Think IPM

Thursday, December 25, 2014

Happy Holidays from vCloudInfo!

The holidays are upon us.  The year is almost over.  Another one in the books.

Thank you for your readership, support and encouragement in my personal and professional life this year.

Just a quick note to wish my friends, family, colleagues and clients a happy holiday season and prosperous 2015!


Wednesday, December 17, 2014

PSA: Watch out for CryptoLocker / CryptoWall emails

With the holiday season here, your users will be getting plenty of packages and tracking emails.  They will also be getting more than their share of malware infested scam emails.  Be a good IT Admin and remind them that vendors do not send attachments with tracking information inside for them to click. 

Curious where your package is?  Visit FedEx, UPS or USPS websites directly.  Or better yet, just paste your tracking number right into Google.

We’ve had a few clients recently where some gullible users have clicked through on these attachments and were hit with encrypted files and ransom notes.  Keeping your antivirus and anti-malware DAT files up to date is a great start but a little education and subtle reminders to the user community will provide a good last defense.

Happy Virus Free Holidays! :)


Monday, December 15, 2014

IPM Sponsored - Upcoming VDI Rollout Webinar

A few months back, I helped Phil Alberta (CIO at IPM) with a great onsite VDI workshop called VDI Myths.  It was aimed at the hedge fund crowd, hosted at Goldman Sachs and was well received by the audience.   For me, it was also a lot of fun to participate in.   You can read about the details here.

This time, Phil is teaming up with Jim Kannengieser (Program Manager at IPM) for a webinar titled ‘Make your VDI Project Shine’.  With their varied experience, they will talk about how to get the most out of your VDI investment.  This particular talk will be Citrix focused.

The webinar is Thursday December 18th @ 1pm EST so grab a cup of coffee or sandwich and tune in for 30 minutes.  Be sure to register for the event here and get a handy Outlook appointment so you don’t forget. ;)

After watching, head back here and let us know what you thought about it in the comments below.


Wednesday, December 3, 2014

VMware Site Recovery Manager – DNS Stalls for 20 minutes.

Chris Monfet sent over a handy setting for those of us leveraging VMware’s Site Recovery Manager (SRM) to protect our Active Directory infrastructures.

I was running a bubble test tonight in preparation for the main bubble test this week.  Ran into an issue with the AD/DNS starting up on the VM that is being replicated for this purpose.  DNS wouldn’t start on the server even after a 2nd reboot. 

Found the MS article below and added the RegKey they suggest in the first resolution.  It does work after a reboot and AD/DNS functions normally after that.  Useful if you run into that again.


The most obvious symptom of this is DNS Event ID 4013 in a server’s Event Log.   You would also encounter a 15 – 25 minute delay while bringing up your Domain Controllers (assuming integrated DNS) during your SRM Recovery process.

The Microsoft kb article is a handy one to go through to make sure your Active Directory DC/DNS servers are set up correctly to avoid issues during failover when all DCs will be unreachable at the same time.


Monday, December 1, 2014

Citrix XenDesktop 7.x Internals Cheat Sheet

If your current knowledge of the Citrix XenDesktop processes can be boiled down to the diagram below, check out Bas van Kaam’s Ultimate Citrix XenDesktop 7.x internals cheat sheet!


Bas’ excellent blog post includes a handy write-up and a downloadable PDF guide. Nineteen pages of tech goodness that will help you muscle through any awkward silence at a Citrix Synergy group lunch table.

Thanks to Rajen Das for sending this over!


Wednesday, November 26, 2014

Preventing a hung XD session from breaking Storefront DDC Load balancing

Chris Hahn sent over an incident that happened at a client recently.

Using findings from XenDesktop Scout and the StoreFront event logs, Chris was able to troubleshoot the sporadic recurrence of the “There are no apps or desktops available” error when users were trying to log into the XenDesktop environment.

The data indicates a domino effect being triggered by a user trying to reconnect to a XenDesktop session that is in a hung state, with the following sequence of events:

  • UserA logs in to Storefront server 1 and tries to reconnect to their existing VDA session, but the VDA is hung
  • Desktop Studio shows the VDA session as Active but unregistered
  • The VDA is pingable but not accessible remotely such as when attempting to browse to \\vdamachinename\c$
  • vCenter reports VMTools service is not running on the virtual machine
  • DDC 1 times out trying to prepare the hung VDA for a connection
  • Storefront times out waiting for DDC 1 to respond, removes it from load balancing, and tries the next broker in the load balancing list
  • DDC 2 times out trying to prepare the hung VDA for a connection
  • Storefront times out waiting for DDC 2 to respond, removes it from load balancing, and tries the next broker in the load balancing list
  • DDC 3 times out trying to prepare the hung VDA for a connection
  • Storefront times out waiting for DDC 3 to respond, removes it from load balancing, and tries the next broker in the load balancing list
  • DDC 4 times out trying to prepare the hung VDA for a connection
  • Storefront times out waiting for DDC 4 to respond, removes it from load balancing

At this point, because all brokers for the target XenDesktop farm have been removed from load balancing, Storefront’s next action is determined by the allFailedBypassDuration setting which is set to 5 minutes. When all brokers for a farm are marked as down, Storefront waits 5 minutes before retrying to broker connections. This results in an outage of up to 5 minutes affecting any users attempting to enumerate desktops from the affected farm on the affected Storefront server.

With assistance from the Storefront support team, we are recommending changing allFailedBypassDuration to 0 on all Storefront servers to avoid the artificial outage induced by a single hung virtual machine. As I understand it, 5 minutes is the default setting on Storefront 2.5. On Storefront 2.6 the default is now 0 minutes.

See related eDoc article for additional information on how to Configure server bypass behavior.


Wednesday, October 22, 2014

Hi Again! From Gotham to the Sunshine State.

Wow, it’s been 3 months since my last post.  That’s THE longest timeframe I’ve gone without posting anything in the last 6 years.  Yikes!  Here’s the deal for those curious:

I recently completed a complete relocation from NYC to Central Florida with my family.  Two kids, spouse and cat. :) If you have never uprooted your family and moved them a state or 2 away, [SPOILER ALERT] IT IS A HECK OF A LOT OF WORK.  A ton of planning, a bunch of research, a lot of coordination and more than a fair share of luck.  Timing real estate transactions, school enrollments (which DON’T always sync up when moving south/north due to weather differences) and of course balancing client engagements.

Fortunately, I am employed by an awesome company that worked with me and helped enable this move south for me and my family.  The end result was a smooth physical transition with very little interruption to client projects and responsibilities.  The technology (both home and enterprise infrastructure) that we have available to us now allow for the kind of remote working environments which probably weren’t possible even a few years back.  I have been and am extremely lucky to be working for IPM at a time when these types of transitions are possible.

So why the 3 month lapse in posts?  For me, Blogging is a lot like exercising.   When you are on a roll and in a rhythm, it just works.  You hit the gym, feel great afterwards and know you accomplished something.  But stop for a while and it becomes increasingly hard to get back into that mindset of sitting down, typing and posting.  The longer you sit on the sidelines, the harder it is to get back into the game.  I’m sure this is typical for almost any type of habit driven behavior.

So this post (although not technical in nature) is my way of getting back into the routine of posting and blogging and breaking out of my writing dry spell. 

Thanks for reading!


Wednesday, July 16, 2014

Some VDI Myths and a PDF!

A couple of weeks ago, I had the opportunity to help present at a Goldman Sachs hedge fund event with my CIO, Phil Alberta.  The event brought together about 70 or so CIO/CTOs from various hedge funds that Goldman does business with.  We ran a breakout workshop that spoke about and worked through challenges and some of the decisions involved in a VDI project/deployment.


We ran 3 very interactive sessions and here were some of the takeaways we got from the audience (via a show of hands) that I thought were interesting:

  • Almost ALL of the firms were already running a version of Citrix XenApp.
  • All except a single hand were running VMware vSphere as a hypervisor (The lone hand belonged to a Microsoft Hyper-V implementation).
  • It was about a 60/40 split between Citrix XenDesktop and VMware View implementations.

I was actually surprised to see so many View installs with the level of XenApp penetration already in the crowd.  I’ve normally thought that once in bed with Citrix XA, Netscalers, Web Interface etc… XenDesktop becomes the natural progression for most clients.

As a takeaway for the audience, Phil put together a high level list of some of the VDI myths he has come across while talking with clients and engineers alike.  His presentation (which I will try to get him to link via SlideShare) was built around confronting and knocking down a lot of these myths.

You can read the ‘Myth’ paper here.


Monday, July 14, 2014

Installing the Citrix Provisioning Services Console on XenApp

Great how-to by Jacques Bensimon:

First, why would you want to do that?

Well, besides the obvious ability to manage your Provisioning environment directly from your XenApp servers without having to remote into your PVS servers, installing the console also installs the PVS MCLI.exe command line tool and the MCLIPSSnapin PowerShell snap-in that provides a number of PVS-related cmdlets.  This opens up the potential for all sorts of automation ideas, including a server assigning itself a different vDisk (under whatever circumstances you decide) and restarting itself to run that image.  Let your imagination soar!

Okay then, what’s the issue?

The PVS console (MMC snap-in) wants to run under the .NET Framework v4.0, and takes steps via a .config file and a couple of Registry entries to force the use of that Framework both by the Microsoft Management Console mmc.exe (when it must load a .NET-based snap-in) and to some extent by other .NET assemblies installed on the machine, with unpredictable results.  At the very least, it will cause an ugly error message when starting the XenApp console (I believe AppCenter is its name this week, at least in XA 6.5) because one of its components (the Single Sign-on piece) is designed to run under the .NET Framework v2.0, but that’s probably the least of the issues it could potentially cause with other consoles and apps.

So, is there a solution?

I’m insulted you’d even ask that question! :)  Here’s what you can do on your XenApp image:

1. Install the (x64) PVS console.

2. Copy mmc.exe and the (newly added) mmc.exe.config from %SystemRoot%\System32 to the installed PVS console folder.

3. Also copy "en-us\mmc.exe.mui" from System32 to the same folder (in a new "en-us" folder).

4. *Delete* mmc.exe.config from System32!

5. *Delete* the (newly added) "OnlyUseLatestCLR" entries from "HKLM\SOFTWARE\Microsoft\.NETFramework" *and* from the same Wow6432Node subkey!

6. Change the PVS console shortcut to explicitly specify the use of the "mmc.exe" copy in the installed PVS console folder.
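Steps 2 to 6 above as a single PowerShell script, added here as an example and not part of Jacques’ write-up. It assumes the default console folder %ProgramFiles%\Citrix\Provisioning Services Console; the shortcut path and the console’s .msc file name are placeholders you must set for your own install.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): automates steps 2-6 of the fix.
# Assumptions: default console folder; $ShortcutPath and $ConsoleMsc are
# placeholders that must be changed to match your installation.
param(
    [string]$ConsoleDir   = "$env:ProgramFiles\Citrix\Provisioning Services Console",
    [string]$ShortcutPath = 'C:\PLACEHOLDER\Provisioning Services Console.lnk',  # assumed
    [string]$ConsoleMsc   = 'PLACEHOLDER.msc'                                   # assumed
)
$ErrorActionPreference = 'Stop'
$sys32  = Join-Path $env:SystemRoot 'System32'
$config = Join-Path $sys32 'mmc.exe.config'

# Step 1 must already be done: the console installer is what drops mmc.exe.config
if (-not (Test-Path $ConsoleDir)) { throw "PVS console folder not found: $ConsoleDir" }
if (-not (Test-Path $config))     { throw "No $config found - install the PVS console first" }

# Step 2: private copies of mmc.exe and the v4.0-forcing config next to the console
Copy-Item -Path (Join-Path $sys32 'mmc.exe') -Destination $ConsoleDir -Force
Copy-Item -Path $config -Destination $ConsoleDir -Force

# Step 3: the private mmc.exe looks for its language resource in en-us\ beside it
$mui = Join-Path $ConsoleDir 'en-us'
New-Item -ItemType Directory -Path $mui -Force | Out-Null
Copy-Item -Path (Join-Path $sys32 'en-us\mmc.exe.mui') -Destination $mui -Force

# Step 4: the global mmc.exe goes back to honouring each snap-in's own CLR choice
Remove-Item -Path $config -Force

# Step 5: drop the machine-wide override in both the 64-bit and WOW64 registry views
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework') {
    $prop = Get-ItemProperty -Path $key -Name OnlyUseLatestCLR -ErrorAction SilentlyContinue
    if ($prop) {
        Remove-ItemProperty -Path $key -Name OnlyUseLatestCLR
        Write-Host "Removed OnlyUseLatestCLR from $key"
    }
}

# Step 6: rewrite the console shortcut so it launches the private mmc.exe copy
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($ShortcutPath)
$lnk.TargetPath       = Join-Path $ConsoleDir 'mmc.exe'
$lnk.Arguments        = '"{0}"' -f (Join-Path $ConsoleDir $ConsoleMsc)
$lnk.WorkingDirectory = $ConsoleDir
$lnk.Save()
Write-Host "Shortcut now starts $($lnk.TargetPath) $($lnk.Arguments)"
```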

Then what?

1. To configure MCLI.exe for remote script execution (after installation of the PVS Console), run:

MCLI.exe run setupconnection -p server=pvs_server_name port=54321

This will create the following Registry entries:





2. To register the PVS PowerShell snap-in, run:

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\installutil.exe "%ProgramFiles%\Citrix\Provisioning Services Console\McliPSSnapIn.dll"

To set up a connection to your PVS farm within PowerShell (to remotely execute all subsequent PVS cmdlets against the specified server), use the MCLI-Run cmdlet as follows:

MCLI-Run setupconnection -p server=pvs_server_name,port=54321

That’s it!  (Note that all of the above applies equally to any non-PVS machine on which you wish to install the PVS console and execute remote PVS commands via either MCLI.exe or the equivalent PowerShell snap-in, not just to XenApp).



Friday, June 13, 2014

First Look: Citrix Provisioning Service Cache size

Although it’s been out for a while, I know there are still a lot of you that haven’t had a chance to check out Citrix Provisioning Server 7.1 yet, so here’s a peek at a neat new feature you can look forward to.


The new Provisioning Services agent now gives you details on the cache being used within a read-only session.  How to properly size the cache of a provisioned machine has always been something that comes up when talking to clients, so I think being able to run a machine for a while under typical usage and check on the cache being used is a neat little enhancement to the agent.  You could always go to the file system and sniff it out yourself, but since the information is so useful, why not put it front and center for display.   Eventually, I’d love to see this information make it up to the central console.

Monitoring cache sizes is useful for determining whether you under- or oversized the local hard drives (especially in virtual environments) and also helps determine reboot schedules (to clear the cache).

There are plenty more enhancements in 7.1 but I liked this one. :)


Thursday, June 12, 2014

Safe to upgrade to vSphere 5.5 Update 1 with NFS

After a couple of months of ignoring Update Manager’s rollup patch to vSphere 5.5 Update 1, it is now safe to click install. :)   (Although you might want to wait a week or two for others to test it before deploying into production)

Back in April, a vSphere bug was discovered in Update 1 that would cause an APD (All Paths Down) situation for some NFS datastores.  It was advised by VMware to not upgrade to this latest version if you had NFS datastores. 

They have finally come out with a patch that addresses the APD issue.  You can read more about it on Duncan’s Blog below.



Wednesday, June 11, 2014

Quick Tip on Adding Roles and Features to Windows Server 2012 (and Windows 8?)

Unlike Windows Server 2008 R2 and Windows 7, which pre-stage all available roles and features during setup for easy addition at any later time, Windows Server 2012 (and probably also Windows 8.x) do *not*.  This means that when attempting to add a role or feature (such as .NET Framework 3.5/3.0/2.0 in the first screenshot below), you may get a message to the effect that some of your selections “are missing source files”.  If that happens, mount the Windows installation ISO or insert the installation disk, click “Specify an alternate source path” as shown below, then specify “x:\Sources\SxS” in the resulting dialog (where x: is the ISO mount drive letter or the letter of your optical drive) and click OK before continuing with the wizard (as shown in the second screenshot).

Jacques Bensimon 




Monday, June 9, 2014

Citrix PVS Pro Tip : Watch your Slots on VMware!

I was recently creating some new XenDesktop published sets and ran into a Blue Screen on cloned machines via the Provisioning Server XenDesktop Wizard.  I have run into this before and it was normally a Microsoft PnP value gone wrong or something similar.   The familiar 7B error is also typical of a disk driver mismatch (usually after a P2V) resulting in Windows not finding its boot drive.


This time around, it was a VMware SLOT issue.  For some reason, the template machine had an Ethernet slot identity of 33 and the newly created machines were given slot numbers of 32.  Since these machines were streamed, this gave me the 7B BSOD on all machines cloned via the wizard.


Swap the slot number in the VM’s properties and everything booted up just fine. :)

Jan’s excellent blog post here put me on the right track to resolution.


Wednesday, May 28, 2014

Have you seen this behavior before?

At two different clients now I’ve come across the following strange IE behavior on Windows 7 (I think IE9, but I don’t know that it’s limited to that version):

You know when you access an https: URL and, because of some certificate issue, get the warning page?  Well, in both environments, the warning page did *not* offer the usual “Continue to this website (not recommended)” option – it was the end of the line, no way to go forward.  I played with all the security options imaginable, made the site Trusted, made it part of the Intranet zone, no go! … until I accidentally discovered that this *only* happens when Internet Explorer was originally launched from a Taskbar pinned item.  If IE is launched from the Start menu, from Run, from a CMD prompt, etc., the warning page does let you continue on to the site.

I can’t recall if this only happens with a redirected AppData (in which case the pinned shortcut is actually in the home directory), but I’m pretty sure that’s not the case – any pinned IE ought to display this behavior.


Jacques Bensimon 


Tuesday, May 20, 2014

Caution When Upgrading your SSL Certificate(s)

Post by Sam Jacobs:

I received a call from a client recently. They renewed the SSL certificate on their NetScaler, and while their iOS Receiver users could still authenticate and enumerate applications, they could no longer launch applications and desktops. All intermediate certificates were properly installed and linked. The issue turned out to be the encryption method - SHA2 - used to hash the digital signature.


While SHA2 certificates have been around for a while, SHA1 certs had been the standard – until now. Microsoft has announced a new policy for CAs (Certification Authorities) who are members of the Windows Root Certificate Program (who issue publicly trusted certificates). The policy dictates that SHA1 certificates will be deprecated on January 1, 2016. After that date, only SHA2 certificates will be allowed to be issued. Unfortunately, the latest iOS (5.8) and Android (3.4) Citrix Receivers (among others) do not support SHA2 certificates when proxied through the NetScaler. See the full Receiver product matrix. While Citrix has promised a NetScaler upgrade in 2004 Q2 to remedy the issue, if you are supporting remote iOS or Android users through NetScaler and you need to upgrade your SSL certificate, make sure that you purchase a SHA1 cert and not a SHA2 cert.

Note: I do find it curious, however, that Microsoft is still using a SHA1 certificate on their site. ;-)



Friday, May 16, 2014

Synergy 2014 – Migrating WI Customizations to StoreFront

Hot off the Press!

Sam Jacobs has made his session material available via our corporate sharefile and also SlideShare.  Be sure to check it out!

Didn’t make it to Citrix Synergy this year? Not to worry! While this year’s session was not videotaped for SynergyTV, you can still download all presentation materials and source code:

  • Session PowerPoint presentation (includes speaker notes)
  • Complete session source code:
    ◦ Demo 1 – The Power of jQuery
    ◦ Demo 2 – New StoreFront Skin
    ◦ Demo 3 – Adding Help Desk information
    ◦ Demo 4 – Alternate Application Views
    ◦ Demo 5 – StoreFront Store Customization SDK

You can also view the presentation on SlideShare!
If you have any questions on the above, please email the team at
To learn more about the value IPM can bring to your business, download our company overview.

Wednesday, May 14, 2014

Memory Leak in XenDesktop 7.5 Desktop Studio MMC

Chris Hahn sent over this handy warning to be aware of if you are a XenDesktop Admin. 

If you are running XenDesktop 7.5, be sure not to leave the Desktop Studio running or it will eventually consume all the memory on your server.

The following discussion notes the error as BUG0455848.

There is no patch available yet but Citrix is aware of the issue.  So be sure to only open those admin consoles when you are actually viewing them. :)


Wednesday, May 7, 2014

Not at a Tech conference this week? Bring the conference to you!

So you aren’t in sunny Los Angeles at Citrix Synergy or sinful Vegas attending EMC World 2014.  No need to worry, there are PLENTY of ways to keep up on the events!  Both vendors are doing a great job streaming their respective keynotes and recaps (since there is a bunch of time overlap unfortunately) online for all to watch.

You can also follow along with the live unbiased commentary on twitter for both conferences.  There are plenty of influential people wandering the halls and broadcasting/tweeting/blogging breaking news and announcements. 
Follow #CitrixSynergy and #EMCWORLD2014 to get started.

Of course, if you ARE at Citrix Synergy, be sure to drop in on IPM’s own Sam Jacobs standing room only (if last year was an indication) session called ‘Best Practices for migrating Web Interface customizations to StoreFront’!

May 7th & May 8th – SYN247


Unfortunately, Sam’s session will not be live streamed, so once he gets back and the slides go public, I’ll publish a wrap-up post with the video and source material.

Knock ‘em Dead Sam!

Everyone else, have a great conference week whether in Vegas, LA or the trenches.


Tuesday, May 6, 2014

Citrix NetScaler Security Hotfix Update

Since Citrix doesn’t put out a ton of NetScaler Firmware updates, Marcos Velez sent over this heads up on one that addresses a few security vulnerabilities in the appliance’s management console.  This affects all versions of Citrix NetScaler ADC and NetScaler Gateway prior to 10.1-122.17 and 9.3-66.5.


To check on your firmware version, Jason Samuel of jasonsamuel.com has a very handy step by step guide available for verifying the NetScaler’s firmware versions. (Step #9)



Monday, May 5, 2014

No video or audio with some media files on XenApp 6.5

If H.264-encoded video (e.g. security camera recordings) or AAC-encoded audio (frequently found in MPEG4/MP4 videos) don’t play right (no video or no audio) on Windows 2008 R2 / XA 6.x, then you probably need this update to the “Desktop Experience” feature (which you installed to get Media Player, among other things).  Works like a charm, adds the missing decoders, no reboot required (it’s adding stuff, not replacing anything).


FIX: You cannot play back an H.264 video file or an AAC audio file on a computer that is running Windows Server 2008 R2 with the Desktop Experience feature enabled

Strangely enough (or is it?), without this hotfix, the affected media files won’t play right even if they play correctly on your client machine and the XA 6.x Windows Media Redirection feature is enabled and functioning, i.e. XA appears to need the decoder even though it’s in theory only streaming the raw media to the client where the actual decoding is supposedly performed.

Thanks Jacques Bensimon for the tip!


Thursday, April 24, 2014

Just because you can, doesn’t mean you should – Custom VMware Update Manager Depots

That’s the gist of the lesson I learned today. :) Again.

A while back, I read about custom depots for VMware Update Manager.  I love VMware Update Manager.  It really does deliver when it comes to keeping the vSphere ESX hosts sparkly and new with the latest patches and fixes officially released by the mothership.  But what about the other vendors’ parts in the stack? (Specifically hardware.)

Sometimes when working with Dell servers, I end up going the Dell OEM route for vSphere media.  How great would it be if Dell had an online depot that delivered patches via VMware’s Update Manager?  On the internet, I found out you could!  Read all about adding Dell, Cisco, Brocade and others @ PerfectCloud.

Fast forward to today – I am scanning my hosts for updates and am getting a strange error back in vCenter from VUM: Error 99: Check the logs.

Logs on the vCenter host are complaining about “Cannot merge VIBS”.  Ugh…  Off to the internet again.

vCrumbs to the rescue.  An excellent post with my error exactly (and more importantly – a detailed resolution!).

Long story short – the imported patches from one of the custom depots I added brought down a patch that created the issue.  As the article points out, once a patch is imported into VUM, there is no way to remove it.  All I could do was wipe the database and redownload the patches.  Seems extreme but way better than uninstalling and reinstalling vCenter Update Manager.

No more custom depots for me.

Tuesday, April 22, 2014

PSA: vSphere 5.5 Update 1 and NFS

Just a quick post for those that may not have heard about this VMware Alert.

If you are running vSphere 5.5 and have NFS datastores, it is advised NOT to upgrade or patch to Update 1.  NFS disconnections have been reported after upgrading and can lead to freezes and crashes on Virtual Machines located on the NFS datastores.

You can read a good write up on the issue by Michael Webster on LongWhiteClouds.com.

The official KB from VMware is here: 
KB 2076392 - Frequent NFS APDs after upgrading ESXi to 5.5 U1


Monday, April 21, 2014

Office and IE custom dictionaries -- New IPM utility: SyncMyDICs

Great new utility by Jacques Bensimon:

Juvenile name aside, this one is actually quite useful: (Grab it here)

As you know, as of Office 2007, your custom dictionary entries are stored as a plain Unicode text file, by default %AppData%\Microsoft\UProof\CUSTOM.DIC.  Any time you use “Add to Dictionary” on a word, the dictionary file is updated and re-sorted using the strange AaBbCcDd… collating sequence, which means all the capital “A” words come before the lower-case “a” words, then the “B” words, then “b”, etc. – but the Office apps don’t really care and are just as happy with a normally sorted file (as long as it’s a proper Unicode text file starting with the 0xFF 0xFE signature and containing one word per line).

What you may or may not know is that, as of Windows 8 / 2012 (and in Windows 7 / 2008 R2 with IE 10 or 11 as well), a new *Windows* API for spellchecking has been introduced for use by any app that wants to take advantage of it (as IE 10 and 11 do – you didn’t think that was your WebApp correcting your spelling, did you? :)).  And of course, since there’s still no love lost between the Office and Windows teams, the two spell-check engines are completely distinct and separate (though I’m sure that, if asked, Microsoft would explain that not everybody has Office installed ;)).  One consequence of this is that your custom dictionary for Windows/IE is separate from your Microsoft Office custom dictionary, although happily its format is essentially the same (Unicode text file, one word per line, no sorting imposed at all).  Your default Windows/IE custom dictionary, since you’re all good Yankees (right?), is %AppData%\Microsoft\Spelling\en-us\default.dic.

Which of course is where the new utility comes in:  after backing up the originals, it will merge any two such custom dictionary files (sorting and removing duplicates in the process) and will replace the originals with the merged copy.  As you can read in the screenshot, it will accept full paths to the two files you want to merge & replace but, for simplicity, will assume you mean the two previously mentioned (Office and IE) custom dictionaries if you don’t specify any files.  Run it at logon, or logoff, or whenever and however you like, and you’ll only need to add words once to have them available on both platforms.  (Of course, given how it works, the utility also can be used to combine Office custom dictionaries from your profiles on two different machines, or from two different user accounts, etc.).
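For readers who want to see the merge the post describes in code, here is an added PowerShell example; it is not the SyncMyDICs utility itself. It assumes the two default dictionary paths named above and writes UTF-16LE with the 0xFF 0xFE signature, one word per line, sorted and de-duplicated, after backing up both originals.

```powershell
# Added example, not the SyncMyDICs utility: merges two custom dictionaries
# in the format the post describes (UTF-16LE text with the FF FE signature,
# one word per line), sorts, removes duplicates, backs up and replaces both.
# Default paths are the Office and Windows/IE dictionaries named in the post.
# Requires PowerShell 5 or later for the ::new() syntax.
function Merge-CustomDictionary {
    param(
        [string]$OfficeDic  = "$env:APPDATA\Microsoft\UProof\CUSTOM.DIC",
        [string]$WindowsDic = "$env:APPDATA\Microsoft\Spelling\en-us\default.dic"
    )
    # Ordinal comparison: "Apple" and "apple" are distinct dictionary entries
    $words = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::Ordinal)
    foreach ($file in $OfficeDic, $WindowsDic) {
        if (-not (Test-Path $file)) { continue }   # a missing file contributes nothing
        # -Encoding Unicode reads UTF-16LE and drops the byte-order mark for us
        foreach ($line in Get-Content -Path $file -Encoding Unicode) {
            $w = $line.Trim()
            if ($w) { [void]$words.Add($w) }
        }
    }
    if ($words.Count -eq 0) { throw 'Neither dictionary exists or both are empty' }

    # Plain ordinal sort; the post notes Office is happy with a normally sorted file
    $merged = [System.Collections.Generic.List[string]]::new($words)
    $merged.Sort([System.StringComparer]::Ordinal)

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($file in $OfficeDic, $WindowsDic) {
        if (Test-Path $file) {
            Copy-Item -Path $file -Destination "$file.$stamp.bak"   # keep the original
        } else {
            New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
        }
        # -Encoding Unicode writes UTF-16LE with the FF FE signature, one word per line
        Set-Content -Path $file -Value $merged -Encoding Unicode
    }
    return $merged
}

# Constructed demo on temp files, so it can be tried without touching a real profile
$tmp = Join-Path $env:TEMP 'dicdemo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Set-Content -Path (Join-Path $tmp 'a.dic') -Value @('NetScaler', 'vSphere', 'Apple') -Encoding Unicode
Set-Content -Path (Join-Path $tmp 'b.dic') -Value @('apple', 'vSphere', 'XenDesktop') -Encoding Unicode
Merge-CustomDictionary -OfficeDic (Join-Path $tmp 'a.dic') -WindowsDic (Join-Path $tmp 'b.dic')
```

Run without parameters it merges the real Office and Windows/IE dictionaries of the current user, so try the temp-file demo first.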


And of course you know what word just made it to both my dictionaries, right?  You guessed it, SyncMyDICs! =]



Wednesday, April 9, 2014

In NYC? Join us for a PernixData/IPM Breakfast!

Here’s a quick plug for my company IPM, which is organizing a great breakfast event on April 17th for virtualization enthusiasts.  The event is sponsored by PernixData and will feature guest speaker Frank Denneman.   I’ll be there and am looking forward to hearing Frank’s presentation.

Frank is among the foremost authorities in the world in regard to running optimized VMware environments. He co-wrote with Duncan Epping the authoritative book on VMware HA and DRS. He edits one of the top VMware blogs in the world that is available at http://frankdenneman.nl/.

He will be in NYC for one day to talk about

  • Pros and cons of various flash deployment methodologies
  • Best practices for using flash to accelerate storage performance
  • How to measure results and ROI

Frank was a principal architect at VMware and now works for PernixData. They offer a great product that highly impacts the performance of the VMware hypervisor by implementing low cost SSD in an incredibly cost effective fashion. Clients can leverage this VMware approved reference architecture to optimize their virtualized environments and greatly increase IOPS delivery.

The event will be at the Innovation Loft @ 151 West 30th Street.

You can register for the event here: Register Here


Citrix Netscalers and Heartbleed Bug

If you haven’t heard about the 2-year-old OpenSSL security flaw named Heartbleed, check out the official site for information: Heartbleed.com.  Sadly, it was just ‘discovered’ by the good guys a couple days ago.

In a nutshell, it is a vulnerability in some versions of OpenSSL that allows hackers and script kiddies to steal protected information through normal interactions without detection.   It has to do with the heartbeat/handshake process that happens between the server and the client.  The easiest high level explanation I have read is that during the handshaking process, a client normally sends 64kb of information to the server that the server then in turn echoes back to the client.  To exploit the vulnerability, a malicious client can send an abnormal 1kb package instead during the handshaking process and then the server will echo that 1k back but fill the rest with server memory (63kb) to make a complete package.  This server memory can contain other user sessions’ data including usernames, passwords, encryption keys and other privileged information.  Fortunately, it is a simple coding mistake that can be easily rectified through a patch.  Unfortunately, it has been out there for around 2 years and is/was affecting a large part of the internet.

Sam Jacobs opened a case with Citrix to find out whether the Citrix Netscalers that handle SSL VPNs are affected by this bug and was pleased to learn that they are not.  The Netscalers use an older version of OpenSSL that is not vulnerable to this type of attack: they run OpenSSL 0.9.7, while the affected versions are 1.0.1 and 1.0.2.

You can check the OpenSSL version on the Netscaler by following the steps below:

1. Log in to the Netscaler using PuTTY.
2. Go to the shell prompt.
3. Type the command openssl and press Enter.
4. Type the command version -a and press Enter.

This will give detailed information about the OpenSSL version on the Netscaler.
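The affected range is narrower than “1.0.1 and 1.0.2” as stated above: per the OpenSSL advisory, releases 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug, while 1.0.1g and later, 1.0.2-beta2 and later, and the 0.9.x and 1.0.0 branches (which never implemented the TLS heartbeat extension) do not. The PowerShell function below is an added example, not something from this post or from Citrix; it classifies the banner line of `openssl version -a` output against that range, so you can paste what the Netscaler shell (or any other box) prints and get a yes/no. The sample banners are constructed, and the `plink` usage mentioned afterwards is an assumption about how you reach the appliance from Windows.

```powershell
# Added example; not from the original post. Classifies the banner line of
# "openssl version -a" output against the Heartbleed-affected range from the
# OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
# 1.0.1g+, 1.0.2-beta2+, and the 0.9.x / 1.0.0 branches are not.
function Test-HeartbleedVersion {
    param(
        [Parameter(Mandatory = $true)]
        [string] $VersionOutput     # full text returned by "openssl version -a"
    )
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
    $banner = ($VersionOutput -split "`r?`n")[0].Trim()
    if ($banner -notmatch '^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?') {
        throw "Unrecognized OpenSSL version banner: '$banner'"
    }
    $major  = [int] $Matches[1]
    $minor  = [int] $Matches[2]
    $patch  = [int] $Matches[3]
    $letter = $Matches[4]          # '' for a plain x.y.z release
    $beta   = $Matches[5]          # $null unless a -betaN suffix was present

    $affected = $false
    if ($major -eq 1 -and $minor -eq 0 -and $patch -eq 1) {
        # 1.0.1 (no letter) through 1.0.1f; the fix shipped in 1.0.1g
        $affected = ($letter -eq '') -or ($letter -le 'f')
    }
    elseif ($major -eq 1 -and $minor -eq 0 -and $patch -eq 2) {
        # Only the first 1.0.2 beta shipped with the bug
        $affected = ($beta -eq '1')
    }

    New-Object PSObject -Property @{
        Banner   = $banner
        Affected = $affected
    }
}

# Constructed sample banners (not captured from real appliances); the first
# one is the branch the post reports for the Netscaler.
$samples = @(
    "OpenSSL 0.9.7e 25 Oct 2004`nbuilt on: ...",
    "OpenSSL 1.0.1e 11 Feb 2013`nbuilt on: ...",
    "OpenSSL 1.0.1g 7 Apr 2014`nbuilt on: ...",
    "OpenSSL 1.0.2-beta1 24 Feb 2014`nbuilt on: ..."
)
foreach ($s in $samples) { Test-HeartbleedVersion -VersionOutput $s }
```

Run against the four samples, only the 1.0.1e and 1.0.2-beta1 banners come back with Affected set. To feed it real output from Windows you can capture the appliance shell session (for example `plink user@netscaler "openssl version -a"`) into a variable and pass that in. One caveat for servers other than the Netscaler: distribution vendors often backport the fix without bumping the version letter, so a banner alone is not the last word on a patched 1.0.1e build; check the vendor’s advisory or build date for those.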

The Netscalers do not support the ‘TLS heartbeat’ extension in the SSL engine that is affected by the Heartbleed bug.

You can also use the following site to check other web sites for the vulnerability:

I’ve tested some View Security Servers and some older CSGs using the tester above and they also come back clean.

Update: Citrix has an official link here: http://support.citrix.com/article/CTX140605


Monday, April 7, 2014

Rethinking Network Printing (with new PConn2 IPM Utility)

Here is an especially detailed look at printing, printer drivers and remote sessions by Jacques Bensimon.  Added bonus: the new IPM utility PConn2!

If you’re like me and insist on controlling the printer drivers that are installed and used on your TS/RDS/XenApp servers (you should!), Windows network printing has historically been a nightmare:  print servers only let you connect a printer if you have the exact same driver as the one with which the printer is defined (unlike RDP and ICA client printing which offer driver name substitution mechanisms), attempt to download and install said driver to your server otherwise (sometimes even when you in fact do have an identically named driver, and inexplicably sometimes even if you have the identical driver version), and can reject connections entirely if you attempt to use “Point and Print” or “Packaged Point and Print” Restrictions Policies to prevent driver installations.  This state of affairs is often exacerbated by the fact that your servers’ Windows version does not match that of the (generally older) print server(s), which often means that “in-box” driver names for the same printer models don’t match across platforms (there ought to be a law!) and is further complicated when you have no control over the cowboys who manage the print servers and who sadistically ignore the (much safer) in-box drivers, always installing drivers from vendor downloads.

And yet, preferable though client printing may be (driver substitution feature, universal driver availability, better compression, automatic reconfiguration based on detected client  printers, etc.), providing some network printing capability is often a customer requirement.  For example, if there are thin client devices in use in the environment, creating client-side printer connections can range from absurdly difficult to outright impossible – users of such devices may have no choice but to rely on network printer connections established within their remote sessions (what Citrix calls “session printers” when connected via the XenApp feature by that name).  Another common example is that of home or traveling users who need to print to an office printer, either for later pickup or for immediate use by a colleague or assistant.  (“Are assistants colleagues?”  Discuss. :))

So, with these preliminaries in mind, here are a few items related to resolving the above issues, ranging from mundane to mind-blowing :):

A. Unexpected re-installations of existing printer drivers when establishing network printer connections from a Windows 2008 R2 SP1 RDS/XA server can be at least partially eliminated by installing hotfix “KB2896881 - Long logon time when you use the AddPrinterConnection VBScript command to map printers for users during logon process in Windows Server 2008 R2 SP1”.  Despite the article’s title, the hotfix reduces driver re-installations regardless of the method used to create printer connections, including KiXtart, XenApp “Session Printers” and “manual” network printer additions.  This is a worthwhile hotfix to apply even if you wind up using some of the “fancier” strategies described below.

B. As of Windows Vista and continuing through all current workstation and server versions of Windows, a new network printing method called Client-Side Rendering has become the default, unless disabled via the “Always render print jobs on the server” policy setting.  With client-side rendering, the printer’s native command sequence required to get the job onto paper (i.e. the actual PCL or PostScript or whatever commands) is generated entirely on the client side of the printing connection (i.e. within the session in an RDS/XA scenario) via the locally installed printer driver, and is then sent as a RAW stream to the print server which in turn dumps it off to the printer without any further processing by its own printer driver.  Wait a minute!  The print server takes whatever printer commands we send it and passes them on to the printer, no questions asked??  Then why the @#$%&! does it constantly bust our b@##$ about the matching printer driver requirement??  Or is that really a requirement after all?  The following intriguing sentence is found at the bottom of the above-mentioned policy’s description:

Note:  In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy.

Huh?!  Mismatched connection??  Sounds great!  How do I get me one of those?  The answers (there are two) turn out to be buried in a single sparsely detailed MSDN article, and neither one is available via any built-in (or, as far as I can tell, third-party) GUI or command line Windows tool or printer connection method, … until today that is! :)  This seems to be a case of the Windows API having outpaced the user-accessible capabilities of Windows, so the feature lies there, dormant.

Before I describe the two available methods for creating “mismatched” printer connections, let me address something that you may run across regarding Client-Side Rendering and the above “server-side rendering” policy, for example in this Microsoft blog:  “There is one scenario where it may be desirable to offload the rendering policy to the print server - and that would be on a Terminal Server”.  The idea here is that print job rendering can be somewhat processor-intensive, so the suggestion is that it might be best kept on the print server if you fear massive amounts of printing occurring simultaneously on multi-user machines.  That may be true, especially on underpowered machines (<insert VM joke here>), and you can certainly use the policy if you find it beneficial (as you saw above, it won’t affect mismatched printer connections anyway), but I have news for you: you’ve been rendering print jobs on Terminal Servers since long before Windows 2008!  How?  With ICA/RDP client printing!  All client printing (except to printers created with the Citrix Universal Printer Driver) is rendered within the session using a local (possibly substituted) driver and the raw PCL/PostScript/etc. stream is sent to the client for immediate pass-through to the printer – sound familiar?

Okay, back to printer connections with mismatched drivers.  Here are the two ways you can create them:

1. If, for any given shared printer, you create on the print server a REG_SZ value named “DriverPolicy” under the key HKLM\SYSTEM\CurrentControlSet\Control\Print\PrinterName\PrinterDriverData and set it to the name of the driver you would like to use when connecting to this printer (regardless of the driver with which it’s actually defined), then any Windows Vista or above client (including Windows 2008 R2) will only use that particular driver when connecting to that printer, assuming it’s available locally.  There is even a benefit to creating this Registry entry (set to the printer’s “real” driver name) when you in fact do have the matching driver on the client side and are okay with using it:  it dramatically speeds up the establishment of connections to that printer because it completely short circuits all driver name and version comparisons, and eliminates even the possibility of a driver being downloaded from the print server.  But that is both the strength and the (slight) weakness of this technique:  while Windows XP/2003 print clients are oblivious to and unaffected by the DriverPolicy Registry entry (since they don’t support client-side rendering in the first place), it “breaks” Point-and-Print for the more current Windows versions – if they don’t already have the requested driver locally, no attempt will be made to provide them with one and connection attempts to that printer will simply fail.  That’s of course not a problem for you and your carefully managed RDS/XA servers (which will already have the requested drivers and will benefit from the elimination of all the “driver drama”), but print servers usually also support workstations, and their set of installed printer drivers is rarely managed with any sort of care (because Point-and-Print makes that unnecessary).  
Workarounds that come to mind include either using separate print servers for RDS/XA sessions (if we could easily have *that*, we probably wouldn’t be having this discussion) *or* creating duplicate printer shares with recognizably different names, one without a DriverPolicy entry (for use on workstations) and one with (for use on RDS/XA).
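Setting the DriverPolicy value by hand on every share gets old quickly, so here is a small PowerShell helper for it. This is an added example, not part of the original post and not an IPM utility. It assumes you run it on the print server with administrative rights, that the per-printer key is the one under `...\Control\Print\Printers\<PrinterName>\PrinterDriverData` (the full path, with the Printers subkey the post’s shorthand leaves out), and that the printer and driver names passed in are placeholders for your own. The third function is meant to be run on the RDS/XA server first, so that the driver name you pin is one that is actually installed there; with DriverPolicy in place a wrong name means the connection simply fails, as the post explains.

```powershell
# Added example; not from the original post and not an IPM utility.
# Sets (or removes) the DriverPolicy value for one shared printer on the print
# server, and lists the driver names installed on an RDS/XA server so you can
# confirm the name you are about to pin actually exists there.
# Placeholders: the printer and driver names passed in.

function Set-PrinterDriverPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $PrinterName,   # printer name as defined on the print server
        [Parameter(Mandatory = $true)] [string] $DriverName     # driver the connecting client must already have
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers\$PrinterName\PrinterDriverData"
    if (-not (Test-Path -LiteralPath $key)) {
        throw "No printer named '$PrinterName' is defined on this server"
    }
    # REG_SZ value named DriverPolicy; -Force overwrites an existing one
    New-ItemProperty -LiteralPath $key -Name 'DriverPolicy' -Value $DriverName `
        -PropertyType String -Force | Out-Null
    (Get-ItemProperty -LiteralPath $key -Name 'DriverPolicy').DriverPolicy
}

function Remove-PrinterDriverPolicy {
    # Reverts a share to normal Point-and-Print behaviour, e.g. for the
    # workstation copy of a duplicated share
    param([Parameter(Mandatory = $true)] [string] $PrinterName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers\$PrinterName\PrinterDriverData"
    Remove-ItemProperty -LiteralPath $key -Name 'DriverPolicy' -ErrorAction SilentlyContinue
}

function Get-LocalPrinterDriverName {
    # Run on the RDS/XA server. Win32_PrinterDriver.Name has the form
    # "<driver name>,<version>,<environment>"; return just the driver names.
    Get-WmiObject -Class Win32_PrinterDriver |
        ForEach-Object { ($_.Name -split ',')[0] } |
        Sort-Object -Unique
}

# Example run on the print server (names are placeholders). The RDS copy of a
# duplicated share gets the policy; the workstation copy does not.
Set-PrinterDriverPolicy    -PrinterName 'Floor3-HP-RDS' -DriverName 'HP Universal Printing PCL 6'
Remove-PrinterDriverPolicy -PrinterName 'Floor3-HP'
```

The duplicate-share workaround from the paragraph above maps directly onto the last two calls: one share carries DriverPolicy for the RDS/XA servers, its twin stays policy-free so workstations keep Point-and-Print. Because the value is only honoured by Vista and later clients, setting it does nothing to any XP/2003 machines still pointing at the same share.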

2. There is a Windows API function called AddPrinterConnection2 that, when correctly used (I had an embarrassingly hard time figuring it out :)), will let you create a printer connection using the specified locally installed driver of your choice.  As in the case of the DriverPolicy Registry entry described above, there is a significant performance benefit to using this function even if you specify the same driver as the print server’s, again because it bypasses all driver version comparisons and never involves a driver download.  But unless you’re building this capability into a custom program, you need a utility that “wraps” the API function in question and makes it available to batch files and other scripts, … which is where the new PConn2 utility comes in.  See the screenshot below for its syntax and usage notes.


Two empirical observations about this API function (and therefore about PConn2):  (a) It creates “mismatched” connections exactly as requested within the current logon session (don’t go by the printer connection’s Properties when confirming the driver it’s using – it’s in the Registry somewhere – ask me if you want to know exactly where), but if the user account has a persistent profile (i.e. local or roaming, not mandatory) and logs off then logs back on, Windows will dutifully reestablish the printer connection *without* employing the correct API function and the requested driver mismatch, so you may still wind up with unexpected driver downloads.  Not a problem with mandatory profiles, but in other scenarios you’ll need to either delete HKCU\Printers\Connections at logoff or exclude it from capture by whatever profile “solution” you’re using.  (b) The function bypasses all policy restrictions on print servers to which you may print – this is actually a great feature:  if you use this function (or PConn2) to create all user printer connections under tight script control, then you can exclude all print servers via policy (by only allowing printing to a single nonexistent “bogus” server) and rest assured that no other mechanism can be used to create printer connections that might result in unwanted driver downloads.
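For readers who would rather see the API call than take it on faith, here is a minimal PowerShell wrapper around AddPrinterConnection2 that pins a connection to a named local driver, together with the logoff cleanup that observation (a) calls for. This is an added example; it is not the PConn2 utility and not code from the post or from IPM. It assumes the flag values PRINTER_CONNECTION_MISMATCH (0x20) and PRINTER_CONNECTION_NO_UI (0x40) from winspool.h, that the call is made inside the user’s session (a logon script is the natural place), and that the server, printer and driver names are placeholders.

```powershell
# Added example; not the PConn2 utility and not from the original post. A small
# PowerShell wrapper around the AddPrinterConnection2 API that creates a printer
# connection pinned to a locally installed driver, plus the logoff cleanup the
# post recommends for persistent profiles.
# Assumptions: flag values PRINTER_CONNECTION_MISMATCH (0x20) and
# PRINTER_CONNECTION_NO_UI (0x40) from winspool.h; server, printer and driver
# names are placeholders.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct PRINTER_CONNECTION_INFO_1
{
    public uint dwFlags;
    [MarshalAs(UnmanagedType.LPWStr)] public string pszDriverName;
}

public static class WinSpool
{
    public const uint PRINTER_CONNECTION_MISMATCH = 0x00000020;
    public const uint PRINTER_CONNECTION_NO_UI    = 0x00000040;

    [DllImport("winspool.drv", EntryPoint = "AddPrinterConnection2W",
               CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool AddPrinterConnection2(
        IntPtr hWnd, string pszName, uint dwLevel, ref PRINTER_CONNECTION_INFO_1 pConnectionInfo);
}
"@

function Add-MismatchedPrinterConnection {
    param(
        [Parameter(Mandatory = $true)] [string] $PrinterUnc,    # \\server\share form
        [Parameter(Mandatory = $true)] [string] $DriverName     # driver already installed on this RDS/XA server
    )
    $info = New-Object PRINTER_CONNECTION_INFO_1
    # MISMATCH: use $DriverName even if it differs from the server's driver;
    # NO_UI: never prompt, which is what you want from a logon script
    $info.dwFlags = [WinSpool]::PRINTER_CONNECTION_MISMATCH -bor [WinSpool]::PRINTER_CONNECTION_NO_UI
    $info.pszDriverName = $DriverName
    # Level 1 tells the API that pConnectionInfo is a PRINTER_CONNECTION_INFO_1
    $ok = [WinSpool]::AddPrinterConnection2([IntPtr]::Zero, $PrinterUnc, 1, [ref] $info)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "AddPrinterConnection2 failed for $PrinterUnc with Win32 error $code"
    }
}

function Clear-PersistedPrinterConnections {
    # Observation (a): a persistent profile re-creates the connections at next
    # logon without the API flags, so drop the persisted entries at logoff.
    $key = 'HKCU:\Printers\Connections'
    if (Test-Path -LiteralPath $key) {
        Get-ChildItem -LiteralPath $key | Remove-Item -Recurse -Force
    }
}

# Logon script usage (placeholder names); Clear-PersistedPrinterConnections
# goes in the matching logoff script.
Add-MismatchedPrinterConnection -PrinterUnc '\\PRINTSRV01\Floor3-HP' -DriverName 'HP Universal Printing PCL 6'
```

Because the call never triggers a driver download, a misspelt or missing driver name fails fast with a Win32 error rather than silently pulling a driver from the print server, which is exactly the behaviour you want on a server whose driver set you manage by hand. Pair it with the “bogus print server” policy from observation (b) and the logon script becomes the only path by which a connection can be created.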

C. If you’re forward-looking, you’ll be interested in a new feature introduced with the Windows 8/2012 “v4” printer driver architecture, the so-called “Class Drivers”:  printer vendors (and Microsoft) can now provide these “super-drivers” that support from a single model to an entire range of printers from any given manufacturer (e.g. “Xerox PCL6 Class Driver” or “Brother PS Class Driver”) and print clients, including Windows 7 and 2008 R2, can connect and print to any shared printer defined with such a class driver using a single client-side printer driver, the “Microsoft Enhanced Point and Print Compatibility Driver”.  Could be a game changer!  At the very least something to consider if you have the option of building (or suggesting) a Windows 2012-based printing environment.

Well, if you aren’t by now as sick of reading about printing as I am of writing about it, you’re in need of serious help.

