Monthly Archives: March 2013

Excalibur and Orchestrator Magic

When Citrix released Excalibur they also shipped a whole set of PowerShell modules, and their cmdlets let you change just about anything in the site.
If you are inside the Studio console you can see that there is a PowerShell tab there, which lists all of the cmdlets that Studio has run for you.

So how does this help? Combined with Orchestrator, we can add automation to the equation.
What if we could automate the assignment of applications to users via Orchestrator? We could also add an approval workflow if we used it together with Service Manager.
If a new user wants a set of 20 new desktops for his or her company, we could create a workflow that runs a PowerShell script against MCS and does this automatically.
However, I am not going to get ahead of myself here; this is a starting post to show what we can do with the provided PowerShell modules.

First I am going to show how to import the modules that Citrix provides in this release.
Head over to the Studio server and open PowerShell ISE.
From there you can run the import commands.

There are more modules but these cover most of the administrative tasks.
If you refresh the ISE modules list now, the Citrix components will show up.

If we create a simple “Publish Application” task, we can use New-BrokerApplication to publish Notepad.

New-BrokerApplication -CommandLineExecutable C:\Windows\notepad.exe -DisplayName notepad -ApplicationType HostedOnDesktop

NOTE: A bit of advice if you are unsure how the command should look: create an application with the wizard and then extract its settings with the Get-BrokerApplication cmdlet.
Now we have a working PowerShell command that publishes Notepad in Studio.

So we now know that we have to import the modules first and then run the command to publish Notepad, but how do we do this via Orchestrator?
First, run Set-ExecutionPolicy Unrestricted on the Studio server.

Then save your script.

Now, the simplest way is to use the Run Command activity in Orchestrator.

I saved the script file locally on the Studio server; the script looks like the output from the PowerShell ISE above.
So what happens when I run this runbook?

This just publishes the application in Desktop Studio; it is not assigned to a user yet, which requires a bit more PowerShell that I will come back to later. This is just to show what you can do with Excalibur and PowerShell.
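Below is an added example of what the script that the Run Command activity executes could look like, written for this post and not taken from Citrix or from the original runbook. It assumes the XenDesktop 7 snap-in name Citrix.Broker.Admin.V2 and the -Name/-PublishedName parameter names of New-BrokerApplication; check both against Get-Command on your Studio server.

```powershell
# Added example, not the original post's script. Assumes the Broker snap-in is
# registered under the XenDesktop 7 name (Citrix.Broker.Admin.V2) and that
# New-BrokerApplication takes -Name and -PublishedName (verify with Get-Help).
param(
    [string]$Name       = 'notepad',
    [string]$Executable = 'C:\Windows\notepad.exe'   # path as it exists on the VDA
)

# A runbook should stop and return a non-zero exit code on any failure rather
# than leave the site half-configured. Signing the script (or RemoteSigned)
# is preferable to leaving the policy Unrestricted on the Studio server.
$ErrorActionPreference = 'Stop'

try {
    # Load the Broker snap-in only if this session does not already have it.
    if (-not (Get-PSSnapin -Name Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Citrix.Broker.Admin.V2
    }

    # Idempotent: Orchestrator may re-run a runbook, so check before creating.
    $existing = Get-BrokerApplication -Name $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Output "Application '$Name' already exists (Uid $($existing.Uid)); nothing to do."
        exit 0
    }

    $app = New-BrokerApplication -Name $Name `
                                 -PublishedName $Name `
                                 -CommandLineExecutable $Executable `
                                 -ApplicationType HostedOnDesktop

    # Echo the result so the Run Command activity captures it as output.
    $app | Select-Object Name, PublishedName, CommandLineExecutable, ApplicationType, Enabled
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

The exit code is what the Run Command activity sees, so a failed import or a failed publish shows up as a failed runbook step instead of a silently empty result.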

Excalibur and Configuration Manager

Citrix released a beta build of Excalibur a couple of months ago, which shows the next generation of the XenDesktop and XenApp architecture. (Well, actually just XenDesktop, since the XenApp architecture is disappearing.)
In addition, with this release we have some fancy choices for how to manage the machines within XenDesktop.

Excalibur adds additional WMI classes to all of its desktops.
These are listed here:

This allows you to create collections based on whether a machine is VDI or session-host based, and even on whether it is assigned to a user or not.
To make these attributes available in Configuration Manager we have to add some WMI classes to the hardware inventory.

Go into Client Settings, edit the client policy, go into Hardware Inventory and choose Add Classes. From the list choose Add Hardware Inventory Class. From there you can browse to a remote computer that has the VDA installed, and for the namespace type root\citrix\desktopinformation

Choose “Citrix_VirtualDesktopInfo”
and press OK.

This gives you some more attributes from that WMI class,

which you can then use to create collections based on those values.
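As an added example (mine, not from the post or from Citrix), this script queries the same Citrix_VirtualDesktopInfo class directly on a few VDAs and groups them the way the collections above would, so you can preview the split before inventory has cycled. The VDA names are placeholders, and the property names SessionSupport, IsAssigned, DesktopGroupName and DesktopCatalogName are assumed from that class; confirm them with Get-WmiObject | Get-Member.

```powershell
# Added example, not from the original post. Queries the Citrix WMI class that
# the post adds to hardware inventory and groups VDAs by delivery model and
# assignment. Property names are assumed; the computer names are placeholders.
param(
    [string[]]$ComputerName = @('vda01', 'vda02'),   # placeholder VDA names
    [PSCredential]$Credential                         # optional, for cross-domain VDAs
)

$namespace = 'root\citrix\desktopinformation'
$class     = 'Citrix_VirtualDesktopInfo'

function Get-VdaInfo {
    param([string]$Computer)
    $params = @{ Namespace = $namespace; Class = $class; ComputerName = $Computer; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        Get-WmiObject @params | ForEach-Object {
            [pscustomobject]@{
                Computer       = $Computer
                # Assumed values: 'SingleSession' for VDI, 'MultiSession' for a session host
                SessionSupport = $_.SessionSupport
                IsAssigned     = [bool]$_.IsAssigned
                DesktopGroup   = $_.DesktopGroupName
                Catalog        = $_.DesktopCatalogName
            }
        }
    }
    catch {
        # A machine without the class (not a VDA) or unreachable over WMI is
        # reported rather than silently dropped, so the preview is not misleading.
        Write-Warning "$Computer : $($_.Exception.Message)"
    }
}

$results = $ComputerName | ForEach-Object { Get-VdaInfo -Computer $_ }

# Same grouping you would express as collection membership rules in ConfigMgr.
$results | Group-Object SessionSupport, IsAssigned | ForEach-Object {
    '{0,-28} {1} machine(s): {2}' -f $_.Name, $_.Count, ($_.Group.Computer -join ', ')
}
```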

Since Excalibur does not have any direct integration with, for instance, App-V, you can now create user-based assignments to delivery groups.
So the user has multiple options for application delivery:

either via the Software Portal with Configuration Manager, or via StoreFront with Citrix.

Slow start this year – Certifications

I have been busy the last couple of months, so it has been a bit quiet here. I am putting a big focus on certifications going forward since I want to expand my horizons; the last month I have focused a lot on Windows Server 2012 and Citrix NetScaler.
Right now I have a couple of other certifications planned as well,
and I might be adding some resources and study guides for these eventually.

CCEE – Citrix Certified Enterprise Engineer (this is the second highest rank you can get in Citrix)
CCE NetScaler 10 (this was just released, and since I have the previous one for NetScaler it is the logical choice)
MCSE 70-414 (Server Infrastructure, which is part of the new exams for Windows Server 2012)
MCSE 70-415 (Desktop Infrastructure; this one and 416 are part of the MCSE Desktop Infrastructure track)
MCSE 70-416 (Desktop Infrastructure)
CompTIA Advanced Security Practitioner (I have been reading for this for a while but I haven't manned up to book it yet)
CompTIA Server+ (just because it seems achievable enough)
Cisco CCNP Security (all 4 below are a part of the CCNP Security track)
Cisco CCNP Firewall
Cisco CCNP Secure
And/or probably EXIN Cloud or CompTIA Cloud, since it is clear that IT skills are shifting towards the cloud and we have to be prepared.
So why do I have such a huge list of certifications? First of all, my main job focus is mostly Microsoft and Citrix, so they are a natural choice, but also because there is much-needed knowledge in the gap between Microsoft and Citrix, and with the release of WS2012 and Excalibur new opportunities are opening up for IT people. On top of that I also have the security and network certifications, not because I work a lot with networking, but because I have a curious mind, and having the knowledge needed to troubleshoot or design a larger solution than just the Citrix and Microsoft parts makes me more versatile.

So it might be quiet for a bit longer, but I am trying to fit more information about NetScaler into this blog.

70-413 Study guide

This exam is part of the Server Infrastructure MCSE and is the first of two exams. I have added some resources below for those who wish to study for this exam.
If you wish, you can buy this book as well; it is a complete study guide for the exam.

(I have this book and its okay, it covers the exam objectives and nothing more)

CBTNuggets also has a video series for the certification.

You can also reach out to the study group community on Microsoft

DHCP resources:

AD DS PowerShell & Management:

RADIUS NPS 2012:

Read-Only Domain Controllers:

Active Directory cloning:

WDS 2012:

DNS 2012:

Group Policy:

Configuration Manager and hierarchy planning

With the 2012 release of System Center Configuration Manager, planning and designing a hierarchy became a bit more difficult.
Not because of the limitations, but because of the huge mix of different possibilities you have.
For instance, with the introduction of the CAS role (which sits at the top of the hierarchy and is used to manage many primary sites) you have even more options for how to manage your infrastructure.

In addition, with SP1 you have even more options: for instance, you can now have more than one SUP per primary site (which you could not have before SP1), and the CAS SUP no longer needs to sync directly with Windows Update. So this post is about the factors you need to think of when planning, and how to manage the devices. In addition, for the many who have multiple domains, trusted and untrusted, in different forests, and depending on how you want the traffic to flow, it takes a lot of planning!

This post is meant as a guideline and might not always present the best options; it just shows some possible examples of how you can deploy Configuration Manager 2012 SP1.

Now, first I am going to define what a hierarchy in Configuration Manager looks like.
In the first picture we have a stand-alone site (primary site); in the second picture we have a primary site with two secondary sites.
In the last picture we have the CAS with three primary sites and their secondary sites.


First I am going to specify the limits of each hierarchy role:

CAS: (Does not process client data and does not support client assignment.)
400,000 clients (if you use SQL Enterprise), 50,000 if you use SQL Standard.
25 Child Primary Sites
Asset Intelligence synchronization point (Can only be one in the hierarchy)
Endpoint Protection point (Can only be one in the hierarchy)
Reporting services point
Software update point
System Health Validator point
Windows Intune connector

Primary Site:
250 secondary sites
100,000 clients (50,000 clients if the SQL is installed on the same computer as the site server)
10,000 WES clients
50,000 Mac
Application Catalog web service point
Application Catalog website point
Asset Intelligence synchronization point (not if it’s a child primary site)
Distribution point
Fallback status point
Management point
Endpoint Protection point (not if it’s a child primary site)
Enrollment point
Enrollment proxy point
Out of band service point
Reporting services point
Software update point
State migration point
System Health Validator point
Windows Intune connector (not if it’s a child primary site)

Secondary Site: (Must be linked to a primary site; MP and DP are installed automatically; installs SQL Express if nothing else is available)
5,000 clients.
Distribution point
Management point
Software update point
State migration point

Software Update Point:
25,000 clients (when it is installed on the same server as the site server; 100,000 otherwise)
After SP1: supports multiple SUPs per site

Distribution Point:
4,000 clients
250 DP per Primary Site
250 DP per secondary site
10,000 packages and applications

Management Point:
25,000 clients
10,000 Mac computers
10 MP per primary site

Now there are some roles that cannot be deployed in an untrusted domain:
these are the out of band service point and the Application Catalog web service point.

But always think simplicity, so if possible avoid the CAS role where that seems logical.

(1 domain) (1 location) 1 Primary Site

This depends on how many clients you have in your infrastructure, but with one location and one domain this is the only and easiest way to go. For high-availability purposes you should have two of each site system role and a clustered SQL Server for the site server.

(1 domain) (2 locations) 1 Primary Site, 1 Secondary Site (slow link)
Let's say, for the purpose of this post, that you have one location with most of your infrastructure and one remote site with 200 clients that has a limited connection to the primary site. One secondary site at the remote location would be the best approach; clients there would talk directly to the management point and the distribution point of the secondary site.

(1 domain) (2 locations) 1 Primary Site and 1 Distribution Point (fast link to the remote location)
In this case we also have a remote location, but we have a fast WAN link, so we don't need a secondary site with its own agents, applications and packages. Therefore we place a distribution point at the remote location, and clients communicate with an MP in the central location.

(1 domain) (2 locations) (one small branch office)
I would recommend using BranchCache on a distribution point and on the clients: when the first client requests content from the DP it downloads and caches it for the other clients on the same subnet. This requires a DP with BranchCache enabled.

NOTE: Remember that for an installation in a remote domain to work properly you need to install the management point with an account that has access to the Configuration Manager database. You configure this during the installation of the management point.

(2 domains, untrusted forest) (1 location) 1 Primary Site in the primary domain (1 Management Point, 1 Distribution Point)

Now, we cannot install a primary or secondary site in an untrusted domain; we can only install user-facing site system roles there. So we install a management point and a distribution point in the untrusted domain.
We can also publish the site in AD for the untrusted domain as well.

(2 domains, trusted forest) (1 location)

This depends on the number of clients, but again a distribution point and a management point in the other domain could be a solution. If there are too many clients, you would need to expand the hierarchy with a CAS and a primary site in each forest.

(Multiple domains, untrusted) (Multiple domains)

A primary site, or more depending on how many clients you have. Use a primary site in one domain (preferably the largest one) and deploy a distribution point and a management point in the other domains.

Here I will also link to some example hierarchy scenarios from Microsoft:

Identify requirements to plan for a hierarchy

I would also recommend that you read about Microsoft's own hierarchy for their internal Configuration Manager solution.

Social Engineering – Web phishing

A change of subject for me, but security has always been a huge interest of mine,
so I thought I would write about phishing attacks.
Now, the art of phishing is all about trying to fetch information from people (useful information such as a social security ID, bank card details, or a username and password).

Think of the hacker as the fisherman and the user as the innocent fish just waiting to bite the lure.

Web phishing is not a new phenomenon; it has been with us since the beginning of the nineties, but in later years it has become more and more advanced, and the hackers go to further lengths in order to get information from the user.
Now, I have a friend who was looking to buy some new dresses online, and she happened to come across this website.

She was about to start buying some dresses, but something seemed fishy about the website, and she asked if I could give it a quick look before she continued her shopping spree.

As you can see from the first page on the site, there are multiple focus areas that draw people's attention.
1: “Free Shipping” makes it more appealing to buy these clothes online, since you don't have to think about the shipping fee.
2: “70% sale off”: people love to buy things on sale. Why? People are mostly greedy.

3: Logos from known payment providers (“MasterCard, VISA”) give the user the false hope that the website is secure.
4: Buzzwords like “Secure, Free, Fast, Best”, again to lure the user.

Now, at first glimpse the website looks “good” enough. Many people who think about web fraud imagine a poorly written website with a bad setup, but as I said earlier, the attacks have become more and more complex,
and therefore hackers spend more time on making their websites look authentic.

And when we choose something to add to the cart, we also get a PayPal logo to reassure the user about security.

And when we proceed with the login and sign-up of a new account, the site never switches to HTTPS, so the sign-up and sign-in process is never encrypted, which most web shops do have.

So let's proceed.

I also received an e-mail from a gmail account when I registered with the site.

Interesting that they have actually created a Google Plus account for the user as well; let's find out more.

Looks like they have created a fake profile with a fake picture as well; when I do a Google image search on the same picture I get numerous hits on the same picture used in loads of different online shops.

For instance this one (which has much the same web shop design as the other one).

So let's continue with the order on the previous site.

Next I receive an email that the order is complete, and I am redirected to a VISA website where I am asked to enter my card information.

And if you look at the URL, there is a valid certificate there as well.

What happens if we enter some bogus information?

What, no support for my bogus card?
This is another trick, since it might happen that I try multiple cards because there is supposedly no support for the first one.
In the background there is some clever JavaScript running that collects all of the information you type in.

This one collects a lot of information about your client and OS.
But what happens if I press Cancel on the process?

Wow! I didn't even have to pay for the dress; now that's good business.
Now there are other things we can look at to find out more.

We can also see that the authoritative DNS server for the site is located in China.

If we run an nslookup we can see that it shares an IP with another site. That sounds fishy.

They apparently haven't finished building their websites yet.
And if I run a whois on the domain I get a lot of bogus information.

Apparently it originates from China, with no real information about where it is located.
A quick nmap scan shows the OpenSSH, web server and MySQL ports open (tsk tsk).

Just for information, OpenSSH 4.3 was released in 2006 and can be exploited.
I did a similar scan on the other site and found numerous open ports and older services that could be exploited.

So in the end I think we can conclude that this site is a scam.

Things to look for:

1: Look at the written language of the website (web scams often have poorly written language).
2: When you log in and sign up, look for an encrypted login, and check that you don't receive e-mail from a Gmail / Hotmail / Yahoo etc. account.

The padlock icon in the browser shows that all communication is encrypted.
3: Too many logos from known payment companies on the front page (this is mostly to give the user a fake sense of security).
4: Do a whois on the domain. You can see, for instance, that in my case the domain was created in 2012 and had bogus information. You can do a whois here:
5: It should give you an “approval” e-mail. Most websites have an approval function that sends an e-mail to the address entered on the account info page, which makes sense; this site, however, did not.
6: Google the site! In many cases you can find others who have written on forums about the site after falling into the trap.
7: Use the force. Use some common sense in the matter, and follow the points above before entering ANY sensitive information on a website you have never been to before.

Configuration Manager and Cloud Distribution Point

With Service Pack 1, Configuration Manager allows you to create a distribution point in Windows Azure, either because you lack the hardware needed to meet demand, or because of security limitations that make you want all your clients to download content from the internet rather than from your own infrastructure.

Now, this type of distribution point has its limitations:
* It cannot be used as a PXE point
* It does not allow applications to run directly from the DP
* It does not allow streamed applications (via App-V) to be run from the DP
* It cannot be configured as a pull distribution point

And the benefits:
Content that is sent to the cloud-based distribution point is encrypted by Configuration Manager before it is sent to Windows Azure.
In Windows Azure, you can manually scale the cloud service to meet changing demand for content requests by clients, without having to install and provision additional distribution points.
The cloud-based distribution point supports the download of content by clients that are configured for Windows BranchCache.

So what do we need to get in place before we can create a DP?

* A subscription to Azure
* A management certificate (look at my previous post):
* A service certificate (PKI) that Configuration Manager clients use to connect to cloud-based distribution points
* The client agent settings for Cloud Services configured to allow users / devices to access the cloud DP
* Clients must be able to resolve the name of the cloud service (in this case a CNAME in our DNS namespace)

After you have created the certificate and uploaded it to Azure, you have to install the DP in ConfigMgr.

From there you have to enter the Subscription ID and the management certificate that was uploaded to Azure in my previous post about Azure management.

Here we enter the Service Name (what region the DP should be located in, and which primary site it should be associated with).

And here we also need to upload the Certificate file that we created for our server.
NOTE from TechNet:
The Service FQDN box is automatically populated from the certificate Subject Name and in most cases, you do not have to edit it. The exception is if you are using a wildcard certificate in a testing environment, where the host name is not specified so that multiple computers that have the same DNS suffix can use the certificate. In this scenario, the certificate Subject contains a value similar to CN=* and Configuration Manager displays a message that you must specify the correct FQDN. Click OK to close the message, and then enter a specific name before the DNS suffix to provide a complete FQDN. For example, you might add clouddp1 to specify the complete service FQDN of

Wildcard certificates are supported for testing environments only.

Click Next, then alter the alert setup.

You want to specify a quota so you don't get a sky-high bill from Azure.
After that, click Finish, and you are done.

It might take up to 30 minutes before the DP appears in Azure,
but if you look under the Cloud node in ConfigMgr you can see the status Ready.

After this is done you also need to create a DNS record in your zone so your clients can find the DP. To do so, go into the Azure Portal and find the complete URL for the cloud service.
Then add a CNAME record in your DNS that matches the FQDN in the certificate you created and that points to that cloud service name in Azure.
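As an added example (mine, not from the post or from Microsoft's documentation), the script below checks the two things this post says must line up before clients can use the cloud DP: the service certificate's Subject matches the service FQDN, and a CNAME for that FQDN points at the Azure cloud service. All names and paths are placeholders; it uses Resolve-DnsName from the Windows 8 / Server 2012 DnsClient module, and the Add-DnsServerResourceRecordCName hint it prints needs the DnsServer module on your DNS server.

```powershell
# Added example, not from the original post. Verifies certificate Subject vs
# service FQDN and the CNAME that clients will follow. Names are placeholders.
param(
    [string]$ServiceFqdn  = 'clouddp1.contoso.com',         # FQDN in the certificate Subject (placeholder)
    [string]$CloudService = 'example-clouddp.cloudapp.net',  # cloud service host name from the Azure portal (placeholder)
    [string]$PfxPath      = 'C:\certs\clouddp1.pfx'         # the service certificate you created (placeholder)
)

function Test-CloudDpCertificate {
    param([string]$Path, [string]$Fqdn)
    $cert = Get-PfxCertificate -FilePath $Path        # prompts for the PFX password
    $cn   = ($cert.Subject -split ',')[0].Trim() -replace '^CN=', ''
    if ($cn -eq $Fqdn) { return $true }
    if ($cn.StartsWith('*.') -and $Fqdn.EndsWith($cn.Substring(1))) {
        # Wildcard: the wizard will ask you to type the host part; testing only.
        Write-Warning "Wildcard certificate ($cn): enter '$Fqdn' as the Service FQDN in the wizard."
        return $true
    }
    Write-Warning "Certificate CN '$cn' does not match service FQDN '$Fqdn'."
    return $false
}

function Test-CloudDpCname {
    param([string]$Fqdn, [string]$Target)
    $rec = $null
    try {
        $rec = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction Stop |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch { }
    if (-not $rec) {
        Write-Warning "No CNAME for $Fqdn yet. On the DNS server, create one with:"
        Write-Warning "  Add-DnsServerResourceRecordCName -ZoneName '<zone>' -Name '<host>' -HostNameAlias '$Target'"
        return $false
    }
    if ($rec.NameHost -ne $Target) {
        Write-Warning "CNAME for $Fqdn points to '$($rec.NameHost)', expected '$Target'."
        return $false
    }
    return $true
}

$certOk = Test-CloudDpCertificate -Path $PfxPath -Fqdn $ServiceFqdn
$dnsOk  = Test-CloudDpCname -Fqdn $ServiceFqdn -Target $CloudService
'Certificate matches FQDN: {0}   CNAME in place: {1}' -f $certOk, $dnsOk
```

Run it from a client subnet as well as from the site server, since the CNAME has to resolve wherever the ConfigMgr clients are.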

You can also read more about this neat new function here: