Archive for the ‘Citrix’ Category

Info: Citrix XenMobile APNS certificate signing tool

Tuesday, October 7th, 2014

Hello Folks,

are you also not happy how Citrix handle the APNS (Apple Push Notification Service) Certificate signing requests in the past? It goes better now, Citrix has a new Website available where you can sign the APNS Certificate for use with the Citrix Mobile. Just click here:

Funny thing, this site is mentioned nowhere (Citrix Edocs or CTX Article i know/found) so it’s maybe not official (but who cares as long it works better like in the past). 🙂

Update: I just found a “new” CTX Article mention this… So it’s official… 🙂



P.S.: You need a valid Citrix account to use this tool.

Tip: Getting legacy printer names back in XenApp 7.5

Thursday, October 2nd, 2014

Hello Folks,

i got some questions regarding the use of legacy printer names in XenApp 7.5. In XenApp/XenDesktop 7.5 the legacy printer name policy is not available any more. This is really bad for a couple of applications which needs to get the old Printer name convention.

After doing a small research i found a working solution in the Citrix Forums, after the Login was done and the Printers are mapped you need to run a small powershell script:

$SessionID=((qwinsta /server:$ServerName | foreach { (($_.trim() -replace “\s+”,”,”))} | ConvertFrom-Csv)|Where-Object {$_.SESSIONNAME.StartsWith(">")}).id
$MyPrinters=Get-WmiObject -Class Win32_Printer -Filter "PortName like 'Client:$SessionID%'" -Property PortName,DeviceID
$MyPrinters|% {$_.RenamePrinter("Client/$env:clientname#/"+$_.PortName.Split(':')[2])}>$null

Save this code in a powershell script and execute it as last command in a logon script.

Of course you can modify it if required but please note: This comes without any support or warranty!


Tip: Troubleshoot Citrix HDX Flash redirection issues

Friday, September 12th, 2014

Hi Folks,

you have issues with the HDX Flash redirection? Just try the following steps:


1) Make sure the Flash Player plugin is installed on the Server and the Client site, it’s not available for ARM based devices like the IZ1(!).


2) Disable the Flash Player Auto Update at the Server site!


3) Flash redirection in general is not 100% compatible and never could be it.


4) Make sure that all Citrix Server Policies for HDX Flash redirection are enabled and configured in the right way.


5) Make sure that the Flash Redirection feature is enabled at the client site.


6) Make sure content fetching is enabled if the client can not access the Internet directly, this needs to be enabled at the Server and the Client.


7) Follow, perform the registry settings to disable the Version check:

You can disable the version check by modifying Windows Registry Key on VDA, named “FlashPlayerVersionComparisonMask” which is a dword that should be set to zero.

This needs to be set on each and every VDA you need the checking disabled on.

32-bit OS HKLM\\Software\\Citrix\\HdxMediaStreamForFlash\\Server\\PseudoServer

64-bit OS HKLM\\Software\\Wow6432Node\\Citrix\\HdxMediaStreamForFlash\\Server\\PseudoServer


8) Ask user where they have to upload or download data thru websites and verify that these sites will not be redirected. Why? If the content is redirected the user will only see the file system coming from the Thin Client! It’s running redirected local at the client right… 🙂


9) For XenApp 6.5 make sure CTX140236 Hotfix is installed,


10) For XenDesktop 5.x/XenApp 7.x or higher make sure the latest VDA Version incl. Hotfixes are installed.


11) If it is still not working add the following Registry Keys to the PseudoServer Registry Part (see 7).

UserEnabledFlashV2 as REG DWORD = 1
IEBrowserMaximumMajorVersion as REG DWORD = Installed IE Version in decimal, for example IE 9 = 9




Tip: Getting struggled with SHA2 certificates and the Citrix Linux Receiver?

Friday, September 5th, 2014

Hi Folks,

if you got issues with SHA2 certificates in the past and if used together with a Citrix environment you should try the latest IGEL 5.04.100 LX/OS firmware.

The new firmware contains a updated Citrix Receiver 13 version which comes now with SHA2 certificate support, important here: You must use the Citrix Receiver 13, no option to use Receiver Version 12 here! So it might be that you have to reconfigure your thin clients to work together with your environment and to get Receiver 13 to work.

Please test the new configuration in advance, do not just modify it to see what happens for all your users (otherwise they will hate you). 😉




Info: Citrix going back the Linux way… Register for the XenDesktop/XenApp Linux Desktop Tech Preview now.

Wednesday, August 27th, 2014

Hi Folks,

after years Citrix is going back the Linux way… You can now register for a XenDesktop/XenApp 7.5 Linux Desktop Tech Preview. This means: Offer your users a Linux Desktop or Apps.

There are a couple of reasons why to offer a Linux Desktop or App to the Users, App is not available for Windows like some Linux based GFX Tools, Licensing fee’s or general issues with Desktop OS Licensing for cloud offerings (CSP). So i really like to see what happens here in the future…

If you want to register for the Tech Preview or to get more information’s just visit the Citrix Blog here: Citrix Blog

Have Fun


Tip: How to solve scrolling issues with XenDesktop 7.x and the Linux Citrix Receiver 13

Wednesday, July 9th, 2014

Hello Folks,

if you got in issue with scrolling in web sites that contain a lot of pictures like Google Pictures than you should try the setting to enable the registry key to enable the h264 deep level compression (System->Registry->ica.wfclient.h264enabled).

Plesase note: You must use Receiver 13 and this settings is currently not available for ARM based Client like the IZ1 or UD2 Multimedia.



Tip: How to avoid Adobe Flash in Terminal Server/VDI environments with the IGEL LX/OS

Wednesday, May 28th, 2014

Hi Folks,

maybe you also agree that Adobe Flash content is one of the biggest crap that can be used in a Terminal Server/VDI environment. For example youtube or similar site’s mostly waste expensive Server CPU resources only for watching a “funny” video..

Yeah… One User with one HD Flash Movie use 41% of  Server CPU resources!

HTML5 is still not a big deal for most site’s, so how can you handle it?

1) Ban it… Block unwanted traffic with a firewall or proxy. This is highly efficient but will upset the user base and maybe you need it (schools/education), so mostly this option is no deal.

2) Buy more Server.. More or less efficient and very expensive (Hardware, licensing, setup and cooling). No deal!

3) Use solutions like Citrix HDX Flash Redirection… More or less efficient, hard to setup and not 100% compatible, it could be a option but it’s not a real solution.

4) Ban it from the servers… I just setup this for a PoC and it seams to be the most efficient way which is also acceptable for most users. So how is the setup?

a) You need IGEL Linux based devices (LX or OS) based on the x86 architecture to do this.

b) Setup a local Firefox browser session and deploy any Version of the Adobe Flash Player for Linux to it (Browser Plugins in the IGEL Setup).

c) Assign a Hotkey to the Firefox Browser Session like ALT+CTRL+i.

d) Setup a IIS/Webserver on any System that is not already running a IIS/Webserver

e) On the Terminal Server/VDI (i recommend to use the golden Image) site open the hosts file which is located in the Windows/System32/drivers/etc folder and edit it. Now add any Website you want to outsource, point it to the “new” Webserver. Example:

Do not perform this for any Website which is used for “business” uploads/work! Don’t use a DNS Server to apply the configuration, this might also point the Thin Clients to a “wrong” site… Of course you can also add Webradio Website’s, browser based games or what ever you don’t want to see in a Webbrowser on the server backend. But at all.. It’s not a security solution at all, it’s to save resources only!

f) Create a small HTML Website with a short Text like “This site can not be used on a Server/VDI! Please press ALT+CTRL+i to open the local Browser and use ALT+CTRL+TAB to switch between the Browser/Session.” or similar. Make it simple and easy to understand… Now set this HTML Page as default and 404 error page for the new Webserver (d).

g) Let the user test it… If the User enter the “new” Website will open and point the user how to work with the local Browser.. For the User it looks “very” embedded into the session, not 100% but it will be good enough to watch movies for most of them.

I know this solution is also not a 100% one and it can be bypassed if the User is using the IP. 😉 ..but it’s not a security solution, the User can watch Movies and you have minimized the wasted CPU resource on your backend. It’s easy to control, high compatible and everyone is happy. From my point it’s currently the best way to handle Flash until it will be fully replaced by HTML5 or any other “better” working solution. The performance depends on the User device, a UD5 will better perform than a UD2 but still: A slow client is better than a slow server for most company environments.

Also some more benefit’s.. You can seperate client traffic from your server traffic quite simple, the customer where i suggest this mentioned that they have 10GB or more “flash” streaming traffic (only youtube) per day in the server infrastructure with a little bit more than 300 user’s. You can use it with any Terminal Server/VDI solution but please note: If using VMWare View, Microsoft RemoteFX, Citrix XenDesktop x.x / XenApp 7.5 or any other solution that support real USB redirection don’t setup USB Redirection for Human Interface Devices (HID) because in this case the Mouse and Keyboard can not be used outside the Session (…and with the local Browser).

You can also add other description’s to the created “manual” website, for example for Android press the home button and open the local Browser or similar.

If you have suggestions to improve this solution feel free to give me a mail or add a comment.



Tip: Using ICA Sessions with IGEL Linux 5.03.100 and XenApp/XenDesktop 7.x

Thursday, May 8th, 2014

Hi Folks,

in the release notes for the IGEL Firmware 5.03.100 IGEL mentioned that “single” ICA session are not possible with the Citrix Receiver 12/13 for Linux and XenDesktop/XenApp 7.x:

"- ICA sessions created on the IGEL device only work
with Citrix XenApp servers up to version 6.5."

This statement is not really true because in Citrix Terms it means only ICA Sessions based on the Citrix IMA Service (XenDesktop or XenApp 7.5 is using FMA), it is not right for sessions based on a Server IP Address or Hostname where the IMA service is not required/used.

This is also mentioned in the Citrix Edocs in the XenDesktop/XenApp 7.5 Feature description:

  • Custom ICA files — Custom ICA files were used to enable direct connection from user devices (with the ICA file) to a specific machine. In this release, this feature is disabled by default, but can be enabled for normal usage using a local group or can be used in high-availability mode if the Controller becomes unavailable. 

If configured right it can be also used as small HA “solution” for smaller installations with only one XenDesktop/XenApp controller server, please refer also to:  How to enable simple XenDesktop/XenApp 7.5 HA Mode

To enable the feature in general follow this article: Enable direct ICA connections for XD/XA 7.x

In the ICA Session configuration in the UMS Profile/local Thin Client configuration use only the Server IP/Hostname for the connection (see picture below), if you have more than one Server you need to create seperate profiles for each server and assign the profiles to different clients. Of course this is a “manual” work but you are still able to use the ICA sessions if required, a Citrix Storefront or Webinterface Server is not required in this case. If HA mode is enabled like mentioned also a XenDesktop/XenApp 7.x controller can be offline for a short time period (for example maintenance).




1) It will only work in LAN environments.
2) No Load Balancing, the clients will always connect to “one” server or you have to configure “several” ICA sessions per Client.
3) No “roaming” sessions if the User use several Thin Clients and these Clients are connecting to different server.
4) Not really usefull for large environments.

It will work with Citrix Receiver 12 and 13 for Linux but also older Receiver Versions (any OS) should work with it.



Tip: Hidden Citrix Receiver failback switch in the IGEL Linux

Wednesday, April 30th, 2014

Hello Folks,

iam not sure how long this feature already exists but i should mention it here….

IGEL has included in all current LX/OS Firmware Versions (V4.13.x or V5.01.x to < 5.03.100) a hidden “failback” Switch which can help to bypass issues with the latest included Citrix Receiver Version.

In the current IGEL Firmware 5.02.100 you are able to switch between Citrix Receiver (default, mentioned in the release notes) and Citrix Receiver (mentioned nowhere… 🙁 ). I do not unterstand why this is included as a hidden feature because it’s a clear benefit to have this option available.

Switching between these Versions is quite simple, you only need to execute the command /services/ica/bin/switch_ica_fallback. This can be done from a command line/terminal session for tests / troubleshooting or you can execute it during boottime for production. If you want to switch back to the “default” version just execute the command again… Funny right?

If you want to perform the last option open a profile or the local IGEL Setup and browse to System – Firmware Customization – Custom Commands – Desktop Commands and enter the command in the Custom Command Desktop Final field. After this change is done the setting will be active after the next reboot.

Update: This solution is not available in the Firmware 5.03.100, use here the switch in the gui or the registry setting System->Registry->ICA and enable useversion13.



P.S.: It might be that this switch will be removed in later firmware releases..

Info: OpenSSL Heartbleed (CVE-2014-0160) issue doesn’t have an effect for Citrix Netscaler but..

Thursday, April 10th, 2014

Hello Folks,

all people talking about the OpenSSL Hearbeat/Heartbleed issue and how bad it is… Remembers me a little bit like the Sasser/MSBlast wave a couple of years ago.


At all, if you’re currently using Citrix Netscaler to protect your environment you should get a look at CTX140605.

In general the Citrix Netscaler is not affected by the Heartbleed issue but please note: This do not count for the internal Website running behind the Netscaler on your server by design, for example if you use Apache based Webserver, so in this case you should verify this and upgrade the Webserver. The Netscaler itself is safe at the moment, also the external access to websites hosted in your fabric should be save if the external connection run thru the Netscaler; primary risk are internal sites in your company where the Netscaler can/would be bypassed for internal access/users and if the affected OpenSSL Version 1.01 is used.

So the “but…” in the headline points to the fact that mostly attacks are coming from internal sources/users and here the Netscaler will not help you depending on your network setup if the OpenSSL Version 1.01 is used.

Iam quite sure a few web based companies are now feeling sad that they have not used the Netscaler in the past. 🙂



P.S.: If you want to check your site visit, if your site is “unsercure” you should to the following steps asap.

1) Upgrade your webserver to a secure OpenSSL Version
2) Change all used SSL certificates to new ones.
3) Notify all users to renew there passwords (force them)

There are already a lot articles covering this in more detail, so no more need to repeat this… I hope…

P.S.2: Details about the OpenSSL issue can be found here

Tip: Troubleshoot Certificate issues with Citrix Receiver and Apple IOS / MacOSX / Android / Linux

Friday, April 4th, 2014

Hello Folks,

if you are using the Citrix Receiver together with Apple devices you may have discovered some certificate issues in the last weeks or months.

This means, you have imported a “valid” Certificate but the user is still not able to connect to your Citrix environment. Very common for this issue is the public CA GoDaddy and there are a couple of Admins running into this issue in the last weeks.

The reason for this issue is quite simple, a few CA’s now create all certificates valid after the 01-01-2017 as a SHA2 certificate, this SHA2 certificate is not supported by the Citrix Receiver for Apple OS’s in the moment. See also

Only way to fix this at moment is to use an other certificate type or to wait until Citrix adds the SHA2 support for the Apple/Android/Linux receiver versions.


P.S.: Please refer also to the Citrix Client Feature Matrix mentioned in the previous post.

Tip: What are the differences in the Citrix Receiver by OS?

Friday, April 4th, 2014

Hello Folks,

you want to know what is the difference in the Citrix Receiver Versions for MacOSX, Android, Windows 8 or Linux, have a look in the new Citrix Receiver Feature Matrix which is available here: Citrix Receiver Feature Matrix


Release: XenDesktop 7.5, XenApp 7.5 and Storefront 2.5

Thursday, March 27th, 2014

Hello Folks,

Citrix has released there latest product version of XenApp 7.5 and XenDesktop 7.5 incl. Storefront 2.5.

The new versions are available at the Citrix website for download now and check out you licensing before upgrading your existing environment.

Have Fun


P.S.: For a nice Visio stencil of XenApp/XenDesktop 7.5 visit

Tip: Troubleshoot disconnecting ICA Session with Citrix Receiver for Linux

Monday, March 10th, 2014

Hi Folks,

if you have an issue with disconnecting ICA Session coming with the lates Version of the Citrix Receiver try the following steps:

1) Make sure you have no network issue (use the network tool coming with the IGEL Linux)

2) Disable all not needed redirection features in Sessions->ICA->ICA Global like Printer redirection, Serial Port redirection and so on.

3) Very often it seams to be that this issue is related to Flash (last Flash versions are very unstable, try also an older one on client and also server side) or Multimedia redirection, disable this in the ICA Global settings too.

Please report if this fixed the issue for you and what setting helps most.


Michael Hoting

P.S.: If you run in a issue like this, request exact reports what was the last user action before the session drops.

Tip: Citrix Linux Receiver settings explained

Thursday, December 5th, 2013

Hello Folks,

Citrix has released  a new Version for the Linux Receiver documentation explaining a couple of settings, the new document is already for the Receiver Version 13 but most settings are similar to Receiver 12 and explaining a lot of useful settings that can be found in the IGEL Setup->System->Registry->ICA->wfclient area.

You can found the documentation here: Download Linux Receiver Guide


Release: Citrix VDI-in-a-Box 5.4

Wednesday, November 13th, 2013

Hello Folks,

if you already using Citrix VDI-in-a-Box you should get a look on the new release 5.4 which comes with couple of new cool features:

– Support for Microsoft Windows Server 2012R2 Hyper-V incl. shared storage
– Support for Windows 8.1 virtual desktops
– Support for VMWare vSphere ESXi 5.5 as Hypervisor
– Build-in HTML5 device support (Browser needs to support it)
– Much improved SSL certificate handling
– Follow me Desktop (shared/dedicated User accounts)
– Improved VM image/template handling
– Remote Assistance support
– Support for multiple AD’s
– Storefront Smart Card support if Storefront is used (seperate download!)
– Wizard based upgrade path to XenDesktop 7 if required

I will test it soon together with the IGEL Linux V5 🙂



Tip: XenDesktop 7 and fixing Flash redirection issues on a Windows 7 VM

Tuesday, September 24th, 2013

Hello Folks,

if you’re running XenDesktop 7 together with Windows 7 VM’s you can run into a issue with Flash Redirection that Flash redirection doesn’t work.

Solving this issue is quite simple, it looks that the current Flash Player from Adobe is not compatible to HDX Flash redirection or cause some issues here. Just use an older Version and HDX Flash Redirection works like a charm again.

This has nothing to do with IGEL, it seams to be a general Flash issue in the current Flash Version from Adobe together with HDX Flash.

Update: I doesn’t know why it works for me one time with Windows 8 but in general Flash Redirection and Windows 8 is not supported and recorded as known issue by Citrix. The issue with the latest Flash Player do also has an impact on Windows 7 VM’s and can be solved like described.

Update2: Just if you are not familar with Flash redirection and what components are required, you have to use the Flash Plugin (Flash Player for other Browser) and not the ActiveX Plugin, if only the ActiveX Plugin is installed it will not work in general! You can also access older players from the archive (




Tip: How to allow RDP and unmanaged ICA connections to XenDesktop 7 Terminal Servers (Windows Server 2008R2/2012)

Monday, September 23rd, 2013

Hello Folks,

not 100% IGEL related: If you already use XenDesktop 7 you maybe want to allow/use RDP connections or unmanaged ICA connections to a Terminal Server.

In XenApp 6.5 you only need to setup the Citrix “Desktop Access” Policy but for XenDesktop 7 this is not enough and still RDP or unmanaged ICA connections didn’t work.

After you installed the XenDesktop 7 VDA for a Server OS you will get a new “local” User Group “DirectAccess Users”, add your Domain Users or User Groups to this local Group on the Terminal Server.

XenDesktop 7 local DirectAccess Users group.

XenDesktop 7 local DirectAccess Users group.


After this is done, you are able to connect to the Terminal Server as User via RDP or unmanaged ICA.




P.S.: This is useful for the IGEL Linux if you want to setup a direct ICA session for a Desktop Session… 😀

Using Citrix GoToMeeting with Citrix XenApp or XenDesktop

Wednesday, September 18th, 2013

Hi Folks,

maybe this information is useful: If you want to use Citrix GoToMeeting you should be aware that you can not use GoToMeeting  together with an Audio Headset and XenApp.

If you are using XenDesktop together with a Desktop OS (not Server OS!) then it will work and you can use the Headset.

This is not related to IGEL, it’s a general behavior for GoToMeeting together with XenDesktop/XenApp and the Client OS (Windows/Linux) is not important!



P.S.: Future versions of GoToMeeting maybe will not show this behavior… 🙂

Solution: introduces first Apple device support for Linux based Thin Clients

Friday, August 30th, 2013

Hi folks,

so often i’ve been asked to use Apple devices like the Iphone, Ipad or Ipod with an (IGEL) Linux based thin client without using (expensive) USB redirection solutions…

Here is our first custom partition sample introducing Apple device support for all Universal Desktop LX/OS (x86) based devices!


Apple devices can be used local, in Microsoft Remote Desktop sevices or Citrix sessions and more. The pack includes also a local running Application (Atunes) which works quite similar to Itunes. Itunes will not recognize the device in a terminal server session but you can use file based Itunes alternatives and access the Apple device file system to copy pictures or what ever!

This solution is tested with various Apple devices (Iphone 4, Iphone 5, Ipod 7gen and Ipad 3)but please note: No one will support it. 😉 A jailbreak is not required… 😀

To read more or download the solution klick here: Apple device support

The package is modular designed, so you can seperate not required functions like aTunes….

Have fun and a nice Weekend!



P.S.: Regarding the fact that i don’t own any Apple device i want to thank all guys that borrow me a device without being afraid that i damage any device during my test’s… 😀