Category Archives: Citrix

Citrix Error: The connection to *** failed with status 1030

In most situations, if you get this error it means there is a configuration error somewhere in your Citrix environment. You can refer to the Citrix article below for more information.

https://support.citrix.com/article/CTX124143

But this week, when we tried to renew our NetScaler certificate, we ran into the following problem:
1. Windows machines work well with the new certificate. End users can start their VDIs without any problem;
2. Windows thin clients running Windows Embedded XP can't start a VDI. They always get the error code '1030';
3. Some Linux thin client users can start their VDI while others can't. Those who can't get an error message that says 'SSL error'.

Finally, after two days of investigation, we fixed this issue.

1. We used the Symantec SSL Toolbox to scan the certificate installed on our server. The scan reported an error about the certificate chain.

It means that some old clients may have problems when the server does not send the intermediate chain. So download the chain and add it to the certificate binding on the NetScaler.

2. After we fixed the chain issue, our thin clients still couldn't connect. We noticed that the thin client running Citrix Receiver 13.1 could connect. We then checked the Citrix Receiver version changelog and found:

New features in this release

    Native Smartcard authentication to StoreFront
    Session Reliability for robust HDX connection
    SHA-2 encryption for enhanced security
    Improved 64-bit packaging to enable access from 64-bit Linux distributions


https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-131.html

Well, that's the key point. The thin clients are still running Citrix Online Plug-in 11.2 or Citrix Receiver 13.0 for Linux, which predate SHA-2 support.
So we changed our certificate to SHA-1, and everything works.

The next step is to upgrade Citrix Receiver to the latest version on all thin clients, then deprecate the SHA-1 certificate and move to SHA-2.
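Before repeating the two checks above by hand on the next renewal, it helps to script them. The PowerShell below is an added example and is not part of the original post or any Citrix tool: it reads a PEM bundle (the server certificate followed by the intermediate chain, as uploaded to the NetScaler), and for each certificate reports the signature hash algorithm and whether its issuer is present in the bundle. The file path is a placeholder.

```powershell
# Added example, not from the original post. Reads a PEM bundle and reports,
# per certificate, the signature hash algorithm (sha1RSA vs sha256RSA) and
# whether the issuer of every non-self-signed certificate is in the bundle.
# The path is an assumption; point it at your own exported bundle.
function Test-CertBundle {
    param([Parameter(Mandatory)][string]$Path)

    $pem = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($pem, $pattern, [System.Text.RegularExpressions.RegexOptions]::Singleline)
    if ($blocks.Count -eq 0) { throw "No PEM certificates found in $Path" }

    # Decode each PEM block into an X509Certificate2 object
    $certs = foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }

    $subjects = $certs | ForEach-Object { $_.Subject }
    foreach ($c in $certs) {
        $alg = $c.SignatureAlgorithm.FriendlyName        # e.g. sha1RSA, sha256RSA
        $selfSigned = ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Subject        = $c.Subject
            Issuer         = $c.Issuer
            SignatureAlg   = $alg
            Sha1Signed     = ($alg -match '^sha1')
            # Matching issuer to subject by name is a heuristic; AKI/SKI matching is stricter
            IssuerInBundle = $selfSigned -or ($subjects -contains $c.Issuer)
            NotAfter       = $c.NotAfter
        }
    }
}

# Usage (path is a placeholder):
# Test-CertBundle -Path 'C:\certs\gateway-bundle.pem' | Format-Table -AutoSize
```

A row with IssuerInBundle = False for a non-self-signed certificate is the missing-chain case the scan reported; Sha1Signed only matters for the server certificate and the intermediates, since a root's own self-signature is never validated by clients.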

Citrix PVS server Dual IP issue in multiple DHCP servers with a split scope environment

Usually, when deploying PVS servers, we only use one DHCP scope. But in some large environments we have to use multiple DHCP servers with a split scope if we can't use Windows Server 2012.

Then it is more likely to hit the dual IP issue:

1. When a VDI starts, it first contacts a DHCP server to get its first IP address, then uses this IP address to connect to the PVS server, download the image and start the VDI.
2. When Windows is up, the Windows DHCP Client requests an IP address from a DHCP server. In a multiple-DHCP environment it may request the address from a different DHCP server and get a different IP address.

Then we get the following problems:
1. VDIs may have two IP addresses.
2. We run out of IP addresses. You will find that lots of IP addresses are marked as 'bad addresses'.
3. DNS record issues. Because some VDIs have two IP addresses, they register the wrong IP address in DNS.

We spent a lot of time with Citrix, and Citrix couldn't provide a solution for this issue. They only suggested using PVS servers in a single DHCP scope environment.

But finally, we found a solution to fix this issue by ourselves.

This issue is caused by the fact that, when Windows is up, the Citrix PVS Device Service injects the IP address it obtained during the PXE boot process into the system. If the Citrix PVS Device Service starts before the DHCP Client service, the VDI gets one IP address. But if the DHCP Client starts first, Citrix still injects its IP address, and the VDI ends up with two IP addresses.

There are two ways to fix this issue.

1. Disable the DHCP Client in the VDI. This option is not good, but it works. Please be aware that after you disable the DHCP Client service, the VDI may not be able to get DNS servers from DHCP, because Citrix only injects IP address, netmask and gateway information into Windows.

2. Make "Citrix PVS Device Service" a dependency of the DHCP Client service, so that the DHCP Client starts only after Citrix has injected the IP address.

Edit the registry value:
HKLM\System\CurrentControlSet\Services\Dhcp\DependOnService
Add "BNDevice" to the end of the list of services it depends on.

Since Citrix can't fix this issue, this is the only solution we found.
But if you are able to use Windows Server 2012, then a Windows Server 2012 DHCP failover cluster may be another choice.
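The registry edit above is easy to get wrong by hand (a dependency on a service name that does not exist stops the DHCP Client from starting at all). The PowerShell below is an added example, not part of the original post or of the Citrix PVS software: it adds BNDevice to the DHCP Client's DependOnService list only if that service exists, reads the dependency back through the Service Control Manager, and provides a post-reboot check for the dual-IP symptom.

```powershell
# Added example, not from the original post. Adds the Citrix PVS Device Service
# (BNDevice) to the DHCP Client service's DependOnService list, so the DHCP
# Client starts only after PVS has injected the PXE-boot IP address.
# Run elevated inside the vDisk while it is in private/maintenance mode.
function Add-DhcpDependencyOnPvs {
    param([string]$DependencyName = 'BNDevice')

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp'

    # A dependency on a service that is not installed would stop the DHCP
    # Client from starting at all, so check first.
    if (-not (Get-Service -Name $DependencyName -ErrorAction SilentlyContinue)) {
        throw "Service '$DependencyName' is not installed; is the PVS target device software present?"
    }

    $current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
                 Where-Object { $_ })
    if ($current -contains $DependencyName) {
        Write-Host "Dhcp already depends on $DependencyName; nothing to do."
        return $current
    }

    $updated = [string[]]($current + $DependencyName)
    Set-ItemProperty -Path $key -Name DependOnService -Value $updated -Type MultiString
    return $updated
}

# Read the dependency back through the Service Control Manager rather than the registry.
function Get-DhcpDependencies {
    (Get-Service -Name Dhcp).ServicesDependedOn | Select-Object -ExpandProperty Name
}

# Symptom check after reboot: any adapter with more than one IPv4 address is the
# dual-IP case this post describes. WMI is used so it also works on Windows 7 targets.
function Test-DualIp {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { @($_.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }).Count -gt 1 } |
        Select-Object Description, IPAddress
}

# Usage:
# Add-DhcpDependencyOnPvs; Get-DhcpDependencies
# (after the target reboots) Test-DualIp
```

Test-DualIp returning nothing on a freshly booted target is the expected result once the dependency is in place.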

Updating Database Connection Strings in XenDesktop 7.x

The scripts need powershell v3 at the moment (I may turn part of it into a module, and might be able to switch to powershell v2, but v3 is needed to load the core script into the other scripts.)

The scripts have been tested on Server 2012 R2, with XenDesktop 7.5 and XenDesktop 7.6. Note that this was as a full site admin and in local admin powershell window.

The provided scripts are:
DBConnectionStringFuncs.ps1 – this is the core script and does the actual work. It contains common functions which the following scripts then use.
Change_XD_Failover_Partner_v1.ps1 – this is similar to the previous script I posted, and is used to update the failover partner.
Change_XD_To_ConnectionString.ps1 – this takes the connection strings passed in and uses them, so it is a very generic version.
Change_XD_To_MultiSubnetFailover.ps1 – this toggles the addition and removal of MultiSubnetFailover=true, i.e. run it once and the option is added, run it again and the option is removed.
Change_XD_To_Null.ps1 – this resets all the connection strings on the localhost when something has gone wrong. Note that because this resets the connection strings to null, it will actually place the DDC into an "initial" state, i.e. if you run Studio it will ask whether you want to create a site or join another DDC. This is useful if something has gone wrong somewhere and a reset is needed, as you can then attempt to set the connection strings again.

If you need to do some kind of connection string manipulation feel free to look at how the Change_XD scripts use the functions in DBConnectionStringFuncs.ps1.
XDConnectionStringScripts

Script used for enable XenDesktop Database Mirroring

Make sure that all DDCs are up and running, then run below PowerShell Script.

# The XenDesktop cmdlets live in the Citrix PowerShell snap-ins; load them first.
Add-PSSnapin Citrix.*

$cs = 'Data Source=DB1; Failover Partner=DB2; Initial Catalog=XenDesktopDB; Integrated Security=True; Network=dbmssocn'

# Step 1: disconnect every controller from the site database.
$controllers = Get-BrokerController | ForEach-Object { $_.DNSName }
foreach ($controller in $controllers) {
    Write-Host "Disconnect controller $controller ..."
    Set-ConfigDBConnection -DBConnection $null -AdminAddress $controller
    Set-HypDBConnection -DBConnection $null -AdminAddress $controller
    Set-AcctDBConnection -DBConnection $null -AdminAddress $controller
    Set-ProvDBConnection -DBConnection $null -AdminAddress $controller
    Set-PvsVmDBConnection -DBConnection $null -AdminAddress $controller
    Set-BrokerDBConnection -DBConnection $null -AdminAddress $controller
}

# Step 2: reconnect every controller using the connection string with the failover partner.
foreach ($controller in $controllers) {
    Write-Host "Connect controller $controller ..."
    Set-ConfigDBConnection -DBConnection $cs -AdminAddress $controller
    Set-HypDBConnection -DBConnection $cs -AdminAddress $controller
    Set-AcctDBConnection -DBConnection $cs -AdminAddress $controller
    Set-ProvDBConnection -DBConnection $cs -AdminAddress $controller
    Set-PvsVmDBConnection -DBConnection $cs -AdminAddress $controller
    Set-BrokerDBConnection -DBConnection $cs -AdminAddress $controller
}
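A connection string that parses but points at an unreachable mirror only shows up after every controller has been disconnected, so it is worth validating first. The PowerShell below is an added example and is not part of the author's scripts or the Citrix SDK: it parses the string with the .NET SqlConnectionStringBuilder, offers the MultiSubnetFailover toggle that the Change_XD_To_MultiSubnetFailover.ps1 script described above performs, and checks that each SQL Server named in the string is reachable and reports the mirroring role it holds for the site database. The server and database names are placeholders, and the probe runs as the user executing the script (Integrated Security).

```powershell
# Added example, not the author's scripts. Validates a XenDesktop connection
# string before it is pushed to every controller. Names are placeholders.
Add-Type -AssemblyName System.Data

function Set-MultiSubnetFailover {
    param([Parameter(Mandatory)][string]$ConnectionString, [bool]$Enabled = $true)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    if ($Enabled) { $b.MultiSubnetFailover = $true } else { [void]$b.Remove('MultiSubnetFailover') }
    return $b.ConnectionString
}

function Test-XDConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    $servers = @($b.DataSource, $b.FailoverPartner) | Where-Object { $_ }

    foreach ($server in $servers) {
        # Probe each server on its own (no failover partner, catalog = master):
        # the mirror copy is in RESTORING state and cannot be opened directly,
        # but sys.database_mirroring on that server still reports its role.
        $probe = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
        $probe.DataSource     = $server
        [void]$probe.Remove('Failover Partner')
        $probe.InitialCatalog = 'master'
        $probe.ConnectTimeout = 5

        $result = [ordered]@{ Server = $server; Reachable = $false; Role = $null; State = $null; Error = $null }
        $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $probe.ConnectionString
        try {
            $conn.Open()
            $result.Reachable = $true
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = 'SELECT mirroring_role_desc, mirroring_state_desc FROM sys.database_mirroring WHERE database_id = DB_ID(@db)'
            [void]$cmd.Parameters.AddWithValue('@db', $b.InitialCatalog)
            $r = $cmd.ExecuteReader()
            if ($r.Read()) {
                $result.Role  = $r['mirroring_role_desc']
                $result.State = $r['mirroring_state_desc']
            }
            $r.Close()
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            $conn.Dispose()
        }
        [pscustomobject]$result
    }
}

# Usage (placeholders):
# $cs = 'Data Source=DB1; Failover Partner=DB2; Initial Catalog=XenDesktopDB; Integrated Security=True; Network=dbmssocn'
# Test-XDConnectionString -ConnectionString $cs | Format-Table -AutoSize
# Set-MultiSubnetFailover -ConnectionString $cs -Enabled $true
```

The expected result before running the mirroring script is one row per server, both Reachable, with Role = PRINCIPAL on the Data Source and MIRROR on the Failover Partner, and State = SYNCHRONIZED on both; a NULL role means the database on that server is not mirrored at all.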

NetScaler NSIP/SNIP/MIP/VIP

NetScaler IP Address type definitions

There are a number of types of IP addresses which can be defined on the NetScaler, all of which have specific usages.

NSIP – NetScaler IP Address

The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes.
You must add this IP address when you configure the NetScaler for the first time.
You cannot remove the NSIP address.
The NetScaler can have only one NSIP.
The NSIP is also called the Management IP address.
If you modify this address, you must reboot the NetScaler.

SNIP – NetScaler Subnet IP Address

A subnet IP (SNIP) is similar in functionality to a MIP (defined later)
A subnet IP (SNIP) address is used in connection management and server monitoring.
It is not mandatory to specify a SNIP when you initially configure the NetScaler appliance.
In a multiple-subnet scenario, the NetScaler IP (NSIP) address, the mapped IP (MIP) address, and the IP address of a server CAN exist on different subnets.
To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler
With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default.
When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service.
When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in round robin manner.

MIP – Mapped IP Address

A Mapped IP address is similar in functionality to a SNIP (defined above).
Mapped IP addresses (MIP) are used for server-side connections.
A MIP can be considered a default subnet IP (SNIP) address, because MIPs are used when a SNIP is not available or Use SNIP (USNIP) mode is disabled.
If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry, with this IP address as the gateway to reach the subnet
You can create or delete a MIP during run time without rebooting the appliance.
As an alternative to creating MIPs one at a time, you can specify a consecutive range of MIPs.

VIP – Virtual IP Address

The Virtual IP address is the address external users connect to and are authenticated at.
A VIP is an IP address assigned to multiple domain names, servers or applications residing on a single server, instead of being tied to a specific server or network interface card (NIC) on a server.
Incoming data packets are sent to the VIP address and are routed to the actual network interfaces.
A server IP address depends on the Media Access Control (MAC) address of the attached NIC, and only one logical IP address may be assigned per card. However, VIP addressing enables hosting of several different applications and virtual appliances on a server with only one logical IP address.
VIPs have several variations and implementation scenarios, including Common Address Redundancy Protocol (CARP) and Proxy Address Resolution Protocol (Proxy ARP).
VIPs are mostly used to consolidate resources through the allocation of one network interface per hosted application.
They are also used for connection redundancy by providing alternative fail-over options on one machine; a VIP address may still be available if a computer or NIC fails, because an alternative computer or NIC replies to connections.
A VIP is the only IP address which can be disabled, causing any attached devices or services to go down.

NetScaler IP Address communication Usage

With the NetScaler, certain traffic will be sent using a specific type of IP address as the source address. Ensure that when you are deploying a NetScaler between firewall(s) that the correct traffic is permitted to run from the correct IP address.

LDAP, RADIUS, and other authentication traffic will use the NetScaler IP (NSIP).
DNS / WINS traffic will use the mapped IP (MIP) or Subnet IP (SNIP), depending on the route to the destination host.
VPN Traffic (from the Access Gateway Enterprise Edition to internal resources) uses the MIP, SNIP, or Intranet IP depending on which configuration you have chosen.
File System Portal, which is the “File Transfer” button on Access Gateway Enterprise Edition, uses the NSIP.
If ICA PROXY is switched ON, the MIP or SNIP is used, depending on the route to the destination host.

Example Firewall Rules

Usage | Source | Target | Port Numbers
Management | Internal Network | NSIP Address | TCP 443 (HTTPS), TCP 80 (HTTP), TCP 22 (SSH), TCP 3008 (JAVA), TCP 3010 (JAVA)
External User Access | Client Machine / Internet | VIP Address | TCP 443 (HTTPS)
DNS Lookup | MIP / SNIP | DNS Server | TCP 53 (DNS), ICMP Echo (PING)
Authentication – Active Directory / LDAP | NSIP | Domain Controller(s) / LDAP Server(s) | TCP 389 (LDAP) and/or TCP 636 (LDAPS)
Authentication – RADIUS | MIP / SNIP | RADIUS Server(s) | TCP 1812 (RADIUS)
NTP Time Sync | NSIP | Time Server | UDP 123 (NTP)
Citrix Edgesight Monitoring In | Internal Network / Edgesight Server | NSIP | TCP 9307 (Edgesight Agent)
Citrix Edgesight Monitoring Out | NSIP | Internal Network / Edgesight Server | TCP 9307 (Edgesight Agent)
SCOM Monitoring In | Internal Network / Management Server | NSIP | TCP 5723 (SCOM Agent)
SCOM Monitoring Out | NSIP | Internal Network / Management Server | TCP 5723 (SCOM Agent)
Web Interface Access | MIP / SNIP | Web Interface Server | TCP 443 (HTTPS)
Web Interface SSO Call Back | Web Interface Server | VIP | TCP 443 (HTTPS)
ICA / XenApp Access | MIP / SNIP | XenApp Servers | TCP 443 (HTTPS), TCP 1494 (Citrix ICA), TCP 2598 (Citrix ICA with session reliability)
Licence Server Access (If Needed) | NSIP | Licence Server | TCP 27001 (Citrix Licence)

Note on the DNS Lookup row: DNS servers MUST be PING-able to be reported as UP and for the NetScaler to use them.

BackEnd Communications (MIP or SNIP)

The following are the different scenarios in which a NetScaler appliance selects the IP address used to initiate backend server connections, using a MIP or a SNIP depending on how it is configured.

MIP and SNIP Address Available and USNIP Disabled

The NetScaler appliance uses the MIP address to open backend server connections; SNIP addresses are not used.

MIP and SNIP Address Available, USNIP Disabled, and SNIP Bound to VLAN and L3 Interface

The NetScaler appliance uses the MIP address to open backend server connections; SNIP addresses are not used. The SNIP address is used only for L3 connectivity.

MIP and SNIP Address Available and USNIP Enabled

The NetScaler appliance uses the SNIP address to open backend server connections; MIP addresses are not used. If the MIP address is configured in the same subnet as the SNIP address, then the MIP address is also used.
When USNIP is enabled, the appliance selects the IP address by looking up the route or subnet for the destination IP address, and picks the matching address regardless of whether it is a SNIP or a MIP.

MIP and SNIP Address Available, USNIP Enabled, and SNIP Bound to VLAN and L3 Interface

The NetScaler appliance uses the SNIP address to open backend server connections; the MIP address is not used. The SNIP address is also used for L3 connectivity. If you configure the MIP address in the same subnet as the SNIP address, then the MIP address is also used.
When USNIP is enabled, the appliance selects the IP address by looking up the route or subnet for the destination IP address, and picks the matching address regardless of whether it is a SNIP or a MIP.
VLAN binding does not affect the source IP address selection.
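Writing the firewall rules above requires knowing which addresses of each type are actually configured on the appliance and whether USNIP mode is on, since that decides whether backend traffic will be sourced from a MIP or from the SNIP covering the next hop. The PowerShell below is an added example, not from the original post and not a Citrix tool: it queries the NetScaler's NITRO REST API (the nsip and nsmode resources) for the IP inventory and USNIP state, and applies the selection rules described in this section to predict the candidate source addresses for a given next hop on a directly attached subnet. The management address, credentials, and the certificate-check switch are assumptions.

```powershell
# Added example, not from the original post. Reads the NetScaler IP inventory
# and USNIP mode via NITRO and predicts the backend source address candidates.
# $NsIp, the credential and -SkipCertificateCheck are assumptions.
function Get-NsIpInventory {
    param(
        [Parameter(Mandatory)][string]$NsIp,            # management address (NSIP)
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$SkipCertificateCheck                    # PowerShell 6+ only; for a self-signed management cert
    )
    $base    = "https://$NsIp/nitro/v1/config"
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    $extra = @{}
    if ($SkipCertificateCheck) { $extra['SkipCertificateCheck'] = $true }

    $ips  = (Invoke-RestMethod -Method Get -Uri "$base/nsip"   -Headers $headers @extra).nsip
    $mode = (Invoke-RestMethod -Method Get -Uri "$base/nsmode" -Headers $headers @extra).nsmode

    [pscustomobject]@{
        UsnipEnabled = ("$($mode.usnip)" -ieq 'true')          # handles boolean or string JSON
        Ips          = $ips | Select-Object ipaddress, netmask, type   # type is NSIP, SNIP, MIP or VIP
    }
}

# True when $Ip lies inside the subnet defined by $Network/$Netmask (IPv4).
function Test-SameSubnet {
    param([string]$Ip, [string]$Network, [string]$Netmask)
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Netmask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($n[$i] -band $m[$i])) { return $false }
    }
    return $true
}

# Applies the rules from this section: USNIP disabled -> MIP, regardless of
# subnet; USNIP enabled -> the SNIP (or a MIP in the same subnet) whose
# subnet covers the next hop. $NextHop is the directly attached destination
# or, for routed destinations, the gateway from the NetScaler routing table.
function Get-ExpectedBackendSource {
    param([Parameter(Mandatory)]$Inventory, [Parameter(Mandatory)][string]$NextHop)
    if (-not $Inventory.UsnipEnabled) {
        return $Inventory.Ips | Where-Object { $_.type -eq 'MIP' }
    }
    $Inventory.Ips |
        Where-Object { $_.type -in 'SNIP', 'MIP' } |
        Where-Object { Test-SameSubnet -Ip $NextHop -Network $_.ipaddress -Netmask $_.netmask }
}

# Usage (placeholders):
# $inv = Get-NsIpInventory -NsIp '10.0.0.10' -Credential (Get-Credential)
# $inv.Ips | Group-Object type | Format-Table Name, Count
# Get-ExpectedBackendSource -Inventory $inv -NextHop '10.0.20.5'
```

If Get-ExpectedBackendSource returns nothing with USNIP enabled, no SNIP covers that next hop and the appliance will fall back to a MIP, which is exactly the case where a firewall rule written for the SNIP only will drop the backend traffic.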

Netscaler VPX license

When I tried to install certificate to netscaler vpx, I got below error message:

Certificate with key size greater than RSA512 or DSA512 bits not supported

After investigating, I found that this problem is caused by the NetScaler license. You need to install at least three licenses on the NetScaler to support its functions:

1) NetScaler Platform licence: this enables NetScaler features, but more importantly unlocks the higher grades of encryption. Licence issued against the Host-ID (= MAC address).
2) NetScaler Gateway platform licences / ICA licences: this licence gives you "unlimited" basic mode (i.e. ICA-only) connections. Licence issued against the hostname.
3) Universal licences: paid-for licences (you get free ones with XD Platinum / NS Platinum) which allow use of smart-access mode (= VPN, clientless, or ICA with EPA). Licence issued against the hostname.