Virtualization, technology, and random rantings with a focus on Citrix and VMware.

Category: Citrix Page 6 of 10

EULA Evolves, Form Of nFactor!

Preview of what is coming this weekend…..

nFactor Overview

How about a way to convert basic authentication on Citrix Gateway on-prem to advanced authentication with nFactor?

1912 LTSR CU5 Released!

It has been released! Ghostbusters summoned to get rid of those ghost sessions!

https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/product-software/citrix-virtual-apps-and-desktops-1912ltsr-cu5.html

Under My SSL Thumbprint

Wouldn’t you know it!? A vCenter certificate got changed out and now your hypervisor connector is showing it no worky. Come to find out you missed the email memo that the certificate was getting changed. Or you might’ve been busy and didn’t think too much of it. Well, now you have to get it fixed! What if there was a way to get that information quickly and easily so that you just had to do some copy / paste magic to resolve it? Well…. There is! This handy dandy little script will get those pesky thumbprints and kick them out as a csv so you can use them to update your connector in the XenDesktop database.

# A script to check SSL thumbprints on your Citrix hypervisor connections. This will get all of the thumbprints of your connectors and will get the SSL thumbprints of your vCenters if you happen to have more than one.
# This is for running on an on-premises Citrix farm (7.x) on a Delivery Controller with the 10.1.0 VMware.PowerCLI module and the Citrix SDK installed, with VMware ESXi 7.0U1 or later. This is also run in ISE. The Get-SSLThumbprint function is from https://gist.github.com/lamw/988e4599c0f88d9fc25c9f2af8b72c92
# with the return changed to $SSL_THUMBPRINT -replace '(..(?!$))','$1' (the original ended in '$1:'). The instructions for changing the SSL thumbprint can be found at https://support.citrix.com/article/CTX224551.

asnp Citrix*

Function Get-SSLThumbprint {
    param(
    [Parameter(
        Position=0,
        Mandatory=$true,
        ValueFromPipeline=$true,
        ValueFromPipelineByPropertyName=$true)
    ]
    [Alias('FullName')]
    [String]$URL
    )

add-type @"
        using System.Net;
        using System.Security.Cryptography.X509Certificates;
            public class IDontCarePolicy : ICertificatePolicy {
            public IDontCarePolicy() {}
            public bool CheckValidationResult(
                ServicePoint sPoint, X509Certificate cert,
                WebRequest wRequest, int certProb) {
                return true;
            }
        }
"@
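    # This policy accepts every certificate for the whole PowerShell process, not just this call,
    # so keep the previous policy and put it back once the thumbprint has been read.
    $previousPolicy = [System.Net.ServicePointManager]::CertificatePolicy
    [System.Net.ServicePointManager]::CertificatePolicy = new-object IDontCarePolicy

    # Need to connect using simple GET operation for this to work
    Invoke-RestMethod -Uri $URL -Method Get | Out-Null

    $ENDPOINT_REQUEST = [System.Net.Webrequest]::Create("$URL")
    $SSL_THUMBPRINT = $ENDPOINT_REQUEST.ServicePoint.Certificate.GetCertHashString()

    if ($previousPolicy) { [System.Net.ServicePointManager]::CertificatePolicy = $previousPolicy }

    return $SSL_THUMBPRINT -replace '(..(?!$))','$1'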
}


$xdConnections = Get-ChildItem XDHyp:\Connections | Select-Object HypervisorConnectionName, HypervisorAddress, SslThumbprints

$xdThumbprints = @()

foreach ($xdc in $xdConnections)
    {
    $line = "" | Select-Object HypervisorConnectionName, HypervisorAddress, SslThumbprints, vCenterThumbprints, SameThumbprint

    # Out-String appends a newline, so trim before the values are used as a URL or compared
    $line.HypervisorConnectionName = $xdc.HypervisorConnectionName
    $line.HypervisorAddress        = ($xdc.HypervisorAddress | Out-String).Trim()
    $line.SslThumbprints           = ($xdc.SslThumbprints | Out-String).Trim()
    $line.vCenterThumbprints       = Get-SSLThumbprint $line.HypervisorAddress
    # An empty thumbprint (the lookup failed) would match any string, so require a value first
    $line.SameThumbprint           = ([bool]$line.vCenterThumbprints) -and ($line.SslThumbprints -match $line.vCenterThumbprints)

    $xdThumbprints += $line
    }

$xdThumbprints | Export-Csv c:\scripts\logs\sslthumbprints.csv -NoTypeInformation
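
A variation on the lookup above, added here as an example and not part of the original script or the linked gist: it reads the certificate over a single TLS handshake with a validation callback scoped to that one stream, so ServicePointManager is never touched, and it compares thumbprints exactly instead of with -match. The function names, the TLS 1.2 setting and the sample thumbprint are assumptions made for the example.

```powershell
# Added example (not the original script). Function names are hypothetical.
function Get-ScopedSslThumbprint {
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri    = [uri]$Url.Trim()
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $uri.Port)
        # The accept-any callback belongs to this one SslStream. The aim is to
        # read the certificate, not to trust it for any later request.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            # Assumption: the endpoint negotiates TLS 1.2.
            $ssl.AuthenticateAsClient($uri.Host, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            return $cert.Thumbprint      # SHA-1, uppercase hex, no separators
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-ThumbprintMatch {
    param([string[]]$Stored, [string]$Live)

    # Strip colons and spaces so both sides compare as bare hex, then require
    # an exact match. An empty live value (failed lookup) never matches.
    $normalize = { param($t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    $liveHex = & $normalize $Live
    if (-not $liveHex) { return $false }
    foreach ($s in $Stored) {
        if ((& $normalize $s) -eq $liveHex) { return $true }
    }
    return $false
}

# Constructed sample values, not real thumbprints.
$stored = @('AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD')
Test-ThumbprintMatch -Stored $stored -Live 'aabbccddeeff00112233445566778899aabbccdd'
Test-ThumbprintMatch -Stored $stored -Live ''

# On a Delivery Controller (needs the Citrix snap-ins, as in the script above):
# foreach ($c in Get-ChildItem XDHyp:\Connections) {
#     $live = Get-ScopedSslThumbprint ($c.HypervisorAddress | Select-Object -First 1)
#     Test-ThumbprintMatch -Stored $c.SslThumbprints -Live $live
# }
```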

So This Happened!

Absolutely thrilled and amazed that I have the opportunity to join some of the best professionals out there in the Citrix world by being accepted into the ranks of Citrix Technology Advocates! Excited for what is to come with this! Make sure to welcome and congratulate all the new members and the returning members! Here is the link to check them all out!

Citrix Technology Advocate Awardees – Citrix

~~ Kris Davis

Where In The World Is Carmen Sandiego?!

You ever get an email from a user that just has their name in it and “my VDI isn’t working”? You ever go to Citrix Studio and look for the user and sort to find them? Well…. How about a better, faster, more streamlined way!? (Might be some PowerShell involved)

Look no further! Below is a fast and easy way to find that machine that the user just may have happened to forget to include in said email!

Got to make sure you have the Citrix Studio PowerShell modules in there and load them.

If you happen to do the above, you get this:

Gets you the result with names and machine names.

And so you can do that sweet, sweet copy / paste, code snippet below.

asnp Citrix*

$adminAddress = "deliverycontroller.fqdn:80"

Get-Brokermachine -AdminAddress $adminAddress -MaxRecordCount 1000 | Where AssociatedUserNames -like "*partofusername*" | Where SessionSupport -eq "SingleSession" | Select AssociatedUserNames, HostedMachineName, RegistrationState, OSType

Hope that is of some help to you! I typically use the last name for the part of the user name to search the assignments.

Responder To The Log4

Make sure to keep up to date with the guidance from Citrix on CVE-2021-44228. https://support.citrix.com/article/CTX335705

This link has the mitigations for the WAF and a Responder policy. https://www.citrix.com/blogs/2021/12/13/guidance-for-reducing-apache-log4j-security-vulnerability-risk-with-citrix-waf/

Got Some Class

Went and got me some class! Wonderful instructor Matthew Jones over at Layer8!

Getting after it!

Level Up That Knowledge!

Taking the CNS-420 Citrix Networking Assessment, Design, and Advanced Configuration course this week! #citrix #netscaler

New HTML5 Workspace App 2111.1

https://www.citrix.com/downloads/workspace-app/html5/workspace-app-for-html5-latest.html

For the low low price of free, you too, can get the latest HTML5 Workspace App!!! ACT NOW! Supplies UNLIMITED!

ADC Your Way To Restore

So ran into an interesting thing restoring a Citrix Netscaler Gateway ADC. I went through and was doing a re-deploy of an ADC VPX. So a couple things that I noticed that were rather odd…..

First thing that I noticed was this:

Backup / Import option

So what I noticed was when you select “Import” radio button, the button to accept it once you select the file, is the “Backup” button still. I would think this would be a fantastic change to make a button with the name “Import.” This is something minor, but it was something that stood out to me.

Next thing of interest when restoring your backup file…..

Restore option

Once you have “Backup / Imported” your file to the ADC, you can go back to the list of backup files available to you. Something of importance here. If you have the “Basic” backup, that is a very minimal backup including configuration files only. If you use the “Full” option, this includes the /nsconfig/, /var/, certificates, and License files. Rather important to make sure you are using the correct backup option here. An example here is re-deploying the VPX and wanting to replace the one you had.

Now when you select the “Restore” option, you get this screen:

Restore option

You then get an option to “Reboot.”

Reboot option

Once I did the “Warm reboot,” I was presented with a wait 60 seconds screen. When I logged back in, I noticed that there was basically nothing there. I worked on it for a few minutes and decided to shut it down and power it back up after looking for another backup file. Once it had powered down and powered back on, lo and behold it happened to have everything! Success was had! Something to note that will be rather important, should you decide to re-deploy a VPX on ESXi, make sure to note the MAC address of the VM BEFORE you re-deploy. The license file is married to the MAC and that is EXTREMELY important. You can open the license file with Notepad or Notepad++ and read the MAC there and then manually set it on the VM options. Just something that I ran into and thought would be useful information to have!

Note: I had already applied the license file and found that I had to change the MAC address, so all of that was done before attempting to restore the configuration from backup.
