SSL connection between Citrix Delivery Controllers and VDAs, with Receiver for HTML 5 or not

March 8, 2018

We live in a very insecure World…wide web. Therefore the Internet police academy created something called SSL (Secure Sockets Layer), which is “a protocol which creates a secure connection between a client and the server over which to send information” (source: Lea Pachta).

In a Citrix environment you launch resources (desktops and applications) via a client-server model. The client is usually a Windows end point device (Windows 7, 8.1 or Windows 10), a Mac, a Linux desktop, a thin client (running Windows Embedded or something else, such as ThinOS), a “zero client”, or a mobile device (primarily iOS and Android). In order for a client to launch the resources hosted on a server, you need to install client software called Citrix Receiver. The Citrix Receiver (CR) client software is responsible for connecting to the server OS (and also desktop OS) using an ICA file sent via a web server (StoreFront for internal connections and NetScaler for external connections). The CR software is also in charge of opening the virtual channels on the client side that are needed for the communication flow between server and client. There are 32+ virtual channels. The most important ones are keyboard, mouse and video display, but other channels include print, audio, USB, etc. Another explanation, straight from the horse’s mouth, is “A virtual channel consists of a client-side virtual driver that communicates with a server-side application” (source: CTX116890).

There may be situations in which the end user is unable to install the CR on the end point device (locked-down environments, kiosk devices, unsupported OS, etc.). For these situations, Citrix developed a “clientless” Receiver solution, nicknamed “Receiver for HTML 5”. Basically the way it works is this: when an end user connects to a Citrix web server (nowadays called a “StoreFront” server) via a URL and the client doesn’t have the CR software installed, StoreFront queries the client, and if it doesn’t detect the CR software it automatically activates the Receiver for HTML 5 client (provided you configured your StoreFront server to “fall back” to Receiver for HTML 5 (R4H5)). This clientless Receiver is actually an executable stored on the StoreFront server. It is a java based client and will basically encapsulate all the traffic coming from the end point device to the server and vice versa. The R4H5 is periodically updated by Citrix. As of March 2018, when this post is being written, the current R4H5 version is 2.6.4. You can check the current version here. Now the fun part.

I could write you a long story about securing an ICA connection using R4H5, but since I am lazy and ignorant, I am going to point you to a “must read” blog post from a guy named “Spiers”. It is called “Secure ICA connection to VDA using SSL“.


Now that you are an expert on securing the connection between your Delivery Controller and your VDA, you can also review this Citrix documentation on the same:

SSL Configuration on VDA

How to Enable SSL on XenDesktop 7.x Controllers to Secure XML Traffic

We will revisit this topic on another post. There is so much to talk about securing connections in a Citrix environment, this is only the tip of the Iceberg.
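Once SSL is enabled on the VDA and on the Controller, it is worth confirming from a client machine what actually gets negotiated. The script below is an added example written for this post (it is not Citrix code and not taken from the linked guides): it opens a TLS connection, validates the certificate chain and host name the same way a Receiver would, and reports the protocol version, cipher and certificate expiry. The host names are placeholders, and port 443 is an assumption (the default once SSL is enabled on a VDA, or for XML traffic on a Controller).

```powershell
# Added example for this post (not Citrix code): check what a VDA or Delivery
# Controller actually negotiates once SSL has been enabled on it.
function Test-CitrixTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443                      # assumption: default SSL listener port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        # AuthenticateAsClient validates chain and host name; an untrusted or
        # mismatched certificate throws here, which a Receiver would reject too.
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Host     = $ComputerName
            Port     = $Port
            Protocol = $ssl.SslProtocol       # expect Tls12; Tls or Tls11 means the listener still allows old protocols
            Cipher   = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Error    = $null
        }
    }
    catch {
        [pscustomobject]@{
            Host = $ComputerName; Port = $Port; Protocol = 'FAILED'; Cipher = $null
            Subject = $null; Issuer = $null; NotAfter = $null; DaysLeft = $null
            Error = $_.Exception.Message      # connection refused, or chain/name validation failure
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Placeholder names; replace with your own Controller and VDA FQDNs.
'ddc01.lab.example', 'vda01.lab.example' |
    ForEach-Object { Test-CitrixTlsEndpoint -ComputerName $_ } |
    Format-Table -AutoSize
```

A row with Protocol FAILED and a chain or name error in the Error column means the certificate on that machine is not trusted by the client you ran this from; fix the trust before pointing Receivers at it rather than disabling validation.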




Using Netsh command to view TCP Chimney Offload in the operating system

February 26, 2018

TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer (source: Microsoft)

How to configure TCP Chimney Offload in the operating system

  • To enable TCP Chimney Offload, follow these steps:
    1. Use administrative credentials to open a command prompt.
    2. At the command prompt, type the following command, and then press ENTER:
      netsh int tcp set global chimney=enabled
  • To disable TCP Chimney Offload, follow these steps:
    1. Use administrative credentials to open a command prompt.
    2. At the command prompt, type the following command, and then press ENTER:
      netsh int tcp set global chimney=disabled
  • To determine the current status of TCP Chimney Offload, follow these steps:
    1. Use administrative credentials to open a command prompt.
    2. At the command prompt, type the following command, and then press ENTER:
      netsh int tcp show global

These are the results on Windows 10 version 1709 OS Build 16.299.248:

[Screenshot: netsh command showing the Chimney Offload State]


On another note

The registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters displays the following:

[Screenshot: Tcpip Parameters registry key]


Further inside the Tcpip key (under Parameters\Interfaces) you can see the same information plus more details about the DHCP configuration associated with the interface ID:


Here the long number starting with 03dc… is the interface ID (GUID) of the NIC. The registry key displays the DHCP information of the card in use:

[Screenshot: DHCP values for the interface, including the DHCP domain]
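The netsh line and the registry screenshots above are the same data seen two ways. The script below is an added example for this post (not from Microsoft's documentation) that collects both as objects: it parses the Chimney Offload State out of netsh, then walks the Interfaces subkeys and maps each GUID back to an adapter name. The DHCP value names are the ones under that key; using Get-NetAdapter for the mapping and [DateTimeOffset] for the lease time are assumptions that hold on Windows 8 / Server 2012 and later.

```powershell
# Added example for this post (not from Microsoft docs): the same information the
# netsh command and the registry screenshots show, collected as objects.
function Get-TcpChimneyState {
    # Parses "Chimney Offload State : disabled" out of the netsh output
    $line = netsh int tcp show global | Where-Object { $_ -match 'Chimney Offload State' }
    if (-not $line) { return 'not reported' }   # newer builds drop the line entirely
    ($line -split ':', 2)[1].Trim()
}

function Get-InterfaceDhcpInfo {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    # Map the GUID-named subkeys back to adapter names (Get-NetAdapter is an
    # assumption: Windows 8 / Server 2012 or later).
    $names = @{}
    Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.InterfaceGuid] = $_.Name }
    foreach ($key in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $key.PSPath
        if (-not $p.DhcpIPAddress) { continue }   # static or never-connected interfaces carry no DHCP values
        $lease = $null
        if ($p.LeaseTerminatesTime) {               # stored as Unix epoch seconds (DWORD)
            $lease = [DateTimeOffset]::FromUnixTimeSeconds([int64]$p.LeaseTerminatesTime).LocalDateTime
        }
        [pscustomobject]@{
            InterfaceId    = $key.PSChildName      # the long {03dc...} style GUID from the post
            Adapter        = $names[$key.PSChildName]
            EnableDHCP     = [bool]$p.EnableDHCP
            DhcpIPAddress  = $p.DhcpIPAddress
            DhcpSubnetMask = $p.DhcpSubnetMask
            DhcpServer     = $p.DhcpServer
            DhcpDomain     = $p.DhcpDomain
            DhcpNameServer = $p.DhcpNameServer
            LeaseExpires   = $lease
        }
    }
}

"Chimney Offload State: $(Get-TcpChimneyState)"
Get-InterfaceDhcpInfo | Format-List
```

Interfaces with an empty Adapter column are leftovers from NICs that are no longer present; the registry keeps their last DHCP lease details until the key is cleaned up.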

Additional recommended reading on the topic:

List of Hotfixes for 2008 R2 Servers with RDS Role installed applicable for Citrix environments

November 7, 2017

KB2775511 – KB2647753 – KB2871131 – KB2728738

KB2896256 – KB2778831 – KB2748302 – KB2908190

KB2920289 – KB917607 – KB3014783 – KB2878084 (conn-disc)
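To check a server against this list without clicking through Installed Updates, here is an added example for this post (the KB list is the post's, the checking logic is new). It uses Get-HotFix, which can also query a remote 2008 R2 host, and reports which of the listed KBs are not present. The object construction uses New-Object so it also runs under the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example for this post: check which of the hotfixes listed above are
# present on a 2008 R2 RDS/XenApp server. The KB list is the post's; the check is new.
$RequiredHotfixes = @(
    'KB2775511','KB2647753','KB2871131','KB2728738',
    'KB2896256','KB2778831','KB2748302','KB2908190',
    'KB2920289','KB917607','KB3014783','KB2878084'
)

function Get-HotfixStatus {
    param(
        [string[]]$Required = $RequiredHotfixes,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $installed = Get-HotFix -ComputerName $ComputerName | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Required) {
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            HotFixID  = $kb
            Installed = [bool]($installed -contains $kb)
        }
    }
}

# Report only the missing ones
Get-HotfixStatus | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

One caveat: Get-HotFix reads Win32_QuickFixEngineering, which only lists updates that registered themselves there. A hotfix reported as missing should be confirmed in Programs and Features > Installed Updates before you reinstall it.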


Reference Document:

How to enable Host to Client redirection for Server 2012 R2 VDA on XenApp 7.x

August 16, 2017

These are the essential steps:

  1. Enable the Citrix Studio policy “Host to Client Redirection” (on the Delivery Controller)
  2. Copy the reg file text further below into a Notepad text file to generate a .reg file (on the Server VDA)
  3. Copy the XML text further below into a Notepad text file to generate an .xml file (on the Server VDA)
  4. Run gpupdate /force from an elevated CMD prompt (on the Server VDA)
  5. To test, publish the ICA Desktop for the Server VDA
  6. Launch the SVDA desktop and open a WordPad document
  7. Type a URL and click on it
  8. It will open the website in the local browser on the client where you launched the ICA Desktop
  9. If it did, congratulations! You are done!


Let’s say you want to open two web sites on the client and all other websites on the Server VDA. That is simple:

  1. Log on to the Server VDA (via RDP or the hypervisor console) and open the registry
  2. Create this key: HKLM\Software\Wow6432Node\Citrix\SFTA
  3. Create a value of type REG_MULTI_SZ named ValidSites
  4. Click Modify and type the first site (or a * wildcard form of it), then also type the second site
  5. Note: make sure you completed steps 1 to 9 above before creating this variation
  6. Repeat steps 6 to 9 above; both sites (google and msn) will open locally on the client
  7. If you type a different site in your WordPad document, it should open on the SVDA
  8. If it did, congratulations! You just completed a “white list” variation with 2 sites.
  9. Citrix calls it: “Enable host to client redirection for a specific set of web sites”

Source: Citrix E-Docs

Reg file to be created as described in step 2 of the “Essential steps” above

Windows Registry Editor Version 5.00
@="\"C:\\Program Files (x86)\\Citrix\\system32\\iexplore.exe\" %1"
"ApplicationDescription"="Server FTA URL."
"ApplicationIcon"="C:\\Program Files (x86)\\Citrix\\system32\\iexplore.exe,0"

  1. Copy and paste the text above into a Notepad file in the Server VDA
  2. Save the Notepad file with “Save As” as type All Files and the name ServerFTA.reg.
  3. Double click the ServerFTA.reg file on the Server VDA to import into its registry
  4. You are done with this part


XML file to be created as described in step 3 of the “Essential steps” above

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier="http" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
  <Association Identifier="https" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
</DefaultAssociations>

  1. Copy and paste the text above into a Notepad file in the Server VDA
  2. Save the Notepad file with “Save As” as type All Files and the name ServerFTAdefaultPolicy.xml.
  3. The XML file should be saved in to Windows\System32 folder in the SVDA
  4. In the Group Policy Management Console, navigate to Computer Configuration > Administrative Templates > Windows Components > File Explorer > Set a default associations configuration file, and provide the path to the ServerFTAdefaultPolicy.xml file you created.
  5. You are done with this part too!


Additional notes:

  • If the server VDA is Windows Server 2008 R2 SP1, you do not need to set registry keys or Group Policy.
  • If the server VDA is Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016, you must set registry keys and Group Policy on the Server VDA (as described in this blog post)
  • This blog post is our version of the official Citrix E-Docs. This blogger tested the above steps and they worked fine in lab environment
  • Good luck testing and using it!
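For a lab where you repeat this on several Server VDAs, here is a scripted version of the registry, XML and whitelist steps above. It is an added example written for this post, not Citrix's code: it imports the ServerFTA.reg you saved, writes ServerFTAdefaultPolicy.xml into System32, optionally creates the ValidSites REG_MULTI_SZ under the SFTA key, and runs gpupdate. The site values are constructed placeholders, and the -SetLocalPolicy switch assumes that DefaultAssociationsConfiguration under HKLM\SOFTWARE\Policies\Microsoft\Windows\System is the registry value behind the “Set a default associations configuration file” setting; in a domain, keep using the GPMC step from the post instead.

```powershell
# Added example for this post (not Citrix's code): scripted version of the
# registry, XML and policy steps above for a Server 2012 R2 / 2016 VDA.
# Run in an elevated PowerShell on the Server VDA.
function Install-ServerFta {
    param(
        [Parameter(Mandatory)][string]$RegFile,    # the ServerFTA.reg you saved from the text above
        [string[]]$ValidSites = @(),               # optional whitelist variation
        [switch]$SetLocalPolicy                    # lab/standalone only; in a domain use the GPO step
    )
    if (-not (Test-Path -Path $RegFile)) { throw "Reg file not found: $RegFile" }

    # Step 2 of the reg-file section: import ServerFTA.reg
    & reg.exe import $RegFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

    # Step 3 of the XML section: write ServerFTAdefaultPolicy.xml into System32
    $xml = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier="http" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
  <Association Identifier="https" ProgId="ServerFTAHTML" ApplicationName="ServerFTA" />
</DefaultAssociations>
'@
    $xmlPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\ServerFTAdefaultPolicy.xml'
    Set-Content -Path $xmlPath -Value $xml -Encoding UTF8

    # Step 4 of the XML section, done locally instead of in GPMC. Assumption: this
    # is the registry value behind "Set a default associations configuration file".
    if ($SetLocalPolicy) {
        $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        New-Item -Path $pol -Force | Out-Null
        New-ItemProperty -Path $pol -Name DefaultAssociationsConfiguration -PropertyType String -Value $xmlPath -Force | Out-Null
    }

    # Whitelist variation: ValidSites REG_MULTI_SZ under the SFTA key
    if ($ValidSites.Count -gt 0) {
        $sfta = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\SFTA'
        New-Item -Path $sfta -Force | Out-Null
        New-ItemProperty -Path $sfta -Name ValidSites -PropertyType MultiString -Value $ValidSites -Force | Out-Null
    }

    gpupdate /force | Out-Null      # step 4 of the essential steps

    # Show what was written so it can be compared with the post's steps
    [pscustomobject]@{
        XmlFile    = $xmlPath
        ValidSites = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Citrix\SFTA' -ErrorAction SilentlyContinue).ValidSites
    }
}

# Constructed example sites for the whitelist variation; replace with your own.
Install-ServerFta -RegFile 'C:\Temp\ServerFTA.reg' `
    -ValidSites 'https://www.example.com', 'https://intranet.example.org' `
    -SetLocalPolicy
```

Leave out -ValidSites to get the plain “everything opens on the client” behaviour from the essential steps; pass it to get the whitelist variation, where only the listed sites redirect and everything else stays on the SVDA.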


Notes of an App Layering presentation

June 6, 2017

The user layer is married to the OS layers

It is a stack of image templates.

When you publish it all you get is a single VHD image

The elastic layer doesn’t show up until user logs on

We only track the ID of the OS layer

Elastic Layer will work on Windows 7 build 1507 and Windows 7 build 1603

Layers  have an intrinsic priority

The Elastic Layer assigned app has a unique priority based on the P# or Package ID #

App layer is above  NTFS level

PVS is below NTFS level

CLI command: FLTMC will list the filter drivers:

  • FSDepends
  • UPMjit (UPM driver)
  • Unitfltr
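To turn that fltmc listing into something you can check on every layered machine, here is an added example for these notes (not part of the presentation): it parses the output of fltmc filters into objects and reports whether the three drivers named above are loaded and at what altitude. The driver names are the ones in the notes; the parsing assumes the English fltmc column layout (name, instances, altitude, frame), and fltmc itself needs an elevated prompt.

```powershell
# Added example for these notes: parse "fltmc filters" and confirm the filter
# drivers named above are loaded. Driver names are the ones in the notes.
function Get-FilterDriver {
    foreach ($line in (fltmc filters)) {
        # Header and separator lines do not match; legacy filters without an
        # instance count are skipped as well.
        if ($line -notmatch '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\S+)') { continue }
        [pscustomobject]@{
            Name      = $Matches[1]
            Instances = [int]$Matches[2]
            Altitude  = $Matches[3]   # higher altitude = attached closer to the application
            Frame     = $Matches[4]
        }
    }
}

function Test-LayeringFilter {
    param([string[]]$Expected = @('FSDepends', 'UPMjit', 'Unitfltr'))
    $loaded = Get-FilterDriver
    foreach ($name in $Expected) {
        $match = $loaded | Where-Object { $_.Name -ieq $name }
        [pscustomobject]@{
            Filter   = $name
            Loaded   = [bool]$match
            Altitude = if ($match) { $match.Altitude } else { $null }
        }
    }
}

Test-LayeringFilter | Format-Table -AutoSize
```

The altitude column is what the “above NTFS / below NTFS” remarks in the notes are about: it is the position in the filter stack, so comparing it with the antivirus filter's altitude on the same machine tells you which one sees a file operation first.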

Version 12.1.6 – It is the most recent version of Symantec EP tested. Version 14 has not been tested

VHD is read in the context of the user

It has Elastic layer but no user layer

Once our filter driver is in we add a 2nd partition

The user writable partition is 10 gb

Unidesk has some internal tools, but we also need to know what kind of ammunition our clients have, meaning which tools are available to them.

Muting the camera shutter on the iPhone 7

April 9, 2017

It appears that it is illegal to turn off the shutter when you take a picture using a digital phone in the US; I have read that the law states that cell phones containing digital cameras must make a sound when taking a picture (need validation) but there are two easy ways to minimize the annoyance of the shutter:

  1. Put your phone in Mute
  2. Lower the volume to the lowest possible settings

There you have it!


Some components of the Logon process in RDS/Citrix environments

January 30, 2017

smss.exe – Session Manager subsystem – As the name suggests, this process is in charge of managing session creation and logoff.

Winlogon – “Winlogon handles interface functions that are independent of authentication policy. It creates the desktops for the window station, implements time-out operations, and provides a set of support functions for the GINA.” source: Microsoft MSDN

userinit.exe ( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ): this value specifies the programs that Winlogon runs when a user logs on.

mpnotify.exe ( C:\WINDOWS\system32\mpnotify.exe ): is responsible for loading network providers including the single sign on network provider (pnsson.dll) for the ICA client.

These are not the only processes invoked during logon process.
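Because Winlogon runs whatever Userinit and Shell point to, and mpnotify loads whatever network providers are registered, these registry locations are worth reading on a VDA build and comparing with a known-good one. The script below is an added example for this post (not from the Microsoft or Citrix documentation): it reads the Winlogon values and flags any that differ from the stock defaults, then lists the network provider order with each provider's DLL. The defaults are assumptions for a clean install, so treat a mismatch as something to review, not automatically as a problem; the PnSson entry mentioned above is a legitimate Citrix provider.

```powershell
# Added example for this post: read the logon-related registry values mentioned
# above and flag anything that is not the stock Windows default.
function Test-LogonRegistry {
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal; anything after it is extra
        Shell    = 'explorer.exe'
    }
    foreach ($name in $expected.Keys) {
        $actual = [string]$winlogon.$name
        [pscustomobject]@{
            Setting    = "Winlogon\$name"
            Actual     = $actual
            Expected   = $expected[$name]
            AsExpected = ($actual.Trim() -ieq $expected[$name])
        }
    }
    # Network providers loaded via mpnotify, in load order (PnSson is the ICA
    # single sign-on provider from the post)
    $order = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    [pscustomobject]@{
        Setting    = 'NetworkProvider\Order\ProviderOrder'
        Actual     = $order
        Expected   = '(review)'
        AsExpected = $null
    }
    foreach ($provider in ($order -split ',')) {
        # Each provider's DLL comes from its service key; an unknown DLL here deserves a look
        $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$provider\NetworkProvider" -ErrorAction SilentlyContinue).ProviderPath
        [pscustomobject]@{ Setting = "Provider $provider"; Actual = $dll; Expected = '(review)'; AsExpected = $null }
    }
}

Test-LogonRegistry | Format-Table -AutoSize
```

Run it on a freshly built VDA, save the output, and diff later runs against it; the provider list in particular changes when agents are installed or removed, and a provider whose ProviderPath is empty or points outside System32 or the vendor's install folder is the line to investigate.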



The three types of caches used by IE 10 and IE 11 on Windows 8 and later and Saved Passwords in IE

January 7, 2017

IE 10 and 11 have three types of cache to be aware of:

#1 AppData\Local\Microsoft\Windows\INetCache (temporary Internet files)

#2 AppData\Local\Microsoft\Windows\WebCache (IE browser cache)

#3 Password folders

#1 The Temporary Internet Files for Windows 8 and later are located in AppData\Local\Microsoft\Windows\INetCache:


This folder contains all the temporary Internet files from Microsoft Windows computers. It  contains files – such as images, HTML pages, executable and script files – that Internet Explorer has downloaded from websites visited by the user.

#2 The WebCache is located here: AppData\Local\Microsoft\Windows\WebCache

It contains the browser cache history and it can grow in size very rapidly

To delete the cache history you can use the Ctrl-Shift-Delete to open the browsing history window

For a complete list of items in the cache check this Microsoft  article.
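On a shared RDS or Citrix server the interesting question is which users' caches are growing, not just where they live. The script below is an added example for this post (not from Microsoft's article): it walks every profile under the Users folder and reports the size of the INetCache and WebCache folders above, plus the WebCacheV01.dat database on its own. The profile root is assumed to be $env:SystemDrive\Users, and reading other users' AppData requires running it as an administrator.

```powershell
# Added example for this post: per-profile size of the two cache folders above,
# so you can see which users' WebCache databases are growing.
function Get-FolderSizeMB {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 0 }
    $bytes = (Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [math]::Round($bytes / 1MB, 1)
}

function Get-IECacheUsage {
    param([string]$ProfileRoot = "$env:SystemDrive\Users")   # assumption: default profile location
    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory) {
        $inet = Join-Path -Path $profile.FullName -ChildPath 'AppData\Local\Microsoft\Windows\INetCache'
        $web  = Join-Path -Path $profile.FullName -ChildPath 'AppData\Local\Microsoft\Windows\WebCache'
        $db   = Join-Path -Path $web -ChildPath 'WebCacheV01.dat'
        [pscustomobject]@{
            Profile      = $profile.Name
            INetCacheMB  = Get-FolderSizeMB -Path $inet
            WebCacheMB   = Get-FolderSizeMB -Path $web      # database plus its ESE log files
            WebCacheDbMB = if (Test-Path -Path $db) { [math]::Round((Get-Item -Path $db -Force).Length / 1MB, 1) } else { 0 }
        }
    }
}

Get-IECacheUsage | Sort-Object -Property WebCacheDbMB -Descending | Format-Table -AutoSize
```

The sizes are read while the database may be open by the logged-on user's taskhost, which is fine for measuring; deleting it is a different matter and needs the processes stopped first, which is what the logoff batch file in the WebCache post handles.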

#3 Password folders –  Internet Explorer contains folders related to Saved passwords

These are the folders for the passwords:


Licensing Diagnosis in 2012 R2

January 7, 2017

Unlike 2008 R2 RDS servers, where the RDS Session Host Configuration contains the Licensing Diagnosis screen, on 2012 R2 RDS servers you need to issue this command in order to check RDS licenses:



source: Citrix article

Deleting the WebCache database – The IE browser cache

January 7, 2017

How to delete the webcache file:

Read this blog for a clever way of deleting the webcache file Database, the WebCacheV01.dat file located in the %LocalAppData%\Microsoft\Windows\WebCache\ folder

Create a batch file and paste the content below:

@echo off
rem Stop the COM+ System Application and the host processes that keep the database open
net stop COMSysApp
taskkill /F /IM dllhost.exe
taskkill /F /IM taskhost.exe
taskkill /F /IM taskhostex.exe
rem Delete the WebCache database and its log files for the user logging off
del /Q %LocalAppData%\Microsoft\Windows\WebCache\*.*
net start COMSysApp
echo on

Save the batch file as “ClearIECache.cmd” and add it to the logoff script.

Side note: The AppData\Local\Microsoft\Windows\INetCache is where the IE temporary files are located


Reason: Read on:


“…Starting with IE10, IE moves the browser cache to a Jet Blue database (also known as ESE database or .edb file), and the old index.dat memory-mapped file is obsoleted. You may read this blog to learn the benefits of this change; this is not the key topic in our article. With the new cache implementation, the cache files are saved in the %LocalAppData%\Microsoft\Windows\WebCache\ folder. And the cache files will be created when a new user logs on.

Actually, the database is a file named WebCacheV01.dat in the cache folder, and its initial size could be around 20-32MB. The size of this file will keep increasing as you browse more and more websites. Unfortunately, there’s no way to control the initial size of this database; in other words, the minimal size of this file could be >20MB. Now, let’s suppose there are 1000+ users for this terminal server; then in total >20,000MB of space is required for every user’s cache database file at least. In this situation, your C drive space will probably be used up as time goes on.

Then, how to avoid this issue happening? Maybe you are thinking about deleting the cache files, right? Exactly, this is the only way to resolve the issue. However, the problem is, you are unable to delete the cache files manually even if you are a local admin of this server. Don’t worry, here’s a batch file which can help to delete the cache files. Please save the below contents into a ClearIECache.cmd file and try to run this file.”

source: AsiaTech: Microsoft APGC Internet Developer Support Team