Microsoft Office (Exchange) 365 – RDSH Myth 20 Comments

For many years now, "everything in the cloud" has been happening more and more. Among all the services and software available as a service, most vendors promise a cheaper and much simpler way to manage their software. I know some of you will disagree with what I am writing about and some will agree; this is a view from my experience in the field :)

A couple of weeks ago I launched a small poll on Twitter asking this question: "Why do you think companies are moving to Exchange 365?" Here are the results: "It's less complex" won the poll, followed by "it's a fashion" and then "it's cheaper"...

I tend to agree with everything here, because if you get rid of a complete Exchange infrastructure, with all the people you need to architect and manage it, it will be cheaper and less complex for sure! But this is just a dream that leaves out the complexity of companies and the way users use their Outlook.

What I am trying to point out here is: moving to Exchange 365 is not as easy as it seems. Some companies do have a "basic" Outlook / Exchange usage and it won't bring issues, but most of the companies I saw have had issues because Microsoft and Microsoft's partners did not capture the way users were used to working with their Outlook mail software.

The picture above is the "put everything into the Cloud, you will save money" ideal. This ideal is true and can be reached when you know your users' work habits and already have an organised mail infrastructure. But this ideal can easily be broken. Even if it looks easy on paper or in a PowerPoint presentation, simple things can break this kind of project into pieces and make it fail. How? Here is a list (to be completed :D ):

- Outlook plugins
- Online Mode
- RDSH environment
- Bad architecture decision / consulting
- ...
- ...

Outlook plugins are the worst enemy of cloudification, because in 90% of cases it means you'll be forced to keep the Outlook mail client; it's a roadblock for OWA adoption...
Once you're stuck with the Outlook mail client, you need to deal with Online or Cache mode with Exchange 365... Piece of cake, right? Workstation / laptop --> Cache mode enabled, no problem! But what about…

Post Citrix Synergy / E2Evc Dublin 2016 20 Comments

May and June are very busy with conferences every year, and this year was no exception. Attending this kind of event is very important for the kind of work we are doing. Knowing what's happening in the technology world and keeping in touch with all the people willing to share their knowledge and experience has always been very useful to gather 6 months of information in only a few days.

Citrix Synergy 2016 - Las Vegas

First things first, Citrix Synergy in Las Vegas! As a CTP, Synergy always has a special flavour, because I get to know so many things from Citrix that my brain is melting for 48 hours and I need a few days to digest everything :) This year Citrix made several announcements and, besides the usual renaming and marketing bullshit, if I had one announcement to keep, that would be the Microsoft thing. Many people I met asked me about that: what do I think, and what do we need to read between the lines? My answer has been direct and surprised some of you :) I think Microsoft understands the value Citrix will add to accelerate the adoption of VDI (i.e. Windows 10 in Azure). The protocol, the acceleration and the experience Citrix will bring are obvious. Are we tending toward a Windows 365 product? The answer is as simple as a yes.

A lot of Citrix partners have been confused by this announcement, and we can easily understand why, as Citrix is taking this part of the business out of certain partners' mouths. Of course it's not yet publicly said and maybe it never will be ;) Citrix needs to make things clear for everyone and give customers and partners the big picture, one day or another. What I read between the lines is that Citrix and Microsoft announced they will be the only ones to deliver Windows 10 in DaaS mode, and only in Azure. It is true indeed, they will be the only ones, but only for a few months.
Give some time to VMware, Oracle or whatever company is forced to deliver Windows 2012 R2 desktops as a service because of Microsoft licensing limitations, plus a few anti-trust trials, and Windows 365 Windows 10 will be available from everyone, everywhere. Another thing to understand about the Microsoft Citrix thingy is that some Citrix products overlap with Microsoft ones. As Citrix already got rid of many products, I think we will see in the…

Set acls remotely to a VDI / RDSH Delivery Group 7 Comments

In the same way as the previous blog post, here is some more automation to maintain a VDI/RDSH environment and get back to a controlled and clean environment. This blog is a follow-up to Remotely clean up Virtual Machines drives – XenDesktop, Expand virtual machines hard disk – automation, and XenDesktop XenApp 7.x – vmware / ad / delivery group notes and descriptions sync.

I had to automate an action to place ACLs on the D: drive using PowerShell and icacls. This script uses XenDesktop / XenApp commands to list all the virtual machines with a SessionSupport value equal to SingleSession, which means the VDI only in my case.

If you want to check the list of virtual machines you targeted, you can use this command :

If you want to target a specific XenDesktop Delivery Group, then just adapt the previous line :

Once you know the target, you can execute the following script. This script assumes the virtual machines are switched on.

If you have suggestions and/or comments, share your thoughts!

Load Balancing TFTP with Netscaler 10.5 30 Comments

Implementing Citrix Provisioning Services (PVS) is very common nowadays when it comes to deploying Shared Desktops (XenApp) or Pooled, Private or Personal Desktops (XenDesktop). Even if there is still some debate about using TFTP+PXE vs using BDM (Boot Device Manager), I still observe a large number of deployments made using TFTP+PXE rather than BDM. Both of these solutions have pros and cons (check Wilco's website here) and this is an architectural choice you need to plan ahead of the project.

Using TFTP and PXE brings several SPOFs along the line, and the design needs to be as resilient as the high availability requirement demands. TFTP is not redundant by design: DHCP option 66 (Boot Server Host Name) allows the use of only one IP address, and there is no redundancy behind that.

With Citrix Netscaler, Citrix gave us the ability to bring high availability to this SPOF and address this issue. With previous Netscaler versions (prior to 10.x) that wasn't easy to set up and required an understanding of Netscaler features like Layer 2 Mode, DSR, etc. And if you didn't understand exactly what you were doing, all the PVS traffic was going through the Netscaler and, believe me, that was a real pain in the ass... I saw that kind of mistake a number of times...

With Netscaler 10.1 and then 10.5 things are a lot easier... So I jumped on the occasion I had at one customer's place to load balance 4 Citrix PVS servers (TFTP + PVS) to deliver this simple and fast how-to.
Information you need to gather :

- IP addresses and names of all PVS servers (with TFTP)
- One IP address for the Virtual Server (VIP)
- One or more Netscaler 10.5 (I made this configuration with

Here is a basic architecture overview of the components we are impacting :

- Netscaler #1 and #2 : This is where the configuration will take place
- PVS Servers #1, #2, #3 and #4 : All the PVS / PXE / TFTP servers we will use in this example
- DHCP Servers #1 and #2 : This is where we will configure option 66 using the load-balanced IP address (VIP)
- VMs : All these virtual machines will use PXE to boot and get the load-balanced TFTP address to launch the ARDBP32.bin file.

Let's go for the Netscaler configuration. First you need to log in; if you're using a multi Netscaler architecture you…

Netscaler 10.5 and Storefront 2.5.2 Configuration 13 Comments

Citrix Netscaler 10.5 has been out for a couple of weeks now, and if you want to read what's new in this release just click on the [link], because there are so many things that I won't list everything here. I will use this blog to refresh the "how to" I already did about Netscaler, and I will go through the basic setup, certificate request, import and Access Gateway configuration to plug in my XenDesktop 7.5 lab.

First, you need to download your Netscaler (download if you're using a VPX appliance). You can find the appliance corresponding to your hypervisor :

- VMware ESX
- Microsoft Hyper-V
- Citrix XenServer
- KVM

You can download it here : [link] - myCitrix account is required

Once you boot up the appliance, after giving the basic information like IP address, subnet and gateway, you can fire up the GUI through your favorite browser. You need to log on and follow the step-by-step screenshots :

The basic configuration is done. Now it's time to add a certificate for the Access Gateway: creating a private key, a CSR and finally importing the PEM certificate.

Don't forget to change the nsroot password.

Now that the certificate part is done (thanks to Digicert for my lab), you can go ahead to the next step and configure your Storefront server to create a new store ready to connect with the Netscaler Access Gateway.

The Storefront part is easy and quick to do. You can now continue by creating the Access Gateway using the new wizard and following these steps :

Here you go, just a reboot to have the Access Gateway up and running. I had a few issues in the end with Application Firewall with Google Chrome and Safari from a Mac OS X computer; you need to enable the learning mode to check what needs to be changed in the Application Firewall rules and allow connections to your Access Gateway.
You can customize the Netscaler Access Gateway logon page and your Storefront very easily. Eric, one of my CTP friends, did a very short and nice blog about that [link], and there is a very detailed blog written by Feng Huang, a Citrite, here [link].

This blog will give you a good overview of what needs to be done to set up an Access Gateway with Storefront. For those who don't have time to test, now you know!

Citrix PVS vs MCS – Despectus 21 Comments

I know this subject has been covered a thousand times here and there, but this is an eternal discussion we have, whatever the forum or the meeting, when we speak about Citrix. To remind people not familiar with MCS or PVS, here are the main differences :

MCS : Machine Creation Service

PVS : Provisioning Services

All the blogs, articles and white papers are very good and very technical, with a lot of details, but too often lack "real life" examples. Of course it is important to know detailed performance measurements such as IOPS in read and write, cache mode, disk and storage type, etc., but what everyone is missing most of the time is a crucial component : complexity, and the ability of the technical team to handle PVS and/or MCS.

At many of my customers' places we've implemented PVS architectures on multi-site with DFS-R and SAN / NAS etc. to provision XenApp 6.5 farms lightning fast, and this is a success every time when everything is set up correctly and when everything works as expected. BUT the complexity we leave behind at the customer's place leaves me with the thought that in 70% of the cases they will call us back to fix an issue they created while trying to handle PVS and the surrounding components. 20% won't call us but nothing will change; even the XenApp servers will remain in the same state as when we left. Of course, writing documentation and how-tos for everything won't solve this issue, because managing XenApp servers provisioned with PVS is complex and needs good organisation and an understanding of the product.

PVS is in version 7.1 (April 2014) and hasn't evolved that much during the last couple of years. Some say PVS will disappear with time to let MCS take over, but I honestly don't know what Citrix's plans are for PVS. But as PVS is an awesome technology, I think Citrix will bring more and more features to MCS, and keeping the simplicity while adding features will be an interesting challenge.
To keep this topic short (that never happens when we speak about this during CTP meetings or forums :) ), I would say that for large enterprises I would continue to use PVS on current and new deployments, but put in my customer's mind that the overhead of complexity could cost more than an intelligent storage solution (software, hardware) and introduce a few desktops (XenDesktop…

List XenApp 6.5 hotfixes with PowerShell 8 Comments

This is a classic, but it needs to be written somewhere so I can find it again when I need it!

First thing, you need to add the XenApp PowerShell snap-in :

Then you can use a few very useful commands to gather information and script your deployment / inventory.

That's what you get access to. Now I want to list hotfixes on XenApp servers, so I used Get-XaServerHotfix "ServerName"

The result format is not very useful and covers only 1 server in a farm of 100... And I was looking for all the servers which had the XA650R01W2K8R2X64061 hotfix installed. I needed a list of all servers, with only the machine names where this hotfix was installed.

And the result looks like this :

This is simple and quite basic, but it's very useful! If you have any comments and/or requests, just drop me an email or a comment!

Cloudify my lab with Windows Azure 13 Comments

As I got unlimited access to Windows Azure, I wanted to check out how I could extend my lab into it and use it to store VM workloads (at first).

Here is what you need :

- Citrix NetScaler VPX (tested with NS10.1: Build & NS10.1: Build
- Windows Azure Access
- Homelab (running on vSphere 5.5)

Of course, you need a licence for everything...

Considerations :

Before configuring a CloudBridge tunnel between a CloudBridge appliance in the datacenter and Microsoft Azure, consider the following points:

- The CloudBridge appliance must have a public-facing IPv4 address (type SNIP) to use as a tunnel end-point address for the CloudBridge tunnel. Also, the CloudBridge appliance should not be behind a NAT device (or you'll have to set up a route for your LAN computers; I'm explaining how to at the end of this blog).
- Azure supports the following IPSec settings for a CloudBridge tunnel. Therefore, you must specify the same IPSec settings while configuring the CloudBridge appliance for the CloudBridge tunnel.
  - IKE version = v1
  - Encryption algorithm = AES
  - Hash algorithm = HMAC SHA1
- You must configure the firewall at the datacenter edge to allow the following.
  - Any UDP packets for port 500
  - Any UDP packets for port 4500
  - Any ESP (IP protocol number 50) packets
- IKE re-keying, which is the renegotiation of new cryptographic keys between the CloudBridge tunnel end points to establish new SAs, is not supported. When the Security Associations (SAs) expire, the tunnel goes into the DOWN state. Therefore, you must set a very large value for the lifetimes of SAs.
- You must configure Microsoft Azure before specifying the tunnel configuration on the CloudBridge appliance, because the public IP address of the Azure end (gateway) of the tunnel, and the PSK, are automatically generated when you set up the tunnel configuration in Azure. You need this information for specifying the tunnel configuration on the CloudBridge appliance.
First things first, you need to use your Windows Azure account and follow the next steps to begin configuring the IPSec tunnel by creating a local network :

1. In the left pane, click NETWORKS.
2. In the lower left-hand corner of the screen, click + NEW.
3. In the NEW navigation pane, click NETWORK, then click VIRTUAL NETWORK, and then click ADD LOCAL NETWORK.
4. In the ADD A LOCAL NETWORK wizard, in the specify your local network details screen, set the following parameters:
   - NAME
   - VPN DEVICE IP ADDRESS
5. In the lower right corner of the screen,…

Trend ServerProtect 5.80, XenApp 6.5 / PVS 3 Comments

AntiVirus software is always a pain in the ass when it comes to delivering desktops through a golden image system like Citrix Provisioning Services. It's changing, but still, in most of the companies I'm working for there is always the AntiVirus dude who is yelling and requesting to be able to watch and know where the antivirus software is deployed, if it's up to date and if all the machines are OK.

The last blog I did about an antivirus was about Symantec SEP 11 (here), and Symantec did their job by understanding what a virtual environment is about with version 12. With TrendMicro and ServerProtect, we're not there yet... Even if their product Office Scan seems to fit the needs better, today I had to deal with Trend Micro ServerProtect installed on the PVS golden images. The problem remains the same: a Trend GUID is created when installing the software on the golden image, but it won't change across the multiple machines using that image.

The Trend GUID is located in the registry : HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion\SpntService\NS_GUID with a 75-character string.

What I had to do :

- Create a 75 random character string
- Replace the registry value
- Create a flag so the value won't change at each reboot

So, with my crappy PowerShell skills, I did a very small script (and thanks to Livio @EldejiPoint for the cleanup ^^ )

This script will be executed as a startup script for the computer (using GPOs), and by creating a trend.txt file on the fixed drive (d:\) the generated Trend GUID won't change until the file is removed.

I hope it will help!