I hosted a spontaneous and altogether rather successful BBQ yesterday… even if I do say so myself.

When I host an event like that I like to ensure the music being played caters for the wide and varied audience that may be coming; music makes it for a lot of people, who I choose to call friends! Having a relatively large house (1900s Edwardian “Villa”) and a (personal) need to pump music into the kitchen, dining room, lounge and garden, I had to look for a good solution with little effort and little expense, since it was spontaneous and I only had a couple of hours before guest arrivals. No waiting for hardware deliveries this time!

Let it be known, I’m a huge Mac fan and I’m not embarrassed to tell you. My music library is on my Mac Pro in the office via iTunes, an iMac G5 in the kitchen and a Mac Mini in the lounge for Home Theater / Freeview DVR and a couple of Apple Airport Express units. With the traditional use of Airtunes on the Airport Express units, I had the instant ability to pump music *simultaneously* to only two rooms, not four.  Until, that is, I came across the rather splendid AirFoil.

I seem to remember looking at this before but I essentially saw it and bought it as soon as my quick Google search brought it up!

What AirFoil does is allow you to hijack the audio feed from a source on one Mac (or Windows PC, there is a Windows version) and send that audio stream to compatible and active devices on your network, wired or wireless. In this case both my Express devices and my remote Macs. I was able to send music to the 4 locations I needed, all simultaneously (could not discern any delay between rooms or outside), and all controlled from one source. That source was then controlled by my iPhone so I could be DJ whilst being the Chef! Winner.

The remote part of the equation is an application called Airfoil Speakers, which essentially turns your remote Mac/PC into an Airport Express (Airtunes) device, so the audio output of the computer is pumping out the audio from the central source! What’s more, you can switch each of your remote speaker locations on/off when you want, should it rain or the neighbours complain and you need to take the party indoors :)

I recommend you check this software out at Rogue Amoeba http://rogueamoeba.com/airfoil/mac/ to see for yourself.

The demo version, which you can download for free, is limited to 10 minutes, but for $25 or £15 you can get the full version (PayPal accepted) and you get the license key immediately!

I haven’t tried this yet, but there is an AirFoil Speakers application for your iPhone, so if you’re connected to the WLAN, you can listen to the music on your iPhone or iPod Touch too, or plug that into an amplifier and get big sounds.

Happy listening all over!
PL

It’s been quite some time since I last could be bothered to blog anything, but I thought I’d finish this one off in case anyone cared!  The upgrade process works a charm, even though the process is a little convoluted.  I’m happy with it, to say the least!

As a recap, the upgrade is based on Windows 2003 Server, Citrix PS4.0 going to XenApp 5.0.

As an additional complication, we are moving from an Oracle datastore on PS4.0 to SQL Server on XenApp 5.0. This is a “complication” because we don’t want to upgrade any data in the Oracle datastore and want to keep each instance dedicated to its specific version, i.e. no XenApp 5.0 tables/data in the PS4.0 data store.

In a nutshell…here’s the order of events, split into three areas, which incidentally coincide with the reboots on the server: -

  1. Preparation and Upgrade
  2. Supplemental Tools & Configuration
  3. Farm Membership

Preparation & Upgrade:

  • Disable logins, enter Installation Mode (for good measure)
  • Change farm to an interim SQL farm, created purely for the upgrade process
  • Promote Network Service to Administrator privileges
  • Stop some system services to speed up the process.
  • Stop/Kill Citrix Print service as it can screw with the upgrade installation
  • Remove UPHClean v1.6
  • Remove JRE 1.4.x
  • Remove Visual C++ Runtime
  • Remove EdgeSight v4.x Agent
  • Install .Net Framework 3.5
  • Install JRE 1.6.13 (including compatibility tweaks)
  • Install Visual J# v2.0
  • Install Visual C++ Runtime 2005
  • Install XenApp 5.0 (yeah baby)
  • Install all ASC components
  • Reboot

As Alexander Orlov would say “simples” – yeah right.

Supplemental Tools & Configuration

  • Install Roll-Up v04
  • Install Edgesight Agent v5.0 (set service to manual in CL)
  • Install UPHClean 2.0
  • Move profile folders from C:\Documents & Settings to other non-system partition
  • Set/Confirm ICA and RDP settings
  • Set/Confirm TSCAL Server(s)
  • Re-Apply ACLs on all partitions
  • Clean up log files
  • Set Citrix services startup account to Local System where necessary
  • Demote the Network Service
  • Reboot

Farm Membership:

  • Change Farm from temporary SQL hybrid/upgrade farm to permanent SQL XenApp farm
  • Set License Edition to Enterprise (which we still use)
  • Reboot

Did  I mention it was a little convoluted?

I think I did.

Let me know if you want any of the specific details posting.

PL

Have you seen this – a really cool collection of Citrix product documentation in one handy location.

Link

Really good for picking out information you might need in a fraction of the time!

PL

I haven’t posted for a little while because I was having some problems with the upgrade process!

Previously seen working on a server which I was forced to relinquish, the process kept bombing out with the dreaded 26005 error, as seen all over the Citrix Forums.

Sure, it’s well documented but I couldn’t find the specific reason for it on our build…until today.

It’s all about the Network Service, as you will probably be shouting at the screen but this one was something I hadn’t expected.  For some reason, our build “engineers” had the good grace to set some explicit permissions on the D: partition from root and throughout the tree for the Network Service account to have read-only permissions, so even if it was elevated to Administrator privileges, the file permissions were winning and the installation was failing!

A quick CACLS command later, providing temporary change permissions and we were once again onto a winner!

I’ll regroup and provide more information in a further post…very soon…PL

Some nice work by SynJunkie. A blog in 4 parts, so far…

Check it out <here>

Whether you’re a GPO user or have taken on-board AppSense or some other such tools, I suggest this will give you areas to concentrate your security on.  I will be checking my current AppSense configurations to see if we are suitably covered!

PL

OK, so we have ourselves a task ahead of us…no mistake.

In order to perform an upgrade-in-place solution, we are going to be doing some pretty extraordinary things.

Our situation is:

  • Currently running Development and Production farms in PS4.0, connecting to an Oracle IMA data store
  • Want to upgrade the PS4.0 fleet to XenApp 5.0
  • Not able to do this in a single hit(!) due to various business groups accessing the applications, testing schedules etc.
  • Need to protect the current PS4.0 farm so that any upgrades do not affect the day-to-day operations of those not yet migrated
  • Want to stop using Oracle and switch to SQL for the IMA data store
  • Want to do this in a hands-off unattended manner!  Yes…you heard me right

Anyone out there done this?  I very much doubt it!

Anyone in the same situation, again, maybe doubtful but if so….read on….I have the answer!

Upgrading from PS4.0 straight to XenApp 5.0 will mean that you will introduce XenApp 5.0 tables & components into your PS4.0 data store, which is something I for one want to avoid as this *may* have unknown consequences on the data store.  Having had a corrupted DS in the past, I’d rather avoid this possibility.

The trick is to create an intermediary “farm” data store and move your server to this space before performing the upgrade, then when XenApp 5.0 is successfully installed, we move it to the permanent XenApp 5.0 farm.  It does sound like a complex series of events but it works.

The PS4.0 farm simply thinks a server has been removed – the “migration” or “middleman” farm doesn’t much care, and the XenApp 5.0 farm just thinks it has a shiny new XenApp 5.0 server connecting when IMA is started.

Of course if it was as simple as that I’d probably not really write about it.  There are some nuances (aren’t there always) about making it work.  I’ve had to read quite a bit about some of the behaviors of XenApp in the knowledgebase and the usual web resources to get round what I was seeing but I got there in the end and I hope I can depict some of the steps here.

Prerequisites:

  • You have servers in PS4.0 farm to migrate!
  • “Migration Farm” has been created with a “create farm” routine on a dummy test server – this creates the table space on your blank SQL database.
  • Destination XenApp 5.0 farm has been created on the SQL database and can be joined by new servers
  • You have sufficient license on your license server
  • You have administrator rights to all above farms and servers

Step 1:

Assumptions are that you have no sessions on the server and logons are disabled!

Change farm to the “Migration Farm”

Command line:

CHFARM /quiet /joinfarm /ddsc:SQL Server /zone:Migrated /odbcuser:USERNAME /odbcpwd:PASSWORD /dsnfile:Migration.dsn

The Migration.DSN file points to the temporary SQL database.  Once IMA has restarted with the CHFARM command you will be in the Migration farm.

Step 2:

Stop all relevant services – if you don’t the upgrade will ask you to stop them

REM *** Stopping and disabling relevant Citrix services
ECHO Stopping UPHCLEAN..
SC STOP "UPHClean" > nul
SC CONFIG "UPHClean" start= disabled > nul
SLEEP 5

ECHO Stopping Citrix Metaframe COM Service..
SC STOP "MFCom" > nul
SC CONFIG "MFCom" start= disabled > nul
SLEEP 5

ECHO Stopping Citrix SMA Service..
SC STOP "Citrix SMA Service" > nul
SC CONFIG "Citrix SMA Service" start= disabled > nul
SLEEP 5

ECHO Stopping Citrix WMI Service..
SC STOP "CitrixWMIService" > nul
SC CONFIG "CitrixWMIService" start= disabled > nul
SLEEP 5

ECHO Stopping Citrix XML Service..
SC STOP "CTXHttp" > nul
SC CONFIG "CTXHttp" start= disabled > nul
SLEEP 5

ECHO Stopping IMAService..
SC STOP "IMAService" > nul
SC CONFIG "IMAService" start= disabled > nul
SLEEP 5

ECHO Stopping Citrix Print Manager Service..
SC STOP "cpsvc" > nul
SC CONFIG "cpsvc" start= disabled > nul
SLEEP 5

ECHO Stopping Citrix XTE Service
SC STOP "CitrixXTEServer" > nul
SC CONFIG "CitrixXTEServer" start= disabled > nul

As you can see, I use SC to effect change on the services. Firstly they are stopped, then they are set to disabled. I add a 5 second pause in between just to slow the process down so any dependent services have a chance to stop.

Step 3:

Remove any unwanted software:

In my case I need to remove the UPHClean tool, which is version 1.6, in order to install 2.0 later.  In addition to that, I am using JRE 1.4.x.x so I need to remove that in order to meet the minimum for XenApp’s Presentation Server Console, since it is being installed.

There is an easy way to remove the software. Of course we use MSIEXEC, but the registry holds all the information necessary to do this right every time, even if you don’t know where the original source MSI files are located.

In regedit, browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
and search for a string <CTRL-F> related to your software, e.g. UPHClean…press F3 until you hit the “InstallProperties” location.  Within this key you will see “UninstallString” and the value of that is what you need to uninstall your products.  If you used the same source and version for each server, you only need to use the one string.

START /WAIT "UPH-y" MsiExec.exe /x{8D166051-2C3B-4BF3-A68D-B11D45F3E1B6} REBOOT=REALLYSUPPRESS /qb-

NOTE: sometimes the value is MsiExec.exe /i – change the /i to a /x and it will uninstall correctly.  Add /qb- to be totally silent.  Add REBOOT=REALLYSUPPRESS so that you don’t get a reboot…this is particularly necessary for removal of Java.

Now it’s time to put on your XenApp 5.0 prerequisites.  My earlier 32-bit installation blog entry shows the CMD line references to use, so please start installing them :)

  • .Net Framework 2.0
  • .Net Framework 3.0
  • .Net Framework 3.5
  • JRE 1.5.09
  • J# 2.0
  • Visual C++ runtime (needed for post roll-up 03 patches!)

Step 4:

For good measure, I rename the existing LHC, so it doesn’t have any cause to confuse things, rename it to “.OLD”

Step 5:

Deal with the peskiest of anomalies with installing XenApp – namely the IMAService. Under all circumstances I have seen while performing this upgrade, the IMAService wants to run under the context of the “NETWORK SERVICE” credentials. So, in order for it to have sufficient privileges to do the necessary, we elevate it to administrator, albeit temporarily.

net localgroup Administrators "nt authority\network service" /add > nul

That will allow the installation routine to complete as expected.  After we have performed the installation, we will change the service once more to use Local System.
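
A post-upgrade check for the temporary elevation described in Step 5, as an added example that is not part of the original post: it confirms NETWORK SERVICE is out of the local Administrators group again (removing it if not), reports the IMAService logon account, and lists any NETWORK SERVICE entry on the D: root ACL for review. It assumes an English-language Windows build, since the strings matched in NET and SC output are localized, and the group, service and drive names used on this page.

```batch
@ECHO OFF
REM Added example, not from the original post.
REM Assumes English-language output from NET and SC.
SETLOCAL
SET RC=0

ECHO Checking local Administrators for NETWORK SERVICE..
net localgroup Administrators | find /I "NETWORK SERVICE" > nul
IF ERRORLEVEL 1 GOTO GroupClean

ECHO [WARN] NETWORK SERVICE is still an Administrator, removing it..
net localgroup Administrators "nt authority\network service" /delete > nul

REM Re-read the group rather than trusting the exit code of the delete
net localgroup Administrators | find /I "NETWORK SERVICE" > nul
IF ERRORLEVEL 1 GOTO GroupClean
ECHO [FAIL] Could not remove NETWORK SERVICE from Administrators
SET RC=1
GOTO CheckService

:GroupClean
ECHO [ OK ] NETWORK SERVICE is not a member of Administrators

:CheckService
ECHO Checking the IMAService logon account..
sc qc IMAService | find /I "SERVICE_START_NAME" | find /I "LocalSystem" > nul
IF ERRORLEVEL 1 (
    ECHO [FAIL] IMAService is not set to log on as Local System:
    sc qc IMAService | find /I "SERVICE_START_NAME"
    SET RC=1
) ELSE (
    ECHO [ OK ] IMAService logs on as Local System
)

REM Informational only: any temporary change permission granted with CACLS
REM during the upgrade should be back to its intended value by now.
ECHO NETWORK SERVICE entries on the D: root ACL, review manually..
cacls D:\ | find /I "NETWORK SERVICE"

EXIT /B %RC%
```

The script exits non-zero when a check fails, so it can gate the final reboot in an unattended run.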

This is turning into a mammoth entry, so I’ll split it in two.

I’ll be back with Part 2 of the upgrade (Part 4b) as soon as possible..PL

It’s widely documented in many different areas that there are a plethora of ways to optimize your server for running your beloved Presentation Server. I’ll show you here the ones I like to use.

Firstly though, let’s put Roll Up 03 on to the server. This roll up is very much recommended as it stabilizes the product installation considerably.

At this point, I don’t add any subsequent patches – I use Installation Manager for that…much easier.  I want R03 to be the baseline, so with that in mind we install it like this :-

START /WAIT "R03" msiexec.exe /update PSE450W2K3R03.msp /passive /norestart

An easy one you will no doubt be thinking!  Only easy if you know though!

UPHClean

This is a utility that…you know what, check it out yourself at http://blogs.technet.com/uphclean/default.aspx 

If you haven’t used it before…use it now…it really helps with user logoff times and reduces some profile issues.

START /WAIT msiexec /i "uphclean-setup.msi" TARGETDIR="D:\Program Files\UPHClean" /l*v "C:\Setup\Log\uphclog.log" /q

There is a tweak for UPHClean in v2.x that allows it to act on problems caused by applications holding onto files after logoff…virus checker anyone! So it’s recommended to switch this on too.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\UPHClean\Parameters" /v SHARING_VIOLATION_REMAP /t REG_DWORD /d 1 /f > nul

Print Spooler

As a rule I always move the print spooler to any common partition other than C: so as not to unsuspectingly fill the C: drive with those occasional rogue print files.

I generally create a TEMP folder on the D: drive (if one does not exist), then create a SPOOLER folder within it. At the same time, it is worthwhile changing the system environment variables to re-point TEMP and TMP to D:\Temp, keeping more crap off your system partition – that reg key is listed at the bottom.

A registry hack is needed for this. Get into regedit, use REG or a .reg file to change the spooler location:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers]
"DefaultSpoolDirectory"="D:\\TEMP\\SPOOLER"

User Profiles Folders

By default, unless you are doing some fancy schmancy Folder Redirection (which I may get to later) the default profile folder is set to C:\Documents & Settings.  Argh…C: drive bloatage potential once again.

It is, again, in my mind, worthwhile changing the location of the folder so that any Locally cached profiles don’t get caught in the folder and start to fill up the C: drive.  Changing the folder location is relatively simple in the registry but you *must* also copy the contents of All Users and Default User into your new folder, so that the logon process can complete as expected.

Here’s the all-in-one solution for this:

ECHO Creating Local Profiles Alternative Locations..
md "e:\Local Profiles"
md "e:\Local Profiles\All Users"
md "e:\Local Profiles\Default User"

ECHO Populating "All Users" and "Default User" Folders..
xcopy "C:\Documents and Settings\All Users\*.*" "e:\Local Profiles\All Users\*.*" /s /e /y /q /h > nul
xcopy "C:\Documents and Settings\Default User\*.*" "e:\Local Profiles\Default User\*.*" /s /e /y /q /h > nul

ECHO Redirecting "All Users" and "Default User" Profiles to E:\Local Profiles..
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v ProfilesDirectory /t REG_EXPAND_SZ /d "E:\Local Profiles" /F > nul

You may not like E:\Local Profiles, fine, just change it where you see it!

Tweaks

As for the rest of the tweaks, I’m not going to go into detail with them right now, but here you go.  I’m pretty sure Madden has them all listed on his pages and most of them will be in Doug’s Methodology In A Box document which is tight (although I don’t use everything posted there)!

Here’s the dump of the reg file I load up.  I’m actually thinking of just adding this to an MST to accompany the XenApp installation but we’ll see.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQTEAM"=-
"vptray"=-
"IcaBar"=-

[HKEY_CLASSES_ROOT\regfile\shell]
@="edit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"PerUserItem"=dword:00000001
"CacheLimit"=dword:00002500
"CachePath"="%userprofile%\\local settings\\temporary internet files"
"CachePrefix"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"IRPStackSize"=dword:0000000f

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"UtilizeNTCaching"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"DisablePagingExecutive"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpMaxDataRetransmissions"=dword:0000000a
"KeepAliveTime"=dword:006ddd00
"KeepAliveInterval"=dword:000003e8

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllocateFloppies"="1"
"AllocateCDRoms"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections]
"SaveConnections"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsNetHood"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"MaxWorkItems"=dword:00002004
"MaxMpxCt"=dword:00000800
"MaxRawWorkItems"=dword:00000200
"MaxFreeConnections"=dword:00000064
"MinFreeConnections"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"MaxCmds"=dword:00000800

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager]
"RegistryLazyFlushInterval"=dword:0000003c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers]
"DefaultSpoolDirectory"="D:\\TEMP\\SPOOLER"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
"NetPopup"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ErrorControl"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoAddPrinter"=dword:00000001
"NoDeletePrinter"=dword:00000001
"NoSMBalloonTip"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print]
"BeepEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
"NetPopup"=dword:00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"ForceOffscreenComposition"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"TEMP"="D:\\TEMP"
"TMP"="D:\\TEMP"
"PROFILEPATH"="E:\\Local Profiles"

[HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\KEY_orahome10201\OO4O]
"TempFileDirectory"="D:\\TEMP\\ORATEMP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"ErrorMode"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Posix"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]
"fInheritShadow"=dword:00000000
"fInheritMaxSessionTime"=dword:00000000
"fInheritMaxDisconnectionTime"=dword:00000000
"fInheritMaxIdleTime"=dword:00000000
"fInheritAutoClient"=dword:00000000
"fDisableExe"=dword:00000000
"fDisableCam"=dword:00000001
"fDisableCcm"=dword:00000001
"MaxDisconnectionTime"=dword:000927c0
"MaxIdleTime"=dword:02255100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop\WindowMetrics]
"MinAnimate"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\AutoClientPrinters]
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Colors]
"Background"="0 0 0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop]
"AutoEndTasks"="1"
"CursorBlinkRate"="-1"
"DragFullWindows"="0"
"MenuShowDelay"="10"
"WaitToKillAppTimeout"="5000"
"SmoothScroll"=dword:00000000
"Wallpaper"="(None)"
"AutoEndTasks"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"fInheritShadow"=dword:00000000
"fAutoClientDrives"=dword:00000000
"fDisableCdm"=dword:00000001
"Shadow"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserOverride\Control Panel\Desktop]
"Wallpaper"="(None)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix]
"AnnoyAdminsOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
@="Microsoft Outlook Express 6"
"StubPath"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Print]
"DefaultPrnFlags"=dword:00004000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPHClean\Parameters]
"REPORT_ONLY"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom]
"Autorun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Max Cached Icons"="4096"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"MinMaxClose"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"AlwaysUnloadDLL"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI]
"DllName"="seamls20.dll"
"NotifyEvent"="WfshellTwiNotify"
"LogoffCheckSysModules"="ssoshell.exe,ssobho.exe,ssomho.exe,acrodist.exe,acrotray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\ClientPrinterProperties]
"fPurgeAnyWay"=dword:00000001
"fNotInheritKeepPrintedJobs"=dword:00000001

That’s pretty much it (for now) on the 32-bit build.  I will go over to the 64-bit build asap, there are some slight differences in the routines, but not too many…PL

In my opinion, there are a few too many easy ways to get onto your Citrix servers by default.

I like to make sure there are no anonymous ways to log on to each server.
Firstly I disable the Anonymous local accounts:
net user anon000 /active:no > nul
net user anon001 /active:no > nul
net user anon002 /active:no > nul
net user anon003 /active:no > nul
net user anon004 /active:no > nul
net user anon005 /active:no > nul
net user anon006 /active:no > nul
net user anon007 /active:no > nul
net user anon008 /active:no > nul
net user anon009 /active:no > nul
net user anon010 /active:no > nul
net user anon011 /active:no > nul
net user anon012 /active:no > nul
net user anon013 /active:no > nul
net user anon014 /active:no > nul

Then for good measure, I remove these from the Remote Desktop Users local group

net localgroup "Remote Desktop Users" Anon000 /delete > nul
net localgroup "Remote Desktop Users" Anon001 /delete > nul
net localgroup "Remote Desktop Users" Anon002 /delete > nul
net localgroup "Remote Desktop Users" Anon003 /delete > nul
net localgroup "Remote Desktop Users" Anon004 /delete > nul
net localgroup "Remote Desktop Users" Anon005 /delete > nul
net localgroup "Remote Desktop Users" Anon006 /delete > nul
net localgroup "Remote Desktop Users" Anon007 /delete > nul
net localgroup "Remote Desktop Users" Anon008 /delete > nul
net localgroup "Remote Desktop Users" Anon009 /delete > nul
net localgroup "Remote Desktop Users" Anon010 /delete > nul
net localgroup "Remote Desktop Users" Anon011 /delete > nul
net localgroup "Remote Desktop Users" Anon012 /delete > nul
net localgroup "Remote Desktop Users" Anon013 /delete > nul
net localgroup "Remote Desktop Users" Anon014 /delete > nul

And after that, I delete the Anonymous local group:

net localgroup "Anonymous" /delete > nul

The reason behind all this is to use “Remote Desktop Users” as the gateway to your server. If you are happy to have domain users gain access to the server, then there is no reason not to simply add that to the RDU group. At my company, we are a little more restrictive and mindful of our security needs, so we do it a little differently.

A global group is required for each application and the users that need access to that application get added to that global group.

These global groups are then added to the RDU local group on the server(s) that host that specific application.

Some time ago we asked the question: who uses the RDP protocol to log on to the servers when we add XenApp/PS/MF etc.? The answer was only the server operations/administrators.

So in addition to everything we do here, we have removed the Remote Desktop Users group from the RDP-TCP protocol permissions (Administrative Tools/Terminal Services Configuration). To do this I use a handy command line tool called TSCONSEC which is freely available from http://www.thincomputing.net

tsconsec.exe /t:R /a:"Remote Desktop Users" /p: /q

This effectively removes RDU from the RDP-TCP protocol, allowing only the local Administrator group to log on via RDP.
As Alexander Orlov would say…”Simples”.
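
An audit of the lockdown above, as an added example that is not part of the original post: it loops over anon000 to anon014 and reports any account that is still active or still in Remote Desktop Users, then checks whether the Anonymous local group still exists. It assumes English-language NET output, because the "Account active" line it matches is localized.

```batch
@ECHO OFF
REM Added example, not from the original post.
REM Assumes English-language output from NET.
SETLOCAL
SET BAD=0

REM The page disables anon000 through anon014, so audit the same range
FOR /L %%i IN (0,1,14) DO CALL :CheckAccount %%i

REM NET LOCALGROUP returns 0 only when the group exists
net localgroup "Anonymous" > nul 2>&1
IF NOT ERRORLEVEL 1 (
    ECHO [FAIL] Local group Anonymous still exists
    SET /A BAD+=1
)

IF %BAD%==0 ECHO [ OK ] No anonymous logon paths found
IF NOT %BAD%==0 ECHO [FAIL] %BAD% findings need attention
EXIT /B %BAD%

:CheckAccount
REM Zero-pad the counter to three digits: 7 becomes anon007
SET N=00%1
SET ACCT=anon%N:~-3%

REM An account that does not exist cannot be used to log on
net user %ACCT% > nul 2>&1
IF ERRORLEVEL 1 GOTO :EOF

REM Disabled accounts show "Account active   No"
net user %ACCT% | find /I "Account active" | find /I "Yes" > nul
IF NOT ERRORLEVEL 1 (
    ECHO [FAIL] %ACCT% is still active
    SET /A BAD+=1
)

REM Group membership is checked separately from the account state
net localgroup "Remote Desktop Users" | find /I "%ACCT%" > nul
IF NOT ERRORLEVEL 1 (
    ECHO [FAIL] %ACCT% is still in Remote Desktop Users
    SET /A BAD+=1
)
GOTO :EOF
```

The exit code is the number of findings, so a build script can stop before the reboot when it is non-zero.
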
Now it’s time to reboot again.  I will add Roll Up 3 after this and, although it’s not always necessary to do this after the core XenApp installation, there are many references to it being recommended.  I’m in the reboot here camp so, go on, push the button…PL
It’s official…Citrix actually out-did themselves this time.
They provided some pretty decent information in their Administration Guide for command line installations along with the parameters that you need to get all the components installed, choose a license server etc. I don’t think I’m out of place suggesting they have set a precedent for themselves.
For the PS4.0 build, I had to do some serious delving into the MSI installation logs to get all the parameters for an unattended script, it’s almost like I feel cheated by having them all presented to me.

But I jest, it rocks!

Before you can run the unattended installation, you need to make a File DSN to point your installation to the database. As I am using SQL, I will show you the makeup of the file. Some of the lines that ODBC creates for you aren’t required.

[ODBC]

DRIVER=SQL Server
UID=USERNAME
Trusted_Connection=Yes
Network=DBMSSOCN
DATABASE=NAME_OF_DATABASE
APP=Citrix IMA
SERVER=DB_SERVER_NAME
Description=Citrix Xenapp Design Development

This is the meaty bit: installing XenApp. Essentially everything should be in place for you to proceed with the installation.
You will see my interpretation of the installation routine, using a variable-based command line builder, which rather nicely lets you view each option separately, in case you need to review them. I have used this method for some time for more complex application installs and it works well here. Stealthpuppy also uses this method on his blog, so you may have seen this before.
The difference with my choices is that I don’t want PN Agent installing on any of the servers, so the last line specifically chooses all the components I need without putting PN Agent down (and IM Packager) on each server.


SET OPTIONS=ALLUSERS=TRUE REBOOT=ReallySuppress /l*v "c:\setup\log\xenapp.log" /QB
SET OPTIONS=%OPTIONS% INSTALLDIR="D:\Program Files\Citrix"
SET OPTIONS=%OPTIONS% CTX_MF_FARM_SELECTION=Join
SET OPTIONS=%OPTIONS% CTX_MF_JOIN_FARM_DB_CHOICE=Direct
SET OPTIONS=%OPTIONS% CTX_MF_ZONE_NAME="UK Xenapp Dev Farm"
SET OPTIONS=%OPTIONS% CTX_MF_SILENT_DSNFILE=MF20.DSN
SET OPTIONS=%OPTIONS% CTX_MF_ODBC_USER_NAME=DOMAIN\USER
SET OPTIONS=%OPTIONS% CTX_MF_ODBC_PASSWORD=xxxxxxxx
SET OPTIONS=%OPTIONS% CTX_MF_SHADOWING_CHOICE=Yes
SET OPTIONS=%OPTIONS% CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA=No
SET OPTIONS=%OPTIONS% CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION=No
SET OPTIONS=%OPTIONS% CTX_MF_SHADOW_PROHIBIT_NO_LOGGING=No
SET OPTIONS=%OPTIONS% CTX_MF_XML_CHOICE=Separate
SET OPTIONS=%OPTIONS% CTX_MF_LAUNCH_CLIENT_CD_WIZARD=No
SET OPTIONS=%OPTIONS% CTX_MF_SERVER_TYPE=E
SET OPTIONS=%OPTIONS% CTX_MF_REBOOT=No
SET OPTIONS=%OPTIONS% CTX_IGNORE_MCM=No
SET OPTIONS=%OPTIONS% CTX_REMOVE_WI_TURNKEY=No
SET OPTIONS=%OPTIONS% CTX_MF_ENABLE_VIRTUAL_SCRIPTS=Yes
SET OPTIONS=%OPTIONS% CTX_MF_LICENSE_SERVER_NAME=SERVERNAME
SET OPTIONS=%OPTIONS% CTX_MF_LICENSE_SERVER_PORT=27000
SET OPTIONS=%OPTIONS% CTX_MF_LICENSE_SERVER_PORT_DEFAULT=1
SET OPTIONS=%OPTIONS% CTX_MF_LIC_CHOICE_FOR_CREATE=UseFarmSettings
SET OPTIONS=%OPTIONS% CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE=UseFarmSettings
SET OPTIONS=%OPTIONS% CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD=Yes
SET OPTIONS=%OPTIONS% CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS=Yes

SET OPTIONS=%OPTIONS% CTX_ADDLOCAL=CTX_MF_MetaFrame_Core,CTX_MF_IM,CTX_MF_IM_Service,CTX_MF_LM,CTX_MF_NM,CTX_MF_RM,PN_ENGINE,PN,WMI,MetaFrame_XP,CTX_MF_CMC,CTX_MF_ICA_Shell_Editor,CTX_MF_IMA_Core,CTX_MF_IM_Plugin,CTX_MF_RM_Plugin,CTX_SMA,CTX_MF_CTXCPU,CTX_MF_CTXSFO,CTX_MF_ASCII

This line must have no spaces in it (or line breaks). Each component is comma separated, but again no spaces, otherwise it doesn’t work. As previously mentioned, I didn’t want the PN Agent or the IM Packager deploying and this does everything but those!

Next I put down the AMC components…

I decided to install all the components I required on each server. This will make it easier to publish for remote support and to load balance where necessary.

ECHO Framework..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_Framework.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO Diagnostics..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_Diagnostics.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO Hotfix Management..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_HotfixManagement.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO Knowledgebase..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_KnowledgeBase.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO Legacy..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_Legacy.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO Licensing..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_Licensing.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO Presentation Server..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_PresentationServer.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO PS Reports..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_PSReports.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-
ECHO (and finally..) Report Centre..
START /WAIT %systemroot%\system32\MSIEXEC /I "ASC_ReportCenter.msi" INSTALLDIR="D:\Program Files\Citrix" ALLUSERS=TRUE REBOOT=SUPPRESS /QB-

NOTE: the AMC does not respond to INSTALLDIR= and automatically installs your files in C:\Program Files\Common Files\Citrix

To someone like me who always uses the D: partition for infrastructure software installations, it’s a kick in the nuts! I’m almost OCD about that and as yet I haven’t found a way to change it. Incidentally I haven’t found the reason why it *needs* to be on C: – I will persevere…oh, perhaps it’s time to stop being lazy and delve into the logs like in the good old days!

So, by now you should have a perfectly installed XenApp Server.  Of course this will need some tweaking for your environment, I will show you the tweaks I make in the next entry.

Hope you get something from this…PL

Based on Windows 2003 R2 Standard

Time to admit something to you…part of my job is made easy as there is a team dedicated to prep’ing the base build and creating OS patch payloads for security compliance, so I don’t have to concern myself with automating the base OS – I just have to fill in the gaps for XenApp to install without barfing!

Pre-requisites

There are seemingly so many pre-requisites for this build it is mind boggling. From experience, some non-virtualised application suites have their own common requirements, so we believe we should be able to simplify things by providing what XenApp needs as well as what we've seen some of our more complicated applications require, to make hosting applications somewhat easier.

  • .Net Framework 2.0
  • .Net Framework 3.0
  • .Net Framework 3.5
  • JRE 1.5.09
  • J# 2.0
  • Visual C++ runtime (needed for post roll-up 03 patches!)

All these will be installed via command line scripts in unattended and silent mode; examples of working installation syntax follow below.

This will save you oodles of time, I assure you. Some of the install commands are pretty easy but others can be a pain in the rear. I admit to getting some guidance from some pretty good resources on the web but to get them right for my own environment sometimes takes a little extra cunning!

Every one of these components needs to be installed before putting XenApp 5.0 on the W2K3 server, but before we install these, we need to put the server in Terminal Server Application mode.

I also turn off the Internet Explorer "Hardening" restrictions at this point, within the same process. For this I use sysocmgr in cmd line scripts…

sysocmgr.exe /i:%systemroot%\inf\sysoc.inf /u:"%INSTALLDIR%\CONFIG\TermServ.inf" /r /x /q

The contents of TermServ.inf (which you need to create and make accessible to the installation routine) are as follows:
[Components]
TerminalServer = on
IEHardenUser = off
IEHardenAdmin = off
[Terminal Services]
AllowConnections = 1
LicensingMode = PerUser
PermissionsSetting = 1

You can change PerUser to PerDevice if that is your preferred licensing medium.

.Net Framework 2.0

Download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=0856eacb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en

START /WAIT "dotnet2" dotnetfx.exe /Q:A /C:"INSTALL.EXE /Q /l c:\setup\log\dotnet2.log"

.Net Framework 3.0

Download it here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=10CC340B-F857-4A14-83F5-25634C3BF043&displaylang=en

START /WAIT "dotnet3" dotnetfx3.exe /Q /PASSIVE /NORESTART

.Net Framework 3.5

Download it here:
http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe  

START /WAIT "dotnet35" dotNetFx35.exe /Q /PASSIVE /NORESTART

Java JRE 1.5.09

Download it here:
http://java.sun.com/products/archive/  

START /WAIT "java" jre-1_5_0_09-windows-i586-p.exe /s /v"ALLUSERS=TRUE REBOOT=REALLYSUPPRESS INSTALLDIR=D:\Progra~1\Java\j2re1.5.0_09 ADDLOCAL=jrecore IEXPLORER=1 MOZILLA=0 JAVAUPDATE=0 /QB-" /QB /l c:\setup\log\jre15.log

In addition to the JRE installation, a few things need to be tidied up, general stuff to delete shortcuts and disable the auto update. I recommend using them as-is.

REG ADD "HKLM\SOFTWARE\JavaSoft\Java Plug-in\%JAVAVERSION%" /v HideSystemTrayIcon /t REG_DWORD /d 0x00000001 /f > nul
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f > nul
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f > nul
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyDownload /t REG_DWORD /d 0 /f > nul
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyInstall /t REG_DWORD /d 0 /f > nul
REG DELETE "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v PromptAutoUpdateCheck /f > nul
IF EXIST "%ALLUSERSPROFILE%\Desktop\Java Web Start.LNK" DEL "%ALLUSERSPROFILE%\Desktop\Java Web Start.LNK" > nul
IF EXIST "%ALLUSERSPROFILE%\Start Menu\Programs\Java Web Start\Java Web Start.LNK" RD /Q /S "%ALLUSERSPROFILE%\Start Menu\Programs\Java Web Start" > nul

I usually add “> nul” to the end of the command line where I don’t want to see the results…nothing worse than a messy CMD window.  Once you’ve tested the syntax successfully it can be hidden.

J# 2.0

Download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=F72C74B3-ED0E-4AF8-AE63-2F0E42501BE1&displaylang=en

START /WAIT "jsharp" VJREDIST.EXE /Q:A /C:"INSTALL.EXE /Q /l c:\setup\log\vjredist.log"

VisualC++ Runtime

Download it here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=200b2fd9-ae1a-4a14-984d-389c36f85647&displaylang=en  

START /WAIT "C++" vcredist_x86.exe /q:a /c:"VCREDI~3.EXE /q:a /c:""msiexec /i vcredist.msi /qn"" "

Success confirmation:
Open up the Application event log and check the results of the recent MsiInstaller entries. All of them should say successful at this point. If not, check your lines of code!
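
Because these installs run silently, a failed prerequisite is easy to miss until XenApp refuses to install. The script below is an added example, not part of the original post: it records each installer's exit code as it finishes, assuming the installers sit in the current directory, c:\setup\log already exists, and each wrapper passes the Windows Installer exit code back to the caller. RESULTLOG and :CheckResult are names made up for this example.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the original post): record the exit code of each
REM silent prerequisite install instead of relying on the event log alone.
REM Assumptions: installers are in the current directory, c:\setup\log exists,
REM and each wrapper passes the Windows Installer exit code back to the caller.
REM RESULTLOG and :CheckResult are hypothetical names chosen for this example.
SET RESULTLOG=c:\setup\log\prereq-results.log
SET FAILED=0
SET NEEDREBOOT=0

START /WAIT "dotnet2" dotnetfx.exe /Q:A /C:"INSTALL.EXE /Q /l c:\setup\log\dotnet2.log"
CALL :CheckResult "dotnet2" %ERRORLEVEL%

START /WAIT "dotnet3" dotnetfx3.exe /Q /PASSIVE /NORESTART
CALL :CheckResult "dotnet3" %ERRORLEVEL%

START /WAIT "dotnet35" dotNetFx35.exe /Q /PASSIVE /NORESTART
CALL :CheckResult "dotnet35" %ERRORLEVEL%

START /WAIT "jsharp" VJREDIST.EXE /Q:A /C:"INSTALL.EXE /Q /l c:\setup\log\vjredist.log"
CALL :CheckResult "jsharp" %ERRORLEVEL%

IF %FAILED% NEQ 0 (
    ECHO At least one prerequisite failed. See %RESULTLOG% before installing XenApp.
    EXIT /B 1
)
IF %NEEDREBOOT% NEQ 0 ECHO A reboot is pending from one or more installers.
EXIT /B 0

:CheckResult
REM %~1 = label, %~2 = exit code of the installer that just finished.
REM 0 = success, 3010 = success but reboot required, 1641 = success, reboot started.
SET STATUS=FAILED
IF "%~2"=="0" SET STATUS=OK
IF "%~2"=="3010" SET STATUS=OK-REBOOT-REQUIRED
IF "%~2"=="1641" SET STATUS=OK-REBOOT-INITIATED
IF "%STATUS%"=="FAILED" SET FAILED=1
IF "%~2"=="3010" SET NEEDREBOOT=1
IF "%~2"=="1641" SET NEEDREBOOT=1
>> "%RESULTLOG%" ECHO %DATE% %TIME% %~1 exit=%~2 %STATUS%
ECHO %~1: %STATUS% [exit code %~2]
GOTO :EOF
```

The results file gives you one line per installer to compare against the MsiInstaller entries in the Application event log.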

Reboot time:

You will need to reboot your server at this juncture to ensure the SYSOCMGR change you made for Terminal Services Application Mode is registered. XenApp will not install unless you do…

So what are you waiting for, reboot!

Next time I’ll install XenApp…PL
