Think IPM

Wednesday, October 23, 2013

Not so new Cool Utility: Update the Default User profile in Windows 7/2008

This one is pretty self-explanatory in its usefulness to VDI folk who leverage profiles to roll out customizations and default settings. Even if you configure a mandatory profile, applying your settings to the Default User Profile is great insurance for any user who might not get the appropriate configuration.

DefProf updates the Default Windows User Profile with the documents and settings from another user profile that you specify. You can use DefProf on Windows 7/8 where the "Copy To" button is grayed out in the "User Profiles" dialog box.

Let’s say you use a ‘setup’ user account to create a user profile that you want everyone logging onto a machine to inherit. When you log on as setup, Windows creates a C:\Users\setup profile folder. To make ‘setup’ the default profile, you just type defprof setup at a command prompt.

Download DefProf:  http://www.forensit.com/support-downloads.html



Friday, October 18, 2013

XenServer to VMware Jingle [to the tune of Fresh Prince of Bel-Air]

I’m currently on a project converting from XenServer hosts over to VMware vSphere and while doing some routine research, ran across this clever (although nerdy) lyric parody on a forum.


Now this is the story all about how
Our life got flipped, turned upside down
And we'd like to take a minute, so just sit right there
And we’ll tell you how all how we moved to VMware.

In Xenserver Enterprise, born and raised
In the server room where we spent most of our days
Chilling out, maxing, relaxing all cool
And all shooting all the servers into the pool
When a couple of updates, they were up to no good
Started making trouble in our neighborhood
We had numerous crashes and the users got scared
So we said "We’re moving all the servers onto VMware"

We asked for advice and it became clear
VMware is the game that we should play here
If anything I could say that this software was rare
But I thought nah, forget it, let’s get on VMware!

We started moving servers about seven or eight
And couple of days later we were almost straight
Looked at our kingdom we were finally there
Sitting all our servers on VMware!

The original posting was on a SpiceWorks forum here a couple months ago:

Feel free to vote it up on Reddit if you liked it. I thought it was really clever stuff and wanted to share. It was also pretty timely for me since I’m in the midst of this project, which probably upped its entertainment value for me a bit more.

-Happy Friday!


Thursday, October 17, 2013

Provisioning Server and Firewalls

By Aaron Silber:

Provisioning Server is here to stay and I think we can all agree that this is a great thing. Recently while installing a new environment I started to run into a few issues which I immediately realized were a firewall issue. The system was configured using Windows 2008, so I immediately went to look at the configuration and like a good consultant was about to turn it off, when the client says to me, we use the Windows Firewall and it must stay on! The nerve, right? I know, I agree!

In any case, I now had to actually look into what needed to be open to make this work, which doesn’t sound too difficult: look up the Citrix doc, get the port numbers, create a rule and I’m done. The problem is that the version of Provisioning Server you are using determines which ports you need to open, as they changed it in 5.6, and I found references to different ports in three different documents from Citrix. In the end, there was no single document that had all of the ports listed.

Here is a nice document from Citrix (http://support.citrix.com/servlet/KbServlet/download/2389-102-648658/CitrixPorts_by_Port_0333.pdf) on ports used by Citrix Technologies, sounds pretty complete, but is definitely missing some, like 6969, which is listed on this page: http://support.citrix.com/article/CTX125744 and is used for the TSB; anyone care to guess what that one is? (no peeking!)

In order to save everyone from what I went through tracking this down, I present to you a script which, when run, will modify the Provisioning Server firewall with all of the ports necessary to make Provisioning Server work. It uses NETSH (a very powerful command indeed) to add the rules and even includes the descriptions pulled from the various Citrix documents.

Enjoy and feel free to comment.


@Echo Off

ECHO This script will modify the Firewall with rules necessary for proper Provisioning Server Communication

netsh advfirewall firewall add rule name="Citrix (DHCP,PXE)" description="The DHCP server will offer an IP address to the target server. The DHCP server also offers other parameters, including: Option 60: PXE Client Address" protocol=UDP profile=domain,private,public dir=in localport=67,68 action=allow

netsh advfirewall firewall add rule name="Citrix (PXE Server)" description="The Target server will make a request to the PXE server for startup information. The PXE server will respond with Option 66: Boot Server Host Name Option 67: Bootfile Name" protocol=UDP profile=domain,private,public dir=in localport=67,4011 action=allow

netsh advfirewall firewall add rule name="Citrix (TFTP Server)" description="The target server will use the information sent back from the DHCP server to obtain the bootfile. Once the target server obtains the bootfile from the TFTP server, it launches the file, which allows the target server to begin the boot process. The bootfile contains information about contacting Provisioning Services." protocol=UDP profile=domain,private,public dir=in localport=69 action=allow

netsh advfirewall firewall add rule name="Citrix (Stream Service)" description="The target server contacts Provisioning Services requesting a vDisk." protocol=UDP profile=domain,private,public dir=in localport=6910-6930 action=allow

netsh advfirewall firewall add rule name="Citrix (License Server)" description="When the target server is online, Provisioning Services contacts the License Server to obtain a connection license." protocol=TCP profile=domain,private,public dir=in localport=27000 action=allow

netsh advfirewall firewall add rule name="Citrix (Console Communication)" description="This port allows the provisioning Server to connect to the PVS Farm." protocol=TCP profile=domain,private,public dir=in localport=54321-54322 action=allow

netsh advfirewall firewall add rule name="Citrix (Provisioning Server Farm Communication)" description="This port allows the operating system to be streamed to the targets." protocol=UDP profile=domain,private,public dir=in localport=6890-6909 action=allow

netsh advfirewall firewall add rule name="Citrix (TSB)" description="This Port is used in the boot-up process" protocol=UDP profile=domain,private,public dir=in localport=6969 action=allow

netsh advfirewall firewall add rule name="Citrix (Write Cache Communication)" description="This is for communications between the target and the write cache" protocol=UDP profile=domain,private,public dir=in localport=10802-10803 action=allow
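
A tighter variant for the ports the rule descriptions above tie to target boot and streaming (TFTP, Stream Service, TSB), as an added example that is not part of the original script: each rule is limited to one firewall profile and to the subnet the target devices boot from, instead of all three profiles and any source address. TARGET_NET and RULE_PROFILE are assumed placeholder values, and the :scoped helper is hypothetical.

```batch
@echo off
rem Added example, not the original author's script. Run from an elevated prompt.
setlocal

rem Assumed placeholder: the subnet your target devices boot from.
set "TARGET_NET=10.10.20.0/24"
rem Assumed: the profile the streaming NIC is in. Confirm it first with
rem   netsh advfirewall show currentprofile
set "RULE_PROFILE=domain"

rem Ports the rule descriptions above tie to target boot and streaming.
call :scoped "Citrix (TFTP Server)" UDP 69
call :scoped "Citrix (Stream Service)" UDP 6910-6930
call :scoped "Citrix (TSB)" UDP 6969

rem DHCP/PXE is narrowed by profile only: a DHCP DISCOVER is broadcast from
rem source address 0.0.0.0, so a remoteip filter would drop it.
netsh advfirewall firewall delete rule name="Citrix (DHCP,PXE)" >nul 2>&1
netsh advfirewall firewall add rule name="Citrix (DHCP,PXE)" protocol=UDP profile=%RULE_PROFILE% dir=in localport=67,68 action=allow

rem Review one resulting rule, including its RemoteIP and Profiles fields.
netsh advfirewall firewall show rule name="Citrix (Stream Service)" verbose

endlocal
goto :eof

:scoped
rem %~1 = rule name, %2 = protocol, %3 = local port or port range
rem Delete any same-named rule first (including the wider one created by the
rem script above) so the broad and the narrow rule do not coexist.
netsh advfirewall firewall delete rule name="%~1" >nul 2>&1
netsh advfirewall firewall add rule name="%~1" protocol=%2 profile=%RULE_PROFILE% dir=in localport=%3 remoteip=%TARGET_NET% action=allow
if errorlevel 1 echo Failed to add rule "%~1"
goto :eof
```

The remaining rules from the script can be scoped the same way once you know which hosts actually connect on those ports in your farm.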


Monday, October 14, 2013

Upgrading to VMware Tools 5.1 can cause log spew

It’s not every day you get a KB article with LOG SPEW in its title …

This particular one was spotted by Aaron Silber after upgrading VMware Tools on a XenApp Server and subsequently researching the noted RPC errors. If you look at the event log below, you will notice a warning event every SECOND or so in the Application log. SPEW seems to be a pretty good classification for that type of behavior.

The quick fix is to disable logging on the Virtual Machine, but the better long-term fix is to upgrade your ESXi servers to 5.1 Update 1. I think it is also interesting to note that you can trigger the change for logging by changing the settings for the Virtual Machine and then rebooting the VM (expected), but also by just vMotioning it to another host (unexpected).

You can check out the KB article here: http://kb.vmware.com/kb/2036350?src=vmw_so_vex_ccost_793

Wednesday, October 9, 2013

Citrix SSL Error 61 : Resolving Trust in a Security Certificate

By Sam Jacobs:

The Issue: While able to launch XenDesktop sessions from IE, Chrome and iOS, using Firefox or Safari would cause:

This was a bit tricky, since I had made sure to test out the certificate chain with Digicert’s SSL tester, and all came up fine:

When I’m on the forums, I always tell users to make sure to use BOTH certificate checkers (SSLShopper, as well as DigiCert). So, I decided to follow my own advice, and, voila!


Looks like an intermediate certificate might be missing.
Now, you cannot rely on IIS or the certificate snap-in, as they report everything as A-OK:


However, as you can see above, the server certificate links to an intermediate certificate issued to RapidSSL CA, and looking at the intermediate certificate store, that certificate is nowhere to be found:


So, we simply need to import it there (no password is needed here):







… and now there it is!


Now, after all of this, I expected to get a clean bill of health from both certificate checkers, but SSLShopper still complained about the intermediate cert. Then I realized that you need to rerun the CSG Configuration Utility whenever you change the certificate, or anything in the chain.

After running through the CSG Config Utility, we finally received SSLShopper’s blessing:

