Documentation made easy

I want to start this year, and this first post, by explaining the use and need of NetBox!

NetBox is a free and amazing tool that helps you with control and documentation of your systems. NetBox can help you with IPAM (IP address management) and DCIM (Data Center Infrastructure Management).

To get your infrastructure and network automated, one of the most important things is to have a single SOT (source of truth). What does the infrastructure look like right now? If some of the network is documented in Excel and the rest only in vCenter, it will be hard or impossible to automate. This works well for your home network as well as for big enterprise companies. NetBox comes from the network engineering team at DigitalOcean.

NetBox is easy to install and use. I don't explain the install process here since there is a lot of good documentation and many videos on the web, but I want to spread the word about this tool. It has helped me a lot in different projects to get control of the network and to start automating the inventory. NetBox comes with a REST API that you can use with other tools or to create your own scripts. Also, NAPALM is fully integrated, which helps you with network automation (Network as Code). NAPALM stands for "Network Automation and Programmability Abstraction Layer with Multivendor support". The name is far too long, but the functionality gives NetBox a flying start that is absolutely worth trying.

I have successfully integrated NetBox with the following:

  • Cisco IOS Switches and Routers
  • Cisco Nexus Switches
  • Vmware vCenter

I hope this short introduction makes you interested in installing NetBox and exploring all the possibilities it gives.


Read more in the documentation for NetBox and NAPALM on the links here:

Citrix VAD Database migration

Citrix Virtual Apps and Desktops consists of 3 databases: Logging, Monitoring and the Site database. Logging and Monitoring can be moved with the GUI (Studio), but the Site database needs to be moved with PowerShell. After some struggling, and with no good documentation or guides, I finally found a solution that I want to share.

Logging and Monitoring

As mentioned, these databases can be moved within Studio. Do it like this:

  1. Stop database logging and monitoring:
    1. Stop logging with this PowerShell command: “Set-LogSite -State Disabled”
    2. Stop monitoring with this PowerShell command: “Set-MonitorConfiguration -DataCollectionEnabled $False”
  2. Take a full SQL backup of both databases.
  3. Log into Studio and click “Configuration”. Select the Logging or Monitoring database and choose “Change Database” on the right side. Repeat this operation for both databases.
  4. After both databases are created on the new SQL server, you need to restore the backups to get the old data. If you don't need the old data you can skip this step.

Site Database

This database needs to be moved with PowerShell. Start on the first DDC and complete this before starting on the second DDC.

  1. Back up the old database and restore it on the new SQL server. Remember to check that the ACL on the database is correct (same as on the old server).
  2. Next, remove the DBConnection on the DDC with the following PowerShell commands:
## Load the Citrix snap-ins
asnp Citrix.*

## Disable configuration logging for the XD site:
Set-LogSite -State Disabled

## Clear the current DDC database connections
Set-ConfigDBConnection -DBConnection $null
Set-AppLibDBConnection -DBConnection $null    #7.8 and newer
Set-OrchDBConnection -DBConnection $null      #7.11 and newer
Set-TrustDBConnection -DBConnection $null     #7.11 and newer
Set-AcctDBConnection -DBConnection $null
Set-AnalyticsDBConnection -DBConnection $null # 7.6 and newer
Set-HypDBConnection -DBConnection $null
Set-ProvDBConnection -DBConnection $null
Set-BrokerDBConnection -DBConnection $null
Set-EnvTestDBConnection -DBConnection $null
Set-SfDBConnection -DBConnection $null
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null   #Monitoring Database
Set-MonitorDBConnection -DBConnection $null                      #Site Database
Set-LogDBConnection -DataStore Logging -DBConnection $null       #Logging Database
Set-LogDBConnection -DBConnection $null                          #Site Database
Set-AdminDBConnection -DBConnection $null -force

3. Next you need to restart all Citrix services. This can be done with PowerShell:

Get-Service Citrix* | Stop-Service -Force
Get-Service Citrix* | Start-Service

4. Before adding the new connection, check that the DBConnection is clean. The output of each of these commands should be empty:

Get-ConfigDBConnection
Get-AcctDBConnection
Get-AnalyticsDBConnection              #  for 7.6 and newer
Get-AppLibDBConnection                 #  for 7.8 and newer
Get-OrchDBConnection                   #  for 7.11 and newer
Get-TrustDBConnection                  #  for 7.11 and newer
Get-HypDBConnection
Get-ProvDBConnection
Get-BrokerDBConnection
Get-EnvTestDBConnection
Get-SfDBConnection
Get-MonitorDBConnection
Get-LogDBConnection
Get-AdminDBConnection

5. To set the new DBConnection values, run the following commands. Remember to correct the DB server name and the DB names before you run them.

$ServerName = "NEW SQL SERVER FQDN"
$SiteDBName = "CTX_Site"
$LogDBName = "CTX_Log"
$MonitorDBName = "CTX_Mon"
$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True"
$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True"

Set-AdminDBConnection -DBConnection $csSite
Set-ConfigDBConnection -DBConnection $csSite
Set-AcctDBConnection -DBConnection $csSite
Set-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer
Set-HypDBConnection -DBConnection $csSite
Set-ProvDBConnection -DBConnection $csSite
Set-AppLibDBConnection -DBConnection $csSite # 7.8 and newer
Set-OrchDBConnection -DBConnection $csSite # 7.11 and newer
Set-TrustDBConnection -DBConnection $csSite # 7.11 and newer
Set-BrokerDBConnection -DBConnection $csSite
Set-EnvTestDBConnection -DBConnection $csSite
Set-SfDBConnection -DBConnection $csSite
Set-LogDBConnection -DBConnection $csSite
Set-LogDBConnection -DataStore Logging -DBConnection $null
Set-LogDBConnection -DBConnection $null
Set-LogDBConnection -DBConnection $csSite
Set-LogDBConnection -DataStore Logging -DBConnection $csLogging
Set-MonitorDBConnection -DBConnection $csSite
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null
Set-MonitorDBConnection -DBConnection $null
Set-MonitorDBConnection -DBConnection $csSite
Set-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring
Set-LogSite -State Enabled

6. Finally, run the check again (the same Get-*DBConnection commands as in point 4) to verify that all fields now have a value. Also check in Studio that it starts normally and shows that the Site database has been moved.
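As an added check (my example, not code from the original post), this script runs the Get-*DBConnection cmdlets listed above in one go and stops if any connection is still set, so a service cannot silently stay pointed at the old SQL server when the new connection strings are applied. It assumes the Citrix snap-ins are loaded on the DDC and that Get-LogDBConnection/Get-MonitorDBConnection accept -DataStore in the same way as the Set- forms used above.

```powershell
# Added example: verify every DDC database connection is cleared before step 5.
asnp Citrix.*

# Cmdlets from the post; version-specific ones are skipped if the snap-in lacks them.
# The -DataStore Logging/Monitor forms are assumed to mirror the Set- cmdlets above.
$checks = @(
    @{ Name = 'Get-ConfigDBConnection' },
    @{ Name = 'Get-AcctDBConnection' },
    @{ Name = 'Get-AnalyticsDBConnection' },   # 7.6 and newer
    @{ Name = 'Get-AppLibDBConnection' },      # 7.8 and newer
    @{ Name = 'Get-OrchDBConnection' },        # 7.11 and newer
    @{ Name = 'Get-TrustDBConnection' },       # 7.11 and newer
    @{ Name = 'Get-HypDBConnection' },
    @{ Name = 'Get-ProvDBConnection' },
    @{ Name = 'Get-BrokerDBConnection' },
    @{ Name = 'Get-EnvTestDBConnection' },
    @{ Name = 'Get-SfDBConnection' },
    @{ Name = 'Get-MonitorDBConnection' },
    @{ Name = 'Get-MonitorDBConnection'; Args = @{ DataStore = 'Monitor' } },
    @{ Name = 'Get-LogDBConnection' },
    @{ Name = 'Get-LogDBConnection'; Args = @{ DataStore = 'Logging' } },
    @{ Name = 'Get-AdminDBConnection' }
)

$leftovers = foreach ($c in $checks) {
    # Skip cmdlets that do not exist in this CVAD/XenDesktop version.
    if (-not (Get-Command $c.Name -ErrorAction SilentlyContinue)) { continue }
    $params = if ($c.Args) { $c.Args } else { @{} }
    $value = & $c.Name @params
    if (-not [string]::IsNullOrEmpty($value)) {
        [pscustomobject]@{
            Cmdlet     = $c.Name
            DataStore  = $params.DataStore
            Connection = $value
        }
    }
}

if ($leftovers) {
    $leftovers | Format-Table -AutoSize
    throw 'One or more DB connections are still set; do not apply the new connection strings yet.'
}
Write-Host 'All DB connections are cleared; safe to set the new connection strings.'
```

Run it after the service restart and again after the new connection strings are set; in the second run every cmdlet should be reported, which confirms nothing was missed.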

Another good article that covers some other details can be read here.

Finally CCU in Citrix Cloud

Today Citrix announced that Citrix Virtual Apps and Desktops service in Citrix Cloud is now available for purchase under a Concurrent licensing model.

https://www.citrix.com/blogs/2020/04/08/concurrent-licensing-is-here-for-citrix-virtual-apps-and-desktops-service/

Almost all installations I have done on-prem use the CCU license model. That Citrix Cloud only had per user/device licensing was a big drawback. With CCU in place, many more customers can move over to Citrix Cloud. With the same license model and the new features from the Cloud, I think this can be the point where Citrix Cloud takes over the share from on-prem and maybe becomes the biggest product for Citrix in 2020.

With this change, licensing and all features are in place, and it's now time to take a deeper look into Citrix Cloud. I'm not sure how Citrix will handle conversion from on-prem CCU to Cloud CCU, since this was released today, but I think more info will come within the next weeks.

Netscaler vulnerability permanent fixes

Yesterday Citrix released the remaining permanent firmware fixes for the previously identified vulnerability, CVE-2019-19781. To help everyone, Citrix has made them available to all customers, regardless of their maintenance entitlement.

Permanent fixes for CVE-2019-19781 for ADC versions 13.0, 12.1, 12.0 and 11.1 are available now. These fixes also apply to Citrix ADC/Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).

To install the security fixes, all Citrix ADC/Gateway instances (MPX or VPX) must be upgraded to the following builds:

  • 13.0: build 13.0.47.24
  • 12.1: build 12.1.55.18
  • 12.0: build 12.0.63.13
  • 11.1: build 11.1.63.15
  • 10.5: build 10.5.70.12

For more details, please refer to the CVE KB.

If you want more info about this vulnerability, I recommend reading this article from Thomas Poppelgaard.

Vulnerability in Netscaler – from 10.5 today

In October Citrix released fixed versions for a lot of NetScaler (ADC) releases. Since the vulnerability is critical, I wanted to mention it on my blog.

A vulnerability has been identified in the management interface of Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an attacker with access to the management interface to gain administrative access to the appliance.

Citrix support : https://support.citrix.com/article/CTX261055

This vulnerability has been assigned the following CVE number:

  • CVE-2019-18225: Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway

This vulnerability affects the following product versions:

  • Citrix ADC and Citrix Gateway version 13.0 earlier than and including build 41.20
  • Citrix ADC and NetScaler Gateway version 12.1 earlier than and including build 54.13
  • Citrix ADC and NetScaler Gateway version 12.0 earlier than and including build 62.8
  • Citrix ADC and NetScaler Gateway version 11.1 earlier than and including build 62.8
  • Citrix ADC and NetScaler Gateway version 10.5 earlier than and including build 70.5

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix ADC or Citrix Gateway that contains a fix for this issue as soon as possible.
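To make the two advisories on this page easier to act on, here is an added example (mine, not from Citrix or the original posts) that classifies a Citrix ADC/Gateway release line and build against the CVE-2019-18225 affected builds listed above and the CVE-2019-19781 permanent-fix builds from the previous post. The version and build values are constructed sample inputs, not real appliances.

```powershell
# Added example: check an ADC/Gateway build against the two advisories on this page.
# Thresholds are the ones stated in the posts; nothing else about an appliance is assumed.
$AdvisoryData = @{
    # CVE-2019-18225: vulnerable up to and including these builds, per release line
    'CVE-2019-18225' = @{ '13.0' = '41.20'; '12.1' = '54.13'; '12.0' = '62.8'; '11.1' = '62.8'; '10.5' = '70.5' }
    # CVE-2019-19781: first builds carrying the permanent fix, per release line
    'CVE-2019-19781' = @{ '13.0' = '47.24'; '12.1' = '55.18'; '12.0' = '63.13'; '11.1' = '63.15'; '10.5' = '70.12' }
}

function Test-CtxAdcBuild {
    param(
        [Parameter(Mandatory)][string]$Version,   # release line, e.g. '12.1'
        [Parameter(Mandatory)][string]$Build      # build number, e.g. '54.13'
    )
    # [version] compares '62.8' and '63.13' numerically, not as strings.
    $b = [version]$Build
    foreach ($cve in ($AdvisoryData.Keys | Sort-Object)) {
        $table = $AdvisoryData[$cve]
        if (-not $table.ContainsKey($Version)) {
            $status = 'release line not listed in advisory'
        } elseif ($cve -eq 'CVE-2019-18225') {
            # Affected when the build is at or below the last vulnerable build.
            $status = if ($b -le [version]($table[$Version])) { 'AFFECTED' } else { 'fixed' }
        } else {
            # Unpatched when the build is below the first permanent-fix build.
            $status = if ($b -lt [version]($table[$Version])) { 'AFFECTED' } else { 'fixed' }
        }
        [pscustomobject]@{ CVE = $cve; Version = $Version; Build = $Build; Status = $status }
    }
}

# Constructed sample inputs (not real appliances):
Test-CtxAdcBuild -Version '12.1' -Build '54.13'   # AFFECTED by both advisories
Test-CtxAdcBuild -Version '13.0' -Build '47.24'   # fixed for both
Test-CtxAdcBuild -Version '11.1' -Build '63.13'   # 18225 fixed, 19781 still AFFECTED
```

Feed it the release line and build reported by your appliances to get a per-CVE status list for inventory or patch tracking.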

Citrix AppDNA is dead

Almost dead, but from version 1909 AppDNA is deprecated. Citrix purchased App-DNA in October 2011; now, 8 years later, the story ends.

Microsoft App Assure / FastTrack

The alternative to Citrix AppDNA is Microsoft App Assure (the new name is FastTrack).

The FastTrack Center Benefit for Windows 10 provides access to Desktop App Assure – a new service designed to address issues with Windows 10 and Office 365 ProPlus app compatibility. When you request the Desktop App Assure service, a FastTrack Specialist works with you throughout your migration to Windows 10 and Office 365 ProPlus and when you consume feature updates.

A Microsoft engineer works with you to address valid app issues at no additional cost to you with an eligible subscription. We also provide guidance to customers who face compatibility issues transitioning from Office clients to Office 365 ProPlus. This is a service provided by FastTrack and not a software package.

There is also a separate FastTrack for Office 365 migration, as shown below. For more information see Microsoft's own sites.

Enable 2FA for O365 users

2FA is something everyone should use on all services in 2019. 2FA would have stopped a lot of the major attacks that have happened in the last months; examples from Norway are the attacks on Visma, Maersk and Hydro. I don't say that 2FA will solve everything, but it helps a lot. Everyone with an O365 license has 2FA for free; the admin just needs to enable it.

App Passwords are allowed by default; this gives no extra security when users can create static passwords for apps like Outlook, OneDrive etc. When App Passwords are disabled, you need to activate modern authentication to get the apps to work.

By default, modern authentication is not enabled in Exchange Online. Modern authentication cannot be enabled in the O365 portal; it is only possible with PowerShell. I have created an example of how you can do this below:

  1. Connect to Exchange Online PowerShell.
  2. Run the following: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
  3. Run the following to verify that modern authentication is enabled: Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

The entire script together:

# Setup PSSession to O365 (Step 1)
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# Enable modern authentication (OAuth)(Step 2)
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify the value for modern authentication (OAuth) (Step 3)
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

# Close PSSession
Remove-PSSession $Session

Citrix change name again of products

At Synergy 2018, Citrix announced that they would change all product names. This is not the first time we have heard that. It has taken over 6 months to change all documentation and installation ISOs. If you plan to upgrade some of your Citrix products, you need to know the new names.

For those of you that have not heard about the change, I have created a list of the most commonly used products:

Old product name          New product name
XenApp                    Citrix Virtual Apps
XenDesktop                Citrix Virtual Desktops
XenServer                 Citrix Hypervisor
Receiver                  Citrix Workspace App
XenMobile                 Citrix Endpoint Management
NetScaler                 Citrix ADC
Citrix Unified Gateway    Citrix Gateway

There are two name changes I want to highlight: XenServer and NetScaler. WHY? XenServer is now Citrix Hypervisor and NetScaler is Citrix ADC.

First, Citrix Hypervisor: isn't this a bit too obvious? Boeing does not call its newest aircraft model Boeing Airplane. XenServer is a well known name and has a good reputation.

Citrix ADC I understand less. NetScaler is something EVERYONE associates with something good and a product that works well. The name has been with Citrix since 2005, when Citrix bought NetScaler. NetScaler was the beginning of Citrix's network products and has over all these years been one of the best known Gateway, load balancing and ADC products on the market. I hope the name will get a comeback in the next 1-2 years, as XenApp did 🙂

Self-Service Password Reset on Netscaler

From Citrix ADC version 12.1 build 50.28, SSPR can be activated in an nFactor flow. This gives users the ability to reset their own Active Directory passwords securely, from remote.

Prerequisites

Before you configure the self-service password reset, review the following prerequisites:

  • Citrix ADC feature release 12.1, build 50.28.
  • The minimum supported AD domain functional level is 2008.
  • The ldapBind username bound to the Citrix ADC needs to have write access to the users' AD OU.
  • Self-service password reset is supported in the nFactor authentication flow only (requires an Enterprise license).

Installation

Citrix has done a great job with the documentation, so I will not write my own and will only redirect you to Citrix Docs: Citrix Docs – Self-service password reset

Registration flow

Below I try to explain the user registration flow. It requires that you have completed all the setup steps from Citrix Docs. Go to your login page, https://portal.citrixblog.no or similar. The normal logon form with username and password is shown.

Depending on whether the user has registered personal information earlier, the registration form pops up for new users only. If an existing user wants to change or check the information, they can use https://portal.citrixblog.no/register

Both URLs will open this form:

The user needs to choose some questions and add answers. These will be used to reset the password if needed.

Password reset flow

This chapter covers the password reset workflow. The user goes to the portal and tries to log on. If they have forgotten the password, the user can click Forgot Password.

1. The user needs to answer the questions added during registration and click Log On.
2. Enter the email OTP. Once the email OTP validation is successful, the password reset page is displayed.
3. The user can now choose a new password and finish with Submit.