blog.sachathomet.ch

Application virtualization, IoT and Cloud Computing, Blog of Sacha Thomet

“Cannot complete your request‘” on Netscaler Gateway VPX

In my lab environment I was using a Citrix Webinterface 5.x which was accessible  from Internet over a Access Gateway 5 VPX. Since Citrix Store Front is in a fairly usable release (> Version 2.x), I intended to update my lab environment to the current software releases and update my skills to Store Front and Netscaler Gateway VPX.

You can find a step by step Netscaler Gateway intro here http://blogs.citrix.com/2013/07/03/citrix-netscaler-gateway-10-1-118-7-quick-configuration-wizard
Also a very nice guide you can find here, this guide also contains information about how to configure StoreFront for Netscaler Gateway VPX: http://benjamin.eavey.com/2013/07/netscaler-vpx-as-secure-gateway-replacement

Cannot complete your request

After completion of the configuration I was not able to access the my environment from outside. The login to the Netscaler Gateway, the black window, was working fine, but as soon I hit the StoreFront I get this Error:

cannot-complete

Because StoreFront is working fine from internal, I assumed that’s not a completely wrong StoreFront configuration. After i had a look into the event viewer on the StoreFront server I can see that something is wrong here:

eventlog_error_callback

 

The crucial indication that’s a problem between the Store Front server and the the Netscaler Gateway in role of Authentication Callback Server I found here:

eventlog_error_callback_event3

when I browse to the address https://192.168.x.x/CitrixAuthService/AuthService.asmx you can see a certificate error, so I need to have here a FQDN that match to the installed certificate but I wont communicate outside, so first I’ve defined the internal IP as Callback URL:

general-settings

 

Now I’ve changed the Callback URL to the FQDN appropriate to the certificate:

general-settings-ok-with-fqdn

But because the DNS resolve this URL as the external IP which is not accessible over the necessary TCP ports, I was constrained to do a dirty hack … I have edited my host file :

hosts

 

Achieve fastest Citrix Provisioning Target Device

Citrix Provisioning Services is in my point of view an incomparable way to deliver a Software image to a  system. It’s not a kind of an known enterprise software deployment, rather it’s a way to stream a virtual disk during runtime to hardware. Beside of PVS, the acronym of Provisioning Services.

This article doesn’t explain what’s PVS and how it works. It only shows my personal best practice to have the fastest PVS target device. It’s maybe not the only one and right solution to work with PVS, e.g. for VDI other approaches would match better.  In the last couple of years I was working on multiple projects to introduce PVS OS streaming for XenApp servers on physical hardware or virtualized servers. The following instruction shows my way to deliver the fastest PVS Target for read-only XenApp servers, or in the XenApp replacement this  role is  Xen Desktop 7.x  App Edition called .

In this article I only mention performance relevant topics, I will not talk about HA, continuous availability or about PXE, TFTP and so on.

#1. Reduce reads from disk, make use of Standby Memory for vDisks

The best way to increase performance is to reduce work, in this  first step it’s to reduce the hard disk read by reading virtual hard disk files (VHD’s). This can be achieved by make use of the Windows disk cache, this approach is possible on physical PVS servers and as well on virtualized PVS servers on any hypervisor. Using the Windows disk cache means that files which are read from disk, are cached in Standby memory of the Server.
(If you are using XenServer as hypervisor have a look to the IntelliCache feature, http://blog.citrix24.com/how-does-intellicache-work. )

To make use of the file cache you need:

  • The vDisk on local drives, no CIFS share, no NFS share.
  • A plenty of memory to the PVS.

Having the vDisk’s on local disks is not the common way to work with PVS, keep in mind that you have to synchronize the files on all servers in PVS farm.

You can check if the file cache is used properly by having a look in the resource manager. If you have nearly no free memory and have a lot of use standby memory it’s a good sign:

ressourcemgr

To have a deep dive look in the cache use RamMap and keep an eye to File Summary:

rammap-vhd

 

#2. Use Target Device Write Cache on Ram

The second second way to increase performance is to use fastest possible storage, hard disk drives are quite fast today, solid state disks are faster but Ram is still the fastest memory. Because we need on the Target device only the Write Cache it doesn’t matter that the Ram is a transient memory.

A short performance comparison:

With AS SSD Benchmark you can measure the speed of your disk.

Target Device with WriteCache on Ram:
assd_benchmark_CacheRam

Target Device with WriteCache on local disk:
assd_benchmark_Cache_TargetDisk

( AS SSD Benchmark is Freeware and you can download and donate on: http://www.alex-is.de/PHP/fusion/downloads.php?cat_id=4&download_id=9 )

Keep in sight the Memory

When you working with Write Cache in the Target device Ram you must  appreciate the dangers of it … If you are running out of WriteCache the Target Device, perhaps a XenApp server with 50 users on it, will reboot immediately .
(By the way …  Citrix Provisioning Services 7.1 offers a great new feature, it’s the possibility to Cache to Ram with overflow to hard disk. Do not use it … it doesent work proper! Waiting for a hotfix.)

  • Plan the amount of real used Memory:Think how much of the Ram you will use for WriteCache, give as much as possible and consider the real memory usage of a fully loaded server. e.g. if you have a XenApp server as Target device with 16GB of Memory you can allocate 6GB for WriteCache and have still 10GB Memory for the XenApp servers. If you have special memory hungry application on the server you need maybe an other segmentation. It doesn’t exists a recipe, have a look on your currently productive servers about the used memory.
  • Reboot your Target device periodically to reset the used cache.
  • Reduce usage of Write Cache by redirecting as much as possible to an other disk drive, of course this is only possible if you still have a local disk attached to the Target Device.Good candidates to redirect are:
    • Printer Spooler
    • Pagefile
    • EventLog
    • EdgeSight database
  • Monitor your Write Cache,  a way to do this is e.g. using this small Powershell script on the PVS server with a scheduled task:
    (If you have PVS 7.1 with the newest Hotfixes I recommend to use WriteCache on Ram with overflow to hard disk)
#========================================================================
# Created on: 09.01.2014
# Created by: Sacha T. blog.sachathomet.ch
# Filename: Citrix-PVS-Get-Targetdevice-WriteCacheSize.ps1
#
# Descritpion: This script query the used write cache of the PVS farm
# connected target devices and write an event log entry if
# a target device exceed a definec % value of cache.
#
# Prerequisite: Script must run on a PVS server, where MCLI snap-in is registered.
#
# Register SnapIn with command: C:\WINDOWS\Microsoft.NET\Framework64
# \v2.0.50727\InstallUtil.exe 'C:\Program Files\Citrix\Provisioning S
# ervices Console\McliPSSnapIn.dll'
#
# Call by : Scheduled Task all e.g. all 5 min.
#
#========================================================================
$thresholdInformation=55 # define the Threshold in %
$thresholdWarning=70 # define the Threshold in %
Add-PSSnapin -Name McliPSSnapIn -ErrorAction SilentlyContinue
$pvsdevices = mcli-get device -f deviceName | Select-String deviceName
foreach($target in $pvsdevices)
{
 $target | Select-String deviceName
 $_targetshort = $target -replace "deviceName: ",""

 mcli-get deviceinfo -p devicename=$_targetshort -f status

 $devicestatus = mcli-get deviceinfo -p devicename=$_targetshort -f status
if ($devicestatus[4].TrimStart("status: ") -replace ",","." -gt $thresholdWarning)
{Write-Host "WARNING: The Write Cache of the PVS-Target device $_targetshort exceeded $thresholdWarning %! Intervention is needed" -foregroundcolor "red"
#do here what you need, email, eventlog etc ...
 write-eventlog -logname Application -source StreamProcess -eventID 3001 -entrytype Warning -message "A PVS target device, $_targetshort, exceeded the threshold ($thresholdWarning %) !" -category 1 -rawdata 10,20
 }

 elseif ($devicestatus[4].TrimStart("status: ") -replace ",","." -gt $thresholdInformation)
{Write-Host "INFORMATION: The Write Cache of the PVS-Target device $_targetshort exceeded $thresholdInformation %! " -foregroundcolor "yellow"
#do here what you need, email, eventlog etc ...
 write-eventlog -logname Application -source StreamProcess -eventID 3001 -entrytype Information -message "A PVS target device, $_targetshort, exceeded the threshold ($thresholdInformation %) !" -category 1 -rawdata 10,20
 }

#3. Avoid if possible cross Data centre streaming 

  • If you have different subnet’s, make use of subnet affinity in the load balancing configuration on the vDisk.
  • If you have one subnet over more data centres, create a store with the vDisk for each data centre and let only provide servers from the corresponding data centre this store. With this way you can still switch fast to a cross data centre configuration in a case of a PVS server outage in a data centre.

4#. Use all exiting best practice guides for tuning:
(for all what I’ve forget here … )

e.g. : http://blogs.citrix.com/2010/11/05/provisioning-services-and-cifs-stores-tuning-for-performance  and http://support.citrix.com/article/CTX127549

 

ff

Citrix DSCHECK doesen’t work … “No resource module ImaMsgsUI.dll found.”

When you try to make a Citrix Datastore validaiton with DSCHECK you receive the error message :

” No resource module ImaMsgsUI.dll found. “

dscheck_doesent_work

Cause:
Probably you are on a Citrix server with UAC,

Solution:
Launch the command line with administrative privileges, “run as administrator” before you make the dscheck.

more details about dscheck.exe here: http://support.citrix.com/article/CTX124406

Check Citrix XenApp published application properties with a PowerShell script

To avoid troubles with session sharing, you have to keep in mind that you set the application properties which are relevant for the session and his virtual channels in the same way.
This is for example the properties like color depth or the audio setting.

To check this, I’ve written a small PS script which loops trough all application, reads the application properties and shout if something is not like expected.

Show all apps which are not published as 32bit Color:

#========================================================================
# Created on: 5.11.2013 
# Created by: Sacha T. http://blog.sachathomet.ch 
# Filename: apps_not32bit_Office.ps1
#========================================================================
write-host "This Script show all Apps in Workergroup National which are not in 32 bit color depth published"
Add-PSSnapin Citrix.XenApp.Commands

 #$applications = Get-XAApplication #Gets the published applications
 $applications = Get-XAApplication -WorkerGroupName National


foreach($app in $applications){
 
 #Check to see if the application audio is disabled
 if($app.ColorDepth -ne "Colors32Bit"){
 $app_no32b+= "$app is not published in 32 bit.`n"
 }
 
 }
 
 echo "`nApps not 32bit: "
 echo $app_no32b
 
 
Write-Host "Press any key to continue …" 
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

 


Change the green Workergroup to your workergroupname, it’s also possible to run this script without the parameter -WorkerGroup, but then all published content will be recognized as “non-32-bit”.

If you want see which application has audio disabled just change the attribut in the loop: 

---<snip>--- foreach($app in $applications)
{ #Check to see if the application audio is disabled if($app.AudioType -eq "none")
{ $app_noaudio+= "$app audio is currently disabled.`n" } } echo "`nApps Audio disabled: " echo $app_noaudio
---<snip>---

 

This easy loop you can recycle to check every application attribute, all possible attributes of an app you can get with an

Get-XAApplication -BrowserName "thebrowsernameofourapp"

Have a look into the StoreFront 2.x Subscription Database

Last days I had to deal with Citrix StoreFront 2.0 and found out that a numerous issues still exists and that some things are still not implemented to configure in the StoreFront MMC SnapIn.

Session timeouts and settings like enable or disable of features like workspace control still must be handled over the config-files. But this is all well documented the official documentation of Citrix.

But seems there is no possibility to have a look into the subscription database from Citrix Storefront which is now with version 2.0 in a proprietary non-MSSQL format. For this reason I created this small script (execute it on the StoreFront server):

#========================================================================
# Created on: 22.10.2013
# Created by: Sacha T. blog.sachathomet.ch
# Filename: GetSubscriptedStoreFrontApps.ps1
#========================================================================
#define some variables
#$domainname = "anotherDomain" # use that if your user is in another domain
$domainname = $env:userdomain
$storename = "StoreFront"      # Change this to your Store-Name
$subinfofile = "C:\temp\temp-subscriptions.csv"
Write-Host Query StoreFront apps in domain $domainname in Store $storename
$username = Read-Host "Please enter username to query"
#Add Module for Citrix StoreFront
Import-Module "C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"
#Change username to domain SID
$objUser = New-Object System.Security.Principal.NTAccount($domainname, $username)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
#delete old Subcriptionexportfile
Remove-Item $subinfofile -ErrorAction SilentlyContinue
#Create new Subcriptionexportfile
Export-DSStoreSubscriptions -StoreName $storename -FilePath $subinfofile
##Add a caption to the file, this is needed to process csv
$content = Get-Content $subinfofile
Set-Content $subinfofile sid.app
Add-Content $subinfofile $content
#Read all Lines in CSV from this User which are not unsubscribed
import-csv C:\Temp\temp-subscriptions.csv -delimiter "."| Where-Object {$_.sid -like "$strSID*" -and $_.app -notlike "*unsubscribed*"}| Format-Table -Property app
#wait to read the result - usefull if started from WindowsExplorer with "Run in PowerShell"
Write-Host "Press any key to continue …"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

 

When I’ve created this script I found out that deleted apps wont be removed from the subscription database and as well users who leave the company will still have records in the database after they are deleted in the AD. So within the years, the subscription database will have a lot of orphan data in the database. Seems that an automated clean-up does not exists.

There is a way to delete the records, have a look to forum post of Duncan Gabriel Thread:

Delete user subscriptions?  http://forums.citrix.com/thread.jspa?threadID=334609

Display the server name on Citrix StoreFront 2.0 WebReceiver

In enterprise environments most admins have more than one Citrix Storefront Webserver and loadbalance them over a Netscaler,  F5 or something equivalent.If a user has a misbehaviour on the website it’s not always easy to find out on which Storefront Website this user is working. To simplify troubleshooting it can be helpful to know which web server  user is accessing.

To see this on the website just add the following lines to the bold written files:

C:\inetpub\wwwroot\Citrix\[Storenname]\contrib\custom.style.css

#SFserver {
 padding-right: 30px;
 padding-bottom: 20px;
 float: right;
 color: silver;
 }
C:\inetpub\wwwroot\Citrix\[Storenname]\contrib\custom.script.js
$(document).ready(function() {
 var $markup = $('<div id="SFserver">Storefront:  [Name of the Server e.g. StoreFront001] </div>');
 $('#resources-footer').append($markup);
 });

 

StoreFront Website with Name in footer

 

This can also be done dynamic with JavaScript (System.Environment.machineName) but I had some troubles with formatting … and maybe you wont reveal the real hostname and just put an alias there to distinguish on which server the user is working.

Keep in mind that this file will be updated/overwritten in a multi server environment when you click on propagate changes.

 

By the way, if you need this for the legacy Citrix Webinterface visit:  http://techblog.deptive.co.nz/2012/03/display-server-name-on-citrix-web.html