SSL and TLS under Citrix

November 13, 2016


In Citrix environments, security is always considered a top priority. As a matter of fact, one of the mottos of the company is “We securely Deliver application and data”

Citrix's flagship product, XenApp/XenDesktop, focuses on delivering applications and desktops securely, as this white paper suggests:

“XenApp keeps sensitive corporate information protected in the data center, but employees still need secure access to the XenApp infrastructure. Applications published using XenApp are accessible through Citrix Receiver™—a lightweight client that can be installed on any type of device,”

Citrix has two backend software packages to handle web authentication: Web Interface (5.4 was the latest and last version available) and StoreFront (3.7 is the latest version as of November 2016)

Web Interface 5.4: Is TLS 1.2 or 1.1 supported?

No it’s not. Upgrade to StoreFront 3.x.
On page 173 of the product documentation guide for Web Interface 5.4 you will find the following paragraph:

” Transport Layer Security –
Transport Layer Security (TLS) is the latest, standardized version of the SSL protocol. The
Internet Engineering Taskforce (IETF) renamed it TLS when they took over responsibility for
the development of SSL as an open standard. Like SSL, TLS provides server authentication,
encryption of the data stream, and message integrity checks.
Support for TLS Version 1.0 is included in all supported versions of XenApp for Windows and
XenDesktop. Because there are only minor technical differences between SSL Version 3.0
and TLS Version 1.0, the server certificates you use for SSL in your installation also work
with TLS.
Some organizations, including U.S. government organizations, require the use of TLS to
secure data communications. These organizations may also require the use of validated
cryptography, such as Federal Information Processing Standard (FIPS) 140. FIPS is a standard
for cryptography.
Note: The maximum SSL/TLS certificate key size supported by the Web Interface for Java
Application Servers is 2048 bits.”

TLS 1.2 and 1.1 are not mentioned anywhere here, hence an upgrade is highly recommended.
Also, since WI 5.4 was designed in C# and Microsoft ended support for C# nearly two years ago, no enhancement request will be possible.

The Wikipedia explanation:

“Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network.[1]Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites use TLS to secure all communications between their servers and web browsers.”

Why use TLS and not SSL:

The TLS (Transport Layer Security) protocol has superseded SSL. Although many products support both SSL and TLS, and the term “SSL” is often used to describe both, the difference between SSL and TLS is crucial. Use TLS. SSL is no longer secure.

Cryptography in the TLS protocol:

Cryptography in the TLS protocol is selected by a TLS cipher suite, which is negotiated between the client and server. This defines the cryptographic algorithms that are used for the connection.

Cipher suites are named in the form TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. This can be interpreted as follows:

• TLS is the protocol (Transport Layer Security)

• ECDHE_RSA is the key exchange algorithm (Elliptic Curve Diffie-Hellman)

• AES_256_CBC is the cipher (Advanced Encryption Standard, Cipher Block Chaining)

• SHA384 is the (MAC) message authentication code (Secure Hash Algorithm)

Examining the key exchange algorithm, ECDHE indicates that this cipher suite offers forward security. RSA indicates that an RSA digital certificate must be used.

Examining the cipher, AES_256_CBC indicates that this cipher suite uses a 256-bit key in CBC mode.

Examining the MAC, SHA384 indicates that this cipher suite uses the HMAC-SHA384 algorithm.

The cipher suite does not identify the version of the TLS protocol and many cipher suites are common to different TLS versions. Note: The naming scheme above is the one from the TLS standards. Some implementations, including OpenSSL and Citrix NetScaler, use a slightly different naming scheme for historical reasons. (For example, TLS1.2-ECDHE-RSA-AES-256-CBC-SHA384 corresponds to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.)

Strong and weak cipher suites

In this context, a weak cipher suite is one that can be attacked successfully now or projected in the next few years. (An attack may be difficult, but is at least possible.) Advances in technology, tools and techniques may weaken ciphers well before their initially projected lifespan and the known strength of ciphers should be periodically verified through NIST and other trusted sources.

Cipher suites containing the following algorithms are generally considered weak:

• DES (although 3DES—also known as TripleDES or TDEA—is not generally considered weak)

• RC2

• RC4

Additionally, the so-called ‘export’ or ‘step-down’ cipher suites are weak. These cipher suites limit the length of the signing key to 512 bits, which can be broken by brute force. These weak ‘export’ cipher suites were devised to satisfy export considerations that have not applied for many years. Strong cipher suites can and should be used instead.

Hashing algorithms including the SHA1 and MD5 are also considered weak for signatures in digital certificates, with SHA-256 being specified as the minimum standard. The usage of previous algorithms is so weak that public certificate authorities will no longer issue certificates that use them. Digital certificates using MD5 or SHA1 should be replaced. Some platforms, including Microsoft Windows, are already preventing their use.

In summary, for TLS today, the following are considered weak:


source: Citrix White Paper on SSL and TLS

Preferred cipher suites

AES is a block cipher: every block cipher is used in a particular mode of operation. Three of these modes have been standardized within TLS, as part of the cipher definition:

• AES-CBC (Cipher Block Chaining)

• AES-CCM (Counter with Cipher Block Chaining-Message Authentication Code). This mode is rarely used.

• AES-GCM (Galois Counter Mode)

The CBC mode is more widely supported than GCM, including in TLS version 1.0 and version 1.1. The GCM mode is often preferred to CBC mode, because:

• It is higher-performance

• It is resistant to side-channel attacks, specifically padding oracle attacks such as Lucky Thirteen. (However, such attacks against CBC mode can be mitigated in other ways.)

• It is resistant to adaptive plaintext attacks, specifically the BEAST (Browser Exploit Against SSL/TLS) attack. (Again, this attack against CBC mode is mitigated in version TLS 1.1 or in other ways.)

Some authorities prefer GCM: others nevertheless still prefer CBC
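The naming scheme and the weak-algorithm list above, as an added Python example (not code from the Citrix white paper or from this blog): it splits standards-style suite names into the parts described and flags only what the text calls weak, namely DES, RC2, RC4 and export suites. The function names and the sample offer list are constructed for illustration; only names of the form TLS_<kx>_WITH_<cipher> are accepted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Weak primitives named in the text. 3DES is deliberately absent because
# the text does not class it as weak; DES40 is the 40-bit export form of DES.
WEAK_PRIMITIVES = {"DES": "DES", "DES40": "DES", "RC2": "RC2", "RC4": "RC4"}
MODES = ("CBC", "GCM", "CCM")
DIGEST_RE = re.compile(r"^(MD5|SHA\d*)$")
NAME_RE = re.compile(r"TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)")


@dataclass
class CipherSuite:
    name: str
    key_exchange: str            # e.g. ECDHE_RSA
    cipher: str                  # e.g. AES_256
    mode: Optional[str]          # CBC, GCM, CCM; None for stream ciphers
    digest: Optional[str]        # HMAC hash (CBC/stream) or PRF hash (GCM)
    aead: bool                   # GCM/CCM carry their own integrity tag
    forward_secrecy: bool        # ephemeral (EC)DHE key exchange
    findings: List[str] = field(default_factory=list)


def parse_suite(name: str) -> CipherSuite:
    """Split a TLS_<kx>_WITH_<cipher>[_<digest>] name into its parts."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a TLS_<kx>_WITH_<cipher> name: {name!r}")
    kx, rest = m.group(1), m.group(2).split("_")
    # CCM suites (e.g. TLS_RSA_WITH_AES_128_CCM) have no trailing digest.
    digest = rest.pop() if DIGEST_RE.match(rest[-1]) else None
    if not rest:
        raise ValueError(f"no cipher component in {name!r}")
    mode = next((t for t in rest if t in MODES), None)
    cipher = "_".join(rest[: rest.index(mode)]) if mode else "_".join(rest)

    findings = []
    if rest[0] in WEAK_PRIMITIVES:
        findings.append(f"weak cipher {WEAK_PRIMITIVES[rest[0]]}")
    if "EXPORT" in kx.split("_"):
        findings.append("export (step-down) suite")
    return CipherSuite(
        name=name, key_exchange=kx, cipher=cipher, mode=mode, digest=digest,
        aead=mode in ("GCM", "CCM"),
        # The text names ECDHE; DHE is also ephemeral and is treated alike.
        forward_secrecy=kx.split("_")[0] in ("ECDHE", "DHE"),
        findings=findings,
    )


def audit(names: List[str]) -> Dict[str, List[str]]:
    """Return {suite name: findings} for suites that hit a weak-list rule."""
    report = {}
    for name in names:
        suite = parse_suite(name)
        if suite.findings:
            report[name] = suite.findings
    return report


# Constructed sample: a suite list as a scanner might report for one server.
SAMPLE_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   # the name dissected in the text
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CCM",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]

if __name__ == "__main__":
    for n in SAMPLE_OFFER:
        s = parse_suite(n)
        status = "; ".join(s.findings) or "no weak-list hit"
        print(f"{n}: kx={s.key_exchange} cipher={s.cipher} mode={s.mode} "
              f"digest={s.digest} fs={s.forward_secrecy} -> {status}")
```

A suite name says nothing about the TLS protocol version or about the signature hash of the server certificate, so the SHA1/MD5 certificate check described above has to be made against the certificate itself.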

SSL/TLS in XenApp 7.x:

SSL 7.6:

“Configuring a XenApp or XenDesktop Site to use the Secure Sockets Layer (SSL) security protocol includes the following procedures:

  • Obtain, install, and register a server certificate on all Delivery Controllers, and configure a port with the SSL certificate. For details, see Install SSL server certificates on Controllers.

    Optionally, you can change the ports the Controller uses to listen for HTTP and HTTPS traffic.

  • Enable SSL connections between users and Virtual Delivery Agents (VDAs) by completing the following tasks:
    Requirements and considerations:

    • Enabling SSL connections between users and VDAs is valid only for XenApp 7.6 and XenDesktop 7.6 Sites, plus later supported releases.
    • Configure SSL in the Delivery Groups and on the VDAs after you install components, create a Site, create Machine Catalogs, and create Delivery Groups.
    • To configure SSL in the Delivery Groups, you must have permission to change Controller access rules; a Full Administrator has this permission.
    • To configure SSL on the VDAs, you must be a Windows administrator on the machine where the VDA is installed.
    • If you intend to configure SSL on VDAs that have been upgraded from earlier versions, uninstall any SSL relay software on those machines before upgrading them.
    • The PowerShell script configures SSL on static VDAs; it does not configure SSL on pooled VDAs that are provisioned by Machine Creation Services or Provisioning Services, where the machine image resets on each restart.

For tasks that include working in the Windows registry:

Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.”

Positional Parameters in PowerShell: understand them but don’t overuse them

October 30, 2016



This PoSh guru blog makes a good point: use positional parameters in an interactive PowerShell console, but don’t use them in scripts. Your goal is to write better, clear and consistent code; positional parameters are more of a shortcut if you are in a hurry, but are not considered best practice.

“Explanation: Positional and partial parameter names can be used for the interactive Powershell console to speed up our work, but not in scripts.

It takes more time to write the named parameter but your code will be more clear and consistent.

Positional parameters can be more difficult to read especially with cmdlets supporting multiple parameters.
Besides, the command will fail if the correct order is not respected (parameter order mixed up).

Moreover, with future versions of Powershell there is no guarantee that these parameters keep the same position.
A script created using positional parameters in the past could have a different behaviour in the future, but with named parameters there is no issue.

You can use Show-Command to see the Best Practice action as it will use the full cmdlet name and the named parameter.” source: PoSh guru

How to enable debug view for Android Logs

October 30, 2016

Android devices  have a unique way of providing USB debugging mode

See this link for complete article including nice screenshots:

How to Enable USB Debugging Mode on Android

This is a summary of the article above:

The way to enable USB Debugging mode, which is considered the key step in the Android rooting process, varies from one Android version to another. USB Debugging is required by adb, which is used for rooting, backing up, installing a custom ROM, taking screenshots from a computer and more.

For older versions of Android (Android 2.0-2.3.x): Settings > Applications > Development > USB Debugging.

For newer versions of Android (Android 3.0-4.1.x): Settings > Developer Options > USB Debugging

For the newest versions of Android (Android 4.2.x and higher): In Android 4.2 and higher versions, the Developer Options menu and USB Debugging option have been hidden. In former 4.X versions of Android, the USB Debugging option is under the Developer Options menu.

First, you need to enable “Developer Options Menu”.

  1. Click Menu button to enter into App drawer.
  2. Go to “Settings”.
  3. Scroll down to the bottom and tap “About phone” or “About tablet”,
  4. Scroll down to the bottom of the “About phone” and locate the “Build Number” field.

Now the fun part:

    1. Tap the Build number field seven times to enable Developer Options. Tap a few times and you’ll see a countdown that reads “You are now 3 steps away from being a developer.”
    2. When you are done, you’ll see the message “You are now a developer!”.
    3. Tap the Back button and you’ll see the Developer options menu under System on your Settings screen.

Now, you can enable USB Debugging mode.

4. Go to Settings>Developer Options>USB Debugging. Tap the USB Debugging checkbox

Android 5.0 Lollipop

To enable USB Debugging on Android 5.0 Lollipop is the same as Android 4.2.x.

  1. Settings > About Phone > Build number > Tap it 7 times to become developer;
  2. Settings > Developer Options > USB Debugging.

Warning: USB Debugging should only be enabled when you need it. Leaving it enabled all the time is a security risk, because this mode grants high-level access to your device. For example, if you connect your Android phone to a USB charging port in a public location, the port could use the USB access to read data on your phone or install malware. This can happen only when USB debugging mode is enabled.

To disable USB Debugging and other developer options when you don’t need them, slide the switch at the top of the screen to OFF.


source: Kingo Root

The 98 verbs of PowerShell

October 30, 2016

PowerShell contains 7 different groups of commands, as follows:

Common commands: 34 verbs

Data Commands: 24 verbs

Lifecycle Commands: 20 verbs

Diagnostics commands: 7 verbs

Communication commands: 6 verbs

Security commands: 6 verbs

Other commands: 1 verb (use)

This is the complete list as of October 29, 2016 when typing the command:



This list is based on the following version of PowerShell installed on my Windows 10 Desktop workstation:


Receiver Android Logs

September 20, 2016


When it comes to Citrix Receiver Android logs, the collection of the logs per se may not provide any insights or conclusive evidence of a connection issue between an Android device and a StoreFront server or NetScaler appliance. Sometimes you may need these logs too:

  • StoreFront debug view traces
  • CDF (an event tracing controller/consumer utility from Citrix) from all the DDCs
  • CDF from the application server (Citrix Scout can be used on the DDC and on the Server VDA or Desktop VDI in lieu of the CDF Trace; Scout has the CDF utility built in)
  • Receiver Logs


Android Connection Issues to StoreFront

This is a related article for Android devices not being able to add the first store in StoreFront when connecting to StoreFront using the TLS 1.2 protocol. If you are using TLS 1.2 on your StoreFront server you can try (pasted here for convenience):


If your StoreFront Server is using TLS 1.2, you can force Receiver for Android to use the same TLS protocol as the StoreFront Server using the following workaround:

Create a text file named receiverconfig.txt with the following content:


Place the text file in the /sdcard/ directory on the device.

Stop Receiver for Android via the App Manager. (On Android 4.4.2, go to Settings > Application Manager > Receiver > Force Stop.)

Relaunch Receiver and add the account again.

More details about this procedure and the possible values for SslSdkProtocolNumber can be found in the Citrix Receiver for Android 3.8 OEM Reference Guide

Here’s an example that shows how to generate messages in thread output format using LogCat: adb logcat -v thread

Other Documents related to the topic

Citrix Docs

LogCat – Android Studio (Developer site)

adb logcat -v thread Controlling Log Output Format

What is a leap second?

September 13, 2016

Leap Seconds – Leap seconds have been added 26 times since 1972. They’re inserted at the end of the last day of either June or December. The leap second will be added to the world’s clocks at 23 hours, 59 minutes and 59 seconds Coordinated Universal Time (UTC) on December 31 2016. This corresponds to 6:59:59 p.m. Eastern Standard Time, when the extra second will be inserted at the U.S. Naval Observatory’s Master Clock Facility in Washington, DC

Does it affect Citrix XenApp/XenDesktop?

Answer here from last occurrence:

I don’t think it has changed

Does it affect Citrix Netscaler?

Answer here from the last Citrix update in June 2015:

Potential problems related to the leap second issue:

What is a Citrix Roll UP Pack?

September 11, 2016

Have you heard of Microsoft Service Packs?

Citrix Roll UP Packs are the equivalent in the Citrix world.

Citrix provides several types of hotfixes for its line of products:

Private release hotfixes. These are of very limited range: they address specific issues for a small subset of customers. Only offline and escalation engineers are allowed to provide those hotfixes, so you need to open a support case with Citrix.

Limited release hotfixes. These are a broader-range type of hotfix but are not available to the general public unless you sign in to an account (which is free, but you need to register to get one). Some customers and partners can download these; customers who don’t see the “download” button on the page need to call Citrix Support, and the front-line engineer should be able to provide them with the hotfix.

Public release hotfixes. As the name suggests, they are available to the general public. Citrix Roll UP Packs are examples of public hotfixes. However, not all public hotfixes are roll up pack hotfixes; they can be individual hotfixes that usually contain fixes for specific components. Examples: printing related, performance related (BSOD, slowness), USB related, graphics related, and so on and so forth.

In the IMA (Independent Management Architecture) based line of products, the latest rollup pack is Roll Up Pack 07 (R07 for short)

Note: currently, as of September 2016,  only XenApp 6.5 is supported in the IMA based architecture. The support should end in August 2018 (source: Citrix page )

Private hotfixes can become limited release hotfixes or public release hotfixes, depending how “popular” they become.

Roll up pack hotfixes may contain past private (or formerly private), limited and public release hotfixes, or even hotfixes never released before, which obviously were not part of any previous release hotfixes or roll up packs.


R07 contains 20 hotfixes post R06

R07 contains 8 hotfixes post R05

R07 contains all previous rollup pack hotfixes (from R01 to R06)

R07 contains 28 unique hotfixes


To identify which Roll Up Pack is installed in your Citrix environment, the easiest way is to open the XenApp 6.5 Apps Center console, open the “Servers” container and, on the right pane, click on the Hotfix Details page. It will list the current Roll UP Pack hotfix installed on each server. As a best practice, all servers should be on the latest Roll UP Pack. If that is not doable for any reason, at least the Zone Data Collectors should be on the latest version of the Roll UP Pack.



What about Citrix FMA (Flexcast Management Architecture) based hotfixes?

FMA is  a newer technology used on newer version of Citrix Products

Usually called the 7.x family of products, which includes the following versions

XenDesktop 7.0

XenDesktop 7.0 Apps Edition

XenApp/XenDesktop 7.1

XenApp/XenDesktop 7.5

XenApp/XenDesktop 7.6

XenApp/XenDesktop 7.6.300

XenApp/XenDesktop 7.6 LTSR (currently 7.1.1000)

XenApp/XenDesktop 7.7

XenApp/XenDesktop 7.8

XenApp/XenDesktop 7.9

XenApp/XenDesktop 7.11 (coming between Sep and Dec 2016) (source)

Note: When you install XenApp/XenDesktop you are installing the exact same binaries. The main difference between the two is the type of license in use. The XenDesktop license will allow both Desktops (Server and Desktop OS’s) and apps to be launched; the XenApp license alone won’t allow you to launch Server OS’s and apps published on these Server OS’s (see the feature differences here). The licenses are divided into concurrent and user/device.

See this FAQ for detailed info on licenses: FAQ XA/XD Licensing

One of the reasons for so many “SUB” releases is the inclusion of hotfixes plus new features combined. As one of the Citrix blogs put it:

“…Each release also contains hotfixes from previous releases, making it a better quality release. There are dedicated engineering resources on upgrades who have helped increase upgrade test and automation coverage to 100% of the upgrade path table above, which has added significantly to confidence in the upgrade quality.”

and some more reasoning:

“…The inclusion of hotfixes, plus full end-to-end testing during releases, reduces the risk of errors. Being able to upgrade directly (for example, from 7.1 to 7.8) without intermediate upgrades, reduces administrative costs and lowers the probability and risk of unknown failures….” (source: Citrix blog: XenApp & XenDesktop Upgrades are Now Easy as Pie )

I hope you have enjoyed this article!







Differences between Citrix UPM Folder Redirection and Microsoft Folder Redirection

September 8, 2016

First a quick intro:

When users logon to a Windows machine, they need to have a profile loaded

By default if you logon to a windows workstation (Windows 7, 8, 8.1 or 10) you get a local profile

If you logon to a Windows Server (2008 R2, 2012 R2, 2016) you also get a local profile on the server

Microsoft also has different profile options such as:

  • Roaming (as the name suggests, it roams as you move from machine to machine)
  • Mandatory (every one receives the same profile when they log on to a machine)
  • Temporary (this is an indication of a problem)

So basically, these are the four profiles that most of us know: Local, Roaming, Mandatory and Temporary.

Other companies also provide some other Profile Management solutions

In this post, we will be focusing on a Citrix  profile solution called UPM.

Citrix User Profile Manager or simply Citrix UPM is a profile management solution offered by Citrix

IMPORTANT NOTE: Keep in mind that Citrix UPM is a free product and can be used in Windows environments that don’t have the Citrix flagship products such as XenApp and XenDesktop installed

Citrix UPM is not required in Citrix environments either, but it certainly helps.

A Citrix UPM profile is very similar to Microsoft Roaming profile

The major difference is on the number of policy settings available for Citrix UPM solution versus Microsoft Roaming solution

Basically, Citrix UPM is more robust  and flexible and allows for more granular configuration

Since the focus of this post is on the Folder Redirection component, I will not focus on the main differences between Citrix UPM and Microsoft Roaming profiles, however, I will focus on the main differences between  Citrix Folder Redirection and Microsoft Folder Redirection


  1. Citrix UPM Folder Redirection is enabled via policy
  2. Citrix UPM Folder Redirection is a “USER ” Configuration policy setting (unlike all the other Citrix UPM policy settings, which are under  COMPUTER Configuration)
  3. Citrix UPM Folder Redirection can be enabled by Citrix Studio Policies (XenApp or XenDesktop 7.x, meaning any version like 7.6, 7.7, 7.8, 7.9 or 7.11 will contain a policy node for UPM and UPM Folder Redirection)
  4. Citrix UPM Folder Redirection can also be enabled via Active Directory GPO’s
  5. You can enable Citrix UPM Folder Redirection policies either via Studio or via AD GPO but not via both methods. Honestly, it could be done but it is not considered BEST PRACTICES and it is usually a disaster waiting to happen (hard to troubleshoot when your company changes Citrix Admin employees or AD employees/admins; this is primarily a documentation issue). So, don’t do it!
  6. Use Citrix Studio to enable Citrix UPM Folder Redirection if you don’t have access to AD GPO’s (in large organizations a Citrix admin doesn’t necessarily have access to the AD GPO Mgmt console) or if you want to make Citrix Administration easier (in my personal case that is the reason why I like to manage Citrix UPM and UPM Folder Redirection in Studio; I like it better and find it extremely easy to configure)
  7. It is easy to identify if you are using Studio or AD to manage Citrix UPM: Open the registry in a Server or Desktop VDA and navigate to HKLM-Software-Policies-Citrix; if Studio was used you will see User Profile Manager-HDX; if AD GPO was used, you will see User Profile Manager. It is that simple!
  8. GOTCHA note! Read important note #2 above again: The UPM Folder Redirection is a “USER” policy setting, so you won’t see UPM Folder Redirection under: HKLM-Software-Policies-Citrix but under HKLM-Software-Policies-Citrix-[Session ID]-User

Now, the judgmental question and answer you are waiting for:

Which one is better, faster? Citrix UPM Folder Redirection or Microsoft Folder Redirection?

The quick answer: Microsoft Folder redirection is better/faster!

The politically correct  answer: It depends!

The slow, technical and more elaborate answer:

Citrix UPM Folder Redirection  adds an extra level of complexity or processing by using the JIT driver (Just in Time). The JIT drive… (to be continued)




What is “Zettabyte era” ?

September 8, 2016

Definition: Zettabyte is a unit of information equal to one sextillion (10^21) or, strictly, 2^70 bytes. (source: define:zettabyte – Google)

The zettabyte is a multiple of the unit byte for digital information. The prefix zetta indicates multiplication by the seventh power of 1000 or 10^21 in the International System of Units (SI). A zettabyte is one sextillion (one long scale trilliard) bytes.[1][2][3][4][5] The unit symbol is ZB.

1 ZB = 1000^7 bytes = 10^21 bytes = 1000000000000000000000 bytes = 1000 exabytes = 1 million petabytes = 1 billion terabytes = 1 trillion gigabytes.

A related unit, the zebibyte (ZiB), using a binary prefix, is equal to 1024^7 bytes.

source: Wikipedia

When we talk about the Zettabyte era, it is worth mentioning:

“In 2016 the world has entered the “zettabyte era”:The Global IP traffic will reach 1.1 zettabytes, or over 1 trillion gigabytes.
By 2020 global IP traffic will reach 2.3 zettabytes” source: The Global Technology Report

Important Points: We are at the dawn of the Fourth Industrial Revolution,
which represents a transition to a new set of systems, bringing together digital, biological, and physical technologies in new and powerful combinations

The Networked Readiness Index 2016 or NRI:

“…The composition of the group of top 10 performers is unchanged from last year. The group consists of a mix of high-income Southeast Asian (Singapore and Japan)
and European countries (Finland, Sweden, Norway, the Netherlands, Switzerland, the United Kingdom, and Luxembourg) as well as the United States. Networked
readiness therefore remains highly correlated with per capita income.
Europe remains at the technology frontier with seven out of the top 10 NRI countries being European. Yet the performance range is wide, with Greece dropping four places to 70th position and Bosnia and Herzegovina closing the group at 97. Several Eastern
European countries—notably the Slovak Republic, Poland, and the Czech Republic—are making big strides, landing spots in the top 50 of the NRI; better affordability
and large improvements in economic and social impacts are contributing to this success in these three countries in a major way. Italy is another notable mover this year,
improving 10 places to reach 45th position as economic and social impacts of ICTs are starting to be realized (up 18 in the global impact rankings).

The Eurasia region continues its upward trajectory, with the average NRI score for the region increasing significantly since 2012. In particular, it is notable that the improvement is observed across all four elements that make up the Index: Environment, Readiness, Usage, and Impact. The region is led by Kazakhstan, which continues on its positive trajectory of recent years to land in 39th position this year. Leading the Emerging and Developing Asian economies in 2016 is Malaysia, which continues to perform strongly and moves up one spot to 31st position overall; this performance is supported by a government that is fully committed to the digital agenda. The top five in the region in terms of overall ICT readiness remain China, Malaysia, Mongolia, Sri Lanka, and Thailand, as in 2015. The group of Emerging and Developing Asian countries has been both moving up and converging since 2012. Individual usage in the region is still one of the lowest in the world, but has been growing strongly in recent years. The performance range of countries in the Latin America and Caribbean region remains widely dispersed with almost 100 places between Chile (38th) and Haiti (137th). There was no clear trend from 2015 to 2016 in terms of relative performance, with Chile and Haiti staying put; of the remaining group, half of the countries improve their ranking and the other half drop. Considering the absolute NRI score, however, the region has been moving up and converging since 2012. In order to foster the innovation forces that are key for thriving in the digitized world and the emerging Fourth Industrial Revolution, many governments in the region will urgently need to reinforce efforts to improve the regulatory and innovation environment in their countries. The UAE (26th) and Qatar (27th) continue to lead the Arab world when it comes to networked readiness.
The MENAP region (Middle East, North Africa, and Pakistan) is home to two of the biggest movers in this year’s rankings: Kuwait (61st, up 11) and Lebanon (88th, also up 11). In both cases, individuals are leading the charge with the business sector catching up and strongly contributing to the successful performance. Although governments are lagging behind in terms of digital adoption (81st in Kuwait, 124th in Lebanon), the business community in both countries is registering an increased weight on ICTs in government vision and efforts to improve the regulatory environment. This year’s NRI also sees several sub-Saharan African countries among the top upward movers, including South Africa (65th, up 10), Ethiopia (120th, up 10), and Côte d’Ivoire (106th, up 9). Leadership in terms of digital adoption is coming from different groups of stakeholders. Although efforts are very much government-driven in Ethiopia and Côte d’Ivoire, the business sector is providing the most momentum in South Africa. Going forward, the largest barriers to tackle for Côte d’Ivoire will be infrastructure and affordability; reversing the trend of a deteriorating business and innovation environment for South Africa; and individual usage and skills for Ethiopia…”

You can read the full 306 page long report here:

Setting UP Remote PC Access using XenApp/XenDesktop 7.9

September 2, 2016


Let’s say Mr Jones, the accountant for your company, works from home once a week and decides to access his work machine while at home.

You could have him use one of the good 3rd party applications out there such as GotoMyPC, Logmein, TeamViewer, Dameware, RealVNC, WebEx, SecureLink, etc.


If your company has a XenApp or XenDesktop (XA/XD) 7.x infrastructure that allows external connectivity from your home machine to your company applications, you could try the following:

Proposed Solution:

You can use a nice feature in XA/XD called Remote PC Access to access your work machine  from home


If you are the Citrix Administrator, and Mr Jones, the accountant would like to access his office machine at work from home, here are the steps for you to configure Remote PC Access on Mr Jones computer.

Assumptions: Mr Jones PC is  a domain joined Windows based PC.

  1. Install the Desktop VDA software on the physical workstation in Mr Jones’ office (as of September 1st 2016, the most current version of the VDA is 7.9)

Note: If the OS running on Mr Jones machine is a desktop OS such as Windows 7 , Windows 8 or Windows 10, download the Desktop OS VDA software from here.

Then, open Citrix Studio on the Delivery Controller (DDC), click on the Machine Catalog Node and select the option to create a Machine Catalog and follow the prompts
