
Whitepaper

Setup Guide IGEL Linux, Citrix Receiver 13 and Citrix Storefront

Version 1.02

Sponsored by:

Blog: blog.cloud-client.info

Website: www.cloud-client.info

This document can be distributed / used free of charge and has no commercial background.

It’s not allowed to use parts of this document in other documentations, articles or any other way without the permission by the author. For questions related to the document contact [email protected]

The author is not responsible for any damage related to this document incl. usage of 3rd Party Software or configuration suggestions provided by this document. Please test any provided information in advance!

© Michael Hoting 2015


Task

If you set up a new Citrix XenApp / XenDesktop environment, you might want to use Citrix Storefront as the web frontend. What is important to know, and which ways can be used to provide users with a connection to your XenDesktop / XenApp environment?

Requirements

1) A working XenApp / XenDesktop environment.
2) One or more IGEL Thin Clients running firmware 5.04.100 and higher or 4.14.100 and higher.
3) A working IGEL Universal Management Suite Server running Version 4.07.110 or higher. I will use the Linux version of the UMS, so no Windows paths are shown in the screenshots, but this should be no issue at all.
4) A working Citrix Storefront environment.
5) Certificates configured and enabled to be used in the XenApp/XenDesktop and Storefront infrastructure.
6) The CA certificate in use as a .cer file (base64 / PEM certificate!).
7) A DNS host entry “igelrmserver” which points to the IGEL Universal Management Suite Server; this is required to make sure that the certificate transfer to the client will work. As an alternative you can also use DHCP Option 224 (String/Text); see also the IGEL Universal Management Suite manual.

Please Note

This whitepaper is provided for free without any warranty or support from Citrix, IGEL Technology, BCD-Sintrag AG or cloud-client.info. All configuration tasks are done at your own risk; we are not responsible for any damage related to the use of this whitepaper.

Do not perform these configurations in a running production environment! Users might be disconnected from their session, or the infrastructure might be unavailable during the configuration steps.

This whitepaper covers only the basic and most important configuration settings which are required to get it running. Special configurations, tweaks and similar are not part of this whitepaper.


Citrix Receiver 13, what you should know

To get the best results with Citrix Receiver 13 and Citrix Storefront you must be aware of a couple of things.

1) IGEL firmware now offers support for two Citrix Receiver versions: versions 12 and 13 are available. You can configure this setting in the GUI or in System->Registry->ica.useversion13.

2) Citrix Receiver 13 will not work in a Citrix environment that does not use SSL certificates; you have to use them. There is no option to disable the use of SSL certificates. HTTP connections as used with older Citrix Receivers and the Citrix Webinterface are not possible! There is no way around it, no hidden switch and no tweak.

3) You should use at least IGEL firmware 5.04.100 and higher or 4.14.100 and higher; older IGEL versions come with a Citrix Receiver 13 without SHA2 certificate support. That’s why I strongly recommend having at minimum the 5.04.100/4.14.100 version. SHA1 certificates, which are very common in company environments, will be end of life if they expire after 01.01.2016; see also http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx.

4) Some old registry/wfclient receiver settings/tweaks/features will no longer work with Citrix Receiver 13. Currently known expired settings/features are:
   - Serial port (RS232) mappings will not work.
   - WebCam redirection (HDX Realtime) will not work with the H264 deep compression codec enabled.
   - Only username/password authentication can be used with Citrix Receiver 13.
   - Kerberos is not supported.
   - The Deferred update mode setting will not work with Citrix Receiver 13.
   - The window options for the XenApp/Storefront setup will not work.
   - Smart Card authentication might not work, depending on the server OS and how you connect to the environment. This whitepaper will not cover any Smart Card related setup.


5) Some new settings are available to configure/tweak Citrix Receiver 13. These settings will not work with Citrix Receiver 12; all settings can be found in System->Registry:
   - H264 deep compression codec, requires Multimedia Codec(!)
     - ica.wfclient.h264enabled (disabled by default)
     - ica.wfclient.texttrackingenabled
     - ica.wfclient.smallframesenabled
   - JPEG codec registry keys
     - ica.wfclient.directdecode
     - ica.wfclient.batchdecode (enabled by default)

6) Always refer to the latest IGEL firmware release notes; there might be changes after a new firmware / Citrix Storefront / Citrix Receiver release is available.

Why do you need to deploy certificates?

Since XenDesktop 7 and Storefront, Citrix requires the use of certificates. For IGEL Linux you have to deploy two certificates, because almost all non-Windows operating systems have more than one certificate store.

The first is the web browser certificate. It is used to get information from / access to the Storefront store, and it is used for all Firefox-based tasks.

The second is the SSL certificate. It is used by the Citrix Receiver to secure the connection to the desktop or application you want to connect to.

1 browser certificate + 1 SSL certificate = 2 certificates to deploy, or the same certificate needs to be deployed 2 times. Remember: use the base64/PEM format!

You may want to use different CA certificates, as in scenarios with an internal CA for internal access and an external CA for access via the Internet (sample: internal = mydomain.local and external = mydomain.com). Depending on how you want to use the Thin Clients, you may have to deploy 2 certificates 2 times each; I only want to mention this.

Certificates are always a big task and I focus only on the basics here. Let’s start deploying some certificates to the IGEL.


Deploying the certificates (required for all connection variants)

As already mentioned, you “have” to use an SSL certificate together with Citrix Receiver 13 and Storefront. There is no way around it, but people very often struggle already at this important step. So how to do it right?

First of all, make sure that you have set up DHCP Option 224 or the host entry “igelrmserver” in your environment. This is required to announce the IGEL Universal Management Suite Server to the Thin Clients so that they know “where to get the files”. This is mistake No. 1, and very often the setup already fails here.

Now make sure to have the CA certificate in the “right” format: it must be a *.cer file in X.509 PEM format. A pfx file will not work; ask your CA administrators to provide the right file type and do not try to “just” rename the pfx file. It will not work because the format is still wrong.

If you are using the Citrix Access Gateway, you can follow these steps to generate the right certificate file:

1. Open your Citrix Access Gateway website with a Mozilla Firefox browser.
2. Click on the lock to the left of https://… and choose “More Information”.
3. Click on “View Certificate”.
4. Change to the tab “Details”.
5. Highlight your CA certificate in the Certificate Hierarchy field and click the “Export” button.
6. Save the certificate in X.509 (PEM) format to your desktop and give it the file extension .crt
7. Follow the next steps to deploy the certificate via IGEL Universal Management Suite.
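
A pre-deployment check for the file format and SHA1/SHA2 points above, as an added example that is not part of the original whitepaper: it classifies a file by its content (PEM X.509, DER X.509 or pfx) and reports the signature algorithm. The function names and sample inputs are constructed for illustration; the samples are certificate-shaped stubs, not valid certificates.

```python
import base64
import re

# DER content bytes (hex) of common certificate signature-algorithm OIDs.
SIG_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a864886f70d01010c": "sha384WithRSAEncryption",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _result(fmt, sig=None):
    return {"format": fmt, "pem_x509": fmt == "PEM X.509", "signature": sig,
            "sha1": bool(sig) and "sha1" in sig.lower()}


def inspect_ca_file(data):
    """Classify a file by content (never by extension) and name its signature algorithm."""
    encoding = "DER"
    try:
        m = PEM_RE.search(data)
        if m:
            if m.group(1) != b"CERTIFICATE":
                return _result("PEM " + m.group(1).decode())
            data, encoding = base64.b64decode(b"".join(m.group(2).split())), "PEM"
        tag, outer, _ = read_tlv(data)
        first_tag, first_val, after_first = read_tlv(outer)
        # A PKCS#12 (pfx) container opens with INTEGER 3; a certificate opens
        # with the tbsCertificate SEQUENCE followed by signatureAlgorithm.
        if tag == 0x30 and first_tag == 0x02 and first_val == b"\x03":
            return _result("PKCS#12 (pfx)")
        if tag != 0x30 or first_tag != 0x30:
            return _result("unknown")
        _, alg_seq, _ = read_tlv(outer, after_first)
        _, oid, _ = read_tlv(alg_seq)
    except (ValueError, IndexError):
        return _result("unknown")
    return _result(encoding + " X.509", SIG_OIDS.get(oid.hex(), "OID " + oid.hex()))


# --- Constructed sample inputs (certificate-shaped stubs, not valid certificates) ---
def _der(tag, content):
    return bytes([tag, len(content)]) + content  # short-form lengths suffice here


def _stub_cert(sig_oid_hex):
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))


def _pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


SHA256_PEM = _pem(_stub_cert("2a864886f70d01010b"))
SHA1_PEM = _pem(_stub_cert("2a864886f70d010105"))
SHA256_DER = _stub_cert("2a864886f70d01010b")
RENAMED_PFX = _der(0x30, _der(0x02, b"\x03") + _der(0x30, b""))  # pfx content under a .cer name

if __name__ == "__main__":
    for name, blob in [("ca-sha256.cer", SHA256_PEM), ("ca-sha1.cer", SHA1_PEM),
                       ("ca-der.cer", SHA256_DER), ("renamed-pfx.cer", RENAMED_PFX)]:
        print(name, inspect_ca_file(blob))
```

Only a file reported as `PEM X.509` meets the format requirement stated above; a `sha1` result of `True` points at the SHA1 end-of-life issue from the Citrix Receiver 13 notes.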

Once you have the right certificate file, open the IGEL Universal Management Suite Console; we will now perform the deployment of the certificate.

Open the UMS Console and expand the Files menu on the left side, right-click on Files and select “New File” to open the file assistant. In my case I will deploy the root certificate for the Route66 CA, but it can also be any other CA certificate, depending on the CA used in your environment. Configure it as shown below; please note that I use the Linux version of the UMS, so no Windows paths are shown in my samples.


Click on “OK” and the file will be shown in the UMS GUI. Now repeat this step with the same certificate, but configure it as shown below.

The final result should look like this in the UMS GUI->Files configuration:

Now you can assign the files, like profiles, via drag & drop to the Thin Client folder you want to use with this certificate, and you are set for the certificate setup.

You need to deploy the certificate two times because the web browser and the Citrix Receiver use different certificate stores. Administrators mostly deploy the certificate only once and receive certificate errors as a result.


Enable Citrix Receiver 13

Create a new Profile to enable the Citrix Receiver 13; I recommend doing this configuration in a separate profile.

Make sure the Profile is optimized for firmware 5.03.100 or higher and 4.14.100 or higher; if you choose a “lower” firmware, the setting to enable the Citrix Receiver 13 will not be available.

Select “Ok”, then browse to Sessions->Citrix->Citrix Receiver Selection, enable the configuration and set the option to enable Citrix Receiver 13 as shown below.

Click on Save and assign the configuration to the Thin Clients where you want to use the Citrix Receiver 13. I recommend performing a client reboot now.


How to use Citrix Receiver 13?

You now have four ways to use the Citrix Receiver 13:

1) Using the web browser to access the Storefront website.
2) Using the XenApp/Storefront configuration in the IGEL Setup, configured to use the XenApp/XenDesktop 7.x Store.
3) Using the XenApp/Storefront configuration in the IGEL Setup, configured to use the XenApp/XenDesktop 7.x Legacy Mode (this will not work through Citrix Netscaler!).
4) Using a regular ICA Session (ICA File); this is now only “partly” supported by Citrix.

In this whitepaper we will focus on 1), 2) and 3). Step 4) is tricky and you are required to perform some more configuration. If you want to use 4), please refer to http://blog.cloud-client.info/?p=1155 now.

Please Note: Make sure that you always use a Profile optimized for a firmware that comes with Citrix Receiver 13; otherwise the configurations shown in this whitepaper will not be available and the setup will not work. In the samples I will not perform “any” special configuration; it’s only the basic setup to get it running. All 4 ways require a previously deployed CA certificate; refer to the section “Deploying the certificates” (Page 5 and 6).

In the screenshots you will also see an assigned “Basic Thin Client setup” profile. This profile has nothing to do with the Citrix Receiver configuration and contains only some basic configurations like “Shadowing”, “Language Setup”, “Storage devices” and so on. I only mention this so that you do not get confused about where this profile is coming from.


Way 1: Using the Webbrowser

Using the web browser is a very simple way to use Storefront: just create a new Profile and call it “Storefront Webbrowser access” or similar.

In the profile browse to Sessions->Browser->Browser Sessions and create a new session. In the newly created session select “Settings” and configure the following settings:

1) When Firefox starts = “Show my home page”
2) Startuppage = Your Store URL as shown in the sample configuration below. Make sure that you enter “https://*storefront server as FQDN*/Citrix/*yourstore*”, otherwise it will not work!

That’s it, close the profile and assign it to the Thin Clients.

You can now open the newly created Firefox session on the Thin Client desktop. After you start the session, make sure that no certificate issue is shown in the web browser window. The “Lock” should look like below (marked in red):

If the lock doesn’t look as shown above, the deployed certificates are wrong and you need to deploy the “right” certificates. A wrong lock could also be related to a “wrong” FQDN/web server hostname: verify for which domain the certificate was created and deploy the right certificate. This sometimes happens if you have two certificates used for internal and external access. In any case, the certificate must match the hostname used in the browser URL configuration.


Now the user can log in with his credentials and start the applications/desktops as required.

This way is quite simple and straightforward, but you should be aware that some local thin client configurations will be overwritten by the Storefront Server; it might be required that you perform configurations through the default.ica file hosted on the Storefront Server.

You can also configure the web browser to work in kiosk mode / full screen and so on. This variant will also work if you are using the Citrix Netscaler/Access Gateway in your environment.


Way 2) XenApp/Storefront together with the Store

This way demonstrates how you can use the IGEL together with the XenDesktop/XenApp 7.x Store. In advance you also need to deploy the certificates to the Thin Client and make sure that Citrix Receiver 13 is enabled.

Now create a new Profile and call it “Citrix thru Store” or similar; make sure the Profile is optimized for a firmware that contains the Citrix Receiver 13.

After the profile is opened, browse to Sessions->Citrix->Citrix XenApp/Storefront and configure the Login Page, meaning where the logon icon will be visible to the user (see red marks below as a sample).

Sometimes people forget to configure this and don’t see any icon to start the login.


Now browse to the Server settings page and set up your store URL. Make sure here as well that the FQDN for the server location matches the certificate! If not, it will not work, quite simple; never use the IP here.

To be able to configure the Store settings you also have to enable the Citrix Receiver Selection setting in this profile; this is a limitation coming from IGEL in the Profile configuration. My store settings look like this:

The final configuration for the server settings should look like my sample below:

I repeat: You must use the FQDN that comes with the previously deployed certificate or it will not work!


Now you can configure the other options or the appearance settings as required. For example, I have a lot of applications, so I don’t want to see all these application icons on the desktop and I disable the settings in the Appearance tab.

I also recommend disabling the “Use server settings for all options” setting in the Options tab; I want to configure the ICA Client through the IGEL management tools and not through the Citrix Storefront Server. The reason for this is quite simple: Storefront doesn’t offer all these settings, or I would have to handle the default.ica file on the Storefront Server.

After you’ve finished your configuration you can close the profile and assign it to the Thin Clients.


You will now get a Login icon on the desktop; launch it and the Login Screen comes up.

Log in now with your user credentials; depending on how many applications/desktops you have available, it might take a couple of seconds.

My result appears in the IGEL Start menu as configured; you can now select an application or desktop to start it. It’s quite simple, isn’t it?

If you get this view but also a certificate issue, check which SSL certificate is deployed to the Thin Client. Mostly an issue here is related to the use of a wrong certificate.

When I now select my Win81HDX3D session, the desktop comes up and I can start to work, see below. That’s it, we’re done with the Store access; this way will also work through a Citrix Netscaler/Access Gateway.


Way 3) XenApp/Storefront together with the Legacy Mode

First of all, the Legacy Mode will currently not work through the Citrix Netscaler; this seems to be a limitation coming with the Netscaler, or maybe I am too stupid to get it to work.

To use this mode you have to make sure that the Legacy Mode is enabled in the Storefront configuration. Open the Storefront Management Console and browse to Stores, select the Store where the Legacy Mode should be enabled and verify the configuration as shown below. This configuration page will also provide you with the URL which is needed for the Thin Client configuration (marked in red).

Write down the URL now and open the IGEL Universal Management Suite console, then create a new Profile with the name “Citrix thru Legacy Mode” or similar. Make sure that you optimize the Profile for a firmware which contains the Citrix Receiver 13, and maybe I did not mention it: you have to deploy the required certificates in advance and always work only with the FQDN names the certificates are assigned to!


In the new profile browse to Sessions->Citrix->Citrix XenApp/StoreFront and configure where the Login icon should appear.

Now browse to the Server configuration page and select XenApp/XenDesktop 7.x Legacy Mode as Citrix Server Version. Click on the Start to create a new Server location; the configuration should look similar to my configuration (remember the URL from the Storefront Legacy Support Page (Page 15)). Remember: the FQDN must be used and must match the deployed certificates; I will repeat this every time.


Click OK and add your domain to the Server configuration; the final result should look like this:

In this configuration I will also configure the Citrix Receiver not to use the Storefront configuration (marked in red); it’s my personal best practice to use the IGEL Universal Management Suite to configure the Thin Client Receiver.


As the final step I configure the Appearance again; I don’t want to get all icons on the desktop, given that I have a bunch of applications/desktops available.

When you have finished your configuration you can “Save” the profile and assign it to the Thin Clients.

At the client you can now start the Login session and the Citrix login mask comes up; you can now log in with your credentials. The login takes a couple of seconds, depending on how many applications/desktops are available to the user.


After I select one of the icons the Application comes up and we’re done.