts of devices, webcam, Wacom devices, mice, USB hard drives, USB pen drives...

The references of the Xenith I received were:

Model No : C00X C00X, 128F/512R, XENITH, INTL
Part No : 902196-02L
Serial No : 2NN0J549524

Here is some information I got on-screen within the admin menu:

But first, here are my customer's needs…

These last days I had to find out what was wrong with an extranet published through XenApp. This extranet uses Java, and the issue users reported was random disconnections with a Java popup. Finding out what is wrong with an extranet application is very hard, because this is just a published browser with a URL pointing to a website in another company; everything works well until one day... My goal was to bring as much information and detail as possible to the extranet's support team, and I needed to use the Java console and grab the most verbose log possible.

First you need to publish the Java Control Panel. You can do it easily by creating a new published application that uses the executable file called javacpl.exe in the java/bin directory of your Java JRE installation directory. Look at the next screenshot for details about the published application:

Once your Java Control Panel is published, you need to grant access to this published application to the target account and launch it. Then you need to go to the Advanced tab and use the same configuration as above:

Next, you need to go to the Java tab and click View to add this command line after the javaw.exe path:

-Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect -Djavax.net.debug=all

Then click Apply, then OK to close everything. The setup to trap all the information in the Java console is done; now you can open your published browser, go to the website and get all the debug information you will need to send to the developers of the problematic website.

You can test your console/debug mode with this URL: http://java.com/en/download/help/testvm.xml. It should give you something like this:

The word <DEBUG> should appear in the console. If you have any request or detail to ask about, just go to the forum and ask.

This information can be very useful because, as you might know, there are build numbers and version numbers, and it becomes a mess very fast when you try to list all the ICA client versions connecting to your Citrix Presentation / XenApp servers.

4.00.581, 4.00.686, 4.20.715, 4.20.727, 4.20.741, 4.21.779
6.00.910, 6.01.963, 6.01.964, 6.01.967, 6.20.985, 6.30.1050, 6.31.1051
7.00.17534, 7.01.20497, 7.10.21845, 7.10.22650
8.00.24737, 8.100.29670
9.00.32649, 9.10.36280, 9.150.39151, 9.200.44376, 9.230.50211, 9.237.53063, 9.7 (Java client)
10.00.45418, 10.00.49686, 10.00.52110, 10.100.55836, 10.150.58643, 10.200.2650
11.00.5284 (beta Windows), 11.00.5357, 11.0.150.5357, 11.1.0.19460, 11.16.153430, 11.2.0.169077 (Mac), 11.2.0.31560, 11.2.2.3, 11.2.38.1, 11.2.5.2, 11.3.143202 (HP Thin Client), 11.3.2.176933 (Mac), 11.4.0.188921 (Mac), 11.4.3.192268 (Mac)
12.0.0.184893, 12.0.0.189834, 12.0.0.6410, 12.0.3.6, 12.0.13.1, 12.1.0.30, 12.1.44.1 (ActiveX Web Client - Fix for IE9)
13.0.0.13 (beta Project Mach 3), 13.0.0.6645 (with Receiver 3.0.0.56410 - Windows), 13.0.0.6684 (XenApp 6.5 DVD), 13.0.0.6685 (Citrix website download), 13.1.0.45 (with Receiver 3.1 Tech Preview - Windows)

There are several ways to list all the client versions connecting to a PS or XenApp farm; my favorite, because it is the simplest, is to use Edgesight. You need to open your Edgesight website, go to the "Browse" tab and then click on the "Session" category, and that's it: "ICA Client Version" is there waiting for your click. The result will be this kind of report:

I will post in the next few days how to retrieve the client version with a VBS script and then with PowerShell scripting.

Updated 08 Dec 2010 : added more detail about version 11.3.143202 and some newly released versions.
Updated 23 Sept 2011 : Many client versions added, Java & Mac
Updated 30 Oct 2011 : added 13.1.0.45 (Receiver 3.1 Tech Preview)
Update 21 Nov 2011 : added 11.4.3.192268 (Mac)
Update 22 Nov 2011 : added XenApp 6.5 DVD media plug-ins + ActiveX versions (Thx Neil Spellings)

Now that we know how to install Citrix Provisioning Server 5 on Windows 2008 (Citrix Provisioning Server 5 on Windows 2008) and how to deploy the 'client' on a target device, we need to learn how everything works together. This video shows how to configure Citrix Provisioning Server 5, how to create the first template, and then how to build a virtual hard disk from scratch and share it between 2 or more virtual machines. If you want to use your Citrix Provisioning Server, you need to complete the two previous steps and have a Citrix Licence Server running with proper licences. Click on continue reading to watch the video. Next step, try to make everything work with XenDesktop 3 :)