Category Archives: Citrix

Citrix Security Advisory Bulletins – March 2015

Here is a handy table listing the various Citrix Security bulletins for March 2015, including SSLv3, FREAK, NTP, GHOST, RSA and ShellShock advisories.
 

| Security Bulletin | Updated | Products |
| --- | --- | --- |
| Citrix Security Advisory for CVE-2014-3566 – SSLv3 Protocol Flaw (https://support.citrix.com/article/CTX200238) | March 19, 2015 | NetScaler ADC, NetScaler Gateway, Secure Gateway, Storefront, Web Interface, XenMobile |
| Citrix Security Advisory for NTP Vulnerabilities (https://support.citrix.com/article/CTX200355) | March 19, 2015 | NetScaler ADC, NetScaler Gateway |
| Citrix Security Advisory for glibc GHOST Vulnerability (CVE-2015-0235) (https://support.citrix.com/article/CTX200391) | March 19, 2015 | NetScaler SDX, XenServer |
| Citrix Security Advisory for RSA Export Key FREAK Vulnerability (https://support.citrix.com/article/CTX200491) | March 13, 2015 | NetScaler ADC, NetScaler Gateway |
| Citrix Security Advisory for GNU Bash Shellshock Vulnerabilities (https://support.citrix.com/article/CTX200217) | March 2, 2015 | NetScaler ADC, NetScaler Gateway, NetScaler SDX, XenApp, XenDesktop, XenMobile |

Thanks to Michael Pahl [Virtualization Sales Engineer – Rockies] for assembling this list of recent Citrix security bulletins into a single table.
 
 

After Performing a DSMAINT /RECREATELHC the IMAService Does Not Start

Problem:

After running DSMAINT /RECREATELHC on a XenApp server, the IMAService does not restart. Error messages in the log indicate the following:

EventID 3609 IMAService

Failed to load plugin MfSrvSs.dll with error IMA_RESULT_REGISTRY_ERROR

EventID 3601 IMAService

Failed to load initial plugins with error IMA_RESULT_REGISTRY_ERROR

EventID 7024 Service Control Manager

The Independent Management Architecture service terminated with service-specific error 2147483690 (0x8000002A).

Solution:

Make the following change to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired

Value=0

The IMAService should now start normally.

Reference:

https://support.citrix.com/article/CTX759510

 

 

How To Increase Space on an iSCSI XenServer LUN

When you increase the size of an iSCSI SR, XenServer does not reflect the change by default. To resolve this, follow the procedure outlined here. I am including one minor change to the original article CTX126473 (the addition of your host-uuid in step 3):

 

Note: This procedure does not cover any activities that must be performed on the storage array itself. Consult the storage array documentation for information on modifying the size of a LUN. Also, the LUN size modifications must be completed prior to performing the instructions below. Note also that this example applies to a XenServer iSCSI Storage Repository only.

Note: UUIDs for Master XenServer and target SR can also be found within XenCenter – command line for this is not necessarily required to obtain these.

Steps:

1. Identify the SR Universally Unique Identifier (UUID):

# xe sr-list type=lvmoiscsi name-label=<Name of your SR> --minimal

2. Identify the device this SR is using:

# pvs | grep <UUID from step 1>

3. Identify the iSCSI target name to rescan:

# xe pbd-param-get uuid=$(xe pbd-list sr-uuid={UUID from step 1} --minimal host-uuid={master UUID}) param-name=device-config param-key=targetIQN

4. Extract the content of the image

# iscsiadm -m node --targetname <targetIQN from step 3> -R

5. Update the Physical Volume size:

# pvresize /dev/<device from step 2>

6. Update the SR size:

# xe sr-scan uuid=<UUID from step 1>
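The six steps above chained into one function that stops if any lookup is empty or ambiguous; this is an added example, not part of CTX126473 or the original post. The function name `grow_iscsi_sr` is hypothetical, and the sketch assumes one physical volume per SR and uses the standard LVM options `--noheadings -o pv_name,vg_name` in place of `pvs | grep`.

```shell
#!/bin/sh
# Added example (hypothetical helper): run on the pool master after the LUN has
# been grown on the array. $1 = SR name-label, $2 = host UUID of the pool master.
grow_iscsi_sr() {
    local sr_name host_uuid sr_uuid dev pbd iqn
    sr_name="$1"; host_uuid="$2"

    # Step 1: resolve the SR UUID; stop unless exactly one SR matches the label.
    sr_uuid=$(xe sr-list type=lvmoiscsi name-label="$sr_name" --minimal) || return 1
    case "$sr_uuid" in
        '')  echo "no lvmoiscsi SR named '$sr_name'" >&2; return 1 ;;
        *,*) echo "name-label '$sr_name' matches several SRs: $sr_uuid" >&2; return 1 ;;
    esac

    # Step 2: find the physical volume whose volume group name contains the SR UUID.
    dev=$(pvs --noheadings -o pv_name,vg_name |
          awk -v u="$sr_uuid" 'index($2, u) { print $1 }') || return 1
    set -- $dev
    if [ "$#" -ne 1 ]; then
        echo "expected one physical volume for SR $sr_uuid, found $#" >&2; return 1
    fi

    # Step 3: read the target IQN from the master's PBD for this SR.
    pbd=$(xe pbd-list sr-uuid="$sr_uuid" host-uuid="$host_uuid" --minimal) || return 1
    case "$pbd" in
        ''|*,*) echo "expected one PBD for SR $sr_uuid on host $host_uuid" >&2; return 1 ;;
    esac
    iqn=$(xe pbd-param-get uuid="$pbd" param-name=device-config param-key=targetIQN) || return 1
    [ -n "$iqn" ] || { echo "PBD $pbd has no targetIQN" >&2; return 1; }

    # Steps 4-6: rescan the target, grow the PV, then have XenServer re-read the SR.
    iscsiadm -m node --targetname "$iqn" -R >/dev/null || return 1
    pvresize "$dev" >/dev/null || return 1
    xe sr-scan uuid="$sr_uuid" || return 1
    echo "$sr_uuid $dev $iqn"
}

# Run only when invoked as: script '<SR name-label>' '<master host UUID>'
if [ "$#" -eq 2 ]; then grow_iscsi_sr "$1" "$2"; fi
```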

 

Reference:

https://support.citrix.com/article/CTX126473

https://forums.citrix.com/thread.jspa?threadID=283888&tstart=0

 

 

Attempt to Boot PVS Target with BDM ISO Results in “No ARP Reply”

I recently ran into a problem booting a provisioned XenApp target using Provisioning Services 6.1. The target was set to boot a maintenance version of a known good vDisk. The resulting error was “No ARP Reply”.


This target was using a BDM .iso boot configuration, running under XenServer 6.02, and we were using Provisioning Server 6.1 with all latest available hotfixes.

If this same target was set to boot a Production/Testing version of the image, it would boot fine. At first it seemed the obvious problem was that there was a problem with the associated .avhd, but this exact problem was able to be replicated using another target device, and another .vhd image altogether.

It appears this may be a bug in the Provisioning Server 6.x product, but this problem can be worked around by adding the following registry entry on all your Provisioning Servers:

HKLM\Software\Citrix\ProvisioningServices\SkipBootMenu [DWORD]

Value  Behavior

  • 0  Not Defined, normal behavior (default)
  • 1  Don’t send a boot menu to the device. Automatically pick the first item that would have been on the menu and act as if it were the only version assigned, ignoring the device type.

This will eliminate the boot menu altogether, so it may only be a usable workaround if this menu is not required in your environment.

Citrix also states that another client worked around this by using PXE instead of BDM.

 

 

EdgeSight Error "Citrix System Monitoring Agent has detected that the database is potentially corrupt. Database maintenance and restart will be attempted."

Problem:

You see the above error in the Event Viewer logs on the Citrix Server or XenDesktop PC.

Potential Solution:

This error means that for some reason, the database cannot be read, synchronized, or written to.  Quite often this is referring to the inability to write data to the local files located in:

C:\Documents and Settings\All Users\Application Data\Citrix\System Monitoring\Data

1)  Ensure that your Anti Virus real-time protection has proper EdgeSight exclusions, including all files in the above directory, and services that run within:

C:\Program Files\Citrix\System Monitoring\Agent

See:  https://support.citrix.com/article/ctx111062

2)  In the event of an architecture using XenDesktop and the EdgeSight VDA agents, this error may also be caused by similar exclusions not being made, or working properly, on the EdgeSight Firebird (Agent) server.

3)  Also check the EdgeSight server exclusions.

See:  https://support.citrix.com/article/CTX114906

4)  Check for other potential problems, such as communication between your EdgeSight agents and servers, and ensure there are no network problems.

 

 

Reconciling XenServer VM with Exact Disk File in XenServer

Scenario:

You are deleting XenServer VMs and notice that the attached disk name is the same for various VMs. You want to ensure that you are deleting only that VM's disk and that this disk is not being used by other VMs.

How can you verify the exact disk file connected to a certain VM?

 

Explanation:

If you want to double-check this link, you can do a "xe vm-list" and using the UUID of the VM in question, run the following command:

xe vbd-list vm-uuid=<uuid of vm>

This will show you all VDIs associated with that VM, as well as their name labels.

If you change the name-label (can be done via XenCenter, for instance) you can then also see which is associated with which particular VM by its label as an added check.
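The same check done by UUID rather than by name label, as an added example that is not part of the original post: for each disk of the VM it asks xe which VMs have that VDI attached and reports any VM other than the one being deleted. The function name `vm_disk_report` is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper): for every disk VBD of a VM, report whether
# the underlying VDI is attached to any other VM. Output, one line per VDI:
#   "<vdi-uuid> exclusive"   or   "<vdi-uuid> shared <other-vm-uuid>[,...]"
vm_disk_report() {
    local vm_uuid vdis vdi others old_ifs
    vm_uuid="$1"

    # All VDIs behind this VM's disk VBDs, as one comma-separated line.
    vdis=$(xe vbd-list vm-uuid="$vm_uuid" type=Disk params=vdi-uuid --minimal) || return 1

    # Split on commas only, so a value containing spaces stays in one piece.
    old_ifs=$IFS; IFS=','
    set -- $vdis
    IFS=$old_ifs

    for vdi in "$@"; do
        # A VBD without a disk reports "<not in database>" instead of a UUID.
        case "$vdi" in ''|'<'*) continue ;; esac

        # Every VM that has this VDI attached, minus the VM being checked.
        others=$(xe vbd-list vdi-uuid="$vdi" params=vm-uuid --minimal |
                 tr ',' '\n' | grep -v -x -F "$vm_uuid" | sort -u | paste -s -d, -)

        if [ -n "$others" ]; then
            echo "$vdi shared $others"
        else
            echo "$vdi exclusive"
        fi
    done
}

# Run only when invoked as: script '<uuid of vm>'
if [ "$#" -eq 1 ]; then vm_disk_report "$1"; fi
```

Only VDIs reported as exclusive belong solely to the VM being deleted.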

 

 

How to Save Access Management Console Settings

 

Problem:

You have installed the Access Management Console (AMC) on a Citrix server, or a management PC, and wish to save the settings.   By default, you have to reconfigure it each time it's run.

Solution:

To improve efficiency and minimize per-user configuration, you can modify this behavior. The following steps outline the process required to deliver a preconfigured and discovered console to support personnel such as help desk analysts.

1. On a XenApp server, run mmc.exe (for 64-bit, use mmc /32 so you bring up the 32-bit version of the MMC). Under the File menu, select Add/Remove Snap-in.

2. Within the Add/Remove Snap-in dialog, click Add. Select Citrix Access Management Console and then click Add, Close, and OK.

3. Within the Microsoft Management Console (MMC) tree, expand the Citrix Access Management Console node. The discovery wizard should launch, however if it does not, right-click on the node and select Configure and run discovery.

4. Complete the discovery wizard as applicable, but specify LOCALHOST as the Citrix XenApp Server to discover, if you intend to manage a XenApp farm.

5. Once the discovery wizard has completed, under the File menu within the MMC, select Options. In the Options dialog, under the Console mode dropdown, select User mode – limited access, single window. Leave the rest of the options unchanged and click OK.

6. Save the modified MMC window using the Save As option in the File menu. You can choose any name and location. For example, custom_amc.msc.

7. To deliver your custom Access Management Console to your administrators, copy the MSC file saved in step 6 to your desired XenApp server. Publish the console using the publish application wizard. The command line path should be as follows:

<WINDIR>\System32\mmc.exe "<path>\custom_amc.msc"

Where <path> is the location to which you copied the custom_amc.msc file.

More Information:

CTX114692 – The Access Management Console Discovery Process Runs Each Time the Access Management Console Opens
CTX115866 – How to Customize the Access Management Console

 

 

Useful XenApp 6 Hotfix & Patch Resources

 

There are a lot of followup hotfixes and patches for XenApp 6.0.   If you are unable to upgrade to XenApp 6.5, here are some very useful links for XenApp 6.0.

These links include necessary hotfixes, patches, and update scripts.

 

Various Sources Regarding Maintenance @ Citrix Links
https://www.citrix-links.com/xenapp/xenapp-6/xenapp-6-maintenance/

Great Resources from Thomas Koetzing, including an automatic XenApp Update Script
https://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=287&Itemid=299

Recommended Citrix and Microsoft Hotfixes for XenApp 6 and Windows Server 2008 R2
https://support.citrix.com/article/CTX129229

 

 

Citrix System Monitoring Agent Service is stuck "Stopping" or Failing to Run

 

Problem:

You notice problems with the EdgeSight agent and/or database reporting, such as:

1)  real time data is not available from the endpoint/agents

2)  the 'citrix system monitoring agent' service is not running, or stuck in a 'stopping' mode

3)  you see the error message in the event log reporting "The Citrix System Monitoring Agent has detected that the database is potentially corrupt. Database maintenance and restart will be attempted."

 

Potential Solution:

1)  Ensure that your anti-virus solution settings are properly set.   This problem can occur when AV is scanning the local EdgeSight .exe's, log files, or on the EdgeSight servers.

2)  The following Citrix articles may help:

 

Recommended AV Settings for EdgeSight:

https://support.citrix.com/article/CTX111062

https://support.citrix.com/article/CTX114906

 

Additional information:

https://support.citrix.com/article/CTX112971

 

 

XenApp IMAService Failed: "Error while connecting to database….login failed"

 

Problem:

IMAService fails to start with the following error:

Citrix XenApp failed to connect to the Data Store. ODBC error while connecting to the database: 37000 -> [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot open database "MF20" requested by the login. The login failed.

Solution:

Check whether the credentials (username/password) of the account used to connect to the SQL database have recently changed. This may be a username/password issue.

To input new credentials on server, execute the following command:

DSMAINT CONFIG /USER:<domain>\<username> /pwd:<password>

After executing this command, restart the IMA service on the XenApp server, and re-check services.