Going through my first Citrix Cloud/Workspace/CVAD deployment I thought I’d blog the process I go through to configure Workspace. This blog post will get updated as I go and discover more about Workspace.
After authenticating into your Citrix Cloud instance, browse to Workspace Configuration
Access
Enable the Workspae URL and then click Edit. Choose a relevant name for your Workspace URL, once it has been Save, it can take 10mins to become available as mentioned below.
Authentication
Select the authentication method used to sign into Workspace. Configuration of each of these authentication methods is done via Identity and Access Management section.
Customize / Appearance
Upload your Sign-in Appearance logo
Upload your After Sign-in Appearance logo
Content Branding (colour scheme)
Customize / Preferences
Configure the following:
Allow Favourites (Enabled/Disabled)
Automatically Launch Desktop (Enabled/Disabled)
Workspace Timeout (20mins is default)
Citrix Workspace Preferences (In a browser / In a native app / Let subscribers choose)
Enabled Microsoft Teams (Enabled/Disabled)
Manage Services Integrations
By default, Virtual Apps and Desktops is enabled by default. To configure Workspace for an On Prem Virtual Apps and Desktops or XenApp 6.5 site, on ‘Virtual Apps and Desktop On-Premises Sites” click Add Site.
Will document the On Prem site connections later.
Configure Workspace with On Prem ADC Gateway
Browse to Access, under the required Resource Location select Configure Connectivity.
Click Edit and enter in the external FQDN of your On Prem ADC Gateway.
Select Test STA, this is likely to fail as they are behind the ADC Gateway
Click Save
Under Access and your Resouce Location you should now see: Gateway:Gateway_FQDN:443
To validate the Citrix Gateway is now handling the ICA traffic via Citrix Workspace, log into your Citrix Gateway > select Citrix Gateway > ICA Connections
Because the user authentication is handled by Citrix WorkSpace via the Citrix Cloud Connectors to Active Directory, the Citrix Gateway will show ‘anonymous’ as the username.
To validate that the Citrix Gateway is being used I SSH’d into the ADC and run:
shell
nstcpdump.sh host <Gateway VIP> or <Content Switch VIP> (if using Citrix Unified Gateway)
You will see hits on this once applications are launched from Citrix Workspace.
The upgrade passes the ‘Upgrade initialization’ phase and after a short period of time it fails on the ‘Management Service upgrade’ with the follwoing error:
“Upgrade of Management Service to build-svm-13.0-36.27.tgz failed. Upgrade of Management Service should have rebooted the system but did not reboot even after 5 minutes. Manually reboot the Management Service. Restart Update Software operation. If problem persists contact Support.”
Run the following:
shell
/var/log
more messages
“Oct 23 13:30:09 <local0.err> <SDX Hostname> svm_event: 11.247.32.36 10/23/2019:00:30:09 GMT : SNMP TRAP_SENT : 127.0.0.1:BackupFailure:<SDX SVM IP> – Single Bundle Image was not found for SVM version 11.1-61.112 Oct 23 13:30:09 <local0.err><SDX Hostname>svm_event: <SDX SVM IP> 10/23/2019:00:30:09 GMT : EVENT BACKUPFAILED : 127.0.0.1:BackupFailure:11.247.32.36 – Single Bundle Image was not found for SVM version 11.1-61.112″
In the System > Events section it had the following event:
Troubleshooting
Logged back into the SDX SVM, and rebooted the Management Service via UI and SSH, attempted another SDX bundle upgrade and got the same error message.
Rebooted the whole SDX appliance then attempted the SDX bundle upgrade and the same error again.
Attempted to upgrade to Bundle 12.1 Build 54.13, same issue
Attempted to upgrade to Bundle 11.1 Build 63.9, failed as the ‘platform’ version in this build is lower than the version I’m on, even though its currently at Bundle 11.1 Build 61.112
Factory reset on SDX2, no customizations done, attempted an upgrade to Bundle 13.0, same issue
After the above factory reset, checked out /var/log/messages
Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: BEGIN_TIME 1571884055 Thu Oct 24 02:27:35 2019 Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: VERSION svm-13.0-36.27.gz Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: installsvm version (13.0-36.27) kernel (svm-13.0-36.27.gz) Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: inside check_sysid_white_list, sysid_to_check = –450097– Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: now reading sysid_white_list Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: currentLine: 450093:2:0/1,0/2 Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: currentLine: 450087:2:0/1,0/2 Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: currentLine: 450092:1:0/1 Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: currentLine: 450096:2:0/1,0/2 Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: currentLine: 450089:2:0/1,0/2 Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: sysid=450097 NOT found in whitelist Oct 24 02:27:35 <user.notice> nssdx-mgmt installsvm: [2699]: Error: This version of Management Service software is incompatible with the hardware platform 450097 , please contact Citrix support
Attempted to upgrade to Bundle v12.1 again, same GUI and ‘messages’ errors regarding the Management Service.
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: BEGIN_TIME 1571886540 Thu Oct 24 03:09:00 2019
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: VERSION svm-12.1-54.13.gz
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: installsvm version (12.1-54.13) kernel (svm-12.1-54.13.gz)
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: inside check_sysid_white_list, sysid_to_check = –450097–
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: now reading sysid_white_list
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: currentLine: 450093:2:0/1,0/2
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: currentLine: 450087:2:0/1,0/2
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: currentLine: 450092:1:0/1
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: currentLine: 450096:2:0/1,0/2
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: currentLine: 450089:2:0/1,0/2
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: sysid=450097 NOT found in whitelist
Oct 24 03:09:00 <user.notice> nssdx-mgmt installsvm: [4908]: Error: This version of Management Service software is incompatible with the hardware platform 450097 , please contact Citrix support
Resolution
Just found out that the new SDX 15xxx ONLY support v11.1 build 61.112, the version it gets shipped with
I have a project underway moving from Citrix XenApp 6.5 to Citrix Cloud, because this environment has applications that are only compatibile with certain Windows Operating Systems (possibily even Windows Server 2008 R2) we are going to have to build a multi-OS VDA environment.
I havent been able to find a matrix showing what VDAs support which Operating System, only whats in the Citrix docs for each OS release I decided to build a basic table showing the compatiblity. It might be useful for others in a similar situation as mine.
Server 2019
Server 2016
Server 2012 R2
Server 2012
Server 2008 R2
Latest Build
17763
14393
9600
9200
7601
Support Status
Mainstream
Jan 9, 2024
Jan 11, 2022
Oct 9, 2018
Oct 9, 2018
Jan 13, 2015
Extended
Jan 9, 2029
Jan 12, 2027
Oct 10, 2023
Oct 10, 2023
Jan 14, 2020
VDA for Server OS
2003
√
√
X
X
X
1912
√
√
√
X
X
1912 LTSR
√
√
√
X
X
1909
√
√
√
X
X
1906
√
√
√
X
X
1903
√
√
√
X
X
1811
√
√
√
X
X
1808
√
√
√
X
X
7.15 LTSR
X
√
√
√
√
Created: 13/04/2020
Updated: 14/04/2020 – Windows 2012 R2 Compatibility with VDA 1912 and 1912 LTSR
I was recently involved in a project where 2 new Citrix ADC SDX’s were purchased and required to move the VPX’s off the old SDX’s to these new ones.
There are multiple approaches of moving VPX’s to new SDX hardware, some being:
Re-create all of the VPX’s on the new SDX, copy over the required files (ns.conf, SSL certs etc), shut down the old VPX and power on the new VPX. This option is quicker but potentially a higher risk ensuring everything is working before powering down the old VPX and powering on the new VPX.
Migrate service by service (VIP by VIP). This requires the new VPX’s to be created prior with new NSIPs. This option does give the ability to clean up the config while migrating over to the new VPX but can be very time consuming.
HA failover method. This requires new VPX instances created on the new SDX hardware with new NSIPs and using HA to detach and reatach to move the VPX config and files.
For this project I went with Option 3, this wasn’t the quickest option nor the longest but for us it was the least disruptive and least riskiest to the business.
Step 1 – Provision new ADC SDX appliances with a like for like configuration with the existing SDX appliances. The new SDX appliances will need new SVM and XenServer IPs.
NOTE:Instance highlighted in Yellow below indicates the current Primary node serving traffic.
Step 2 – Provision new Primary VPX instance on new SDX #2, this new instance will need a new NSIP but don’t configure the SNIP. Set this new instance High Availablity Status to STAYSECONDARY, but because its a standalone instance it will be still a Primary instance.
Step 3 – On the existing SDX appliances, break HA on one of the HA pairs that are going to be migrated over to the new SDX. The previous Secondary node will now be a standalone Primary node.
NOTE: Set the old Secondary VPX node (which will now be a standalone Primary) High Availabilty Status to STAYSECONDARY.
Step 4 – On the current Primary node in Yellow, add the new VPX node on SDX #2 (which shopuld be configured as STAYSECONDARY) into HA. This will now change the status of the new VPX node to Secondary.
Ensure that HA Sync has completed successfully, HA Sync will sync over all of the VIPs from the Primary node, SNIP, Certificates and anything else on the Primary node.
Step 5 – Change the STAYSECONDARY High Availabilty Status on the now Secondary VPX node to ENABLED.
Perform an HA Failover making the Secondary node now become Primary, now all VIP traffic will be going through the new Primary node. Carry out normal testing to ensure that VIPs are working as expected. If there are any issues you can do another HA failover back to the existing Primary node while any issues are resolved. Because HA would have sync’d all of the VPX config/certs etc any issues are likely to be VPX or SDX networking issues.
Once everything has tested successfully, set the now Secondary node on the Old SDX #1 High Availability Status to STAYSECONDARY.
Shut down the old Secondary node on Old SDX #2
Step 6 – Provision a new VPX instance on the new SDX appliance #1. Set the new instance HA Status to STAYSECONDARY.
Now that all of the production traffic is going through the VPX on the new SDX appliance and tested successfully, break HA on the VPX pair.
Step 7 – On the Primary node, add the new VPX node on SDX #1 into HA. Ensure HA Sync has completed successfully.
Step 8 – Now that the new VPX pair are running on the new SDX appliance, the Secondary node on Old SDX #1 can be shut down.
If there are more VPX’s to migrate, follow the same process for each HA pair.
This process worked very well for us, zero down time for the business and we were able to move the VPX’s fairly quickly.
Cloud Connectors configured as Delivery Controllers on HTTPS/443
Citrix Cloud Connectors
Issue:
When we were browsing to the Storefront URL it would do Domain Pass Thru, it logs in as the user but no apps or desktops available.
In Event Viewer it has 3 errors:
Cloud Connector 1 is not available
“The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address https://<cloud_connector_1>/scripts/CtxIntegrated/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.”
2. Cloud Connector 2 is not available “The Citrix XML Service object was not found: 404 Not Found. This message was reported from the XML Service at address https://<cloud_connector_2>/scripts/CtxIntegrated/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.”
3. All the Citrix XML Services configured for farm failed to respond to this XML Service transaction. “All the Citrix XML Services configured for farm <name> failed to respond to this XML Service transaction.”
After around 10secs in Event Viewer
Cloud Connector 1 is available
“The Citrix XML Service at address <cloud_conenctor_1>:443 has passed the background health check and has been restored to the list of active services.”
2. Cloud Connector 2 is available
“The Citrix XML Service at address <cloud_conenctor_2>:443 has passed the background health check and has been restored to the list of active services.”
If we refreshed the Storefront URL or browse again the above process repeats. If we enabled the Store to do Username/Password auth we can log in fine and apps are there.
Resolution:
Within Storefront,
Select the Store experiencing the issue
Select Configure Store Settings
Select Kerberos Delegation
Select ‘Disable Kerberos Delegation’
As soon as Kerberos Delegation was disabled, Storefront Domain Pass Through continued to work, all applications were available and no errors in the Storefronts Event Viewer.
When accessing the local Computers certificate, right-click, All Tasks and Manage Private Keys I get this:
But doing the same procedure on the working Cloud Connector I get:
Opening the certificate on the working and non-working server, both showed:
Resolution:
Exported the certificate from the working server including the Private Key
Imported the certificate onto the non-working server, it came in as an additional certificate but didnt look like the same so I removed it. Checked the properties of the non-working certificate and suddenly they were now working.
On the Citrix NetScaler both STA Servers are now online
