Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Archive for the ‘Citrix’ Category

Bring Your Own Device (BYOD) with Hyper-V and Citrix


During last week’s System Center Universe Asia Pacific, a question was raised during the Ask the Experts portion on how Microsoft can address BYOD while ensuring that corporate security is still maintained. The Experts in the panel were not really able to address the required architecture.

I was formerly connected with Citrix, and right there I immediately thought of Citrix XenDesktop. However being in a Microsoft event I decided to keep my mouth shut and just decided to share the solution by writing about it. So here it is!

Bring Your Own Device (BYOD) Architecture


The solution is to allow the personal devices to connect to VMs. These VMs are connected to the corporate network, while the personal devices are in some sort of protected network which is separate from the corporate network, and is only allowed to use the protocols necessary to allow the client to connect to the VMs.

Since the solution requires VMs, using Hyper-V is the way to go. No discussion here.

For this solution to work, there must be some technology that does VM provisioning. This is where the Citrix XenDesktop product comes in. You can dynamically provision VMs as needed.

The VMs can be shared VMs deployed with the same apps, or app deployment can be performed dynamically as the VM is being provisioned using either Citrix XenApp, or using Configuration Manager.

Just to be sure, some sort of health checking is prudent before the personal devices can be connected to the personal devices network. Also, they have to be enrolled to allow for authentication and encryption.

So does this solution work? Yes it does, and one great experience I had with Citrix is that BYOD and non domain joined devices are the norm!

Running Windows 8 on an iPad Mini with Citrix XenDesktop.



Written by jpaloma

March 8, 2015 at 8:18 PM

Posted in Citrix, Hyper-V, Microsoft

Configuring Citrix AppDNA 6.3 Integration with Microsoft App-V Sequencer 5.0


This video explains how to configure Citrix AppDNA 6.3 to create a Microsoft App-V Sequence using App-V 5 Sequencer.

Written by jpaloma

September 20, 2013 at 1:10 AM

Posted in AppDNA, Citrix


Installing Citrix AppDNA 6.3 Part 2 – Implementing Install Capture


Written by jpaloma

August 9, 2013 at 7:47 AM

Posted in AppDNA, Citrix


Installing Citrix AppDNA 6.3 Part 1 – Installing AppDNA Core Functionality


Written by jpaloma

August 9, 2013 at 7:44 AM

Posted in AppDNA, Citrix


Citrix AppDNA will be in the Microsoft Community Technology Update 2013!


This 27th July 2013, I will share with the Microsoft Singapore technical community how our technology AppDNA 6.3 can help accelerate the migration out of Windows XP, given that XP end of life is slated April 2014.

Details and registration can be found here. See you!

Written by jpaloma

July 24, 2013 at 8:46 AM

Demystifying Citrix AppDNA Forward Path and Task Sequences

One of the more interesting features of Citrix AppDNA application compatibility software is Forward Path. Not only can one customize the logic and really go beyond what AppDNA provides out of the box, but on top of that assign certain actions based on the results.

What makes Forward Path so mysterious to some (aside from the required scripting skills), is that to be able to appreciate its full potential, one must make several components of AppDNA work together harmoniously. Simply put, Forward Path logic is simply a set of conditions based on results of one or more of the AppDNA algorithms, and assigns either a RAG value, or an Outcome value or both.  But Forward Path can be more than just providing a report, because one can assign Task Sequences based on Outcomes, say if the application is OK for App-V, then proceed in making an App-V Sequence, and if the application is OK for Windows 8, then use a third party packager to create a .MSI package for later deployment in your XenDesktop infrastructure. Or if it’s ok for XenApp, then create a .MSI package specific to Windows Server 2008 R2 so that all XenApp servers will use the same .MSI file during installation, ensuring uniformity across all XenApp servers. The possibilities are only limited by your imagination — and scripting skills!

Let’s now strip away all the mystery.

Before we dig into the details, let’s step back for a minute and get a bird’s eye view of the entire picture of Forward Path. The illustration below best provides a high-level idea of Forward Path and the different AppDNA components it works on:

Forward Path in a nutshell


As the illustration shows, there are items that we configure under Forward Path, and there would be items that we configure under Install Capture. This is where a newbie would be lost, especially if we’re not in the habit of RTFM (“Read the fluffy manual,” which most techies are guilty of), until we get lost and search what we did wrong.

Forward Path can be divided into two parts: Forward Path that results in the Report, and Forward Path that proceeds to create packages via Task Sequences. The second part requires knowledge in working with the Install Capture portion of AppDNA. Key things to remember are as follows:

Forward Path Report

  • Forward Path Logic is a set of conditions. Don’t panic, because out of the box, AppDNA includes very useful logic which we can use as is, or make minor modifications to the code.
  • These conditions are based on RAG values of the AppDNA Modules or Custom Reports
  • Forward Path Logic results in a set of Outcomes

So out of the box, we can already produce the Forward Path report similar to the illustration below:

The Forward Path report


But if we want Forward Path to perform tasks in addition to creating the Forward Path Report, we will proceed as follows:

Forward Path Task Sequence  

  • Each Outcome is then assigned a Task Script
  • The Task Scripts call the Virtual Machine and an Execution Profile. The Virtual Machine in this context is a VM configured in AppDNA which refers to an actual VM running in a hypervisor. Setting that up would be another story, maybe a future blog post or video from yours truly.
  • The Execution Profile does the following: calls a third party .MSI packager to create a package, run the Microsoft App-V Sequencer to create an App-V Sequence, or run the XenApp Streaming Profiler to create an application streaming profile, and more depending on one’s scripting skills and what needs to be done.

Forward Path Logic

In its simplicity, the core of the Forward Path logic is a set of conditions generally based on the different testing modules available in AppDNA. Below is a typical Forward Path logic:

Sample forward Path logic flowchart


The example in this illustration indicates that if the App-V RAG is Green or Amber, then assign “App-V Ok” to Outcome, and other values depending on Windows 8 RAG. That simple (there are additional conditions further down the script but for purposes of this discussion, let’s keep it simple)! This portion gets more complicated the more – and deeper – conditions are applied. But to describe it in one line, the Forward Path Logic is simply: assign a specific value to Outcome based on the RAG value(s) of one or more Modules.

Snippet of the Forward Path logic


Task Scripts

Each Outcome value can now be assigned its corresponding Task Script. This Task Script actually calls two things that were created under Install Capture: the Virtual Machine and an associated Execution Profile (what the VM will do once it fires up). In this example, the Task Script fires up a Virtual Machine called App-V Sequencer – Windows 7 and runs the App-V 5.0 Sequencer Execution Profile. The App-V 5.0 Sequencer Execution Profile is built into AppDNA. Meanwhile the App-V Sequencer – Windows 7 VM is a Windows 7 VM that has the Microsoft App-V 5.0 Sequencer installed. If run properly, the result is an App-V 5 sequence of the application.

Task script code snippet


Creating Virtual Machines and Execution Profiles in Install Capture

I created a Windows 7 VM with the App-V 5 Sequencer installed, and then configured this VM as a VM in AppDNA. Note that one needs to be familiar with how to create an Install Capture VM in AppDNA to be able to do this.

Virtual Machine configuration in AppDNA.


Both the Virtual Machine and Execution Profile are created in Install Capture, under Edit menu > Settings. Meanwhile, the App-V 5.0 Sequencer Execution Profile is part of the AppDNA package; we just need to import it. I did not have to edit anything in the App-V 5.0 Sequencer Execution Profile. However, you are free to create your own Execution Profile that, say, launches your organization’s .MSI packager and creates the .MSI package of the application with its corresponding transform files.

Execution Profile configuration in AppDNA


Go try out this very interesting feature and see the power of Citrix AppDNA! Download your FREE copy of Citrix AppDNA from http://www.citrix.com/products/appdna/overview.html. This free version is a fully functional copy of Citrix AppDNA that allows for UNLIMITED application imports, and detailed remediation reports for 5 applications.

Written by jpaloma

July 20, 2013 at 1:14 AM

Top 10 Application Compatibility Issues that still affect Windows XP to Windows 8 Migration

April 8, 2014 marks the end of Windows XP Support. According to Microsoft:

It means you should take action. After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

One of the first things you will do to address your Windows XP to Windows 8 Migration is to test your current applications for compatibility to the planned new Windows client platform. I have compiled a list of the Top 10 Issues that will, and still, affect Windows 8 deployment in your organization. I used Citrix AppDNA 6.3 Application Compatibility Software to gather information based on 35 randomly selected apps that run on Windows XP. Note that I have deliberately omitted the remediation actions for most of these issues, and only included those commonly known and obvious ones.

These issues don’t just affect migration to a new Windows client platform. Companies that are currently on Windows XP and are deploying Citrix XenApp or Citrix XenDesktop will sooner or later encounter these issues, and more. For XenApp 6.5, we need to ensure that the application runs on Windows Server 2008 R2 (which is 64-bit, adding another layer of compatibility issues not addressed in this article), as well as have the ability to run in a remote desktop/TS capacity. For XenDesktop, we need to consider whether the application is able to run on the target Windows platform that will be used, and whether this platform will be 64-bit.

And here they are:

# 10 – .NET 3.5 Framework Dependency

.NET 3.5 Framework is not available in Windows 8 by default. Applications that require it will not install, or if they install successfully, will not function on Windows 8, unless the framework is installed prior to the application or is redistributed with the application installer.

For more information, check out this MSDN article .NET Framework 4.5 is default and .NET 3.5 is optional http://msdn.microsoft.com/en-us/library/windows/desktop/hh848079(v=vs.85).aspx

# 9 – VideoPortInt10

The VideoPortInt10 function performs the equivalent of the MS-DOS INT10 function. Some legacy drivers use this function to communicate with the system BIOS, for example to change the video mode. This is no longer supported in the Windows 8 Device Driver Model (WDDM).

# 8 – Attempting to access protected registry keys

During installation, some applications designed for Windows XP attempt to write to certain registry keys that are already protected in Windows 8. Only installers with the TrustedInstaller status can write to these protected locations, but this is limited to certain Microsoft installers like Windows Update.

Elevating privileges may provide a quick remedy to this issue, but ensure that UAC prompts are suppressed as well.

# 7 – Session 0 Isolation: installing an interactive service

In Windows XP and earlier, Windows services and applications run in the same session as the first user who logs on to Windows XP. This is called Session 0, and services and applications running together in the same session pose a serious security risk, since services run with elevated privileges while user apps run in the user’s security context. These services become targets for malicious code that intends to hijack them to gain their elevated privileges. From Windows Vista onwards, only services are allowed to run in Session 0, and user applications run in subsequent sessions, e.g., Session 1, Session 2, etc.

The problem arises when a supposedly interactive application running as a service (in Session 0) presents a UI to its user. The user will not be able to see the UI because he/she does not have access to Session 0. The application will appear to hang because it waits indefinitely for a user reply that will never come, since the user never saw the prompt.

More information on Session 0 can be found in this MSDN article Session 0 Isolation http://blogs.windows.com/windows/archive/b/developers/archive/2009/10/01/session-0-isolation.aspx
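To find the services this issue applies to before migrating, the following PowerShell sketch lists services whose registry `Type` value carries the `SERVICE_INTERACTIVE_PROCESS` flag (0x100). It is an added example, not part of the original post or of AppDNA; the function names are hypothetical, and the sample `Type` values in the self-check are constructed.

```powershell
# Added example (not from the original post). Read-only audit of service configuration.
$SERVICE_WIN32               = 0x30    # SERVICE_WIN32_OWN_PROCESS (0x10) | SERVICE_WIN32_SHARE_PROCESS (0x20)
$SERVICE_INTERACTIVE_PROCESS = 0x100   # "Allow service to interact with desktop"

function Test-InteractiveServiceType {
    # Hypothetical helper: decodes the Type DWORD of a service registry key.
    param([Parameter(Mandatory = $true)][int]$Type)
    $isWin32Service = ($Type -band $SERVICE_WIN32) -ne 0
    $isInteractive  = ($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0
    return ($isWin32Service -and $isInteractive)
}

function Get-InteractiveService {
    # Hypothetical helper: walks the service database and reports flagged services.
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Skip keys without a Type value (not every subkey is a service).
        if ($null -ne $props -and $null -ne $props.Type -and
            (Test-InteractiveServiceType -Type $props.Type)) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Type      = '0x{0:X}' -f $props.Type
                Account   = $props.ObjectName   # interactive services run as LocalSystem
                ImagePath = $props.ImagePath
            }
        }
    }
}

# Self-check on constructed Type values: only 0x110 and 0x120 are interactive services.
# 0x1 is a kernel driver and 0x10 / 0x20 are ordinary non-interactive services.
foreach ($t in 0x1, 0x10, 0x20, 0x110, 0x120) {
    '{0,-6} interactive={1}' -f ('0x{0:X}' -f $t), (Test-InteractiveServiceType -Type $t)
}

# Audit the local machine.
Get-InteractiveService | Format-Table -AutoSize
```

Any service it reports will draw its UI in Session 0 after the migration, where the logged-on user cannot see it. The `DesktopInteract` property of `Win32_Service` exposes the same flag through CIM.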

# 6 – Unsigned Kernel Mode Drivers

In Windows 8 with the Secure Boot feature enabled, as well as in 64-bit implementations, the kernel is locked down, preventing malware from being introduced via rootkits that attempt to get around Windows OS security requirements. This affects kernel mode drivers, not user mode drivers.

To be able to properly function, kernel mode drivers need to support the Unified Extensible Firmware Interface (UEFI) Secure Boot, which mandates that kernel mode drivers be signed by a trusted certification authority (CA).

More information can be found in this MSDN article http://msdn.microsoft.com/en-us/library/windows/desktop/hh848062(v=vs.85).aspx
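A quick way to inventory the drivers affected by this issue on a reference Windows XP-era build or a test image is to check the Authenticode status of every registered kernel mode driver. The sketch below is an added example, not from the original post or from AppDNA; the function names are hypothetical.

```powershell
# Added example (not from the original post). Read-only inventory of kernel driver signatures.

function Resolve-DriverPath {
    # Hypothetical helper: normalises the path forms found in driver registrations.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim().Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }            # \??\C:\dir\x.sys -> C:\dir\x.sys
    if ($p -match '^\\SystemRoot\\') {
        $p = Join-Path $env:SystemRoot $p.Substring(12)            # \SystemRoot\... -> C:\Windows\...
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p                          # relative: system32\drivers\x.sys
    }
    return $p
}

function Get-UnsignedKernelDriver {
    # Hypothetical helper: reports kernel drivers whose signature is not 'Valid'.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.ServiceType -eq 'Kernel Driver' } |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Name   = $_.Name
                        State  = $_.State
                        Status = [string]$sig.Status               # e.g. NotSigned, HashMismatch
                        Signer = $sig.SignerCertificate.Subject    # empty when unsigned
                        Path   = $path
                    }
                }
            } else {
                # Registered driver with no file on disk: report it rather than hide it.
                [pscustomobject]@{
                    Name = $_.Name; State = $_.State; Status = 'FileNotFound'
                    Signer = $null; Path = $path
                }
            }
        }
}

Get-UnsignedKernelDriver | Sort-Object Status, Name | Format-Table -AutoSize -Wrap
```

Older PowerShell versions inspect only the signature embedded in the file, so catalog-signed in-box drivers can show up as `NotSigned`; treat the output as a list of candidates to verify, not as a final verdict.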

# 5 – Operating System Version prevents installation launch

The installation routine/MSI package will not install because it specifies a launch condition that requires one or more Windows versions which do not include Windows 8. The simple solution to this issue is to apply the Version Lie shim or to modify the installation to remove the OS version checking. Though the remediation is simple, this issue is still a Red because application installation will not continue until remediation is performed.

# 4 – User Account Control: Custom Action in MSI launches known administrative executable

Microsoft Installer (MSI) packages always run in the System context with administrative privileges that allow them to install apps, make changes to registry, etc. However, any custom action that the MSI launches does not inherit those privileges, and will fail during launch.

# 3 – User Account Control: Calling Windows administrative functions without requesting administrative privileges

We really love UAC so much that we have two of them! Calling administrative functions will cause UAC to prompt even though we may already be logged on with administrative credentials. If not logged on with administrative credentials, then UAC will prompt for administrative credentials. Either way UAC will still prompt, and since Windows XP does not have UAC yet, an application written for Windows XP is therefore not designed to handle UAC prompts.

For more information on User Account Control, go to http://msdn.microsoft.com/en-us/library/bb530410.aspx

# 2 – Setting the Color Depth

The Desktop Windows Manager (DWM), previously known as the Desktop Compositing Engine (DCE), is used in desktop composition. In Windows Vista and Windows 7, only themes utilizing AERO Glass use DWM, so only these themes can use experiences that rely on desktop composition, like Windows Flip, thumbnail view, etc. In Windows 8, desktop composition is available for all themes to simplify coding. DWM requires that color depth be set to 32 bits per pixel, and any application calling APIs that attempt to change this will not work as expected.

For more information on the Desktop Windows Manager, check out this MSDN article Desktop Windows Manager is always on http://msdn.microsoft.com/en-us/library/windows/desktop/hh848042(v=vs.85).aspx

# 1 – GINA

Well, she’s still there, and we did choose applications that run on Windows XP didn’t we?  Even though the Graphical Identification and Authentication (GINA) and its corresponding APIs had been deprecated since Windows Vista, organizations that still have a high usage of Windows XP may rely on applications that provide authentication services like Single Sign On, or applications that authenticate from the Windows logon that run on Windows XP. As such they require GINA, and these applications will not run or may behave differently on Windows 8.

Applying a shim, even though it may be available, may not provide the expected outcome since the shim will just ignore any GINA API calls. I mean, authentication is a must for the application to run, right? Ignore authentication, and the application will wait forever until authentication and subsequent authorization is addressed.

Personally, if it’s an SSO or an application that customizes/uses the Windows logon dialog box to authenticate, I don’t bother testing at all. Warning though: don’t mistake GINA (key: it involves the logon UI) with apps that rely on Kerberos or NTLM to authenticate. These may run, but their ultimate outcome depends on whether your Active Directory infrastructure is properly configured, or whether NTLM is still in use should the app require it.

Go try!

Go try out this very interesting feature and see the power of Citrix AppDNA! Download your FREE copy of Citrix AppDNA from http://www.citrix.com/products/appdna/overview.html. This free version is a fully functional copy of Citrix AppDNA that allows for UNLIMITED application imports, and detailed remediation reports for 5 applications.