Virtualization, technology, and random rantings with a focus on Citrix and VMware.

Tag: citrix Page 1 of 3

In-depth Review: Goliath Performance Monitoring

I have had some time to really check out this software and put it through its paces and bring my findings. Goliath Performance Monitoring software. I have been really surprised with what I was able to accomplish with it. But the proof is in the pudding, so pudding I shall prepare!

First with it. Pretty simple installation. You just need a server to run the software and a database / database server (SQL) to host the information. Some exclusions for AV / security software are rather important as well. Setting up the inventory and such was a breeze as the personnel at Goliath were willing to assist setting it all up. I explained the environment I wanted to test with and the resources I wanted to monitor and they walked through the paces with me. Then I had a working monitoring solution.

The question you have when you have a monitor solution, is how to make it monitor what you want without TONS of alert fatigue. It is easy to get overwhelmed by alerts that may mean nothing and take valuable time away. The default monitor rules it came with already configured were mostly sufficient and I didn’t notice a bunch of unwanted alerts. There were even some alerts I wasn’t expecting to see. One was an instance where Citrix Cloud went offline for a short time. I got an alert saying DaaS down and LHC engaged. I went and checked to see what was going on. I didn’t see anything for a few minutes and then all of sudden, it displayed there was an issue going on. I was alerted quite a bit before even the status console showed it. That was rather handy to know.

Setting up a custom alert outside of the defaults was easy enough as well. I configured one to monitor FAS in case of issue where it didn’t like to issue certs. Simple setup and added the remediation (which you can configure a myriad of options such as run this script or reboot this server). This allows you to not only alert on the issue, but to do something about it if there is a known fix. This has been a real help with that.

But wait, there’s more! So I’ve just been talking about how to use the basic monitoring alerts. Well, there are also several views that are available for user sessions. One thing I found myself using on the regular, is the “Published Apps and Desktop,” and the “Virtual Desktops” tab. Here is a bunch of user information that can help solve some issues. There is a column you can add of “Connection speed” that quickly has helped identify end user issues at home ISPs. You can also see machine health status and session information over time which is useful to be able to track patterns of issues.

The views contain a lot of useful information on the high level such as ICA RTT and ICA latency. That quick glance can show if there is an issue with user connections or other issues with getting responses back. You can also see the version of the client they are using as well as the method such as client or HTML5 client. You can also modify the view to show a specific user or machine. You can also select a custom time period to see trending information. You can select a session and drill into it for more information. Starting off with the Published Applications and Desktops tab, right off the bat you see a lot of data. You get machine performance and session metrics. The top 5 processes is very useful to see any runaway program or possible scanning issue with things such as A/V.

There are also tabs to select different areas of the session. The Logon tab drills into the GPO processing, which shows which policies were applied and how long it took to process them.

The ICA/HDX tab breaks down things such as ICA performance and connectivity metrics from the client machine. You very quickly can see the available and used bandwidth. This could assist in seeing if their connection is saturated.

The App Server tab shows the metrics on the app hosting server, revealing any bottlenecks in IO, processor, or RAM saturation. An additional tab is there for the Hypervisor Host. This lays out the same metrics but for the underlying host hardware. Getting this tiered information helps you see the whole stack interacting and points out issues with it very efficiently.

You also get the same kind of views related to Virtual Desktops. You see each machine in use and can select the session there as well.

Another aspect of the monitoring is the EUC Scorecard that they helped setup as a daily and a weekly report. This contains a lot of information of the top session issues, connectivity issues, and user experience. Reviewing this on the daily can show if you have some locations that may need upgrades in connectivity or if there is something else going on. This helps you be more proactive in solving an issue. Another good use for trending is reviewing the weekly report and comparing to last week’s report. For example, if you see the same users across weeks, this could point to an issue with a site or possibly a need to upgrade bandwidth at a site. Users don’t always call when something is going on. This lets you get in front of it and users appreciate when they are put first and you contact them and let them know you see there is an issue and that you are going to try and solve it for them BEFORE they call you.

Then comes along new features across upgrades. One that was rather nice, was the addition of Chrome OS device monitoring. You can integrate with a Google tenant and monitor Chrome devices. This is fairly easy to configure and they will walk with you to get it done quickly. You see immediately once you add that, all the RAM / CPU use and network health of the device. Being able to see that could very much help with knowing are you overloading the devices and may need larger resource devices. You could also see if there are connectivity issues with them if they are dropping connection and such.

Then a really neat feature came to the software, Ask Kip! AI integration with the monitoring software. I thought how this would assist in my testing. Well, often you get into a set and forget mindset unless there is something off that requires you to add new monitor rules or changing something with alerts. Very rarely did I need to add any new ones, but I did get an alert that was on repeat as it should have been. I went to the console and entered my question on alert suppression into Ask Kip! and it laid out the steps as to what I needed to do in order to suppress the alert. Was straightforward and it had each step of the rule and setting the alert parameters.

I decided I would see what all it could assist with in relation to the software. I asked it how would I remedy a slow user connection (I know the steps, I just wanted to see what it told me). It walked through the same steps that I would have done to solve it. I asked how to add hardware inventory to manage as well as hide inventory I didn’t want to see. Step by step instructions right there to do it.

Another good feature that is available as part of the suite, is the Application Availability. This is particularly useful if you have multiple sites and want to check availability on a regular basis. You can set it up on a machine at each of your sites and have it launch whatever apps are necessary or mission critical to monitor to assure that uptime. It launches the applications you designate on the schedule you define and reports if there are any issues as well as successful launches. This would be invaluable data if you are wanting to assure that all of your remote sites are able to access and to spot down times as soon as they occur to be able to mitigate as fast as possible. It breaks down the instances to Access, Authentication, Resources, Enumeration, and Launch. By having that quick breakdown, you see where the issue is quickly. You will be able at a glance to see where the communication break down occurs and know where to start looking for resolution. That will save valuable time not wasted on checking things that are working correctly and allow you to focus on the specific area that is broken.

Citrix topology is a really neat feature as well. It takes information from the configuration and lays out a visual mapping to quickly understand dependencies and see them on a diagram. You can do this with multiple sites as well. Alerts are shown on the mapping as well as color coding to show quickly if there are issues.

Another feature that has been added, is Cloud Monitoring. This is a handy feature if you are setup in AWS or Azure and want to be able to view your environments there. For hybrid on-prem / cloud based solutions, this is a wonderful addition. Many customers today are moving into hybrid models and Goliath is keeping up with that trend. This being in the same Goliath console, allows for close to a single pane of glass view into your EUC environments.

Was everything perfect, no. No software exists that doesn’t need some tweaking or code fixes or a setting change to get it back on track. I ran into a couple of issues with the software. I contacted their support and got immediate responses. They issued more than one code fix to address issues that were encountered. They were personable and friendly and assistive even with email questions I would have about the software. They are regularly adding features and working to make it an even better solution.

This is a solution that provides Citrix admins a great tool set to make the job easier and get faster times to resolution! This would be a product I would recommend!

Check That .NET And Install It!

Maybe you need to check the .NET version installed and if it is below a certain version, go install it. When upgrading to 2203LTSR VDA, you have to have 4.8 installed as a prerequisite. This will create a PSSession and remove it when it is done. In your upgrade.txt file, use the FQDN of the target machines. .NET installs seem to take a bit to complete, so be patient in it upgrading. Using the [System.Version] lets you compare major, minor, build, and revision so you can get more granular with checking versions in your test cases.

# Script to check if version is below 4.8 .NET and install 4.8 .NET if so. This requires running from an account that has admin on the destination and also a reboot to complete update.
# Tested on Server 2016 and 2019.
$dotNetSource  = "uncshare\DotNET-48"
$dotNetInstall = "ndp48-x86-x64-allos-enu.exe"
$machineList   = Get-Content "C:\scripts\logs\upgrade.txt"
$dest          = "c$\software\upgrade"
$creds         = Get-Credential

foreach($machine in $machineList){
  $dotnetTest                 = Invoke-Command -ComputerName $machine -ScriptBlock {Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client' | Get-ItemProperty -name Version}
  $dotnetVersion              = $dotnetTest.Version
  [System.Version]$testResult = $dotnetVersion
  if($testResult.Major -eq 4 -and $testResult.Minor -lt 8){

    Write-Host "Working on $machine"
    if (!(Test-Path -Path \\$machine\c$\software\upgrade)) {
        New-Item -ItemType Directory -Path \\$machine\c$\software -Name upgrade
        Copy-Item "\\$dotNetSource\$dotNetInstall" -Destination \\$machine\$dest -Force
    else {
        Copy-Item "\\$dotNetSource\$dotNetInstall" -Destination \\$machine\$dest -Force

    $session       = New-PsSession -ComputerName $machine -Credential $creds
    $remoteSession = Invoke-Command -ScriptBlock {Start-Process -FilePath "c:\software\upgrade\ndp48-x86-x64-allos-enu.exe" -ArgumentList @("/q")  -wait -Verb RunAs} -Session $session
    Remove-PSSession -Id $

A Wild Citrix 2203 LTSR CU1 Appears!

Go and check it out!

Getting And Comparing AgentVersions on VDAs Against Target Version

I was looking at a way to compare versions of VDAs installed on various systems to see what systems needed to be updated. I ran into some issues trying to compare the versions as there are different formats and there was not a consistent numbering system going back to 7.15 that I could discern. So with some assistance from, I was able to get the version check working correctly. This ended up comparing to the target version and returning anything that was less than the target version. I didn’t want to target anything newer than the target as I had reasons for those particular systems to be running a newer VDA. You can combine this with the VDA upgrade script to output the DNSNames of the machines to upgrades machines outside of the target version.

This was first attempt and realized some machines didn’t show HostedMachineName.
This was the second attempt and got it to show the DNSName as well and this helped identify the Linux VDA machines.
Final using [System.Version] to compare the versioning numbers. This was the expected output.
# Script to get VDA versions below target version. This was done in PowerShell ISE 5.1 against 1912LTSRCU5 DDCs.
$adminAddress = "deliverycontroller.fqdn"
$date = Get-Date -Format MMddyyyy
$outputName = "VDAToUpgrade"
$report = @()
[System.Version]$targetVersion = "1912.0.5000.5174"
$getMachines = Get-BrokerMachine -AdminAddress $adminAddress -MaxRecordCount 1000000

foreach($machine in $getMachines){
  $line                   = "" | Select HostedMachineName, DNSName, AgentVersion, WillBeUpgraded
  $testVersion            = $machine.AgentVersion
  $line.HostedMachineName = $machine.HostedMachineName
  $line.DNSName           = $machine.DNSName
  $line.AgentVersion      = $machine.AgentVersion
  if([System.Version]$testVersion -ge [System.Version]($targetVersion)){

    $line.WillBeUpgraded  = "Current Version Or Newer"
  if([System.Version]$testVersion -lt [System.Version]($targetVersion)){

    $line.WillBeUpgraded  = "Yes"
  $report += $line

$report | Export-Csv -Path c:\scripts\logs\$date-$outputName.csv -Append -NoTypeInformation

# To see only the versions that are not matching the target version
$report | Where-Object WillBeUpgraded -eq "Yes"

Are You The Keymaster!? : Script To Change ListOfDDCs in Registry

You have an upcoming change and some new DDCs you brought online. You may be changing out to Citrix Cloud (you better be), and you may need to change the ListofDDCs to you Cloud Connector. Sometimes GPO may take a minute to reflect what you want set. You can use this to change the ListOfDDCs quickly. You can also add the ListofSSIDs if that is something that you use by adding another registry name and value in your script block. I have the Get-ItemProperty used twice to get the result of what was set before the change and to show the reflected change. I just like to doubly confirm something and make sure something hinky was not afoot.

# Script to change DDCs on a group of Citrix servers. You will need access to the remote servers and firewall access with PowerShell.
$listServers = Get-Content c:\scripts\logs\svrlist.txt
$date        = Get-Date -Format MMddyyyy
$report      = @()

foreach($srv in $listServers) {

  $scriptBlock = {
    $regName  = "ListOfDDCs"
    $regValue = "DDC1 DDC2 or CC1 CC2"
    Get-ItemProperty -Path HKLM:\Software\Citrix\VirtualDesktopAgent
    Set-ItemProperty -Path HKLM:\Software\Citrix\VirtualDesktopAgent -Name $regName -Value $regValue
    Get-ItemProperty -Path HKLM:\Software\Citrix\VirtualDesktopAgent

  $ddcUpdate  = Invoke-Command -ComputerName $srv -ScriptBlock $scriptBlock
  $report += $ddcUpdate

$report | Out-File c:\scripts\logs\$date-ddcchange-list.txt

Good Ole Proxy Top, Forward Style

So you want to get that sweet, sweet forward proxy all up there for some kiosks? Well… Have I got a deal for you! If you happen to have the licensing (Premium license requirement), you too can be the proud owner of this actually wonderful product. I have been using this for years now and it works extremely well if you don’t have to constantly add sites to the allowed list. Now… First things first. This is for defining your OWN allow list that YOU have to maintain. Getting Gmail to work will take some effort as there are a LOT of sites you have to add for images. This is not using the URL Threat Intelligence which is a line item purchase. This was completed with the help of Kevin Lofy from Citrix. This also is the GUI way of configuring this. Hope that this is of help. It REALLY solved a couple issues and allowed a good bit of control with using AppLocker on the VDA hosting server that was publishing the Firefox browser that linked to the proxy address.

Logon to Citrix ADC.

You will need to select “System” > “Settings” > “Configure Basic Features.”

If “Integrated Caching” is not enabled, you will need to enable the feature. This WILL require a reboot.

Select “Settings” > “Configure Advanced Features.”

You will need to select “SSL Interception” and “Forward Proxy.”

Navigate to “Traffic Management” > “DNS” > “Name Servers” and select “Add.”

Select “IP Address.”

Enter “IP Address.”

Select “UDP” from “Protocol.”

Click “Create.”

Navigate to “Security” > “SSL Forward Proxy.”

Select “Certificate Bundles.”

Select “SSL Forward Proxy Wizard.”

Click “Get Started.”

Click “Continue.”

Enter “Name” for Proxy.

Select “Explicit” from “Capture Mode.”

Click “Continue.”

Click “Continue.”

Select “SSL Sessions Interception.”

Select “Add.”

Select “Bind.”

Select “Add.”

I used an Ubuntu machine and hosted the text file there and reference it as http://ip/something.txt

This will set it to go to next line.

Click “OK.”


Click “Close.”

Click “OK.”

You will need to set a policy to set the IP and Port defined for the proxy (typically 8080) and apply to the machine that will be using the proxy. Using AppLocker with it will make it harder to pivot out of for machine security.

I’ll gather up a blog post of AppLocker and a way to use it with SSL Forward Proxy.

Windows Terminal On Citrix VDI Keyboard No Worky

So ran into this fun on Citrix VDI with Windows Terminal. You get it installed. You start it up. It’s all shiny. You press a button….. And…… NOTHING! So we saw this issue on Windows Terminal on Windows 10 20H2 running CVAD 1912 CU5 VDA. A little bit of searching and this article pointed to part of what was up.

The fix that had to be done to resolve it in our case was to set the “Touch Keyboard and Handwriting Panel Service” to “Manual” in Services. Then rebooting. After that, it fired right up and worked!

That One Time, You Got SMAPP’d!

So you run SiteManager. And somebody done decided they want to make a new server that will host the security.dat file. And… You already did the work to create custom .ini file locations for the users. NOW you have to change all those smapp.ini files with the updated location of the security.dat file. How dare they?! Well. That could be some fun if you have a lot of users. Wait…. Powershell for the rescue! If you happen to use a profile server to host the user files, you can easily replace it with the new location of the security.dat file.

Update: Not sure what happened, but the code paste didn’t take evidently. I blame gremlins. It has been corrected.

# Replace a line / value in .ini file stored in Citrix UPM folder location when a change to the application is made.
# An example is for SiteManager, if you change the location of the .dat file for security.dat file and you are using a custom .ini
# created and stored with the user profile.

$filePath = "e:\locationofupmfolders"

$Files = Get-ChildItem -Path $filePath -Recurse -File -force -Include "smapp.ini"

foreach($file in $files)
        $find = "value-you-want-to-change"
        $replace = "value-you-want-to-change-to"
        $content = Get-Content $($file.FullName) -Raw
        #write replaced content back to the file
        $content -replace $find,$replace | Out-File $($file.FullName) | write-output

Easy peasy. Now they have the new location of the security.dat file!

EDT / DTLS Insight!?

So ran into something fun with the 13.0-84.11 firmware for the ADC. After moving to this version, we noticed the packet engine crashed and failed over. Then it did it again a few days later. After a call with Citrix, looks like there is a known bug in there that is to be remediated in the next month with a new firmware release. The recommendation to do the fix is to run this command on each node of an HA pair: nsapimgr -ys enable_ica_edtinsight=0. There was a CTX article that was referenced (, but I was unable to view it. There is a caveat if you happen to be using EDT that it won’t show in ADM after you make this change, so you would need to disable HDX Adaptive Transport if you want to see session information in ADM.

What’s New In 2203!? Check It Out!

Page 1 of 3

Powered by WordPress & Theme by Anders Norén