Posts posted by Bit-101
-
-
Is it possible to create temporary access for a group of users?
When the users log out they have to go through some steps to get access again.
Is something like that possible with Netscaler and within Citrix eco-system in general?
Really appreciate your answer :)
-
How about "Just In Time Access"? In other words, temporary access each time for a user.
-
I want to accomplish a group of users that always has temporary access.
I have these components:
-Netscaler Gateway
-MFA with FortiAuthenticator (token that appears in the users' mobile phone)
-Storefront
When I already have NetScaler, StoreFront and FortiAuthenticator, I believe there is no reason to
implement a separate third-party just in time access solution.
So I'm here with what I called Custom Integration:
Create a custom integration that places an approval step between authentication and session creation, with a script in PowerShell:
NetScaler API access: The script must be able to send and receive data from the NetScaler API.
FortiAuthenticator API access: To interact with FortiAuthenticator for authentication.
Approval process: A method of sending and receiving approvals by SMS to an admin person.
This is my question to get further:
Which API and methods shall I use in Netscaler to accomplish this? Is there anyone who can give some example?
Really appreciate your answer :)
-
I've to check with this forum, so I'm really sure.
I have a multisession VDA, with only the VDA installed on a Windows Server 2019, and published it to multisession desktop.
No Director, no MCS, no PVS. Only a VM in VMware.
Authentication is done by the Netscaler
2 Storefront servers
2 DDC
Are there any more or less ports that are required to be open on that VDA?
My information below with comments is based on this link from Citrix:
https://docs.citrix.com/en-us/tech-zone/build/tech-papers/citrix-communication-ports.html
Definition of my comment below
# = I think I don't need this
Red colored text = my questions
License server
Any Citrix Component - Handles initial point of contact for license requests
-Citrix License Server TCP 27000
Access to applications and virtual desktops
-ICA/HDX protocol 1494
Source and Destination?
Access to applications and virtual desktops
EDT protocol requires 2598 to be open for TCP/UDP.
Source and Destination?
#I don't use html5 receiver
#-TCP 8008
Application/Desktop Request - communication with DDC
-TCP 80/8080/443, XML Service Destination: DDC
Source: VDA, Destination: DDC (Both directions)
#Authentication of user during application or desktop launch (Authentication is done by the Netscaler?)
#Domain Controller
#-TCP/UDP 389
Access to applications and virtual desktops by ICA/HDX over SSL
-TCP 443
Source: ??, Destination: ??
#Virtual Delivery Agent Domain Controller
#Communication between Virtual Delivery Agent and Microsoft Global Catalog used
#during the registration process in order to validate its list of configured
#-TCP 3268
#Citrix Workspace app, StoreFront - Communication with StoreFront
#TCP, UDP 80,443 (No citrix receiver installed on VDA)
Other ports
Fileshare for storage files and profiles
etc..
Really appreciate your answer with more or less ports with the source and destination
? -
Thanks for your answer.
It seems like every person installs certificates by their own working method.
OK, but I have always done an install of a certificate and a separate key in pem-format with password since Netscaler 12.XX something.
Never imported it into Storefront and then made the key exportable and then exported it and then installed it in Netscaler.
Option number 3 did work for me
(This worked, and I'm surprised that option number 2 did not work.)
3. "examplecertificate" in pem-format with a so-called no-key file (you do not need to provide a password when installing it in NetScaler)
But this worked in my Lab, so I hope it works "in live conditions".
:0)
-
Object: Netscaler 13
I have received various suggestions on what is right and wrong, but I am convinced that you know this.
I have a certificate issued from our CA, which is a web server certificate called "examplecertificate".
I have the certificate in the following variants and formats as below: -
1. "examplecertificate" with an embedded key. A .p12 certificate. (you must provide a password when installing it in NetScaler)
2. "examplecertificate" in pem-format with a separate key file (you must provide a password when installing it in NetScaler)
3. "examplecertificate" in pem-format with a so-called no-key file (you do not need to provide a password when installing it in NetScaler)
If you are unsure, please try to answer which of the options 1-3 is completely wrong
Additionally, someone has said "..no you shall only use that .pfx format with embedded key".
I've done this a few times before in Netscaler about 5 or 6 years ago, but I don't remember how I did it back then and if something
changed since.
The problem is that when I try to install the certificate in .p12-format and in pem-format, Netscaler complains about:
Invalid private key or PEM pass phrase required for this private key.
To know more about the error please click here
(it's not possible to click here in our environment because of security reasons)
I know the password, so that's not the problem. It's something else.
I really appreciate your answer
-
Symptom: Cannot connect to Published Desktop (Multi user session)
VDA version: 7 220 3 LTSR CU3, Windows server 2019
Test ports with:
netstat -n -a
On the VDA I don't have any connection established on port 3268 with the Domain Controller.
Run a check with Powershell from VDA:
Test-NetConnection -ComputerName 192.168.162.213 -Port 3268
ComputerName : 172.168.123.123
RemoteAddress : 172.168.123.123
RemotePort : 3268
InterfaceAlias : Ethernet0 2
SourceAddress : 172.168.121.3
TcpTestSucceeded : True
The port 3268 is open
ListOfDDCs is in the registry
Event ID:
Log Name: Application
Source: Citrix Desktop Service
Date: 2023-12-28 16:54:54
Event ID: 1001
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: .my.domain
Description:
The Citrix Desktop Service failed to obtain a list of delivery controllers with which to register.
Please ensure that the Active Directory configuration for the farm is correct, that this machine is in the appropriate Active Directory domain and that one or more delivery controllers have been fully initialized.
Refer to Citrix Knowledge Base article CTX117248 for further information.
Error details:
Exception 'The server is not operational.Name: "my.domain"
' of type 'System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException'
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Citrix Desktop Service" />
<EventID Qualifiers="49152">1001</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2023-12-28T15:54:54.021141700Z" />
<EventRecordID>115532</EventRecordID>
<Channel>Application</Channel>
<Computer>srv12345.my.domain</Computer>
<Security />
</System>
<EventData>
<Data>The server is not operational.Name: "my.domain"
</Data>
I really appreciate it if someone has any idea why the VDA does not have an established connection on port 3268 with the Domain Controller
?
-
Obsolete
-
@Rhonda Rowland
I tore the whole Lab down and started from scratch.
I had some network issues that occurred when I went from NAT to Bridged in VMware workstation.
To be continued...
?
-
Getting a bit confused when I try to read what certifications are available for Netscaler. The most recent certifications.
Citrix Certification for Citrix Netscaler or should I say ADC?
I probably need some help from some senior who can guide me?
What is the certification path to get some certification with Netscaler?
a) What exam must I pass?
b) What is the first level of certification?
c) How do I get to the next level and so on?
Really appreciate your answer
?
-
@Rhonda Rowland
@Carl Stalhood
Thanks for your engagement!
A question like this usually doesn't get any answers
@Rhonda Rowland:
Yes, I know, and I'm trying to understand what you are saying.
Forget everything about binding a certificate to a virtual server.
Now I only want to create an SSL cert for labtest.local
I think we need to reach a consensus on approach to "Create Certificate Signing Request (CSR)"
I hope some screenshots will give a better picture of this process.
Here is what I´m doing and what I see:
1. SSL files
1.2 Generate RSA key
-labtest.key
1.3 CSR - Create Certificate Signing Request (CSR)
-Create Certificate Signing Request (CSR)
1.4 Request Filename
labtest.csr
1.5 Key Filename:
-labtest.key
1.6 Pem
Subject alternative name
-DNS:www.labtest.local DNS:labtest.local
Create>
2. Nothing happens
Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc
Expect to see something here:
3. Troubleshooting
Have set up a root Windows Server with ADCS (Root CA)
Login to Root CA
-Have a look in
Issued certificates-nothing except all web servers
Failed request
-nothing there
Event log Root CA server
-nothing there
On my ADCS server (Root CA)
The only option that is available is "Submit new request", but anyway I try this way (although it is not what I expect to do)
Then I receive the error - see below:
-The question is, how do I get to that state where I have a labtest.local.pfx with private key or another .extension certificate so I can move on?
Note: It works like a charm to enroll (distribute) client and server certificates for my Windows clients and Windows servers with GPO.
I hope this clears up how I'm doing it, so you can see what's wrong.
?
-
Update: I´ve Googled the error:
This error message typically indicates that the certificate request does not contain information about which certificate template to use when issuing the certificate. The certificate template is a pre-defined set of attributes that determines the type and properties of the certificate.
To resolve this error, you need to ensure that the certificate request includes information about the certificate template. You can do this by either selecting a certificate template when creating the certificate request or by adding the Certificate Template extension to the certificate request.
-It's not possible to do that in Netscaler?
-I hope I'm wrong?
-But if someone sees the possibilities to do this request in Netscaler, I'm happy if you could share your knowledge.
These are the only available options in Netscaler 13.0 as far as I can see:
1. SSL files
-Keys:
1.2 Generate RSA key
-labtest.key
1.3 CSR - Create Certificate Signing Request (CSR)
-Create Certificate Signing Request (CSR)
1.4 Request Filename
labtest.csr
1.5 Key Filename:
-labtest.key
1.6 Pem
Subject alternative name
-DNS:www.labtest.local DNS:labtest.local
Create>
2. Nothing happens Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc
3. Troubleshooting
Have set up a root Windows Server with ADCS (Root CA)
Login to Root CA
-Have a look in
Issued certificates-nothing except all web servers
Failed request
-nothing there
Event log Root CA server
-nothing there
?
-
Ok, its a LAB
And I have installed the ADCS (Active Directory Certificate Services) on one server - labserver-02
So I'm trying to save (download) the labtest.csr in Netscaler and then go to certutil manager and Submit Request on labserver-02 by pointing to that labtest.csr.
The problem is that's not possible, the only option is to submit a new request. And the error message displays as in the screenshot.
I'm CA Administrator. In other words, I have the PKI environment.
And it works for both clients and servers but not with Netscaler.
(Distribute certificates by GPO)
Ps. Do you think of an external SSL supplier like sslforfree.com or something like that?
?
-
Create a "Certificate Signing Request (CSR)"
-But it fails for some reason
Here's how I'm doing it:
In Netscaler GUI
1. SSL files
-Keys:
1.2 Generate RSA key
-labtest.key
1.3 CSR - Create Certificate Signing Request (CSR)
-Create Certificate Signing Request (CSR)
1.4 Request Filename
labtest.csr
1.5 Key Filename:
-labtest.key
1.6 Pem
Subject alternative name
-DNS:www.labtest.local DNS:labtest.local
Create>
2. Nothing happens Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc
3. Troubleshooting
Have set up a root Windows Server with ADCS (Root CA)
Login to Root CA
-Have a look in
Issued certificates-nothing except all web servers
Failed request
-nothing there
Event log Root CA server
-nothing there
4. I assume that a signed labtest certificate should show up in Netscaler?
Something like www.labtest.local.crt
But there is nothing there under the tab Certificates
What could possibly be wrong?
Really appreciate your answer
?
-
Great, you can manage your Netscaler with Powershell according to this article:
https://mickhilhorst.com/citrix/citrix-adc-sdk-powershell/
But first of all you've the Nitro.dll and Newtonsoft.Json.dll
These files should appear in the following folder: /Lib
But there are no such dll-files in the Lib-folder.
-anyone?
Really appreciate your answer.
?
-
If you have the same question about some trial with Citrix Gateway.
Citrix support contacted me - You have to buy to try.
The End.
-
1
-
-
Citrix support is not easy to deal with, first you'll have to wait with some scratchy music playing while you wait. Then the call is suddenly interrupted for no reason.
All you receive is an e-mail that says "We have tried to reach on xxxxxxxxx but the call was not answered ".
Yes, that's right, but it was Citrix support that did not answer.
Very peculiar support.
So I´m stuck with this issue.
-
Trying to download the license key for a small LAB.
"Citrix Virtual Apps and Desktop - Evaluation (90 days)"
https://www.citrix.com/account/#/betas-license-retrieval/xendesktop-evaluation-license-retrieval
Issued 2023-02-xx
But it only shows a blank page - please see screenshot below.
Blank page - no firewall or VPN in between.
I'm trying Citrix support chatbot but the answer is really peculiar - see below:
Really appreciate a human answer
?
-
-
Persistent or non-persistent machines?
In general for VDA logging, you could enable logging on the individual VDAs.
-
If I understood your thoughts and description of the problem, I´m glad the
disappeared.
It seems like there was an issue with the communication between the Delivery Controller
and the Virtual Machines in that Catalog.
The warning event ID #1039 says that the Broker Service was unable to contact the Virtual Machine, possibly due to a firewall blocking the
connection or some other communication issue.
The fact that shutting down the Virtual Machines and updating the Machine Catalog fixed the problem points to that there
may have been a configuration issue or corruption in the previous setup. It's possible that the update to the VDA and Windows
updates may have worsened this issue?
Anyway, it seems like the problem was resolved by updating the Machine Catalog, which may have refreshed the configuration and fixed it?
That's all I can think of.
?
-
It's been a long time since I worked with Chromebooks. But I'm gonna try to give you an answer, so you have something
to go on, if you haven't figured it out already?
It's possible that the issue with Chromebook endpoints not displaying CQI data accurately after updating
the VDAs to 2203 CU2 is related to a compatibility issue with the Citrix Workspace app for Chromebook.
One possible solution you can try is to check the version of Citrix Workspace app installed on the Chromebooks
and see if it's the latest version. If not, you can try updating the Citrix Workspace app to the latest version and
see if that resolves the issue.
Another possible solution is to check if there are any known compatibility issues between the version of
Citrix Workspace app installed on the Chromebooks and the VDA version you've updated to.
Check if you can find something about compatibility information between different versions of Citrix products.
If neither of these solutions work, you may need to troubleshoot the issue further by reviewing the CQI logs and checking for
any errors or warning messages related to the Chromebook endpoints.
You can also try enabling logging for the Citrix Workspace app on the Chromebooks to gather more information.
-
If this still is a problem - see below answer.
The "object already exists" error message typically occurs when Citrix Studio or PowerShell
is attempting to create an object that already exists in the Citrix site database.
In this case, it's possible that the Virtual Machine you're trying to delete still exists in the database
even though it was removed from the Machine Catalog.
To resolve this issue, you can try the following steps:
Remove the Virtual Machine from the Delivery Group:
Before you can remove the Virtual Machine from the Machine Catalog, you need to ensure that
it's not a member of any Delivery Group. Use Citrix Studio or PowerShell to remove the Virtual Machine
from any Delivery Group.
Ensure the Virtual Machine is not in use:
Before you can delete the Virtual Machine, you need to ensure that it's not being used by any active sessions.
Check the Citrix Director console to see if any active sessions are using the Virtual Machine. If there are any
active sessions, you will need to disconnect them before proceeding. (You probably know that, already)
You can use PowerShell to force the removal of the Virtual Machine from the Citrix site database.
Use the Remove-BrokerMachine cmdlet with the -Force parameter to remove the Virtual Machine.
For example, you can use the following PowerShell command to remove a Virtual Machine named "VM01":
Remove-BrokerMachine -MachineName VM01 -Force
Note that using the -Force parameter can have unintended consequences, so use it with caution.
Verify that the Virtual Machine has been removed:
After using PowerShell to remove the Virtual Machine, verify that it has been removed from the Citrix site
database by checking Citrix Studio or running a PowerShell command to list all Virtual Machines in the site:
Get-BrokerMachine
If the Virtual Machine is still present in the Citrix site database, you may need to troubleshoot further to identify
the root cause of the issue.
Good luck
?
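The removal steps from the post above, combined into one script. This is an added example, not part of the original post and not Citrix's own code. It assumes it runs on a Delivery Controller with the Citrix Broker snap-in installed; the machine name LAB\VM01 is a placeholder, and -Force is made opt-in here rather than the default.

```powershell
# Added example: guarded removal of a machine from the Citrix site database.
# 'LAB\VM01' is a placeholder (DOMAIN\Name form); pass your own value.
param(
    [string]$MachineName = 'LAB\VM01',
    [switch]$Force                      # opt-in, since -Force skips the safety net
)

# Load the Broker cmdlets only if they are not loaded yet
if (-not (Get-PSSnapin -Name Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
}

$machine = Get-BrokerMachine -MachineName $MachineName -ErrorAction SilentlyContinue
if (-not $machine) {
    Write-Output "$MachineName is not in the site database; nothing to remove."
    return
}

# Stop while users are still on the machine (checked first so that nothing
# is changed before we know the machine is idle)
$sessions = @(Get-BrokerSession -MachineName $MachineName)
if ($sessions.Count -gt 0 -and -not $Force) {
    $sessions | Select-Object UserName, SessionState, StartTime
    throw "$MachineName has $($sessions.Count) session(s); log them off or rerun with -Force."
}

# Remove the machine from its Delivery Group, if it is in one
if ($machine.DesktopGroupName) {
    Write-Output "Removing $MachineName from Delivery Group '$($machine.DesktopGroupName)'"
    Remove-BrokerMachine -MachineName $MachineName `
        -DesktopGroup $machine.DesktopGroupName -Force:$Force
}

# Remove the machine record from the site database
Write-Output "Removing $MachineName from catalog '$($machine.CatalogName)'"
Remove-BrokerMachine -MachineName $MachineName -Force:$Force

# Verify that the record is gone
if (Get-BrokerMachine -MachineName $MachineName -ErrorAction SilentlyContinue) {
    Write-Warning "$MachineName is still present in the site database."
} else {
    Write-Output "$MachineName removed."
}
```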
-
Yes, there are some logs besides the event log.
Citrix Workspace App logs:
These logs are located in the following directory: %localappdata%\Citrix\Workspace\Logs. Look for log files with names that begin with "CitrixWorkspaceApp."
Citrix Virtual Delivery Agent logs (the most current or accurate log for this kind of issue)
These logs are located in the following directory: %ProgramFiles%\Citrix\Virtual Desktop Agent\Log. Look for log files with names that begin with "VDA."
Citrix Receiver logs:
These logs are located in the following directory: %appdata%\ICAClient\Logs. Look for log files with names that begin with "receiver."
I have used Citrix Diagnostic Facility (CDF) traces:
These logs are generated by the Citrix Diagnostic Facility tool and can provide more detailed information about the issue.
You can find the CDF traces in the following directory:
%ProgramFiles(x86)%\Citrix\ICA Client\Troubleshooting.
But it has been a while since I've used the CDF tool.
?
Can't see that Netscaler is listening on Port 1494
in NetScaler Gateway
NS 13.1 build 51.15
I´m Logged in as nsroot
show connectiontable | grep -E '1494 | 2598'
10.110.240.107 26970 192.168.190.6 2598 HTTP 0 ESTABLISHED 0 S
10.110.240.107 38885 192.168.190.6 2598 HTTP 0 ESTABLISHED 0 S
Other commands:
show vserver
show vpn vserver
Don't give me any clue
No AppFirewall
No ACL
I'm surprised. Everything works, but why can't I see Netscaler listening on port 1494?
I really appreciate your answer
:)