Loopback Options When Load Balancing StoreFront Server Group Using NetScaler

NSIn previous versions of StoreFront servers (2.6 or older), Citrix recommended to manually modify the hosts file on each StoreFront server to map FQDN of the load balancer to the IP address of the specific StoreFront server or the loopback address.

This is necessary because an HTTP session is created during the explicit login process between Receiver for Web and the authentication service and Receiver for Web communicates with StoreFront services using the base FQDN. If the base FQDN were to resolve to the load balancer, the load balancer could potentially send the traffic to a different StoreFront server in the group, leading to authentication failure.

By doing this Receiver for Web always communicates with the StoreFront services on the same server in a load balanced StoreFront deployment.

You can set loopback options using PowerShell. Enabling loopback negates the need to create host file entries on every StoreFront server in the server group.

Example – Receiver for Web web.config file:
<communication attempts=”2″ timeout=”00:01:00″ loopback=”On” loopbackPortUsingHttp=”80″>

Example – PowerShell command:
& “c:\program files\Citrix\receiver storefront\scripts\ImportModules.ps1”
Set-DSLoopback -SiteId 1 -VirtualPath “/Citrix/StoreWeb” -Loopback “OnUsingHttp” -LoopbackPortUsingHttp81

From StoreFront 3.0, we can enable loopback in the StoreFront Console.

Posted in Citrix XenApp

What is New in Citrix StoreFront 3.0

Classic Receiver Experience

To help you smooth the transition, StoreFront 3.0 supports the classic Receiver experience and when we upgrade from StoreFront 2.x to 3.0, the UI for the existing Receiver for Web sites will remain as the classic green bubble UI. When you create new Receiver for Web sites after the upgrade, users will see the new unified UI.
We can enable the new unified UI by selecting the Disable Classic Receiver Experience and Set Unified Experience as Default in Receiver for Web site.

Google Chrome Support without NPAPI

Google Chrome on Windows and Mac is fully supported without Netscape Plugin Application Programming Interface (NPAPI) in StoreFront 3.0. Receiver for Windows 4.3 and Receiver for Mac 12.0 support this features.

No Need of Editing Hosts File

Previously, as stated here, Citrix recommends that you modify the hosts file on your StoreFront servers to ensure that Receiver for Web always talks to the local StoreFront server instead of the load balancer. In StoreFront 3.0, we leverage a new feature in the .NET Framework 4.5 to implement loopback communication between Receiver for Web and the rest of StoreFront Services. This is configurable using PowerShell cmdlet

Set-DSLoopback [-SiteId] &lt;Int64&gt; [-VirtualPath] &lt;String&gt; [-Loopback] &lt;String&gt; [[-LoopbackPortUsingHttp] &lt;Int32&gt;]

Set-DSLoopback -SiteId 1 -VirtualPath /Citrix/StoreWeb -Loopback OnUsingHttp -LoopbackPortUsingHttp 81

Delegating Authentication to the Backend Providers

StoreFront 2.x communicates with the Active Directory to authenticate users. So the domain hosting StoreFront servers should have one-way external trust to the domain hosting the backend XenApp farms/sites. This may not be possible in some deployments. StoreFront 3.0 has the capability to delegate authentication to the XenApp farms.

Treating All Desktops as Applications

In earlier StoreFront, Desktops and applications are treated differently and are placed in a separate tabs in Receiver for Web. To keep published Desktop in the same tab with published applications, we have to add the TreatAsApp keyword to the published desktops. StoreFront 3.0 enables you to configure treating all desktops as applications at the store level without the need of adding the TreatAsApp keyword to all the published desktops

Integrated Monitoring Service for NetScaler

Before StoreFront 3.0, we have to install add-on package on the StoreFront server to support NetScaler monitoring. Now from StoreFront 3.0 it is integrated in StoreFront 3.0. It is installed and enabled by default. You can use PowerShell commands to modify the settings of this service or disable this service.

To check the URL for this service, use the cmdlet:

Set-DSServiceMonitorFeature -ServiceUrl https://localhost:444/StorefrontMonitor

Posted in Citrix XenApp

How to recover/reset password for a NetScaler appliance

We should avoid HA failover due to reboot, so it is recommended to set STAY PRIMARY on primary node and STAY SECONDARY on secondary node.

To reset the nsroot password, you must boot the appliance into single user mode.

Connect the console cable to the Netscaler Serial Console (9600 baud, 8 bits, 1 stop bit, No parity) of the NetScaler appliance. In case of NetScaler VPX access NetScaler through vSphere console.

1. After connecting to the Netscaler Serial Console, restart the NetScaler appliance.

2. Press Ctrl+C keys simultaneously to Boot in kernel.

3. To start the appliance kernel on a single user mode, run boot -s. If boot -s does not work, then try reboot — -s.

4. Press ENTER key to display the # prompt, and run the following command to verify the /flash drive consistency:
$ /sbin/fsck /dev/ad0s1a

5. Run the following command to display the mounted partitions:
$ df

6. Check if /flash drive is created, then run the following command to mount the flash drive:
$ /sbin/mount /dev/ad0s1a /flash

If the preceding command fails to mount the flash drive, then run the following command to create the flash directory and then run the preceding command again to mount the drive:
$ mkdir /flash

In case of NetScaler VPX on VMware, the disk uses SCSI emulation and the device name of the flash drive is da0s1a.

7. Run the following command to change to the nsconfig directory:
$ cd /flash/nsconfig

8. Create a new configuration file that does not have commands defaulting to the nsroot user:
$ grep –v “set system user nsroot” ns.conf > new.conf

9. Make a backup of the existing configuration file:
$ mv ns.conf old.ns.conf

10. Rename the “new.conf” file to “ns.conf”:
$ mv new.conf ns.conf

11. Run the following command to restart the appliance:
$ reboot

12. Log on to the appliance using the default nsroot user credentials (nsroot/nsroot).

13. Reset the nsroot user password of your choice:
$ set system user nsroot <New_Password>

Posted in Citrix XenApp

The hard disk names for the various Citrix NetScaler appliance models

When troubleshooting a NetScaler appliance we should know the hard disk partition that is mounted on the /var directory. It differs according to the NetScaler appliance model.

To check free space:
root@netscaler# df –h
Filesystem Size Used Avail Capacity Mounted on
/dev/md0c 161M 156M 2.6M 98% /
/dev/ad0s1a 237M 133M 85M 61% /flash
/dev/da0s1e 23G 8.7G 13G 41% /var
procfs 4.0K 4.0K 0B 100% /proc

To verify the mount point on the /var directory:
root@netscaler# mount
/dev/md0c on / (ufs, local)
/dev/ad0s1a on /flash (ufs, local)
/dev/da0s1e on /var (ufs, local)
procfs on /proc (procfs, local)

The hard disk names for the various Citrix NetScaler appliance models:

The following models use the /dev/ad2s1e device name for the hard disk:
-12000 series

The following models use the /dev/ad4s1e device name for the hard disk:

The following models use the /dev/ad6s1e device name for the hard disk:

These models may also use the /dev/ad0s1e device name for the hard disk, please check article CTX121853.

The following models use the /dev/ad8s1e device name for the hard disk:

The following model uses the /dev/da0s1e device name for the hard disk:

To mount a /flash drive on a NetScaler, we need a serial connection to the NetScaler appliance with the following specifications:

9600 bits per second
8 data bits
No parity
1 stop bit

To mount the missing flash drive, complete the following procedure:

1.Connect a console cable to the NetScaler appliance Serial Console.
2.Restart the NetScaler appliance.
3.Press the SPACEBAR key as soon as the following message is displayed:

Hit [Enter] to boot immediately, or any other key for command prompt
Booting [kernel] in 10 seconds

Note: On the NetScaler 7000 appliance, press the Ctrl+C keys simultaneously.

4.To start the kernel of the appliance in the single user mode, run the following command:
boot -s

5.Press the Enter key as soon as the following message is displayed:
Enter full pathname of shell or RETURN for /bin/sh:

Note: The prompt of the appliance changes to \u@\h\$.

6.Run the following command to verify the disk consistency:
\u@\h\$ /sbin/fsck <Device_Name>

7.Run the following command to verify if the flash drive is mounted:
\u@\h\$ df –k

8.If the output of the preceding command does not display the flash drive, then run the following command to mount the flash drive:
\u@\h\$ /sbin/mount <Device_Name> /flash

Note: For NetScaler 10.5, use -t ufs command with fsck and mount command.

9.Restart the NetScaler appliance.

10.From the shell prompt, run the following command to verify if the flash drive is mounted:
root # df –k

Posted in Citrix XenApp

Netscaler Basics – SSL Offload

The MPX series appliances have a Cavium SSL accelerator card and this card has the ability to handle SSL encryption/decryption cycles using a hardware card, rather than consuming valuable CPU resources. The VPX can have the SSL offload feature enabled also, however as there is no Cavium card, the SSL offload performance is not as high as an MPX appliance

1. Create a server object

“SSL Offload -> Servers” and then select “add”

The webserver is named WinWeb01 and has an IP address of

2. Create a service object to reflect the HTTP service that is running on this web server.

A NetScaler service consists of a server object, a protocol, port and a monitor.

The monitor is used to determine if the service is available, if the service is unavailable the NetScaler will mark the service as down, removing it from load balancing decisions.

3. Create a NetScaler virtual server (vServer) and provide the following information and bind the service to the vServer.

IP Address
Bound services

The IP address of the vServer will be used by clients to connect to the backend services.

Bind a certificate to the vServer, this is certificate will be presented for client connections.

Client connections should now be directed to the vServer’s IP address – The vServer will present the SSL certificate when a connection is made using HTTPS (TCP 443), any encryption/decryption of data will be processed using the NetScaler’s built in Cavium card.

Posted in Citrix XenApp