Bit-101

Posts posted by Bit-101

  1. NS 13.1 build 51.15

    I'm logged in as nsroot
    show connectiontable | grep -E '1494 | 2598'
    10.110.240.107  26970   192.168.190.6   2598    HTTP         0       ESTABLISHED                           0               S
    10.110.240.107  38885   192.168.190.6   2598    HTTP         0       ESTABLISHED                           0               S
    Other commands:
    show vserver
    show vpn vserver
    Don't give me any clue

    No AppFirewall
    No ACL

     

    I'm surprised. Everything works, but why can't I see NetScaler listening on port 1494?

    I really appreciate your answer

    :)

  2. Is it possible to create temporary access for a group of users?

    When the users log out, they have to go through some steps to get access again.

    Is something like that possible with Netscaler and within Citrix eco-system in general?

    Really appreciate your answer

     

    :)

  3. I want to accomplish a group of users that always has temporary access.

    I have these components:

    -Netscaler Gateway

    -MFA with FortiAuthenticator (token that appears on the user's mobile phone)

    -Storefront

    When I already have NetScaler, StoreFront and FortiAuthenticator, I believe there is no reason to
    implement a separate third-party just-in-time access solution.

    So I'm here with what I call a custom integration:
    Create a custom integration that places an approval step between authentication and session creation, with a script in PowerShell:

    NetScaler API access: The script must be able to send and receive data from the NetScaler API.
    FortiAuthenticator API access: To interact with FortiAuthenticator for authentication.
    Approval process: A method of sending and receiving approvals by SMS to an admin person.

    This is my question, to get further:
    Which API and methods should I use in NetScaler to accomplish this? Is there anyone who can give some examples?

    Really appreciate your answer

    :)

  4. I have to check with this forum, so I'm really sure.

    I have a multi-session VDA, with only the VDA installed on Windows Server 2019, published as a multi-session desktop.

    No Director, no MCS, no PVS. Only a VM in VMware.

    Authentication is done by the Netscaler
    2 Storefront servers
    2 DDC

     

    Are there more or fewer ports that are required to be open on that VDA?

    My information below, with comments, is based on this link from Citrix:
    https://docs.citrix.com/en-us/tech-zone/build/tech-papers/citrix-communication-ports.html

     

    Definition of my comment below

    # = I think I don't need this

    Red colored text = my questions

     

    License server

    Any Citrix Component - Handles initial point of contact for license requests

    -Citrix License Server TCP 27000

     

    Access to applications and  virtual desktops

    -ICA/HDX protocol 1494

    Source and Destination?

     

    Access to applications and  virtual desktops

    EDT protocol requires 2598 to be open for TCP/UDP.
    Source and Destination?

     

    #I don't use the HTML5 Receiver

    #-TCP 8008

     

    Application/Desktop Request - communication with DDC

    -TCP 80/8080/443, XML Service Destination: DDC

    Source: VDA, Destination: DDC (Both directions)

     

    #Authentication of user during application or desktop launch (Authentication is done by the NetScaler?)

    #Domain Controller

    #-TCP/UDP 389

     

    Access to applications and virtual desktops by ICA/HDX over SSL

    -TCP 443
    Source: ??, Destination: ??

     

    #Virtual  Delivery Agent Domain Controller

    #Communication between Virtual Delivery Agent and Microsoft Global Catalog used

    #during the registration process in order to validate its list of configured

    #-TCP 3268

     

    #Citrix Workspace app, StoreFront - Communication with StoreFront

    #TCP, UDP 80,443 (No citrix receiver installed on VDA)

     

    Other ports

    Fileshare for storage files and profiles

    etc..

     

    Really appreciate your answer with more or fewer ports, with the source and destination

  5. Thanks for your answer.
    It seems like every person installs certificates by their own working method.

    OK, but I have always installed a certificate and a separate key in PEM format with a password, since NetScaler 12.XX something.

    Never imported it into StoreFront, made the key exportable, exported it and then installed it in NetScaler.

    Option number 3 did work for me
    (This worked, and I'm surprised that option number 2 did not work.)
    3. "examplecertificate" in pem-format with a so-called no-key file (you do not need to provide a password when installing it in NetScaler)

    But this worked in my lab, so I hope it works "in live conditions".


    :0)

  6. Object: Netscaler 13


    I have received various suggestions on what is right and wrong, but I am convinced that you know this.

    I have a certificate issued from our CA, which is a web server certificate called "examplecertificate".


    I have the certificate in the following variants and formats as below: -
    1. "examplecertificate" with an embedded key. A .p12 certificate. (you must provide a password when installing it in NetScaler)
    2. "examplecertificate" in pem-format with a separate key file (you must provide a password when installing it in NetScaler)
    3. "examplecertificate" in pem-format with a so-called no-key file (you do not need to provide a password when installing it in NetScaler)

     

    If you are unsure, please try to answer which of the options 1-3 is completely wrong

     

    Additionally, someone has said  "..no you shall only use that .pfx format with embedded key".


    I've done this a few times before in NetScaler, about 5 or 6 years ago, but I don't remember how I did it back then and whether something
    has changed since.

    The problem is that when I try to install the certificate in .p12 format and in PEM format, NetScaler complains:
    Invalid private key or PEM pass phrase required for this private key
    To know more about the error please click here
    (it's not possible to click here in our environment because of security reasons)
    I know the password, so that's not the problem. It's something else.

    I really appreciate your answer
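
Added example, not part of the original post and not Citrix code: a small Python check that tells the file variants listed in this post apart by their PEM markers and reports whether a private key is passphrase-protected. The function names are hypothetical and the sample inputs are constructed placeholders, not real keys.

```python
import re

# One PEM block: BEGIN label, body (may include RFC 1421 headers), END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_blocks(data: bytes):
    """Return [(label, description)] for every PEM block in a file's bytes."""
    text = data.decode("latin-1")  # never fails; PEM itself is ASCII
    found = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":
            desc = "PKCS#8 private key, passphrase required"
        elif label.endswith("PRIVATE KEY"):
            # Traditional OpenSSL keys flag encryption in header lines.
            if "Proc-Type: 4,ENCRYPTED" in body:
                cipher = re.search(r"DEK-Info: ([^,\s]+)", body)
                desc = "traditional private key, passphrase required (%s)" % (
                    cipher.group(1) if cipher else "cipher not stated")
            else:
                desc = "private key stored without a passphrase"
        elif label == "CERTIFICATE":
            desc = "certificate"
        elif label == "CERTIFICATE REQUEST":
            desc = "CSR, not a signed certificate"
        else:
            desc = "other PEM object"
        found.append((label, desc))
    if not found and data[:1] == b"\x30":
        # DER SEQUENCE tag: binary container such as .p12/.pfx or a DER cert.
        found.append(("DER", "binary ASN.1 file (e.g. PKCS#12), not PEM"))
    return found


def key_needs_passphrase(data: bytes):
    """True/False for the first private key found, None if the file has none."""
    for label, desc in classify_blocks(data):
        if label.endswith("PRIVATE KEY"):
            return "passphrase required" in desc
    return None


# Constructed samples: real PEM framing, placeholder bodies (not key material).
SAMPLE_ENCRYPTED_KEY = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_CERT_PLUS_NOPASS_KEY = b"""-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""
SAMPLE_P12 = b"\x30\x82\x0a\x00" + b"\x00" * 8  # constructed DER-style header

if __name__ == "__main__":
    for name, blob in [("option 2 style", SAMPLE_ENCRYPTED_KEY),
                       ("option 3 style", SAMPLE_CERT_PLUS_NOPASS_KEY),
                       ("option 1 style", SAMPLE_P12)]:
        print(name, classify_blocks(blob), key_needs_passphrase(blob))
```

A key reported as stored without a passphrase is protected only by file permissions, so restrict access to it wherever it is staged before import.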

     

     

     

  7. Symptom: Cannot connect to Published Desktop (Multi user session)
    VDA version: 7 220 3 LTSR CU3, Windows server 2019

    Test ports with:
    netstat -n -a

    On the VDA I don't have any connection established on port 3268 with the Domain Controller.

    Run a check with PowerShell from the VDA:
    Test-NetConnection -ComputerName 192.168.162.213 -Port 3268
     

    ComputerName     : 172.168.123.123

    RemoteAddress    : 172.168.123.123

    RemotePort       : 3268

    InterfaceAlias   : Ethernet0 2

    SourceAddress    : 172.168.121.3

    TcpTestSucceeded : True
     

    Port 3268 is open

    ListOfDDCs is in the registry

    Event ID:
     

    Log Name:      Application
    Source:        Citrix Desktop Service
    Date:          2023-12-28 16:54:54
    Event ID:      1001
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      .my.domain
    Description:
    The Citrix Desktop Service failed to obtain a list of delivery controllers with which to register. 
     
    Please ensure that the Active Directory configuration for the farm is correct, that this machine is in the appropriate Active Directory domain and that one or more delivery controllers have been fully initialized. 
     
    Refer to Citrix Knowledge Base article CTX117248 for further information. 
     
    Error details: 
    Exception 'The server is not operational.

    Name: "my.domain"
    ' of type 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException'
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Citrix Desktop Service" />
        <EventID Qualifiers="49152">1001</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2023-12-28T15:54:54.021141700Z" />
        <EventRecordID>115532</EventRecordID>
        <Channel>Application</Channel>
        <Computer>srv12345.my.domain</Computer>
        <Security />
      </System>
      <EventData>
        <Data>The server is not operational.

    Name: "my.domain"
    </Data>

     

    I would really appreciate it if someone has any idea why the VDA does not have an established connection on port 3268 with the Domain Controller
     

  8.  

    Getting a bit confused when I try to read what certifications are available for Netscaler. The most recent certifications.

    Citrix Certification for Citrix Netscaler or should I say ADC?

    I probably need some help from a senior who can guide me.

    What is the certification path to get a certification with NetScaler?

    a) What exam must I pass?

    b) What is the first level of certification?

    c) How do I get to the next level, and so on?

    Really appreciate your answer

     



     

  9. @Rhonda Rowland 

    @Carl Stalhood
    Thanks for your engagement!

    A question like this usually doesn't get any answers

     

    @Rhonda Rowland:
    Yes, I know, and I'm trying to understand what you are saying.
    Forget everything about binding a certificate to a virtual server.

    Now I only want to create an SSL cert for labtest.local

    I think we need to reach a consensus on approach to "Create Certificate Signing Request (CSR)"

    I hope some screenshots will give a better picture of this process.

     

    Here is what I´m doing and what I see:
     

    1. SSL files

    1.2 Generate RSA key

    -labtest.key

    [screenshot]

     

    1.3 CSR - Create Certificate Signing Request (CSR)

    -Create Certificate Signing Request (CSR)

    [screenshot]

    1.4 Request Filename
    labtest.csr

    1.5 Key Filename:

    -labtest.key

    1.6 Pem

    Subject alternative name

    -DNS:www.labtest.local DNS:labtest.local

    [screenshot]

     

    Create>

     

    2. Nothing happens
    Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc
    Expected to see something here:

    [screenshot]

     

    3. Troubleshooting

    Have set up a root Windows  Server with ADCS (Root CA)
    Login to Root CA
    -Have a look in
    Issued certificates

    -nothing except all web servers

    Failed request

    -nothing there

    Event log Root CA server

    -nothing there

     

    On my ADCS server (Root CA)

    The only option that is available is "Submit new request", but I try this way anyway (although it is not what I expect to do).

    Then I receive the error, see below:
    [screenshots]

     

    -The question is, how do I get to the state where I have a labtes.local.pfx with private key, or another .extension certificate, so I can move on?

    Note: It works like a charm to enroll (distribute) client and server certificates for my Windows clients and Windows servers with GPO.

     

     

    I hope this clears up how I'm doing it, so you can see what's wrong.

     


     

     

     

     

     

  10. Update: I´ve Googled the error:
     

    This error message typically indicates that the certificate request does not contain information about which certificate template to use when issuing the certificate. The certificate template is a pre-defined set of attributes that determines the type and properties of the certificate.

    To resolve this error, you need to ensure that the certificate request includes information about the certificate template. You can do this by either selecting a certificate template when creating the certificate request or by adding the Certificate Template extension to the certificate request.

     

    -It's not possible to do that in NetScaler?

    -I hope I'm wrong?

    -But if someone sees a possibility to do this request in NetScaler, I'd be happy if you could share your knowledge.

    These are the only available options in NetScaler 13.0 as far as I can see:
     

    1. SSL files

    -Keys:

    1.2 Generate RSA key

    -labtest.key

    1.3 CSR - Create Certificate Signing Request (CSR)

    -Create Certificate Signing Request (CSR)

    1.4 Request Filename
    labtest.csr

    1.5 Key Filename:

    -labtest.key

    1.6 Pem

    Subject alternative name

    -DNS:www.labtest.local DNS:labtest.local

     

    Create>

     

    2. Nothing happens Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc

     

    3. Troubleshooting

    Have set up a root Windows  Server with ADCS (Root CA)
    Login to Root CA
    -Have a look in
    Issued certificates

    -nothing except all web servers

    Failed request

    -nothing there

    Event log Root CA server

    -nothing there

     

     


  11. OK, it's a lab.

    And I have installed ADCS (Active Directory Certificate Services) on one server, labserver-02.
    So I'm trying to save (download) the labtest.csr in NetScaler and then go to the certutil manager and Submit Request on labserver-02 by pointing to that labtest.csr.

    The problem is that it's not possible; the only option is to submit a new request. And the error message is displayed as in the screenshot.

    I'm the CA administrator. In other words, I have the PKI environment.

    And it works for both clients and servers but not with NetScaler.

    (Distribute certificates by GPO)

    [screenshot: submit_request]

    P.S. Are you thinking of an external SSL supplier like sslforfree.com or something like that?

  12.  

    Create a "Certificate Signing Request (CSR)" 

    -But it fails for some reason

     

    Here's how I'm doing it:

    In Netscaler GUI

     

    1. SSL files

    -Keys:

    1.2 Generate RSA key

    -labtest.key

    1.3 CSR - Create Certificate Signing Request (CSR)

    -Create Certificate Signing Request (CSR)

    1.4 Request Filename
    labtest.csr

    1.5 Key Filename:

    -labtest.key

    1.6 Pem

    Subject alternative name

    -DNS:www.labtest.local DNS:labtest.local

     

    Create>

     

    2. Nothing happens Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc

     

    3. Troubleshooting

    Have set up a root Windows  Server with ADCS (Root CA)
    Login to Root CA
    -Have a look in
    Issued certificates

    -nothing except all web servers

    Failed request

    -nothing there

    Event log Root CA server

    -nothing there

     

    4. I assume that a signed labtest certificate should show up in Netscaler?

    Something like www.labtest.local.crt

     

    But there is nothing there under the tab Certificates

     

    What could possibly be wrong?

    Really appreciate your answer

     

  13. Citrix support is not easy to deal with: first you'll have to wait, with some scratchy music playing while you wait. Then the call is suddenly interrupted for no reason.

    All you receive is an e-mail that says "We have tried to reach on xxxxxxxxx but the call was not answered".

    Yes, that's right, but it was Citrix support that did not answer.

    Very peculiar support.

    So I´m stuck with this issue.

     

  14. Trying to download the license key for a small lab.

    "Citrix Virtual Apps and Desktop - Evaluation (90 days)"

    https://www.citrix.com/account/#/betas-license-retrieval/xendesktop-evaluation-license-retrieval

    Issued 2023-02-xx

    But it only shows a blank page - please see the screenshot below.

    [screenshot]

    Blank page - no firewall or VPN in between.

    [screenshot]

    I'm trying the Citrix support chatbot, but the answer is really peculiar - see below:

    [screenshot]

    Really appreciate a human answer

  15. If I understood your thoughts and description of the problem, I´m glad the 

    disappeared.

    It seems like there was an issue with the communication between the Delivery Controller

    and the Virtual Machines in that Catalog.
    The warning event ID #1039 says that the Broker Service was unable to contact the Virtual Machine, possibly due to a firewall blocking the 
    connection or some other communication issue.

     

    The fact that shutting down the Virtual Machines and updating the Machine Catalog fixed the problem suggests that there may have been a configuration issue or corruption in the previous setup. It's possible that the update to the VDA and the Windows updates may have worsened this issue?
    Anyway, it seems like the problem was resolved by updating the Machine Catalog, which may have refreshed the configuration and fixed it?

    That's all I can think of.

     

  16.  

    It's been a long time since I worked with Chromebooks. But I'm gonna try to give you an answer, so you have something

    to go on, if you haven't figured it out already?

     

    It's possible that the issue with Chromebook endpoints not displaying CQI data accurately after updating

    the VDAs to 2203 CU2 is related to a compatibility issue with the Citrix Workspace app for Chromebook.

     

    One possible solution you can try is to check the version of Citrix Workspace app installed on the Chromebooks

    and see if it's the latest version. If not, you can try updating the Citrix Workspace app to the latest version and

    see if that resolves the issue.

     

    Another possible solution is to check if there are any known compatibility issues between the version of

    Citrix Workspace app installed on the Chromebooks and the VDA version you've updated to.

    Check if you can find something about compatibility information between different versions of Citrix products.

    If neither of these solutions works, you may need to troubleshoot the issue further by reviewing the CQI logs and checking for

    any errors or warning messages related to the Chromebook endpoints.

     

    You can also try enabling logging for the Citrix Workspace  app on the Chromebooks to gather more information.

     

  17. If this is still a problem, see the answer below.

     

    The "object already exists" error message typically occurs when Citrix Studio or PowerShell

    is attempting to create an object that already exists in the Citrix site database.

     

    In this case, it's possible that the Virtual Machine you're trying to delete still exists in the database

    even though it was removed from the Machine Catalog.

    To resolve this issue, you can try the following steps:

    Remove the Virtual Machine from the Delivery Group:

    Before you can remove the Virtual Machine from the Machine Catalog, you need to ensure that

    it's not a member of any Delivery Group. Use Citrix Studio or PowerShell to remove the Virtual Machine

    from any Delivery Group.

    Ensure the Virtual Machine is not in use:

    Before you can delete the Virtual Machine, you need to ensure that it's not being used by any active sessions.

    Check the Citrix Director console to see if any active sessions are using the Virtual Machine. If there are any

    active sessions, you will need to disconnect them before proceeding. (You probably know that, already)

     

    You can use PowerShell to force the removal of the Virtual Machine from the Citrix site database.

    Use the Remove-BrokerMachine cmdlet with the -Force parameter to remove the Virtual Machine.

    For example, you can use the following PowerShell command to remove a Virtual Machine named "VM01":

    Remove-BrokerMachine -MachineName VM01 -Force

     

    Note that using the -Force parameter can have unintended consequences, so use it with caution.

     

    Verify that the Virtual Machine has been removed:

    After using PowerShell to remove the Virtual Machine, verify that it has been removed from the Citrix site

    database by checking Citrix Studio or running a PowerShell command to list all Virtual Machines in the site:

    Get-BrokerMachine

    If the Virtual Machine is still present in the Citrix site database, you may need to troubleshoot further to identify

    the root cause of the issue.

     

    Good luck

     

  18. Yes, there are some logs besides the event log.
    Citrix Workspace App logs:
    These logs are located in the following directory:

    %localappdata%\Citrix\Workspace\Logs. Look for log files with names that begin with "CitrixWorkspaceApp."

    Citrix Virtual Delivery Agent logs (the most current or accurate log for this kind of issue)
    These logs are located in the following directory:

    %ProgramFiles%\Citrix\Virtual Desktop Agent\Log. Look for log files with names that begin with "VDA."

    Citrix Receiver logs: 
    These logs are located in the following directory:

    %appdata%\ICAClient\Logs. Look for log files with names that begin with "receiver."

    I have used Citrix Diagnostic Facility (CDF) traces:

    These logs are generated by the Citrix Diagnostic Facility tool and can provide more detailed information about the issue.

    You can find the CDF traces in the following directory:

    %ProgramFiles(x86)%\Citrix\ICA Client\Troubleshooting.

     

    But it has been a while since I've used the CDF tool.
