ArnaudP1

December 1, 2023

Hello,

Does your FAS GPO apply to FAS and Storefront servers as well as VDAs?

Did you run the PoSh command on storefront server for FAS claims?

Thanks

Arnaud

October 26, 2023

Hi Fabio

You have to use rate-limiting. Limit Identifier would be CLIENT.IP.SRC. Set the limit wisely (for example 3 attempts in 5 minutes). Than bind a responder policy, resetting the connection.

August 30, 2023

Hi Jonathan

A Citrix gateway is recommended to provide more security but not required.
you may need to look at your load balances storefront vserver.
look at the service group to ensure to see both storefront and confirm they are both shown as UP.

thanks

Arnaud

August 7, 2023

Jeff,

You need to have both NetScaler with same Firmware if you want to create a HA Pair.

My suggestion here would be:

1. Upgrade from 12.0 to 12.1 with same Firmware.

2. Configure HA Pair.

3. Validate HA Pair synchronization is working and test Failover.

4. Upgrade secondary node to 13.0 or later and reboot.

5. After reboot, failover and test connection.

6. Upgrade remaining node, reboot and failover.

7. Test connection.

Thanks

Arnaud

January 26, 2023

8 hours ago, Support SADIES said:

Yes the possible solution is upgrade but I read this:

https://www.carlstalhood.com/system-configuration-citrix-adc-13/#upgrade

I don't have licence support and my file licence file has date 2020.0700... I don't sur can upgrade the firmware...

Thanks

Can you try to redownload your license file which should present newer date and as so allow you to upgrade the Firmware.

Thanks

Arnaud

January 25, 2023

39 minutes ago, Support SADIES said:

What...you're right....I try with wrong password and any validation I can login... There is not a solution do a 2FA if I can login without password.

I don't understand. To follow DUO article with nFactor I need AAA and I not have the licence....

Thanks Arnaud for your time. I appreciate

In this case I would recommend to update Firmware. Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license.

So Upgrade Firmware and then follow DUO documentation.

Thanks

Arnaud

January 24, 2023

4 minutes ago, Support SADIES said:

Yes finally that works!!!!

I delete all and reconfigure and java message not appears.

Rdweb works fine!!

Now I can view in my receiver that 2 password field appears and can't login (incorrect password)

I need to modify and pesonalise some configuration?

So here, you have 2 options:

1. Use nFactor to configure DUO and follow this article:https://duo.com/docs/citrix-netscaler-nfactor

2. Check the LDAP configuration, on LDAP-Receiver, you can uncheck authentication to hide Mode de passe 2, if I am correct.

Thanks for letting me know.

Arnaud

January 24, 2023

22 minutes ago, Support SADIES said:

Hello,

Not . It's a normal Citrix Gateway virtual server. I don'k know why try to launch java

Stuck with this issue

So in this case you need to check your session Profile configuration.

January 24, 2023

On 1/19/2023 at 6:22 PM, Support SADIES said:

I add authentication in Authentication/Dashboard section and bind to vs

For your authentication profile i have:

I dont know how configure it...

I use this guide https://duo.com/docs/citrix-netscaler#configure-the-proxy-for-your-citrix-gateway and I obtain de login a prompt for duo like this:

I can login but after a pop-up and this message appears:

is something about the Content-Security-Policy header.?

Thanks a lot a lot for your help

The message above shows that your are trying to launch SSL-VPN, I think you create an Unified Gateway site instead of Citrix Gateway using the Wizard, no?

Thanks

January 24, 2023

10 minutes ago, Lukas Meyer1709162786 said:

Because we do not have a license for creating a VIP in Netscaler (Traffic Management - Virtual Serer) we think about following setup:

Netscaler ADC

Server 1 with Storefront and Delivery Controller

Server 2 with Storefront and Delivery Controller

DNS-Entry for sf.contoso.com with IP of Server 1 and 2 (Round robin)

On Netscaler Session profile shows to sf.contoso.com

Both Servers as STA configured

Netscaler uses intermal DNS-Server, so will resolve sf.contoso.com with IP1 or IP2

On Store Server 1 and 2 are configured as Deliery Controller with https and load balancing enabled

When we test this by shutdown one of the Servers mostly login failes, sometimes with the message "Ica mode status is not okay".

When we delete one of the dns-entries and wait long enough until Netscaler sees the server as down, it is working well

Could it work like that with dns round robin or is this bullshit?

Thanks for feedback.

Lukas

Which license do you have to now have the option to create Load Balance Virtual Server?

Thanks

Arnaud

January 23, 2023

2 hours ago, Anders Eriksson 2 said:

Hi,

Is this feature not supported any longer, when trying to create new bookmark it fails with Invalid URL. I tried the same through CLI and gave same error.

I have searched a lot around this topic, but cannot find any updated information about this.

Running NS13.0 88.14.nc

Hello Anders,

The bookmark should be a web address not UNC path?

November 8, 2022

Hello Dirk,

Yes you are impacted, an update of the article has been done.

Arnaud

May 25, 2022

On 5/18/2022 at 5:48 AM, Jonas Henriksson1709156842 said:

He have issues with bad logon performance on Windows 10 20H2 VDI. We are using PVS and Citrix Hypervisor to host the machines. For user profiles we use Ivanti Environment Manager Personalization. Citrix Optimizer was run on the image.

With ControlUp we get the following result when running Logon Analysis. Can anyone help with how to handle this AppX Load time and the Gap between Group Policy and AppX Phases?

Source Phase Duration (s) Start Time End Time Gap (s)
------ ----- ------------ ---------- -------- -------
Windows Windows Logon Time 0.0 11:27:36.4 11:27:36.4
Windows User Profile 0.5 11:27:38.2 11:27:38.6 1.8
Windows Group Policy 1.0 11:27:38.6 11:27:39.6 0.0
Shell AppX File Associations 3.9 11:28:26.7 11:28:30.6 47.0
Shell AppX - Load Packages 111.4 11:28:26.8 11:30:18.1
Shell ActiveSetup 0.0 11:28:27.0 11:28:27.0
Windows Duration 160.0

Hello Jonas,

Did you look here: https://www.controlup.com/resources/blog/entry/logon-duration-research-appx-packages/

It's well explained with lot of tests and details that could help you.

Thanks

Arnaud

May 25, 2022

On 5/19/2022 at 7:08 AM, Nicolas Bautista Correa said:

Hi all:

We are deploying EPA in n-factor for ICA proxy access and we would like to know if EPA uses citrix gateway universal license or the standard licenses.

Currently our citrix gateway virtual server has set the ICA-only option as ON and the CItrix ADC has installed an ADC advanced license

Thank you and best regards

Hello Nicolas,

I would say no as Universal Licenses are used for VPN, running an EPA on Ednpoint does not bring up a VPN.

Thanks

Arnaud

May 25, 2022

1 hour ago, Bert Kaeding said:

Hi all,

netscaler 13.0 85.15 throws the following error when adding an intranet url:

> add vpn url OWA OWA "/owa" -vServerName lb_vsrv_ex2016_owa_ugw -ssotype unifiedgateway -applicationtype VPN
ERROR: Invalid URL

Same via GUI.

Any suggestions?

Thanks in advance

Bert

Hi Bert,

The bookmark should not be "/owa" but "https://server_name_fqdn/owa"

Thanks

Arnaud

April 24, 2022

2 hours ago, Matthew Riddler1709154367 said:

Sorry, also I am using LDAP for password auth & hoping to use duo just for 2fa. Also this store will also only be used by the web browser, no requirement for receiver config. Do I need to have the 2 entries in the duo proxy with different ports?

Matt,

I would say no only one port required but you will need to test.

Thanks

Arnaud

April 24, 2022

Matt,

Yes StoreFront is just configured with domain.

Thanks

Arnaud

March 23, 2022

3 minutes ago, John Francis1709163149 said:

Arnaud,

Thanks for the info. We installed VDA 2112 on a PC and the user was trying to get connected to that PC through Citrix Workspace and he is getting this. The user logs in and then disconnects, logs in and it automatically disconnects. So, I am not sure what is going on. We have not had any issues when I installed Remote PC on other computers. Also, why would Remote PC use a license since during day time we are connected from the laptop/desktop at office, at this time it should not use the license right? Only if we connect remotely from our home PC or laptop to the REMOTE PC it should take up a license, but when you are physically logged in why would it take the license?

Can you send me the registry key settings?

I found this and we tried adding this

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\RemotePC

RpcaMode (dword):

1 = The remote user will always win if he does not respond to the messaging UI in the specified timeout period.

2 = The local user will always win. If this setting is not specified, the remote user will always win by default.

John,

I would suggest you to try with on older VDA on the RemotePC, you can just test with 1 one them, just to ensure issue is not a Bug with this release.

You can find details on Reg Keys here: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/install-configure/remote-pc-access.html

Thanks

Arnaud

March 23, 2022

5 minutes ago, John Francis1709163149 said:

We have 25 licenses for now in a test environment. A user is connecting to Remote PC (VDA 2112) and is getting kicked out and looking at the Director Monitor it says session limit reached.

1. How is the licensing for these? Does Remote PC take one full license?

2. We have only 7 users with Remote PC and couple of more users accessing the VDI but we still have enough licenses

Why would it do this behavior? Also, just from last night I started getting

"Connection Interrupted - Citrix Receiver will try to reconnect for 5 minutes

This never used to happen to me at all even though I am using wireless.

Any ideas guys. I saw some registry settings and hopefully we could apply that and get it resolved using this. Any other thoughts or Policy that can be applied. The are regular desktops with VDA installed.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PortICA\RemotePC

RpcaMode (dword):

1 = The remote user will always win if he does not respond to the messaging UI in the specified timeout period.

2 = The local user will always win. If this setting is not specified, the remote user will always win by default.

Hi John,

Remote PC sessions consume licenses in the same way as other Citrix sessions.

Do you have only 1 user access for each Remote PC VDA?

If not, when a user try to connect, can you check if you already have a user connected to this Remote PC.

Also, by default, a remote user's session is automatically disconnected when a local user initiates a session on the computer, you can change this with a reg key.

For the connection interruption it's usually due to network interruption.

Do you have monitoring in place on your network to check that?

Thanks

Arnaud

March 18, 2022

8 minutes ago, John Francis1709163149 said:

My questions are:

1. Do we have to sysprep a MCS persistent desktop image?

2. I have MS Defender installed on the image, should I do something that it displays properly on the Defender console and it is gettings its updates or scanning properly?

3. Anything else that can be thought of?

Hi John,

To reply to your questions:

1. No, Citrix MCS will take care of it.

2. You should be able to see the VDA in Defender console when they will be deployed.

3. Depend of the applications to be installed ?

Thanks

Arnaud

March 16, 2022

On 3/15/2022 at 11:53 AM, John Francis1709163149 said:

We have cloud connectors for machines that are domain joined that we can access. How can we access non-domain joined virtual desktops and are sitting on EXTERNAL network in Azure.

Hi John,

Did you check information here: https://docs.citrix.com/en-us/tech-zone/learn/tech-briefs/citrix-managed-desktops.html

Thanks

Arnaud

March 14, 2022

10 minutes ago, Patrick Loftheim said:

I have tried creating another admin account just for this purpose, same error...

It gets stuck on connecting when i try to open the session from workspace.

I have tried re-creating several master-images without any improvement.

Yes everything did work before we changed the name of resource-group and network in Azure..

I am having a hard time seeing why these things should be affected in this way by that change.

Patrick,

I would suggest you to use PoSH SDK to connect to Citrix Cloud and retrieve details from there.

You will have more details on your configuration, hosting, machine catalog and delivery group.

Thanks

Arnaud

March 14, 2022

3 hours ago, Patrick Loftheim said:

Hi Arnaud

I have only 1 host connection now.

If i create the object manually in AD and then use existing computer account i get further but then i run in to another issue, the citrix session gets stuck on connecting..

things looks good from verification as far as i can see. (tried both the machine catalog and delivery group)

Patrick,

If you can create computer account locally and then use it with MCS, I would suggest you to review your connection settings (I mean the user account used to create AD computer).

When you said the Citrix session get stuck on connecting, it's after publishing a Desktop on the Delivery Group?

Did you ever create a machine catalog with same image, publish and access desktop/apps from this image?

Thanks

Arnaud

March 14, 2022

Hi Matt,

you have LDAP server on which you will need to uncheck Authentication

Arnaud

March 11, 2022

4 hours ago, Patrick Loftheim said:

Hi after a rename / restructure of Azure resource groups, we can no longer create machine catalogs.

First we had issues with an old network name, to fix this we had to re-add the host connection, now we are at least getting further, but stuck on this error(see attachment)

The account used is a local AD domain admin account which we have not touched or done any changes to.

Any suggestions?

Exception:
DesktopStudio_ErrorId : UnknownError
ErrorCategory : NotSpecified
DesktopStudio_PowerShellHistory : Create Machine Catalog '#####'
3/11/2022 7:51:36 AM

Error Source : CitrixOrchestration

Hi Patrick,

Do you still have 2 hosting connection defined?

Did you test resource to validate everything looks good?

Did you try to create computer account in AD using same account and then select use existing computer account?

Thanks

Arnaud

Forums

Articles

Labs

Videos

TechZone

Citrix Community Articles

Events

Profiles

Posts posted by ArnaudP1