How to Enable SSL on Cloud Connectors to Secure XML Traffic v0.2

A little update to my set-CTXCloudConnectorToSecureXMLTraffic.ps1 script.

Now it lists all available certificates on the machine and you have to select the one you want to use.

<#
    set-CTXCloudConnectorToSecureXMLTraffic.ps1

    v0.2 - Check for Certificates
    v0.1 - Initial Version

    https://support.citrix.com/article/CTX221671
    
    netsh http add sslcert ipport=0.0.0.0:443
    certhash=PASTE_CERT_HASH_HERE_FROM_NOTEPAD
    appid={PASTE_XD_GUID_HERE_BETWEEN{}_FROM_NOTEPAD

    Browse to HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\
    Right-click DesktopServer, select New > DWORD (32-bit) Value
    Name: XmlServicesEnableNonSsl
    Value Data: 0

#>

# Find Citrix Broker Service GUID on the Cloud Connector
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$keys = Get-Item "HKCR:\Installer\Products\*"
Remove-PSDrive -Name "HKCR"

foreach($key in $keys){
    # PSPath is provider-qualified, so it still resolves after the HKCR drive has been removed
    if((Get-ItemProperty $key.PSPath).ProductName -eq 'Citrix Broker Service'){
        $CtxBrokerServiceValues = Get-ItemProperty $key.PSPath
    }
}

# Format the String of the Service GUID
# It is important to mention that the entry in the registry is presented without the dashes for the GUID.
# Please make sure that the dashes are added in the following format: 8-4-4-4-12
$appID = '{' + ($CtxBrokerServiceValues.PSChildName) + '}'
$appID = $appID.Insert(9,'-')
$appID = $appID.Insert(14,'-')
$appID = $appID.Insert(19,'-')
$appID = $appID.Insert(24,'-')


# Check for Certificates
$certs = @(Get-ChildItem Cert:\LocalMachine\My\)   # force an array so indexing works with a single certificate too
$selectedCert = $null

$certNames = $certs | ForEach-Object { $_.Subject }
Write-Host "******* Installed Cert Subjects **********" -ForegroundColor Green
$i = 0
foreach($certName in $certNames){
    $i++
    Write-Host "$i - $certName"
}
Write-Host ""

[int]$selectedCertName = Read-Host "Enter the number of the certificate you want to select"

if ($selectedCertName -le $i -AND $selectedCertName -gt 0) {
    $selectedCert = $certs[$selectedCertName-1]
    $selectedCert
}
else {
    Write-Host "Certificate not found." -ForegroundColor Yellow
    $selectedCert = $null
    exit 1 # leave the script if no certificate is selected ('break' outside a loop is not reliable for this)
}


# Get CC Computer Certificate Thumbprint
$certhash = $selectedCert.Thumbprint


# Note: The “Citrix Broker Service GUID” being used to create the SSL binding may change with the Connector upgrades, however, no change is required to the SSL binding.
# The binding would persist through these changes and SSL would continue to be enabled for the XML traffic.
# The AppID is quoted so the braces are passed through to netsh unchanged.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash appid="$appID"


# Allow only secure traffic
$registryPath = "HKLM:\Software\Citrix\DesktopServer"
$name = "XmlServicesEnableNonSsl"
$value = 0
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null

How to Enable SSL on Cloud Connectors to Secure XML Traffic

I will not explain how to do it; this is explained in CTX221671.

But because I’m a bit lazy, I wrote a quick and dirty script to get the AppID of the service (Citrix Broker Service GUID) and the cert hash of the computer certificate of the Citrix Cloud Connector, and to set it via netsh.

This is version 0.1!
No error handling etc.

<#
    set-CTXCloudConnectorToSecureXMLTraffic.ps1

    v0.1 - Initial Version

    https://support.citrix.com/article/CTX221671
    
    netsh http add sslcert ipport=0.0.0.0:443
    certhash=PASTE_CERT_HASH_HERE_FROM_NOTEPAD
    appid={PASTE_XD_GUID_HERE_BETWEEN{}_FROM_NOTEPAD

    Browse to HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\
    Right-click DesktopServer, select New > DWORD (32-bit) Value
    Name: XmlServicesEnableNonSsl
    Value Data: 0

#>

# Find Citrix Broker Service GUID on the Cloud Connector
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$keys = Get-Item "HKCR:\Installer\Products\*"

foreach($key in $keys){
    if((Get-ItemProperty $key.PSPath).ProductName -eq 'Citrix Broker Service'){
        $CtxBrokerServiceValues = Get-ItemProperty $key.PSPath
    }
}

# Format the String of the Service GUID
# It is important to mention that the entry in the registry is presented without the dashes for the GUID.
# Please make sure that the dashes are added in the following format: 8-4-4-4-12
$appID = '{' + ($CtxBrokerServiceValues.PSChildName) + '}'
$appID = $appID.Insert(9,'-')
$appID = $appID.Insert(14,'-')
$appID = $appID.Insert(19,'-')
$appID = $appID.Insert(24,'-')


# Get CC Computer Certificate Thumbprint
# v0.1 assumes exactly one certificate in LocalMachine\My; with several, this becomes an array and netsh fails (v0.2 lets you pick one)
$certhash = (Get-ChildItem Cert:\LocalMachine\My\).Thumbprint

# Note: The “Citrix Broker Service GUID” being used to create the SSL binding may change with the Connector upgrades, however, no change is required to the SSL binding.
# The binding would persist through these changes and SSL would continue to be enabled for the XML traffic.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash appid="$appID"


# Allow only secure traffic
$registryPath = "HKLM:\Software\Citrix\DesktopServer"
$name = "XmlServicesEnableNonSsl"
$value = 0
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
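After running either version of set-CTXCloudConnectorToSecureXMLTraffic.ps1 above, the following check script confirms that the binding, the certificate and the registry value are in the state the script intends. It is an added example, not part of the original posts; it assumes the binding sits on 0.0.0.0:443 as in the script and that $ExpectedHost is the FQDN that clients of the XML service use to reach this Cloud Connector.

```powershell
# Added verification script (not from the original posts). Assumes the binding was made on
# 0.0.0.0:443 as in the script above and that $ExpectedHost is the FQDN clients of the
# XML service use for this Cloud Connector. Run it in an elevated PowerShell on the Connector.
param(
    [string]$ExpectedHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 443
)
$problems = @(); $hash = $null
# 1. HTTP.sys binding. netsh labels are localized, so match the 40-hex certificate hash
#    and the braced AppID tokens rather than the English field names.
$bindingText = (netsh http show sslcert "ipport=0.0.0.0:$Port") | Out-String
if ($bindingText -match '\b([0-9A-Fa-f]{40})\b') {
    $hash = $Matches[1]
    if ($bindingText -notmatch '\{[0-9A-Fa-f-]{36}\}') { $problems += "Binding on port $Port has no Application ID" }
} else {
    $problems += "No SSL certificate binding found on 0.0.0.0:$Port"
}
# 2. The bound certificate must be in LocalMachine\My with a private key, unexpired,
#    and must carry the name clients verify (exact or wildcard SAN/CN).
if ($hash) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) { $problems += "Bound certificate $hash is not in LocalMachine\My" }
    elseif (-not $cert.HasPrivateKey) { $problems += "Certificate $hash has no private key" }
    elseif ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate $hash expired on $($cert.NotAfter)" }
    else {
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not ($names | Where-Object { $ExpectedHost -like $_ })) {
            $problems += "Certificate names ($($names -join ', ')) do not cover $ExpectedHost"
        }
    }
}
# 3. Plain HTTP must be switched off for the XML service (value 0, as set by the script).
$reg = Get-ItemProperty "HKLM:\Software\Citrix\DesktopServer" -Name XmlServicesEnableNonSsl -ErrorAction SilentlyContinue
if ($null -eq $reg -or $reg.XmlServicesEnableNonSsl -ne 0) {
    $problems += "XmlServicesEnableNonSsl is not 0, so non-SSL XML traffic is still accepted"
}
# 4. Live check: complete a TLS handshake and confirm HTTP.sys really serves the bound certificate.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ExpectedHost, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }   # hashes are compared below
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($ExpectedHost)
    $served = $ssl.RemoteCertificate.GetCertHashString()
    if ($hash -and $served -ne $hash) { $problems += "Port $Port serves certificate $served, not the bound $hash" }
    $ssl.Dispose(); $tcp.Dispose()
} catch { $problems += "TLS handshake to ${ExpectedHost}:$Port failed: $($_.Exception.Message)" }
if ($problems) { $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }; exit 1 }
Write-Host "OK: XML service on ${ExpectedHost}:$Port is bound to $hash and non-SSL access is disabled" -ForegroundColor Green
```

The name check uses the certificate's SAN entries (falling back to the CN) and accepts a wildcard entry, which is what a client validating the XML service will do as well.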

MS Teams problems with calls/meetings under Citrix

With MS Teams 1.5.00.2164, some bugs seem to have crept in. Problems occur with P2P (peer-to-peer) calls when Teams Optimization is enabled under Citrix Virtual Apps & Desktops (CVAD).
These are now also described in Citrix KB article CTX253754.

These errors are fixed with Teams version 1.5.00.4689.
So far, no more HDXEngine.exe crashes occur locally either.
(Tested with Citrix Workspace App 2202 for Windows and VDA 1912 CU4)

UPDATE 8 March 2022
Microsoft has now rolled out the fix completely. No update of any Citrix component is required for it.

3/8/2022: Fix for P2P call failure is now completely rolled out by Microsoft. No Teams client/Workspace app/VDA upgrade required (the fix was applied to the Teams backend services)

Troubleshooting HDX Optimization for Microsoft Teams (citrix.com)

UPDATE 4 March 2022
It is now clear that this is a Microsoft Teams backend problem and not "only" a Teams client / Citrix problem.

3/4/2022: The P2P call failure issue between native Teams desktop clients (1.5.00.2164 or higher) and an HDX optimized user (or even a non Citrix user using web Teams) has been root caused by Microsoft and identified in the Teams backend services. A targeted fix to repair this is being developed. It will not require a CWA or VDA update.

Troubleshooting HDX Optimization for Microsoft Teams (citrix.com)

Thanks also to Marco Klose for his feedback!
Quick Post: Microsoft Teams P2P Calls disconnecting after some seconds in Citrix HDX Session – Marco Klose

Citrix PVS Device Driver 1912 CU1 installation issues

If the PVS Device Driver 1912 CU1 cannot be installed correctly via software distribution in the system context because the required drivers are not copied, and the "Citrix Virtual Hard Disk Adapter" shows a warning about the missing drivers in Device Manager:

Then this can be a solution:

Run the following command after setup:
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\Program Files\Citrix\Provisioning Services\drivers\cfsdep2.inf

Important: when using DSM, disable the x64 redirection for the Rundll32.exe command.

Citrix Vertical Load-balancing


Enable vertical load balancing

  1. Install the Virtual Apps and Desktops Remote PowerShell SDK: https://www.citrix.com/downloads/citrix-cloud/product-software/xenapp-and-xendesktop-service.html
  2. Load the Citrix PS SDK modules and log in to Citrix Cloud:
    • asnp citrix*
    • Get-XDAuthentication
  3. Check the current site configuration ("UseVerticalScalingForRdsLaunches"):
    • Get-Brokersite
  4. Enable vertical load balancing
    • Set-Brokersite -UseVerticalScalingForRdsLaunches $true

Get-Brokersite should then look like this:

For anything to actually happen after enabling it, you still have to build suitable policies.

Without adjusted "Load Policies", a "Citrix server" only reports "full load / 10,000" at 250 concurrent users.
Show the load index via PowerShell:
Get-BrokerMachine | Select DNSName, LoadIndex

Of course, CPU, RAM etc. also influence the server load, which can likewise be controlled via Citrix policies.


How to enable vertical load balancing

  1. Download and install the 'Virtual Apps and Desktops Remote PowerShell SDK': https://www.citrix.com/downloads/citrix-cloud/product-software/xenapp-and-xendesktop-service.html
  2. Load the Citrix Remote SDK module and log in to your Citrix Cloud account:
    • asnp citrix*
    • Get-XDAuthentication
  3. Examine the current configuration ("UseVerticalScalingForRdsLaunches"):
    • Get-Brokersite
  4. Enable vertical load balancing
    • Set-Brokersite -UseVerticalScalingForRdsLaunches $true
    • Check with Get-Brokersite that 'UseVerticalScalingForRdsLaunches' is set to 'true':

Now all new user connections get brokered to the same server VDA until this server reaches 'maximum load'.

By default the Citrix policy is set to a maximum of 250 sessions per server. So be careful and change that to a proper value before activating vertical load balancing.


Get the load index via PowerShell:
Get-BrokerMachine | Select DNSName, LoadIndex
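The steps in both the German and the English how-to above, put together into one script that enables the setting only on request and then reports, per delivery group, how many servers are already at full load (10,000) and how many can still accept launches. This is an added example, not code from the original post; it assumes the Remote PowerShell SDK is installed and that Get-XDAuthentication can log in to your Citrix Cloud tenant.

```powershell
# Added example (not from the original post): enable vertical load balancing on demand and
# report the load index per server. Assumes the Remote PowerShell SDK is installed and that
# Get-XDAuthentication can complete a Citrix Cloud login (it prompts if needed).
param([switch]$Enable)

Add-PSSnapin Citrix* -ErrorAction SilentlyContinue   # same as 'asnp citrix*' in the how-to
Get-XDAuthentication

$site = Get-BrokerSite
Write-Host "UseVerticalScalingForRdsLaunches is currently: $($site.UseVerticalScalingForRdsLaunches)"

if ($Enable -and -not $site.UseVerticalScalingForRdsLaunches) {
    # With the default load policy a server only reports full load at 250 sessions,
    # so adjust the 'maximum number of sessions' policy before switching this on.
    Set-BrokerSite -UseVerticalScalingForRdsLaunches $true
    $site = Get-BrokerSite
    Write-Host "Now set to: $($site.UseVerticalScalingForRdsLaunches)"
}

# A LoadIndex of 10000 means the VDA reports full load and gets no further launches.
$full = 10000
$machines = Get-BrokerMachine -SessionSupport MultiSession -MaxRecordCount 5000 |
    Select-Object DNSName, DesktopGroupName, RegistrationState, InMaintenanceMode, SessionCount, LoadIndex

$machines | Sort-Object DesktopGroupName, LoadIndex -Descending | Format-Table -AutoSize

foreach ($group in ($machines | Group-Object DesktopGroupName)) {
    $atFull = @($group.Group | Where-Object { $_.LoadIndex -ge $full }).Count
    $accepting = @($group.Group | Where-Object {
        $_.RegistrationState -eq 'Registered' -and -not $_.InMaintenanceMode -and $_.LoadIndex -lt $full
    }).Count
    Write-Host ("{0}: {1} server(s) at full load, {2} still accepting launches" -f $group.Name, $atFull, $accepting)
    if ($accepting -eq 0) {
        Write-Host "  WARNING: no server in '$($group.Name)' can take new launches" -ForegroundColor Yellow
    }
}
```

Run it without -Enable first to see the current setting and load distribution; with vertical balancing on, the sorted table shows the server that is currently filling up at the top of its delivery group.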
