Archive for December, 2011

Install an Enterprise Certificate Authority in Windows 2008 R2

December 23rd, 2011 No comments

based on:

How to set up an enterprise certificate authority (CA) in a Windows Server 2008 R2 Active Directory domain.  The steps needed to configure this are fairly simple and straightforward.  Having your own CA is useful for testing SSL and other services that require certificates without the need to purchase certificates from a third party.  However, these certificates will not be automatically trusted by computers external to your AD domain, so there are some limitations.

First, start the Server Manager.


Click Add Roles under Roles Summary.

Check the Active Directory Certificate Services role and click Next.

Under Role services check Certification Authority and Certification Authority Web Enrollment.  The Web Enrollment service is useful if you choose to make requests for certificates from computers that are not members of your AD domain.  If you have not yet installed all of the IIS components the Web Enrollment service needs, it will ask for prerequisites to be installed.  Go ahead and accept these, then click Next.

Keep the default and use an Enterprise CA, click Next.

This if my first and only CA, so I’ll choose Root CA and click Next.

This is a new CA without existing keys so select Create a new private key and click Next.

Keep the default CSP, hashing method, and key length and click Next.

Keep the defaults and click Next.

Click Next.

Accept the default database locations and click Next.  Then at the confirmation screen click Install.  Done!

Categories: Uncategorized Tags:

Installing EdgeSight Server 5.3 with SQL Server Express 2008 Express on Windows Server 2008 R2

December 20th, 2011 No comments

based on:

EdgeSight is an essential part of a modern XenApp implementation, though only Platinum customers get the full blown version.  In Citrix’s usual way these are named “Advanced” and “Basic” – there’s never a “normal” one anymore, is there?!

Anyway, if you need the Advanced features you can install a test system for a couple of weeks and join a freshly installed XenApp server to it – you get a 14 day grace period followed by a 7 day allowed “violation” period before it stops working.  Bear in mind you can have multiple EdgeSight servers, though an individual XenApp server can only see one at a time.  Whether to have the EdgeSight Agent installed on every server is an interesting question – it does create an overhead – but without that overhead you might not realise your server is overloaded.

Below are basic instructions on installing an EdgeSight 5.3 server to monitor a XenApp 6 farm, though to be honest they are mostly the same as the instructions for EdgeSight 5.2 for XenApp 5 on Server 2008 R1.

I’m using SQL Server 2008 Express.  Express does work with EdgeSight, with the exception of Scheduled Reports, which rely on the SQL Agent, a feature of full blown SQL Server.  Bear in mind that the use of SQL Express is not supported, and depending on how much data you keep its 2gb limit on databases could be a serious issue.  For a temporary system to run in Advanced mode for a fortnight though, its going to be fine.

In this example I installed EdgeSight and SQL on a single server – this might not be a good idea.

I did this install with UAC turned off.


Preparing SQL – Install SQL Express 2008 with Advanced Features

You need the Advanced Features if using Express as you need Reporting Services.  If you’re installing full SQL Server, install the Reporting Services components.

Download from:

Run the installer (as Administrator). Click Installation on the left and then select “Next sql server stand-alone installation…”


Ignore the warnings about SP1 if you’re on Server 2008 R2 – you can install this afterwards

Accept the license terms and continue through install accepting the defaults.

Run install and select Reporting Services, Database Engine, Client Tools.


Accept defaults on the Instance Configuration screen, choosing a named instance of SQLExpress. Click Next, Next.

Click “Use the same account for all SQL Server services” and enter a domain user created for the purpose.  This domain user should be an administrator on the server.


Click Next. Set to Mixed Authentication and set the SA to something you will remember.  Setup the administrators to something sensible.

Click the Data Directories tab. Set all Data directories to c:\MSSQL except backup – set to c:\MSSQL\Backup.  Okay, so you don’tneed to do this, I just like to keep the data somewhere easy to get to, not buried in Program Files.


Accept the rest of the defaults until you get to the main Install, which should take a few minutes. Close the installer when finished.

Download and install the “Microsoft SQL Server 2005 Backward Compatibility Components” for the version of SQL 2008 you have installed (its part of the feature pack). The x86 version (should you need it – if this is Server 2008 R2 you should be using x64 software though) is at:

The x64 version is at:

This is because the SQL-DMO Objects are required but not installed in SQL Server 2008.

Finally, update your SQL installation to the latest service pack.  At the moment this is SP1 (x64 edition) – this will take a while.


Installing Edgesight

Turn off IE ESC – Enhanced Security Configuration.  This is because the last stages of setup use the local browser, though you could use a browser on another system if you really wanted to.  It is turned off in Server Manager or group policy – click here for detailed instructions.

Download EdgeSight 5.3 or extract the XenApp 6 media and run Autorun

If getting it from the XenApp 6 media, click Manually Install Components, Server Components, Application Performance Monitoring, EdgeSight Server


By default a server will not have the necessary pre-requisites and will probably come up with these messages:




Go to Server Manager, select Role Manager. Click Add Roles, select Web Server and go on to choose its components. Select Application Development (with default sub-components), Windows Authentication, IIS 6 Management Capability. Click Next and Install.

In Server Manager again, add a Feature – Message Queuing, with default options.

Reboot and try again.

Select Website and Database assuming this is a new system


Accept the EULA

Enter your SQL details and click Test Connect. If you have used the full version of SQL you probably just need to put the server name, otherwise SQL Express or another named instance will need the instance name. Use the sa password to connect and test the connection.


Assuming this is a new installation, create a new database. If not, you should be able to join an existing one.


Enter a domain username and password to connect to the database.  Personally I make this an administrator on the server and a sysadmin of the SQL Server instance.  I’m not sure if these steps are needed I’m afraid.


Choose defaults for the recovery model and paths, and click Install.

At the end, click Finish to load the website. Make sure again that IE ESC is off!


Click Next to start creating your Company (which is the way that EdgeSight will organise a group of servers).


Enter the name of your super administrator – this can be a group or a person but should be something you will remember. EdgeSight can be tied to active directory but you will need to be able to get in this account too.

Enter the SMTP details for the server to send out mail as well.

Enter your licensing details and the level of EdgeSight Agent to support.


The license server needs to be v4.5 or higher. If you have platinum XenApp you can use the Basic And Advanced Agents. If you have Advanced or Enterprise you can only use the Basic clients unless you have specifically bought Advanced EdgeSight Agent licenses.

Note you do not actually need to get these details right to click next, so if your license server is not ready (or will never be ready and you are just building a temporary server) you can continue in the grace period for 14 days. You will get a message on every screen in EdgeSight saying there is a problem with the license server until valid details are entered.

Click Next when done and you will see the main login screen. Enter the Super User credentials to log in.


Open another IE window on your server and go to http://localhost/Reports_SQLEXPRESS/Pages/Folder.aspx?SelectedTabId=PropertiesTab

Fill in as below:


Go back to your new EdgeSight website and enter the username and password you just gave admin rights to the database. Enter the URL as:


Obviously, put in the name of the server instead of “sqlservername”.

You should then see a popup window which will run through setting up EdgeSight in Reporting Services. It will error at the end if using SQL Express with “Error publishing default schedules…” – this is because SQL Express does not support this functionality.


Configuring a XenApp Server to use the EdgeSight Server.

Install the client on the server and reboot (yes, you need to reboot).

Go to control panel and switch the view from Category to Small Icons or Large Icons.

Click Citrix System Monitoring Agent


Click Mode to change between Advanced and Basic, depending on your license.


Click the EdgeSight server tab and enter your server name – should still be port 80 unless you changed it. Obviously, it needs to be able to contact that server on that address.

Click OK and within about 5 minutes you should see an email about the new instance that has been discovered, assuming you set up the emailing details properly.

In the EdgeSight website, look in Configure > Devices to try to find your device. If you can’t see it, look in Configure > Unmanaged Devices


This should be enough for a basic implementation of EdgeSight.  There is a lot of work to do if this is going to be a fully fledged systems monitoring a lot of systems, and the size limitations of SQL Server Express will mean that in long term use you might need to adjust the Data Grooming settings.  By default they keep data up to 30 days – I’ve had to set this down to 7 days before.  If its full SQL, kiss goodbye to a lot of disk space instead.

You can also link it into Active Directory and administer it with your normal account, but hang onto the Super Administrator username and password in case it has trouble connecting to AD in the future.

Categories: EdgeSight Tags:

Set up License Server in XenApp 6

December 17th, 2011 No comments

Farm and server settings are now configured via the Policies node.

Click Policies, then click the Computer tab; you will see an unfiltered policy. Click on the Settings tab in the policy detail pane (lower section of Policies pane), select Licensing in the Categories list. Here you can indicate the License Server hostname and port number.

This settings, like all of the Citrix Policy settings, can be set in any GPO. So if you are using multiple farms, you can set the license server in a GPO and apply it to a department, site, or even your entire organization, depending on how your OUs are defined in Active Directory.

Categories: XenApp Tags:

How to Load Balance Citrix Web Interface with NLB

December 12th, 2011 No comments


Every Citrix Web Interface Server (WI) without any form of load balancing is a potential single point of failure in your environment. Network Load Balancing is available in both the Standard and Enterprise Editions of Windows 2008 so there shouldn’t be to many excuses for not implementing. This picture tutorial will take you through the process of creating a Network Load Balancing Cluster for your Citrix Web Interface Servers.

IP Address Overview :


Configure Citrix Web Interface :

  1. Assign static IP Address to both nodes in the NLB Cluster
  2. Install and create a Site on Citrix WI on Node A
  3. Install and create a Site on Citrix WI on Node B
  4. Customize, test and replicate WI Site from Node A to Node B
  5. RoboCopy c:inetpubwwwrootCitrix \winlb2c$inetpubwwwrootCitrix /MIR


Configure Network Load Balancing :

Network Load Balancing NLB 01 300x189 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 02 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 03 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 04 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 05 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 061 300x278 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 07 243x300 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 08 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 09 300x189 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 10 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 11 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 12 300x279 How to Load Balance Citrix Web Interface with NLB

Network Load Balancing NLB 13 300x188 How to Load Balance Citrix Web Interface with NLB

Categories: Web Interface Tags:

Add a static IP route

December 12th, 2011 No comments
Add a static IP route

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


To add a static IP route

  1. Open Command Prompt.
  2. At the command prompt, type:route adddestinationmasksubnetmaskgatewaymetriccostmetricifinterfacewhere:

    Static IP route entry Definition
    destination Specifies either an IP address or host name for the network or host.
    subnetmask Specifies a subnet mask to be associated with this route entry. If subnetmask is not specified, is used.
    gateway Specifies either an IP address or host name for the gateway or router to use when forwarding.
    costmetric Assigns an integer cost metric (ranging from 1 through 9,999) to be used in calculating the fastest, most reliable, and/or least expensive routes. If costmetric is not specified, 1 is used.
    interface Specifies the interface to be used for the route that uses the interface number. If an interface is not specified, the interface to be used for the route is determined from the gateway IP address.

    For example, to add a static route to the network that uses a subnet mask of, a gateway of, and a cost metric of 2, you type the following at a command prompt:

    route add mask metric 2


  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
  • To make a static route persistent, you can either enter route add commands in a batch file that is run during system startup or use the -p option when adding routes.
  • Routes added by using the -p option are stored in the registry under the following key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters\PersistentRoutes
  • All symbolic names used for destination or gateway are looked up in the network and computer name database files (Networks and Hosts), which are stored in the local systemroot\System32\Drivers\Etc folder.
  • If a route addition fails, you can use the tracert command to verify that the gateway specified is directly reachable from the same subnet as this computer.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

[download id=”1″]

Categories: Networking Tags:

How to Install Citrix XenServer from a USB Key

December 12th, 2011 No comments

by michael o’neill

1. Format USB key with Fat32

2. Download the latest copy of “syslinux” and extract it

3. Open a command prompt and change directory to your extracted ‘syslinux\win32′ folder

4. Run ‘syslinux.exe X: ‘ replacing “X” with the drive letter of your USB drive to make the USB bootable

5. Extract the “XenServer-6.X.X-install-cd.iso”

6. Copy the contents of the extracted “XenServer-6.X.X-install-cd” folder to the root of the USB

7. On the USB drive, copy the contents of the /boot/isolinux folder to the root of the USB

8. At the root of USB drive, rename the ‘isolinux.cfg’ file to ‘syslinux.cfg’

9. At the root of USB drive, rename the ‘isolinux.bin’ file to ‘syslinux.bin’

Categories: XenServer Tags:

The facts about the Citrix Access Gateway, the Generic hardware it’s built on, and running it in VMware

December 12th, 2011 No comments

by Brian Madden

There is a lot of (mis)information out there about the Citrix Access Gateway (Citrix’s SSL VPN appliance) with regards to how it works and whether you can make your own in VMware. In this article I plan to clear up all the uncertainty with real information and real facts, both from the technology and legal standpoints.

The Citrix Access Gateway “Appliance”

Citrix calls their Citrix Access Gateway (CAG) an appliance. The term “appliance” has many uses in the IT world, but the essence of the term is that an appliance is an IT device that you turn on and it just works. Period.

When people think of an IT appliance, they mostly think of things like routers or firewalls or wireless access points. They don’t think of Pentium-based Windows or Linux servers. Of course a router and a Windows Pentium server have many things in common. They both have CPU, memory, and an OS stored on some kind of media. The main difference is that an appliance usually has a custom or real-time OS that is stored in NVRAM as opposed to something like Windows stored on a hard drive.

The CAG is an appliance in practice. What that means is that it is used like an “appliance,” although some might argue that calling it an “appliance” is a stretch. Consider these facts:

  • Fact: The Citrix Access Gateway hardware is a standard off-the-shelf server made by Supermicro that can be bought anywhere. (It’s a Supermicro SuperServer 5013C-M.)
  • Fact: This particular Supermicro server configuration includes an Intel P4 processor, 1GB of memory, a 40GB hard drive, a CD-ROM drive, and a floppy drive.
  • Fact: The operating system that powers the Citrix Access Gateway is a hardened version of Linux. (Hey, doesn’t the GPL specify that Citrix needs to give away their source code with this? ..That’s an article for another day.)

My point is that the Citrix Access Gateway is not an “appliance” in the truest sense of the word. It’s just an Intel server running Linux that’s supposed to be treated like an appliance. Fair enough.

The 227% Citrix “Tax”

The Supermicro 5013C-M chassis can be bought online for about $600. Throw in another $500 or so for the memory, hard drive, and CPU, and you’re looking at about $1100 in hardware. Citrix charges $2500 for this $1100 device (except they also throw in a custom plastic bezel that snaps on the front that says “Citrix”).

So is it fair for Citrix to take an $1100 device and mark it up over 200%? That depends on your perspective. On one hand, Citrix has put considerable time and effort into the software that runs on this device. So in essence the $2500 Access Gateway can be viewed as a pass-through cost of $1100 for hardware plus $1400 for the CAG server software.

The problem with that line of thinking is that it doesn’t really jive with the licensing policies in the rest of the Access Suite. (The CAG is part of the Citrix Access Suite.) In the rest of the Citrix Access Suite, the licensing is such that you pay for each concurrent user, and then you are allowed to build as many servers as you want to support your users. From a licensing standpoint, there’s nothing wrong with buying 10 user connection licenses and then building 20 servers. As long as you don’t have more than 10 concurrent users across all 20 of your servers, you’re legal.

The CAG’s user-based licensing is no different. That $2500 for the CAG is for the hardware only—that $2500 does not include any connection licenses. In other words, for $2500 you buy a Taiwanese paperweight. If you want to actually use the thing then you need to buy connection licenses which start at $90 per user.

So in that sense, the CAG is no different than the other members of the Citrix Access Suite, and Citrix makes their licensing money off of your connection licenses, just like the other products in the suite.

So can I just build my own CAG on my own hardware?

What makes this more interesting is that the CAG “appliance” ships with a CD-ROM that, when booted, will wipe out and image whatever device it’s inserted into. Also, when you download updates to the CAG from Citrix, you can actually download ISO images that you are instructed to burn onto a CD-ROM. The upgrade process is to insert the CD-ROM into your CAG “appliance” and then to restart it. The CD-ROM re-images the appliance with the new CAG image.

This leads to an interesting question. Is it okay to buy a Supermicro SuperServer 5013C-M, a P4 processor, a 40GB hard drive, and a gig of RAM and make your own CAG while saving about $1400 in hardware costs?

From a legal standpoint, the answer is “No.” The license agreement that is included with the Citrix Access Gateway software clearly states that you can only use the server software on a device with a CPU that you bought from Citrix.

From a technical standpoint, however, there is nothing stopping you from doing this.

Before I go on, I understand that a lot of people at Citrix will be upset to read this. It is in Citrix’s interest (for valid reasons that I will get to in a moment) for the community to view the CAG as a real appliance and not as a Supermicro 5013C-M running Linux. However, Citrix not admitting this does not make it less true, and it does not stop the rumors from half-informed people that are easily uncovered via basic Google searches. So I view my purpose to get ALL the REAL information out there—technical possibilities, legal ramifications, and why you wouldn’t want to do this on your own.

Also, while I’m off on this tangent, in case anyone is wondering whether I “hacked” or “reverse engineered” my CAG to figure out that it was a Supermicro 5013C-M, the answer is “no.” I just turned it over and read the sticker from Supermicro that had the specific make, model, and serial number.

When will Citrix start enforcing the use of their own hardware?

Some people have suggested that Citrix might start building a custom BIOS or some other mechanism into these servers to ensure that the CAG software is only installed onto a server that was purchased from Citrix. The problem with this is that there are thousands of these CAGs in the field now that do not have custom BIOSes, so if Citrix started making a protected version of their CAG server software then they would have to do field replacements of all the current devices.

A more likely outcome is that Citrix will release a new CAG that’s based on NetScaler hardware (more of a “real” appliance) that will be a different platform, and the current CAG will be end-of-lifed. I think they’re planning on calling this a NetScaler 2000 series, although I need to do more research to work out all of these details.

The bigger question is why does Citrix care about whether you use their server or a generic server (besides the fact that they are undoubtedly making several hundred dollars in profit for each CAG device they sell)? The main reason has to do with support. Can you imagine the nightmare it would be for Citrix support if they publicly endorsed, encouraged, or even acknowledged that you could install a CAG onto non-supported hardware? They would have to ask people on the phone about the type of device they’re using, and the callers would probably lie anyway.

What about installing the CAG into a VMware session?

The last “fact” that I want to discuss has to do with running the CAG in a VMware session. Again, let’s be perfectly clear about two facts here:

  • Fact: It is possible to run a CAG in a VMware session.
  • Fact: Citrix is doing this internally for testing and training purposes.

Should you do it? No. Why not? Because it violates the license agreement as it’s currently written.

Since the Supermicro 5013C-M server is just a pretty generic Intel server, it is possible to build a VM with similar specs to the CAG and then to “boot” the CAG installation CD-ROM to install the CAG into that VM. (Just configure the appropriate NICs in the VMX file and you’re all set.)

Remember though that doing this is a direct violation of the Citrix license agreement. But again I wanted to be clear here that this technically works since it’s easy to find descriptions of this via Google, and unfortunately those descriptions don’t include the full legal and technical conversation presented here.

The other important fact about running a CAG server in a VM is that performance would be terrible. Without getting into all the details, the short explanation is it has to do with the fact that the virtualization layer has to translate TCP/IP calls between the various virtualized and physical processor ring layers on the host, and this gets expensive in terms of performance. (This performance problem goes away in the new Vanderpool Xeon CPUs, but those are so expensive that you might as well just buy a CAG.)

Categories: Access Gateway Tags:

How to set up NFS on Ubuntu

December 12th, 2011 No comments

from Ubuntu Docs


The required packages are different depending on if the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.

  • NFSv4 client
    # apt-get install nfs-common
  • NFSv4 server
    # apt-get install nfs-kernel-server

After you finish installing nfs-kernel-server, you might see failure to start nfs-kernel-server due to missing entries in /etc/exports. Remember to restart the service when you finish configuring.

For the error message:

mount.nfs4: No such device

You will have to load the nfs module with the command

# modprobe nfs


NFSv4 without Kerberos


NFSv4 Server

NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option. Here is some additional information regarding this fact.

  • Let’s say we want to export our users’ home directories in /home/users. First we create the export filesystem:
    # mkdir /export
    # mkdir /export/users

    and mount the real users directory with:

    # mount --bind /home/users /export/users

    To save us from retyping this after every reboot we add the followingline to /etc/fstab

    /home/users    /export/users   none    bind  0  0
  • In /etc/default/nfs-kernel-server we set:
    NEED_SVCGSSD=no # no is default

    because we are not activating NFSv4 security this time.

  • In /etc/default/nfs-common we set:
    NEED_GSSD=no # no is default
  • To export our directories to a local network add the following two lines to /etc/exports
  • Be aware of the following points:
    • Setting the crossmnt option on the main psuedo mountpoint has the same effect as setting nohide on the sub-exports: It allows the client to map the sub-exports within the psuedo filesystem. These two options are mutually exclusive.
    • Note that when locking down which clients can map an export by setting the IP and subnet mask, does not work. Either do not set any subnet or use /24 as shown. Can someone please provide a reason for this behaviour?
  • Restart the service
    # /etc/init.d/nfs-kernel-server restart

    On ubuntu 11.04 or later you may also need to start or restart the idmapd with:

    # start idmapd   # or...
    # service idmapd restart


Categories: Ubuntu Tags: