Application virtualization, IoT and Cloud Computing, Blog of Sacha Thomet


Why I love my Meta Rayban

I was at an IT conference in Barcelona last week. Not only did I learn a lot, reconnect with old friends, and meet new people, but I also brought back inspiration and good memories. Additionally, I had the chance to test the Meta Ray-Ban, which is not yet available in Switzerland, thanks to my Danish friend Thomas Poppelgaard. At the airport Ray-Ban store, I got myself a pair of Ray-Ban Meta glasses, and I must say, I am fascinated. Moreover, I made my first extended vlog, which is available in “Swiss English” and Bernese German:

And Swiss German:

Citrix Workspace App 2307 and FIDO2 Keys

I was delighted when I started testing the new Citrix Workspace App 2307 (still in beta phase) and noticed that Citrix had improved the behavior of the FIDO2 key in the Workspace App for Mac. Previously, handling FIDO keys on macOS was limited, while it was better implemented on Windows. The release notes of the new Workspace App indeed indicated that work had been done on FIDO implementations in this release:

Source: https://docs.citrix.com/en-us/citrix-workspace-app-for-mac/ear.html (21.7.23)

Previously, under Mac, I simply mapped my USB YubiKey into the session and used it that way. However, this is no longer necessary. The function is now queried and passed through on the Mac. When a FIDO key is requested, I see the Mac prompt to enter the password.

I own several YubiKeys, each with multiple passkey identities — one for private use and one for business. However, I’ve noticed that the new feature with one of my keys is causing issues. The problem is that it doesn’t prompt me to choose which identity I want to use within the Citrix session. One key always picks the “correct” business identity, but with the other YubiKey, the system attempts to log me into corporate resources using my Gmail address.

Apparently, the development here is not yet 100% correct and complete. Therefore, after a conversation with Citrix, I learned the command to deactivate this new feature. Until I can use the passkey identity—given that I have multiple identities on the key—I’ll have to wait and loop my USB YubiKey back into the Citrix session through USB passthrough.

If you encounter the same problem, you can deactivate the FIDO feature with this command in the Mac Terminal:

defaults write com.citrix.receiver.nomas Fido2Enabled -bool NO

Update 28.8.23 Citrix reacted fast!

From Citrix Workspace App version 2308 it’s possible to use multiple identities on one FIDO2 key and choose in the OS inside the VDA machine which one should be used.

No more able to start SOAP on PVS

After the last monthly Microsoft Security Updates one of my PVS servers was no longer able to start the SOAP service. I received an Event 7000 with the message:

The Citrix PVS Soap Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

I live in Bern, and we are known as slow-paced people here in Bern, probably because of our slow-sounding accent. So my idea is: if the service needs more time to start, I’ll give it more time.

I’ve created a new DWORD called ServicesPipeTimeout with the value 120000 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which means the service has 2 minutes to start. After a reboot my SOAP was up and running again.

By the way, an additional tip regarding this service … SOAP is sometimes bitchy … it’s a good idea to set the service to restart automatically after a crash.
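The timeout change and the auto-restart tip from this post, scripted together as an added example (not code from the original post). It looks the service up by the display name quoted in the Event 7000 text; the 60-second restart delay and the one-day failure-counter reset are assumed values.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the PVS server.
$controlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$timeoutMs   = 120000                     # value used in the post (2 minutes)
$displayName = 'Citrix PVS Soap Server'   # display name as quoted in the Event 7000 text

# Record what was configured before. If the value is absent, Windows uses its
# built-in default of 30000 ms.
$before = (Get-ItemProperty -Path $controlKey -Name ServicesPipeTimeout -ErrorAction SilentlyContinue).ServicesPipeTimeout
if ($null -eq $before) { Write-Output 'ServicesPipeTimeout not set (Windows default applies).' }
else                   { Write-Output "ServicesPipeTimeout was $before ms." }

# The timeout is machine-wide: it applies to every service on this server,
# not only to SOAP, and is only picked up after a reboot.
New-ItemProperty -Path $controlKey -Name ServicesPipeTimeout -PropertyType DWord -Value $timeoutMs -Force | Out-Null

# Resolve the short service name from the display name instead of hard-coding it.
$svc = Get-Service -DisplayName $displayName -ErrorAction Stop

# Recovery actions (assumed values): restart 60 s after the first, second and
# later failures; reset the failure counter after one day (86400 s).
& sc.exe failure $svc.Name reset= 86400 actions= restart/60000/restart/60000/restart/60000
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE" }

# Show what the service control manager now has configured.
& sc.exe qfailure $svc.Name
Write-Output 'Reboot the server for ServicesPipeTimeout to take effect.'
```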

How to bring your network back online in minutes with Ubiquiti UniFi gear

Less than a month ago I decided to buy a new WiFi access point to increase the quality and possibilities of my home WiFi. Until now I just had a “Fritzbox”, which is already very nice for home use. Fritz does everything: fast WiFi, modem, router, VoIP, answering machine, DECT gateway, and it’s stable and easy to configure. Of course, I wished to have a more enterprise-like network setup, especially because my lab environment and a lot of IoT stuff are also in my home network. But honestly, the components I knew that allow enterprise features were not in my budget.

So the first plan was to just improve WiFi. I just bought a Ubiquiti UniFi AP-AC-Pro without any ulterior motive. But to be honest, the new AP was like a starter drug. I saw everything that is possible, for a price which is also affordable for home use and with no extra license costs. I don’t want to write a review here about my new awesome Ubiquiti gear; if you wish to know more about that stuff, see the blog post from my fellow CTP Jason Samuel: Building a secure high visibility WiFi network using Ubiquiti Networks UniFi gear

Just to say, now, some weeks later I have a router (UniFi Security Gateway 3P), a managed switch (UniFi Switch 16 POE-150W) and two WiFi access points (UniFi AP-AC-Pro and UniFi AP-AC-LR) from Ubiquiti in my network. Finally, I’m able to segment my home network into virtual networks (VLANs) and to make everything more transparent, hopefully more secure and of course easier to manage for me. Currently, I have 3 different WiFi SSIDs and 4 VLANs. The software-defined network is great and lets me do things I just dreamed of before. When I think about all the “use cases”, I’m now really sure that a lot of security considerations for improvements in the network segmentation should be made … but that’s another topic …

The USG 3P, UniFi Security Gateway, comes with 3 ports: WAN, LAN, and VoIP. The software of these devices is continuously developed further, and new features come with every new version. Some features are also implemented as beta features, e.g. turning the VoIP port into a WAN2 port:

With this feature, it’s possible to have a Second WAN link and to use it as Failover or as Weighted LB. Of course for home use, a second WAN link is not common. But definitely interesting for some small companies or maybe branch offices which need a reliable connection to the internet.

I have currently only one connection to the Internet, a cable connection with 250M down and 25M up from “Quickline”. Until now when I had an outage I was still able to use my 4G WiFi Hotspot from Huawei to access the Internet with my Laptop.

Last Saturday my Cable Internet connection was interrupted exactly at that moment where I was doing some lab works with my network components. So I decided to have a closer look at this WAN 2 Feature. I connected a Zyxel travel router (NBG2105) with the Cat5 cable to the USG and with WLAN to my 4G WiFi router, I configured the VoIP Port for WAN2. Wow after 30 minutes I was back online with my whole network.

On WAN2 there can be anything that provides an Internet link and, in my case, gives an IP address via DHCP. Of course, first I connected the Zyxel NBG2105 with the cable to my laptop and connected it to my WiFi router. The most important thing here with the NBG2105 is that the switch is set to Client:

Of course the speed of 4G is nowhere near my cable connection, but it’s still better than being offline:

And now I have not just the solution to “How to get back online” but rather also to “Stay always online”.

Win10 to Win10 with a Citrix VDA

Intro – my relationship with Windows 10

The company I’m working for, Die Mobiliar, started early with Windows 10: in spring 2016 we rolled out Windows 10 to all our physical devices and also to our virtual desktops. We have two different kinds of VDIs, pooled Win10 desktops provided by Citrix PVS and also classically installed dedicated VDIs. Both with Citrix XenDesktop 7.x.

Being in the role of early adopter with such a new operating system is interesting but also nerve-racking on some days… Especially when you add Citrix XenDesktop on top of Windows 10 and then also special requirements like physical and virtual Smart Cards.
I talked about this adventure on E2EVC in Rome: The stony road of a VDI migration from Win7 to Win10

Next chapter

Now our story goes into the next round: we installed Windows 10 last year with the 1511 release and we now want to go to the anniversary update (1607). For our pooled desktops it’s no question, fresh install on the new build. But a fresh install of the dedicated desktops where users have installed their own stuff will get me into big trouble … it’s really not an option!

I was curious who is in the same boat, so I created this poll:


36% are doing fresh install of dedicated desktops? Wow … BOFH? 🙂

I tell you now 2 secrets:

  • It’s not possible to update Windows 10 from one version to the other when a Citrix Virtual Desktop Agent (VDA) is installed!
  • Uninstalling the Citrix VDA fails most of the time!

    Good News: Citrix knows that uninstalling the VDA is a problem; for that reason the VDACleanupUtility.exe exists (https://support.citrix.com/article/CTX209255).
    Bad News: VDACleanupUtility.exe (VCU) should run as a user and needs a reboot and a login with the same user, which means it’s not easy to automate.

With some hints from the CTP colleague Stephane Thirion and my colleagues at “Die Mobiliar” I was able to create this guide to automate the Windows 10 update with an automated removal of the VDA.

Task Sequence for SCCM

We are doing this with Microsoft System Center but with the following infos it’s also possible to fulfil this challenge with other ESDs.

Upgrade Steps – Overview

The Citrix VDI specific things are highlighted in yellow; in this guide I’ll focus on them. We are using one task sequence to update all our Windows 10 installations, that’s the reason we need to make a decision whether the installation is a VDI or not.

After the OS upgrade we just install the VDA again with our existing software package.

Because the Windows upgrade kills the Citrix receiver we also re-install the receiver at the end.

The really hard part is the proper automated removal of the VDA, and that’s where I go a bit deeper in this article.

VDI or not – that’s the question

Because we use one task sequence for Win10 with and without Citrix VDA, we just check if the VDA is installed; we do that by querying the key which has been written by the software package for the VDA.

A reboot to start is always smart

Sometimes the VDACleanupUtility asks for a reboot, so it’s good to start with a reboot before any other steps are done.

First step of the VDA removal

The VDACleanupUtility should be started in silent mode and with a suppressed reboot:

cmd /c VDACleanupUtility.exe /silent /noreboot

The VDACleanupUtility.exe is the only thing in the Package you see on the screenshot.

Remove the action which the VCU has set up to run after the suppressed reboot:

cmd.exe /c REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v CitrixVdaCleanup /f

Now you can reboot.

Start the VCU again

This time with the switches /silent and /reboot. /reboot doesn’t mean that it will do a reboot; it’s just the info for the VCU that it’s now in the phase after the reboot:

cmd /c VDACleanupUtility.exe /silent /reboot

Now do all the Windows upgrade steps you want to do; here you also need to think about drivers or, in virtualized environments, XenTools, VMwareTools, etc.

As a next step, install the VDA again.

Re-install the Citrix Receiver

Update of Win10 will destroy your Citrix Receiver installation, for this reason install it again at the end

I want to thank Stephane Thirion (https://www.archy.net) for the hints about automating the uninstall of the VDA. Also thanks to my colleagues Stefan Moser and Thomas Hahnel at Die Mobiliar, who have more know-how about SCCM Task Sequences, for their patience with testing.
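The two VCU phases described above, wrapped in one script as an added example (not the author's task sequence and not Citrix code). It assumes VDACleanupUtility.exe sits next to the script in the package; the check whether a VDA is installed stays a condition in the task sequence, and the parameter names are hypothetical.

```powershell
# Added example, not the author's task sequence. Call it once per phase from
# the task sequence, with a restart step between the two calls.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('BeforeReboot', 'AfterReboot')]
    [string]$Phase,

    # Assumption: VDACleanupUtility.exe sits next to this script in the package.
    [string]$VcuPath = (Join-Path $PSScriptRoot 'VDACleanupUtility.exe')
)

$runOnceKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runOnceValue = 'CitrixVdaCleanup'

if (-not (Test-Path -LiteralPath $VcuPath)) {
    throw "VDACleanupUtility.exe not found at $VcuPath"
}

# /noreboot before the restart; /reboot tells the utility that it is now in
# the phase after the restart (it does not trigger one).
$vcuArgs = if ($Phase -eq 'BeforeReboot') { '/silent', '/noreboot' } else { '/silent', '/reboot' }
$vcu = Start-Process -FilePath $VcuPath -ArgumentList $vcuArgs -Wait -PassThru
Write-Output "VDACleanupUtility $($vcuArgs -join ' ') finished with exit code $($vcu.ExitCode)"

if ($Phase -eq 'BeforeReboot') {
    # Remove the RunOnce entry so the utility does not start itself at the
    # next logon; the task sequence starts the second phase instead.
    $entry = Get-ItemProperty -Path $runOnceKey -Name $runOnceValue -ErrorAction SilentlyContinue
    if ($entry) {
        Remove-ItemProperty -Path $runOnceKey -Name $runOnceValue -Force
        Write-Output "Removed RunOnce value $runOnceValue"
    } else {
        Write-Output "RunOnce value $runOnceValue was not present"
    }
}

# Exit-code meanings are not given in the post, so the code is only passed
# through for the task sequence to evaluate.
exit $vcu.ExitCode
```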


Update Fall 2017: 

The version of the Cleanup tool from September 2017 is able to run in unattended mode, see https://support.citrix.com/article/CTX209255 .
Also I’ve found out that the Update from 1607 to 1703 or 1709 works even when a VDA is installed.

Update November 2017: 

There is now an article by Citrix: “How to Run the VDA Cleanup Utility with SCCM Task Sequences”: https://support.citrix.com/article/CTX229801

IoT – ideology of technology | new MyStrom Smart Devices

Those who know me in person are aware that my life is not only controlled by Citrix technology, I’m also fascinated by Smart Home stuff and the Internet of Things, IoT. For years I have used Philips Hue, Netatmo and other gadgets to make my life easier – or to solve problems which I wouldn’t have without these Smart Home devices… Some of my neighbours believe that I have a girlfriend called “Alexa” and I’m very rude to her.

Anyway, I already wrote about the MyStrom Smart plugs in the article Control MyStrom smart plug by a trigger or Another LaMetric IoT script – power control .

The special thing about the MyStrom WiFi Switch is that it is only for Switzerland; we don’t have the same wall sockets here as are common in Europe. For this reason, from my point of view MyStrom is a niche product, even though it’s a very very good product.

Today I received a package from MyStrom with two very cool new products inside, the MyStrom Bulb and the MyStrom WiFi button. I already have similar products: for the Smart Bulb, Philips Hue and SengLed Boost. For the button I currently have an Amazon IoT button, which I have connected to IFTTT so that I can trigger some things.

In this post I want to compare these new MyStrom devices to other existing devices on the market.

Comparison Smart Bulb:

myStrom WiFi Bulb

  • 39.- CHF (Color)
  • Color
  • E27

+ Has an HTTP REST API
+ Shows power consumption
+ great colors!
– only 600 lm
– Bulb becomes pretty hot, 52,9°C after 30min test.

Philips Hue

  • 69.- CHF (Color)
  • 20.- CHF (White)
  • E27 and GU10 available (Update: Now also E14)

+ Uses the ZigBee protocol
+ Up to 806 lm
– An additional device, called “Bridge”, is required
– Colors not so saturated
– Range is limited; I was not able to have a Hue Bulb in my garage, which is why I added a SengLed Boost.
– Bulb becomes pretty hot, 62,5°C after 30min test.

SengLed Boost

  • 59.- CHF
  • E27

+ Works as a wireless WiFi repeater
– only 470 lm

IKEA TRÅDFRI
LED-Bulb E27 1000 lm White

  • 14.95 CHF (White)
  • Color also available but not with 1000 lm
  • Uses 12,4 Watt
  • Is compatible with Hue-Bridge after latest firmware and perhaps 3rd party Software

+ brightest and cheapest Bulb
– Bulb becomes pretty hot, on some parts 84,9°C after 30min test!

 

Conclusion: It really depends on your needs which Smart Bulb is the best for you. If you already have a Philips Hue ecosystem it makes no sense to switch to MyStrom. But if you start on a green field, you really have to consider going for MyStrom. With MyStrom you have bulbs, plugs and buttons from one brand. The MyStrom bulbs are cheaper than Hue and, very important for me, every MyStrom device has its own web server which allows you to toggle the power state. If you want to extend your WiFi range, have a look at the SengLED Boost bulb, but with this it’s not easy to toggle the light with something other than the existing app.

Comparison Smart Button:

MyStrom WiFi Button

  • 25.- CHF

+ Available in Switzerland – for everyone (soon …)
+ Battery rechargeable
+ Native IFTTT compatible
+ 3 Push Patterns
+ Fast reaction time (< 2sec to toggle a Switch)

Amazon IoT Button

  • 19.90$

– Only for Amazon Prime customers
– Battery not replaceable
– Reaction time pretty long
+ IFTTT with a “special setup” possible
+ 3 Push patterns

Hue Tap

  • 69.-
    NOT TESTED!

– needs the Bridge
+ No need for battery
+ 3 buttons

Hue Dimmer Switch

  • 29.-
    NOT TESTED!

– needs the Bridge (?)

Conclusion: For most “home automators” the MyStrom WiFi button will be the best choice; the way to configure an AWS IoT button is an “advanced experience”. I don’t like that the Amazon IoT Button has a non-replaceable/non-rechargeable battery inside. If you already have a large Philips Hue ecosystem, maybe the Hue Tap / Dimmer Switch is the best for you.

StoreFront – Allow relogin without browser close

Citrix StoreFront is able to handle logins with smart cards, and after a successful smart card login you cannot log off and log in again before you close the browser; you will see this message:

You have logged off successfully. Please close your browser to protect your account.

According to the message, this is a feature and not a bug … A re-login is not a security problem in every case; for example, if smart cards are mandatory in general, you also need to log on to the VDI or the application with your smart card.
Especially for an admin working with multiple accounts it can be very annoying.

In scope of the CTP program I’ve asked Citrix to improve that and give Citrix admins the possibility to configure this security feature in future versions. Now when StoreFront 3.8 was released I complained that this is still not implemented.

Feng Huang then gave me the hint that this is actually configurable but not yet implemented into the GUI.

All that must be done is to add the line CTXS.allowReloginWithoutBrowserClose = true to the file C:\inetpub\wwwroot\Citrix\YOURSTORE\custom\script.js

THANKS Citrix for Listening to special requests!

PowerManagement for dedicated Citrix desktops? Yes with Tags!

Are you using Tags in your XenApp & XenDesktop environment? Maybe you should. Tags to resources, in my case desktops can be very powerful especially in combination with PoSh scripts. You can do actions for machines depending on the tag. Of course you also can use tags to filter Citrix policies on it, also useful.

I had the problem that I have a delivery group with dedicated Win10 desktops, and for dedicated desktops there is no power management. Usually it’s also not needed, because if a user launches a Citrix session over StoreFront the machine gets powered on. The problem in my case: sometimes users connect to their desktops in other ways than Citrix, so this built-in construct doesn’t work. So if they shut down their virtual desktop they can never ever access it again until an admin powers it on over Director or Studio.

My solution to this was, I tagged this special user machines with a tag “AlwaysOnline” in Studio and I wrote this small script which runs every 15 minutes:

param(
    [string]$tags = $(throw "Tag parameter is required"),
    [string]$poweroperation = $(throw "Power operation parameter is required")
)
#==============================================================================================
# Created on: 09.2016 Version: 0.2
# Created by: Sacha Thomet
# File name: PowerOperation-DependingMachineTags.ps1
#
# Description:  This is a PowerShell script to change the power state of VDIs or XenApp servers
#               in a power-managed XenDesktop 7.x environment according to tags.
#
# Prerequisite: None, a XenDesktop Controller with according privileges necessary
#
# Call by : Manual or Scheduled Task
#==============================================================================================
# Load only the snap-ins which are used
if ($null -eq (Get-PSSnapin "Citrix.Broker.Admin.*" -ErrorAction SilentlyContinue)) {
    try { Add-PSSnapin Citrix.Broker.Admin.* -ErrorAction Stop }
    catch { Write-Error "Error loading the Citrix.Broker.Admin.* PowerShell snap-in"; return }
}
# Change the below variables to suit your environment
#==============================================================================================

$maxmachines = 1000 # the default is only 250 records, this increases it to 1000
#$tags = "AlwaysOnline" # if you comment out the param block you can set the tag here
#$poweroperation = "TurnOn"  # if you comment out the param block you can set the power operation here

# Tags is a list on each machine, so test whether it contains the requested tag
$machines = Get-BrokerMachine -MaxRecordCount $maxmachines | Where-Object { $_.Tags -contains $tags }

foreach ($machine in $machines) {
    $machinename = $machine.MachineName
    Write-Host "Action $poweroperation will be performed for $machinename"
    # Queue the requested power action for this machine
    New-BrokerHostingPowerAction -Action $poweroperation -MachineName $machinename
}

I know I know, this is not a common use case, but the script construct shows what is possible with tags … there are almost unlimited possibilities to cover special cases with tags.

My example Script on GitHub: PowerOperation-DependingMachineTags.ps1

Welcome to the Jungle … of the Citrix Display Modes

When I started to work with Remote Desktop stuff back in 2001 there was one thing definitely not possible: watching a video over a remote connection, not even with Citrix … In the last years a lot of things changed and Citrix improved their protocols and video codecs from version to version. Today you can do awesome things over a remote connection with Citrix. There are many blogs and articles which show what’s possible, also for GPU mapping, 3D stuff and so on … This blog doesn’t describe how you can get the awesome 3D things out of your VDI. It’s more about the case where you don’t have special requirements for 3D, you don’t have time to test all possibilities, no time to tune, but you want to have the best result according to the Pareto principle.

What do you configure? Nothing? Just default, because default is the setting which will fit for most Users?

 

Are you aware that the default setting on XenApp/XenDesktop until VDA 7.9 was Thinwire with H.264 and since VDA 7.9 it’s Thinwire Plus (Compatibility Encoder)?
You need to consider this fact before you upgrade from 7.x to 7.9! Why did they change that? Is Thinwire Plus better? No! Is Thinwire H.264 better? No!
It’s just different! What are the differences? What do I need to choose? It depends! But on what?

This blog post is mainly a comparison between Thinwire Plus and Thinwire H264 !

I’ve done a survey what is preferred for the codec on twitter, funny result 50% vs 50%:

[Image: Twitter survey, H.264 vs. Thinwire]

I’ve started some tests, also with the Pareto principle, so no deep scientific background! I tested an internal video in our Intranet of 53 seconds and 1 minute of a YouTube video, Big Buck Bunny, with 25 fps,  set to 720p in YouTube. I had an eye on the user experience, means fragments, fluent movie, lip-sync and on the other side on the resource consumption like CPU and bandwidth.

(Advice if you like to do your own tests, Big Buck Bunny is nice to impress people but if you want test for lip-sync take an other movie … the Bunny doesn’t talk much …. )

 

[Image: Remote Desktop Analyzer 1.4]

For these tests I used the best, or the only, tool on the market to analyze remote display stuff, the Remote Desktop Analyzer from Bram Wolfs and Barry Schiffer. In version 1.4 you can do some very helpful statistic reports:

 

I have tested with:

Virtual Desktop:

  • Windows 10, VDA 7.9, 2 vCPU, 4 GB Memory, virtualized on VMWare ESX.

Video Codecs:

  • Thinwire +
  • Thinwire with H264

Client:

  • Mac OSX
  • Windows 10
  • HDX Raspberry Pi

and thank you to René Bigler (Twitter @dready73) for testing with these clients:

  • ChromeBook
  • Linux ThinClient (IGEL)

 

And these are our results:

[Result charts, images not preserved: H.264 vs. Thinwire Plus on Windows 10, OS X, Raspberry Pi, iOS, IGEL and Chrome OS]

 

My personal conclusion:

If you have clients like ChromeBook or Windows which can handle H.264, this is your way to go. With limited H.264 on the end device you run better with Tw+.

I work in a company which internally has only Windows 10 client devices, but externally we have users with BYOD, and MacBooks are not a minority. For this reason I set a Citrix policy which sets all connections not coming over NetScaler to Tw with H.264. So internally we have the best result and externally still a good result, above the average. What would be best is if it were possible to set a Citrix policy according to the client OS which connects.

 

Recommended Links:

HDX Graphics Modes – Which Policies Apply to DCR/Thinwire/H.264 – An Overview for XenDesktop/XenApp 7.6 FP3: http://support.citrix.com/article/CTX202687

Citrix Display modes: How to configure, what to configure, when to configure: https://bramwolfs.com/2016/02/24/citrix-display-modes-how-to-configure-what-to-configure-when-to-configure

H.264 compression JUL 19 2013 A graphical deep dive into XenDesktop 7 https://bramwolfs.com/tag/h-264-compression

Update 23.9.2016:

An excellent blog post here: Citrix HDX Just Got Smarter…Again https://www.mycugc.org/blog/citrix-hdx-just-got-smarter…again?source=6 a post about selective H264 with XenApp / XenDesktop 7.11

Use Octoblu with Amazon Echo as trigger to start A/C on Tesla Model S

It needs a bit of courage as a non-native English speaker, and with my hard Swiss accent it’s maybe awkward … but I’ve done it … my first webcast … you cannot win without a risk 🙂

Goal: Use Amazon echo to start the Air Condition of the Tesla Model S.

21.6.2016, Update to this post:

It’s not so difficult to use Alexa without IFTTT in Octoblu. I just created a flow to ask Alexa what the battery level is, and she tells me the remaining battery in percent:

For details about how to integrate Alexa in Octoblu, look at this: Use Alexa to kick off automations with Octoblu

By the way: If you don’t have a Tesla but you’d like to buy one, use my referral link http://ts.la/sacha3162 and save 1000.- !