Microsoft Edge on Server 2019/2016 (and Citrix)

KB ID 0001657

Problem

In a fit of lunacy Microsoft have called ‘their’ new browser Microsoft Edge, so we can spend the next few months confusing it with Edge. Plus every Google search for GPO settings, error messages etc will all now show search results for the old Edge Browser not the new Microsoft Edge browser! Perhaps the same doofus at Microsoft who called the Exchange sync Active Sync when Microsoft already had a product called Active Sync was involved?

Anyway I got a request from a client this week to have Microsoft Edge on their Citrix environment, there was some confusion (imagine that), because Edge does not work on server 2016, (and it’s not shipped as part of server 2016), but would Microsoft Edge work?

Installing Microsoft Edge on Server 2019/2016 (With IE11)

Why is Internet explorer still alive? Anyway If you want to install Edge on a modern Windows server firstly ensure you are fully up to date with updates! Then open IE. Internet Options > Security > Custom > Scripting > Enable Active Scripting > OK > Yes > Apply > OK.

 Then go to https://www.microsoft.com/en-us/edge/business and install it manually.

Microsoft Edge on Server 2019/2016

The first test was, ‘would it run on Server 2016’, it detected the OS as Windows 10 (unsurprisingly), and installed fine;

Microsoft Edge on Remote Desktop Services

Well Citrix is really just Remote Desktop Services in a leather jacket, so the next test was,’ would it work in RDS?’ I span up an RDS farm on the bench, and was pleased to see I could select Microsoft Edge as a RemoteApp, (not that I needed to deploy it using RemoteApp, but it being detected was promising).

And in an RDS session it worked faultlessly.

Deploy Microsoft Edge on Citrix (Server 2016)

Here’s where we had a problem, it installed fine, but every time I went to open it, all I got was a ‘white screen’ for about 5 minutes, after this it burst into life, which I couldn’t really ask the client to put up with!

As this was happening when I launched the browser I ‘wrongly’ assumed it was a ‘first run‘ problem (for the uninitiated, previous Microsoft browsers got an annoying ‘how do you want to set the browser up’ routine, then finally dumped you on the MSN webpage, (does anyone actually use the MSN webpage?) While it didn’t cure my problem it’s worth mentioning how I stopped the first run dialog happening);

Controlling Microsoft Edge with Group Policies

If you are used to importing ADMX and ADML files then this will be a breeze to you. If you are really interested I cover the subject in great deal in the following post;

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Essentially download the latest msedge.adml and msedgeupdate.adml files and (on a Domain controller,) copy them to;

[box]

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions\en-US

[/box]

Note: Other Input locales are available, my servers are using English (US).

Then copy the msedge.admx and msedgeupdates.admx files to;

[box]

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions

[/box]

Microsoft Edge Stop ‘First Run’ With Group Policy

The two policies I used are both located at;

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge

[/box]

Microsoft Edge: Stop Importing of Bookmarks/Favourites

Locate: ‘Automatically import another browser’s data and settings at first run‘ > Enable the policy, and select ‘Disable automatic import and the import section of the first run experience is skipped‘ > Apply > OK.

Microsoft Edge: First Run

This will disable the entire first run dialog;

Locate: ‘Hide the First-run experience and splash screen‘ > Enable the policy > Apply > OK.

Then either wait or force a policy refresh.

Deploy Microsoft Edge on Citrix

As it was working in RDS and not working on Citrix, then the problem was probably Citrix*. Citrix is one of my weaker subjects, so credit for the actual fix should go to my colleague (Dan Brookes). 

*After I had discounted existing group policies, and other installed applications.

Running Microsoft Edge while it was ‘hanging’ and looking at what was going on in ‘Process Monitor’ showed a lot of hook64.dll entries;

This pointed to the culprit, open the registry Editor (regedit) and navigate to;

[box]

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > CtxUvi

[/box]

Locate the UviProcesExcludes REG_SZ value, edit it and add ‘msedge.exe;‘ to the end.

Theres probably one service you can restart, but I simply rebooted the server, (problem solved).

FSLogix and Microsoft Edge

If you are running FSLogix you should also add an ‘exclusion’ to the Redirections.xml file, (located in your \\{domain-name}\NETLOGON folder).

[box]

<Exclude>AppData\Local\Microsoft\Edge Dev\User Data\Default\Cache</Exclude>

[/box]

 

Related Articles, References, Credits, or External Links

Microsoft Edge (macOS) Migrate Bookmarks from Safari

XenServer: Enable SNMP

KB ID 0001629

Problem

We had to enable SNMP on a XenServer today, I’d never even logged onto one, but it turns out, much like ESX, it’s just a Linux server, at least the good folk at Citrix included nano on there so I didn’t have to struggle with the vi editor!

Solution

First from the web console ensure that SSH access is enabled > Remote Services Configuration > Enable/Disable Remote Shell.

SSH into the host and execute the following commands to start the SNMP daemon,  take a backup of the config file, and finally edit the ‘live’ config file.

[box]

chkconfig snmpd
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.backup
nano /etc/snmp/snmpd.conf

[/box]

You can delete EVERYTHING (At the beginning of the file press CTRL+6 to mark the file, then Press ALT+Shif+T (or ALT+T) to cut the text away). Then type in;

[box]

rocommunity {SNMP-String} {IP address or range with /{bits}}

i.e.
rocommunity public 192.168.1.0/24

[/box] 

Save and Exit (CTRL+X > ‘Y’ > {Enter}). Now you need to edit the firewall on the host (iptables). To allow the IP addresses of your SNMP collector(s).

[box]

nano /etc/sysconfig/iptables

[/box]

At the bottom, (usually) you will see a deny for ICMP, put an entry for each collector BEFORE that in the following format;

[box]

-A RH-Firewall-1-INPUT -s {Collector-IP-Address} -p udp -m udp --dport 161 -j ACCEPT

[/box]

Save and Exit (CTRL+X > ‘Y’ > {Enter}). then restart iptables and the snmp daemon.

[box]

service iptables restart
service snmpd restart

[/box]

If you are polling it though a firewall you can test it locally using this piece of freeware, (I use this to test, but remember to add the local IP you are testing from to the sump config and the iptables!)

Related Articles, References, Credits, or External Links

NA

Citrix: mac OSX ‘You have chosen not to trust…’

KB ID 0001520

Problem

After a colleague deployed Citrix for a customer the other day, they complained that they had a mac user that was getting certificate errors. They had a publicly signed wildcard certificate, but this user was still having problems.

After I  heard a few “tell him to stop using a mac” comments, I said, “I’m using a MacBook here, would you like me to test it?” The URL opened fine in Safari, and the certificate looked good (all green), I was prompted to install the Citrix receiver, and was presented with a session to open, when I did so, I got this;

You have chosen not to trust {Certificate-Name} the issuer of the servers security certificate.

Solution

Head over to https://www.sslchecker.com and put your Citrix URL in and check it, I found this. So I downloaded the two certificates it said I was missing.

Note: For someone who works with certificates, this makes no sense, (as I got to the portal without an error). I had to trust the root CA, and its intermediate CA, (what’s being called a Chain Cert below). But I thought I’d play along to see what happened.

‘Double Click’ each downloaded certificate, then choose ‘Add’, (repeat for each certificate in the chain).

Close any open Citrix receiver sessions, restart you browser, and try again.

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – SSL Offloading

KB ID 0001192 

Problem

What is SSL Offloading?

If you run https services (Note: I say services, this does not have to be a website), the actual security is handled by SSL/TLS, one of the things this does is encrypt the traffic between the client and server. (This is why your online banking and shopping is done over https and not http.)

Thats great, but encrypting and decrypting all that traffic takes a lot of processing cycles, if you have http servers doing that work it will divert a lot of CPU/vCPU time away from its normal job of providing web services. If you have a very busy site, you may start to scale those servers out, and load balance them, but the http servers themselves will still need the extra grunt to do the decryption/encryption work.

You can install SSL accelerators, (often refereed to as Crypto Offload Cards,) into your servers to hand-off that workload, but in a modern virtual datacenter, that does not scale well at all.

So what if you get your ‘load-balancer’ to decrypt the traffic coming in, and re-encrypt it on its way out? The https servers no longer have to do the ‘heavy lifting’. Whats more, if you put an SSL accelerator in your load balancer, that makes it run more efficiently. Thats exactly what Citrix have done, their hardware NetScalers have a Cavium CN1620-NFBE3- 2.0-G or Cavium CN1120-NFB accelerator card in them, to take this job on. (Note: This does not apply to the virtual appliance, (obviously) but that can still perform SSL offloading).

Put Simply: Your forward facing services are HTTPS, your ‘back-end’ services are HTTP.

Solution

Before you start, I’m assuming you already have your back end servers setup in NetScaler, and have those servers presented as either a ‘service group’ or as individual ‘services’. If you are unsure how to do this, follow the article below, (all the way to setting up the Virtual Server.)

Citrix NetScaler – Simple HTTP Site Load Balancing

I’m also assuming you have uploaded into the NetScaler, the certificate you are going to present publicly, and the CA-Root certificate, (and any intermediate CA certificates if required).  If you are using ‘self-signed’ certificates you might want to see the following article;

Citrix NetScaler – ‘Certificate is not a server certificate’

Citrix NetScaler Deploying SSL Offload

Log into the NetScaler > Configuration > Traffic Management > Virtual Servers > Add.

Give the Virtual Server a name > Protocol will be SSL > Set the IP (VIP) > The port will be 443 > OK.

Now add in your service group (or service(s)). I have two http servers setup in a service group, (see the article above). Click ‘No Load Balancing Virtual Server Service Group (or Service) Binding.

Search arrow.

Locate and tick your back end service group > Select.

Bind

Continue.

At this point you can upload the certificate and CA certificate.

Done.

It can take a little while to ‘go-green’ if there is a problem, click the drop down error on the left for more information. If this is a new deployment you may encounter the following problem;

NetScaler – SSL Virtual Server State: Down Effective State: Down

So now if you hit the VIP the NetScaler is presenting on https, it converts it to http and load balances across the back end servers for you.

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – ‘Certificate is not a server certificate’

KB ID 0001191 

Problem

While attempting to bind a certificate to a Virtual Server on my NetScaler this happened;

Error
Certificate is not a server certificate

 

Solution

Before you proceed, delete the problem certificate to avoid confusion!

I had generated this certificate with Microsoft Certificate Services, and I had made a wildcard certificate like so;

Certificate Services – Create a ‘Wildcard Certificate’

Remember if you use the standard ‘Web Server’ template then this does not allow you to export the private key of a certificate, so clone your template and allow the private key to be exported, then use that cloned template to create your wildcard cert.

Open the certificate on a Windows machine  > Install Certificate.

Select ‘Local Machine’  > Next.

Manually put the certificate in the ‘Personal’ container > OK > Next.

Now open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.

Note: Make sure there is a small key icon over the cert, if not create a new one or follow this article.

Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).

Export as PKCS 12 (PFX) > Next.

Set a password, (you will need this in a minute, so don’t forget it) > Next.

Save the exported cert with a pfx extension > Next.

OK

Now EXPORT THE CERT AGAIN, this time you DO NOT want to export the private key. This time you want to export it as Base 64 (CER) > Follow the wizard and save it in the same location as the PFX file you exported earlier.

So now you should have two exported certificates like this;

Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.

Set the Output Name file to have a .key extension and call it something sensible > Browse to your PFX file > Enter the import password > set a PEM Passphrase, (set it the same as the export password for simplicity) > OK.

Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.

 

Again give it a sensible name that you can identify like the FQDN, call it certificate and you will have problems down the line when you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM password > Install.

You can now assign this certificate without error.

 

Related Articles, References, Credits, or External Links

NA

NetScaler – SSL Virtual Server State: Down Effective State: Down

KB ID 0001190

Problem

When trying to setup SSL Offloading on a NetScaler Virtual Server. I was unable to get the State and Effective State to ‘go green’.

Solution

If you hit the ‘down arrow’ to the left it will give you a little more information, it also says  ‘SSL feature disabled’.

Log directly into the appliance and issue the following command;

[box]

enable feature SSL

[/box]

Hit the ‘refresh’ button and, (providing you set it up correctly,) it should burst into life.

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – Simple HTTP Site Load Balancing

KB ID 0001188 

Problem

Here is the simplest load balancing scenario I can think of, I’ve got two web servers, (on http port 80) and I’m presenting them though my NetScaler as an HTTP (Virtual Server).

 

Solution

First we add the ‘back-end’ servers. Connect to the management IP of your NetScaler and login > Configuration > Traffic Management  > Load Balancing > Servers > Add.

Define a name for the first server and enter its IP address > Create.

Repeat to add the second internal web server. 

Now I’m going to group these servers together in a ‘service group’, (you don’t have to, you can present them individually to the virtual server you will create in a minute if you prefer). Configuration > Traffic Management  > Load Balancing > Service Groups > Add.

Name the group and set the protocol to HTTP  > OK.

When created, you will see it says ‘No Service Group members’  > Click there.

Select ‘Server Based’ > Click the search arrow.

Tick them all > Select.

Set the port (HTTP is TCP port 80) > Create.

OK.

Now we need to add a monitor, this is what the NetScaler will use to monitor the service availability of your ‘back-end’ servers on TCP port 80 (HTTP). Click Monitors.

This confused me for a while, selecting things on the right, drops them at the bottom of the main page > Click ‘No service Group Monitor Binding’.

NetScaler has a monitor for http pre-configured, so I’m going to use that > Click the search arrow.

Click ‘http’  > Select.

Bind.

Done.

Now we tie all that together in a ‘Virtual Server’ > Configuration > Traffic Management  > Load Balancing > Virtual Servers > Add.

Give the Virtual Server a name > Protocol is HTTP > Specify the IP address (this will be the VIP the NetScaler presents to the outside world)  > Port 80 > OK.

Now we need the add the group we created earlier, click where it says ‘No load balancing Virtual Servers Service Group Binding’.

 

Click the search arrow.

Click the group you created earlier > Select.

Bind.

Continue.

Done.

Save your hard work.

You should be green across the board.

To test this I put a different web ‘welcome’ page on both of the servers, that way as I refresh the page I can see that the NetScaler is doing its job and balancing the requests across both back-end web servers.

 

Related Articles, References, Credits, or External Links

NA

NetScaler – Locate the Host ID

KB ID 0001187 

Problem

To apply a license to your NetScaler you need the supply the Host ID to the licensing portal. A quick internet search yielded the commands, but the were not working?

Solution

Note: If this is a new installation, the username and password will both be set to nsroot.

Whatever I was reading, didn’t tell me I needed to drop to shell mode!

[box]

shell
lmutil lmhostid

[/box]

As you can see this ones 0050569d5a96, (which I saw listed elsewhere are the appliances MAC address, however pinging the device yelled a different (similar) MAC address.

 

Related Articles, References, Credits, or External Links

NA