Citrix XenApp Application Error: “Cannot connect to the Citrix XenApp Server. SSL Error 61

Citrix XenApp Application Error: “Cannot connect to the Citrix XenApp Server.  SSL Error 61: You have not chosen to trust “certificate authority”, the issuer of the server’s security certificate.

You may receive SSL Error 61 when attempting to launch a Citrix XenApp application through Citrix Netscaler using  the legacy Program Neighborhood Agent (PN Agent).

As explained below, certificates are signed with SHA256 which older versions of the ICA client do not support.

Ensure that clients have the latest version of Citrix Receiver installed.

http://discussions.citrix.com/topic/284298-citrix-ica-client-ssl-error-61-you-have-not-chosen-to-trust-verisign-blah-blah-the-issuer-to-the-servers-security-certificate/.

I ran into this issue today after having setup a new Netscaler VPX access gateway with new server cert linked. We are migrating from Citrix Secure Gateway.

When trying to establish the Citrix session via the Access Gateway, I got the same error. Of course the ICA client version we are using is 11.x

The reason for the error: Server certificates are now digitally signed using SHA256 algorithm, not SHA128. The older versions of the ICA client do not support this.

So the answer is to upgrade the client to the Online Plug-in 12.3 if you need PNAgent and / or Web Client. Upgrade directly to Citrix Receiver if you don’t need PNAgent.

#cannot-connect-to-the-citrix-xenapp-server, #citrix-receiver, #citrix-xenapp-application-error, #netscaler-access-gateway, #sha256, #ssl-error-61, #you-have-not-chosen-to-trust-the-issuer-of-the-servers-security-certificate

XenApp 5.0 to Xenapp 7.6 Upgrade / Migration Part 3

XenApp76-e1412349289803

This is a follow-up to the previous two posts for migrating to XenApp 7.6 from a XenApp 5.0 farm.

https://maaadit.wordpress.com/2015/09/10/xenapp-5-0-to-xenapp-7-6-upgrade-migration-part-1/

https://maaadit.wordpress.com/2015/09/11/xenapp-5-0-to-xenapp-7-6-upgrade-migration-part-2/

Installation and configuration of a new XenApp 7.6 site can go smoothly if we prepare for it.  The following XenApp 7.6 free training courses and videos are a good place to start; for those with prior Citrix experience, it may be enough for a successful deployment.

CXA-105 XenApp and XenDesktop 7.6 Foundations

http://training.citrix.com/mod/ctxcatalog/course.php?id=974

CXD-300eCW Deploying App and Desktop Solutions with Citrix XenApp and XenDesktop 7.6

http://training.citrix.com/mod/ctxcatalog/course.php?id=1102

XenDesktop Master Class: Live Install of XenDesktop/XenApp 7.6

wpid-wp-1441300745604.jpeg As with any other deployment, I find it useful to first make a diagram of the existing network/ server infrastructure to visualize what the current farm looks like.  I then conceptualize the server infrastructure for the new XenApp 7.6 Site by listing the various servers and how they will interact with other XenApp 7.6 servers/ components.  It is not something that you will be presenting at the next board meeting so don’t cringe your teeth just yet.  It’s merely an exercise to identify the various components and plan which servers will be allocated for which services in the new 7.6 site.

Using the same scenario from the previous two posts, our migration is well underway after the License Server component installation as discussed in Part 2.  Assuming the Domain Controller/s, File Server/s, and Print Server/s are already in production, we start by understanding what other infrastructure must be in place for a simple Xenapp 7.6 deployment.

The 7.6 Site will be composed of the following:

  • Delivery Controller

For those coming from XenApp 5.0, the Delivery Controller in XenApp 7.6 is sort of like the Data Store in a XenApp 5.0 Farm.  Citrix Director and Citrix Studio are installed along with the Delivery Controller.  Citrix Studio is where you can create, configure and manage your new site.  Citrix Director is a great tool for viewing all sorts of information and statistics regarding your XenApp 7.6 site and includes administrative tools such as shadowing users, logging off sessions, and placing VDA servers in Maintenance Mode to disable user logons.  It is recommended that the Delivery Controller be installed on a separate server; for high availability, it is also recommended to have more than one Delivery Controller.

  • SQL Express

SQL Express is the database that contains all the site’s data; it is created during the Delivery Controller installation.  If you already have an existing SQL database, you can point to that instead for backup and maintenance purposes.  In our scenario, the SQL Express database is created during the DC installation and resides on the same server.

  • License Server

The License Server component handles product licensing for XenApp 7.6.  Note that XenApp 7.6 no longer uses Terminal Server licensing; instead it uses Remote Desktop Services.  An important thing to keep in mind is that every VDA machine in the XenApp 7.6 site needs to point to the License Server.  You can achieve this through the VDA server’s Local Group Policy as explained here.

To set the correct license server and the mode it is operating in, we need to use a (local) group policy or change it directly in the registry.

The group policy setting the Remote Desktop licensing mode is located in:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

  • StoreFront

The Citrix StoreFront, for those coming from XenApp 5.0, is sort of like the Secure Access Gateway.  It is what the user connects to in order to access site resources such as applications and shared desktops.  It is recommended that you install two or more StoreFront servers for high availability.

  • XenApp Worker/s (Virtual Deliver Agent)

The Virtual Delivery Agent (VDA) is the XenApp 7.6 component installed on all servers that will be hosting applications and/or shared desktops.

Note that in order to run the XenApp 7.6 installer all servers on which the above listed components will be installed must already be added to the domain.  Prerequisite Windows Server Roles are installed automatically during the XenApp 7.6 installation with the exception of the License Server.  Prior to installing the License Server component, you must add the Remote Desktop Services Role – Remote Desktop Licensing.

The first XenApp component to be installed in our scenario is the License Server.  A not so robust server has been allocated for this purpose.  That same server will also house Citrix StoreFront as these are not generally resource intensive services for a small 300+ user organization.

Next up is installation of the Delivery Controller for which we allocate another server.  While a separate SQL server is recommended for larger deployments and to support mirrored backups, our small XYZ company wants to keep it simple.  Thus, SQL Express will be installed along with the Delivery Controller.

Lastly, XenApp 7.6 Virtual Delivery Agent is installed on each of the servers that will host shared desktops.  I find it helpful to have an application list I can use to make sure that all servers have the same applications installed.

XenApp 7.6 overall step by step installation instructions are included in the video above.  I found the video in Part 2 more useful when installing the License Server Component.

Once all required XenApp 7.6 services are installed we can move on to creating a new site.  As mentioned prior, we do this through Citrix Studio.  I like using the Full Operational Site option.  Since our deployment is quite simple and we are using physical servers, we select the No Machine Management option.

Next, we create our StoreFront. The following video details installation instructions for Citrix StoreFront.

In order to deliver applications and Server OS shared desktops to our users we will need to create a Machine Catalog and Delivery Group.  The Machine Catalog includes the VDA servers that will be hosting apps and desktops.  The Delivery Group is sort of like a group object where you add Active Directory users.  VDA servers are allocated to a Delivery Group from a Machine Catalog.

Lastly, we create Citrix policies for things such as Twain Redirection for scanner support and to add session printers.  Citrix User Profile Management is included in the VDA installation.  In our scenario, that was already in place through Group Policy.  Our XYZ company users are able to launch their shared desktops by using Citrix Receiver 4.3, 4.1 and also using the legacy PN Agent.

As always, it is useful to note the steps and options selected while creating and configuring your XenApp 7.6 site to easily back track or to use as a checklist for future installations and/or modifications.

#citrix, #citrix-receiver, #publisheddesktop, #storefront, #vda-7-6-0, #virtualization-2, #windows-server, #xenapp-7-6-2

Citrix XenApp StoreFront – Disable Reciever Client Check and Download

Being on Citrix XenApp StoreFront 2.6 is better than the previous XenApp 5.0 Web Interface.  The user interface is cleaner; it has a professional look and feel.

StoreFront checks for Receiver client upon first visiting the Site.  Our clients were using Receiver 4.3 to launch applications and the Chrome browser to access the site.  The problem was that Citrix XenApp StoreFront prompted the user to Install the client software rather than going straight to the login page.

Although not a big issue for technically savvy users, our less technically advanced staff would click Install rather than Logon causing a huge spike in our bandwidth starved environment even while receiver was already installed on the client.  The data bottleneck that resulted from multiple unnecessary downloads caused session errors for other users already logged in.  In addition to that, it affected VOIP communications and quite possibly, caused our main router to crash a few times (outdated firmware).

Fortunately, we were able to disable client detection / download in Citrix Storefront by following the steps outlined here except for executing the IISRESET command.  For some reason that was not necessary in our case and changes took effect immediately.  I took the precaution of backing up the file first.

StoreFront – Disabling Client Detection
Disabling Client Detection

This article provides the steps to disable client detection on a Citrix StoreFront web site by performing the following steps.

Logon to the StoreFront Server as an administrative account
Open Windows Explorer and navigate to thec:\inetpub\wwwroot\Citrix\{Your StoreFront Site Name}Web

E.G. c:\inetpub\wwwroot\Citrix\My-App-StoreWeb

Edit the web.config file on Notepad
Search for the line :-

<pluginAssistant enabled=”true” upgradeAltLogin=”true”/>

Change the <pluginAssistant enabled=”true” to <pluginAssistant enabled=”false”

Save and Exit the web.config file
Open a Command Prompt and execute IISRESET to restart the World Wide Web Service

Repeat the steps above on all StoreFront Servers in the Server Group

#citrix, #citrix-receiver, #storefront, #storefront-2-6, #xenapp-7-6-2

Xenapp 5.0 to Xenapp 7.6 Upgrade / Migration Part 2

This is a follow-up to Xenapp 5.0 to Xenapp 7.6 Upgrade / Migration Part 1.

In the scenario explained in Part 1, we already have a functioning XenApp 5.0 Farm and are moving to XenApp 7.6.  The XenApp 5.0 Farm already has a License Server.  The old License Server in the Farm will not be able to service the new XenApp 7.6 Site because it is an older version.

There are two options when upgrading from Xenapp 5.0 to Xenapp 7.6 in regards to licensing.

  1. You can install a brand new License Server
  2. You can upgrade the old License Server

The second option will not be recommended for our scenario since our Xenapp 5.0 License Server is installed on a XenApp server that is also delivering published desktops to users.  Additionally, it is running on Server 2008 and we want our entire Citrix XenApp 7.6 site to be on Server 2012.  It is possible to upgrade the old License server and leave it on the Server 2008 platform and uninstall all other XenApp 5.0 components but we would like a fresh new install 🙂

Installing a new License Server will not invalidate your old 5.0 Farm License Server so breath easy.  What’s more, the newer License Server version installed with XenApp 7.6 is backwards compatible, meaning that you can point both your Xenapp 7.6 Site and your old Xenapp 5.0 Farm to the same License Server; this is what is recommended as to not infringe on the license agreement.

Once you know which server will be the License Server, you can go to your Citrix account to activate and allocate or reallocate your licenses to the new server using the server host name.  After doing so, the files needing to be imported to the new License Server will be available for download.  All the while, your old License Server is functioning as normal.

You will now have to install the License Server component on the server to which you have allocated the license files.  One thing to keep in mind is that you must install Remote Desktop Services through the Add Server Roles and Features prior to installing the License Server.  Citrix has done an awesome job of adding server roles and features for you during the installation of all other XenApp 7.6 components with the exception of the License Server.  The following video shows how to install Xenapp 7.6 License Server step by step.

After installing the License Server from the XenApp 7.6 installation disc you will need to import license files (downloaded previously from Citrix) through the License Administration Console and select Overwrite License File on License Server.  The LAC login will be the Domain Admin credentials.  After importing, clicking on Reread License Files should make them show up in Dashboard.  For detailed instructions you can Google How to Add Allocated Licenses to the License Administration Console.  The official Citrix support article will walk you through it step by step.

#citrix, #citrix-receiver, #publisheddesktop, #shared-desktop, #storefront, #vda-7-6-0, #virtualization-2, #windows-server, #xenapp-7-6-2