Tuesday 27 July 2010

Disabling IE ESC – Internet Explorer Enhanced Security Configuration on Windows Server 2008 R2 for XenApp 6

IE ESC (Internet Explorer Enhanced Security Configuration) is a very good feature on most servers – you shouldn’t be doing much web surfing from your server’s desktop anyway and this helps protect you from malware, which is the last thing you want on a Windows Server system.

Of course if Microsoft had any guts IE would be disabled by default, but I digress.

On a Citrix server of course IEESC is a pain in the neck since general web surfing is exactly what you want to do.  There are manual ways (below), but you don’t want to do this on every server, so Microsoft provided a way on Windows 2003 Server to set it via group policy.  There does not appear to be an equivalent on Server 2008 and R2 but oddly the 2003 way still works! 

Turning off IE ESC via Group Policy for Windows Server 2008 R2 (and R1 and 2003)

  • First, download the Windows Server 2003 Resource Kit Tools (yes, I know you are not using Server 2003 anymore…) from here:
    http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
  • Install them somewhere temporary, go to that folder and find the file “inetesc.adm”.
  • Load the GPMC (Group Policy Management Console) on a Windows Server 2008 R2 server.
  • Expand your Forest, your domain and find the OU your XenApp servers are within.
  • Edit or create a group policy that will apply Computer settings to that OU and its contents.
  • Expand Computer Configuration and Policies and right click on Administrative Templates


  • Click Add/Remove Templates
  • Click Add and find your inetesc.adm template.  Import it.
  • Expand Computer Configuration, Policies, Administrative Templates, Classic Administrative Templates, Windows Components, Internet Explorer, Enhanced Security Configuration.


  • Set the two policies to Disabled.  When you reboot the servers in that OU (any servers, of course, not just XenApp ones…), they will have Internet Explorer fully enabled.

Just in case you just want to do this once, here’s how to do it on each individual server…

Turning off IE ESC Manually

On Windows 2003 Server it was easy – just open up Add/Remove Programs and remove the component from the server – IE becomes fully opened up.


Windows Server 2008 and 2008 R2 have a nice easy way to do this as well.  Just load up Server Manager (you know, that annoying screen that pops up every time you log in… okay, it’s in Administrative Tools if you have never used a computer before).  About a third of the way down, see the Configure IE ESC link.


Click it and you should see this box – by default a XenApp 6 server will have IE ESC turned off for users (cleverly) but on for administrators (annoyingly, especially if you are an administrator and you actually use Citrix).  Configure as you see fit – personally it’s Off for both for me on all Citrix servers.

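Whichever method you used, you will want to confirm what state a server actually ended up in after the reboot. The following is an added example, not part of the original post: it reads the two Active Setup components that Server Manager’s Configure IE ESC dialog toggles (one for administrators, one for users) and reports drift from the state you intended. Whether the resource-kit GPO also updates these values is not something the post confirms, so on GPO-managed servers treat a mismatch as something to look into rather than proof either way.

```powershell
# Added example (not from the original post): report which audience still has
# IE ESC on. The state lives in two Active Setup components; IsInstalled = 1
# means ESC is on for that audience, 0 means off.
$IeEscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IeEscState {
    # One object per audience. Enabled is $null when the key is absent
    # (for example on a client OS, which has no IE ESC at all).
    foreach ($audience in @($IeEscKeys.Keys)) {
        $key   = $IeEscKeys[$audience]
        $value = (Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        $enabled = $null
        if ($null -ne $value) { $enabled = [bool]$value }
        # New-Object rather than [pscustomobject] so this runs on the PowerShell 2.0 that ships with 2008 R2
        New-Object PSObject -Property @{ Audience = $audience; Enabled = $enabled; Key = $key }
    }
}

function Test-IeEscDesiredState {
    # Compare the live state with what you intend. The post's choice for Citrix
    # servers is off for both; a general-purpose server would normally keep both on.
    param([bool]$AdministratorsEnabled = $false, [bool]$UsersEnabled = $false)
    $desired = @{ Administrators = $AdministratorsEnabled; Users = $UsersEnabled }
    $drift = @(Get-IeEscState | Where-Object { $_.Enabled -ne $desired[$_.Audience] })
    foreach ($d in $drift) {
        Write-Warning ("IE ESC for {0} is {1}, expected {2}" -f $d.Audience, $d.Enabled, $desired[$d.Audience])
    }
    return ($drift.Count -eq 0)
}

Get-IeEscState | Format-Table Audience, Enabled -AutoSize
if (Test-IeEscDesiredState) { 'IE ESC matches the desired state (off for both).' }
```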

Thursday 22 July 2010

UPDATED: Profiling Office 2010, Visio 2010 and Project 2010 for XenApp Streaming

This is a fully working and tested guide to streaming Office 2010 to XenApp 6 (streamed to server), activating with a KMS server. 

It has taken me a couple of months on and off messing about with getting Office 2010 applications to stream on XenApp 6, with all the problems coming from the Office Software Protection Platform service that Office uses to activate now.  The problems I was having were not with the capturing of the stream (as you might assume) but with the setup of the XenApp servers to host the stream.

So, this guide should work – providing you are activating with a KMS server rather than MAK keys, which I am afraid I have not tried. 

NEW - Install a KMS server

The installation of your Key Management Server to activate Office 2010 isn’t something I am going to cover and many people will want to use MAK keys, but for this guide to work you should have a KMS server.  Check you can actually install the apps you want to stream on a PC and that they activate (go to File > Help to see if they are activated – you should also see events in the KMS server’s event log).

NEW – Install a fresh XenApp Server

If you have previously tried and failed to stream Office 2010 to a XenApp server, just rebuild it.  Same if you have EVER installed any Office 2010 products (including Outlook, Project and Visio 2010) to that server.  Flatten it.  It should be a server that has never activated an Office product, or tried.

NEW – Use the Office 2010 Deployment tool for App-v

Yes, I know you’re not using app-v.  Just do it, it is essential if you ever want to host more than one SKU on this server.  So you might not need to do this if you are only going to use the main Office media, but be aware that the Outlook 2010 standalone media, Project 2010 or Visio 2010 won’t stream to it. 

Download the tool from:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=479f12f2-5678-493e-bce1-682b3ece5431

There are instructions on how to use it here:

http://support.microsoft.com/kb/983462

For instance, if you were to want to host Office Professional Plus 2010 and Project Professional 2010, extract the main download (the x64 one for Server 2008 R2) and run this command on the extracted files:

msiexec /i OffVirt.msi PROPLUS=1 OUTLOOK=1 PROJECTPRO=1

You should see a couple of events on the KMS server almost immediately containing the name of the new XenApp server.  The main problem is that after a reboot this will stop working, so if you are going to use this app to activate your servers with the KMS for Office licenses you should put this command in a startup script for the server.

If someone else has a better way of keeping these applications activated I would love to hear it!

Add the AppHubWhiteList entry to the XenApp server’s registry

If you are not going to sign your profile, you will need to add a registry fix so that the Office Software Protection Platform service, which Office’s activation depends on, is allowed to start from the stream.

For details on this registry fix see this: http://community.citrix.com/x/RQLUBw

Basically, you have to create a REG_SZ registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Rade called AppHubWhiteList containing a list of the names of the file servers your streams will be served from, separated by semicolons if needed.

Install a profiler

  • Install a Profiler machine.  This should be the same OS as the one you are going to stream to. 
    • This needs to be at least v6 of the Streaming Profiler, the version that ships with XenApp 6.  Microsoft Office 2010 includes Services that will not work with previous versions of the Profiler.
    • If using Streamed To Server in XenApp 6, it should be a Windows Server 2008 R2 server and ideally be a member of the XenApp 6 farm (but don’t publish apps to it…)
    • It should not have the streaming client installed. 
    • The Streaming Profiler can be downloaded from My Citrix or from the XenApp 6 DVD.

Run the Microsoft Office Customization Tool

  • Copy the installer to your Profiler
  • Run setup.exe with the /admin switch (so if it is in c:\office14, click Start > Run > “c:\office14\setup.exe /admin”)
  • The Customization Tool should launch.  Pick your product edition or select an existing customization file if you’ve been here before and are making changes:


  • You get a popup about the OpenDocument file format.  What you choose here might depend on your company policy.  I selected Keep current settings but will look at the settings later.


  • On the left hand side, select “Install Location and Organization Name” in the Setup section.  Enter your company name.


  • Select “Licensing and user interface”.  Enter your MAK key if you are using one, otherwise select “Use KMS Client key”.  Accept the license agreement, select “Basic” and “Suppress modal”.


  • Click Features > Modify User Settings.  There are loads of settings here!  This is a screenshot of my completed settings (with “show configured settings only” selected); the actual settings are listed below.  Look through the other settings, there may be other things you need.
    • Microsoft Office 2010 > Global Options > User Clear Type (enabled, set to “Office will use ClearType for text display”)
    • Microsoft Office 2010 > Global Options > Customize > Menu animations (disabled)
    • Microsoft Office 2010 > Tools | Autocorrect Options > Correct Two Initial Capitals (enabled)
    • Microsoft Office 2010 > Tools | Autocorrect Options > Capitalize first letter of sentence (enabled)
    • Microsoft Office 2010 > Tools | Autocorrect Options > Capitalize names of days (enabled)
    • Microsoft Office 2010 > Tools | Autocorrect Options > Correct accidental use of Caps Lock key (enabled)
    • Microsoft Office 2010 > Help > Office.com (disabled)
    • Microsoft Office 2010 > Privacy > Trust Center > Disable Opt-in Wizard on first run (enabled)
    • Microsoft Office 2010 > Privacy > Trust Center > Enable Customer Experience Improvement Program (disabled)
    • Microsoft Office 2010 > Privacy > Trust Center > Automatically receive small updates to improve reliability (disabled)
    • Microsoft Office 2010 > Language Settings > Primary Editing Language (enabled – choose your language!)
    • Microsoft Office 2010 > Services > Fax > Disable Internet Fax Feature (enabled)
    • Microsoft Outlook 2010 > Account Settings > Exchange > Cached Exchange Mode > Cached Exchange Mode (File | Cached Exchange Mode) (disabled)
    • Microsoft Outlook 2010 > Account Settings > Exchange > Cached Exchange Mode > Use Cached Exchange Mode for new and existing Outlook profiles (disabled)
    • Microsoft Outlook 2010 > Account Settings > Exchange > RSS Feeds > Turn off RSS feature (enabled)
    • Microsoft Outlook 2010 > Account Settings > Exchange > RSS Feeds > Default RSS feeds (disabled)
    • Microsoft Outlook 2010 > Account Settings > Exchange > SharePoint Lists > Default SharePoint lists (disabled)
    • Microsoft Outlook 2010 > Outlook Today Settings > Outlook Today availability (disabled)
    • Microsoft Outlook 2010 > Outlook Social Connector > Turn off Outlook Social Connector (enabled)
    • Microsoft Outlook 2010 > Outlook Options > Other > AutoArchive > Disable File|Archive (enabled)
    • Microsoft Outlook 2010 > Outlook Options > Other > AutoArchive > AutoArchive Settings (disabled)

  • Click Features > Set Feature Installation States.  For any Office applications you do not need, click the grey box by the application and select Not Available.  In my case, Access, OneNote, InfoPath and Publisher are not required.  For everything else, set them to run all from the computer.
  • Click Additional Content > Add Registry Entries.  Add the entries below (change the server name and port to the actual name and port of your KMS server.  If you don’t use a KMS server, you don’t need those). The ShowOptIn is a REG_DWORD, the PONT_STRING is a REG_SZ. 

[screenshot of the registry entries to add]

  • Click Outlook > Outlook Profile (this is assuming you are using Microsoft Exchange and want to auto configure accounts)
    • Select Modify Profile
    • Click Add accounts
    • Select “Customize additional Outlook profile and account information”
    • Click Add
    • Enter something for Account Name (like “exchange”)
    • Enter an Exchange server
    • Leave User Name as %username%
    • Click More Settings
    • Click Cached Mode
    • Click Configure Cached Exchange Mode.
    • If you are going to disable Cached Exchange Mode on the XenApp servers (I would – but maybe not if streamed Offline to client PCs), leave this as is.  Otherwise, tick the “Use Cached Exchange Mode” checkbox.


    • Click OK and Finish.
  • Click File > Save As and save it to the Updates folder within your Office 2010 installer folder.  Give it a name starting with a “1” so it always installs before other updates you may put here in the future.
  • Close the Customization Tool and confirm.

Profiling

  • Open the Streaming Profiler and click New Profile.
  • Click Next and give it a name (it can be changed later, but I would include a date or profile version number when saving it)
  • Click Next and do not Enable User Updates
  • Link Profiles if you wish – up to you.  It can be changed later as well.
  • Click Next past the Operating System screen, assuming the OS you want is selected.  Best practice is to have a new stream for every client OS you are streaming to – which if you are streaming to server is nice and easy as it’s just one OS to support. Assuming you are streaming to server and you are using the same OS as the servers you are streaming to, just click Next.
  • Choose Advanced Install
  • Select Run install program or command line script
  • Find and select Setup.exe in your Office14 folder
  • Click Next and Launch Installer
  • Click Customize and you should see any options you disabled (such as Microsoft Access) in the customization as disabled.  This is a good easy way of double checking your customization has been picked up okay.
  • Click Install Now.
  • Installation takes some time…


  • Click Close at the end of the install, then Next.
  • Click Next to Finish Installations if you have nothing else you know needs doing to your profile.  In this basic guide, we’re now done.
  • Run some of your key applications to check they perform as needed but DON’T run Outlook.  I’ve seen this cause everyone to get the same mailbox!
  • Click next and remove any shortcuts you don’t want.  This is a good place to add any switches you want to your applications, for example Outlook to configure it with a prf file.  Delete any shortcuts you will not use.
  • Click next (terminating applications if needed) until you get to the end, then click Finish to build the profile.
  • Save the profile to a file share – you will need at least about 1.75 GB free to do this.

Publishing Applications

  • You should now be able to set up application shortcuts on your XenApp 6 farm
  • Run the Citrix Delivery Services Console (installed by default on a farm server)
  • Run Discovery as needed.
  • Expand your farm and right click Applications, click Publish Application
  • Enter Word 2010 as the name and click Next
  • Change the drop-down to Streamed To Server and click next
  • Locate the folder you saved the profile to and double click its .profile file.
  • Select Microsoft Word 2010 in the drop down and Next
  • Click Add to add servers.  Click next when done.
  • Click Add to add users.  Click Next when done.
  • Enter a folder for the shortcuts if needed.
  • Click Next and Finish.
  • If you now right click the new application and select Duplicate Application you can create copies.  With these, right click each one and select Application Properties.  In the Name and Location sections, rename them to Excel 2010, Outlook 2010, etc and change the dropdown to the right application.

Running the profile

Once you have your Profile, create a new application (Streamed to server in this example), pointing at your XenApp server and use the stream you just made.

Before you launch them for the first time, remember to check the AppHubWhiteList reg value (see above) is present and correct, unless you signed the profile.  Also check you have used the Office 2010 Deployment Tool for App-V on it if you want to stream multiple SKUs to the server.  It should ideally be activated for Office 2010 on the KMS before your stream ever runs.

When you launch them for the first time you should see a new service start with some random characters at the start, like q2qwerqfq-osppsvc.  That’s the streamed service, and it should be running when your apps are.  Multiple logons will create multiple services. 

When they are launched, you should not see Setup continuing (that’s it trying to activate), it should just load the application.  You should also be able to go to File > Help and see those lovely words, Product Activated…
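The pre-launch checks above, the AppHubWhiteList value from the registry section, and the OffVirt.msi command the deployment-tool section says to put in a startup script are gathered here as one added example. This is not code from the post or from Citrix; the OffVirt.msi path and the file server name are assumptions, and the `/qn` switch is added so the activation can run unattended.

```powershell
# Added example (not from the original post): startup-script checks for a
# XenApp 6 server hosting streamed Office 2010, plus the KMS re-activation
# the post recommends after every reboot. Paths and names are assumptions.
$RadeKey    = 'HKLM:\SOFTWARE\Citrix\Rade'
$OffVirtMsi = 'C:\OfficeDeploymentTool\OffVirt.msi'   # assumed location of the extracted tool

function Test-AppHubWhiteList {
    # True when every file server that serves your profiles appears in the
    # semicolon-separated AppHubWhiteList REG_SZ value (compared case-insensitively).
    param([string[]]$FileServers)
    $raw = (Get-ItemProperty -Path $RadeKey -Name AppHubWhiteList -ErrorAction SilentlyContinue).AppHubWhiteList
    if (-not $raw) { return $false }
    $listed = @($raw -split ';' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    foreach ($fs in $FileServers) {
        if ($listed -notcontains $fs.ToLower()) { return $false }
    }
    return $true
}

function Invoke-OfficeKmsReactivation {
    # The post's OffVirt command for the Office Pro Plus, Outlook and Project Pro SKUs.
    # msiexec is a GUI-subsystem exe, so Start-Process -Wait is used to get its exit code.
    # /qn is a standard msiexec switch added here for unattended use; it is not in the post.
    param([string]$MsiPath = $OffVirtMsi)
    if (-not (Test-Path $MsiPath)) { throw "OffVirt.msi not found at $MsiPath" }
    $p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/i `"$MsiPath`" PROPLUS=1 OUTLOOK=1 PROJECTPRO=1 /qn"
    return $p.ExitCode   # 0 = success; anything else needs looking at
}

function Get-StreamedOsppService {
    # The streamed Office Software Protection Platform service shows up with a
    # random prefix (e.g. q2qwerqfq-osppsvc), one per logon. Return all of them.
    Get-Service | Where-Object { $_.Name -like '*-osppsvc' }
}

# --- startup-script usage (file server name is a placeholder) ---
if (-not (Test-AppHubWhiteList -FileServers @('fileserver'))) {
    Write-Warning 'AppHubWhiteList does not list the profile file server; the streamed service will not be allowed to start.'
}
$rc = Invoke-OfficeKmsReactivation
Write-Host "OffVirt.msi exit code: $rc (check the KMS server event log for this server's name)"
Get-StreamedOsppService | Format-Table Name, Status -AutoSize
```

Run the whole thing as a computer startup script (the post’s advice) and the activation survives reboots; running just the first check before each new stream is published tells you whether an unsigned profile will be able to start its service.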


Thursday 15 July 2010

Unattended\Scripted Installation of XenApp 6

This is the end of a 5 part guide to making a simple XenApp 6 farm.  These are the other sections:

  1. Installing a server manually
  2. Creating a XenApp 6 farm
  3. Citrix Licensing
  4. Web Interface
  5. Unattended installations

I imagine that Citrix will tell you that you don’t need to do unattended or scripted installations, just buy Provisioning Server!  But back in the real world you’re likely to be installing XenApp 6 on hundreds of servers in even a medium sized farm and unattended scripts are the way forward.

In this I am making the assumption that you already have an established XenApp 6 farm and you are just joining servers to it, though it’s only the “XenAppConfigConsole.exe” step below that would need to be changed to create the farm instead, assuming you also created the SQL database manually.  This is also quite a simple farm with everything in the same Zone, but you get the idea.  I’m also making the assumption you have a Data Store database already created on a full SQL Server which you know the details for and that you have a working license server.

Citrix have changed the way that scripted installations work since XenApp 5 incidentally, so you can forget MSTs and mps.msi, it’s all different now!

Finally, you’ll have to decide how you are going to actually copy the files and run the commands listed here – I used Altiris, which worked fine.  I’m sure you have your own ways and means.  If you are installing the XenApp Server steps manually by logging onto the server’s desktop, don’t use Terminal Services.  I haven’t actually tried this over a TS session but it didn’t work in XenApp 5 and I doubt it’s changed.

  1. Install Windows Server 2008 R2 on a server.  Join it to the domain, install anti-virus (if that’s your thing), sort the networking, etc.  I’m assuming here you’ve turned off UAC, which might not be a great idea but makes the instructions simpler.
  2. The command to turn off the Windows Firewall (should you be doing this – if not, you’re going to have to open ports) is:

    netsh advfirewall set allprofiles state off

  3. Add the required server roles.  These are the GPMC (required to support the admin tool – this might not be needed on servers without the admin tools) and Remote Desktop Services.  Other roles required will be added automatically.  To do this execute the following commands, which will grumble about servermanagercmd being deprecated but will work fine:

    servermanagercmd -install GPMC -restart
    servermanagercmd -install AS-NET-Framework -restart
    servermanagercmd -install RDS-RD-Server -restart

    The last command will cause a reboot.
  4. Install a XenApp client.  I installed our standard v12.0 client by downloading the full Online Plug-in, copying it to the C:\ drive of the new server and executing this command:

    c:\CitrixOnlinePluginFull.exe  /silent ADDLOCAL="ICA_Client,PN_Agent,SSON" SERVER_LOCATION=http://xenapp/Citrix/PNAgent/config.xml ENABLE_SSON="Yes" ENABLE_DYNAMIC_CLIENT_NAME="Yes" ENABLE_KERBEROS="No"

    The precise options will depend on your environment. 
  5. Copy the XenApp 6 DVD to your server or make it available on your network.  In this I copied the extracted ISO to c:\XA6_2008R2_ML\
  6. Execute the command to install an unconfigured XenApp 6 installation by using the XenAppSetupConsole.exe from the DVD.  This is a valid string which will install just XenApp (not web interface, licensing server, etc, etc) but exclude the administration tools, which are included with XenApp by default.  Miss the /exclude option out if you want the admin tools on this server. Set your product edition as well - my edition is Enterprise.  This example logs to the root of the C: drive too.  For a full list of switches for this part, see http://support.citrix.com/proddocs/index.jsp?topic=/xenapp6-w2k8-install/ps-install-command-line.html

    "c:\XA6_2008R2_ML\XenApp Server Setup\bin\XenAppSetupConsole.exe" /install:XenApp /exclude:XA_Console /Enterprise /logfile:c:\ctxsetup.log

    This is silent – if you are logged on you should see things happening in Task Manager such as msiexec.exe and XenAppSetupConsole.exe itself 

    EDIT 19 July 2010 - I originally posted this command wrong.  I gave the edition switch as “/edition:Enterprise” for an Enterprise farm.  Actually I misread the instructions, it should be /Enterprise for an Enterprise farm or /Advanced for an advanced farm.  Any other setting will give you the default of Platinum.  I’ve corrected the line above and the screenshot. 
  7. Once the command above completes, reboot your server to complete installation.  If you are scripting this in a batch file, use this as the next command:

    shutdown -r -t 0
  8. Copy or create a DSN file for your data store as c:\sql.dsn.  This doesn’t need the password of the SQL user you’re connecting with but will need everything else.  If you don’t know what you’re doing with this, it’s a text file which you can create manually – this is an example, obviously replace the values for DATABASE, UID and SERVER with your real values:

    [screenshot of the example DSN file]
  9. You now have an unconfigured XenApp 6 installation and must configure it with the XenAppConfigConsole.exe tool from the DVD.  Again, tailor the command to your own environment, especially the farm name, SQL Server username and password and the name of your License server.  It should take a couple of seconds and end with Exit Code: Successful.  Note the “/ExecutionMode:Join” part – this could be changed to create the farm.

    "c:\XA6_2008R2_ML\XenApp Server Configuration Tool\XenAppConfigConsole.exe" /ExecutionMode:Join /FarmName:"XenApp 6 Farm" /LicenseServerName:licenseServerName.domain.local /LicenseServerPort:27000 /ZoneName:"Default Zone" /AddUsersGroupToRemoteDesktopUserGroup:True /AuthenticationType:sql /DsnFile:c:\sql.dsn /OdbcUsername:sqlusername /odbcPassword:sqlpassword /log:c:\joinfarm%1.log 

  10. Reboot to complete the operation – it will not appear in your list of servers in the XenApp DSC admin tools until you do this.
  11. If you are using the User Profile Manager you will need to install this too.  Download the latest MSI and copy to the C: drive:

    msiexec /i c:\profilemgt3.1.1_x64.msi /qn
  12. One last possible change – if you are streaming applications that use Services (Office 2010 being the obvious example) and you don’t sign your profiles, you will need to run this to add a registry key to allow the service to start.  Replace “fileserver” with the name of the file server that stores your profiles.  This can be multiple entries separated by semicolons.

    REG ADD "HKLM\SOFTWARE\Citrix\Rade" /v AppHubWhiteList /t REG_SZ /d fileserver
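Steps 3 to 12 above, as one added example in PowerShell (this is not the post’s own script, nor a Citrix-supplied one). Because the roles step and the XenApp setup step each end in a reboot, it is written as three phases to be run in turn; the firewall step is deliberately left out, and the SQL server, database and file server names are placeholders, as is the `[ODBC]` file-DSN layout, which the post only shows as a screenshot.

```powershell
# Added example, not the post's own script: steps 3 to 12 as a phased build.
#   .\Build-XenApp6.ps1 -Phase Roles    (step 3)
#   .\Build-XenApp6.ps1 -Phase Setup    (steps 6 and 7)
#   .\Build-XenApp6.ps1 -Phase Join     (steps 8 to 12)
param(
    [Parameter(Mandatory = $true)][ValidateSet('Roles', 'Setup', 'Join')]
    [string]$Phase,
    [string]$Media         = 'c:\XA6_2008R2_ML',               # extracted XenApp 6 ISO, as in the post
    [string]$FarmName      = 'XenApp 6 Farm',
    [string]$LicenseServer = 'licenseServerName.domain.local',
    [string]$SqlServer     = 'sqlserver.domain.local',          # placeholder
    [string]$Database      = 'XenApp6DataStore',                # placeholder
    [string]$SqlUser       = 'sqlusername',
    [string]$SqlPassword   = 'sqlpassword',
    [string]$UpmMsi        = 'c:\profilemgt3.1.1_x64.msi',
    [string]$ProfileServer = 'fileserver'                       # file server holding the streamed profiles
)

function Invoke-Step {
    # Run a console tool, echo it with the SQL password masked, stop on failure.
    # 3010 is the standard Windows "success, reboot required" code. The Citrix
    # tools' exit codes are not given in the post; adjust if your logs say otherwise.
    param([string]$Exe, [string[]]$Arguments)
    $shown = $Arguments -join ' '
    if ($SqlPassword) { $shown = $shown -replace [regex]::Escape($SqlPassword), '********' }
    Write-Host ">> $Exe $shown"
    & $Exe @Arguments
    if (@(0, 3010) -notcontains $LASTEXITCODE) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Invoke-Msi {
    # msiexec is a GUI-subsystem exe, so & would not wait for it; Start-Process does.
    param([string]$MsiPath)
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn" -Wait -PassThru
    if (@(0, 3010) -notcontains $p.ExitCode) { throw "$MsiPath failed with exit code $($p.ExitCode)" }
}

switch ($Phase) {
    'Roles' {
        # Step 3. servermanagercmd grumbles about being deprecated but works;
        # the post notes that only the last command actually triggers the reboot.
        foreach ($feature in 'GPMC', 'AS-NET-Framework', 'RDS-RD-Server') {
            Invoke-Step servermanagercmd @('-install', $feature, '-restart')
        }
    }
    'Setup' {
        # Step 6: unconfigured XenApp only, admin console excluded, Enterprise edition.
        Invoke-Step "$Media\XenApp Server Setup\bin\XenAppSetupConsole.exe" @(
            '/install:XenApp', '/exclude:XA_Console', '/Enterprise', '/logfile:c:\ctxsetup.log')
        Invoke-Step shutdown @('-r', '-t', '0')          # step 7
    }
    'Join' {
        # Step 8: file DSN without the password, as the post describes (layout assumed).
        @('[ODBC]', 'DRIVER=SQL Server', "SERVER=$SqlServer", "DATABASE=$Database", "UID=$SqlUser") |
            Set-Content -Path 'c:\sql.dsn' -Encoding ASCII
        # Step 9: join the existing farm with the post's switches.
        Invoke-Step "$Media\XenApp Server Configuration Tool\XenAppConfigConsole.exe" @(
            '/ExecutionMode:Join', "/FarmName:$FarmName",
            "/LicenseServerName:$LicenseServer", '/LicenseServerPort:27000',
            '/ZoneName:Default Zone', '/AddUsersGroupToRemoteDesktopUserGroup:True',
            '/AuthenticationType:sql', '/DsnFile:c:\sql.dsn',
            "/OdbcUsername:$SqlUser", "/OdbcPassword:$SqlPassword", '/log:c:\joinfarm.log')
        # Step 11: User Profile Manager, only if the MSI has been copied over.
        if (Test-Path $UpmMsi) { Invoke-Msi $UpmMsi }
        # Step 12: let streamed services (Office 2010) from the profile share start.
        Invoke-Step reg @('ADD', 'HKLM\SOFTWARE\Citrix\Rade', '/v', 'AppHubWhiteList',
                          '/t', 'REG_SZ', '/d', $ProfileServer, '/f')
        Invoke-Step shutdown @('-r', '-t', '0')          # step 10
    }
}
```

After the final reboot the server should appear in the DSC as the post describes; c:\ctxsetup.log and c:\joinfarm.log are where to look if a phase throws.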

You should now see the new server in the DSC and be able to publish applications to it.  Obviously these instructions have not been a fully unattended installation as such but providing you have a system such as Altiris to copy files and execute commands remotely they should be enough for you to build such a process.

Friday 9 July 2010

Citrix Client v12.0 install fails with: Error 1606 Could not access network location components.

I’ve had this error a few times now with a big PC rollout I’ve been doing of the v12.0 client (that’s why I’ve not posted anything for ages!  5000 machines down, 2000 to go…) and thought it might be useful to share.   A scripted install of the client crashes out with the useless error “Could not access network location components”, event ID 11606.

Each time this has been because someone has previously installed Firefox and then uninstalled it (tsk – non-Enterprise ready software!  And users with local admin rights, always a dangerous combination).

To solve, check whether Firefox is installed (probably not – remove it if so) and blow away this registry key that it fails to tidy up:

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla

The install should now sail through just fine.

I’m sure there are other things that could cause this error of course, but I’ve had it a few times now and it’s been a badly removed Firefox installation every time.