What do we need for a Citrix Virtual Apps and Desktops (XenApp and XenDesktop) deployment?

• Active Directory
• Citrix Delivery Controller
• Citrix Storefront
• One Citrix Virtual Delivery Agent (VDA)
• Citrix License Server
• A Database Server (SQL Server)

I will be consolidating Citrix Delivery Controller, Storefront, and License Server into one VM since this is a lab environment. In a production environment, you would use 2 VMs for Citrix Delivery Controller (for High Availability – HA), two for Citrix Storefront, and one for the License Server. The VDA count depends on user size.

Using the same two VMs for Delivery Controller and Storefront is also viable.

In my lab, all the servers are housing Windows Server 2019 Datacenter.

First, download the ISO on citrix.com. You will need an account and if you don’t have any partnership with Citrix, it is very difficult to get those files. There is a form you can fill and all you can do afterward is hope that they give you the files. Otherwise, there is no way of getting them publicly.

After mounting the ISO Autoselect.exe can be run.

Select Virtual Apps and Desktops. Virtuals Apps would just publish single programs as apps.

Start by installing Delivery Controller and other components.

Just in case you are wondering: Some obvious steps will not be shown.

We are installing all the features on the same server. Like I said, Delivery Controller and Director should be on one server, License Server on another, and Storefront on another. Storefront and Delivery Controller should have 2 VMs each for High Availability.

I am also using SQL Express on the same server. Normally you would use a dedicated instance on a separate database server.

The server will be restarted. You will need to mount the ISO again and select the target folder:

And after some time…

Our main tool is going to be Citrix Studio.

Make sure you a logged in with a domain user. Local users are not supported.

Configuring a new site.

These parameters will be automatically populated if SQL Express is being used. If using a separate database server a script can be generated to create the databases and tables.

My license server is hosted on the same server.

A connection to VMware or Hyper-V can be made. I am using Azure.

I will select “Other Tools” this time, I’ll make a post about Citrix MCS another time.

Enter your Azure Subscription ID and any name and then select “Create New”.

You will log in to Azure AD. This process creates a new Service Principal in Azure AD that allows Citrix to start, stop, create, and delete VMs in Azure.

In your Subscription under Access control (IAM) you will see a new App Principal as a Contributor.

App-V and AppDNA is not our focus right now.

Here is the summary of my settings.

To deliver a desktop we need at least one server to connect to.

Create a new VM, join it to the domain, and install the Virtual Delivery Agent (VDA).

Run autoselect.exe inside the ISO again.

We are not creating a Master Image for MCS. The Delivery Group will have a catalog of one machine.

Citrix Workspace App is not needed. You can de-select it.

I did not select any additional components.

Add the Delivery Controller.

Enable both features

Leave Firewall Rules to automatic.

Prerequisites will be installed.

Server will restart twice.

Create a Machine Catalog containing the Remote Desktop Session Host.

This is a server with multiple users connecting to it.

Select the VM and the computer account.

Give it a name.

Create a Delivery Group.

Select the Machine Catalog we just created

You should probably create a custom group to limit the users.

Add a new desktop and give it a name. I use “TreatAsApp” to show both Desktops and Apps in one tab.

Under Search, we can see if the server has successfully registered with the Delivery Controller.

Now the Desktop can be started through http://ctx01.company.lab/Citrix/StoreWeb/

Configure Storefront to use SSL

Open Internet Information Services (IIS)

Create a self-signed certificate (I do not have Active Directory Certificate Services on my lab environment). I might do a post about that in the future.

Run through the wizard (easy).

Make sure you select the personal certificate store.

Add a new Binding on port 443.

Select the certificate you just signed.

Now both 80 and 443 are active:

Change the Base URL to HTTPS

Now HTTPS is being shown:

Configure Passthrough authentication

The storefront URL should be added to the intranet zone for pass-through authentication to function properly.

Also, configure pass-through authentication for Receiver for Web Sites.

Change loopback communication to OnUsingHttp:

Change “Enable loopback communication” to OnUsingHttp

Set this Site as default in IIS:

Configure Delivery Controller to use SSL

Storefront does not accept self-signed certificates, so an internal Certificate Authority is needed for SSL communication between Storefront and Delivery Controller.

That's it! It was a long but very interesting post.

Saving credentials and secrets inside your code is a very bad idea and should be avoided. PowerShell has built-in commands to export and import encrypted data in your code.

There might be a lot of ways to achieve this, but this is how I like to do it. This is very elegant and easy to implement.

Let’s say we have a secret password that we want to secure and avoid saving in the source code.

$secretPW = "SecretPassword" | ConvertTo-SecureString -AsPlainText -Force

We can export this variable to an encrypted XML file with

$secretPW | Export-Clixml -Path .\secret.xml

The password is not human readable:

To import this file use

$secretPW = Import-Clixml -Path .\secret.xml

The plain-text password can be obtained through (I had to split the command into two lines)

[System.Runtime.InteropServices.Marshal]::
PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secretPW))

Just outputting the variable won’t show the password, because the variable is a System.Security.SecureString object.

Credentials can also be saved this way:

$credentials = Get-Credential

You can show the plain-text password with

$credentials.GetNetworkCredential().password

$credentials | Export-Clixml -Path .\credentials.xml

Only the username is shown in clear text.

Same thing again with the import

$credentials = Import-Clixml -Path .\credentials.xml

$credentials.GetNetworkCredential().password

The password can be decrypted by the same user that created the XML file on that specific computer.

References:

https://devblogs.microsoft.com/scripting/decrypt-powershell-secure-string-password/

https://pscustomobject.github.io/powershell/functions/PowerShell-SecureString-To-String/

A while ago I wrote an article that described all the steps necessary to obtain a free SSL certificate with a validity of 90 days. Check it out: https://www.ajni.it/2019/06/claiming-a-free-ssl-certificate-for-your-website/

While it's good to know how things work, the task gets boring and repetitive if you have to do it every 3 months and in my case for two different domains. This is why I wrote a small and straightforward script in Python3 that does that all for me.

ZeroSSL offers an API that allows us to automate this task by making some HTTP calls with an API key obtainable after registering.

I have uploaded the script on GitHub, check it out:

https://github.com/ajnik/ZeroSSL-CertRenew

There are some variables that must be changed:

• Line 19: API key
• Line 20: Domain name
• Line 43 to 52: Request paramteres (O, OU, L, ST, C)

Execute the script with

python3 ZeroSSL_CertRenew.py

The script does no exception handling. I might improve it in the future.

Let me know if you have any suggestions. I am pretty new to Python programming so every tip is welcome.

Today I got a new Linux VPS, therefore I decided to show you all the steps I took to migrate to my WordPress site to the new server.

The VPS is hosted on Evolution Host, if you are looking for a server, check them out at https://evolution-host.com/vps-hosting.php. The cheapest one goes for 5€/month.

So let's get started.

Firstly, it is always good practice to update the OS.

apt update

apt upgrade

Install apache2

apt install apache2

Install php7.3. By default, version 7.3 will not be detected. The repository PPA must be added. You might need the first command if the "add-apt-repository" is not available.

apt install software-properties-common

add-apt-repository ppa:ondrej/apache2

apt-get install php7.3

You should see the Apache2 default site if you enter the IP address in your browser:

Now enable the MySQL extension in the PHP config file:

nano /etc/php/7.3/apache2/php.ini

Remove the comment (semicolon) at extension=pdo_mysql. You can search with CTRL+W in Nano GNU editor.

CTRL+X saves the file.

Now install php7.3-mysql

apt-get install php7.3-mysql

The root directory of your WordPress files can be created:

mkdir -p /var/www/website

Make a config file for Apache2 from the default config.

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/website.conf

Change the config file. ServerName and ServerAlias should be your site name along with the DocumentRoot.

I use https exclusively, check my tutorial if you want to know how it is done (I highly recommend using https): https://www.ajni.it/2019/06/claiming-a-free-ssl-certificate-for-your-website/

nano /etc/apache2/sites-available/website.conf

Enable the site:

a2ensite website.conf

Reload the service like advised.

service apache2 reload

Download the latest WordPress version from https://wordpress.org/latest.tar.gz.

Since I am doing a migration, I just unzipped the files from my backup.

cd /var/www/website

wget https://wordpress.org/latest.tar.gz -O wordpress.tar.zip && tar -xzvf wordpress.tar.zip

mv wordpress/* .

Install MySQL server

apt-get install mysql-server

Now create a new database and a user in MySQL. As root you don’t have to enter a password.

mysql -u root -p

CREATE DATABASE wordpress;

CREATE USER 'someusername'@'localhost' IDENTIFIED BY 'somepassword';

GRANT ALL PRIVILEGES ON wordpress . * TO 'someusername'@'localhost';

I have to import the WordPress database from backup:

mysql -u root -D wordpress < db_20-05-2020.db

exit

Now you can access the WordPress through a browser, you will be asked to enter a site name, username with a password, etc.

You might also need to enable URL rewriting for Permalinks.

a2enmod rewrite

Disabling the default site is also a good idea

a2dissite 000-default.conf

There are some other important things you should enable in order to secure your server properly.

nano /etc/apache2/apache2.conf

These lines will not advertise the Apache2 version, enforce TLS 1.2 and strong ciphers, while unsafe ones (like MD5) are discarded.

ServerTokens Prod

SSLProtocol TLSv1.2

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM

service apache2 restart

That's it. If you have questions, just comment down here!

What is DNS over HTTPS ? Well it's basically an encrypted way of querying DNS. Normally DNS uses port 53 to communicate with the server and query the name we want. But all of that traffic is in plain-text and thus it is very easy to poison that communication. DNS over HTTPS is secure because it uses certificates to encrypt traffic (just like HTTPS websites).

Mozilla Firefox makes it very easy to enable this feature. Just open the settings and search for "DNS over HTTPS":

In the connection settings enable DNS over HTTPS. You could also add a custom provider. Here is a good list: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

Microsoft Edge does not have a user-friendly way of activating the feature (yet).

In the edge://flags/ search for "DNS" and you will find the corresponding setting:

Unfortunately Microsoft Edge does not allow custom providers. Hopefully they will one day.