• Heartbleed – OpenSSL Vulnerability in a Citrix Environment

    There is a lot of news and chatter going on right now about the OpenSSL vulnerability Heartbleed. This is a critical issue, as documented here. So what is Heartbleed, and what makes it so dangerous?

    The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
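Two defender-side checks that follow from the description above, written as an added example (not code from the original post, from OpenSSL or from Citrix). The first flags `openssl version` strings that fall in the affected range (1.0.1 up to but not including 1.0.1g, as the CVE text states); the second applies the bounds check that the fix introduced, treating a heartbeat message whose declared payload length does not fit inside the received record as something to discard rather than answer. The version lines and the two heartbeat records are constructed samples, and the message layout (type, 2-byte payload length, payload, at least 16 bytes of padding) is taken from RFC 6520.

```python
"""Two defender-side checks for the Heartbleed issue.

Added example, not code from the original post or from OpenSSL/Citrix.
Assumes the affected range is OpenSSL 1.0.1 up to and excluding 1.0.1g and
the RFC 6520 heartbeat layout: type (1 byte) | payload_length (2 bytes) |
payload | padding (at least 16 bytes).
"""
import re

# Constructed sample lines in the shape of `openssl version` output.
SAMPLE_VERSION_OUTPUTS = [
    "OpenSSL 1.0.1e 11 Feb 2013",   # in the affected range
    "OpenSSL 1.0.1g 7 Apr 2014",    # first fixed release
    "OpenSSL 1.0.0l 6 Jan 2014",    # older branch, outside the affected range
    "OpenSSL 0.9.8y 5 Feb 2013",    # older branch, outside the affected range
]

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string found in: %r" % text)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_vulnerable_openssl_version(text):
    """True when the version is 1.0.1 through 1.0.1f (1.0.1 before 1.0.1g).

    Caveat: distributions often backport the fix without changing the
    upstream version letter, so a hit here means "confirm against the
    vendor's advisory", not proof of exposure.
    """
    major, minor, patch, letter = parse_openssl_version(text)
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Patch letters sort alphabetically; an empty letter is the base 1.0.1 release.
    return letter < "g"


HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def validate_heartbeat_record(record):
    """Apply the bounds check the Heartbleed fix introduced.

    The declared payload_length, plus the 3-byte header and the minimum
    padding, must fit inside the bytes actually received; otherwise the
    record is discarded instead of being answered from process memory.
    Returns (accepted, reason).
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return False, "record shorter than header plus minimum padding"
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, "unknown heartbeat message type %d" % hb_type
    payload_length = int.from_bytes(record[1:3], "big")
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return False, "declared payload length %d exceeds received record" % payload_length
    return True, "ok"


# Constructed records: the first is consistent (length field 4, payload "ping",
# 16 bytes of padding); the second carries a length field of 0x4000 for the
# same 4-byte payload, which the check above must reject.
WELL_FORMED_RECORD = b"\x01" + (4).to_bytes(2, "big") + b"ping" + b"\x00" * MIN_PADDING
MALFORMED_RECORD = b"\x01" + (0x4000).to_bytes(2, "big") + b"ping" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    for line in SAMPLE_VERSION_OUTPUTS:
        print("%-30s vulnerable=%s" % (line, is_vulnerable_openssl_version(line)))
    print(validate_heartbeat_record(WELL_FORMED_RECORD))
    print(validate_heartbeat_record(MALFORMED_RECORD))
```

The version check is only a first pass over an inventory; the vendor advisories the post links are what decide whether a given appliance build (vCenter, NetScaler and so on) is actually exposed, because patched builds can still report an old upstream version string.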

    This is a very wide-reaching issue and is considered critical. Patching OpenSSL or the affected products alone will not be enough to resolve it. Your certificates will have to be regenerated or rekeyed, and depending on how your products interact this may require additional work for products that connect to each other. For example, XenDesktop connecting to a vSphere instance imports the vCenter certificate for trust, so if you update the vSphere certificate you also need to import the new vCenter certificate into XenDesktop.

    Citrix has released a Security Advisory detailing the products affected by Heartbleed. Other vendors, such as VMware, EMC and Cisco, are also publishing articles detailing their affected products. Per the Security Advisory released by Citrix, most of the products in the Citrix portfolio are unaffected, but check the advisory to confirm, as they are still researching some of their products.

    Many Citrix environments run on VMware vSphere, and some versions, such as vSphere 5.5, are affected by Heartbleed. XenDesktop (any version) as well as XenApp 7.x and higher depend on the certificate that vCenter uses. If you resolve the issue and regenerate the certificate for your vCenter, you will need to import the certificate into XenDesktop again, following the same instructions that were completed during the initial setup.

    My general advice is to find and document the items in your environment that are affected, map out any dependencies, and create an attack plan to resolve them, as this is a major compromise of your security. If you aren’t sure what those may be, reach out to your partners, who may have detailed information on what to look for.


  • Consultative Approach for IT

    In April of last year I blogged about the transition from engineering on the customer side of IT to consulting in my vMotion to Consulting blog post. I still consider myself an engineer at heart with a focus on technology, and consulting is something that I do.

    When a meeting begins, it may be instinctive for a consultant to dive right into the data or technology. While this approach may seem logical, it may not be the right choice, for many reasons. I am going to share with you a Consultative Approach that may help you build better relationships with your customers and help determine the right solution for a problem, but it may require changing your approach and maybe even how you think.

    It’s also important to remember that, while you may be an expert in your field, that may only be a small piece of what you are there to do: there are people involved and processes the customer has in place, so there has to be a balance. We deliver technology but also balance the people and process side of the equation; if any one of these is out of balance we may not actually be helping the customer.

    It is also important to consider that the confident tone of an expert may come across as overbearing or even intimidating to the client. The engineer who doesn’t take a Consultative Approach risks the client leaving the meeting feeling frustrated or, worse, discontented with the person who is supposed to be his or her trusted advisor.

    There are three critical dimensions to working consultatively:

    1. Knowing how to work effectively with all types of people.
    2. Using a strategic and collaborative process.
    3. Applying your expertise in ways that show your value and your company’s value.

    This is why a Consultative Approach is so important.

    Taking this Consultative Approach is often the better way to solve the actual problem and to help build a trusted relationship with your client. As a consultant, your advice and expertise are what you’re typically delivering.

    Let’s go back to the definition of consultant that I established in my vMotion to Consulting blog post.

    A consultant (from Latin: consultare, “to discuss”) is a professional who provides professional or expert advice[1] in a particular area such as security (electronic or physical), management, accountancy, law (tax law, in particular), human resources, marketing (and public relations), finance, engineering, or any of many other specialized fields.

    I think the key piece of that definition is “a professional who provides professional or expert advice”. This requires the customer to trust your advice and expertise (sensing a theme?). Establishing that trust in the relationship is very important, and it is established through discussion and interaction, not by reviewing data. Many engineers want to go right to the data, but many times that won’t tell you the real problem or lead you to the right solution.


    Below is a list of things that I think go into the Consultative Approach and help drive the mindset of a consultant. I will break each of these down in more detail further down in the post.

    1. Do your homework first. Do some research before your meeting or project; this will help prepare you and may drive some of the questions you ask. Even if you know the industry or sector, do the due diligence and research on the client to reaffirm your understanding of the client’s history, customers, goals and competition.

    2. Listen before you talk. This is probably the most critical piece of advice I can give you. Each client is unique and circumstances change, so take care not to assume that you know a particular client’s challenges or motivations. Spend a few minutes at the beginning of a meeting or project asking questions about their business and actively listening to what the client says. Take notes and let the client know you’ll be taking notes, which indicates you care about what he or she is saying. The notes will also serve as a reminder for items that require you to follow up after the meeting.

    3. Learn about your clients’ vision of the future. Ask clients where they expect to be in one, five, or maybe even ten years. At the rate technology changes, it more than likely will be different; however, if the customer says they want to be into cloud and automation in the near term, why would we implement a large, complicated on-premises solution? This information will allow you to provide relevant advice that will help the client realize their vision.

    4. Provide anecdotes and examples. The client needs to understand the basics of what you may do for them and how it relates to their business, but if they aren’t the engineer or specialist, that may not be their favorite subject to talk about. Take care not to inundate them with obscure acronyms or details surrounding the technology. Always try to relate your message specifically to your clients through conversation and with a storytelling approach. Describe similar situations and offer examples of how others handled those situations successfully.

    5. Save your clients time and effort. Like you, your clients are busy. Focus on solutions and recommendations for your clients that will save them time and money. Offering advice on ways they might lower expenses or increase ROI if possible will go a long way in building a relationship and increasing trust.

    6. Use technology. I am a technologist at heart, so this one is near and dear to me. Again, like you, your clients are busy, so help them increase productivity by using technology and tools to run their business or manage simple tasks, perhaps through automation such as scripting with PowerShell or health check scripts such as the VMware vCheck. This could be any tool, maybe even mobile applications. If it’s a free tool or something you can share with your clients, share it. While many of these tools and technologies may be known to most in your circle, that does not mean your client knows about or uses them.

    7. Build a team approach. If possible, offer your clients an alternative contact if you’re not available and there’s an urgent matter that needs to be addressed. Don’t be a one-man show, unless you really are; and if you are a one-man show, be honest and realistic with the client about expectations for turnaround. The practice of building a team approach will help improve customer service, increase timeliness of response to urgent client requests, and give clients a sense of continuity.

    8. Find out how clients prefer to be contacted. While some clients may like e-mail, others prefer a telephone call instead. Don’t make assumptions; rather, ask your clients how they prefer to be contacted. Make note of their preferences in their file and do as they prefer. If you prefer one over the other, ask for their approval to be contacted by phone or e-mail, whichever you prefer. 

    9. Follow up. After a client meeting, make it a practice to follow up with clients to thank them for their time. This relationship-building exercise is also an opportunity to share any additional information that was indicated as a follow-up item during the meeting. 

    Taking a Consultative Approach focuses on asking questions, actively listening, and providing advice based on clients’ specific needs, rather than focusing solely on the services you offer. Adopting this approach may require an engineer to change how client meetings are managed, but ultimately, the payoff will result in strengthened client relationships.


  • vExpert for 2014 – Three Years Running

    Today VMware announced the vExperts for 2014 on the VMTN blog. I was proud, honored and humbled to be awarded this for the third year running, and even prouder to see so many of my fellow Varrowites awarded this distinction. Varrow now has ten vExperts for 2014, as Jason Nash, our CTO and Chief Evangelist at Varrow, announced on his blog today. Definitely check out Jason’s post to see who all of the Varrow vExperts are this year. But I thought I would take a minute to talk about the vExpert program and the community in general.

    So what is a vExpert? It may not be what you think.

    From the vExpert Community Site:

    The annual VMware vExpert title is given to individuals who have significantly contributed to the community of VMware users over the past year. The title is awarded to individuals (not employers) for their commitment to sharing their knowledge and passion for VMware technology above and beyond their job requirements.

    The vExpert award is not about technical expertise, though many of the awardees are technical in nature. There are many great technical minds who are not members of the vExpert program. There is a wide mixture of folks in the community who share their knowledge in various ways, and I think this is part of the strength of the community: it allows each person to contribute and raise the level of the community at large with it. There are even multiple paths to achieving your vExpert award when you apply (Evangelist Path, Customer Path and Partner Path), so you can choose which best suits your type of activity or contributions to the community. Awards are reviewed each year, so awardees for 2014 were reviewed against their contributions for 2013 across various platforms, depending on which path you chose to follow.

    Most of the major vendors have their own community programs but I think the VMware vExpert program is one of the most successful and well known at this point other than maybe the Microsoft MVP program which has been around forever. Cisco now has the #CiscoChampion for different practices such as Datacenter which I am a member of as well. Citrix has their CTP program, EMC has the EMC Elect program of which Varrow has a high number of members proportionally speaking to company size. Even smaller partners and vendors are creating their own programs modeling programs like the vExpert which I believe to now be setting the standard for community programs.

    So what is Community?

    I think in this case the definition definitely falls in category #2 above “a feeling of fellowship with others, as a result of sharing common attitudes, interests, and goals.” So the VMware vExpert community brings people who have an interest in VMware products sharing that interest creating this fellowship feeling. 

    Being a part of this community for several years, I definitely feel that feeling of fellowship. Some of the people in the community I only know virtually through their blogs and Twitter, and then we meet and it’s like we have always been friends. It’s funny how that works at conferences and events when you meet folks you only know through virtual channels like Twitter. This happened to me several times recently at our own conference, Varrow Madness, which we just put on, where I met quite a few folks in person whom I knew from Twitter. Some of my customers even know me from Twitter and have even requested me personally (thank you) based upon those virtual community interactions.

    Community is important for everyone. Here are some examples, by no means exhaustive, of how each person in the chain may use the community or contribute to it:

    • The User – Self service support on how to fix some client side issues, gain information, how tos
    • The HelpDesk – Solve support issues quickly through blog post fixes
    • The Administrator – Support, Scripts, may blog or speak at events themselves, lead or be a part of user groups
    • The VARs or Partner  – Support, Consuming information, sharing information through social media, speaking at events
    • The Vendor – it magnifies their message, products, knowledge of their products which expands their usage 

    Knowledge is power, and sharing it expands both your knowledge and that of those seeking it. Community is immensely powerful, and the stronger your community, the more likely you are to succeed. Community isn’t just for programs like vExpert; it’s also an important aspect of an employer, in my opinion. Varrow has a strong, vibrant community as part of its culture, and that is one of the aspects that drew me here and will keep me here.

    If you want to be part of a community and I encourage it whether it be where you live, where you work or things you are interested in such as technology platforms like VMware, go for it. They are immensely rewarding in many ways. I know that these multiple communities I am in personally and professionally have been very beneficial and rewarding to me and others I know as well.


  • Ultimate XenDesktop / XenApp 7.5 Landing Page

    Citrix has recently released XenDesktop and XenApp 7.5. This page was created mainly to link content directly related to this latest release. As this post has grown, it will also add some relevant 7.x content that may still apply to the 7.5 release. The purpose of this post is to be an easy reference or jump point to some of the content released officially from Citrix and from the greater Citrix community, including CTPs, bloggers and analysts. Most of the posts linked below will be of a technical nature.

    I will be updating this page regularly, and if you find an article worth adding, please let me know by commenting or messaging me. All comments are welcome.

    Last Update: 04/11/2014

    Recent Changes

    General 

    Installation Posts

      Upgrade Posts

      EdgeSight in XenDesktop / XenApp 7.x

      StoreFront 2.5

        Product Downloads

        Platinum Promotions with XenDesktop / XenApp 7.5 Platinum

        Third Party Integrations 

        Cloud and CSP Links

        Feel free to post new links or suggestions in the comments. This will be an evolving page over the life of the product and I will be linking issues, hotfixes, articles, how tos, videos etc.


      • Wfica32 Application State “Application not running” workaround

        Recently I ran into an issue with a double-hop ICA session from a XenApp server. For those not aware of this, it is a situation where you launch a XenApp session from a local farm and connect to another farm through that XenApp session, hence “double hop”.

        The issue is caused by changes in the Windows 2008 architecture in how launched processes are tracked. In the Citrix management console this shows up as an Application State of “Application not running” with no Application name listed, which prevents XenApp application limits from taking hold.

        This issue is very similar to the Citrix KB article here, which documents a resolution using VBScript to launch Internet Explorer. I tried that resolution and in my case it did not fix the issue. I was launching wfica32.exe to start a remote session using an ICA file. Even when launching wfica32.exe as a published application with no script, I saw the above symptoms.
        I found that if I put a pause in the script and hid it with ctxhide.exe, then as long as the script was running it would show the Application name and the correct Application State, but this caused a different issue: the user would close the double-hop ICA application and the script would stay resident, keeping the session open until it idled out and giving the user the idle timeout warning well after the user had closed the actual session. This simply will not work, so back to the drawing board.

        This message also cannot be turned off as documented here.

        So my resolution was to come up with a way to detect whether the process was running and log off the session based upon that. I tried several methods but wanted to keep it simple (KISS principle), so I stuck with the batch file that I was already using to launch the file anyway and added detection to that script, using tasklist to check whether the process was running.
        It is published with the following application settings in XenApp:

        ctxhide.exe C:\admin\applaunch.cmd ICAfile.ica

        The script (copy all of this text into Notepad and save it as the batch file referenced above, C:\admin\applaunch.cmd):

        @echo off
        REM --- Launch an ICA file, then poll for the wfica32.exe process and log off once it is gone.
        REM --- "sleep" is the Windows Resource Kit tool used by the original script; on Windows 2008
        REM --- and later the built-in equivalent is "timeout /t <seconds> /nobreak > nul".

        sleep 1
        REM --- This launches the ICA file. Publish the app in XenApp and pass the name of the ICA file
        REM --- in C:\admin as the parameter (%1).

        "C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe" c:\admin\%1

        sleep 30

        :loop
        set runningprocess=wfica32.exe
        REM --- The tasklist command below is all one line. tasklist returns 0 even when nothing
        REM --- matches, so "find" supplies the errorlevel: 0 = process found, 1 = not found.
        tasklist /FI "IMAGENAME eq %runningprocess%" /FI "Username eq %username%" | find /I "%runningprocess%" > nul
        IF %ERRORLEVEL% equ 0 echo %errorlevel%
        IF %ERRORLEVEL% equ 1 logoff
        sleep 300
        goto loop

        This script should be pretty easy to edit. tasklist does not set an errorlevel on its own, so I used find to look for the process and generate the errorlevel. The script will stay resident until the wfica32.exe process is closed, and within five minutes of the remote ICA session ending under that user context it will log off that user.


      • SHA2 Certificates and Citrix Receiver Support

        Please be advised of an SSL certificate issue when updating or purchasing new SSL certificates for your Citrix implementations. You will want to ensure that you purchase a SHA1 cert and not a SHA2 cert, which is what vendors are currently selling for certs set to expire in three (3) years or that expire during or after 2017. You will more than likely have to call your vendor and have them reissue a SHA1 cert that expires at the end of 2016, to ensure that you stay functional until Citrix updates the Citrix Receivers to support SHA2 across all products.

        Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates in favor of SHA2. The policy affects CAs that are members of the Windows Root Certificate Program and issue publicly trusted certificates. It will allow CAs to continue to issue SHA1 SSL and code signing certificates until January 1, 2016, and thereafter to issue SHA2 certificates only.

        The following Citrix Receiver versions do not support SHA2 as of 2/25/2014. This mostly affects the mobile Receivers.

        • Linux 13.0
        • iOS 5.8.3
        • Android 3.4.13
        • HTML5 1.2
        • Playbook 1.0
        • Blackberry 2.2 / BlackBerry 1.0 Tech Preview

        The following Citrix Receiver versions do support SHA2 as of 2/25/2014:

        • Windows 4.1 (std)
        • Windows 3.4 (ent)
        • Windows 8/RT (1.4)
        • Windows Phone 8 (1.1)
        • Mac 11.8.2 

        Please see the Citrix Receiver Feature Matrix for an updated list.

        For more information on the deprecation of SHA1, please visit the following link from Microsoft.

        You can view the algorithm of the Certificate by viewing the Certificate and looking at the Details tab.
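The Details-tab check above, scripted so that a batch of exported certificates can be checked at once. This is an added example, not code from the post or from Citrix. It reads only the outer DER layout of an X.509 certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and decodes the AlgorithmIdentifier OID, which is what the Details tab displays as the signature algorithm. The two sample certificates are constructed skeletons with an empty tbsCertificate, not real certificates, and the OID-to-name table covers only the common RSA and ECDSA signature algorithms.

```python
"""Report the signature algorithm of X.509 certificates (PEM or DER).

Added example, not the author's or Citrix's code. Parses only the outer
certificate structure; the sample certificates are constructed skeletons.
"""
import base64
import re

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text):
    """Extract the first PEM certificate block and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def certificate_signature_algorithm(der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _tbs, pos = _read_tlv(cert, 0)    # tbsCertificate, skipped
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown (%s)" % oid)


def is_sha1_signed(der):
    """True when the certificate is signed with a SHA1-based algorithm."""
    return certificate_signature_algorithm(der)[0] in SHA1_OIDS


def _tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _constructed_cert(oid_der):
    tbs = _tlv(0x30, b"")                          # empty tbsCertificate placeholder
    alg = _tlv(0x30, oid_der + _tlv(0x05, b""))    # AlgorithmIdentifier { oid, NULL }
    sig = _tlv(0x03, b"\x00")                      # empty BIT STRING
    return _tlv(0x30, tbs + alg + sig)


# Constructed samples (not real certificates): sha1WithRSA and sha256WithRSA.
SAMPLE_SHA1_CERT = _constructed_cert(bytes.fromhex("06092a864886f70d010105"))
SAMPLE_SHA256_CERT = _constructed_cert(bytes.fromhex("06092a864886f70d01010b"))

if __name__ == "__main__":
    for label, der in (("sha1 sample", SAMPLE_SHA1_CERT), ("sha256 sample", SAMPLE_SHA256_CERT)):
        print(label, certificate_signature_algorithm(der), "SHA1 signed:", is_sha1_signed(der))
```

To use it on a real certificate, export it from the certificate store (Base-64 encoded X.509 gives PEM, DER encoded binary gives DER), read the file, and pass the bytes through `pem_to_der` if needed and then `certificate_signature_algorithm`. Checking the outer signatureAlgorithm is the right field here: the Receiver compatibility list above is about how the certificate was signed, not about the key type inside it.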


      • Varrow Madness 2014 – Better than ever

        Warning: Awesome event coming

        Our annual technical conference, Varrow Madness, is coming for 2014. This is the fourth Varrow Madness, and last year was definitely an experience being behind the scenes and a part of the event. This year promises even more great content and quality speakers, and oh, by the way, I will be there too, but don’t let that stop you from coming.

        This is a free technical event focused on sharing technical knowledge and networking with your peers, centered around March Madness and having a good time. Did I mention that it’s also FREE?

        Register here – Put Jason Nash as your referral… 

        With the speaker and session list this year, I wish I could go as an attendee and just listen in. Some of the distinguished guests and speakers this year will include:

        Our morning Keynote Speaker:

        Shawn Achor: The happy secret to better work (TED talk: http://on.ted.com/i00bF). This is our Keynote Speaker for #VM14, Varrow Madness. #excited

        Other distinguished guests and speakers

        • Chad Sakac
        • Scott Lowe
        • Rick Scherer
        • Mike Zolla
        • Chris Colotti
        • Andre Leibovici 
        • And more... this is just the beginning: there are over 37 sessions to choose from and lots of opportunities to meet industry experts and peers.

        For the full agenda, visit the Varrow Madness website and register today.

        I will be doing an updated version of my Citrix Provisioning session and broadening that to include MCS at a bit deeper level. There will be more coming on this event as we get closer and I hope to see you there.


      • Cannot Upgrade StoreFront 2.0 to 2.1

        Today I was upgrading a StoreFront 2.0 installation to 2.1.0.17 and got the following error message:

        An error occured during installation. Please ensure all the required prerequisites have been installed and run the installer again.

        I checked and all prerequisites were listed.

        The Windows Application event log also logged the following entry:

        Event ID: 0
        Source: Citrix Extensible Meta-Installer

        Timestamp: 2/6/2014 2:32:27 PM
        Category: Error, WinError
        Message: Installation of ‘..\CitrixStoreFront-x64.msi’ failed with error code 1603. Fatal error during installation

        After a little fancy googling, I came up with two things that solved my issue.

        Resolution:

        • Delete C:\ProgramData\Citrix\Storefront Install\2.0.0.90\Framework\Framework.xml
        • Delete any and all thumbs.db files from c:\inetpub\wwwroot\Citrix
          • In my case it was C:\inetpub\wwwroot\Citrix\storeWeb\media


      • VMware Log Insight 1.5 is now Generally Available (GA)

        VMware announced yesterday (Jan 7th) that Log Insight 1.5 is now GA. I blogged about Log Insight a while back here; you should read that for some detailed information. I have been using the product in my lab for some time and believe this could be a powerful product, and vendors and partners are building some great content packs for it.


        VMware vCenter Log Insight delivers automated log management through
        aggregation, analytics and search, enabling operational intelligence and
        enterprise-wide visibility in dynamic hybrid cloud environments.


        VMware Product Page
        VMware vCenter Log Insight Community – Great resource
        VMware Blog on Release

        New Features in 1.5

        • Enterprise Readiness
          • Active Directory Support
          • Query Performance Optimization
          • Query Scheduling
          • Better support for vSphere & vC Ops
        • Analytics
          • Richer Visualizations
          • Scales to 1000s of fields
          • Field Auto-complete Query
          • Columnar Event View
          • Content Pack Framework
        • Platform & Usability Improvements
          • Improved Health Monitoring
          • Auto-sized Virtual Appliance
          • Simple Upgrades

        Content Packs extend your log analytics and monitoring to third-party vendors. There are 12 content packs available as of today, with more on the way.

        Content packs enable users to consume unstructured data from a wide variety of sources while providing insights to more precisely and accurately identify and troubleshoot issues in dynamic virtual and cloud environments.

        Available Content Packs (as of 01/08/2013)

        • VCE Vision Intelligent Operations
        • Netflow Logic
        • NetApp ONTAP
        • HyTrust Appliance
        • Puppet Enterprise
        • VMware Horizon View 
        • EMC VMAX
        • vCOPS
        • ExtraHop Wire Data
        • Cisco UCS 
        • EMC VNX
        • vSphere


      • 2014 Certifications Goals

        Many folks are doing their end-of-year predictions or reviewing the previous year. I haven’t done these in the past; this year I am going to put up a goal for myself and list out the certifications that I would like to obtain next year. It’s a pretty aggressive list, I believe, but achievable. They are listed in no particular order and are pretty heavy on the VMware side. I am looking at going for the VCDX in 2015.

        • VCAP-DCA
        • VCAP-DCD
        • VCAP-DTA
        • VCAP-DTD
        • Citrix Certified Professional – Networking
        • Citrix Certified Professional – Mobility
        • Microsoft Certification – work back toward MCSE

        That’s a pretty big list for a single year. I may only do the Datacenter Virtualization or the Desktop VCAPs... I haven’t decided which route to go there yet, but ultimately it will depend on which VCDX route I wish to achieve first.

        2015 Certification list (tentative)

        • VCDX
        • CCNA
        • MCSE