[{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/authorization/","section":"Tags","summary":"","title":"Authorization","type":"tags"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/certificate/","section":"Tags","summary":"","title":"Certificate","type":"tags"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/categories/citrix/","section":"Categories","summary":"","title":"Citrix","type":"categories"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/citrix/","section":"Tags","summary":"","title":"Citrix","type":"tags"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/categories/fas/","section":"Categories","summary":"","title":"FAS","type":"categories"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/fas/","section":"Tags","summary":"","title":"FAS","type":"tags"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/howto/","section":"Tags","summary":"","title":"HowTo","type":"tags"},{"content":"group: \u0026ldquo;Citrix FAS\u0026rdquo;\nWhen you are using Citrix FAS you will also have an Authorization Certificate. Without this certificate Citrix FAS would not be able to function. The same applies when the Authorization Certificate has expired: FAS can no longer do its job. When the Authorization Certificate is expired, users are no longer able to log in, because FAS cannot request new smartcard certificates for them.\nThe best way to make sure this does not happen is to renew the certificate before the current Authorization certificate expires, 30~60 days before for example. If you have a monitoring solution, you could configure a monitor to check the expiration date. 
One option would be to monitor this via PowerShell.\nAdd-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1\nGet-FasAuthorizationCertificate -Address localhost -FullCertInfo | Select-Object -ExpandProperty ExpiryDate\nIf the expiration date is near, or the certificate has already expired, you need to renew/update the Authorization certificate to get FAS up and running again. For this you can follow the next steps. To get started, open the FAS Console and don\u0026rsquo;t forget to \u0026ldquo;Run as Administrator\u0026rdquo;.\nOn the \u0026ldquo;Initial Setup\u0026rdquo; tab, you might see an orange warning sign before \u0026ldquo;Authorize this service\u0026rdquo;; this can be a sign that the Authorization certificate has already expired. If not, it will show a green checkmark icon as seen below. To start the renewal process, click on the \u0026ldquo;Reauthorize\u0026rdquo; button.\nA new window will appear letting you select a Certificate Authority. In my case, the FAS servers are also issuing CA servers, so I select the issuing CA corresponding with the FAS server I want to renew the certificate for. Next, click \u0026ldquo;OK\u0026rdquo; to initiate the request.\nNext, you or a CA administrator needs to issue the certificate. Open \u0026ldquo;certsrv.msc\u0026rdquo; on the issuing CA server, or connect to the issuing CA server you selected in the previous step. If all went right, you will see a new pending request under the \u0026ldquo;Pending Requests\u0026rdquo; menu item. Check that this is the request from the FAS server (Citrix_RegistrationAuthority_ManualAuthorization template).\nAfter you have issued the new certificate you can switch back to the Citrix FAS console. You will notice that the spinning wheel will change to an orange warning sign within a couple of seconds after the new certificate was issued. If not, there might be something wrong in your setup.\nCurrently the new certificate is not yet active. 
To activate it you will need to click the \u0026ldquo;Update the configuration\u0026rdquo; link in the FAS console. This will trigger the update process, switching from the previous Authorization certificate to the new one.\nA confirmation popup will appear with an option to remove the previous certificate after replacement. Make sure this is selected and click \u0026ldquo;OK\u0026rdquo; to trigger the process.\nAfter a couple of seconds this is finished: the new Authorization certificate is active and a green checkmark icon will be shown in the console.\nTo see the details of the Authorization certificate, you can click on the \u0026ldquo;authorization certificate\u0026rdquo; text in the console. The certificate details window will open, allowing you to examine the details.\nIf you want to check the expiration date of the Authorization certificate, you can execute the following commands on the FAS server in PowerShell.\nAdd-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1\nGet-FasAuthorizationCertificate -Address localhost -FullCertInfo | Select-Object -ExpandProperty ExpiryDate\n","date":"July 7, 2025","externalUrl":null,"permalink":"/howto/howto-update-the-citrix-fas-authorization-certificate/","section":"HowTo Guides","summary":"group: “Citrix FAS”\nWhen you are using Citrix FAS you will also have an Authorization Certificate. Without this certificate Citrix FAS would not be able to function. The same applies when the Authorization Certificate has expired: FAS can no longer do its job. When the Authorization Certificate is expired, users are no longer able to log in. 
This is because FAS cannot request new smartcard certificates for the user.\n","title":"HowTo - Update the Citrix FAS Authorization Certificate","type":"howto"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/howto/","section":"HowTo Guides","summary":"","title":"HowTo Guides","type":"howto"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/","section":"John Billekens | Notes from the field","summary":"","title":"John Billekens | Notes from the field","type":"page"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/powershell/","section":"Tags","summary":"","title":"PowerShell","type":"tags"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/smartcard/","section":"Tags","summary":"","title":"SmartCard","type":"tags"},{"content":"","date":"July 7, 2025","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/categories/adc/","section":"Categories","summary":"","title":"ADC","type":"categories"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/tags/adc/","section":"Tags","summary":"","title":"ADC","type":"tags"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/tags/citrix-adc/","section":"Tags","summary":"","title":"Citrix ADC","type":"tags"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/categories/dns/","section":"Categories","summary":"","title":"DNS","type":"categories"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/tags/dns/","section":"Tags","summary":"","title":"DNS","type":"tags"},{"content":"group: \u0026ldquo;NetScaler\u0026rdquo;\nIn this HowTo article, we’ll walk through the complete process of configuring a Citrix NetScaler HA pair to serve as an authoritative DNS server for a subdomain. 
This step-by-step guide covers everything from setting up the Authoritative DNS (ADNS) service on the NetScaler to delegating the subdomain in the parent domain’s DNS management panel. Whether you’re looking to improve DNS resolution performance, gain more control over DNS records, or support advanced NetScaler features, this guide will help you get it done efficiently and securely.\nWhat is Authoritative DNS? #\nThe authoritative DNS server plays a crucial role in the process of translating a domain name into an IP address—the unique identifier that computers use to communicate over the internet. Think of it as the ultimate source of truth for the domain you’re trying to reach.\nWhen you type a domain name (like example.com) into your browser, your device sends a DNS query to your internet service provider (ISP). The ISP typically operates a recursive DNS server, which is like a middleman. This recursive server checks if it already knows the answer—maybe it has the IP address cached from a previous request. If it doesn’t, or the cached data is outdated, it needs to track down the correct answer.\nThe recursive server then starts a journey across the DNS hierarchy, asking other servers for the answer. It may query root servers, top-level domain (TLD) servers (like .com or .net), and eventually, if it hasn’t found the answer yet, it ends up at the authoritative DNS server.\nThis is where the authoritative DNS server comes in. Unlike recursive servers, authoritative DNS servers don’t go looking for answers elsewhere. Instead, they provide definitive responses based on the zone records they store. These records—such as A (Address), AAAA (IPv6 Address), CNAME (Canonical Name), NS (Name Server), and SOA (Start of Authority), etc. 
— have been configured by the domain administrator and represent the original source of truth for that domain.\nBecause authoritative servers only answer queries about the specific zones they manage and don’t perform recursion, they’re highly efficient and fast. They either provide the complete answer directly or, if another server is responsible for a part of the zone, they refer the resolver to that server.\nIn simpler terms, if the DNS system were a kingdom, the authoritative DNS server would be the ruler who has the final say—issuing the definitive address when asked where a particular \u0026ldquo;house\u0026rdquo; (domain) is located. The recursive servers are like messengers running around the kingdom gathering information, but ultimately, it’s the authoritative server that confirms the right answer.\nUnderstanding this process is key when configuring your own DNS infrastructure, ensuring users can reliably and quickly access your services online.\nHow does it work? #\nLocal DNS Server Check:\nThe process begins when the client asks its locally configured DNS server (1) for the IP address of a.adns.it-framework.nl. If the local server has this information cached, it will return the IP address immediately. However, if it doesn’t, it will forward the request to a root server (2).\nRoot Server Response:\nThe root server doesn’t know the complete path to a.adns.it-framework.nl, but it does know where to find the top-level domain (TLD) .com. Therefore, it responds with the location of the .com DNS servers (3).\nTLD DNS Server Query:\nThe local DNS server now sends the request to one of the .com DNS servers (4). This server doesn’t have the full answer either but knows which name server manages it-framework.nl. It returns the IP address of the authoritative name server responsible for it-framework.nl (5).\nDomain DNS Server Query:\nNext, the request is forwarded to the DNS server at the hosting provider where it-framework.nl is managed (6). 
Typically, this server would respond with the IP address for a.adns.it-framework.nl.\nHowever, in this case, because we’re configuring a NetScaler to be authoritative for the adns.it-framework.nl subdomain, the hosting provider’s DNS server will instead respond with the IP address of the NetScaler instance responsible for that zone.\nNetScaler Query for Final Record:\nThe local DNS server now sends a query directly to the NetScaler (7), asking for the IP address of a.adns.it-framework.nl. Since the NetScaler is configured as authoritative for adns.it-framework.nl and the A record for a exists, it provides the final IP address in response (8).\nFinal Response to the Client:\nThe local DNS server relays this final IP address back to the client, completing the resolution process.\nHow to configure it? #\nNetScaler configuration #\nIn the next steps we will explain how to configure the NetScaler to be authoritative for a certain zone. We\u0026rsquo;ll start by logging in to the NetScaler and adding a Subnet IP address (SNIP) that we will use as the DNS entry point.\nIn the relevant steps we\u0026rsquo;ll also show the NetScaler command line that performs the same action.\nGo to System / Network / IPs and click Add.\nAdd the IP Address you want to use for your DNS entry point. 
Set the Type as Subnet IP.\nIP Address: 10.254.0.10 (configure your Subnet IP here)\nNetmask: 255.255.255.0 (the Subnet Mask belonging to the configured IP address)\nIP Type: Subnet IP\n# NetScaler CLI: add ns ip 10.254.0.10 255.255.255.0 -type SNIP\nNext go to Traffic Management / Load Balancing / Servers and click on the Add button to add a server object.\nName: srv_adns (or a different name depending on your naming convention)\nIP Address: 10.254.0.10 (use the same address as set up for the SNIP)\nEnable after Creating: Enabled (default)\nComments: SNIP used for ADNS (this step is optional)\n# NetScaler CLI: add server srv_adns 10.254.0.10 -comment \u0026#34;SNIP used for ADNS\u0026#34;\nWhen the server is added, go to Traffic Management / Load Balancing / Services and click Add.\nService Name: svc_adns (or a different name depending on your naming convention)\nExisting Server: Selected\nServer: srv_adns (select the server you created earlier)\nProtocol: ADNS\nPort: 53\n# NetScaler CLI: add service svc_adns srv_adns ADNS 53\nAt this point you have created the ADNS listener; the NetScaler is now listening on port 53 on your configured IP address. When you go back to System / Network / IPs, you will see that an extra type, ADNS svc IP, was added next to Subnet IP.\nNext we will create the Authoritative Zone on the NetScaler.\nGo to Traffic Management / DNS / Zones and click on the Add button.\nDNS Zone: adns.it-framework.nl\nThe Zone name you want the NetScaler to be Authoritative for.\nProxy Mode: Enabled\nThis is enabled by default. Click Create.\n# NetScaler CLI: add dns zone adns.it-framework.nl -proxyMode YES\nNow we must add an SOA record.\nThe DNS ‘start of authority’ (SOA) record stores important information about a domain or zone such as the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes. 
All DNS zones need an SOA record in order to conform to IETF standards.\nGo to Traffic Management / DNS / Records / SOA Records, and click on the Add button. Next add the details:\nDomain Name: adns.it-framework.nl\nDomain name for which to add the SOA record.\nOrigin Server: it-framework.nl\nDomain name of the name server that responds authoritatively for the domain.\nContact: domainadmin.it-framework.nl\nEmail address of the contact to whom domain issues can be addressed. In the email address, replace the @ sign with a period (.). In my case domainadmin@it-framework.nl =\u0026gt; domainadmin.it-framework.nl\nThe rest I will leave default, but if you want you can adjust it to your needs.\n# NetScaler CLI: add dns soaRec adns.it-framework.nl -originServer it-framework.nl -contact domainadmin.it-framework.nl\nWith that, the NetScaler portion of the configuration is ready. We still need to add records to the zone; for now we add a single test record so we can validate the setup later on, once the rest is configured as well.\nGo to Traffic Management / DNS / Records / TXT Records and click the Add button.\nDomain: test.adns.it-framework.nl\nThe name of the record you want to add to the zone.\nText: \u0026ldquo;Test succeeded\u0026rdquo;\nYou can add here what you want, just something so we can test it later on. 
# NetScaler CLI: add dns txtRec test.adns.it-framework.nl \u0026#34;Test succeeded\u0026#34; -TTL 5\nTo verify, check the zone—it should now contain two records: an SOA record and a TXT record.\nGo to Traffic Management / DNS / Zones and click on the Zone you created earlier and validate the records.\nNow it\u0026rsquo;s a good time to hit the save button to make sure everything is saved and will not be lost when a reboot or shutdown happens.\n# NetScaler CLI: save ns config\nFirewall configuration #\nTo enable the NetScaler to respond to requests from the internet, you need to configure Port Forwarding (NAT) to make port 53 (TCP/UDP) accessible externally.\nType | Source | Destination | Port | Protocol | Description\nNAT | SNIP (ADNS) | Internet/WAN | 53 | TCP/UDP | Forwarding port 53 to Internet\nACL | Internet/WAN | Your Public IP | 53 | TCP/UDP | Make sure port 53 is accessible from the internet\nDNS configuration #\nThe exact steps may vary depending on your DNS hosting provider. Since not all providers use the same interface or configuration options, you’ll need to determine how this example applies to your specific setup.\nWe will add two records, one A and one NS record.\nA-Record:\nName: ns1 (a name we used, you may choose a different one if you want)\nType: A\nContent: 3.3.3.3 (in your case, the public IP address where the DNS listener is configured)\nTTL: Time To Live, we leave this default\nNS-Record:\nName: adns (the zone we created on the NetScaler)\nType: NS (Name Server)\nContent: ns1.it-framework.nl (or a different name, depending on which A-record you created)\nTTL: Time To Live, we leave this default\nMake sure to save everything when ready.\nTesting! #\nNow it\u0026rsquo;s time to test everything to see if it\u0026rsquo;s working as expected. We can easily use PowerShell for this task. 
We will try to resolve our TXT record; this must return our configured value (if all goes as planned).\n# PowerShell\nResolve-DnsName -Name test.adns.it-framework.nl -Type TXT\nAs you can see, our setup returns the expected value.\nHopefully this HowTo guide was helpful. Please let me know if you have any questions.\n","date":"February 23, 2025","externalUrl":null,"permalink":"/howto/howto-configure-netscaler-adns-as-an-authoritative-dns-server-for-a-subdomain/","section":"HowTo Guides","summary":"group: “NetScaler”\nIn this HowTo article, we’ll walk through the complete process of configuring a Citrix NetScaler HA pair to serve as an authoritative DNS server for a subdomain. This step-by-step guide covers everything from setting up the Authoritative DNS (ADNS) service on the NetScaler to delegating the subdomain in the parent domain’s DNS management panel. Whether you’re looking to improve DNS resolution performance, gain more control over DNS records, or support advanced NetScaler features, this guide will help you get it done efficiently and securely.\n","title":"HowTo - Configure NetScaler ADNS as an Authoritative DNS Server for a Subdomain","type":"howto"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/categories/netscaler/","section":"Categories","summary":"","title":"Netscaler","type":"categories"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/tags/netscaler/","section":"Tags","summary":"","title":"NetScaler","type":"tags"},{"content":"","date":"February 23, 2025","externalUrl":null,"permalink":"/categories/powershell/","section":"Categories","summary":"","title":"PowerShell","type":"categories"},{"content":"","date":"August 28, 2024","externalUrl":null,"permalink":"/posts/","section":"Blog","summary":"","title":"Blog","type":"posts"},{"content":"It\u0026rsquo;s crucial to regularly update your Citrix WorkspaceApp to an up-to-date version. 
Many environments still use outdated versions with significant security vulnerabilities (CVEs). Too often, I encounter environments that are still running old versions, including the antiquated \u0026ldquo;Receiver\u0026rdquo; versions. Not updating to a non-vulnerable or recent supported version poses a real security risk!\nIn many environments, users have company-managed devices, for example managed via Microsoft Intune, which can be updated centrally. These devices are typically kept up to date. The greatest risk lies with non-company-managed devices, such as privately owned laptops or bring-your-own-device (BYOD) systems, where users are responsible for maintaining updates themselves.\nThere’s little you can do for users beyond regularly informing them and providing how-to knowledge. However, we can easily detect the installed Citrix WorkspaceApp (or Receiver) version used by the user without accessing their device. When a user connects to the company Citrix environment, the Citrix WorkspaceApp version is shared with the remote session. This is useful information and can help us check the version and inform the user if they have an unsupported or vulnerable version on their local machine.\nSeveral of my customers have asked how to inform users that they need to update outdated or vulnerable versions. This prompted me to create this script. You can run it as part of a login script or as a task in a tool like Citrix WEM. If the user has a supported, non-vulnerable version, nothing will be displayed. However, if the user has an unsupported or vulnerable version with a known CVE, a customizable popup will appear. Depending on the settings, it can also log off the session. The image shows just an example of what’s possible.\nAn example (test message) when a vulnerable version was detected:\nAn example (test message) when an outdated (EOL) version was detected:\nYou can run the script with parameters or by specifying a customized JSON file; which you use is up to you. 
To get an overview of all the parameters and some examples, just run the following command:\nGet-Help \u0026lt;PathTo\u0026gt;\\CWACLientDetection.ps1 -Full\nThis example runs the script with the specified parameters in test mode, running locally and showing the user the EOL and CVE messages. It will only log the user off if a CVE was detected (-LogoffOnCVE). Leave out the -Test parameter when presenting the script to the user.\nNOTE: The -RunLocal parameter allows you to run the script on your laptop, for example. Leave out this parameter when you run the script in a Citrix Session as a login script!\nC:\\Scripts\\CWACLientDetection.ps1 -EnableLogging -LoggingPath \u0026#34;C:\\Scripts\\Logs\u0026#34; -MessageLogo \u0026#34;C:\\Scripts\\Logo.png\u0026#34; -MessageTextEOL \u0026#34;Multiline`r`nEnd of life message\u0026#34; -MessageTextCVE \u0026#34;Multiline`r`nCVE message\u0026#34; -MessageTitle \u0026#34;Title\u0026#34; -RunLocal -LogoffOnCVE -Test\nThe next example will basically show the same while using splatting. 
You can optionally use the -Test parameter to run the script in test mode.\n$params = @{\n    \u0026#34;EnableLogging\u0026#34; = $true\n    \u0026#34;LoggingPath\u0026#34; = \u0026#34;\u0026lt;PathTo\u0026gt;\\Logs\u0026#34;\n    \u0026#34;MessageLogo\u0026#34; = \u0026#34;\u0026lt;PathTo\u0026gt;\\Logo.png\u0026#34;\n    \u0026#34;MessageTextEOL\u0026#34; = @\u0026#34;\nMultiline\nEnd of life message\n\u0026#34;@ # \u0026lt;= It\u0026#39;s very important to add NO spaces in front of the closing tag\n    \u0026#34;MessageTextCVE\u0026#34; = @\u0026#34;\nMultiline\nCVE message\n\u0026#34;@\n    \u0026#34;MessageTitle\u0026#34; = \u0026#34;Title\u0026#34;\n    \u0026#34;RunLocal\u0026#34; = $true\n    \u0026#34;LogoffOnEOL\u0026#34; = $false\n    \u0026#34;LogoffOnCVE\u0026#34; = $true\n}\n.\\CWACLientDetection.ps1 @params [-Test]\nYou can also create a JSON file with the same \u0026ldquo;parameters\u0026rdquo; and save it for example as \u0026ldquo;C:\\Script\\CWACLientDetection.json\u0026rdquo;.\nNOTE: On the PoSH command line a new line in a string is written as \u0026ldquo;`r`n\u0026rdquo;; the same in a JSON file is \u0026ldquo;\\r\\n\u0026rdquo;.\nNOTE: Path dividers in JSON need a double \\\\, e.g.: C:\\\\Script\\\\CompanyLogo.png\n{\n    \u0026#34;MessageTitle\u0026#34;: \u0026#34;Company - Citrix Workspace App versie check\u0026#34;,\n    \u0026#34;MessageTextEOL\u0026#34;: \u0026#34;Multiline\\r\\nEnd of life message\u0026#34;,\n    \u0026#34;MessageTextCVE\u0026#34;: \u0026#34;Multiline\\r\\nCVE message\u0026#34;,\n    \u0026#34;MessageLogo\u0026#34;: \u0026#34;.\\\\CWACLientDetection.png\u0026#34;,\n    \u0026#34;LogoffOnEOL\u0026#34;: false,\n    \u0026#34;LogoffOnCVE\u0026#34;: true,\n    \u0026#34;RunLocal\u0026#34;: false\n}\nYou can then run the script with the following parameters, and you can optionally use the -Test parameter to run the script in test mode.\nC:\\Script\\CWACLientDetection.ps1 -JSONFilename \u0026#34;C:\\Script\\CWACLientDetection.json\u0026#34; [-Test]\nYou can find the latest version here on my GitHub repository. 
I will try to regularly update the script, especially when a new CVE is released or when new versions with new EOL dates are added.\nPlease send me a message if a CVE is missing or you have suggestions to make it better. I don\u0026rsquo;t use Apple Mac or Linux client devices, so I haven\u0026rsquo;t really had the opportunity to test those kinds of devices. Please contact me if you find something not working correctly.\nHopefully this script can help you keep your environment up-to-date and a little bit safer.\n","date":"August 28, 2024","externalUrl":null,"permalink":"/posts/citrix-workspaceapp-update-script-check-and-alert-for-security-risks/","section":"Blog","summary":"It’s crucial to regularly update your Citrix WorkspaceApp to an up-to-date version. Many environments still use outdated versions with significant security vulnerabilities (CVEs). Too often, I encounter environments that are still running old versions, including the antiquated “Receiver” versions. Not updating to a non-vulnerable or recent supported version poses a real security risk!\nIn many environments, users have company-managed devices, for example managed via Microsoft Intune, which can be updated centrally. These devices are typically kept up to date. 
The greatest risk lies with non-company-managed devices, such as privately owned laptops or bring-your-own-device (BYOD) systems, where users are responsible for maintaining updates themselves.\n","title":"Citrix WorkspaceApp Update Script: Check and Alert for Security Risks","type":"posts"},{"content":"","date":"August 28, 2024","externalUrl":null,"permalink":"/categories/receiver/","section":"Categories","summary":"","title":"Receiver","type":"categories"},{"content":"","date":"August 28, 2024","externalUrl":null,"permalink":"/tags/receiver/","section":"Tags","summary":"","title":"Receiver","type":"tags"},{"content":"","date":"August 28, 2024","externalUrl":null,"permalink":"/categories/workspaceapp/","section":"Categories","summary":"","title":"WorkspaceApp","type":"categories"},{"content":"","date":"August 28, 2024","externalUrl":null,"permalink":"/tags/workspaceapp/","section":"Tags","summary":"","title":"WorkspaceApp","type":"tags"},{"content":"group: \u0026ldquo;NetScaler\u0026rdquo;\nUpgrading firmware on time is crucial for business continuity, especially when new firmware becomes available containing fixes for the high-severity CVEs we have seen recently.\nThis how-to guide focuses on upgrading the NetScaler manually. If you are using an ADM appliance or the ADM service, you can use those as well to automatically upgrade the node(s). In most cases you can use the GUI to upgrade the NetScaler; if you run into an issue, or are upgrading from a very old version, you can fall back to the CLI (Command Line Interface) and execute the upgrade from there. You can also start with the GUI, whatever you feel comfortable with, as long as the NetScaler gets its upgrade in time.\nThe first step, one I see a lot of people forget from time to time, is to save the config. If you don\u0026rsquo;t save the config and the NetScaler reboots, you might lose some configuration. 
Therefore always click the save button or enter \u0026ldquo;save ns config\u0026rdquo; on the command line before continuing.\nAlways create a (full) backup (you can follow this guide to create a backup) and, if you like to play it safe, download the backup and store it somewhere safe. This way you have the necessary details to restore the NetScaler if something happens that cannot be fixed.\nNext, make a note of all the VIPs that are down or don\u0026rsquo;t have an UP state; this way you can validate whether the states are the same after the upgrade.\nIf the NetScaler is a VPX appliance, you might want to create a Snapshot (never create a snapshot with memory in running state). You can create a snapshot while the appliance is on, but uncheck the option to \u0026ldquo;Include virtual machine\u0026rsquo;s memory\u0026rdquo; and check the option to \u0026ldquo;Quiesce guest file system\u0026rdquo;.\nBefore continuing, make sure you have enough free space available. You can use the following HowTo guide to help you identify files that can be removed.\nLog in on the NetScaler management page with a user account with enough permissions to perform a cleanup if required.\nMake sure you are on the \u0026ldquo;Configuration\u0026rdquo; tab.\nSelect \u0026ldquo;System\u0026rdquo;. On the \u0026ldquo;System Information\u0026rdquo; tab, click on \u0026ldquo;System Upgrade\u0026rdquo;.\nThe NetScaler shows that it needs 4GB of free space; my personal experience is that you need at least 5GB to run the upgrade. Make sure you have enough free space.\nYou can follow this guide to create some free space. When the NetScaler appliance is part of an HA pair, make sure to also clean up the other appliance before continuing.\nNOTE: If you are upgrading to a different base version, 13.0, 13.1 or 14.1 (e.g. 
from 13.0 to 13.1) you might want to consider using the command line (CLI) upgrade.\nGUI #\nLog in on the NetScaler management page with a user account with enough permissions to perform an upgrade.\nIf the appliance is a member of an HA pair you will be presented with the following Warning message; this is as expected. We want to start the upgrade on the secondary node, not on the primary one.\nMake sure you are on the \u0026ldquo;Configuration\u0026rdquo; tab.\nSelect \u0026ldquo;System\u0026rdquo;. On the \u0026ldquo;System Information\u0026rdquo; tab, click on \u0026ldquo;System Upgrade\u0026rdquo;.\nSelect the firmware upgrade file by selecting the \u0026ldquo;Local\u0026rdquo; option.\nThen browse and select the firmware file \u0026ldquo;build-13.1-51.15_nc_64.tgz\u0026rdquo;.\nNext you can (un)check options if you like.\nI like to leave the \u0026ldquo;Reboot after successful installation\u0026rdquo; unchecked. I like to verify the output before rebooting.\nNOTE: If the firmware upgrade should hang, you might want to execute the upgrade via the command line. 
If you have selected the \u0026ldquo;Reboot after successful installation\u0026rdquo; option, you might want to check whether the appliance is restarting before you consider restarting the upgrade via the command line.\nIf you receive the message \u0026ldquo;Installation cancelled; if you wish to run the NSEPEPI tool during installation, then use the -M option; or if you wish to force the installation use the -Y option but invalid configuration will be lost.\u0026rdquo;, close the GUI upgrade and continue with the command line upgrade.\nWhen the upgrade is finished, you will be presented with a reboot option; click to reboot.\nIf you left the \u0026ldquo;Reboot after successful installation\u0026rdquo; checked, the NetScaler will automatically reboot.\nWhen the NetScaler is rebooted, log on again.\nIf you chose the -M option to convert the classic expressions, you might want to check that everything was converted correctly. (Primary and secondary authentication policies on the Gateway are still classic for 13.1)\nIf this is a single node, you can skip the next step to issue a failover.\nNOTE 1: Users may have to clear the browser cache for the Gateway; the cache can contain old data that can give users blank pages or unexpected errors.\nNOTE 2: You may want to change the portal theme on the gateway (and AAA) VIP to \u0026ldquo;RfWebUI\u0026rdquo;; all the other themes are deprecated and may be removed in later versions.\nIf this is an HA pair, you need to fail over first before you can test everything. 
You might want to make changes like changing the Portal Theme first, before continuing.\nNOTE: It\u0026rsquo;s normal at this stage that the VIPs are offline; they will come online after the failover.\nTo execute a failover, make sure you are on the \u0026ldquo;Configuration\u0026rdquo; tab.\nOn the Confirm dialog, select \u0026ldquo;Yes\u0026rdquo; to trigger a failover.\nSelect \u0026ldquo;OK\u0026rdquo; to close the Information dialog.\nNow is the time to check and validate everything.\nCheck if everything is online that should be online.\nValidate that all the VIPs have the same state as before.\nValidate internal and external access to (web) applications, gateways, etc.\nIf all goes well, you are finished with this appliance.\nIf this node is a member of an HA pair, repeat the same upgrade steps on the other node, which will now be secondary.\nCommand Line (CLI) #\nFor the Command Line upgrade procedure I will use two tools: WinSCP to transfer files and easily browse the filesystem, and PuTTY, an SSH client, to enter commands and execute the firmware upgrade.\nOpen WinSCP and connect to the node (the secondary if this is an HA pair); log on with a user account with enough permissions to perform an upgrade.\nIn this example we are going to upgrade to version 13.1 build 51.15 (from a 13.0 version).\nMake sure you have around 5GB free space available.\nNavigate to /var/nsinstall\nMake sure all (old) \u0026ldquo;build-xx.x-xx.xx\u0026hellip;\u0026rdquo; directories and files are removed.\nCreate a directory (F7) \u0026ldquo;build-13.1-51.15_nc_64\u0026rdquo; and upload \u0026ldquo;build-13.1-51.15_nc_64.tgz\u0026rdquo; to this newly created directory. 
Start PuTTY and connect to the (secondary) node.\nLog in with an account with enough permissions to execute the upgrade.\nStart the upgrade by entering the following commands\nshell\ncd /var/nsinstall/build-13.1-51.15_nc_64\ntar xvfz build-13.1-51.15_nc_64.tgz\nTo get a little bit of extra space, you could remove the firmware file \u0026ldquo;build-13.1-51.15_nc_64.tgz\u0026rdquo;\nrm build-13.1-51.15_nc_64.tgz\nNext we can start the upgrade process. If you want to upgrade for example from 13.0 to 13.1 and still have some classic policies in use, you might want to add the extra parameter \u0026ldquo;-M\u0026rdquo;. The upgrade will try to convert the classic policies to advanced policies.\nNOTE: Only add the -M parameter if you intend to convert classic policies to advanced policies!\nStart the upgrade process with the following command:\n./installns -M\nOn the question \u0026ldquo;Do you wish to delete old signature files and kernel images?\u0026rdquo; you can answer \u0026ldquo;Y\u0026rdquo;; this will clean up old files.\nWhen the installation is completed, you can answer \u0026ldquo;Y\u0026rdquo; to the question \u0026ldquo;Reboot NOW?\u0026rdquo;. The NetScaler will restart directly. When the NetScaler is online again the upgrade is completed.\nLog in again on the NetScaler SSH command line and validate your configuration. If you chose the -M option to convert the classic expressions, you might want to check whether everything was converted correctly. 
(Primary and secondary authentication policies on the Gateway are still classic for 13.1)\nIf this is a single node, you can skip the next step to issue a failover.\nNOTE 1: Users may have to clear the browser cache for the Gateway; the cache can contain old data that can give users blank pages or unexpected errors.\nNOTE 2: You may want to change the portal theme on the gateway (and AAA) vip to \u0026ldquo;RfWebUI\u0026rdquo;; all the other themes are deprecated and may be removed in later versions.\nIf this is an HA pair, you need to fail over first before you can test everything. You might want to make changes like changing the Portal Theme first, before continuing.\nNOTE: It\u0026rsquo;s normal at this stage that the VIPs are offline; they will come online after the failover.\nTo execute a failover, enter the following command:\nforce HA failover\nOn the question \u0026ldquo;Please confirm whether you want force-failover (Y/N)?\u0026rdquo; you can answer \u0026ldquo;Y\u0026rdquo;, as this is expected. The secondary node now has a newer version, and we want to activate this node.\nNow is the time to check and validate everything.\nCheck that everything is online that should be online. Validate that all the VIPs have the same state as before. Validate internal and external access to (web) applications, gateways, etc. If all goes well, you are finished with this appliance.\nIf this node is a member of an HA pair, repeat the same upgrade steps on the other node, which will now be secondary.\n","date":"February 10, 2024","externalUrl":null,"permalink":"/howto/howto-netscaler-upgrade-firmware/","section":"HowTo Guides","summary":"group: “NetScaler”\nUpgrading firmware on time is crucial for business continuity, especially when new firmware becomes available containing fixes for the high-severity CVEs we have seen recently.\nThis how-to guide focuses on upgrading the NetScaler manually. 
If you are using an ADM appliance or the ADM service, you can also use those to upgrade the node(s) automatically. ","title":"HowTo - NetScaler - Upgrade firmware","type":"howto"},{"content":"","date":"February 10, 2024","externalUrl":null,"permalink":"/tags/cleanup/","section":"Tags","summary":"","title":"Cleanup","type":"tags"},{"content":"","date":"February 10, 2024","externalUrl":null,"permalink":"/categories/files/","section":"Categories","summary":"","title":"Files","type":"categories"},{"content":"group: \u0026ldquo;NetScaler\u0026rdquo;\nBefore you start an upgrade, you must make sure to have enough free space available. Although in the GUI you sometimes see that you must have 5 GB available, in my experience you need at least 6,5 GB free space.\nAfter using a NetScaler for a while, certain folders can fill up with files, or you might have had a problem and had to create a trace file. Some of these files and folders can be removed to free up some space.\nAlthough it\u0026rsquo;s possible to use the GUI to clean up files, I prefer WinSCP to browse, back up and remove files. Within the GUI it\u0026rsquo;s not really possible to download (back up) the log files first before removing them.\nI leave it up to you which method you like to use. If you are familiar with bash you could also use the command line to remove files and folders.\nWinSCP # When using a tool to manipulate files on a NetScaler, my go-to tool is WinSCP. Free and easy to use. You can also just copy over the folder and it will run without installation.\nLaunch WinSCP, connect to the NetScaler and log in.\nNext you can browse to the folder you want to clean up and remove files or folders.\nNOTE: Back up your (log) files before removing them from your NetScaler. You might need these (log) files for audit purposes!\nCleanup locations # The following paths can be investigated, to be cleaned (source Citrix).\n/var/nstrace: This directory contains trace files. This is the most common reason for the HDD being filled on the NetScaler appliance. This is due to an nstrace being left running for an indefinite amount of time. All traces that are not of interest can and should be deleted. To stop an nstrace, go back to the CLI and issue the stop nstrace command.\n/var/nslog: This directory contains NetScaler log files.\n/var/log: This directory contains system-specific log files.\n/var/tmp/support: This directory contains technical support files, also known as support bundles. All files not of interest should be deleted.\n/var/core: Core dumps are stored in this directory. There will be directories within this directory and they will be labeled with numbers starting with 1. These files can be quite large in size. Clear all files unless the core dumps are recent and investigation is required.\n/var/crash: Crash files, such as process crashes, are stored in this directory. Clear all files unless the crashes are recent and investigation is required.\n/var/nsinstall: Firmware is placed in this directory when upgrading. Clear all files, except the firmware that is currently being used.\n/var/nssynclog: Synced (HA) config and logs.\n/var/nsproflog: Performance related logs.\nPath: /var/nstrace # This folder can contain folders with trace files. You can delete all directories with content. 
Path: /var/nslog # Check for numbered files and/or folders like \u0026ldquo;filename.0.gz\u0026rdquo; or \u0026ldquo;filename.0.tar.gz\u0026rdquo;; you can remove these files and folders.\nAlso check subdirectories for dated or numbered folders; you can remove these.\nPath: /var/log # Check for numbered files and/or folders like \u0026ldquo;filename.0.gz\u0026rdquo; or files with dates in the name; you can remove these files and folders.\nPath: /var/tmp/support # You can remove all \u0026ldquo;collector_callhome_\u0026hellip;.tar.gz\u0026rdquo; files.\nPath: /var/core # You can remove the numbered folders (with content).\nPath: /var/crash # You can remove all subdirectories in this location.\nPath: /var/nsinstall # You can remove all files and folders except \u0026ldquo;adc.version\u0026rdquo;, \u0026ldquo;installns_state\u0026rdquo; and \u0026ldquo;installns_state_post_reboot\u0026rdquo;.\nPath: /var/nssynclog # Check for numbered files and/or folders like \u0026ldquo;filename.0\u0026rdquo; or files with dates in the name; you can remove these files and folders.\nPath: /var/nsproflog # Check for numbered files and/or folders like \u0026ldquo;filename.0.tar.gz\u0026rdquo; or \u0026ldquo;filename.0.gz\u0026rdquo; or files with dates in the name; you can remove these files and folders.\nSource information: https://docs.netscaler.com/en-us/citrix-adc/13-1/system/troubleshooting-citrix-adc/how-to-free-space-on-var-directory.html\n","date":"February 10, 2024","externalUrl":null,"permalink":"/howto/howto-pre-upgrade-cleanup/","section":"HowTo Guides","summary":"group: “NetScaler”\nBefore you start an upgrade, you must make sure to have enough free space available. 
Although in the GUI you see sometimes that you must have 5 GB available, in my experience you need at least 6,5 GB free space.\n","title":"HowTo - (Pre upgrade) Cleanup","type":"howto"},{"content":"","date":"October 23, 2023","externalUrl":null,"permalink":"/tags/backup/","section":"Tags","summary":"","title":"Backup","type":"tags"},{"content":"group: \u0026ldquo;NetScaler\u0026rdquo;\nA backup can save you a lot of time in case of emergencies, configuration errors or hacks. You could download and save it in a secure environment. And when needed restore a new appliance with the saved backup.\nGUI # As always, login to the NetScaler by using an account with enough permissions to execute your task.\nOn the \u0026ldquo;Configuration\u0026rdquo; tab, open the menu \u0026ldquo;System\u0026rdquo; (1) and \u0026ldquo;Backup \u0026amp; Restore\u0026rdquo; (2).\nNext click on the button \u0026ldquo;Backup/Import\u0026rdquo; (3).\nNOTE: you will only see the button when no backup is created or available.\nIf there is one or more backups already available, you\u0026rsquo;ll see the following screen/button. Click \u0026ldquo;Backup/Import\u0026rdquo; to create a backup.\nNext make sure \u0026ldquo;Create\u0026rdquo; (1) is selected as option.\nEnter a \u0026ldquo;File Name\u0026rdquo; (2) meaningful for you or your company. I like to specify the type of backup (Full or Basic) the date and time of the backup. The name can be a maximum of 63 characters long.\nSelect the backup \u0026ldquo;Level\u0026rdquo; (3) Full or Basic.\nBasic; You can perform this type of backup if you want to back up files that constantly change. The files that you can back up are in the following table. 
Directory /nsconfig/: ns.conf, ZebOS.conf, rc.netscaler, snmpd.conf, nsbefore.sh, nsafter.sh, inetd.conf, ntp.conf, syslog.conf, newsyslog.conf, crontab, host.conf, hosts, ttys, sshd_config, httpd.conf, monitrc, rc.conf, ssh_config, localtime, issue, issue.net\nDirectory /var/: download/*, log/wicmd.log, wi/tomcat/webapps/*, wi/tomcat/logs/*, wi/tomcat/conf/catalina/localhost/*, nslw.bin/etc/krb.conf, nslw.bin/etc/krb.keytab, netscaler/locdb/*, lib/likewise/db/*, vpn/bookmark/*, netscaler/crl, nstemplates/*, learnt_data/*\nDirectory /netscaler/: custom.html, vsr.htm\nFull; In addition to the files that are backed up by a basic backup, a full backup includes less frequently updated files. The files that are backed up when you use the “Full” backup option are:\nDirectory nsconfig: sl*, license*, fips*\nDirectory /var/: netscaler/ssl/*, wi/java_home/jre/lib/security/cacerts/*, wi/java_home/lib/security/cacerts/*\nAnd lastly add a \u0026ldquo;Comment\u0026rdquo; (4). This is a text field where you can add your own description of up to 255 characters.\nClick \u0026ldquo;Backup\u0026rdquo; to start the backup.\nIf you want to save the created backup, you can download the file.\nSelect the file you want to download and choose \u0026ldquo;Download\u0026rdquo; in the Action menu. Your browser will initiate the download. Store the file somewhere safe! This unencrypted backup may contain sensitive information and data.\nCLI # You can also initiate a backup from the CLI.\ncreate system backup \u0026#34;Full_20231023_1502\u0026#34; -level full -comment \u0026#34;CLI Backup\u0026#34;\nAnd that\u0026rsquo;s it! Make sure to back up your config regularly.\n","date":"October 23, 2023","externalUrl":null,"permalink":"/howto/howto-netscaler-create-a-backup/","section":"HowTo Guides","summary":"group: “NetScaler”\nA backup can save you a lot of time in case of emergencies, configuration errors or hacks. You could download and save it in a secure environment. 
And when needed, restore a new appliance with the saved backup.\n","title":"HowTo - NetScaler - Create a backup","type":"howto"},{"content":"group: \u0026ldquo;NetScaler\u0026rdquo;\nIn this how-to article I will explain the procedure for updating a certificate on a Citrix NetScaler. Waiting until a certificate has expired will cause a lot of issues for your users or visitors. Renewing on time will save you a lot of trouble.\nThis article assumes you have already renewed the certificate and have a pfx (without the root and intermediate) with matching password available.\nYou can also follow this article to export a certificate with private key to a pfx file.\nIf you want to install a certificate on the NetScaler you can follow this guide.\nUpdating an existing certificate is preferred over adding a new certificate. When adding an updated certificate as new, you will have to update all the bindings for all VIP\u0026rsquo;s. You don\u0026rsquo;t have to do this when updating an existing certificate. 
First log in to the NetScaler with enough permissions to update/replace the certificate.\nNext browse to \u0026ldquo;Traffic Management\u0026rdquo; / \u0026ldquo;SSL\u0026rdquo; / \u0026ldquo;Certificates\u0026rdquo; / \u0026ldquo;All Certificates\u0026rdquo;\nSelect the certificate you want to update by clicking on the 3 dots (\u0026hellip;) in front of the certificate.\nIn the context menu that follows, select \u0026ldquo;Update\u0026rdquo;.\nNext, check the checkbox \u0026ldquo;Update the certificate and key\u0026rdquo;; this will enable you to change the certificate and key file.\nTo select the certificate, click on the down \u0026ldquo;˅\u0026rdquo; symbol and select \u0026ldquo;Local\u0026rdquo;.\nAn open dialog box will appear and you can select the new pfx-file.\nClick \u0026ldquo;Yes\u0026rdquo; on the \u0026ldquo;Confirm\u0026rdquo; dialog prompt that appears.\nMake sure you also change the \u0026ldquo;Key File Name\u0026rdquo; by selecting the new pfx file.\nAnd don\u0026rsquo;t forget to change/update the password for the new pfx file.\nClick \u0026ldquo;OK\u0026rdquo; if you made all the necessary changes.\nNOTE: It\u0026rsquo;s best practice to use unique and long (generated) passwords for your pfx-files.\nIf all goes well, the certificate will be updated without any errors.\nYou may be shown a message that the link is or will be broken. In the next steps we will validate and update the link if required.\nClick the \u0026ldquo;Link\u0026rdquo; button to update/validate the link.\nYou will see all intermediate and root certificates if they are installed.\nIt might be that the new certificate requires an updated intermediate or root certificate. 
You can follow this guide to add the new certificate(s).\nClick the \u0026ldquo;Link Certificates\u0026rdquo; button to complete the links.\nWhen all goes well, you will see a full (green) line with certificate symbols under the intermediate and root certificate(s).\nAnd that\u0026rsquo;s it, the certificate is updated.\nThe next time the user initiates a new SSL session the new certificate will be used.\nNOTE: If you have a pre-existing session to the webpage and you refresh (F5) the webpage, you might be presented with the previous (old) certificate. Just open an in-private browser session and start a new session to validate the new certificate.\n","date":"October 18, 2023","externalUrl":null,"permalink":"/howto/howto-netscaler-update-certificate/","section":"HowTo Guides","summary":"group: “NetScaler”\nIn this how-to article I will explain the procedure for updating a certificate on a Citrix NetScaler. Waiting until a certificate has expired will cause a lot of issues for your users or visitors. Renewing on time will save you a lot of trouble.\n","title":"HowTo - NetScaler - Update Certificate","type":"howto"},{"content":"group: \u0026ldquo;NetScaler\u0026rdquo;\nIn this how-to article I will explain the procedure for installing a new certificate on a Citrix NetScaler. Certificates are an important piece of a secure connection from a client to a server.\nThis article assumes you already have a valid certificate (pfx without the root and intermediate) available with matching password. 
You can also follow this article to export a certificate with private key to a pfx file from a Windows machine.\nFirst log in to the NetScaler with enough permissions to install the certificate.\nNext browse to \u0026ldquo;Traffic Management\u0026rdquo; (1) / \u0026ldquo;SSL\u0026rdquo; (2) / \u0026ldquo;Certificates\u0026rdquo; (3) / \u0026ldquo;All Certificates\u0026rdquo; (4)\nNext click on \u0026ldquo;Install\u0026rdquo; to add the new certificate.\nTo select the certificate, click on the down \u0026ldquo;˅\u0026rdquo; symbol and select \u0026ldquo;Local\u0026rdquo;.\nAn open dialog box will appear and you can select the pfx-file.\nEnter a name for your certificate in the \u0026ldquo;Certificate-Key Pair Name\u0026rdquo; field. I typically like to use the same name as the common name of the certificate. I don\u0026rsquo;t like to add dates or other extra additions, as this can be misleading the next time you update this certificate.\nSelect the \u0026ldquo;Certificate Format\u0026rdquo;, in this case \u0026ldquo;PEM\u0026rdquo;\nEnter the password for the pfx file; this password will be saved in the configuration. The NetScaler will keep the certificate in the pfx format this way.\nYou can leave the \u0026ldquo;Notify When Expires\u0026rdquo; option enabled. This will only work (notify you) when you have SNMP configured or use an ADM appliance or service.\nFinally click \u0026ldquo;Install\u0026rdquo; to install the certificate.\nIf all goes well, the certificate is added to the list.\nA certificate needs a chain (of trust). In most cases the root and sometimes the intermediate is already available on your client. There are cases where those are not present. To make sure a full chain is available on the client you can send the intermediate(s) and root to your client by configuring this on the NetScaler.\nTo make the chain available you first have to add the certificates to the NetScaler. 
Next you have to bind them together.\nThe process is basically the same as with the pfx, with the only difference that we don\u0026rsquo;t specify a key and password.\nEnter a \u0026ldquo;Certificate-Key Pair Name\u0026rdquo;; as with the pfx, I like to use the Common Name of the intermediate or root.\nSelect the certificate file and select \u0026ldquo;Install\u0026rdquo;\nRepeat the process for all intermediate certificate(s) and the root certificate.\nWhen all certificates are added we can continue making the link between the intermediate(s) and root.\nSelect the certificate we added earlier as pfx file and at the end click on the \u0026ldquo;Link\u0026rdquo; button.\nYou will be presented with an overview. If the certificate is not yet linked you see missing certificate symbols for the intermediate(s) and root.\nJust click the \u0026ldquo;Link Certificates\u0026rdquo; button to complete the links.\nWhen all goes well, you will see a full (green) line with certificate symbols under the intermediate and root certificate(s).\nAnd that\u0026rsquo;s it. You can now bind the certificate to your VIP.\n","date":"October 18, 2023","externalUrl":null,"permalink":"/howto/howto-netscaler-install-certificate/","section":"HowTo Guides","summary":"group: “NetScaler”\nIn this how-to article I will explain the procedure for installing a new certificate on a Citrix NetScaler. Certificates are an important piece of a secure connection from a client to a server.\n","title":"HowTo - NetScaler - Install Certificate","type":"howto"},{"content":"group: \u0026ldquo;Windows\u0026rdquo;\nCertificates are an important part of a modern environment. They make communication safer by encrypting the traffic between the client and server. A safe way to move certificates between servers or store them safely is by exporting the certificate (private and public key) to an encrypted format. A commonly used format is \u0026ldquo;pfx\u0026rdquo; (Personal Information Exchange, also known as PKCS#12). 
A pfx file can contain one or more certificates and is encrypted with a password. Without the correct password the pfx is useless. You commonly see that a pfx contains a (web) server certificate and one or more intermediate certificate(s) and a root certificate.\nA Windows machine has two certificate stores:\nMachine store: can be accessed by opening \u0026ldquo;certlm.msc\u0026rdquo;\nUser store: can be accessed by opening \u0026ldquo;certmgr.msc\u0026rdquo;\nFor this example we are opening the machine store, where my private and public key are located. Click on the start menu or press Windows key + R and run \u0026ldquo;certlm.msc\u0026rdquo;\nNext, open the folders \u0026ldquo;Personal\u0026rdquo; and \u0026ldquo;Certificates\u0026rdquo;.\nNOTE: Make sure the certificate has a matching private key! You can easily verify this by looking at the icon in front of the certificate. If a key symbol is visible in the upper left corner of the certificate icon, a matching private key is present.\nSelect the certificate you want to export. In the \u0026ldquo;Welcome to the Certificate Export Wizard\u0026rdquo; window, click \u0026ldquo;Next\u0026rdquo;.\nMake sure \u0026ldquo;Yes, export the private key\u0026rdquo; is selected before you click \u0026ldquo;Next\u0026rdquo;.\nNOTE: It might be that you cannot select this option and that it is greyed out. This means that the private key cannot be exported. When the certificate was created or imported, the option to export the private key must have been selected. Without that option you cannot export the certificate and continue this procedure.\nBy default the options \u0026ldquo;include all certificates in the certification path if possible\u0026rdquo; (this includes the intermediate certificates and root certificate if present) and \u0026ldquo;enable certificate privacy\u0026rdquo; (if enabled all certificates are encrypted; if disabled only the private key is encrypted) are selected. 
You can leave them on if you want to move these from one Windows server to another. But if you want to use the exported pfx file on a NetScaler I like to disable these options. Additionally I select the option \u0026ldquo;Export all extended properties\u0026rdquo;.\nMake sure you select the checkmark before \u0026ldquo;Password\u0026rdquo; and enter a secure password before clicking on \u0026ldquo;Next\u0026rdquo;.\nEnter a path and name where you want to store the pfx-file. I like to use the \u0026ldquo;Common Name\u0026rdquo; as name for the certificate and append the date (formatted as \u0026ldquo;_MMYYYY\u0026rdquo;) or year (formatted as \u0026ldquo;_YYYY\u0026rdquo;) at the end. This way I can easily see when the certificates have expired and clean up those files. Click \u0026ldquo;Finish\u0026rdquo; on the final wizard page to finalize the export.\nWhen all goes well you are presented with a \u0026ldquo;The export was successful\u0026rdquo; dialog box.\nYou can now safely transfer or store your certificate!\n","date":"October 18, 2023","externalUrl":null,"permalink":"/howto/howto-windows-export-certificate-pfx/","section":"HowTo Guides","summary":"group: “Windows”\nCertificates are an important part of a modern environment. They make communication safer by encrypting the traffic between the client and server. A safe way to move certificates between servers or store them safely is by exporting the certificate (private and public key) to an encrypted format. A commonly used format is “pfx” (Personal Information Exchange also known as PKCS#12). A pfx file can contain one or more certificates and is encrypted with a password. Without the correct password the pfx is useless. 
You commonly see that a pfx contains a (web) server certificate and one or more intermediate certificate(s) and a root certificate.\n","title":"HowTo - Windows - Export certificate (pfx)","type":"howto"},{"content":"","date":"October 18, 2023","externalUrl":null,"permalink":"/categories/microsoft/","section":"Categories","summary":"","title":"Microsoft","type":"categories"},{"content":"","date":"October 18, 2023","externalUrl":null,"permalink":"/tags/microsoft/","section":"Tags","summary":"","title":"Microsoft","type":"tags"},{"content":"","date":"October 18, 2023","externalUrl":null,"permalink":"/categories/windows/","section":"Categories","summary":"","title":"Windows","type":"categories"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/categories/active-directory/","section":"Categories","summary":"","title":"Active Directory","type":"categories"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/categories/adfs/","section":"Categories","summary":"","title":"ADFS","type":"categories"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/tags/adfs/","section":"Tags","summary":"","title":"ADFS","type":"tags"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/categories/azuread/","section":"Categories","summary":"","title":"AzureAD","type":"categories"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/tags/azuread/","section":"Tags","summary":"","title":"AzureAD","type":"tags"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/tags/claims/","section":"Tags","summary":"","title":"Claims","type":"tags"},{"content":"","date":"October 28, 2021","externalUrl":null,"permalink":"/tags/enterpriseapp/","section":"Tags","summary":"","title":"EnterpriseApp","type":"tags"},{"content":"","date":"October 28, 
2021","externalUrl":null,"permalink":"/tags/federation/","section":"Tags","summary":"","title":"Federation","type":"tags"},{"content":"Some companies want to allow other (guest) companies to connect to their environment and, for example, allow them to open a Citrix Desktop. This can be achieved by connecting an existing Citrix environment to the guest company via SAML (and yes, there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and an Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Services). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need to add the guest company\u0026rsquo;s suffix to your domain. I will not dive into exactly what Citrix FAS is, just give a global overview. This is not a guide on how to deploy and configure it (there are a lot of examples out there). What I do want to say about it is that Citrix FAS orchestrates the login for you.\nWhen you log in via an external authentication source, an IdP (Identity Provider), for example via SAML, you as the SP (Service Provider) hand off the authentication and authorization to the IdP you trust; you trust that they verify the user\u0026rsquo;s username, password and, for example, MFA before allowing access. When everything is in order (the user is authenticated and authorized to log in) the ADC will receive back one or more attributes. Among the attributes is often a \u0026ldquo;NameID\u0026rdquo; attribute. This \u0026ldquo;NameID\u0026rdquo; attribute will contain the user\u0026rsquo;s \u0026ldquo;login\u0026rdquo; name (or whatever you specify as login name). This will most likely be a UPN or email formatted value (e.g. user.name@domain.com). 
But the user\u0026rsquo;s password is not one of the attributes\u0026hellip; How can the user log in to the environment, you may ask, and that\u0026rsquo;s where Citrix FAS comes into action.\nA Citrix ADC will accept the login (after a successful authentication by the IdP) because of the trust you have set up between the ADC and the IdP (configured in an ADC SAML Action). StoreFront also needs a \u0026ldquo;valid\u0026rdquo; username when not using an Anonymous store config. StoreFront wants to use the identity to find out the resources assigned to that user (or group).\nWhen you configured Citrix FAS you had to authorize it (request and approve a certificate). With this authorization (certificate) Citrix FAS is able to generate a user (smartcard) certificate on behalf of the user and can utilize this certificate to handle the logon to StoreFront and the machine you are trying to log on to. This will only work as long as the user (object) is found in AD (Active Directory); Citrix FAS can only request a certificate for a user that exists in AD. The matching of the user is done via UPN. So if the SAML \u0026ldquo;NameID\u0026rdquo; attribute (more on this later) has the value \u0026ldquo;john.doe@domain.com\u0026rdquo;, a user object must exist in AD with a UPN equal to \u0026ldquo;john.doe@domain.com\u0026rdquo;. This AD account is sometimes referred to as a Shadow Account. Now back to the \u0026ldquo;NameID\u0026rdquo; attribute. In most of the deployment guides you will find online, the \u0026ldquo;NameID\u0026rdquo; attribute is configured as the attribute used for login (it will contain the user\u0026rsquo;s login ID); in this article I will also use that attribute. This attribute must contain the value that matches a UPN in AD. We cannot do a wildcard search or something similar; it must match exactly. 
There are several possibilities to achieve that goal.\nNOTE: I assume you have a working setup for ADFS or Azure AD; therefore the next steps are configuration changes on these working configs.\nAs an example we have a Company environment (e.g. AD domain: company.com) and you want your customers (e.g. AD domain: customer.nl) to be able to log on and start a desktop or app from your Citrix environment, logging on (SSON experience) with their own company account.\n1. Add an alternative UPN suffix to the domain and configure the shadow accounts accordingly\n2. Change the content of the \u0026ldquo;Name ID\u0026rdquo; attribute before it\u0026rsquo;s being sent by the IdP\n3. Send a custom attribute as \u0026ldquo;Name ID\u0026rdquo;\nFor option 1 to work you need to add the domain suffix \u0026ldquo;customer.nl\u0026rdquo; to the \u0026ldquo;company.com\u0026rdquo; domain first. After that, add the users that need to log on to the \u0026ldquo;company.com\u0026rdquo; domain with the suffix \u0026ldquo;customer.nl\u0026rdquo; (or modify existing accounts by changing the UPN/domain suffix). Now \u0026ldquo;Customer\u0026rdquo; users are able to log on to the domain with their own account.\nFor option 2 to work, the admin (at \u0026ldquo;Customer\u0026rdquo;) needs to configure some additional steps to change the suffix before it\u0026rsquo;s being sent. This is possible with ADFS and AAD, and those are the two configurations I will explain in this article.\nOption 3 will be explained in a different article, most likely part 2.\nMicrosoft ADFS # Fewer and fewer companies are utilizing Microsoft ADFS (in our case), as most of them are migrating everything to Azure. There are still several companies utilizing Microsoft ADFS. To make it work we need to modify some \u0026ldquo;claim\u0026rdquo; rules. 
I will only explain the claim rules used for this part, not the complete steps to configure ADFS for use with a Citrix ADC.\nSelect the ADFS Relying Party Trust you are using for the Citrix ADC and edit the \u0026ldquo;Claim Issuance Policy\u0026rdquo;\nBack up (or make a note of) the current configuration and remove your existing claims (except logoff rules)\nAdd a new rule, a Custom Rule.\nGive it a name like \u0026ldquo;Get user UPN from ActiveDirectory\u0026rdquo;\nAdd the following Custom rule.\nc:[Type == \u0026#34;http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\u0026#34;, Issuer == \u0026#34;AD AUTHORITY\u0026#34;] =\u0026gt; add(store = \u0026#34;Active Directory\u0026#34;, types = (\u0026#34;userattrb\u0026#34;), query = \u0026#34;;userPrincipalName;{0}\u0026#34;, param = c.Value);\nIf you want to send the email address instead of the UPN you can change \u0026ldquo;userPrincipalName\u0026rdquo; to \u0026ldquo;mail\u0026rdquo; or any other attribute.\nWith this rule we (temporarily) use the type \u0026ldquo;userattrb\u0026rdquo; to store the attribute data we want to edit before it is being sent.\nSave the rule and add a new rule, again a Custom Rule.\nGive it a name like \u0026ldquo;Rename attribute and send as NameID\u0026rdquo;\nAdd the following Custom rule.\nc:[Type == \u0026#34;userattrb\u0026#34;] =\u0026gt; issue(Type = \u0026#34;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\u0026#34;, Value = RegexReplace(c.Value, \u0026#34;(?\u0026lt;user\u0026gt;[^\\\\]+)@(?\u0026lt;domain\u0026gt;.+)\u0026#34;, \u0026#34;${user}@company.com\u0026#34;));\nIn this example we use a RegexReplace (yellow); with this option we need to select the text (with a regex expression: \u0026ldquo;(?\u0026lt;user\u0026gt;[^\\\\]+)@(?\u0026lt;domain\u0026gt;.+)\u0026rdquo;, in red) and replace it with something we want to send (in blue).\nRegexReplace(Source, Expression, WhatToReplaceWith)\nFor this example we want to change 
\u0026ldquo;john.doe@customer.nl\u0026rdquo; to \u0026ldquo;john.doe@company.com\u0026rdquo;\nValue = RegexReplace(c.Value, \u0026quot;(?\u0026lt;user\u0026gt;[^\\\\]+)@(?\u0026lt;domain\u0026gt;.+)\u0026quot;, \u0026quot;${user}@company.com\u0026quot;)\nThis regex (red) matches the complete address: the part before the \u0026ldquo;@\u0026rdquo; is temporarily saved in a group named \u0026ldquo;user\u0026rdquo; and the part after the \u0026ldquo;@\u0026rdquo; is temporarily saved in a group named \u0026ldquo;domain\u0026rdquo; (named capture groups in the regex expression).\nIn the last part (blue) we build our new \u0026ldquo;NameID\u0026rdquo; content, in our case \u0026ldquo;${user}@company.com\u0026rdquo;.\nBut you can of course change it to any format or combination you like.\nWhen finished, save \u0026amp; test!\nThis concludes the configuration change required for ADFS.\nAzureAD (Enterprise App) # Unfortunately for AzureAD the configuration is not GUI/Web based (yet). You will need to dive into PowerShell to achieve the same goal. 
And please note that the option is currently (30-09-2021) still in Preview, therefore we need to install and use the \u0026ldquo;AzureADPreview\u0026rdquo; PowerShell module.\nI will use the same approach, tactics and example as for ADFS.\nAs said before, because this feature is currently still in Preview we need to install and import the AzureADPreview module:\nInstall-Module -Name AzureADPreview [-AllowClobber] Import-Module AzureADPreview Once loaded, connect to AzureAD:\nConnect-AzureAD -Confirm The configuration for AzureAD is based on a JSON structure; here you define the claim (as with the custom claim rules in ADFS)\n{ \u0026#34;ClaimsMappingPolicy\u0026#34;: { \u0026#34;Version\u0026#34;: 1, \u0026#34;IncludeBasicClaimSet\u0026#34;: \u0026#34;false\u0026#34;, \u0026#34;ClaimsSchema\u0026#34;: [ { \u0026#34;Source\u0026#34;: \u0026#34;user\u0026#34;, \u0026#34;ID\u0026#34;: \u0026#34;userprincipalname\u0026#34; }, { \u0026#34;Source\u0026#34;: \u0026#34;transformation\u0026#34;, \u0026#34;ID\u0026#34;: \u0026#34;DataReplace\u0026#34;, \u0026#34;SamlClaimType\u0026#34;: \u0026#34;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\u0026#34;, \u0026#34;TransformationId\u0026#34;: \u0026#34;userattrb\u0026#34; } ], \u0026#34;ClaimsTransformations\u0026#34;: [ { \u0026#34;ID\u0026#34;: \u0026#34;userattrb\u0026#34;, \u0026#34;TransformationMethod\u0026#34;: \u0026#34;RegexReplace\u0026#34;, \u0026#34;InputClaims\u0026#34;: [ { \u0026#34;ClaimTypeReferenceId\u0026#34;: \u0026#34;userPrincipalName\u0026#34;, \u0026#34;TransformationClaimType\u0026#34;: \u0026#34;sourceClaim\u0026#34; } ], \u0026#34;InputParameters\u0026#34;: [ { \u0026#34;ID\u0026#34;: \u0026#34;regex\u0026#34;, \u0026#34;Value\u0026#34;: \u0026#34;@(?\u0026lt;domain\u0026gt;.+)\u0026#34; }, { \u0026#34;ID\u0026#34;: \u0026#34;replacement\u0026#34;, \u0026#34;Value\u0026#34;: \u0026#34;@company.com\u0026#34; } ], \u0026#34;OutputClaims\u0026#34;: [ { 
\u0026#34;ClaimTypeReferenceId\u0026#34;: \u0026#34;DataReplace\u0026#34;, \u0026#34;TransformationClaimType\u0026#34;: \u0026#34;outputClaim\u0026#34; } ] } ] } } The rename of the attribute ( \u0026ldquo;john.doe@customer.nl\u0026rdquo; to \u0026ldquo;john.doe@company.com\u0026rdquo; ) happens in the \u0026ldquo;ClaimsTransformations\u0026rdquo; section. There you will find the \u0026ldquo;TransformationMethod\u0026rdquo; with the value \u0026ldquo;RegexReplace\u0026rdquo;. The \u0026ldquo;InputParameters\u0026rdquo; section holds the regex that selects the text to be replaced, followed by the value with ID \u0026ldquo;replacement\u0026rdquo; that replaces the selected text.\n$claimDefinition = \u0026#39;{\u0026#34;ClaimsMappingPolicy\u0026#34;:{\u0026#34;Version\u0026#34;:1,\u0026#34;IncludeBasicClaimSet\u0026#34;:\u0026#34;false\u0026#34;,\u0026#34;ClaimsSchema\u0026#34;:[{\u0026#34;Source\u0026#34;:\u0026#34;user\u0026#34;,\u0026#34;ID\u0026#34;:\u0026#34;userprincipalname\u0026#34;},{\u0026#34;Source\u0026#34;:\u0026#34;transformation\u0026#34;,\u0026#34;ID\u0026#34;:\u0026#34;DataReplace\u0026#34;,\u0026#34;SamlClaimType\u0026#34;:\u0026#34;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\u0026#34;,\u0026#34;TransformationId\u0026#34;:\u0026#34;userattrb\u0026#34;}],\u0026#34;ClaimsTransformations\u0026#34;:[{\u0026#34;ID\u0026#34;:\u0026#34;userattrb\u0026#34;,\u0026#34;TransformationMethod\u0026#34;:\u0026#34;RegexReplace\u0026#34;,\u0026#34;InputClaims\u0026#34;:[{\u0026#34;ClaimTypeReferenceId\u0026#34;:\u0026#34;userPrincipalName\u0026#34;,\u0026#34;TransformationClaimType\u0026#34;:\u0026#34;sourceClaim\u0026#34;}],\u0026#34;InputParameters\u0026#34;:[{\u0026#34;ID\u0026#34;:\u0026#34;regex\u0026#34;,\u0026#34;Value\u0026#34;:\u0026#34;@(?\u0026lt;domain\u0026gt;.+)\u0026#34;},{\u0026#34;ID\u0026#34;:\u0026#34;replacement\u0026#34;,\u0026#34;Value\u0026#34;:\u0026#34;@company.com\u0026#34;}],\u0026#34;OutputClaims\u0026#34;:[{\u0026#34;ClaimTypeReferenceId\u0026#34;:\u0026#34;DataReplace\u0026#34;,\u0026#34;TransformationClaimType\u0026#34;:\u0026#34;outputClaim\u0026#34;}]}]}}\u0026#39; Tip: Convert the JSON code to a compressed version via PowerShell, by replacing the part starting with \u0026ldquo;{\u0026rdquo; and ending with \u0026ldquo;}\u0026rdquo; with the above code (the here-string is first parsed with ConvertFrom-Json, otherwise ConvertTo-Json would only encode it as one string):\n$compressedJson = @\u0026#34; { \u0026#34;Code\u0026#34;: \u0026#34;JSON\u0026#34; } \u0026#34;@ | ConvertFrom-Json | ConvertTo-Json -Compress -Depth 10 Next you will need to create a new \u0026ldquo;Azure AD Policy\u0026rdquo; with the above specified data (JSON)\n$newAzureADPolicy = New-AzureADPolicy -Definition @($claimDefinition) -DisplayName \u0026#34;TransformClaimsCustomer\u0026#34; -Type \u0026#34;ClaimsMappingPolicy\u0026#34; $newAzureADPolicy To apply (attach) the policy to your Enterprise App you will need to gather the Object ID of your Enterprise App. You can find it in the Manage section under Properties.\nCopy the GUID. You will need this for the next step.\nNext change the ID (\u0026quot;\u0026lt;EnterpriseAppObjectID\u0026gt;\u0026quot;) in the next code accordingly and execute the command\nAdd-AzureADServicePrincipalPolicy -Id \u0026lt;EnterpriseAppObjectID\u0026gt; -RefObjectId $newAzureADPolicy.ID Please note the following after the policy is applied: if you visit the Enterprise App, select \u0026ldquo;Single sign-on\u0026rdquo; (1) and click \u0026ldquo;Edit\u0026rdquo; (2), you will see a notification that a change was made via PowerShell.\nThis concludes the configuration change required for AzureAD.\nAs you can see there are several options available to manipulate the \u0026ldquo;NameID\u0026rdquo; before it\u0026rsquo;s being sent to a SP (Service Provider). 
In the next part I will show you how you can use a different AD attribute instead of the UPN.\n","date":"October 28, 2021","externalUrl":null,"permalink":"/posts/manipulate-the-nameid-saml-content-part-1/","section":"Blog","summary":"Some companies want to allow other (guest) companies to connect to their environment and for example allow them to open a Citrix Desktop. This can be achieved by connecting an existing Citrix environment to the guest company via SAML (and yes, there are other possibilities). SAML is an authentication method based on a two-way trust. Two Microsoft products that can offer SAML authentication are ADFS (Active Directory Federation Services, an on-premises solution) and an Enterprise App you can configure from the Azure portal. The other requirement is Citrix FAS (Federated Authentication Services). In this article I will show you a way to connect a guest (company) via SAML to allow them access to your Citrix environment without the need for adding the guest company\u0026rsquo;s suffix to your domain. ","title":"Manipulate the 'NameID' SAML content - part 1","type":"posts"},{"content":"","date":"April 20, 2021","externalUrl":null,"permalink":"/tags/decryption/","section":"Tags","summary":"","title":"Decryption","type":"tags"},{"content":"","date":"April 20, 2021","externalUrl":null,"permalink":"/tags/encryption/","section":"Tags","summary":"","title":"Encryption","type":"tags"},{"content":"A couple weeks ago someone asked me if OTP4ADC could also support encrypted tokens. And at that time I hadn\u0026rsquo;t done anything with encrypted tokens on a Citrix ADC. And if you have not heard of the OTP4ADC tool/script you can read my initial blog article from when I released the first version and the basics of how it works.\nFirst I started with reading the docs at Citrix but very soon after I got stuck\u0026hellip; I could not get the desired results with the Python script provided by Citrix. 
It simply didn\u0026rsquo;t work on my test machines. I could also not run it on the ADC because of the missing requirements. So I could not run the script and convert my pre-existing secrets to the encrypted format. Until today I have not yet figured out what went wrong.\nI reached out to the community and got help from Pat Patterson, someone who really knows a lot about Python, PowerShell and encryption; be sure to follow him on Twitter! He helped me with converting the code from Python to PowerShell. And after some initial tests I added the functions to the OTP4ADC tool/script.\nThe new functionality will be available as a new tab next to the already pre-existing features to add and manage the secrets for users, as already explained in my first article.\nYou can find the new v0.5.0 version at my GitHub repository:\nPublic (stable) version, Development version The Basics # There are two formats a secret can have in an Active Directory user attribute:\nClearText and Encrypted. ClearText # The clear text format is pretty basic: it starts with the two characters \u0026ldquo;#@\u0026rdquo;, followed by the device name (a string consisting of alphanumeric characters), a \u0026ldquo;=\u0026rdquo; character and again a string of alphanumeric characters depicting the secret, ending with \u0026ldquo;\u0026amp;,\u0026rdquo;. Everything after \u0026ldquo;#@\u0026rdquo; can be repeated when using multiple secrets. This results in a string like:\n#@Mobile=CHYA3NHIW2QPCGS4Z6VYLV6WBY\u0026amp;, Encrypted # The format for an encrypted secret is a bit different: the encrypted secret is JSON formatted. It follows basically the same structure with a device name and a secret (encrypted), but then in JSON format. 
{ \u0026#34;otpdata\u0026#34;: { \u0026#34;devices\u0026#34;: { \u0026#34;Mobile\u0026#34;: \u0026#34;9tdkfHjemvPj0odSbkKOASuvgkQ=.oWZC4ts_iOeLvEvK.0bb0wGYQFrdeL2su6BaEC5-kAgD4wLiBGJPo0j-55om9SKnE5vv-\u0026#34; } } } You can find more info about the encryption in the docs at Citrix.\nEncrypted Secrets # To use Native OTP (with or without encryption) you must have an Advanced (Enterprise) or higher license and configure your ADC\u0026rsquo;s LDAP profiles and nFactor configuration. I won\u0026rsquo;t go into these initial configuration steps as there are many blog articles available, like this one by Carl Stalhood, that show you how to configure and set up native OTP. What I will show you is how to enable encrypted secrets and convert the ones already in use. Make sure you configure the correct Active Directory attribute in the LDAP Action(s).\nIt is up to you how to proceed with the following steps. You can start directly with encryption and thus don\u0026rsquo;t need my tool to convert your pre-existing secrets. This new addition to my tool is mainly for the folks that already deployed Native OTP without encryption and want to improve the security. But if you just want to know how to enable secret encryption, skip to the Citrix ADC, enable encryption section near the end of this article.\nMy suggested order would be:\n1. Make sure Native OTP works with the ClearText secret so you\u0026rsquo;ll have a baseline. 2. Convert the current secrets (for example located in userParameters, let\u0026rsquo;s call this the source attribute) and save the converted (encrypted) secret to a different one (for example unixHomeDirectory, let\u0026rsquo;s call this the target attribute). 3. Configure the ADC to enable encryption. 4. Test the encrypted secrets. You will need a (web) certificate (public \u0026amp; private key) to use encryption. Without it the secret cannot be encrypted and decrypted. Make sure you have a certificate imported in your ADC. 
You can use a public or a self-signed certificate, that makes no difference. And have the certificate ready in PFX format to import it in your Windows machine to convert your secrets.\nConversion with OTP4ADC # To use the OTP4ADC tool you need a minimum PowerShell version of 5.1, but to use the encryption functionality you need to use PowerShell version 7.1 or higher. This is because certain encryption functions are not available in version 5.x. When a lower version of PowerShell is detected, the encryption functionality will be disabled.\nYou can find some more information about PowerShell 7 in the Microsoft Docs. You can also use the following one-liner to install PowerShell 7.x.\nInvoke-Expression \u0026#34;\u0026amp; { $(Invoke-RestMethod https://aka.ms/install-powershell.ps1) } -UseMSI\u0026#34; To run the script with PowerShell 7 you can use the following command:\n\u0026amp; \u0026#34;C:\\Program Files\\PowerShell\\7\\pwsh.exe\u0026#34; -ExecutionPolicy bypass \u0026#34;C:\\OTP4ADC\\OTP4ADC.ps1\u0026#34; To start with the conversion of ClearText secrets to Encrypted secrets, make sure you import the PFX into your (personal) Windows store and make a note of the certificate Thumbprint.\nNext you need to select an attribute operation (1). Here you can select one of the following options:\nConvert plaintext OTP secrets to an encrypted format - Use this option to convert ClearText formatted secrets in the source (current) attribute and save them into the target (new) attribute as encrypted formatted secrets. Convert the encrypted OTP secrets back to plaintext - Use this option to convert the encrypted secret in the source (current) attribute and save it into the target (new) attribute as a ClearText formatted secret. Update the certificate to a new certificate - Use this option to decrypt all source (current) attributes with the current certificate, encrypt them again with the new certificate and save them into the target (new) attribute. 
Next select the source/target attribute save option (2). Here you can determine if you want to save the attribute in the current one (source = target) or save the changed data to a different attribute.\nSave to same attribute - This will overwrite your previous attribute value with the new converted value. Save to different attribute - This option will save the converted attribute value to a different attribute of your choosing, the safest option! You will still have access to your original secrets. Be sure to remove the original values at some point if everything is good to go. Depending on the previous selections you need to fill in the following fields.\nCurrent Attribute (3) - This is the current (source) attribute, where the secrets are currently stored. New Attribute (4) - This is the new (target) attribute location, where the converted secrets are being saved to. Current Certificate (5) - If the source attribute is encrypted, this needs to contain the Thumbprint to decrypt the attribute data. New Certificate (6) - If the target attribute needs to be encrypted, this field must contain the Thumbprint of the new certificate. If you want to save all events to a logfile, select the logfile and location by clicking the Browse button (8) and the path will be shown in the Log File field (7).\nWhen everything is ready you can click the Convert button (9). The status of the conversion will be shown in the progress bar (10).\nWhen all your target attributes are encrypted you will be asked if you want to save the used (new) Thumbprint into the settings.\nIf you have chosen Yes to the previous choice, you will find the new Certificate Thumbprint in the Settings tab. Here you can also indicate whether the secrets in the attribute are encrypted.\nIf everything went well you can continue and change the settings in the ADC configuration.\nCitrix ADC, enable encryption # To enable encryption you need to enable it on the Citrix ADC. 
As said earlier, make sure you added the Certificate to the ADC. You need it in the next steps. Choose either the CLI or GUI steps.\nCLI # bind vpn global -userDataEncryptionKey otp_encryption2 set aaa otpparameter -encryption ON GUI # Log on to the Citrix ADC administration page and go to Security / AAA - Application Traffic. Under Policy Manager click Certificate Bindings. Next click Add next to the User Data Encryption Key field.\nClick Add Binding.\nSelect the Certificate you want to use for the encryption and decryption of the secrets. Click OK when the certificate is added.\nNext click Create to finish the action.\nNow you have a certificate and are ready to enable the encryption.\nUnder Authentication Settings click the link Change authentication AAA OTP Parameter.\nCheck the OTP Secret encryption checkbox to enable encryption.\nAnd finally, if you have configured the search filter on your LDAP Action (like George Spiers blogged about) for your verify profile like:\nuserParameters\u0026gt;=#@ You might want to change it to the following string (change your attribute name accordingly):\nuserParameters\u0026gt;={\u0026#34;otpdata\u0026#34; This should be it. If all went well you should be able to use the new encrypted secrets.\nPlease reach out to me via Github, Slack (World of EUC), twitter or contact form if you have issues or ideas.\n","date":"April 20, 2021","externalUrl":null,"permalink":"/posts/manage-native-otp-tokens-via-windows-part-2/","section":"Blog","summary":"A couple weeks ago someone asked me if OTP4ADC could also support encrypted tokens. And at that time I hadn’t done anything with encrypted tokens on a Citrix ADC. 
And if you have not heard of the OTP4ADC tool/script you can read my initial blog article from when I released the first version and the basics of how it works.\n","title":"Manage Native OTP tokens via Windows, Part 2","type":"posts"},{"content":"","date":"April 20, 2021","externalUrl":null,"permalink":"/tags/native-otp/","section":"Tags","summary":"","title":"Native OTP","type":"tags"},{"content":"","date":"April 20, 2021","externalUrl":null,"permalink":"/tags/otp4adc/","section":"Tags","summary":"","title":"OTP4ADC","type":"tags"},{"content":"","date":"April 20, 2021","externalUrl":null,"permalink":"/tags/secret/","section":"Tags","summary":"","title":"Secret","type":"tags"},{"content":"","date":"April 20, 2021","externalUrl":null,"permalink":"/tags/token/","section":"Tags","summary":"","title":"Token","type":"tags"},{"content":"","date":"September 29, 2020","externalUrl":null,"permalink":"/tags/gui/","section":"Tags","summary":"","title":"GUI","type":"tags"},{"content":"Today I want to release an early (beta) version of a new tool I created, \u0026ldquo;OTP4ADC\u0026rdquo;. With this tool you can add, remove or change the native OTP tokens used within your Citrix ADC, previously called NetScaler. It\u0026rsquo;s a PowerShell script, but when you run it a GUI will be shown.\nOTP4ADC There are currently many excellent articles available that explain how to set up the native OTP functionality and how it works. So I won\u0026rsquo;t go into those details here.\nWhile setting up the native OTP functionality you will have to choose an Active Directory user attribute where the native OTP token(s), also called the \u0026ldquo;secret\u0026rdquo;, will be stored. The initial suggestion is the \u0026ldquo;userParameters\u0026rdquo; attribute. I\u0026rsquo;ve used this attribute name as default for this script. 
But you can change it to whatever you are using, for example \u0026ldquo;extensionAttribute1\u0026rdquo;.\nPlease note that when managing other users\u0026rsquo; OTP tokens you must have administrative (AD) permissions to read/write the given attribute and run the script on a domain-joined member machine, for example your management server/desktop.\nThis script uses two PowerShell modules:\nActiveDirectory; This is a module that must be installed as a feature: Install-WindowsFeature RSAT-AD-PowerShell QRCodeGenerator; This is a PowerShell Gallery module that needs to be installed (the script can also install this module). Without this module the script has no ability to generate a QR image: Install-Module -Name QRCodeGenerator To show the GUI you can just run this script without any parameters. You can however specify some parameters. These values will be prefilled in the GUI, like the attribute or portal/gateway FQDN name.\nExample:\n.\\OTP4ADC.ps1 -attribute \u0026#34;extensionAttribute1\u0026#34; -GatewayURI \u0026#34;gw.domain.com\u0026#34; Run the script and use \u0026ldquo;extensionAttribute1\u0026rdquo; as attribute name and \u0026ldquo;gw.domain.com\u0026rdquo; as the Gateway URI\nHow to work with the tool?\nThe GUI has 3 groups: \u0026ldquo;User\u0026rdquo; (3) where the user can be found/selected, \u0026ldquo;TOTP\u0026rdquo; (4) where a secret can be generated and \u0026ldquo;QR\u0026rdquo; (5) where the QR with the selected secret can be shown/exported.\nTo start using the GUI you will have to find a user: type a (partial) username in the \u0026ldquo;Username\u0026rdquo;-field (6) and press [Enter] or click the \u0026ldquo;Search\u0026rdquo;-button (7). One or more matches will be shown; select the User object you want to manage. If the user has any pre-existing OTP-Secrets they will be shown in the OTP view.\nIf you for example want to delete one OTP-Secret, select the one you want to delete (9) and click the \u0026ldquo;Delete\u0026rdquo;-button (10). 
To save click the \u0026ldquo;Save\u0026rdquo;-button (11).\nIf you want to load the OTP-Secret, select the one you want to load (9) and click the \u0026ldquo;Load\u0026rdquo;-button (10). The Secret will be shown in the Secret field (14).\nIf you want to generate a new OTP-Secret, click the \u0026ldquo;Generate Secret\u0026rdquo;-button (13), add a \u0026ldquo;Device Name\u0026rdquo; for this secret (15) and click the \u0026ldquo;Add\u0026rdquo;-button (16). The \u0026ldquo;Device Name\u0026rdquo; is the name that will be shown when visiting the manageotp site (e.g. https://portal.domain.com/manageotp).\nTo generate a QR for the new or loaded OTP-Secret you must have filled in the \u0026ldquo;Gateway fqdn\u0026rdquo;-field (2); you can do this manually or by parameter as explained earlier. When ready click the \u0026ldquo;Generate QR\u0026rdquo;-button (17); if all goes well a QR Code will be shown (5).\nYou can export the QR by clicking the \u0026ldquo;Export QR\u0026rdquo;-button (18), for example to send to a user if they cannot set up or configure it by themselves.\nMaybe more features will be added in time. But for now this is it.\nYou can find the latest version on GitHub: https://github.com/j81blog/OTP4ADC\nPlease note that everything is at your own risk; test and use this tool carefully as it will make changes to your users! Please don\u0026rsquo;t blame me if anything goes wrong. This tool is in its early (beta) stages, so please reach out to me via Github, Slack, twitter or mail if you have issues or ideas. ","date":"September 29, 2020","externalUrl":null,"permalink":"/posts/manage-native-otp-tokens-via-windows/","section":"Blog","summary":"Today I want to release an early (beta) version of a new tool I created, “OTP4ADC”. With this tool you can add, remove or change the native OTP tokens used within your Citrix ADC, previously called NetScaler. 
","title":"Manage Native OTP tokens via Windows","type":"posts"},{"content":"","date":"September 29, 2020","externalUrl":null,"permalink":"/tags/otp/","section":"Tags","summary":"","title":"OTP","type":"tags"},{"content":"","date":"September 29, 2020","externalUrl":null,"permalink":"/tags/qr/","section":"Tags","summary":"","title":"QR","type":"tags"},{"content":"","date":"September 29, 2020","externalUrl":null,"permalink":"/tags/totp/","section":"Tags","summary":"","title":"TOTP","type":"tags"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/application-masking/","section":"Tags","summary":"","title":"Application Masking","type":"tags"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/categories/fslogix/","section":"Categories","summary":"","title":"FSlogix","type":"categories"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/fslogix/","section":"Tags","summary":"","title":"FSlogix","type":"tags"},{"content":" A while ago I was asked to apply FSLogix App Masking at a company to hide MS Office for certain users. Normally with just Active Directory that’s a done deal. But the targets were Intune managed. And since FSLogix Application Masking Is not yet supporting AzureAD we had to find other options.\nWe found that Hybrid Azure AD-joined offered us the best of both worlds (until Microsoft will support AzureAD in FSLogix App Masking)\nI will not describe in this article how to configure a Hybrid Azure-AD configuration, but this site is a good starting point.\nTo start we will need a copy of FSLogix and a valid license is required. 
More information about the license requirements can be found here.\nDownload the latest version of FSLogix from this location.\nAt the time of writing the version is 2004.\nExtract the 2 files:\nFSLogixAppsSetup.exe FSLogixAppsRuleEditorSetup.exe Install these two files on a test target device.\nAfter these applications are installed you can get the installation GUIDs, for example via PowerShell; we will use these GUIDs later in this article.\nGet-WmiObject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize #MSI GUID for Microsoft FSLogix Apps: {98BEF1EB-609D-4C0F-8FF1-FA0C17CF7108} #MSI GUID for Microsoft FSLogix Apps RuleEditor: {501A1A8E-6628-48AB-9B06-56C0284D1707} EXE files are unfortunately not as easy to distribute as MSI files. But there is a solution: create a Win32 app package of the EXE files. To create a Win32 package (.intunewin file) you will need the “Microsoft-Win32-Content-Prep-Tool” (IntuneWinAppUtil.exe), which can be downloaded here. At the time of writing v1.8.1 was the latest version. 
More information about this tool can be found here.\nDownload the tool and extract “IntuneWinAppUtil.exe”.\nTo create these packages start by creating two folders and place the respective files “FSLogixAppsSetup.exe” and “FSLogixAppsRuleEditorSetup.exe” in those folders.\nStart by opening Command Prompt with administrative privileges.\nYou can create the necessary packages by executing the following command:\nIntuneWinAppUtil.exe -c \u0026#34;\u0026lt;source_folder\u0026gt;\u0026#34; -s \u0026#34;\u0026lt;source_setup_file\u0026gt;\u0026#34; -o \u0026#34;\u0026lt;output_folder\u0026gt;\u0026#34; -q For our FSLogix Agent executable the command will be:\nIntuneWinAppUtil.exe -q -c \u0026#34;C:\\Sources\\FSLogix2004Agent\u0026#34; -s \u0026#34;FSLogixAppsSetup.exe\u0026#34; -o \u0026#34;C:\\Sources\\\u0026#34; And for the FSLogix RulesEditor:\nIntuneWinAppUtil.exe -q -c \u0026#34;C:\\Sources\\FSLogix2004RulesEditor\u0026#34; -s \u0026#34;FSLogixAppsRuleEditorSetup.exe\u0026#34; -o \u0026#34;C:\\Sources\\\u0026#34; We are now ready to import the applications in Intune and distribute them to our test machine.\nGo to Intune and log on.\nSelect “Apps” and select “Windows Apps”.\nNext click “Add”.\nClick “Windows app (Win32)” and click the “Select” button.\nClick “Select app package file”.\nNext select the created .intunewin file and click “OK” to continue.\nEnter a Name, Description and a Publisher. All other items are optional.\nClick “Next” when finished.\nNext enter the “Install” and “Uninstall” commands and leave install behavior set to “System”. Select “Next” when finished.\n#Install: FSLogixAppsSetup.exe /install /quiet /norestart #Uninstall: FSLogixAppsSetup.exe /uninstall /quiet /norestart In our case select 64-bit and Windows build 1903. You can fill in the rest, but these are also optional. 
Click “Next” when finished.\nNext we need to add a detection rule; this way Intune can verify if the software was installed.\nSelect the rule format “Manually configure detection rules”.\nClick “Add” to add a detection rule.\nSelect the type “MSI” and enter the respective MSI GUID we collected earlier and click “OK”.\n#MSI GUID: {98BEF1EB-609D-4C0F-8FF1-FA0C17CF7108} Click “Next” to continue to the next step.\nIf you want, you can add Dependencies. As this is not necessary for this application we can click “Next” to continue.\nNext click “Add Group” to add a group. The intention is that you can add computers to that group. Each member will receive the application. You can also skip this for now and configure this later.\nClick “Next” to continue.\nFinally click “Create” to create the application in Intune.\nNext do the same for the FSLogix Rule Editor.\n#Install: FSLogixAppsRuleEditorSetup.exe /install /quiet /norestart #Uninstall: FSLogixAppsRuleEditorSetup.exe /uninstall /quiet /norestart #MSI GUID: {501A1A8E-6628-48AB-9B06-56C0284D1707} Now wait for the Applications to get installed on the test device.\nWhen installed, run the FSLogix Apps RuleEditor with Administrative privileges.\nCreate a new Rule Set.\nGive the set a name like “MSOffice365”.\nNOTE: The rules will be saved in the Documents folder by default.\nNext select the application we want to hide, in this case Microsoft Office. Click “Scan”.\nIf you have extra language packs click “Add Another Application”.\nSelect the other application and click “Scan”.\nIf needed you can add extra files, folders or other objects to hide.\nYou can test the rules by selecting “Apply Rules to System”. As soon as this option is selected the rules are active. If you select the option again the rules are disabled.\nSelect “Manage Assignments” in the File menu.\nFrom the documentation:\n“Assignments are executed from top to bottom.\nConsider if two assignments were made for the same Rule Set. 
The first assignment applies the Rule Set to Everyone, the second specifies the Rule Set does NOT apply to User1. In this case, the Rule Set would apply to everyone except User1.” (More Info)\nIf you want to hide MS Office only for a certain group and allow it for anyone else you can configure the following assignments.\nYou can change the “Applies” option by selecting the rule and changing the option.\nIf you want to hide MS Office for everyone and only show it to members of a certain group you can configure the following assignment.\nNOTE: In tests this way didn\u0026rsquo;t prove to be reliable. There were issues during first login and the Intune deployment.\nI’ve seen that the usage of an Active Directory group directly in the Assignment Rules did not always apply to new users. Until today I haven’t figured out why that happened. Maybe something to do with hybrid joined machines and timing?\nI found out that using a Local group in between did the trick. If you want to configure it for yourself try first without the local group. If this doesn’t give consistent results try it with the following steps.\nCreate a (new) GPO and link it to the OU where the Hybrid Computer accounts are stored.\nNavigate to “Computer Configuration” / “Preferences” / “Control Panel Settings” / “Local Users and Groups”\nSelect “New” / “Local Group” in the “Action” menu.\nEnter a (Local) Group name and add the AD Group as a member. You can use for example the same name as the Domain Group. This way a Local Group will be added to each (Hybrid) Domain joined target.\nTo use this Local Group we need to make a change to the FSLogix Masking Rules.\nOpen the “File” menu and select the “Manage Assignments” option.\nDouble-click the Domain Group.\nYou can now change it to the Local Group.\nTo distribute the rules to our clients we’re going to create an MSI file. MSIs are easy to distribute via Intune. 
MSIs can be created with the free version of Advanced Installer.\nStart by creating a “Simple” project.\nSelect “Product Details” and enter the Product Name and Publisher. You can leave the version number for now. If you ever want to update the rules, simply reopen this project, change the rules and update the version, for example to v1.0.1.\nYou’ll have to make different packages, one for 32-bit and one for 64-bit, to get the files in the right location. As our target OS is 64-bit we are going to make a 64-bit package.\nSet the package to 64-bit under Install Parameters. Optionally you can set the “Limit to basic user interface” option.\nGo to “Files and Folders”, right click “Program Files 64” (this will be the “Program Files” directory on a 64-bit OS) and create the folder structure “FSLogix\\Apps\\Rules”\nDo you remember where we created the AppMasking Rules? (Hint: by default in the Documents folder, or where you saved them)\nDrag the rules files into the created folder.\nWhen you are finished making the project, save it.\nFinally click the Build button. In the location where you saved the project a new directory will be created, “<Project name>-SetupFiles”, where the MSI will be stored.\nInstall the MSI on a test machine and validate that the files are in the expected directory.\nYou can verify and get the MSI install GUID on the installed machine (we are going to need this later on)\nGet-WmiObject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize\nIf you have validated the files you can uninstall the MSI so we can import it in Intune and test the deployment.\nGo back to Intune again and add an application.\nThis time add a “Line-of-business app” to add an MSI file.\nClick “Select app package file”.\nSelect the MSI file we created earlier.\nAdd a name for your application and a description. Also add a Publisher, for example your company name, because you have created these rules. 
You can add extra command-line arguments here, but that is not necessary for our created MSI file. The rest is optional. Click “Next” when finished.\nAgain you can add an assignment or do this at a later stage. Click “Next” when finished.\nFinally click “Create” to create the App.\nAfter you have assigned it you can verify it in the App Overview.\nAnd you can verify it on the target device by checking the Program Files directory.\nAnd that’s it. I know that these are a lot of steps.\n","date":"July 5, 2020","externalUrl":null,"permalink":"/posts/how-to-use-fslogix-appmasking-on-intune-managed-devices/","section":"Blog","summary":" A while ago I was asked to apply FSLogix App Masking at a company to hide MS Office for certain users. Normally with just Active Directory that’s a done deal. But the targets were Intune managed. And since FSLogix Application Masking is not yet supporting AzureAD we had to find other options.\n","title":"How to use FSlogix AppMasking on Intune managed devices","type":"posts"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/categories/intune/","section":"Categories","summary":"","title":"Intune","type":"categories"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/intune/","section":"Tags","summary":"","title":"Intune","type":"tags"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/intunewin/","section":"Tags","summary":"","title":"Intunewin","type":"tags"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/intunewinapputil/","section":"Tags","summary":"","title":"IntuneWinAppUtil","type":"tags"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/rules/","section":"Tags","summary":"","title":"Rules","type":"tags"},{"content":"","date":"July 5, 2020","externalUrl":null,"permalink":"/tags/win32/","section":"Tags","summary":"","title":"Win32","type":"tags"},{"content":"A lot of new users used my script after writing my first blog article 
for Citrix. Since then I have made some improvements and continue to add new features. Today I released the latest version of my “GenLeCertForNS” script. Within this version I solved some issues and improved the overall speed (especially with larger orders).\nRelease Notes # FIXED: “ERROR: Could not create the order.”; While testing (thanks to Roger, Julian, Erik and Andrew) we saw that updating the script wasn’t always the complete solution. Specifying the parameter “-CleanPoshACMEStorage” after updating the script helped to fix this issue completely. This will clean up the %LOCALAPPDATA%\\Posh-ACME directory.\nCHANGED: Removed the verbose logging; I didn’t like the output to screen. Therefore I added a logging function to write everything to a log file, resulting in a cleaner output to the screen. Specifying the “-Verbose” option has no particular use anymore.\nCHANGED: Overall speed; Changed the internal process of configuring the Citrix ADC, thus improving the speed.\nNEW: Version check to notify you if there is a new (dev) version available.\nSometimes I get the question: which name must I specify with the “-NSCertNameToUpdate” parameter? The name you need to specify is the name you entered when adding the certificate for the first time (“Certificate-Key Pair Name”); now you can reuse this name by updating this object. By updating this certificate you don’t have to change the binding on each VIP.\nGet the new version # Get the new version here: v2.6.3\nDevelopment # I’m still developing the script to add new features and improve it. If you experience issues let me know; you can also check the dev channel and verify if you still experience it. The upcoming features currently in dev (v2.7.x):\nNEW: Email functionality; The option to send a mail after the script is finished. 
Activated by specifying the “-SendMail” parameter; the following are also required: “-SMTPTo, -SMTPFrom, SMTPServer and optionally, if required, -SMTPCredential”.\nIMPROVED: “-NSCertNameToUpdate”; In previous versions you could only specify this parameter if you had an existing certificate you wanted to update. With the newer version you can specify this parameter regardless. If the certificate name doesn’t yet exist it will be created. ","date":"February 19, 2020","externalUrl":null,"permalink":"/posts/genlecertforns-new-update/","section":"Blog","summary":"A lot of new users used my script after writing my first blog article for Citrix. Since then I have made some improvements and continue to add new features. Today I released the latest version of my “GenLeCertForNS” script. Within this version I solved some issues and improved the overall speed (especially with larger orders).\n","title":"GenLeCertForNS New Update","type":"posts"},{"content":"","date":"February 19, 2020","externalUrl":null,"permalink":"/categories/lets-encrypt/","section":"Categories","summary":"","title":"Let's Encrypt","type":"categories"},{"content":"","date":"February 19, 2020","externalUrl":null,"permalink":"/tags/lets-encrypt/","section":"Tags","summary":"","title":"Let's Encrypt","type":"tags"},{"content":"","date":"February 19, 2020","externalUrl":null,"permalink":"/categories/uncategorized/","section":"Categories","summary":"","title":"Uncategorized","type":"categories"},{"content":"","date":"January 29, 2019","externalUrl":null,"permalink":"/categories/nutanix/","section":"Categories","summary":"","title":"Nutanix","type":"categories"},{"content":"","date":"January 29, 2019","externalUrl":null,"permalink":"/tags/nutanix/","section":"Tags","summary":"","title":"Nutanix","type":"tags"},{"content":"","date":"January 29, 
2019","externalUrl":null,"permalink":"/tags/nutanixcmdletspssnapin/","section":"Tags","summary":"","title":"NutanixCmdletsPSSnapin","type":"tags"},{"content":"Recently I needed to script some actions for a VM on Nutanix AHV. I wanted to share with you some of the commands I found and used. I created a small function (Wait-NTNXTask) that verifies the task and waits until the task is finished. Please note that this is optional and not required to run the commands specified in this blog.\nTo start with Nutanix AHV and PowerShell you need to install the PowerShell Cmdlets. You can find the snap-ins when you click on your name and select “Download Cmdlets Installer”. Add the snap-ins to your script or session:\nif ([string]::IsNullOrEmpty($(Get-PSSnapin -Name NutanixCmdletsPSSnapin -Registered -ErrorAction SilentlyContinue))) {\n    if (Test-Path \"C:\\Program Files (x86)\\Nutanix Inc\\NutanixCmdlets\\powershell\\import_modules\\ImportModules.PS1\") {\n        . \"C:\\Program Files (x86)\\Nutanix Inc\\NutanixCmdlets\\powershell\\import_modules\\ImportModules.PS1\"\n    } else {\n        Write-Error \"Could not load NutanixCmdletsPSSnapin\"\n    }\n} else {\n    if ([string]::IsNullOrEmpty($(Get-PSSnapin -Name NutanixCmdletsPSSnapin -ErrorAction SilentlyContinue))) {\n        Add-PSSnapin NutanixCmdletsPSSnapin\n    }\n}\nIf you want to view all the commands associated with “NutanixCmdletsPSSnapin” run the following command:\nGet-Command -PSSnapin NutanixCmdletsPSSnapin | Group-Object Noun | Select-Object Count,Name,@{Name=\"Verb\"; Expression = {$_.Group.Verb -join \",\"}} | Sort-Object Name\nView the Cmdlet (version) information:\nGet-NTNXCmdletsInfo\nBefore we can make changes we need to create a connection:\n$hypervisorURI = \"nutanixcluster.domain.local\"\n$userName = \"john\"\n$password = ConvertTo-SecureString -String \"SuperSecretP@ssw0rd\" -AsPlainText 
-Force\n# Ensure previous Nutanix Sessions are disconnected\nDisconnect-NTNXCluster *\n#Connect a new Nutanix Session\n$connection = Connect-NutanixCluster -Server $hypervisorURI -UserName $userName -Password $password -AcceptInvalidSSLCerts -ForcedConnection\nNOTE: If you receive the following error, “The remote server returned an error: (401) Unauthorized.”, you will need to reconnect. It may be that the connection has timed out. Get the VM so we can use its IDs:\n$vm = Get-NTNXVM -SearchString $vmName\nCreate a new snapshot for a given VM:\n$snapshotName = \"SnapshotName\"\n$newSnapshot = New-NTNXObject -Name SnapshotSpecDTO\n$newSnapshot.vmuuid = $vm.uuid\n$newSnapshot.snapshotname = $snapshotName\n$task = New-NTNXSnapshot -SnapshotSpecs $newSnapshot\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nRetrieve all the available snapshots for a given VM:\n$snapshots = Get-NTNXSnapshot | Where-Object {$_.vmUuid -eq $vm.uuid}\nGet a particular snapshot for a given VM; if there are multiple snapshots with the same name all will be returned. 
In this example we will retrieve the last available snapshot:\n$snapshotName = \"SnapshotName\"\n$snapshot = Get-NTNXSnapshot | Where-Object {($_.vmUuid -eq $vm.uuid) -and ($_.snapshotname -eq $snapshotName)} | Select-Object -Last 1\nRevert back to a snapshot for a given VM:\n$snapshotName = \"SnapshotName\"\n$snapshot = Get-NTNXSnapshot | Where-Object {($_.vmUuid -eq $vm.uuid) -and ($_.snapshotname -eq $snapshotName)} | Select-Object -First 1\n$task = Restore-NTNXVirtualMachine -Vmid $vm.vmId -SnapshotUuid $snapshot.uuid\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nRemoving one or more snapshots for a given VM:\n$snapshotName = \"SnapshotName\"\n$snapshots = Get-NTNXSnapshot | Where-Object {($_.vmUuid -eq $vm.uuid) -and ($_.snapshotname -eq $snapshotName)}\nForeach ($snapshot in $snapshots){\n    Write-Verbose \"Removing snapshot:$($snapshot | Select-Object snapshotName,uuid | Format-List | Out-String)\" -Verbose\n    $task = Remove-NTNXSnapshot -Uuid $snapshot.uuid\n    Wait-NTNXTask -taskUuid $task.taskUuid -silent\n}\nYou can also add or remove disks on a given VM. Below is a working example of how to remove disks and add them again with the same parameters:\n$CurrentDisks = Get-NTNXVMDisk -Vmid $vm.vmId -IncludeDiskSizes | Where-Object {$_.isCdrom -eq $false}\n$CurrentDisks = $CurrentDisks | Sort-Object id\nIf(-not [string]::IsNullOrEmpty($CurrentDisks)) {\n    #Remove Disk(s)\n    Foreach ($CurrentDisk in $CurrentDisks){\n        Write-Verbose \"Removing disk: $($CurrentDisk.id) with size: $($CurrentDisk.vmDiskSize / 1GB)GB\" -Verbose\n        $task = Remove-NTNXVMDisk -Vmid $vm.vmId -Diskaddress $CurrentDisk.id\n        Wait-NTNXTask -taskUuid $task.taskUuid -silent\n    }\n    #Add (new) disks with the same specification\n    Foreach ($CurrentDisk in $CurrentDisks){\n        Write-Verbose \"Creating disk specification. 
Disksize: $($CurrentDisk.vmDiskSize / 1GB)\" -Verbose\n        $diskSpecCreate = New-NTNXObject -Name VmDiskSpecCreateDTO\n        $diskSpecCreate.containerid = $CurrentDisk.containerId\n        $diskSpecCreate.size = $CurrentDisk.vmDiskSize\n        Write-Verbose \"Specification:$($diskSpecCreate | Select-Object containerId,size | Format-List | Out-String)\" -Verbose\n        $newVMDisk = New-NTNXObject -Name VMDiskDTO\n        $newVMDisk.vmDiskCreate = $diskSpecCreate\n        $task = Add-NTNXVMDisk -Vmid $vm.vmId -Disks $newVMDisk\n        Wait-NTNXTask -taskUuid $task.taskUuid -silent\n    }\n}\nYou can also manipulate the CD-ROM drive attached to your VM to mount or un-mount an ISO file. First we need to retrieve the details for the CD-ROM drive attached to a given VM:\n$isoDisk = Get-NTNXVMDisk -Vmid $vm.vmId | Where-Object {$_.isCdrom -eq $true}\nIt can be that you have multiple CD-ROM drives attached to a given VM. Make sure you have selected only one. In the next example we will check if there are multiple drives; if so, we’ll select the first one. 
(You can make your selection as you see fit)\n$isoDisk = Get-NTNXVMDisk -Vmid $vm.vmId | Where-Object {$_.isCdrom -eq $true} | Select-Object -First 1\nTo check if a CD-ROM drive already contains an image or is empty:\n$isoDisk.isEmpty\nTo list and get the names of all the available ISO files uploaded you can run the following command:\nGet-NTNXImage | Where-Object {$_.imageType -eq \"ISO_IMAGE\"} | Select-Object name\nTo mount an ISO to an (existing) CD-ROM drive:\n#Specify the name of the ISO and retrieve the object\n$isoImageName = \"Windows 10 Business Editions 1803 EN\"\n$isoImage = (Get-NTNXImage | Where-Object {$_.name -eq $isoImageName})\n#Create new objects with the required changes\n$diskSpecClone = New-NTNXObject -Name VMDiskSpecCloneDTO\n$diskSpecClone.vmDiskUuid = $isoImage.vmDiskId\n$diskUpdateSpec = New-NTNXObject -Name VMDiskUpdateSpecDTO\n$diskUpdateSpec.vmDiskClone = $diskSpecClone\n#Write the changes to the VM\n$task = Set-NTNXVMDisk -Vmid $vm.vmId -Diskaddress $isoDisk.id -UpdateSpec $diskUpdateSpec\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nTo un-mount an ISO attached to the CD-ROM drive:\n$diskUpdateSpec = New-NTNXObject -Name VMDiskUpdateSpecDTO\n$diskUpdateSpec.isEmpty = $true\n$task = Set-NTNXVMDisk -Vmid $vm.vmId -Diskaddress $isoDisk.id -UpdateSpec $diskUpdateSpec\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nIf you want NIC details, for example if you want to know the MAC address of a given VM:\nGet-NTNXVMNIC -Vmid $vm.vmId\nAnd finally, how to turn a given VM on or off. 
Power on a given VM:\n$task = Set-NTNXVMPowerOn -Vmid $vm.vmId\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nPower off a given VM:\n$task = Set-NTNXVMPowerOff -Vmid $vm.vmId\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nSpecifying the transition, for example to nicely shut down a given VM:\n$task = Set-NTNXVMPowerState -Vmid $vm.vmId -Transition ACPI_SHUTDOWN\nWait-NTNXTask -taskUuid $task.taskUuid -silent\nThe following Transitions can be specified:\nACPI_REBOOT\nACPI_SHUTDOWN\nOFF\nON\nPAUSE\nPOWERCYCLE\nRESET\nRESUME\nSUSPEND\nRecently Kees Baggerman informed me that Nutanix was working on some new PowerShell Cmdlets. Unfortunately I didn’t have the time to look at them. Hope this will help you. ","date":"January 29, 2019","externalUrl":null,"permalink":"/posts/some-nutanix-ahv-powershell-commands-i-found-useful/","section":"Blog","summary":"Recently I needed to script some actions for a VM on Nutanix AHV. I wanted to share with you some of the commands I found and used. I created a small function (Wait-NTNXTask) that verifies the task and waits until the task is finished. 
Please note that this is optional and not required to run the commands specified in this blog.\n","title":"Some Nutanix AHV PowerShell Commands I found useful","type":"posts"},{"content":"","date":"November 8, 2018","externalUrl":null,"permalink":"/tags/grid/","section":"Tags","summary":"","title":"GRID","type":"tags"},{"content":"","date":"November 8, 2018","externalUrl":null,"permalink":"/tags/license/","section":"Tags","summary":"","title":"License","type":"tags"},{"content":"","date":"November 8, 2018","externalUrl":null,"permalink":"/categories/nvidia/","section":"Categories","summary":"","title":"NVIDIA","type":"categories"},{"content":"","date":"November 8, 2018","externalUrl":null,"permalink":"/tags/nvidia/","section":"Tags","summary":"","title":"NVIDIA","type":"tags"},{"content":"I recently needed to get some NVIDIA GRID license details in PowerShell for a customer’s monitoring solution. Unfortunately there was no PowerShell script available and there is also no API available to get these details. But I still needed the data in PowerShell, so I created a script that does just that. It will retrieve the website with the details, clean it up and present you with an object with the data. Just run the script on your license server (or from another server, but remember to open the firewall port first) and you will get the details. You can find the script here:\nThank you Rasmus Raun-Nielsen (@RBRConecto) for testing and providing feedback! NOTE: I cannot guarantee it will work with all versions; I only had the opportunity to test it with the latest 2 versions.\n","date":"November 8, 2018","externalUrl":null,"permalink":"/posts/view-nvidia-grid-license-details-via-powershell/","section":"Blog","summary":"I recently needed to get some NVIDIA GRID license details in PowerShell for a customer’s monitoring solution. Unfortunately there was no PowerShell script available and there is also no API available to get these details. 
But I still needed the data in PowerShell, so I created a script that does just that. It will retrieve the website with the details, clean it up and present you with an object with the data. Just run the script on your license server (or from another server, but remember to open the firewall port first) and you will get the details. You can find the script here:\n","title":"View NVIDIA GRID license details via PowerShell","type":"posts"},{"content":"","date":"September 20, 2018","externalUrl":null,"permalink":"/tags/citrix-files/","section":"Tags","summary":"","title":"Citrix Files","type":"tags"},{"content":"","date":"September 20, 2018","externalUrl":null,"permalink":"/tags/office-online/","section":"Tags","summary":"","title":"Office Online","type":"tags"},{"content":"Recently I had to configure a new NetScaler Citrix ADC for a new ShareFile Citrix Files deployment. Two Storage Zone Controllers load balanced via a Citrix ADC with a Content Switch. Nothing out of the ordinary. It was when I activated the Office Online functionality on the Storage Zone Controller configuration page that the error messages appeared. Each time we tried to open an Office document we got an error: “Sorry, there was a problem and we can’t open this document. If this happens again, try opening the document in Microsoft Word.” for Word documents and “We couldn’t find the file you wanted. It’s possible the file was renamed, moved or deleted.” for Excel documents. I followed all the necessary checks as described in a Citrix Files article. But everything turned out okay; it worked as expected. What could it be? As it turned out, the NetScaler SSL configuration was configured too high!? I always want that A+ on SSL Labs, the same with this setup. It was when I reverted the Content Switch to its default SSL parameters (TLS 1.0 and the default cipher suite) that Office Online started functioning. 
It could not retrieve the documents from the Storage Zone Controllers and thus it gave me these error messages. Luckily I had a separate Content Switch for internal and external traffic. I only had to lower the SSL settings on the internal Content Switch; this is the Content Switch the Office Online server was communicating with. So I hope Microsoft will add support for TLS 1.2 in Office Online (and give it some updates).\n","date":"September 20, 2018","externalUrl":null,"permalink":"/posts/office-online-apparently-only-supports-tls-1.0/","section":"Blog","summary":"Recently I had to configure a new NetScaler Citrix ADC for a new ShareFile Citrix Files deployment. Two Storage Zone Controllers load balanced via a Citrix ADC with a Content Switch. Nothing out of the ordinary. It was when I activated the Office Online functionality on the Storage Zone Controller configuration page that the error messages appeared. Each time we tried to open an Office document we got an error: “Sorry, there was a problem and we can’t open this document. If this happens again, try opening the document in Microsoft Word.” for Word documents and “We couldn’t find the file you wanted. It’s possible the file was renamed, moved or deleted.” for Excel documents. I followed all the necessary checks as described in a Citrix Files article. But everything turned out okay; it worked as expected. What could it be? As it turned out, the NetScaler SSL configuration was configured too high!? I always want that A+ on SSL Labs, the same with this setup. It was when I reverted the Content Switch to its default SSL parameters (TLS 1.0 and the default cipher suite) that Office Online started functioning. It could not retrieve the documents from the Storage Zone Controllers and thus it gave me these error messages. Luckily I had a separate Content Switch for internal and external traffic. 
I only had to lower the SSL settings on the internal Content Switch; this is the Content Switch the Office Online server was communicating with. So I hope Microsoft will add support for TLS 1.2 in Office Online (and give it some updates).\n","title":"Office Online apparently only supports TLS 1.0","type":"posts"},{"content":"","date":"September 20, 2018","externalUrl":null,"permalink":"/tags/sharefile/","section":"Tags","summary":"","title":"ShareFile","type":"tags"},{"content":"A while ago I wrote a blog about how to change the “domain\\user or username@domain.com” text in Citrix StoreFront. Now I’ve created a small PowerShell script that can do that for you.\nThe Script # The script can be found on Github\nChanging the text # With this script you can change the default text into something else or just empty it. If you run the script by default it will first create a backup if one does not already exist, then it clears the text (makes it empty). If you don’t specify the “-Store” parameter, a choice will be presented.\n.\\CtxClearSTFLoginText.ps1 -Store \"Store\"\nYou can specify the parameter “-InnerText <Custom Text>” with your own text, for example “test”:\n.\\CtxClearSTFLoginText.ps1 -Store \"Store\" -InnerText \"test\" -RestartIIS\nThis will be the result after IIS is restarted: You can choose to let the script restart IIS by specifying the “-RestartIIS” parameter. If you want to do this manually, don’t specify this parameter.\nNOTE: Make sure to run this on all StoreFront servers!\nAs said before, the original files are backed up before any changes are made; the backup files will get the extension “.orig”. 
Restore the original files # If you want to restore the original files, execute the script with the following parameters (again the “-RestartIIS” parameter is optional)\n.\\CtxClearSTFLoginText.ps1 -Restore -RestartIIS ","date":"June 26, 2018","externalUrl":null,"permalink":"/posts/hide-or-change-domain-user-or-username@domain.com-text-in-storefront-part-2/","section":"Blog","summary":"A while ago I wrote a blog about how to change the “domain\\user or username@domain.com” text in Citrix StoreFront. Now I’ve created a small PowerShell script that can do that for you.\n","title":"Hide or change \"domain user or username@domain.com\" text in Storefront, part 2","type":"posts"},{"content":"","date":"June 26, 2018","externalUrl":null,"permalink":"/tags/storefront/","section":"Tags","summary":"","title":"StoreFront","type":"tags"},{"content":"","date":"June 26, 2018","externalUrl":null,"permalink":"/categories/storefront-3.x/","section":"Categories","summary":"","title":"StoreFront 3.x","type":"categories"},{"content":"When I started with C# in my spare time I needed a goal, something to build. I have several PowerShell scripts and wanted to add a GUI, and so CtxToolbox was born! So what to implement first? I started with the basics and worked up from there, and added the Drain functionality. The idea behind this functionality was born in a 24/7 hospital environment. At that time I was building a new XenDesktop 7.x infra for this customer. And when it went to production they needed a way to gradually get machines into maintenance mode to do maintenance without troubling the users. 
I created a PowerShell script where you could select the machine catalogs (we had a machine catalog per hypervisor host) and “drain” them into maintenance mode:\nput all unused machines in maintenance mode and shut them down\nleave the machines with users (active and disconnected sessions) on them intact\nwait a minute or so\nrecheck to repeat the process\nFor example an admin could start it in the evening before he went home, and the next morning all the machines on that particular host or hosts were put into maintenance mode and powered off, without harassing the users. And they could perform the planned maintenance. This is one of the modes (the default function) of CtxToolbox Drain. The other modes include:\ninclude disconnected sessions (the normal, default mode allows a disconnected user to resume the session and continue their work)\nforce all to power off (more like an emergency shutdown)\nsame as before, but give the user some time to log off and save their work by warning them.\nI will try to add some more functions later on but hey, I have to start somewhere, right? The current version is still in an early stage. By releasing it to the public I hope I can find some people who want to test it and give some feedback. In due time I will add some more functionality and also try to fix issues and make it more stable. If you find bugs or have feedback please fill in the feedback form. I still have much to learn and all input is welcome! Download CtxToolbox\n","date":"April 27, 2018","externalUrl":null,"permalink":"/posts/my-very-first-gui-tool-ctxtoolbox/","section":"Blog","summary":"When I started with C# in my spare time I needed a goal, something to build. I have several PowerShell scripts and wanted to add a GUI, and so CtxToolbox was born! So what to implement first? I started with the basics and worked up from there, and added the Drain functionality. The idea behind this functionality was born in a 24/7 hospital environment. 
At that time I was building a new XenDesktop 7.x infra for this customer. And when it went to production they needed a way to gradually get machines into maintenance mode to do maintenance without troubling the users. I created a PowerShell script where you could select the machine catalogs (we had a machine catalog per hypervisor host) and “drain” them into maintenance mode\n","title":"My very first GUI tool: CtxToolbox!","type":"posts"},{"content":"Please leave your feedback for CtxToolbox here\n","date":"April 26, 2018","externalUrl":null,"permalink":"/pages/2018-04-26-ctxtoolbox-feedback/","section":"Pages","summary":"Please leave your feedback for CtxToolbox here\n","title":"CtxToolbox - Feedback","type":"pages"},{"content":"","date":"April 26, 2018","externalUrl":null,"permalink":"/pages/","section":"Pages","summary":"","title":"Pages","type":"pages"},{"content":"A multi-purpose Toolbox for managing a Citrix environment.\nDownload #\nCtxToolbox Requirements # .Net Framework 4.5.2\nMake sure that version 4.5.2 or higher is installed from the .Net Framework\nSettings (First time use) # When you first start the application, you need to make a selection.\nLocal\nYou can use this mode when running CtxToolbox locally on a delivery controller\nRemote\nA remote (PowerShell) connection will be made to a delivery controller\nRequirements: service account with enough permissions to perform all the tasks. (at the moment Administrator role, more on this later)\nNote: For a remote connection more configuration might be required. Check this blog article.\nCloud\nYou can use this option to connect to the Citrix Cloud plane. 
Requirements: SDK installed (Download), name, API and secret code.\nNote: Passwords and API/secret will be stored safely and encrypted.\nIf you have made a selection, click the test button to verify the connection. You’ll receive a message box with the test result. Save the results when you’re done. The other settings that currently can be configured are:\nMaximum number of records\nTypically this does not need to be changed.\nMaximum number of concurrent power actions\nIf the tool shuts the machines down, how many power actions is this tool allowed to trigger (does not exceed the configured values)\nUser logoff message title\nYou can edit and save your own message title displayed in the session (if selected)\nUser logoff message\nYou can edit and save your own message displayed in the session (if selected)\nAdvanced Settings\nIf you enable this, a menu will become available under “Configuration” -> “Controller”\nConfiguration - Controller # If you have enabled the “Advanced Settings” setting you will be able to change some settings under “Configuration” -> “Controller”:\nTrustManagedAnonymousXmlServiceRequests\nTrustRequestSendToTheXmlServicePort\nLocalHostCacheEnabled\nConnectionLeasingEnabled\nIf one of the settings is disabled, this means the item is not available in your environment; this can be version related.\nDrain # The drain function has different options; each option determines how fast the machines will go into maintenance mode and how it will react and interact with a connected user. These are the options:\n**default** Nothing selected. (Also the slowest mode) All the machines in the selected catalogs will go into maintenance mode. But it will wait with a machine if it has an active or disconnected session; CtxToolbox will leave those alone. When a user logs off the machine will be put into maintenance. 
All the machines that are in maintenance mode will also be shut down.\ninclude disconnected sessions Same as the previous one; the only difference is that it will also include disconnected sessions while putting them in maintenance mode and shutting them down. Logged in (active) users will be left alone until they log off (or disconnect their session).\nforce all to power off (more like an emergency shutdown) It does not matter if a user has an active session; it will be put in maintenance and shut down like the rest of the machines. You’ll receive a message to verify your decision.\nSend message to the user first if still logged on Same as “force all to power off”, but the difference is that the user will be given a chance to save the settings and log off. Within 5 minutes about 10 messages will be sent to the user. This message can be customized.\nCancel active task # If for whatever reason you need to stop CtxToolbox from executing the current task, you can cancel it by clicking the Cancel Job progress in the bottom right.\nBugs, Issues and suggestions # The current version is still in an early stage. By releasing it to the public I hope I can find some people who want to test it and give some feedback. In due time I will add some more functionality and also try to fix issues and make it more stable. 
If you find bugs or have feedback please fill in the feedback form.\n","date":"April 26, 2018","externalUrl":null,"permalink":"/pages/2018-04-26-ctxtoolbox/","section":"Pages","summary":"A multi purpose Toolbox for managing a Citrix environment.\nDownload #\nCtxToolbox Requirements # .Net Framework 4.5.2 Make sure that version 4.5.2 or higher is installed from the .Net Framework Settings (First time use) # When you first start the application, you need to make a selection.\n","title":"CtxToolbox","type":"pages"},{"content":"In this article I will give a short description of how to make a remote PowerShell connection. I needed this for a job once: I tried to make a remote PowerShell connection from a non-domain-joined machine to a domain-joined server, and I needed to reconfigure the server first before a connection could be made. With the following code you can try and test the connection:\n$computer = \u0026#34;controller01.domain.local\u0026#34; $credential = get-credential Invoke-Command -ScriptBlock {get-host} -ComputerName $computer -Credential $credential At the popup enter the credentials. If you are lucky, a successful connection can be made, but in my case this wasn\u0026rsquo;t so. I got an error: the WinRM client refuses to send credentials to a host it cannot authenticate, and from a non-domain-joined client (no Kerberos) that means you must either use the HTTPS transport or add the server to the client\u0026rsquo;s TrustedHosts list. HTTPS is the better option, because the server certificate authenticates the server before your credentials are sent. You can create a secure remote connection by adding the -UseSSL option:\nInvoke-Command -ScriptBlock {get-host} -ComputerName $computer -Credential $credential -UseSSL But that alone is not enough, you also need to configure the server you are connecting to. You can configure the server to listen for HTTPS connections by running the following command.\nwinrm quickconfig -transport:https Before a secure connection can be set up, you need to have a certificate in the computer\u0026rsquo;s Personal certificate store with the Server Authentication purpose and a subject (or SAN) that matches the FQDN of your server. If you don\u0026rsquo;t have a (correct) certificate you will get an error. 
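Once the HTTPS listener is up, it pays to look at the certificate it actually presents before opening a session, so you know whether the -SkipCACheck / -SkipRevocationCheck switches discussed later in this post are really needed and, if so, why. The following is an added example (not code from the original post): it retrieves the listener certificate from the client side, checks the name and builds the chain with online revocation checking, and only returns a session option that skips those checks when you explicitly opt in. It assumes the WinRM HTTPS default port 5986 and an English-locale Windows client (the SAN parsing keys on the "DNS Name=" text).

```powershell
# Added example (not from the original post). Checks which certificate a WinRM HTTPS
# listener presents and whether this client can validate it, before any session is opened.
# Assumptions: port 5986 (WinRM HTTPS default) is reachable and the listener was already
# created with "winrm quickconfig -transport:https".

function Get-WinRmListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5986
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept anything during this handshake: we only want to *retrieve* the certificate.
        # Validation is done explicitly in Test-WinRmListenerCertificate.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-WinRmListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5986,
        # Explicit opt-in: only then is a session option that skips checks returned.
        [switch]$AllowInsecure
    )
    $cert = Get-WinRmListenerCertificate -ComputerName $ComputerName -Port $Port

    # Name check: the CN plus any DNS entries in the Subject Alternative Name extension.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is locale dependent; "DNS Name=" is the English form (assumption).
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $names -contains $ComputerName

    # Chain check with online revocation checking: exactly what -SkipCACheck and
    # -SkipRevocationCheck would switch off.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $option = if ($nameOk -and $chainOk) {
        New-PSSessionOption
    } elseif ($AllowInsecure) {
        Write-Warning "Server certificate for $ComputerName NOT validated ($status); skipping checks as requested."
        New-PSSessionOption -SkipCACheck -SkipRevocationCheck
    } else {
        $null
    }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        NameMatches   = $nameOk
        ChainValid    = $chainOk
        ChainStatus   = $status
        SessionOption = $option   # $null means: fix the trust first, do not connect
    }
}

# Usage: validate first, then connect only with the option the check produced.
$computer = 'controller01.domain.local'
$check    = Test-WinRmListenerCertificate -ComputerName $computer
$check | Format-List
if ($check.SessionOption) {
    $credential = Get-Credential
    Invoke-Command -ComputerName $computer -Credential $credential -UseSSL `
        -SessionOption $check.SessionOption -ScriptBlock { $env:COMPUTERNAME }
}
```

When ChainValid comes back false, ChainStatus tells you which fix is needed: UntrustedRoot means the issuing CA must be imported into the client's Trusted Root store, RevocationStatusUnknown or OfflineRevocation means the CRL is unreachable from the client. Either is a better fix than leaving the skip switches in a script, because with -SkipCACheck the client no longer authenticates the server at all and will hand its NTLM authentication to whoever answers on port 5986.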
If you have the certificate in place, run the following command again.\nwinrm quickconfig -transport:https Note: this is only the default configuration; additional security configuration may be required. Depending on the certificate used (for example one issued by an internal CA the non-domain-joined client does not trust, or one whose CRL the client cannot reach) you may have to add \u0026ldquo;-SkipRevocationCheck\u0026rdquo; and \u0026ldquo;-SkipCACheck\u0026rdquo; to make a successful connection. Be aware of what these switches do: they disable validation of the server certificate chain and of its revocation status, so the client no longer authenticates the server and anyone on the network path could present any certificate. Treat them as a troubleshooting step and fix the trust instead (import the issuing CA into the client\u0026rsquo;s Trusted Root store, make the CRL reachable) rather than leaving them in scripts.\n$computer = \u0026#34;controller01.domain.local\u0026#34; $credential = get-credential $sessionOption = New-PSSessionOption -SkipRevocationCheck -SkipCACheck Invoke-Command -ScriptBlock {get-host} -ComputerName $computer -Credential $credential -SessionOption $sessionOption -UseSSL And I had a successful connection. I hope that by sharing this I could help you too.\n","date":"April 26, 2018","externalUrl":null,"permalink":"/posts/making-a-remote-powershell-connection/","section":"Blog","summary":"In this article I will give a short description of how to make a remote PowerShell connection. I needed this for a job once: I tried to make a remote PowerShell connection from a non-domain-joined machine to a domain-joined server, and I needed to reconfigure the server first before a connection could be made. With the following code you can try and test the connection:\n","title":"Making a remote PowerShell connection","type":"posts"},{"content":"","date":"April 26, 2018","externalUrl":null,"permalink":"/tags/remote/","section":"Tags","summary":"","title":"Remote","type":"tags"},{"content":"The following was tested on 3.10+ versions, not sure if it works on older or 2.x versions.\nHide the default text # You can hide the default text \u0026ldquo;domain\\user or username@domain.com\u0026rdquo; in the StoreFront username field. This can be done by simply editing the \u0026ldquo;style.css\u0026rdquo; file in the \u0026ldquo;custom\u0026rdquo; folder. This file is located in \u0026ldquo;C:\\inetpub\\wwwroot\\Citrix\\\u0026lt;Store\u0026gt;Web\\custom\u0026rdquo;. 
Replace \u0026ldquo;\u0026lt;Store\u0026gt;\u0026rdquo; with your own store name. You need to edit each store separately. Add the following to hide the text:\n/* Hide text username field */ .credentialform span.pseudo-input.show { visibility: hidden; } You can add the custom code at the end of the \u0026ldquo;style.css\u0026rdquo; file after \u0026ldquo;/* You may add custom styles below this line. */\u0026rdquo;. Make sure that when you are finished you replicate the changes to the other StoreFront server(s).\nChange the Default text # To change the text you can edit the language resource files located in \u0026ldquo;C:\\inetpub\\wwwroot\\Citrix\\\u0026lt;Store\u0026gt;Auth\\App_Data\\resources\\ExplicitFormsCommon.en.resx\u0026rdquo;. Depending on the language configured in the browser a corresponding file (ExplicitFormsCommon.\u0026lt;language\u0026gt;.resx) will be selected, so make sure you change all the files you or your users will use. Search for the text \u0026ldquo;\u0026lt;data name=\u0026ldquo;DomainUserAssistiveText\u0026rdquo; xml:space=\u0026ldquo;preserve\u0026rdquo;\u0026gt;\u0026rdquo; and change the text between \u0026ldquo;\u0026lt;value\u0026gt;TEXT\u0026lt;/value\u0026gt;\u0026rdquo;:\n\u0026lt;data name=\u0026#34;DomainUserAssistiveText\u0026#34; xml:space=\u0026#34;preserve\u0026#34;\u0026gt; \u0026lt;value\u0026gt;Your own custom text\u0026lt;/value\u0026gt; \u0026lt;/data\u0026gt; If the text is not directly visible, run an iisreset to force an update. Make sure that when you are finished you replicate the changes to the other StoreFront server(s).\n","date":"January 15, 2018","externalUrl":null,"permalink":"/posts/hide-or-change-domain-user-or-username@domain.com-text-in-storefront./","section":"Blog","summary":"The following was tested on 3.10+ versions, not sure if it works on older or 2.x versions.\nHide the default text # You can hide the default text “domain\\user or username@domain.com” in the StoreFront username field. 
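Both customisations from this post, applied with a script so the change is repeatable on every StoreFront server and across every language file, as an added example (not code from the original post). It edits the .resx files through the XML API instead of a text search, so the value is escaped correctly and the rest of the file is untouched, and it only appends the CSS rule if it is not already there. The default install path C:\inetpub\wwwroot\Citrix and the store name "Store" are assumptions; pass your own.

```powershell
# Added example (not from the original post). Applies the two StoreFront customisations
# to one store with proper XML handling and is safe to re-run.
# Assumptions: default install path C:\inetpub\wwwroot\Citrix and a store named "Store".

function Set-StoreFrontAssistiveText {
    param(
        [Parameter(Mandatory)][string]$StoreName,
        [Parameter(Mandatory)][string]$Text,
        [string]$WebRoot = 'C:\inetpub\wwwroot\Citrix'
    )
    # ExplicitFormsCommon.resx is the fallback; every ExplicitFormsCommon.<lang>.resx beside
    # it is a browser language a user may get, so all of them are updated.
    $resDir = Join-Path $WebRoot "$($StoreName)Auth\App_Data\resources"
    Get-ChildItem -Path $resDir -Filter 'ExplicitFormsCommon*.resx' | ForEach-Object {
        $xml = New-Object System.Xml.XmlDocument
        $xml.PreserveWhitespace = $true
        $xml.Load($_.FullName)
        $value = $xml.SelectSingleNode("/root/data[@name='DomainUserAssistiveText']/value")
        if ($null -eq $value) {
            Write-Warning "$($_.Name): no DomainUserAssistiveText entry, skipped"
            return
        }
        Copy-Item -Path $_.FullName -Destination "$($_.FullName).bak" -Force   # keep a backup
        $value.InnerText = $Text          # InnerText XML-escapes <, > and & for us
        $xml.Save($_.FullName)
        [pscustomobject]@{ File = $_.Name; NewValue = $value.InnerText }
    }
}

function Hide-StoreFrontAssistiveText {
    param(
        [Parameter(Mandatory)][string]$StoreName,
        [string]$WebRoot = 'C:\inetpub\wwwroot\Citrix'
    )
    $css  = Join-Path $WebRoot "$($StoreName)Web\custom\style.css"
    $rule = "/* Hide text username field */`r`n.credentialform span.pseudo-input.show { visibility: hidden; }"
    $current = Get-Content -Path $css -Raw
    if ($current -match [regex]::Escape('span.pseudo-input.show')) {
        return "$css already contains the rule"
    }
    # Appending keeps the rule below the "You may add custom styles below this line." marker.
    Add-Content -Path $css -Value "`r`n$rule`r`n"
    "$css updated"
}

# Usage, on each StoreFront server (the post's reminder to replicate still applies).
# Pick one: either change the text ...
Set-StoreFrontAssistiveText -StoreName 'Store' -Text 'Your own custom text'
# ... or hide it.
# Hide-StoreFrontAssistiveText -StoreName 'Store'
iisreset
```

Run it under an account with write access to the store folders; the .bak copies let you roll back a language file if the new text renders wrongly.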
This can be done by simply editing the “style.css” file in the “custom” folder. This file is located in “C:\\inetpub\\wwwroot\\Citrix\\\u003cStore\u003eWeb\\custom”. Replace “\u003cStore\u003e” with your own store name. You need to edit each store separately. Add the following to hide the text:\n","title":"Hide or change \"domain user or username@domain.com\" text in Storefront.","type":"posts"},{"content":"Do you find my posts helpful? Consider a small donation: PayPal\n","date":"April 16, 2017","externalUrl":null,"permalink":"/pages/2017-04-16-donate/","section":"Pages","summary":"Do you find my posts helpful? Consider a small donation: PayPal\n","title":"Donate","type":"pages"},{"content":"","date":"April 6, 2017","externalUrl":null,"permalink":"/tags/certificates/","section":"Tags","summary":"","title":"Certificates","type":"tags"},{"content":"For a while now it\u0026rsquo;s possible to use Let\u0026rsquo;s Encrypt certificates: they are trusted (cross-signed), secure and, most of all, FREE! There are already a lot of tools available to generate these certificates, but I hadn\u0026rsquo;t come across a tool or script that generates them and uploads them to a Citrix NetScaler. So I thought, why not build it myself. I already tried it in a previous attempt, but I wanted more automation and thus I created this version. To learn more about Let\u0026rsquo;s Encrypt, check how it works. What my script does, in very basic steps (say you want a certificate for www.domain.com): ask LE (Let\u0026rsquo;s Encrypt) to validate \u0026ldquo;www.domain.com\u0026rdquo; (1). LE returns data (2), among it:\nURL to check: \u0026ldquo;http://www.domain.com/.well-known/acme-challenge/34sS6lKqRtmEH6nccSVNF8ifykpA12eVhHz0yvheY0o\u0026rdquo; Answer string: \u0026ldquo;34sS6lKqRtmEH6nccSVNF8ifykpA12eVhHz0yvheY0o.3-40nFYEAf5ItpgZuuISW1hg4fNm-vVW3T0R2mdzNkU\u0026rdquo;. This returned data will later be used to validate the requested domain. 
LE will (when you have everything in place) check the URL and expects to find the provided answer. Passing this check proves that you control the web endpoint for the requested hostname, which is what the CA requires before it issues. With the received data we need to configure the Citrix NetScaler (3); for this we will use a responder policy. The policy will contain an expression:\nHTTP.REQ.URL.CONTAINS(\u0026#34;well-known/acme-challenge/34sS6lKqRtmEH6nccSVNF8ifykpA12eVhHz0yvheY0o\u0026#34;) and the response (if this policy is true) will be:\n\u0026#34;HTTP/1.0 200 OK\\r\\n\\r\\n34sS6lKqRtmEH6nccSVNF8ifykpA12eVhHz0yvheY0o.3-40nFYEAf5ItpgZuuISW1hg4fNm-vVW3T0R2mdzNkU\u0026#34; With this in place we can let LE check the validation (4) \u0026amp; (5) and if all goes well we\u0026rsquo;ll get a response: \u0026ldquo;valid\u0026rdquo;. With a valid response we can retrieve the certificate and upload it to the NetScaler!\nNOTE: You cannot create a wildcard certificate with the current version of my script (Let\u0026rsquo;s Encrypt only issues wildcards via the DNS-01 challenge, while this script uses the HTTP-01 challenge described above), but you can create a SAN certificate. All you need to do is validate each hostname through the previously explained steps. (SAN certificates are better / more secure than wildcards in my opinion.)\nTo achieve this a NetScaler Content Switch is used. A requirement for this is that each DNS hostname that needs to be validated must resolve to the same public IP address, and that IP address must point to the NetScaler Content Switch, for example via NAT. The above story visualized: Certificates are (currently) valid for a period of 90 days. After this period the certificate needs to be renewed, and all the steps described above must be taken again. That\u0026rsquo;s why I created an automated way to create the certificate. You can schedule it, for example, to run every 85 days or so. I hope to add some improvements later on.\nNOTE: You should use the staging environment for testing, before using the production environment. 
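What the responder policy above actually has to serve, as an added example that is not part of GenLeCertForNS.ps1 (there ACMESharp computes this internally): the answer string is the ACME key authorization from RFC 8555, the challenge token joined with a "." to the RFC 7638 SHA-256 thumbprint of the ACME account key (the thumbprint is what makes the response unforgeable by anyone who merely sees the token). The functions below compute it for an RSA account key, produce the responder rule and target strings in the form shown in the post, and fetch the challenge URL over plain HTTP so you can confirm the NetScaler answers correctly before Let's Encrypt is asked to validate (step 4). The hostname and token are constructed sample values, and the RSA key is a throwaway generated on the spot.

```powershell
# Added example; not from GenLeCertForNS.ps1 (ACMESharp does this internally there).
# Builds the HTTP-01 key authorization (RFC 8555 section 8.1, RFC 7638) for an RSA account
# key, the responder rule/target strings the post configures, and a pre-flight fetch.
# Assumptions: the hostname and token below are constructed samples, not real LE values.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwkThumbprint {
    # RFC 7638: SHA-256 over the required JWK members in lexicographic order, no whitespace.
    param([Parameter(Mandatory)][System.Security.Cryptography.RSA]$Rsa)
    $p   = $Rsa.ExportParameters($false)
    $jwk = '{"e":"' + (ConvertTo-Base64Url $p.Exponent) +
           '","kty":"RSA","n":"' + (ConvertTo-Base64Url $p.Modulus) + '"}'
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ConvertTo-Base64Url $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($jwk))
}

function New-Http01Challenge {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$AccountKey
    )
    $keyAuth = '{0}.{1}' -f $Token, (Get-JwkThumbprint -Rsa $AccountKey)
    [pscustomobject]@{
        Url              = "http://$Hostname/.well-known/acme-challenge/$Token"
        KeyAuthorization = $keyAuth
        # Same shape as the responder policy rule and respondwith target shown in the post.
        # Single quotes keep \r\n literal; the NetScaler interprets them in its expression.
        ResponderRule    = 'HTTP.REQ.URL.CONTAINS("well-known/acme-challenge/{0}")' -f $Token
        ResponderTarget  = '"HTTP/1.0 200 OK\r\n\r\n{0}"' -f $keyAuth
    }
}

function Test-Http01Challenge {
    # Fetch the URL the way the CA will: plain HTTP on port 80, no redirects followed here,
    # and compare the body with the expected key authorization.
    param([Parameter(Mandatory)]$Challenge)
    try {
        $resp = Invoke-WebRequest -Uri $Challenge.Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        # The responder sends no Content-Type, so Content may come back as raw bytes.
        $body = if ($resp.Content -is [byte[]]) {
            [System.Text.Encoding]::ASCII.GetString($resp.Content)
        } else {
            [string]$resp.Content
        }
        [pscustomobject]@{
            Url        = $Challenge.Url
            StatusCode = $resp.StatusCode
            Match      = ($body.Trim() -eq $Challenge.KeyAuthorization)
            Error      = $null
        }
    } catch {
        [pscustomobject]@{ Url = $Challenge.Url; StatusCode = $null; Match = $false; Error = $_.Exception.Message }
    }
}

# Constructed sample: a throwaway 2048-bit RSA account key and a made-up token.
$accountKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$challenge  = New-Http01Challenge -Hostname 'www.domain.com' -Token 'sample-token-not-issued-by-LE' -AccountKey $accountKey
$challenge | Format-List
# Once the responder action/policy are bound to the Content Switch, verify before asking LE:
# Test-Http01Challenge -Challenge $challenge
```

If Match comes back false, look at whether the Content Switch on port 80 actually receives the request (the NAT and the shared public IP the post describes) before touching the responder policy; a redirect to HTTPS from another policy on the same vServer is a common reason the pre-flight fails with a 301/302 instead of the body.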
Using the staging environment first lets you get things right before issuing trusted certificates and reduces the chance of hitting the rate limits.\nThere are rate limits in place, which is why a \u0026ldquo;staging\u0026rdquo; (test) environment is available. Use it to make sure the whole cycle completes before you switch to the production server for the \u0026ldquo;real\u0026rdquo; (trusted) certificates. Staging certificates are not publicly trusted. Some rate limits to take into consideration (at the time of writing):\nCertificates per Registered Domain: 20 per week\nNames per Certificate: 100\nDuplicate Certificates: 5 per week\nMore info about rate limits can be found here. But enough about LE, here are the parameters you need to run this script:\n(Table removed during migration — content was stored in a WordPress plugin database.)\n* Use the -NSCredential parameter OR -NSUsername \u0026amp; -NSPassword. For anything scheduled, prefer -NSCredential (or a SecureString for -NSPassword): a plaintext -NSPassword on the command line ends up in the PowerShell history and in process command-line logging. ** Use the -Production switch only after a successful staging run of the script, so you don\u0026rsquo;t hit the limits of the production servers. For example, to generate a (production) certificate for hostname \u0026ldquo;domain.com\u0026rdquo; with the alternate names \u0026ldquo;sts.domain.com, www.domain.com, vpn.domain.com\u0026rdquo;, using the email address \u0026ldquo;hostmaster@domain.com\u0026rdquo;, storing the certificates in \u0026ldquo;C:\\Certificates\u0026rdquo; and uploading them to the NetScaler. 
The local ACMESharp vault is also re-initialised (-CleanVault), and the Content Switch \u0026ldquo;cs_domain.com_http\u0026rdquo; is used to validate the hostnames:\n.\\GenLeCertForNS.ps1 -CN \u0026#34;domain.com\u0026#34; ` -EmailAddress \u0026#34;hostmaster@domain.com\u0026#34; ` -SAN \u0026#34;sts.domain.com\u0026#34;,\u0026#34;www.domain.com\u0026#34;,\u0026#34;vpn.domain.com\u0026#34; ` -PfxPassword \u0026#34;P@ssw0rd\u0026#34; ` -CertDir \u0026#34;C:\\Certificates\u0026#34; ` -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; ` -NSCsVipName \u0026#34;cs_domain.com_http\u0026#34; ` -NSPassword \u0026#34;P@ssw0rd\u0026#34; ` -NSUserName \u0026#34;nsroot\u0026#34; ` -NSCertNameToUpdate \u0026#34;san_domain_com\u0026#34; ` -Production ` -CleanVault ` -Verbose If something went wrong during a previous attempt to generate new certificates, the configuration left behind on the NetScaler can be removed with, for example, the following command:\n.\\GenLeCertForNS.ps1 -CleanNS ` -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; ` -NSCsVipName \u0026#34;cs_domain.com_http\u0026#34; ` -NSPassword \u0026#34;P@ssw0rd\u0026#34; ` -NSUserName \u0026#34;nsroot\u0026#34; ` -Verbose Note that both examples use an http:// management URL; the NITRO login then sends the nsroot password in cleartext, so use https:// (with a management certificate the client trusts) unless the management network is fully isolated. And the PowerShell script (GenLeCertForNS.ps1), which you can also find on GitHub: https://github.com/j81blog/GenLeCertForNS\n\u0026lt;# .SYNOPSIS Create a new or update an existing Let\u0026#39;s Encrypt certificate for one or more domains and add it to a store then update the SSL bindings for a NetScaler .DESCRIPTION The script will use ACMESharp to create a new or update an existing certificate for one or more domains. If generated successfully the script will add the certificate to the NetScaler and update the SSL binding for a web site. This script is for use with a Citrix NetScaler (v11.x and up). The script will validate the dns records provided. For example, the domain(s) listed must be configured with the same IP Address that is configured (via NAT) to a Content Switch. 
.PARAMETER Help Display the detailed information about this script .PARAMETER CleanNS Cleanup the NetScaler configuration made within this script, for when somewhere it gone wrong .PARAMETER RemoveTestCertificates Tries to remove all the Test certificates signed by the \u0026#34;Fake LE Intermediate X1\u0026#34; staging intermediate .PARAMETER NSManagementURL Management URL, used to connect to the NetScaler .PARAMETER NSUserName NetScaler username with enough access to configure it .PARAMETER NSPassword NetScaler username password .PARAMETER NSCredential Use a PSCredential object instead of a username or password. Use \u0026#34;Get-Credential\u0026#34; to generate a credential object C:\\PS\u0026gt; $Credential = Get-Credential .PARAMETER NSCsVipName Name of the HTTP NetScaler Content Switch used for the domain validation .PARAMETER NSCsVipBinding NetScaler Content Switch binding used for the validation .PARAMETER NSSvcName NetScaler Load Balance service name .PARAMETER NSSvcDestination IP Address used for the NetScaler Service (leave default 1.2.3.4), only change when already used .PARAMETER NSLbName NetScaler Load Balance VIP name .PARAMETER NSRspName NetScaler Responder Policy name .PARAMETER NSRsaName NetScaler Responder Action name .PARAMETER NSCspName NetScaler Content Switch Policy name .PARAMETER NSCertNameToUpdate NetScaler SSL Certkey name currently in use, that needs to be renewd .PARAMETER CertDir Directory where to store the certificates .PARAMETER PfxPassword Password for the PFX certificate, generated at the end .PARAMETER EmailAddress The email address used to request the certificates and receive a notification when the certificates (almost) expires .PARAMETER cn (Common Name) The Primary (first) dns record for the certificaten .PARAMETER san (Subject Alternate Name) every following domain listed in this certificate. sepatated via an comma , and between quotes \u0026#34;\u0026#34;. 
E.g.: \u0026#34;sts.domain.com\u0026#34;,\u0026#34;www.domain.com\u0026#34;,\u0026#34;vpn.domain.com\u0026#34; .PARAMETER Production Use the production Let\u0026#39;s encryt server .PARAMETER DisableIPCheck If you want to skip the IP Address verification, specify this parameter .PARAMETER CleanVault Force initialization of the vault before use .PARAMETER SaveNSConfig Save the NetScaler config after all the changes. .PARAMETER ns10x When using v10x, some nitro functions will not work propperly, run the script with this parameter. .EXAMPLE .\\GenLeCertForNS.ps1 -CN \u0026#34;domain.com\u0026#34; -EmailAddress \u0026#34;hostmaster@domain.com\u0026#34; -SAN \u0026#34;sts.domain.com\u0026#34;,\u0026#34;www.domain.com\u0026#34;,\u0026#34;vpn.domain.com\u0026#34; -PfxPassword \u0026#34;P@ssw0rd\u0026#34; -CertDir \u0026#34;C:\\Certificates\u0026#34; -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; -NSCsVipName \u0026#34;cs_domain.com_http\u0026#34; -NSPassword \u0026#34;P@ssw0rd\u0026#34; -NSUserName \u0026#34;nsroot\u0026#34; -NSCertNameToUpdate \u0026#34;san_domain_com\u0026#34; -Production -CleanVault -Verbose Generate a (Production)certificate for hostname \u0026#34;domain.com\u0026#34; with alternate names : \u0026#34;sts.domain.com, www.domain.com, vpn.domain.com\u0026#34;. Using the emailaddress \u0026#34;hostmaster@domain.com\u0026#34;. At the end storing the certificates in \u0026#34;C:\\Certificates\u0026#34; and uploading them to the NetScaler. Also Cleaning the vault on the NetScaler the content Switch \u0026#34;cs_domain.com_http\u0026#34; will be used to validate the certificates. 
.EXAMPLE .\\GenLeCertForNS.ps1 -CleanNS -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; -NSCsVipName \u0026#34;cs_domain.com_http\u0026#34; -NSPassword \u0026#34;P@ssw0rd\u0026#34; -NSUserName \u0026#34;nsroot\u0026#34; -Verbose Cleaning left over configuration from this schript when something went wrong during a previous attempt to generate new certificates and generating Verbose output. .EXAMPLE .\\GenLeCertForNS.ps1 -RemoveTestCertificates -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; -NSPassword \u0026#34;P@ssw0rd\u0026#34; -NSUserName \u0026#34;nsroot\u0026#34; -Verbose Removing ALL the test certificates from your NetScaler. .NOTES File Name : GenLeCertForNS.ps1 Version : v0.9.4 Author : John Billekens Requires : PowerShell v3 and up NetScaler 11.x and up Run As Administrator ACMESharp 0.9.1.326 (can be installed via this script) .LINK https://blog.j81.nl #\u0026gt; [cmdletbinding(DefaultParametersetName=\u0026#34;ConfigNetScaler\u0026#34;)] param( [Parameter(ParameterSetName=\u0026#34;Help\u0026#34;,Mandatory=$false)] [alias(\u0026#34;h\u0026#34;)] [switch]$Help, [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$true)] [switch]$CleanNS, [Parameter(ParameterSetName=\u0026#34;CleanTestCertificate\u0026#34;,Mandatory=$false)] [alias(\u0026#34;RemTestCert\u0026#34;)] [switch]$RemoveTestCertificates, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$true)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$true)] [Parameter(ParameterSetName=\u0026#34;CleanTestCertificate\u0026#34;,Mandatory=$true)] [ValidateNotNullOrEmpty()] [alias(\u0026#34;URL\u0026#34;)] [string]$NSManagementURL, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanTestCertificate\u0026#34;,Mandatory=$false)] [alias(\u0026#34;User\u0026#34;, 
\u0026#34;Username\u0026#34;)] [string]$NSUserName, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanTestCertificate\u0026#34;,Mandatory=$false)] [ValidateScript({ if ($_ -is [SecureString]) { return $true } elseif ($_ -is [string]) { $Script:NSPassword=ConvertTo-SecureString -String $_ -AsPlainText -Force return $true } else { Write-Error \u0026#34;You passed an unexpected object type for the credential (-NSPassword)\u0026#34; } })] [alias(\u0026#34;Password\u0026#34;)][object]$NSPassword, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanTestCertificate\u0026#34;,Mandatory=$false)] [ValidateScript({ if ($_ -is [System.Management.Automation.PSCredential]) { return $true } elseif ($_ -is [string]) { $Script:Credential=Get-Credential -Credential $_ return $true } else { Write-Error \u0026#34;You passed an unexpected object type for the credential (-NSCredential)\u0026#34; } })][alias(\u0026#34;Credential\u0026#34;)] [object]$NSCredential, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$true)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$NSCsVipName, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSCsVipBinding = 11, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSSvcName = \u0026#34;svc_letsencrypt_cert_dummy\u0026#34;, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] 
[Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSSvcDestination = \u0026#34;1.2.3.4\u0026#34;, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSLbName = \u0026#34;lb_letsencrypt_cert\u0026#34;, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSRspName = \u0026#34;rsp_letsencrypt\u0026#34;, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSRsaName = \u0026#34;rsa_letsencrypt\u0026#34;, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [string]$NSCspName = \u0026#34;csp_NSCertCsp\u0026#34;, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [string]$NSCertNameToUpdate, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$CertDir, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [ValidateScript({ if (([string]::IsNullOrEmpty($_))) { $Script:PfxPassword=$null return $true } elseif ($_ -is [SecureString]) { return $true } elseif ($_ -is [string]) { $Script:PfxPassword=ConvertTo-SecureString -String $_ -AsPlainText -Force return $true } else { Write-Error \u0026#34;You passed an unexpected object type for the credential (-PfxPassword)\u0026#34; } })][object]$PfxPassword = $null, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$CN, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$true)] [string]$EmailAddress, 
[Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [string[]]$SAN=@(), [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [switch]$Production, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [switch]$DisableIPCheck, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [switch]$CleanVault, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [switch]$SaveNSConfig, [Parameter(ParameterSetName=\u0026#34;ConfigNetScaler\u0026#34;,Mandatory=$false)] [Parameter(ParameterSetName=\u0026#34;CleanNetScaler\u0026#34;,Mandatory=$false)] [switch]$ns10x ) #requires -version 3.0 #requires -runasadministrator $ScriptVersion = \u0026#34;v0.9.3\u0026#34; #region Functions function InvokeNSRestApi { [CmdletBinding()] param ( [Parameter(Mandatory=$true)] [PSObject]$Session, [Parameter(Mandatory=$true)] [ValidateSet(\u0026#39;DELETE\u0026#39;, \u0026#39;GET\u0026#39;, \u0026#39;POST\u0026#39;, \u0026#39;PUT\u0026#39;)] [string]$Method, [Parameter(Mandatory=$true)] [string]$Type, [string]$Resource, [string]$Action, [hashtable]$Arguments = @{}, [switch]$Stat = $false, [ValidateScript({$Method -eq \u0026#39;GET\u0026#39;})] [hashtable]$Filters = @{}, [ValidateScript({$Method -ne \u0026#39;GET\u0026#39;})] [hashtable]$Payload = @{}, [switch]$GetWarning = $false, [ValidateSet(\u0026#39;EXIT\u0026#39;, \u0026#39;CONTINUE\u0026#39;, \u0026#39;ROLLBACK\u0026#39;)] [string]$OnErrorAction = \u0026#39;EXIT\u0026#39; ) # https://github.com/devblackops/NetScaler if ([string]::IsNullOrEmpty($($Session.ManagementURL))) { throw \u0026#34;ERROR. 
Probably not logged into the NetScaler\u0026#34; } if ($Stat) { $uri = \u0026#34;$($Session.ManagementURL)/nitro/v1/stat/$Type\u0026#34; } else { $uri = \u0026#34;$($Session.ManagementURL)/nitro/v1/config/$Type\u0026#34; } if (-not ([string]::IsNullOrEmpty($Resource))) { $uri += \u0026#34;/$Resource\u0026#34; } if ($Method -ne \u0026#39;GET\u0026#39;) { if (-not ([string]::IsNullOrEmpty($Action))) { $uri += \u0026#34;?action=$Action\u0026#34; } if ($Arguments.Count -gt 0) { $queryPresent = $true if ($uri -like \u0026#39;*?action*\u0026#39;) { $uri += \u0026#39;\u0026amp;args=\u0026#39; } else { $uri += \u0026#39;?args=\u0026#39; } $argsList = @() foreach ($arg in $Arguments.GetEnumerator()) { $argsList += \u0026#34;$($arg.Name):$([System.Uri]::EscapeDataString($arg.Value))\u0026#34; } $uri += $argsList -join \u0026#39;,\u0026#39; } } else { $queryPresent = $false if ($Arguments.Count -gt 0) { $queryPresent = $true $uri += \u0026#39;?args=\u0026#39; $argsList = @() foreach ($arg in $Arguments.GetEnumerator()) { $argsList += \u0026#34;$($arg.Name):$([System.Uri]::EscapeDataString($arg.Value))\u0026#34; } $uri += $argsList -join \u0026#39;,\u0026#39; } if ($Filters.Count -gt 0) { $uri += if ($queryPresent) { \u0026#39;\u0026amp;filter=\u0026#39; } else { \u0026#39;?filter=\u0026#39; } $filterList = @() foreach ($filter in $Filters.GetEnumerator()) { $filterList += \u0026#34;$($filter.Name):$([System.Uri]::EscapeDataString($filter.Value))\u0026#34; } $uri += $filterList -join \u0026#39;,\u0026#39; } } Write-Verbose -Message \u0026#34;URI: $uri\u0026#34; $jsonPayload = $null if ($Method -ne \u0026#39;GET\u0026#39;) { $warning = if ($GetWarning) { \u0026#39;YES\u0026#39; } else { \u0026#39;NO\u0026#39; } $hashtablePayload = @{} $hashtablePayload.\u0026#39;params\u0026#39; = @{\u0026#39;warning\u0026#39; = $warning; \u0026#39;onerror\u0026#39; = $OnErrorAction; \u0026lt;#\u0026#34;action\u0026#34;=$Action#\u0026gt;} $hashtablePayload.$Type = $Payload $jsonPayload = 
ConvertTo-Json -InputObject $hashtablePayload -Depth 100 Write-Verbose -Message \u0026#34;JSON Payload:`n$jsonPayload\u0026#34; } $response = $null $restError = $null try { $restError = @() $restParams = @{ Uri = $uri ContentType = \u0026#39;application/json\u0026#39; Method = $Method WebSession = $Session.WebSession ErrorVariable = \u0026#39;restError\u0026#39; Verbose = $false } if ($Method -ne \u0026#39;GET\u0026#39;) { $restParams.Add(\u0026#39;Body\u0026#39;, $jsonPayload) } $response = Invoke-RestMethod @restParams if ($response) { if ($response.severity -eq \u0026#39;ERROR\u0026#39;) { throw \u0026#34;Error. See response: `n$($response | Format-List -Property * | Out-String)\u0026#34; } else { Write-Verbose -Message \u0026#34;Response:`n$(ConvertTo-Json -InputObject $response | Out-String)\u0026#34; if ($Method -eq \u0026#34;GET\u0026#34;) { return $response } } } } catch [Exception] { if ($Type -eq \u0026#39;reboot\u0026#39; -and $restError[0].Message -eq \u0026#39;The underlying connection was closed: The connection was closed unexpectedly.\u0026#39;) { Write-Verbose -Message \u0026#39;Connection closed due to reboot\u0026#39; } else { throw $_ } } } function Connect-NetScaler { [cmdletbinding()] param( [parameter(Mandatory)] [string]$ManagementURL, [parameter(Mandatory)] [pscredential]$Credential = (Get-Credential -Message \u0026#39;NetScaler credential\u0026#39;), [int]$Timeout = 3600, [switch]$PassThru ) # https://github.com/devblackops/NetScaler Write-Verbose -Message \u0026#34;Connecting to $ManagementURL...\u0026#34; try { if ($script:ns10x) { $login = @{ login = @{ username = $Credential.UserName; password = $Credential.GetNetworkCredential().Password } } } else { $login = @{ login = @{ username = $Credential.UserName; password = $Credential.GetNetworkCredential().Password timeout = $Timeout } } } $loginJson = ConvertTo-Json -InputObject $login Write-Verbose \u0026#34;JSON Data:`n$($loginJson | Out-String)\u0026#34; $saveSession = @{} $params = @{ 
Uri = \u0026#34;$ManagementURL/nitro/v1/config/login\u0026#34; Method = \u0026#39;POST\u0026#39; Body = $loginJson SessionVariable = \u0026#39;saveSession\u0026#39; ContentType = \u0026#39;application/json\u0026#39; ErrorVariable = \u0026#39;restError\u0026#39; Verbose = $false } $response = Invoke-RestMethod @params if ($response.severity -eq \u0026#39;ERROR\u0026#39;) { throw \u0026#34;Error. See response: `n$($response | Format-List -Property * | Out-String)\u0026#34; } else { Write-Verbose -Message \u0026#34;Response:`n$(ConvertTo-Json -InputObject $response | Out-String)\u0026#34; } } catch [Exception] { throw $_ } $session = [PSObject]@{ ManagementURL=[string]$ManagementURL; WebSession=[Microsoft.PowerShell.Commands.WebRequestSession]$saveSession; Username=$Credential.UserName; Version=\u0026#34;UNKNOWN\u0026#34;; } try { Write-Verbose -Message \u0026#34;Trying to retreive the NetScaler version\u0026#34; $params = @{ Uri = \u0026#34;$ManagementURL/nitro/v1/config/nsversion\u0026#34; Method = \u0026#39;GET\u0026#39; WebSession = $Session.WebSession ContentType = \u0026#39;application/json\u0026#39; ErrorVariable = \u0026#39;restError\u0026#39; Verbose = $false } $response = Invoke-RestMethod @params Write-Verbose -Message \u0026#34;Response:`n$(ConvertTo-Json -InputObject $response | Out-String)\u0026#34; $version = $response.nsversion.version.Split(\u0026#34;,\u0026#34;)[0] if (-not ([string]::IsNullOrWhiteSpace($version))) { $session.version = $version } } catch { Write-Verbose -Message \u0026#34;Error. 
See response: `n$($response | Format-List -Property * | Out-String)"
    }
    $Script:NSSession = $session
    if ($PassThru) {
        return $session
    }
}
#endregion Functions

#region Help
if ($Help) {
    Write-Verbose "Generating help for `"$ScriptFilename`""
    Get-Help "$ScriptFilename" -Full
    Exit(0)
}
#endregion Help

#region Script variables
Write-Verbose "Script version: $ScriptVersion"
if ($ns10x) {
    Write-Verbose "ns10x parameter used, some options are now disabled."
}
Write-Verbose "Setting session DATE/TIME variable"
[datetime]$ScriptDateTime = Get-Date
[string]$SessionDateTime = $ScriptDateTime.ToString("yyyyMMdd-HHmmss")
[string]$IdentifierDate = $ScriptDateTime.ToString("yyyyMMdd")
Write-Verbose "Session DATE/TIME variable value: `"$SessionDateTime`""
if (-not([string]::IsNullOrWhiteSpace($NSCredential))) {
    Write-Verbose "Using NSCredential"
} elseif ((-not([string]::IsNullOrWhiteSpace($NSUserName))) -and (-not([string]::IsNullOrWhiteSpace($NSPassword)))) {
    Write-Verbose "Using NSUsername / NSPassword"
    if (-not ($NSPassword -is [securestring])) {
        [securestring]$NSPassword = ConvertTo-SecureString -String $NSPassword -AsPlainText -Force
    }
    [pscredential]$NSCredential = New-Object System.Management.Automation.PSCredential ($NSUserName, $NSPassword)
} else {
    Write-Verbose "No valid username/password or credential specified. Enter a username and password, e.g. `"nsroot`""
    [pscredential]$NSCredential = Get-Credential -Message "NetScaler username and password:"
}
Write-Verbose "Starting new session"
if (-not ([string]::IsNullOrWhiteSpace($SAN))) {
    [string[]]$SAN = @($SAN.Split(","))
}
#endregion Script variables

#region Load Module
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Verbose "Load ACMESharp Modules"
    if (-not(Get-Module ACMESharp)) {
        try {
            $ACMEVersions = (get-Module -Name ACMESharp -ListAvailable).Version
            $ACMEUpdateRequired = $false
            ForEach ($ACMEVersion in $ACMEVersions) {
                if (($ACMEVersion.Minor -eq 9) -and ($ACMEVersion.Build -eq 1) -and (-not $ACMEUpdateRequired)) {
                    Write-Verbose "v0.9.1 of ACMESharp is installed, continuing"
                } else {
                    Write-Verbose "v0.9.1 of ACMESharp is NOT installed, update/downgrade required"
                    $ACMEUpdateRequired = $true
                }
            }
            if ($ACMEUpdateRequired) {
                Write-Verbose "Trying to update the ACMESharp modules"
                Install-Module -Name ACMESharp -Scope AllUsers -RequiredVersion 0.9.1 -Force -ErrorAction SilentlyContinue
            }
            Write-Verbose "Try loading module ACMESharp"
            Import-Module ACMESharp -ErrorAction Stop
        } catch [System.IO.FileNotFoundException] {
            Write-Verbose "Checking for PackageManagement"
            if ([string]::IsNullOrWhiteSpace($(Get-Module -ListAvailable -Name PackageManagement))) {
                Write-Warning "PackageManagement is not available please install this first or manually install ACMESharp"
                Write-Warning "Visit `"https://docs.microsoft.com/en-us/powershell/gallery/psget/get_psget_module`" to download Package Management"
                Write-Warning "ACMESharp: https://github.com/ebekker/ACMESharp"
                Start-Process "https://www.microsoft.com/en-us/download/details.aspx?id=49186"
                Exit (1)
            } else {
                try {
                    if (-not ((Get-PackageProvider -Name NuGet -ErrorAction SilentlyContinue).Version -ge [System.Version]"2.8.5.208")) {
                        Write-Verbose "Installing Nuget"
                        Get-PackageProvider -Name NuGet -Force -ErrorAction SilentlyContinue | Out-Null
                    }
                    $installationPolicy = (Get-PSRepository -Name PSGallery).InstallationPolicy
                    if (-not ($installationPolicy.ToLower() -eq "trusted")) {
                        Write-Verbose "Defining PSGallery PSRepository as trusted"
                        Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
                    }
                    Write-Verbose "Installing ACMESharp"
                    try {
                        Install-Module -Name ACMESharp -Scope AllUsers -RequiredVersion 0.9.1.326 -Force -AllowClobber
                    } catch {
                        Write-Verbose "Installing ACMESharp again but without the -AllowClobber option"
                        Install-Module -Name ACMESharp -Scope AllUsers -RequiredVersion 0.9.1.326 -Force
                    }
                    if (-not ((Get-PSRepository -Name PSGallery).InstallationPolicy -eq $installationPolicy)) {
                        Write-Verbose "Returning the PSGallery PSRepository InstallationPolicy to previous value"
                        Set-PSRepository -Name "PSGallery" -InstallationPolicy $installationPolicy | Out-Null
                    }
                    Write-Verbose "Try loading module ACMESharp"
                    Import-Module ACMESharp -ErrorAction Stop
                } catch {
                    Write-Verbose "Error Details: $($_.Exception.Message)"
                    Write-Error "Error while loading and/or installing module"
                    Write-Warning "PackageManagement is not available please install this first or manually install ACMESharp"
                    Write-Warning "Visit `"https://docs.microsoft.com/en-us/powershell/gallery/psget/get_psget_module`" to download Package Management"
                    Write-Warning "ACMESharp: https://github.com/ebekker/ACMESharp"
                    Start-Process "https://www.microsoft.com/en-us/download/details.aspx?id=49186"
                    Exit (1)
                }
            }
        }
    }
}
#endregion Load Module
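#region Added example: verify the served challenge before submitting it
# Added example, not part of the original script. The "Test NS CS" region further down only
# probes the "XXXX" placeholder; this helper checks that the responder action really serves
# the key authorization for the *real* token, so that Submit-ACMEChallenge is only called
# once the NetScaler answers correctly and no validation attempt is wasted at the CA.
# The function name and its parameters are assumptions; $Challenge.FilePath,
# $Challenge.FileContent, $DNSRecord and $DNSObject.IPAddress in the usage comment are the
# values the script itself obtains in the "DNS Check" region.
function Test-AcmeHttpChallengeResponse {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][string]$DnsName,          # host name being validated
        [Parameter(Mandatory = $true)][string]$FilePath,         # ".well-known/acme-challenge/<token>"
        [Parameter(Mandatory = $true)][string]$KeyAuthorization, # "<token>.<account key thumbprint>"
        [string]$IPAddress,                                      # public IP; when it parses as an IP, connect there and send $DnsName as Host header
        [int]$TimeoutSec = 5
    )
    # Connect to the public IP (what the CA sees) rather than to whatever internal DNS returns.
    # Markers such as "NoIPCheck" or "Skipped" do not parse as an IP and fall back to the name.
    $parsed = $null
    $useIP = (-not [string]::IsNullOrWhiteSpace($IPAddress)) -and [ipaddress]::TryParse($IPAddress, [ref]$parsed)
    $target = if ($useIP) { $IPAddress } else { $DnsName }
    $uri = "http://$target/$($FilePath.TrimStart('/'))"
    $result = [PSCustomObject]@{
        DnsName    = $DnsName
        Uri        = $uri
        StatusCode = $null
        Body       = $null
        Match      = $false
        Error      = $null
    }
    try {
        $response = Invoke-WebRequest -Uri $uri -Headers @{ "Host" = $DnsName } -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        $result.StatusCode = [int]$response.StatusCode
        # The responder action replies "HTTP/1.0 200 OK\r\n\r\n<content>" without further headers,
        # so the body is the raw content. Compare case-sensitively: the key authorization is base64url.
        $result.Body = ([string]$response.Content).Trim()
        $result.Match = ($result.StatusCode -eq 200) -and ($result.Body -ceq $KeyAuthorization)
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}
# Usage (assumed placement: in the "DNS Check" region, after the responder action and policy
# have been set for the real challenge and before Submit-ACMEChallenge is called):
#   $check = Test-AcmeHttpChallengeResponse -DnsName $DNSRecord -FilePath $Challenge.FilePath `
#       -KeyAuthorization $Challenge.FileContent -IPAddress $DNSObject.IPAddress
#   if (-not $check.Match) {
#       throw "Challenge for `"$DNSRecord`" is not served correctly:`n$($check | Format-List | Out-String)"
#   }
#endregion Added example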
#region NetScaler Check
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Verbose "Login to NetScaler and save session to global variable"
    Write-Host -ForeGroundColor White "`r`nNetScaler:"
    $NSSession = Connect-NetScaler -ManagementURL $NSManagementURL -Credential $NSCredential -PassThru
    Write-Host -ForeGroundColor White -NoNewLine "- URL: "
    Write-Host -ForeGroundColor Green "$NSManagementURL"
    Write-Host -ForeGroundColor White -NoNewLine "- Username: "
    Write-Host -ForeGroundColor Green "$($NSSession.Username)"
    Write-Host -ForeGroundColor White -NoNewLine "- Version: "
    Write-Host -ForeGroundColor Green "$($NSSession.Version)"
    try {
        Write-Verbose "Verifying Content Switch"
        $response = InvokeNSRestApi -Session $NSSession -Method GET -Type csvserver -Resource $NSCsVipName
    } catch {
        $ExcepMessage = $_.Exception.Message
        Write-Verbose "Error Details: $ExcepMessage"
    } finally {
        if (($response.errorcode -eq "0") -and `
            ($response.csvserver.type -eq "CONTENT") -and `
            ($response.csvserver.curstate -eq "UP") -and `
            ($response.csvserver.servicetype -eq "HTTP") -and `
            ($response.csvserver.port -eq "80") ) {
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch: "
            Write-Host -ForeGroundColor Green "`"$NSCsVipName`" -> Found"
            Write-Host -ForeGroundColor White -NoNewLine "- Connection: "
            Write-Host -ForeGroundColor Green "OK`r`n"
        } elseif ($ExcepMessage -like "*(404) Not Found*") {
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch: "
            Write-Host -ForeGroundColor Red "ERROR: The Content Switch `"$NSCsVipName`" does NOT exist!`r`n"
            Write-Host -ForeGroundColor White -NoNewLine "- Error message: "
            Write-Host -ForeGroundColor Red "`"$ExcepMessage`"`r`n"
            Write-Host -ForeGroundColor Yellow " IMPORTANT: Please make sure a HTTP Content Switch is available`r`n"
            Write-Host -ForeGroundColor White -NoNewLine "- Connection: "
            Write-Host -ForeGroundColor Red "FAILED!`r`n"
            Write-Host -ForeGroundColor Red " Exiting now`r`n"
            Exit (1)
        } elseif ($ExcepMessage -like "*The remote server returned an error*") {
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch: "
            Write-Host -ForeGroundColor Red "ERROR: Unknown error found while checking the Content Switch"
            Write-Host -ForeGroundColor White -NoNewLine "- Error message: "
            Write-Host -ForeGroundColor Red "`"$ExcepMessage`"`r`n"
            Write-Host -ForeGroundColor White -NoNewLine "- Connection: "
            Write-Host -ForeGroundColor Red "FAILED!`r`n"
            Write-Host -ForeGroundColor Red " Exiting now`r`n"
            Exit (1)
        } elseif (($response.errorcode -eq "0") -and (-not ($response.csvserver.servicetype -eq "HTTP"))) {
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch: "
            Write-Host -ForeGroundColor Red "ERROR: Content Switch is $($response.csvserver.servicetype) and NOT HTTP`r`n"
            if (-not ([string]::IsNullOrWhiteSpace($ExcepMessage))) {
                Write-Host -ForeGroundColor White -NoNewLine "- Error message: "
                Write-Host -ForeGroundColor Red "`"$ExcepMessage`"`r`n"
            }
            Write-Host -ForeGroundColor Yellow " IMPORTANT: Please use a HTTP (Port 80) Content Switch!`r`n This is required for the validation.`r`n"
            Write-Host -ForeGroundColor White -NoNewLine "- Connection: "
            Write-Host -ForeGroundColor Red "FAILED!`r`n"
            Write-Host -ForeGroundColor Red " Exiting now`r`n"
            Exit (1)
        } else {
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch: "
            Write-Host -ForeGroundColor Green "Found"
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch state: "
            if ($response.csvserver.curstate -eq "UP") {
                Write-Host -ForeGroundColor Green "UP"
            } else {
                Write-Host -ForeGroundColor RED "$($response.csvserver.curstate)"
            }
            Write-Host -ForeGroundColor White -NoNewLine "- Content Switch type: "
            if ($response.csvserver.type -eq "CONTENT") {
                Write-Host -ForeGroundColor Green "CONTENT"
            } else {
                Write-Host -ForeGroundColor RED "$($response.csvserver.type)"
            }
            if (-not ([string]::IsNullOrWhiteSpace($ExcepMessage))) {
                Write-Host -ForeGroundColor White -NoNewLine "`r`n- Error message: "
                Write-Host -ForeGroundColor Red "`"$ExcepMessage`"`r`n"
            }
            Write-Host -ForeGroundColor White -NoNewLine "- Data: "
            $response.csvserver | Format-List -Property * | Out-String
            Write-Host -ForeGroundColor White -NoNewLine "- Connection: "
            Write-Host -ForeGroundColor Red "FAILED!`r`n"
            Write-Host -ForeGroundColor Red " Exiting now`r`n"
            Exit (1)
        }
    }
}
#endregion NetScaler Check

#region Vault
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    if ($Production) {
        $VaultName = ":sys"
        $BaseService = "LetsEncrypt"
        Write-Verbose "Using the vault `"$VaultName`" for production certificates"
    } else {
        $VaultName = ":user"
        $BaseService = "LetsEncrypt-STAGING"
        Write-Verbose "Using the vault `"$VaultName`" for test/staging purposes"
    }
    try {
        Write-Verbose "Get ACMEVault `"$VaultName`""
        $VaultData = ACMESharp\Get-ACMEVault -VaultProfile $VaultName
    } catch {
        Write-Verbose "`"$VaultName`" Vault not available, initialize"
        $CleanVault = $true
    }
    if ($CleanVault) {
        Write-Verbose "Initializing Vault"
        ACMESharp\Initialize-ACMEVault -VaultProfile $VaultName -Force
        Write-Verbose "Finished initializing"
        $VaultData = ACMESharp\Get-ACMEVault -VaultProfile $VaultName
    }
    Write-Verbose "Configure vault `"$VaultName`" for `"$BaseService`""
    ACMESharp\Set-ACMEVault -VaultProfile $VaultName -BaseService $BaseService
}
#endregion Vault

#region Registration
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Host -NoNewLine -ForeGroundColor Yellow "`n`nIMPORTANT: "
    Write-Host -ForeGroundColor White "By running this script you agree with the terms specified by Let's Encrypt."
    try {
        Write-Verbose "Retrieve existing Registration"
        $Registration = ACMESharp\Get-ACMERegistration -VaultProfile $VaultName
        if ($Registration.Contacts -contains "mailto:$($EmailAddress)") {
            Write-Verbose "Existing registration found, no changes necessary"
        } else {
            Write-Verbose "Current registration `"$($Registration.Contacts)`" is not equal to `"$EmailAddress`", setting new registration"
            $Registration = ACMESharp\New-ACMERegistration -VaultProfile $VaultName -Contacts "mailto:$($EmailAddress)" -AcceptTos
        }
    } catch {
        Write-Verbose "Setting new registration to `"$EmailAddress`""
        $Registration = ACMESharp\New-ACMERegistration -VaultProfile $VaultName -Contacts "mailto:$($EmailAddress)" -AcceptTos
    }
    Write-Host -ForeGroundColor Yellow "`n`n`nTerms of Agreement:`n$($Registration.TosLinkUri)`n`n`n"
}
#endregion Registration

#region DNS
#region Primary DNS
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Verbose "Validating DNS record(s)"
    $DNSObjects = @()
    Write-Verbose "Checking `"$CN`""
    try {
        if ($DisableIPCheck) {
            Write-Warning "Skipping IP check, validation might fail"
            $PrimaryIP = "NoIPCheck"
        } else {
            $PublicDnsServer = "208.67.222.222"
            Write-Verbose "Using public DNS server (OpenDNS, 208.67.222.222) to verify dns records"
            Write-Verbose "Trying to get IP Address"
            $PrimaryIP = (Resolve-DnsName -Server $PublicDnsServer -Name $CN -DnsOnly -Type A -ErrorAction SilentlyContinue).IPAddress
            if ([string]::IsNullOrWhiteSpace($PrimaryIP)) {
                throw "ERROR: No valid entry found for DNSName:`"$CN`""
            }
            if ($PrimaryIP -is [system.array]) {
                Write-Warning "More than one ip address found`n$($PrimaryIP | Format-List | Out-String)"
                $PrimaryIP = $PrimaryIP[0]
                Write-Warning "using the first one`"$PrimaryIP`""
            }
        }
    } catch {
        Write-Verbose "Error Details: $($_.Exception.Message)"
        Write-Host -ForeGroundColor Red "`nError while retrieving IP Address,"
        Write-Host -ForeGroundColor Red "you can try to re-run the script with the -DisableIPCheck parameter.`n"
        throw "Error while retrieving IP Address, does not exist?"
    }
    $Identifier = $null
    $IdentifierAlias = $null
    try {
        Write-Verbose "Find pre-existing registration for `"$CN`""
        $IdentifierAlias = "DNS-$($CN)-$IdentifierDate"
        $Identifier = ACMESharp\Get-ACMEIdentifier -IdentifierRef $IdentifierAlias -VaultProfile $VaultName
    } catch {
        try {
            Write-Verbose "Registration does not exist, registering `"$CN`""
            $Identifier = ACMESharp\New-ACMEIdentifier -Dns $CN -Alias $IdentifierAlias -VaultProfile $VaultName
        } catch {
            Write-Verbose "Registration is invalid"
            $Identifier = [PSCustomObject]@{
                Status  = "invalid"
                Expires = $null
            }
        }
    }
    try {
        if ($Identifier.Uri) {
            Write-Verbose "Extracting data, checking validation"
            $response = Invoke-RestMethod -Uri $Identifier.Uri -Method Get
            #$result = $response | Select-Object status,expires
            if ((-not([string]::IsNullOrWhiteSpace($response.status))) -and (-not([string]::IsNullOrWhiteSpace($response.expires)))) {
                $httpIdentifier = ($response | Select-Object -expand Challenges | Where-Object {$_.type -eq "http-01"})
            }
        } else {
            Write-Verbose "No URI available to check..."
        }
    } catch {
        Write-Verbose "Something went wrong with the validation:`n$($response | Format-List | Out-String)"
    }
    Write-Verbose "Checking if current validation is still valid"
    if (($response.status -eq "valid") -and ($([datetime]$response.Expires - $(Get-Date)).TotalDays -gt 1)) {
        Write-Verbose "Registration for `"$CN`" is still valid"
        $Validation = $true
        Write-Verbose "Validation response:`n$($($response | Select-Object Identifier,Status,Expires) | Format-List | Out-String)"
    } else {
        Write-Verbose "Registration for `"$CN`" is NOT valid, validation required"
        $Validation = $false
        Write-Verbose "Validation response:`n$($($Identifier | Select-Object Identifier,Status,Expires) | Format-List | Out-String)"
    }
    Write-Verbose "Storing values for reference"
    $DNSObjects += [PSCustomObject]@{
        DNSName   = $CN
        IPAddress = $PrimaryIP
        Status    = $(if ([string]::IsNullOrWhiteSpace($PrimaryIP)) {$false} else {$true})
        Match     = $null
        SAN       = $false
        DNSValid  = $Validation
        Alias     = $IdentifierAlias
    }
    Write-Verbose "SAN Objects:`n$($DNSObjects | Format-List | Out-String)"
}
#endregion Primary DNS

#region SAN
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    $DNSRecord = $null
    Write-Verbose "Checking if SAN entries are available"
    if ([string]::IsNullOrWhiteSpace($SAN)) {
        Write-Verbose "No SAN entries found"
    } else {
        Write-Verbose "$($SAN.Count) found, checking each one"
        foreach ($DNSRecord in $SAN) {
            Write-Verbose "Start with SAN: `"$DNSRecord`""
            try {
                if ($DisableIPCheck) {
                    Write-Verbose "Skipping IP check"
                    $SANIP = "NoIPCheck"
                } else {
                    Write-Verbose "Start basic IP Check for `"$DNSRecord`", trying to get IP Address"
                    $SANIP = (Resolve-DnsName -Server $PublicDnsServer -Name $DNSRecord -DnsOnly -Type A -ErrorAction SilentlyContinue).IPAddress
                    if ($SANIP -is [system.array]) {
                        Write-Warning "More than one ip address found`n$($SANIP | Format-List | Out-String)"
                        $SANIP = $SANIP[0]
                        Write-Warning "using the first one`"$SANIP`""
                    }
                    Write-Verbose "Finished, Result: $SANIP"
                }
            } catch {
                Write-Verbose "Error Details: $($_.Exception.Message)"
                Write-Host -ForeGroundColor Red "`nError while retrieving IP Address,"
                Write-Host -ForeGroundColor Red "you can try to re-run the script with the -DisableIPCheck parameter."
                Write-Host -ForeGroundColor Red "The script will continue but `"$DNSRecord`" will be skipped`n"
                $SANIP = "Skipped"
            }
            if ([string]::IsNullOrWhiteSpace($SANIP)) {
                Write-Verbose "No valid entry found for DNSName:`"$DNSRecord`""
                $SANMatch = $false
                $SANStatus = $false
            } else {
                Write-Verbose "Valid entry found"
                $SANStatus = $true
                if ($SANIP -eq "NoIPCheck") {
                    Write-Verbose "IP address checking was disabled"
                    $SANMatch = $true
                } elseif ($SANIP -eq "Skipped") {
                    Write-Verbose "IP address checking failed, `"$DNSRecord`" will be skipped"
                    $SANMatch = $true
                } else {
                    Write-Verbose "All IP Addresses must match, checking"
                    # Exact comparison: -match would treat the dots in the IP address as regex wildcards
                    if ($SANIP -eq $($DNSObjects[0].IPAddress)) {
                        Write-Verbose "`"$SANIP ($DNSRecord)`" matches to `"$($DNSObjects[0].IPAddress) ($($DNSObjects[0].DNSName))`""
                        $SANMatch = $true
                    } else {
                        Write-Verbose "`"$SANIP`" ($DNSRecord) NOT matches to `"$($DNSObjects[0].IPAddress)`" ($($DNSObjects[0].DNSName))"
                        $SANMatch = $false
                    }
                }
            }
            if (-not($SANIP -eq "Skipped")) {
                $Identifier = $null
                $IdentifierAlias = $null
                try {
                    Write-Verbose "Find pre-existing registration for `"$DNSRecord`""
                    $IdentifierAlias = "DNS-$($DNSRecord)-$IdentifierDate"
                    $Identifier = ACMESharp\Get-ACMEIdentifier -IdentifierRef $IdentifierAlias -VaultProfile $VaultName
                } catch {
                    try {
                        Write-Verbose "Registration does not exist, registering `"$DNSRecord`""
                        $Identifier = ACMESharp\New-ACMEIdentifier -Dns $DNSRecord -Alias $IdentifierAlias -VaultProfile $VaultName
                    } catch {
                        Write-Verbose "Registration is invalid"
                        $Identifier = [PSCustomObject]@{
                            Status  = "invalid"
                            Expires = $null
                        }
                    }
                }
                try {
                    if ($Identifier.Uri) {
                        Write-Verbose "Extracting data, checking validation"
                        $response = Invoke-RestMethod -Uri $Identifier.Uri -Method Get
                        #$result = $response | Select-Object status,expires
                        if ((-not([string]::IsNullOrWhiteSpace($response.status))) -and (-not([string]::IsNullOrWhiteSpace($response.expires)))) {
                            $httpIdentifier = ($response | Select-Object -expand Challenges | Where-Object {$_.type -eq "http-01"})
                        }
                    } else {
                        Write-Verbose "No URI available to check..."
                    }
                } catch {
                    Write-Verbose "Something went wrong with the validation:`n$($response | Format-Table | Out-String)"
                }
                Write-Verbose "Checking if current validation is still valid"
                if (($response.status -eq "valid") -and ($([datetime]$response.Expires - $(Get-Date)).TotalDays -gt 1)) {
                    Write-Verbose "Registration for `"$DNSRecord`" is still valid"
                    $Validation = $true
                    Write-Verbose "Validation response:`n$($($response | Select-Object Identifier,Status,Expires) | Format-Table | Out-String)"
                } else {
                    Write-Verbose "Registration for `"$DNSRecord`" is NOT valid, validation required"
                    $Validation = $false
                    Write-Verbose "Validation response:`n$($($Identifier | Select-Object Identifier,Status,Expires) | Format-Table | Out-String)"
                }
                Write-Verbose "Storing values for reference"
                $DNSObjects += [PSCustomObject]@{
                    DNSName   = $DNSRecord
                    IPAddress = $SANIP
                    Status    = $SANStatus
                    Match     = $SANMatch
                    SAN       = $true
                    DNSValid  = $Validation
                    Alias     = $IdentifierAlias
                }
            }
            Write-Verbose "Finished with SAN: `"$DNSRecord`""
        }
    }
    Write-Verbose "SAN Objects:`n$($DNSObjects | Format-List | Out-String)"
}
#endregion SAN

if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Verbose "Checking for invalid DNS Records"
    $InvalidDNS = $DNSObjects | Where-Object {$_.Status -eq $false}
    $SkippedDNS = $DNSObjects | Where-Object {$_.IPAddress -eq "Skipped"}
    if ($InvalidDNS) {
        Write-Verbose "Invalid DNS object(s):`n$($InvalidDNS | Select-Object DNSName,Status | Format-List | Out-String)"
        $DNSObjects[0] | Select-Object DNSName,IPAddress | Format-List | Out-String | ForEach-Object {Write-Host -ForeGroundColor Green "$_"}
        $InvalidDNS | Select-Object DNSName,IPAddress | Format-List | Out-String | ForEach-Object {Write-Host -ForeGroundColor Red "$_"}
        throw "ERROR, invalid (not registered?) DNS Record(s) found!"
    } else {
        Write-Verbose "None found, continuing"
    }
    if ($SkippedDNS) {
        Write-Warning "The following DNS object(s) will be skipped:`n$($SkippedDNS | Select-Object DNSName | Format-List | Out-String)"
    }
    Write-Verbose "Checking non matching DNS Records"
    $DNSNoMatch = $DNSObjects | Where-Object {$_.Match -eq $false}
    if ($DNSNoMatch -and (-not $DisableIPCheck)) {
        Write-Verbose "$($DNSNoMatch | Select-Object DNSName,Match | Format-List | Out-String)"
        $DNSObjects[0] | Select-Object DNSName,IPAddress | Format-List | Out-String | ForEach-Object {Write-Host -ForeGroundColor Green "$_"}
        $DNSNoMatch | Select-Object DNSName,IPAddress | Format-List | Out-String | ForEach-Object {Write-Host -ForeGroundColor Red "$_"}
        throw "ERROR: Non-matching records found, must match to `"$($DNSObjects[0].DNSName)`" ($($DNSObjects[0].IPAddress))"
    } elseif ($DisableIPCheck) {
        Write-Verbose "IP Addresses checking was skipped"
    } else {
        Write-Verbose "All IP Addresses match"
    }
}

#region ACME DNS Verification
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Verbose "Checking if validation is required"
    $DNSValidationRequired = $DNSObjects | Where-Object {$_.DNSValid -eq $false}
    if ($DNSValidationRequired) {
        Write-Verbose "Validation required for the following objects:`n$($DNSValidationRequired | Select-Object DNSName | Format-List | Out-String)"
        $NetScalerActionsRequired = $true
    } else {
        Write-Verbose "Validation NOT required"
        $NetScalerActionsRequired = $false
    }
}

#region NetScaler pre dns
if ((-not ($CleanNS)) -and ($NetScalerActionsRequired) -and (-not ($RemoveTestCertificates))) {
    try {
        Write-Verbose "Login to NetScaler and save session to global variable"
        $NSSession = Connect-NetScaler -ManagementURL $NSManagementURL -Credential $NSCredential -PassThru
        Write-Verbose "Enable required NetScaler Features, Load Balancer, Responder, Content Switch and SSL"
        $payload = @{"feature"="LB RESPONDER CS SSL"}
        $response = InvokeNSRestApi -Session $NSSession -Method POST -Type nsfeature -Payload $payload -Action enable
        try {
            Write-Verbose "Verifying Content Switch"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type csvserver -Resource $NSCsVipName
        } catch {
            $ExcepMessage = $_.Exception.Message
            Write-Verbose "Error Details: $ExcepMessage"
            throw "Could not find/read out the content switch `"$NSCsVipName`" not available?"
        } finally {
            if ($ExcepMessage -like "*(404) Not Found*") {
                Write-Host -ForeGroundColor Red "`nThe Content Switch `"$NSCsVipName`" does NOT exist!"
                Exit (1)
            } elseif ($ExcepMessage -like "*The remote server returned an error*") {
                Write-Host -ForeGroundColor Red "`nUnknown error found while checking the Content Switch: `"$NSCsVipName`""
                Write-Host -ForeGroundColor Red "Error message: `"$ExcepMessage`""
                Exit (1)
            } elseif (($response.errorcode -eq "0") -and (-not ($response.csvserver.servicetype -eq "HTTP"))) {
                Write-Host -ForeGroundColor Red "`nThe Content Switch is $($response.csvserver.servicetype) and NOT HTTP"
                Write-Host -ForeGroundColor Red "Please use a HTTP (Port 80) Content Switch this is required for the validation. Exiting now`n"
                Exit (1)
            }
        }
        try {
            Write-Verbose "Configuring NetScaler: Check if Load Balancer Service exists"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type service -Resource $NSSvcName
            Write-Verbose "Yep it exists, continuing"
        } catch {
            Write-Verbose "It does not exist, continuing"
            Write-Verbose "Configuring NetScaler: Create Load Balance Service `"$NSSvcName`""
            $payload = @{"name"="$NSSvcName";"ip"="$NSSvcDestination";"servicetype"="HTTP";"port"="80";"healthmonitor"="NO";}
            $response = InvokeNSRestApi -Session $NSSession -Method POST -Type service -Payload $payload -Action add
        }
        try {
            Write-Verbose "Configuring NetScaler: Check if Load Balancer exists"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type lbvserver -Resource $NSLbName
            Write-Verbose "Yep it exists, continuing"
        } catch {
            Write-Verbose "Nope, continuing"
            Write-Verbose "Configuring NetScaler: Create Load Balance Vip `"$NSLbName`""
            $payload = @{"name"="$NSLbName";"servicetype"="HTTP";"ipv46"="0.0.0.0";"Port"="0";}
            $response = InvokeNSRestApi -Session $NSSession -Method POST -Type lbvserver -Payload $payload -Action add
        } finally {
            Write-Verbose "Configuring NetScaler: Bind Service `"$NSSvcName`" to Load Balance Vip `"$NSLbName`""
            Write-Verbose "Checking LB Service binding"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type lbvserver_service_binding -Resource $NSLbName
            if ($response.lbvserver_service_binding.servicename -eq $NSSvcName) {
                Write-Verbose "LB Service binding is ok"
            } else {
                $payload = @{"name"="$NSLbName";"servicename"="$NSSvcName";}
                $response = InvokeNSRestApi -Session $NSSession -Method PUT -Type lbvserver_service_binding -Payload $payload
            }
        }
        try {
            Write-Verbose "Configuring NetScaler: Check if Responder Action exists"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type responderaction -Resource $NSRsaName
            try {
                Write-Verbose "Yep it exists, continuing"
                Write-Verbose "Configuring NetScaler: Change Responder Action to default values"
                $payload = @{"name"="$NSRsaName";"target"='"HTTP/1.0 200 OK" +"\r\n\r\n" + "XXXX"';}
                $response = InvokeNSRestApi -Session $NSSession -Method POST -Type responderaction -Payload $payload -Action set
            } catch {
                throw "Something went wrong with reconfiguring the existing action `"$NSRsaName`", exiting now..."
            }
        } catch {
            $payload = @{"name"="$NSRsaName";"type"="respondwith";"target"='"HTTP/1.0 200 OK" +"\r\n\r\n" + "XXXX"';}
            $response = InvokeNSRestApi -Session $NSSession -Method POST -Type responderaction -Payload $payload -Action add
        }
        try {
            Write-Verbose "Configuring NetScaler: Check if Responder Policy exists"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type responderpolicy -Resource $NSRspName
            try {
                Write-Verbose "Yep it exists, continuing"
                Write-Verbose "Configuring NetScaler: Change Responder Policy to default values"
                # Bind the configured action name, not a hard-coded "rsa_letsencrypt", so a custom $NSRsaName keeps working
                $payload = @{"name"="$NSRspName";"action"="$NSRsaName";"rule"='HTTP.REQ.URL.CONTAINS(".well-known/acme-challenge/XXXX")';}
                $response = InvokeNSRestApi -Session $NSSession -Method POST -Type responderpolicy -Payload $payload -Action set
            } catch {
                throw "Something went wrong with reconfiguring the existing policy `"$NSRspName`", exiting now..."
            }
        } catch {
            $payload = @{"name"="$NSRspName";"action"="$NSRsaName";"rule"='HTTP.REQ.URL.CONTAINS(".well-known/acme-challenge/XXXX")';}
            $response = InvokeNSRestApi -Session $NSSession -Method POST -Type responderpolicy -Payload $payload -Action add
        } finally {
            $payload = @{"name"="$NSLbName";"policyname"="$NSRspName";"priority"=100;}
            $response = InvokeNSRestApi -Session $NSSession -Method PUT -Type lbvserver_responderpolicy_binding -Payload $payload -Resource $NSLbName
        }
        try {
            Write-Verbose "Configuring NetScaler: Check if Content Switch Policy exists"
            $response = InvokeNSRestApi -Session $NSSession -Method GET -Type cspolicy -Resource $NSCspName
            Write-Verbose "It does, continuing"
            if (-not($response.cspolicy.rule -eq "HTTP.REQ.URL.CONTAINS(`"well-known/acme-challenge/`")")) {
                $payload = @{"policyname"="$NSCspName";"rule"="HTTP.REQ.URL.CONTAINS(`"well-known/acme-challenge/`")";}
                $response = InvokeNSRestApi -Session $NSSession -Method PUT -Type cspolicy -Payload $payload
            }
        } catch {
            Write-Verbose "Configuring NetScaler: Create Content Switch Policy"
            $payload = @{"policyname"="$NSCspName";"rule"='HTTP.REQ.URL.CONTAINS("well-known/acme-challenge/")';}
            $response = InvokeNSRestApi -Session $NSSession -Method POST -Type cspolicy -Payload $payload -Action add
        }
        Write-Verbose "Configuring NetScaler: Bind Load Balancer `"$NSLbName`" to Content Switch `"$NSCsVipName`" with prio: $NSCsVipBinding"
        $payload = @{"name"="$NSCsVipName";"policyname"="$NSCspName";"priority"="$NSCsVipBinding";"targetlbvserver"="$NSLbName";"gotopriorityexpression"="END";}
        $response = InvokeNSRestApi -Session $NSSession -Method PUT -Type csvserver_cspolicy_binding -Payload $payload
        Write-Verbose "Finished configuring the NetScaler"
    } catch {
        Write-Verbose "Error Details: $($_.Exception.Message)"
        throw "ERROR: Could not configure the NetScaler, exiting now"
    }
    Start-Sleep -Seconds 2
}
#endregion NetScaler pre dns

#region Test NS CS
if ((-not ($CleanNS)) -and ($NetScalerActionsRequired) -and (-not ($RemoveTestCertificates))) {
    Write-Host -ForeGroundColor White "Executing some tests, can take a couple of seconds/minutes..."
    Write-Host -ForeGroundColor Yellow "`r`nPlease note that if a test fails, the script still tries to continue!`r`n"
    ForEach ($DNSObject in $DNSObjects ) {
        Write-Host -ForeGroundColor White -NoNewLine " -Checking: => "
        Write-Host -ForeGroundColor Yellow "`"$($DNSObject.DNSName)`" ($($DNSObject.IPAddress))"
        $TestURL = "http://$($DNSObject.DNSName)/.well-known/acme-challenge/XXXX"
        Write-Verbose "Testing if the Content Switch is available on `"$TestURL`" (via internal DNS)"
        try {
            Write-Verbose "Retrieving data"
            $Result = Invoke-WebRequest -URI $TestURL -TimeoutSec 2
            Write-Verbose "Success, output: $($Result| Out-String)"
        } catch {
            $Result = $null
            Write-Verbose "Internal check failed, error Details: $($_.Exception.Message)"
        }
        if ($Result.RawContent -eq "HTTP/1.0 200 OK" + "`r`n`r`n" + "XXXX") {
            Write-Host -ForeGroundColor White -NoNewLine " -Test (Int. DNS): "
            Write-Host -ForeGroundColor Green "OK"
        } else {
            Write-Host -ForeGroundColor White -NoNewLine " -Test (Int. DNS): "
            Write-Host -ForeGroundColor Yellow "Not successful, maybe not resolvable internally?"
            Write-Verbose "Output: $($Result| Out-String)"
        }
        try {
            Write-Verbose "Checking if Public IP is available for external DNS testing"
            [ref]$ValidIP = [ipaddress]::None
            if (([ipaddress]::TryParse("$($DNSObject.IPAddress)",$ValidIP)) -and (-not ($DisableIPCheck))) {
                Write-Verbose "Testing if the Content Switch is available on `"$TestURL`" (via external DNS)"
                $TestURL = "http://$($DNSObject.IPAddress)/.well-known/acme-challenge/XXXX"
                $Headers = @{"Host"="$($DNSObject.DNSName)"}
                Write-Verbose "Retrieving data"
                $Result = Invoke-WebRequest -URI $TestURL -Headers $Headers -TimeoutSec 2
                Write-Verbose "Success, output: $($Result| Out-String)"
            } else {
                Write-Verbose "Public IP is not available for external DNS testing"
            }
        } catch {
            $Result = $null
            Write-Verbose "External check failed, error Details: $($_.Exception.Message)"
        }
        [ref]$ValidIP = [ipaddress]::None
        if (([ipaddress]::TryParse("$($DNSObject.IPAddress)",$ValidIP)) -and (-not ($DisableIPCheck))) {
            if ($Result.RawContent -eq "HTTP/1.0 200 OK" + "`r`n`r`n" + "XXXX") {
                Write-Host -ForeGroundColor White -NoNewLine " -Test (Ext. DNS): "
                Write-Host -ForeGroundColor Green "OK"
            } else {
                Write-Host -ForeGroundColor White -NoNewLine " -Test (Ext. DNS): "
                Write-Host -ForeGroundColor Yellow "Not successful, maybe not resolvable externally?"
                Write-Verbose "Output: $($Result| Out-String)"
            }
        }
    }
    Write-Host -ForeGroundColor White "`r`nFinished the tests, script will continue again."
}
#endregion Test NS CS

#region DNS Check
if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) {
    Write-Verbose "Check if DNS Records need to be validated"
    Write-Host -ForeGroundColor White "Verification:"
    foreach ($DNSObject in $DNSObjects) {
        $DNSRecord = $DNSObject.DNSName
        $Challenge = $null
        $UpdateIdentifier = $null
        Write-Verbose "Checking validation for `"$DNSRecord`""
        if ($DNSObject.DNSValid) {
            Write-Host -ForeGroundColor White -NoNewLine " -DNS: "
            Write-Host -ForeGroundColor Green "`"$DNSRecord`""
            Write-Host -ForeGroundColor White -NoNewLine " -Status: "
            Write-Host -ForeGroundColor Green "=> Still valid"
        } else {
            Write-Verbose "New validation required, Start verifying"
            $IdentifierAlias = $DNSObject.Alias
            try {
                try {
                    $CompletedChallenge = ACMESharp\Complete-ACMEChallenge -IdentifierRef $IdentifierAlias -ChallengeType http-01 -Handler manual -VaultProfile $VaultName -Force
                    if ($([datetime]$CompletedChallenge.Expires - $(Get-Date)).TotalDays -gt 1) {
                        $Challenge = ($CompletedChallenge.Challenges | Where-Object { $_.Type -eq "http-01" }).Challenge
                    }
                } catch {
                    Write-Verbose "Error Details: $($_.Exception.Message)"
                    throw "Error while creating the Challenge"
                }
                Write-Verbose "Configuring NetScaler: Change Responder Policy `"$NSRspName`" to: `"HTTP.REQ.URL.CONTAINS(`"$($Challenge.FilePath)`")`""
                $payload = @{"name"="$NSRspName";"action"="$NSRsaName";"rule"="HTTP.REQ.URL.CONTAINS(`"$($Challenge.FilePath)`")";}
                $response = InvokeNSRestApi -Session $NSSession -Method POST -Type responderpolicy -Payload $payload -Action set
                Write-Verbose "Configuring NetScaler: Change Responder Action `"$NSRsaName`" to return "
                Write-Verbose "`"HTTP/1.0 200 OK\r\n\r\n$($Challenge.FileContent)`""
                $payload = @{"name"="$NSRsaName";"target"="`"HTTP/1.0 200 OK\r\n\r\n$($Challenge.FileContent)`"";}
                $response = InvokeNSRestApi -Session $NSSession -Method POST -Type responderaction -Payload $payload -Action set
                Write-Verbose "Wait 1 second"
                Start-Sleep -Seconds 1
                Write-Verbose "Start Submitting Challenge"
                try {
                    ACMESharp\Submit-ACMEChallenge -IdentifierRef $IdentifierAlias -ChallengeType http-01 -VaultProfile $VaultName | Out-Null
                } catch {
                    Write-Verbose "Error Details: $($_.Exception.Message)"
                    throw "Error while submitting the Challenge"
                }
                Write-Verbose "Retrieving validation status"
                try {
                    $UpdateIdentifier = (ACMESharp\Update-ACMEIdentifier -IdentifierRef $IdentifierAlias -ChallengeType http-01 -VaultProfile $VaultName).Challenges
| Where-Object {$_.Type -eq \u0026#34;http-01\u0026#34;} } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; throw \u0026#34;Error while retreiving validation status\u0026#34; } $i = 0 Write-Host -ForeGroundColor White -NoNewLine \u0026#34; -DNS: \u0026#34; Write-Host -ForeGroundColor Green \u0026#34;`\u0026#34;$DNSRecord`\u0026#34;\u0026#34; Write-Host -ForeGroundColor White -NoNewLine \u0026#34; -Status: \u0026#34; while(-NOT ($UpdateIdentifier.Status.ToLower() -eq \u0026#34;valid\u0026#34;)) { Write-Host -ForeGroundColor Yellow -NoNewLine \u0026#34;=\u0026#34; $i++ Write-Verbose \u0026#34;($($i.ToString())) $DNSRecord is not (yet) validated, Wait 2 second\u0026#34; Start-Sleep -Seconds 2 Write-Verbose \u0026#34;Retreiving validation status\u0026#34; try { $UpdateIdentifier = (ACMESharp\\Update-ACMEIdentifier -IdentifierRef $IdentifierAlias -ChallengeType http-01 -VaultProfile $VaultName).Challenges | Where-Object {$_.Type -eq \u0026#34;http-01\u0026#34;} } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; throw \u0026#34;Error while retreiving validation status\u0026#34; } if (($i -ge 60) -or ($UpdateIdentifier.Status.ToLower() -eq \u0026#34;invalid\u0026#34;)) {break} } switch ($UpdateIdentifier.Status.ToLower()) { \u0026#34;pending\u0026#34; { Write-Host -ForeGroundColor Red \u0026#34;ERROR\u0026#34; throw \u0026#34;It took to long for the validation ($DNSRecord) to complete, exiting now.\u0026#34; } \u0026#34;invalid\u0026#34; { Write-Host -ForeGroundColor Red \u0026#34;ERROR\u0026#34; throw \u0026#34;Validation for `\u0026#34;$DNSRecord`\u0026#34; is invalid! 
Exiting now.\u0026#34; } \u0026#34;valid\u0026#34; { Write-Host -ForeGroundColor Green \u0026#34;\u0026gt; validated successfully\u0026#34; } default { Write-Host -ForeGroundColor Red \u0026#34;ERROR\u0026#34; throw \u0026#34;Unexpected status for `\u0026#34;$DNSRecord`\u0026#34; is `\u0026#34;$($UpdateIdentifier.Status)`\u0026#34;, exiting now.\u0026#34; } } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; throw \u0026#34;Error while verifying `\u0026#34;$DNSRecord`\u0026#34;, exiting now\u0026#34; } } } \u0026#34;`r`n\u0026#34; } #endregion DNS Check #region NetScaler post DNS if (($NetScalerActionsRequired) -or ($CleanNS) -and (-not ($RemoveTestCertificates))) { Write-Verbose \u0026#34;Login to NetScaler and save session to global variable\u0026#34; Connect-NetScaler -ManagementURL $NSManagementURL -Credential $NSCredential try { Write-Verbose \u0026#34;Checking if a binding exists for `\u0026#34;$NSCspName`\u0026#34;\u0026#34; $Filters = @{\u0026#34;policyname\u0026#34;=\u0026#34;$NSCspName\u0026#34;} $response = InvokeNSRestApi -Session $NSSession -Method GET -Type csvserver_cspolicy_binding -Resource \u0026#34;$NSCsVipName\u0026#34; -Filters $Filters if ($response.csvserver_cspolicy_binding.policyname -eq $NSCspName) { Write-Verbose \u0026#34;Removing Content Switch Loadbalance Binding\u0026#34; $Arguments = @{\u0026#34;name\u0026#34;=\u0026#34;$NSCsVipName\u0026#34;;\u0026#34;policyname\u0026#34;=\u0026#34;$NSCspName\u0026#34;;\u0026#34;priority\u0026#34;=\u0026#34;$NSCsVipBinding\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type csvserver_cspolicy_binding -Arguments $Arguments } else { Write-Verbose \u0026#34;No binding found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; Write-Warning \u0026#34;Not able to remove the Content Switch Loadbalance Binding\u0026#34; } try { Write-Verbose \u0026#34;Checking if Content Switch Policy 
`\u0026#34;$NSCspName`\u0026#34; exists\u0026#34; try { $response = InvokeNSRestApi -Session $NSSession -Method GET -Type cspolicy -Resource \u0026#34;$NSCspName\u0026#34; } catch{} if ($response.cspolicy.policyname -eq $NSCspName) { Write-Verbose \u0026#34;Removing Content Switch Policy\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type cspolicy -Resource \u0026#34;$NSCspName\u0026#34; } else { Write-Verbose \u0026#34;Content Switch Policy not found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; Write-Warning \u0026#34;Not able to remove the Content Switch Policy\u0026#34; } try { Write-Verbose \u0026#34;Checking if Load Balance vServer `\u0026#34;$NSLbName`\u0026#34; exists\u0026#34; try { $response = InvokeNSRestApi -Session $NSSession -Method GET -Type lbvserver -Resource \u0026#34;$NSLbName\u0026#34; } catch{} if ($response.lbvserver.name -eq $NSLbName) { Write-Verbose \u0026#34;Removing the Load Balance vServer\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type lbvserver -Resource \u0026#34;$NSLbName\u0026#34; } else { Write-Verbose \u0026#34;Load Balance vServer not found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; Write-Warning \u0026#34;Not able to remove the Load Balance vserver\u0026#34; } try { Write-Verbose \u0026#34;Checking if Service `\u0026#34;$NSSvcName`\u0026#34; exists\u0026#34; try { $response = InvokeNSRestApi -Session $NSSession -Method GET -Type service -Resource \u0026#34;$NSSvcName\u0026#34; } catch{} if ($response.service.name -eq $NSSvcName) { Write-Verbose \u0026#34;Removing Service `\u0026#34;$NSSvcName`\u0026#34;\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type service -Resource \u0026#34;$NSSvcName\u0026#34; } else { Write-Verbose \u0026#34;Service not found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; 
Write-Warning \u0026#34;Not able to remove the Service\u0026#34; } try { Write-Verbose \u0026#34;Checking if server `\u0026#34;$NSSvcDestination`\u0026#34; exists\u0026#34; try { $response = InvokeNSRestApi -Session $NSSession -Method GET -Type server -Resource \u0026#34;$NSSvcDestination\u0026#34; } catch{} if ($response.server.name -eq $NSSvcDestination) { Write-Verbose \u0026#34;Removing Server `\u0026#34;$NSSvcDestination`\u0026#34;\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type server -Resource \u0026#34;$NSSvcDestination\u0026#34; } else { Write-Verbose \u0026#34;Server not found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; Write-Warning \u0026#34;Not able to remove the Server\u0026#34; } try { Write-Verbose \u0026#34;Checking if Responder Policy `\u0026#34;$NSRspName`\u0026#34; exists\u0026#34; try { $response = InvokeNSRestApi -Session $NSSession -Method GET -Type responderpolicy -Resource \u0026#34;$NSRspName\u0026#34; } catch{} if ($response.responderpolicy.name -eq $NSRspName) { Write-Verbose \u0026#34;Removing Responder Policy `\u0026#34;$NSRspName`\u0026#34;\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type responderpolicy -Resource \u0026#34;$NSRspName\u0026#34; } else { Write-Verbose \u0026#34;Responder Policy not found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; Write-Warning \u0026#34;Not able to remove the Responder Policy\u0026#34; } try { Write-Verbose \u0026#34;Checking if Responder Action `\u0026#34;$NSRsaName`\u0026#34; exists\u0026#34; try { $response = InvokeNSRestApi -Session $NSSession -Method GET -Type responderaction -Resource \u0026#34;$NSRsaName\u0026#34; } catch{} if ($response.responderaction.name -eq $NSRsaName) { Write-Verbose \u0026#34;Removing Responder Action `\u0026#34;$NSRsaName`\u0026#34;\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type 
responderaction -Resource $NSRsaName } else { Write-Verbose \u0026#34;Responder Action not found\u0026#34; } } catch { Write-Verbose \u0026#34;Error Details: $($_.Exception.Message)\u0026#34; Write-Warning \u0026#34;Not able to remove the Responder Action\u0026#34; } } #endregion NetScaler Post DNS #endregion ACME DNS Verification #endregion DNS #region Certificates if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) { $SANs = $DNSObjects | Where-Object {$_.SAN -eq $true} $IdentifierAlias = $DNSObjects[0].Alias try { $CertificateAlias = \u0026#34;CRT-SAN-$SessionDateTime-$CN\u0026#34; if ($SANs) { Write-Verbose \u0026#34;Get certificate with SANs\u0026#34; Write-Verbose \u0026#34;Domain:`n$($DNSObjects[0] | Select-Object DNSName,Alias | Format-List | Out-String)\u0026#34; Write-Verbose \u0026#34;Subject Alternative Names:`n$(@($SANs) | Select-Object DNSName,Alias | Format-List | Out-String)\u0026#34; $NewCertificate = ACMESharp\\New-ACMECertificate $IdentifierAlias ` -AlternativeIdentifierRefs @($SANs.Alias) ` -Alias $CertificateAlias ` -Generate ` -VaultProfile $VaultName } else { Write-Verbose \u0026#34;Get single DNS Name certificate\u0026#34; Write-Verbose \u0026#34;Domain:`n$($($DNSObjects[0].DNSName) | Format-List * | Out-String)\u0026#34; $NewCertificate = ACMESharp\\New-ACMECertificate $IdentifierAlias ` -Alias $CertificateAlias ` -Generate ` -VaultProfile $VaultName } Write-Verbose \u0026#34;Submit Certificate request\u0026#34; ACMESharp\\Submit-ACMECertificate $CertificateAlias -VaultProfile $VaultName | Out-Null } catch { throw \u0026#34;ERROR. 
Certificate completion failed, details: $($_.Exception.Message | Out-String)\u0026#34; } $i = 0 while (-not (ACMESharp\\Update-ACMECertificate $CertificateAlias -VaultProfile $VaultName | Select-Object IssuerSerialNumber)) { $i++ $imax = 120 if ($i -ge $imax) { throw \u0026#34;Error: Retreiving certificate failed, took to long to complete\u0026#34; } Write-Host \u0026#34;Will continue $(($imax-$i)*2) more seconds for the certificate to come available...\u0026#34; Start-Sleep -seconds 2 } $CertificateDirectory = Join-Path -Path $CertDir -ChildPath $CertificateAlias Write-Verbose \u0026#34;Create directory `\u0026#34;$CertificateDirectory`\u0026#34; for storing the new certificates\u0026#34; New-Item $CertificateDirectory -ItemType directory -force | Out-Null $CertificateName = \u0026#34;$($ScriptDateTime.ToString(\u0026#34;yyyyMMddHHmm\u0026#34;))-$cn\u0026#34; if (Test-Path $CertificateDirectory){ if ($Production){ Write-Verbose \u0026#34;Writing production certificates\u0026#34; $IntermediateCACertKeyName = \u0026#34;Lets Encrypt Authority X3-int\u0026#34; $IntermediateCAFileName = \u0026#34;$($IntermediateCACertKeyName).crt\u0026#34; $IntermediateCAFullPath = Join-Path -Path $CertificateDirectory -ChildPath $IntermediateCAFileName $IntermediateCASerial = \u0026#34;0a0141420000015385736a0b85eca708\u0026#34; } else { Write-Verbose \u0026#34;Writing test/staging certificates\u0026#34; $IntermediateCACertKeyName = \u0026#34;Fake LE Intermediate X1-int\u0026#34; $IntermediateCAFileName = \u0026#34;$($IntermediateCACertKeyName).crt\u0026#34; $IntermediateCAFullPath = Join-Path -Path $CertificateDirectory -ChildPath $IntermediateCAFileName $IntermediateCASerial = \u0026#34;8be12a0e5944ed3c546431f097614fe5\u0026#34; } Write-Verbose \u0026#34;Intermediate: `\u0026#34;$IntermediateCAFileName`\u0026#34;\u0026#34; ACMESharp\\Get-ACMECertificate $CertificateAlias -ExportIssuerPEM $IntermediateCAFullPath -VaultProfile $VaultName | Out-Null if ($Production){ if 
($CertificateName.length -ge 31) { $CertificateName = \u0026#34;$($CertificateName.subString(0,31))\u0026#34; Write-Verbose \u0026#34;CertificateName (new name): `\u0026#34;$CertificateName`\u0026#34; ($($CertificateName.length) max 31)\u0026#34; } else { $CertificateName = \u0026#34;$CertificateName\u0026#34; Write-Verbose \u0026#34;CertificateName: `\u0026#34;$CertificateName`\u0026#34; ($($CertificateName.length) max 31)\u0026#34; } if ($CertificateAlias.length -ge 59) { $CertificateFileName = \u0026#34;$($CertificateAlias.subString(0,59)).crt\u0026#34; Write-Verbose \u0026#34;Certificate (new name): `\u0026#34;$CertificateFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; $CertificateKeyFileName = \u0026#34;$($CertificateAlias.subString(0,59)).key\u0026#34; Write-Verbose \u0026#34;Key (new name): `\u0026#34;$CertificateKeyFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; } else { $CertificateFileName = \u0026#34;$($CertificateAlias).crt\u0026#34; Write-Verbose \u0026#34;Certificate: `\u0026#34;$CertificateFileName`\u0026#34; ($($CertificateFileName.length) max 63)\u0026#34; $CertificateKeyFileName = \u0026#34;$($CertificateAlias).key\u0026#34; Write-Verbose \u0026#34;Key: `\u0026#34;$CertificateKeyFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; } $CertificatePfxFileName = \u0026#34;$CertificateAlias.pfx\u0026#34; } else { if ($CertificateName.length -ge 27) { $CertificateName = \u0026#34;TST-$($CertificateName.subString(0,27))\u0026#34; Write-Verbose \u0026#34;CertificateName (new name): `\u0026#34;$CertificateName`\u0026#34; ($($CertificateName.length) max 31)\u0026#34; } else { $CertificateName = \u0026#34;TST-$($CertificateName)\u0026#34; Write-Verbose \u0026#34;CertificateName: `\u0026#34;$CertificateName`\u0026#34; ($($CertificateName.length) max 31)\u0026#34; } if ($CertificateAlias.length -ge 55) { $CertificateFileName = \u0026#34;TST-$($CertificateAlias.subString(0,55)).crt\u0026#34; 
Write-Verbose \u0026#34;Certificate (new name): `\u0026#34;$CertificateFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; $CertificateKeyFileName = \u0026#34;TST-$($CertificateAlias.subString(0,55)).key\u0026#34; Write-Verbose \u0026#34;Key (new name): `\u0026#34;$CertificateKeyFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; } else { $CertificateFileName = \u0026#34;TST-$($CertificateAlias).crt\u0026#34; Write-Verbose \u0026#34;Certificate: `\u0026#34;$CertificateFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; $CertificateKeyFileName = \u0026#34;TST-$($CertificateAlias).key\u0026#34; Write-Verbose \u0026#34;Key: `\u0026#34;$CertificateKeyFileName`\u0026#34;($($CertificateFileName.length) max 63)\u0026#34; } $CertificatePfxFileName = \u0026#34;TST-$CertificateAlias.pfx\u0026#34; } $CertificateFullPath = Join-Path -Path $CertificateDirectory -ChildPath $CertificateFileName ACMESharp\\Get-ACMECertificate $CertificateAlias -ExportCertificatePEM $CertificateFullPath -VaultProfile $VaultName | Out-Null $CertificateKeyFullPath = Join-Path -Path $CertificateDirectory -ChildPath $CertificateKeyFileName ACMESharp\\Get-ACMECertificate $CertificateAlias -ExportKeyPEM $CertificateKeyFullPath -VaultProfile $VaultName | Out-Null $CertificatePfxFullPath = Join-Path -Path $CertificateDirectory -ChildPath $CertificatePfxFileName if ($PfxPassword){ Write-Verbose \u0026#34;PFX: `\u0026#34;$CertificatePfxFileName`\u0026#34; ($($CertificatePfxFileName.length))\u0026#34; ACMESharp\\Get-ACMECertificate $CertificateAlias -ExportPkcs12 \u0026#34;$CertificatePfxFullPath\u0026#34; -CertificatePassword \u0026#34;$PfxPassword\u0026#34; -VaultProfile $VaultName | Out-Null } else { try { $length=15 Add-Type -AssemblyName System.Web | Out-Null $PfxPassword = [System.Web.Security.Membership]::GeneratePassword($length,2) Write-Warning \u0026#34;No Password was specified, so a random password was generated!\u0026#34; Write-Host 
-ForeGroundColor Yellow \u0026#34;`n***********************\u0026#34; Write-Host -ForeGroundColor Yellow \u0026#34;* PFX Password: *\u0026#34; Write-Host -ForeGroundColor Yellow \u0026#34;* *\u0026#34; Write-Host -ForeGroundColor Yellow \u0026#34;* $PfxPassword *\u0026#34; Write-Host -ForeGroundColor Yellow \u0026#34;* *\u0026#34; Write-Host -ForeGroundColor Yellow \u0026#34;***********************`n\u0026#34; ACMESharp\\Get-ACMECertificate $CertificateAlias -ExportPkcs12 \u0026#34;$CertificatePfxFullPath\u0026#34; -CertificatePassword \u0026#34;$PfxPassword\u0026#34; -VaultProfile $VaultName | Out-Null } catch { Write-Verbose \u0026#34;An error occured while generating a Password.\u0026#34; } } } } #endregion Certificates #region Upload certificates to NetScaler if ((-not ($CleanNS)) -and (-not ($RemoveTestCertificates))) { try { Write-Verbose \u0026#34;Retreiving existing certificates\u0026#34; $CertDetails = InvokeNSRestApi -Session $NSSession -Method GET -Type sslcertkey Write-Verbose \u0026#34;Checking if IntermediateCA `\u0026#34;$IntermediateCACertKeyName`\u0026#34; already exists\u0026#34; if ($ns10x) { $IntermediateCADetails = $CertDetails.sslcertkey | Where-Object {$_.cert -match $IntermediateCAFileName} } else { $IntermediateCADetails = $CertDetails.sslcertkey | Where-Object {$_.serial -eq $IntermediateCASerial} } if (-not ($IntermediateCADetails)) { Write-Verbose \u0026#34;Uploading `\u0026#34;$IntermediateCAFileName`\u0026#34; to the NetScaler\u0026#34; $IntermediateCABase64 = [System.Convert]::ToBase64String($(Get-Content $IntermediateCAFullPath -Encoding \u0026#34;Byte\u0026#34;)) $payload = @{\u0026#34;filename\u0026#34;=\u0026#34;$IntermediateCAFileName\u0026#34;;\u0026#34;filecontent\u0026#34;=\u0026#34;$IntermediateCABase64\u0026#34;;\u0026#34;filelocation\u0026#34;=\u0026#34;/nsconfig/ssl/\u0026#34;;\u0026#34;fileencoding\u0026#34;=\u0026#34;BASE64\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type systemfile -Payload 
$payload Write-Verbose \u0026#34;Succeeded\u0026#34; Write-Verbose \u0026#34;Add the certificate to the NetScaler config\u0026#34; $payload = @{\u0026#34;certkey\u0026#34;=\u0026#34;$IntermediateCACertKeyName\u0026#34;;\u0026#34;cert\u0026#34;=\u0026#34;/nsconfig/ssl/$($IntermediateCAFileName)\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type sslcertkey -Payload $payload Write-Verbose \u0026#34;Succeeded\u0026#34; } else { $IntermediateCACertKeyName = $IntermediateCADetails.certkey Write-Verbose \u0026#34;Saving existing name `\u0026#34;$IntermediateCACertKeyName`\u0026#34; for later use\u0026#34; } $ExistingCertificateDetails = $CertDetails.sslcertkey | Where-Object {$_.certkey -eq $NSCertNameToUpdate} if (($NSCertNameToUpdate) -and ($ExistingCertificateDetails)) { $CertificateCertKeyName = $($ExistingCertificateDetails.certkey) Write-Verbose \u0026#34;Existing certificate `\u0026#34;$($ExistingCertificateDetails.certkey)`\u0026#34; found on the netscaler, start updating\u0026#34; try { Write-Verbose \u0026#34;Unlinking certificate\u0026#34; $payload = @{\u0026#34;certkey\u0026#34;=\u0026#34;$($ExistingCertificateDetails.certkey)\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type sslcertkey -Payload $payload -Action unlink } catch { Write-Verbose \u0026#34;Certificate was not linked\u0026#34; } $NSUpdating = $true } else { $CertificateCertKeyName = $CertificateName $ExistingCertificateDetails = $CertDetails.sslcertkey | Where-Object {$_.certkey -eq $CertificateCertKeyName} if ($ExistingCertificateDetails) { Write-Warning \u0026#34;Certificate `\u0026#34;$CertificateCertKeyName`\u0026#34; already exists, please update manually\u0026#34; exit(1) } $NSUpdating = $false } $CertificateCrtBase64 = [System.Convert]::ToBase64String($(Get-Content $CertificateFullPath -Encoding \u0026#34;Byte\u0026#34;)) $CertificateKeyBase64 = [System.Convert]::ToBase64String($(Get-Content $CertificateKeyFullPath -Encoding 
\u0026#34;Byte\u0026#34;)) Write-Verbose \u0026#34;Uploading the certificate\u0026#34; $payload = @{\u0026#34;filename\u0026#34;=\u0026#34;$CertificateFileName\u0026#34;;\u0026#34;filecontent\u0026#34;=\u0026#34;$CertificateCrtBase64\u0026#34;;\u0026#34;filelocation\u0026#34;=\u0026#34;/nsconfig/ssl/\u0026#34;;\u0026#34;fileencoding\u0026#34;=\u0026#34;BASE64\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type systemfile -Payload $payload Write-Verbose \u0026#34;Uploading the certificate key\u0026#34; $payload = @{\u0026#34;filename\u0026#34;=\u0026#34;$CertificateKeyFileName\u0026#34;;\u0026#34;filecontent\u0026#34;=\u0026#34;$CertificateKeyBase64\u0026#34;;\u0026#34;filelocation\u0026#34;=\u0026#34;/nsconfig/ssl/\u0026#34;;\u0026#34;fileencoding\u0026#34;=\u0026#34;BASE64\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type systemfile -Payload $payload Write-Verbose \u0026#34;Finished uploading\u0026#34; if ($NSUpdating) { Write-Verbose \u0026#34;Update the certificate and key to the NetScaler config\u0026#34; $payload = @{\u0026#34;certkey\u0026#34;=\u0026#34;$CertificateCertKeyName\u0026#34;;\u0026#34;cert\u0026#34;=\u0026#34;$($CertificateFileName)\u0026#34;;\u0026#34;key\u0026#34;=\u0026#34;$($CertificateKeyFileName)\u0026#34;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type sslcertkey -Payload $payload -Action update Write-Verbose \u0026#34;Succeeded\u0026#34; } else { Write-Verbose \u0026#34;Add the certificate and key to the NetScaler config\u0026#34; $payload = @{\u0026#34;certkey\u0026#34;=\u0026#34;$CertificateCertKeyName\u0026#34;;\u0026#34;cert\u0026#34;=\u0026#34;$($CertificateFileName)\u0026#34;;\u0026#34;key\u0026#34;=\u0026#34;$($CertificateKeyFileName)\u0026#34;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type sslcertkey -Payload $payload Write-Verbose \u0026#34;Succeeded\u0026#34; } Write-Verbose \u0026#34;Link `\u0026#34;$CertificateCertKeyName`\u0026#34; 
to `\u0026#34;$IntermediateCACertKeyName`\u0026#34;\u0026#34; $payload = @{\u0026#34;certkey\u0026#34;=\u0026#34;$CertificateCertKeyName\u0026#34;;\u0026#34;linkcertkeyname\u0026#34;=\u0026#34;$IntermediateCACertKeyName\u0026#34;;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type sslcertkey -Payload $payload -Action link Write-Verbose \u0026#34;Succeeded\u0026#34; if ($SaveNSConfig) { Write-Verbose \u0026#34;Saving NetScaler configuration\u0026#34; InvokeNSRestApi -Session $NSSession -Method POST -Type nsconfig -Action save } \u0026#34;\u0026#34; Write-Host -ForeGroundColor Green \u0026#34;Finished with the certificates!\u0026#34; if (-not $Production){ Write-Host -ForeGroundColor Green \u0026#34;You are now ready for the Production version!\u0026#34; Write-Host -ForeGroundColor Green \u0026#34;Add the `\u0026#34;-Production`\u0026#34; parameter and rerun the same script.\u0026#34; } } catch { throw \u0026#34;ERROR. Certificate completion failed, details: $($_.Exception.Message | Out-String)\u0026#34; } } #endregion Upload certificates to NetScaler #region Remove Test Certificates if ((-not ($CleanNS)) -and $RemoveTestCertificates) { Write-Verbose \u0026#34;Login to NetScaler and save session to global variable\u0026#34; $NSSession = Connect-NetScaler -ManagementURL $NSManagementURL -Credential $NSCredential -PassThru $IntermediateCACertKeyName = \u0026#34;Fake LE Intermediate X1\u0026#34; $IntermediateCASerial = \u0026#34;8be12a0e5944ed3c546431f097614fe5\u0026#34; Write-Verbose \u0026#34;Retreiving existing certificates\u0026#34; $CertDetails = InvokeNSRestApi -Session $NSSession -Method GET -Type sslcertkey Write-Verbose \u0026#34;Checking if IntermediateCA `\u0026#34;$IntermediateCACertKeyName`\u0026#34; already exists\u0026#34; if ($ns10x) { $IntermediateCADetails = $CertDetails.sslcertkey | Where-Object {$_.cert -match $IntermediateCAFileName} } else { $IntermediateCADetails = $CertDetails.sslcertkey | Where-Object {$_.serial -eq 
$IntermediateCASerial} } $LinkedCertificates = $CertDetails.sslcertkey | Where-Object {$_.linkcertkeyname -eq $IntermediateCADetails.certkey} Write-Verbose \u0026#34;The following certificates were found:`n$($LinkedCertificates | Select-Object certkey,linkcertkeyname,serial | Format-List | Out-String)\u0026#34; ForEach ($LinkedCertificate in $LinkedCertificates) { $payload = @{\u0026#34;certkey\u0026#34;=\u0026#34;$($LinkedCertificate.certkey)\u0026#34;;} try { $response = InvokeNSRestApi -Session $NSSession -Method POST -Type sslcertkey -Payload $payload -Action unlink Write-Host -NoNewLine \u0026#34;NetScaler, unlinked: \u0026#34; Write-Host -ForeGroundColor Green \u0026#34;$($LinkedCertificate.certkey)\u0026#34; } catch { Write-Warning \u0026#34;Could not unlink certkey `\u0026#34;$($LinkedCertificate.certkey)`\u0026#34;\u0026#34; } } $FakeCerts = $CertDetails.sslcertkey | Where-Object {$_.issuer -match $IntermediateCACertKeyName} ForEach ($FakeCert in $FakeCerts) { try { $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type sslcertkey -Resource $($FakeCert.certkey) Write-Host -NoNewLine \u0026#34;NetScaler, removing: \u0026#34; Write-Host -ForeGroundColor Green \u0026#34;$($FakeCert.certkey)\u0026#34; } catch { Write-Warning \u0026#34;Could not delete certkey `\u0026#34;$($FakeCert.certkey)`\u0026#34; from the netscaler\u0026#34; } $CertFilePath = (split-path $($FakeCert.cert) -Parent).Replace(\u0026#34;\\\u0026#34;,\u0026#34;/\u0026#34;) if ([string]::IsNullOrEmpty($CertFilePath)) { $CertFilePath = \u0026#34;/nsconfig/ssl/\u0026#34; } $CertFileName = split-path $($FakeCert.cert) -Leaf Write-Host -NoNewLine \u0026#34;NetScaler, deleted: \u0026#34; Write-Host -ForeGroundColor Green \u0026#34;$(Join-Path -Path $CertFilePath -ChildPath $CertFileName)\u0026#34; $KeyFilePath = (split-path $($FakeCert.key) -Parent).Replace(\u0026#34;\\\u0026#34;,\u0026#34;/\u0026#34;) if ([string]::IsNullOrEmpty($KeyFilePath)) { $KeyFilePath = 
\u0026#34;/nsconfig/ssl/\u0026#34; } $KeyFileName = split-path $($FakeCert.key) -Leaf Write-Host -NoNewLine \u0026#34;NetScaler, deleted: \u0026#34; Write-Host -ForeGroundColor Green \u0026#34;$(Join-Path -Path $KeyFilePath -ChildPath $KeyFileName)\u0026#34; $Arguments = @{\u0026#34;filelocation\u0026#34;=\u0026#34;$CertFilePath\u0026#34;;} try { $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type systemfile -Resource $CertFileName -Arguments $Arguments } catch { Write-Warning \u0026#34;Could not delete file: `\u0026#34;$CertFileName`\u0026#34; from location: `\u0026#34;$CertFilePath`\u0026#34;\u0026#34; } $Arguments = @{\u0026#34;filelocation\u0026#34;=\u0026#34;$KeyFilePath\u0026#34;;} try { $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type systemfile -Resource $KeyFileName -Arguments $Arguments } catch { Write-Warning \u0026#34;Could not delete file: `\u0026#34;$KeyFileName`\u0026#34; from location: `\u0026#34;$KeyFilePath`\u0026#34;\u0026#34; } } $Arguments = @{\u0026#34;filelocation\u0026#34;=\u0026#34;/nsconfig/ssl\u0026#34;;} $CertFiles = InvokeNSRestApi -Session $NSSession -Method Get -Type systemfile -Arguments $Arguments $CertFilesToRemove = $CertFiles.systemfile | Where-Object {$_.filename -match \u0026#34;TST-\u0026#34;} ForEach ($CertFileToRemove in $CertFilesToRemove) { $Arguments = @{\u0026#34;filelocation\u0026#34;=\u0026#34;$($CertFileToRemove.filelocation)\u0026#34;;} try { Write-Host -NoNewLine \u0026#34;File deleted: \u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type systemfile -Resource $($CertFileToRemove.filename) -Arguments $Arguments Write-Host -ForeGroundColor Green \u0026#34;$($CertFileToRemove.filename)\u0026#34; } catch { Write-Host -ForeGroundColor Red \u0026#34;$($CertFileToRemove.filename) (Error, not removed)\u0026#34; Write-Warning \u0026#34;Could not delete file: `\u0026#34;$($CertFileToRemove.filename)`\u0026#34; from location: 
`\u0026#34;$($CertFileToRemove.filelocation)`\u0026#34;\u0026#34; } } } #endregion Remove Test Certificates And if you want to schedule it you can use the following batchfile (GenLeCertForNS.cmd):\n@ECHO OFF setlocal EnableDelayedExpansion REM --\u0026gt; Check for permissions \u0026gt;nul 2\u0026gt;\u0026amp;1 \u0026#34;%SYSTEMROOT%\\system32\\cacls.exe\u0026#34; \u0026#34;%SYSTEMROOT%\\system32\\config\\system\u0026#34; REM --\u0026gt; If error flag set, we do not have admin. if \u0026#39;%errorlevel%\u0026#39; NEQ \u0026#39;0\u0026#39; ( echo Requesting administrative privileges... goto UACPrompt ) else ( goto gotAdmin ) :UACPrompt echo Set UAC = CreateObject^(\u0026#34;Shell.Application\u0026#34;^) \u0026gt; \u0026#34;%temp%\\getadmin.vbs\u0026#34; set params = %*:\u0026#34;=\u0026#34;\u0026#34; echo UAC.ShellExecute \u0026#34;cmd.exe\u0026#34;, \u0026#34;/c %~s0 %params%\u0026#34;, \u0026#34;\u0026#34;, \u0026#34;runas\u0026#34;, 1 \u0026gt;\u0026gt; \u0026#34;%temp%\\getadmin.vbs\u0026#34; \u0026#34;%temp%\\getadmin.vbs\u0026#34; del \u0026#34;%temp%\\getadmin.vbs\u0026#34; exit /B :gotAdmin pushd \u0026#34;%CD%\u0026#34; CD /D \u0026#34;%~dp0\u0026#34; goto StartScript rem ===== Help Example ===== SET OPTIONS=-CN \u0026#34;domain.com\u0026#34; SET OPTIONS=%OPTIONS% -EmailAddress \u0026#34;hostmaster@domain.com\u0026#34; SET OPTIONS=%OPTIONS% -SAN \u0026#34;sts.domain.com\u0026#34;,\u0026#34;www.domain.com\u0026#34;,\u0026#34;vpn.domain.com\u0026#34; SET OPTIONS=%OPTIONS% -PfxPassword \u0026#34;P@ssw0rd\u0026#34; SET OPTIONS=%OPTIONS% -CertDir \u0026#34;C:\\Certificates\u0026#34; SET OPTIONS=%OPTIONS% -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; SET OPTIONS=%OPTIONS% -NSCsVipName \u0026#34;cs_domain.com_http\u0026#34; SET OPTIONS=%OPTIONS% -NSPassword \u0026#34;P@ssw0rd\u0026#34; SET OPTIONS=%OPTIONS% -NSUsername \u0026#34;nsroot\u0026#34; SET OPTIONS=%OPTIONS% -NSCertNameToUpdate \u0026#34;san_domain_com\u0026#34; rem SET OPTIONS=%OPTIONS% 
-Production SET OPTIONS=%OPTIONS% -CleanVault SET OPTIONS=%OPTIONS% -Verbose NOTE: Use the \u0026#34;-Production\u0026#34; only if you\u0026#39;re sure everything works, you can only use the Let\u0026#39;s Encrypt production server 5 times per week. NOTE: Use the \u0026#34;-Verbose\u0026#34; parameter to get diagnostic output rem ===== End Help Example ===== :StartScript SET OPTIONS=-CN \u0026#34;domain.com\u0026#34; SET OPTIONS=%OPTIONS% -EmailAddress \u0026#34;hostmaster@domain.com\u0026#34; SET OPTIONS=%OPTIONS% -SAN \u0026#34;sts.domain.com\u0026#34;,\u0026#34;www.domain.com\u0026#34;,\u0026#34;vpn.domain.com\u0026#34; SET OPTIONS=%OPTIONS% -PfxPassword \u0026#34;P@ssw0rd\u0026#34; SET OPTIONS=%OPTIONS% -CertDir \u0026#34;C:\\Certificates\u0026#34; SET OPTIONS=%OPTIONS% -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; SET OPTIONS=%OPTIONS% -NSCsVipName \u0026#34;cs_domain.com_http\u0026#34; SET OPTIONS=%OPTIONS% -NSPassword \u0026#34;P@ssw0rd\u0026#34; SET OPTIONS=%OPTIONS% -NSUsername \u0026#34;nsroot\u0026#34; SET OPTIONS=%OPTIONS% -NSCertNameToUpdate \u0026#34;san_domain_com\u0026#34; rem SET OPTIONS=%OPTIONS% -Production SET OPTIONS=%OPTIONS% -CleanVault SET OPTIONS=%OPTIONS% -Verbose %SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File \u0026#34;%~dp0GenLeCertForNS.ps1\u0026#34; %OPTIONS% Edit (08-04-2017, v0.6): Removed 2 bugs from the script. Also it currently only supports ipv4 Edit (10-04-2017, v0.7): Changed the \u0026ldquo;Load Module\u0026rdquo; region, to also run smoothly on a Server OS, and removed a bug. (Thank you @MartinZugec for helping me with this one) Edit (23-04-2017, v0.7.1): Changed the \u0026ldquo;Load Module\u0026rdquo; region, sometimes the -AllowClobber parameter is needed when installing modules. Let me know if you have issues with it or have some ideas. 
Edit (9-11-2017, v0.8.1): Added the script on GitHub, https://github.com/j81blog/GenLeCertForNS Edit (24-06-2018, v0.9.4): Fixed some issues in the script, merged dev branch into master.\n","date":"April 6, 2017","externalUrl":null,"permalink":"/posts/lets-encrypt-certificates-on-a-netscaler/","section":"Blog","summary":"For a while now it’s possible to use Let’s Encrypt certificates, they are trusted (cross signed), secure and most of all FREE! There are already a lot of tools available to generate these certificates. I haven’t come across a tool or script to generate these certificates and upload them to a Citrix NetScaler. So I thought why not build it myself. I already tried it in a previous attempt, but I wanted more automation and thus I created this version. To learn more about the Let’s Encrypt, check how it works.. What my script does in very basic steps (for example you want a certificate for www.domain.com): Ask LE (Let’s Encrypt) to validate “www.domain.com” (1) LE returns data (2) among them:\n","title":"Let's Encrypt Certificates on a NetScaler","type":"posts"},{"content":"I\u0026rsquo;ve created a PowerShell script that can be used to generate an (offline) backup of a Citrix NetScaler. If you want you can use the supplied batchfile for example to schedule the backup in Scheduled Tasks to run every day. Some more information about the parameters used:\n(Table removed during migration — content was stored in a WordPress plugin database.)\n* Use the -NSCredential parameter or -NSUsername \u0026amp; -NSPassword, default is Username \u0026amp; Password ** Make sure to install WinSCP (msi) to use the default values or specify the location to the \u0026ldquo;WinSCPnet.dll\u0026rdquo; .Net assembly. You can download it here If you need to create a user just for the backup purpose, you can give it these minimal rights. 
This will be enough to create and download the backup.\n(^sftp.*)|(^scp.*)|(^(create|rm)\\s+system\\s+backup)|(^(create|rm)\\s+system\\s+backup\\s+.*)|(^(save|show)\\s+ns\\s+config)|(^(save|show)\\s+ns\\s+config\\s+.*) PowerShell Script (BackupNS.ps1):\n\u0026lt;# .SYNOPSIS Create a backup from the NetScaler and download a copy .DESCRIPTION Create a backup from the NetScaler and download a copy .PARAMETER NSManagementURL Management URL, used to connect to the NetScaler .PARAMETER NSUserName NetScaler username with enough access to configure it .PARAMETER NSPassword NetScaler username password .PARAMETER NSCredential Use a PSCredential object instead of a username or password. Use \u0026#34;Get-Credential\u0026#34; to generate a credential object C:\\PS\u0026gt; $Credential = Get-Credential .PARAMETER WinSCPAssembly Specify the location for the WinSCP .NET assembly (Optional) When not specified the default location in the %ProgramFiles% / %ProgramFiles(x86)% will be used. .PARAMETER BackupTargetLocation Specify the target location where to store the configuration and logfile .PARAMETER NSBackupLevel Level to be used for the Backup. `\u0026#34;basic`\u0026#34; or `\u0026#34;full`\u0026#34; (Optional) .EXAMPLE .\\BackupNS.ps1 -NSManagementURL \u0026#34;http://nsvpx01.domain.local\u0026#34; -NSPassword \u0026#34;P@ssw0rd\u0026#34; -NSUserName \u0026#34;nsroot\u0026#34; -BackupTargetLocation \u0026#34;C:\\Backup\u0026#34; -Verbose Create and download a backup from netscaler `\u0026#34;nsvpx01.domain.local`\u0026#34; and store it in `\u0026#34;C:\\Backup`\u0026#34;. And generate verbose output. .EXAMPLE .\\BackupNS.ps1 -NSManagementURL \u0026#34;http://192.168.100.1\u0026#34; -Credential $(get-credential) -Target \u0026#34;C:\\Backup\u0026#34; -Verbose Create and download a backup from netscaler `\u0026#34;192.168.100.1`\u0026#34; and store it in `\u0026#34;C:\\Backup`\u0026#34;. And generate verbose output. 
.NOTES File Name : BackupNS.ps1 Version : v0.3 Author : John Billekens Requires : PowerShell v3 and up NetScaler 11.x and up Run As Administrator WinSCP .LINK https://blog.j81.nl #\u0026gt; [cmdletbinding(DefaultParametersetName=\u0026#34;UsernamePassword\u0026#34;)] param( [ValidateNotNullOrEmpty()] [alias(\u0026#34;URL\u0026#34;)] [string]$NSManagementURL, [Parameter(ParameterSetName=\u0026#34;UsernamePassword\u0026#34;,Mandatory=$true)] [alias(\u0026#34;User\u0026#34;, \u0026#34;Username\u0026#34;)] [string]$NSUserName, [Parameter(ParameterSetName=\u0026#34;UsernamePassword\u0026#34;,Mandatory=$true)] [alias(\u0026#34;Password\u0026#34;)] [string]$NSPassword, [Parameter(ParameterSetName=\u0026#34;Credential\u0026#34;,Mandatory=$true)] [alias(\u0026#34;Credential\u0026#34;)] [ValidateScript({ if ($_ -is [System.Management.Automation.PSCredential]) { $true } elseif ($_ -is [string]) { $Script:Credential=Get-Credential -Credential $_ $true } else { Write-Error \u0026#34;You passed an unexpected object type for the credential (-NSCredential)\u0026#34; } })][object]$NSCredential, [Parameter(Mandatory=$true)] [alias(\u0026#34;Target\u0026#34;)] [string]$BackupTargetLocation, [Parameter(Mandatory=$false)] [ValidateSet(\u0026#34;full\u0026#34;, \u0026#34;basic\u0026#34;)] [alias(\u0026#34;Level\u0026#34;)] [string]$NSBackupLevel=\u0026#34;full\u0026#34;, [Parameter(Mandatory=$false)] [string]$WinSCPAssembly = $null ) #requires -version 3.0 #requires -runasadministrator #region Functions function InvokeNSRestApi { [CmdletBinding()] param ( [Parameter(Mandatory=$true)] [PSObject]$Session, [Parameter(Mandatory=$true)] [ValidateSet(\u0026#39;DELETE\u0026#39;, \u0026#39;GET\u0026#39;, \u0026#39;POST\u0026#39;, \u0026#39;PUT\u0026#39;)] [string]$Method, [Parameter(Mandatory=$true)] [string]$Type, [string]$Resource, [string]$Action, [hashtable]$Arguments = @{}, [switch]$Stat = $false, [ValidateScript({$Method -eq \u0026#39;GET\u0026#39;})] [hashtable]$Filters = @{}, 
[ValidateScript({$Method -ne \u0026#39;GET\u0026#39;})] [hashtable]$Payload = @{}, [switch]$GetWarning = $false, [ValidateSet(\u0026#39;EXIT\u0026#39;, \u0026#39;CONTINUE\u0026#39;, \u0026#39;ROLLBACK\u0026#39;)] [string]$OnErrorAction = \u0026#39;EXIT\u0026#39; ) if ([string]::IsNullOrEmpty($($Session.ManagementURL))) { throw \u0026#34;ERROR. Probably not logged into the NetScaler\u0026#34; } if ($Stat) { $uri = \u0026#34;$($Session.ManagementURL)/nitro/v1/stat/$Type\u0026#34; } else { $uri = \u0026#34;$($Session.ManagementURL)/nitro/v1/config/$Type\u0026#34; } if (-not ([string]::IsNullOrEmpty($Resource))) { $uri += \u0026#34;/$Resource\u0026#34; } if ($Method -ne \u0026#39;GET\u0026#39;) { if (-not ([string]::IsNullOrEmpty($Action))) { $uri += \u0026#34;?action=$Action\u0026#34; } if ($Arguments.Count -gt 0) { $queryPresent = $true if ($uri -like \u0026#39;*?action*\u0026#39;) { $uri += \u0026#39;\u0026amp;args=\u0026#39; } else { $uri += \u0026#39;?args=\u0026#39; } $argsList = @() foreach ($arg in $Arguments.GetEnumerator()) { $argsList += \u0026#34;$($arg.Name):$([System.Uri]::EscapeDataString($arg.Value))\u0026#34; } $uri += $argsList -join \u0026#39;,\u0026#39; } } else { $queryPresent = $false if ($Arguments.Count -gt 0) { $queryPresent = $true $uri += \u0026#39;?args=\u0026#39; $argsList = @() foreach ($arg in $Arguments.GetEnumerator()) { $argsList += \u0026#34;$($arg.Name):$([System.Uri]::EscapeDataString($arg.Value))\u0026#34; } $uri += $argsList -join \u0026#39;,\u0026#39; } if ($Filters.Count -gt 0) { $uri += if ($queryPresent) { \u0026#39;\u0026amp;filter=\u0026#39; } else { \u0026#39;?filter=\u0026#39; } $filterList = @() foreach ($filter in $Filters.GetEnumerator()) { $filterList += \u0026#34;$($filter.Name):$([System.Uri]::EscapeDataString($filter.Value))\u0026#34; } $uri += $filterList -join \u0026#39;,\u0026#39; } } Write-Verbose -Message \u0026#34;URI: $uri\u0026#34; $jsonPayload = $null if ($Method -ne \u0026#39;GET\u0026#39;) { $warning = if 
($GetWarning) { \u0026#39;YES\u0026#39; } else { \u0026#39;NO\u0026#39; } $hashtablePayload = @{} $hashtablePayload.\u0026#39;params\u0026#39; = @{\u0026#39;warning\u0026#39; = $warning; \u0026#39;onerror\u0026#39; = $OnErrorAction; \u0026lt;#\u0026#34;action\u0026#34;=$Action#\u0026gt;} $hashtablePayload.$Type = $Payload $jsonPayload = ConvertTo-Json -InputObject $hashtablePayload -Depth 100 Write-Verbose -Message \u0026#34;JSON Payload:`n$jsonPayload\u0026#34; } $response = $null $restError = $null try { $restError = @() $restParams = @{ Uri = $uri ContentType = \u0026#39;application/json\u0026#39; Method = $Method WebSession = $Session.WebSession ErrorVariable = \u0026#39;restError\u0026#39; Verbose = $false } if ($Method -ne \u0026#39;GET\u0026#39;) { $restParams.Add(\u0026#39;Body\u0026#39;, $jsonPayload) } $response = Invoke-RestMethod @restParams if ($response) { if ($response.severity -eq \u0026#39;ERROR\u0026#39;) { throw \u0026#34;Error. See response: `n$($response | Format-List -Property * | Out-String)\u0026#34; } else { Write-Verbose -Message \u0026#34;Response:`n$(ConvertTo-Json -InputObject $response | Out-String)\u0026#34; if ($Method -eq \u0026#34;GET\u0026#34;) { return $response } } } } catch [Exception] { if ($Type -eq \u0026#39;reboot\u0026#39; -and $restError[0].Message -eq \u0026#39;The underlying connection was closed: The connection was closed unexpectedly.\u0026#39;) { Write-Verbose -Message \u0026#39;Connection closed due to reboot\u0026#39; } else { throw $_ } } } function Connect-NetScaler { [cmdletbinding()] param( [parameter(Mandatory)] [string]$ManagementURL, [parameter(Mandatory)] [pscredential]$Credential = (Get-Credential -Message \u0026#39;NetScaler credential\u0026#39;), [int]$Timeout = 3600, [switch]$PassThru ) Write-Verbose -Message \u0026#34;Connecting to $ManagementURL...\u0026#34; try { $login = @{ login = @{ username = $Credential.UserName; password = $Credential.GetNetworkCredential().Password timeout = $Timeout } } 
$loginJson = ConvertTo-Json -InputObject $login Write-Verbose \u0026#34;JSON Data:`n$($loginJson | Out-String)\u0026#34; $saveSession = @{} $params = @{ Uri = \u0026#34;$ManagementURL/nitro/v1/config/login\u0026#34; Method = \u0026#39;POST\u0026#39; Body = $loginJson SessionVariable = \u0026#39;saveSession\u0026#39; ContentType = \u0026#39;application/json\u0026#39; ErrorVariable = \u0026#39;restError\u0026#39; Verbose = $false } $response = Invoke-RestMethod @params if ($response.severity -eq \u0026#39;ERROR\u0026#39;) { throw \u0026#34;Error. See response: `n$($response | Format-List -Property * | Out-String)\u0026#34; } else { Write-Verbose -Message \u0026#34;Response:`n$(ConvertTo-Json -InputObject $response | Out-String)\u0026#34; } } catch [Exception] { throw $_ } $session = [PSObject]@{ ManagementURL=[string]$ManagementURL; WebSession=[Microsoft.PowerShell.Commands.WebRequestSession]$saveSession; } $Script:NSSession = $session if($PassThru){ return $session } } #endregion Functions #region Script variables [string]$ScriptDateTime = (Get-Date).ToString(\u0026#34;yyyyMMddHHmm\u0026#34;) [string]$WinSCPSite = \u0026#34;https://winscp.net/eng/download.php\u0026#34; [string]$WinSCPErrorSite = \u0026#34;https://winscp.net/eng/docs/message_net_operation_not_supported\u0026#34; [string]$WinSCPAssemblyx86 = \u0026#34;C:\\Program Files\\WinSCP\\WinSCPnet.dll\u0026#34; [string]$WinSCPAssemblyx64 = \u0026#34;C:\\Program Files (x86)\\WinSCP\\WinSCPnet.dll\u0026#34; [string]$WinSCPAssemblyScript = Join-Path $(Split-Path $MyInvocation.MyCommand.Path -Parent) \u0026#34;WinSCPnet.dll\u0026#34; [ipaddress]$NSHostIP = [System.Net.Dns]::GetHostAddresses($NSManagementURL.replace(\u0026#34;https://\u0026#34;,\u0026#34;\u0026#34;).replace(\u0026#34;http://\u0026#34;,\u0026#34;\u0026#34;).replace(\u0026#34;/\u0026#34;,\u0026#34;\u0026#34;)) | select-object IPAddressToString -expandproperty IPAddressToString [string]$BackupFilename = 
\u0026#34;ns-backup-$($NSHostIP)-$($ScriptDateTime)\u0026#34; [string]$BackupTargetLocation = $BackupTargetLocation.Trim(\u0026#34;\\\u0026#34;) #endregion Script variables #region Target Directory if ( -Not (Test-Path $BackupTargetLocation)) { New-Item -Path $BackupTargetLocation -ItemType Directory -Force | out-null } #endregion Target Directory #region NSCredential if (-not([string]::IsNullOrWhiteSpace($NSCredential))) { Write-Verbose \u0026#34;Using NSCredential\u0026#34; } elseif ((-not([string]::IsNullOrWhiteSpace($NSUserName))) -and (-not([string]::IsNullOrWhiteSpace($NSPassword)))){ Write-Verbose \u0026#34;Using NSUsername / NSPassword\u0026#34; [pscredential]$NSCredential = new-object -typename System.Management.Automation.PSCredential -argumentlist $NSUserName, $(ConvertTo-SecureString -String $NSPassword -AsPlainText -Force) } else { Write-Verbose \u0026#34;No valid username/password or credential specified. Enter a username and password, e.g. `\u0026#34;nsroot`\u0026#34;\u0026#34; [pscredential]$NSCredential = Get-Credential -Message \u0026#34;NetScaler username and password:\u0026#34; } #endregion NSCredential #region Backup try { Write-Verbose \u0026#34;Login to NetScaler and save session to global variable\u0026#34; $NSSession = Connect-NetScaler -ManagementURL $NSManagementURL -Credential $NSCredential -PassThru Write-Verbose \u0026#34;Saving NetScaler configuration\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method POST -Type nsconfig -Action save $payload = @{\u0026#34;filename\u0026#34;=\u0026#34;$($BackupFilename)\u0026#34;;\u0026#34;level\u0026#34;=\u0026#34;$($NSBackupLevel)\u0026#34;;\u0026#34;comment\u0026#34;=\u0026#34;Backup created by BackupNS.ps1 PoSH Script\u0026#34;} $response = InvokeNSRestApi -Session $NSSession -Method POST -Type systembackup -Payload $payload -Action create try { Write-Verbose \u0026#34;Loading WinSCP .NET assembly\u0026#34; if (-not [string]::IsNullOrWhiteSpace($WinSCPAssembly)){ if (Test-Path 
$WinSCPAssembly) { Write-Verbose \u0026#34;`\u0026#34;$WinSCPAssembly`\u0026#34; will be used\u0026#34; } } else { if (Test-Path $WinSCPAssemblyx64) { $WinSCPAssembly = $WinSCPAssemblyx64 } elseif (Test-Path $WinSCPAssemblyx86) { $WinSCPAssembly = $WinSCPAssemblyx86 } elseif (Test-Path $WinSCPAssemblyScript) { $WinSCPAssembly = $WinSCPAssemblyScript } else { start $WinSCPSite throw \u0026#34;The .NET Assembly could not be found\u0026#34; } Write-Verbose \u0026#34;using: $WinSCPAssembly\u0026#34; } Add-Type -Path \u0026#34;$WinSCPAssembly\u0026#34; Write-Verbose \u0026#34;assembly successfully loaded\u0026#34; Write-Verbose \u0026#34;Setup WinSCP session options\u0026#34; $WinSCPSessionOptions = New-Object WinSCP.SessionOptions $WinSCPSessionOptions.Protocol = [WinSCP.Protocol]::sftp $WinSCPSessionOptions.HostName = \u0026#34;$($NSHostIP.IPAddressToString)\u0026#34; $WinSCPSessionOptions.UserName = \u0026#34;$($NSCredential.UserName)\u0026#34; $WinSCPSessionOptions.Password = \u0026#34;$($NSCredential.GetNetworkCredential().Password)\u0026#34; $WinSCPSessionOptions.GiveUpSecurityAndAcceptAnySshHostKey = $true \u0026lt;# Testing only: this accepts any SSH host key, so the SFTP session is not protected against a man-in-the-middle. For production, pin the appliance key via $WinSCPSessionOptions.SshHostKeyFingerprint instead. #\u0026gt; $WinSCPSession = New-Object WinSCP.Session Write-Verbose \u0026#34;Enable Logging\u0026#34; $WinSCPSession.SessionLogPath = \u0026#34;$($BackupTargetLocation)\\$($BackupFilename)-log.txt\u0026#34; try { Write-Verbose \u0026#34;Connecting\u0026#34; $WinSCPSession.Open($WinSCPSessionOptions) Write-Verbose \u0026#34;Try to download the backup file\u0026#34; $WinSCPTransferOptions = New-Object WinSCP.TransferOptions $WinSCPTransferOptions.TransferMode = [WinSCP.TransferMode]::Binary $WinSCPTransferResult = $WinSCPSession.GetFiles(\u0026#34;/var/ns_sys_backup/$($BackupFilename).tgz\u0026#34;, \u0026#34;$($BackupTargetLocation)\\$($BackupFilename).tgz\u0026#34;, $False, $WinSCPTransferOptions) Write-Verbose \u0026#34;Throw on any error\u0026#34; $WinSCPTransferResult.Check() Write-Verbose \u0026#34;Print results\u0026#34; foreach ($transfer in 
$WinSCPTransferResult.Transfers) { Write-Host (\u0026#34;Download of {0} succeeded\u0026#34; -f $transfer.FileName) } } finally { Write-Verbose \u0026#34;Disconnect, clean up\u0026#34; $WinSCPSession.Dispose() } } catch [System.IO.IOException]{ Start $WinSCPErrorSite Write-Error \u0026#34;DLL was probably downloaded with Internet Explorer, unblock before extracting\u0026#34; throw $($_.Exception.Message) } catch { throw $($_.Exception.Message) } } catch { throw $($_.Exception.Message) } finally { Write-Verbose \u0026#34;Removing Backup file from NetScaler\u0026#34; $response = InvokeNSRestApi -Session $NSSession -Method DELETE -Type systembackup -Resource \u0026#34;$($BackupFilename).tgz\u0026#34; } #endregion Backup Batchfile (BackupNS.cmd):\n@ECHO OFF setlocal EnableDelayedExpansion REM --\u0026gt; Check for permissions \u0026gt;nul 2\u0026gt;\u0026amp;1 \u0026#34;%SYSTEMROOT%\\system32\\cacls.exe\u0026#34; \u0026#34;%SYSTEMROOT%\\system32\\config\\system\u0026#34; REM --\u0026gt; If error flag set, we do not have admin. if \u0026#39;%errorlevel%\u0026#39; NEQ \u0026#39;0\u0026#39; ( echo Requesting administrative privileges... 
goto UACPrompt ) else ( goto gotAdmin ) :UACPrompt echo Set UAC = CreateObject^(\u0026#34;Shell.Application\u0026#34;^) \u0026gt; \u0026#34;%temp%\\getadmin.vbs\u0026#34; set params = %*:\u0026#34;=\u0026#34;\u0026#34; echo UAC.ShellExecute \u0026#34;cmd.exe\u0026#34;, \u0026#34;/c %~s0 %params%\u0026#34;, \u0026#34;\u0026#34;, \u0026#34;runas\u0026#34;, 1 \u0026gt;\u0026gt; \u0026#34;%temp%\\getadmin.vbs\u0026#34; \u0026#34;%temp%\\getadmin.vbs\u0026#34; del \u0026#34;%temp%\\getadmin.vbs\u0026#34; exit /B :gotAdmin pushd \u0026#34;%CD%\u0026#34; CD /D \u0026#34;%~dp0\u0026#34; goto StartScript rem ===== Help Example ===== SET OPTIONS=-NSManagementURL \u0026#34;http://nsvpx01.domain.local\u0026#34; SET OPTIONS=%OPTIONS% -NSPassword \u0026#34;P@ssw0rd\u0026#34; SET OPTIONS=%OPTIONS% -NSUsername \u0026#34;nsroot\u0026#34; SET OPTIONS=%OPTIONS% -BackupTargetLocation \u0026#34;C:\\Backup\u0026#34; SET OPTIONS=%OPTIONS% -Verbose NOTE: Use the \u0026#34;-Verbose\u0026#34; parameter to get diagnostic output rem ===== End Help Example ===== :StartScript SET OPTIONS=-NSManagementURL \u0026#34;http://nsvpx01.domain.local\u0026#34; SET OPTIONS=%OPTIONS% -NSPassword \u0026#34;P@ssw0rd\u0026#34; SET OPTIONS=%OPTIONS% -NSUsername \u0026#34;nsroot\u0026#34; SET OPTIONS=%OPTIONS% -BackupTargetLocation \u0026#34;C:\\Backup\u0026#34; SET OPTIONS=%OPTIONS% -Verbose %SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File \u0026#34;%~dp0BackupNS.ps1\u0026#34; %OPTIONS% Edit (08-04-2017, 0.2) Added extra info for when the dll was downloaded with IE, and returned an error. Edit (29-01-2019, 0.3) Added rights for a possible backup user and changed some typos, thank you Chris for pointing that out to me. Hope this can help you. 
If you have questions, please let me know.\n","date":"April 6, 2017","externalUrl":null,"permalink":"/posts/create-offline-backups-of-the-netscaler-config/","section":"Blog","summary":"I’ve created a PowerShell script that can be used to generate an (offline) backup of a Citrix NetScaler. If you want you can use the supplied batchfile for example to schedule the backup in Scheduled Tasks to run every day. Some more information about the parameters used:\n","title":"Create offline backups of the NetScaler config","type":"posts"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/default-printer/","section":"Tags","summary":"","title":"Default Printer","type":"tags"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/exact/","section":"Tags","summary":"","title":"Exact","type":"tags"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/labelprinter/","section":"Tags","summary":"","title":"Labelprinter","type":"tags"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/labels/","section":"Tags","summary":"","title":"Labels","type":"tags"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/printer/","section":"Tags","summary":"","title":"Printer","type":"tags"},{"content":"Yesterday I was at a customer\u0026rsquo;s location and they had an issue with their printers on the XenDesktop VDI environment. Some users are using Exact to print all kinds of labels, in this case a Zebra label printer. And while they were printing labels, the label printer was set automagically as default. They started noticing this because when they wanted to print other (A4) reports, the layout was wrong and some information fell off the report. They could change the default printer back to the MFP, but when they printed labels again, you\u0026rsquo;ll get it right? 
I recently helped them move from Windows 10 LTSB 2015 (1507) to Windows 10 LTSB 2016 (1607) and they started noticing this issue after the switch to the new Windows version. So what could it be? Turned out to be a setting in Windows\u0026hellip; After changing this, the issue was gone. You can change it in \u0026ldquo;Settings\u0026rdquo;, \u0026ldquo;Devices\u0026rdquo;, \u0026ldquo;Printers \u0026amp; Scanners\u0026rdquo; and change the setting \u0026ldquo;Let Windows manage my Default printer\u0026rdquo; to off. Or you can set the following registry key:\n[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows] \u0026#34;LegacyDefaultPrinterMode\u0026#34;=dword:00000001 Edit (03-04-2017, Additional notes from the new RES Workspace v10 version)\nNote With the release of Windows 10 version 1511, Microsoft made a change to the way Windows 10 handles the default printer: the printer that was last used by the user becomes the new default printer. If the Printers feature is enabled (at Composition \u0026gt; Actions By Type \u0026gt; Printers, on the Settings tab), RES ONE Workspace now reverts handling of the default printer to the method Windows 10 used before version 1511, using the Microsoft Windows registry value LegacyDefaultPrinterMode. This registry value impacts not only managed default printers, but also user selected default printers.\nHope it can somehow help you too.\n","date":"March 18, 2017","externalUrl":null,"permalink":"/posts/spontaneously-changing-default-printer/","section":"Blog","summary":"Yesterday I was at a customer’s location and they had an issue with their printers on the XenDesktop VDI environment. Some users are using Exact to print all kinds of labels, in this case a Zebra label printer. And while they were printing labels, the label printer was set automagically as default. They started noticing this because when they wanted to print other (A4) reports, the layout was wrong and some information fell off the report. 
They could change the default printer back to the MFP, but when they printed labels again, you’ll get it right? I recently helped them move from Windows 10 LTSB 2015 (1507) to Windows 10 LTSB 2016 (1607) and they started noticing this issue after the switch to the new Windows version. So what could it be? Turned out to be a setting in Windows… After changing this, the issue was gone. You can change it in “Settings”, “Devices”, “Printers \u0026 Scanners” and change the setting “Let Windows manage my Default printer” to off. Or you can set the following registry key:\n","title":"Spontaneously changing default printer","type":"posts"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/windows-10/","section":"Tags","summary":"","title":"Windows 10","type":"tags"},{"content":"","date":"March 18, 2017","externalUrl":null,"permalink":"/tags/zebra/","section":"Tags","summary":"","title":"Zebra","type":"tags"},{"content":"Recently I upgraded a couple of MPX NetScalers to a recent 11.1 build at a customer\u0026rsquo;s location. During the following day the customer experienced a lot of disconnecting Citrix sessions. I did not experience this issue on a VPX appliance. Turned out to be an issue with the \u0026ldquo;TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\u0026rdquo; cipher. And because I want to strive for an A+ rating at ssllabs (Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update) this one is in the list. After removing this cipher from the cipher group the customer didn\u0026rsquo;t experience any disconnects. So I thought to share this one as you may experience it for yourself. Please also note this Citrix article: https://support.citrix.com/article/CTX220994\n","date":"March 3, 2017","externalUrl":null,"permalink":"/posts/disconnect-issues-on-netscaler-mpx/","section":"Blog","summary":"Recently I upgraded a couple of MPX NetScalers to a recent 11.1 build at a customer’s location. 
During the following day the customer experienced a lot of disconnecting Citrix sessions. I did not experience this issue on a VPX appliance. Turned out to be an issue with the “TLS1.2-ECDHE-RSA-AES256-GCM-SHA384” cipher. And because I want to strive for an A+ rating at ssllabs (Scoring an A+ at SSLlabs.com with Citrix NetScaler – 2016 update) this one is in the list. After removing this cipher from the cipher group the customer didn’t experience any disconnects. So I thought to share this one as you may experience it for yourself. Please also note this Citrix article: https://support.citrix.com/article/CTX220994\n","title":"Disconnect issues on NetScaler MPX","type":"posts"},{"content":"While testing with the latest Windows 10 LTSB 2016 version I found out that 9 of 10 logins failed, it was stuck on the message \u0026ldquo;Welcome other user\u0026rdquo;\u0026hellip; I used the same deployment steps as with LTSB 2015 and it was not working, what was wrong? After reading the Citrix forum I found out that more users were experiencing this issue. After some testing I found out that my issue was caused by a disabled Service named \u0026ldquo;Device Association Service\u0026rdquo;. This is one of the optimizations in the \u0026ldquo;Technical Note – Optimize Windows 10\u0026rdquo; guide from Citrix. Don\u0026rsquo;t disable this service but leave it on Automatic. Since I found this out I haven\u0026rsquo;t seen this issue again.\n","date":"January 27, 2017","externalUrl":null,"permalink":"/posts/windows-10-ltsb-2016-build-1607-stuck-at-other-user-while-logging-in/","section":"Blog","summary":"While testing with the latest Windows 10 LTSB 2016 version I found out that 9 of 10 logins failed, it was stuck on the message “Welcome other user”… I used the same deployment steps as with LTSB 2015 and it was not working, what was wrong? After reading the Citrix forum I found out that more users were experiencing this issue. 
After some testing I found out that my issue was caused by a disabled Service named “Device Association Service”. This is one of the optimizations in the “Technical Note – Optimize Windows 10” guide from Citrix. Don’t disable this service but leave it on Automatic. Since I found this out I haven’t seen this issue again.\n","title":"Windows 10 LTSB 2016 (Build 1607) stuck at Other User while logging in","type":"posts"},{"content":"It\u0026rsquo;s possible to convert your Server 2016 evaluation version to a production version using one of the following commands depending on your version: Standard:\nDISM /online /Set-Edition:Serverstandard /ProductKey:WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY /AcceptEula /Norestart Datacenter:\nDISM /online /Set-Edition:ServerDatacenter /ProductKey:CB7KF-BWN84-R7R2Y-793K2-8XDDG /AcceptEula /Norestart Source: KMS Client Keys Make sure you\u0026rsquo;ve installed all Windows updates first before continuing. Keep in mind that it can take a while to complete. In my case it was stuck at 10% for a long time. Just let it complete and reboot afterwards.\n","date":"January 27, 2017","externalUrl":null,"permalink":"/posts/convert-server-2016-evaluation-version-to-production-version/","section":"Blog","summary":"It’s possible to convert your Server 2016 evaluation version to a production version using one of the following commands depending on your version: Standard:\nDISM /online /Set-Edition:Serverstandard /ProductKey:WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY /AcceptEula /Norestart Datacenter:\n","title":"Convert Server 2016 Evaluation version to Production version","type":"posts"},{"content":"For questions or remarks, use the form below. I\u0026rsquo;ll try to respond as soon as possible.\nFor CtxToolbox feedback, please use the CtxToolbox Feedback page.\n","date":"August 11, 2016","externalUrl":null,"permalink":"/contact/","section":"John Billekens | Notes from the field","summary":"For questions or remarks, use the form below. 
I’ll try to respond as soon as possible.\nFor CtxToolbox feedback, please use the CtxToolbox Feedback page.\n","title":"Contact","type":"page"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/categories/one-workspace/","section":"Categories","summary":"","title":"ONE Workspace","type":"categories"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/categories/res/","section":"Categories","summary":"","title":"RES","type":"categories"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/tags/res/","section":"Tags","summary":"","title":"RES","type":"tags"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/tags/res-one-workspace/","section":"Tags","summary":"","title":"RES ONE Workspace","type":"tags"},{"content":"For a while now, Windows 10 has been supported with RES ONE Workspace 2015 and up. More and more companies are switching from their old versions (Yes, some of them are still using Windows XP) to Windows 10. I\u0026rsquo;ve done a couple of implementations now and thought to share some of the knowledge I found during these implementations.\nPinning tiles to the Start Menu # There are several ways to accomplish this.\nUse an initial Start Menu layout. Use RES ONE Workspace to pin items to the Start Menu. GPO. The first two options can coexist with each other and will be explained in detail within this post. The last one I would not recommend when using RES ONE Workspace and will not be discussed within this post.\nInitial Start Menu Layout # You can use an initial Start Menu layout to start with and let the users decide what to keep and what to add. This layout will be applied when the user first logs on. (When the user has no preexisting tile-file) When using multiple versions (RTM / 1511 / 1607) use the lowest version to create the initial start layout file! 
Using a file created on a newer version and then applying it to a lower version is just not supported. Start with logging on to a Windows 10 machine (can be a normal user account) and customize the layout as you like; when finished, simply log off to save everything to your profile. Next go to your profile directory. E.g. \u0026ldquo;%HOMESHARE%\\Personal Settings\u0026rdquo; and copy the layout file \u0026ldquo;res10tiles.xml\u0026rdquo; to a temporary directory. Rename the file to \u0026ldquo;DefaultTileLayout_Windows10.xml\u0026rdquo; and add the file to the root of Custom Resources. (Administration / Custom Resources) You can test the new file simply by removing the \u0026ldquo;res10tiles.xml\u0026rdquo; file from your profile. When no tile-file is found the initial layout file (when available) will be set. If all went well you have a custom Start Menu. NOTE: In some cases it can happen that you end up with an empty Start Menu even though you had pinned items or have set an initial tile file. Please read my previous post for more info about this topic. The case of the empty Start Menu (Windows 10).\nPin items to the Start Menu with RES ONE Workspace # Every application (shortcut) added to RES ONE Workspace can technically be pinned on the Start Menu. You have 3 options for pinning items.\nTake no action: No tile will be created on the Start Menu. Set voluntary tile: This option will create a tile on the Start Menu only once. The user can remove the tile and also add it again. The tile will be displayed at the end of the Start screen unless a Group name is specified. Set mandatory tile: This option will recreate the tile on the Start screen each time the user starts a new session. The tile will be displayed at the end of the Start screen unless a Group name is specified. If you later change this setting to Take no action, the tile will be removed from the Start screen. 
The size can also be set, you have two sizes to choose from.\nMedium: the tile is displayed as a medium sized square on the Start screen. Small: the tile is displayed as a small sized square on the Start screen. Next you can set a Group Name. This name will be shown above the application(s) in the Start Menu. It\u0026rsquo;s an option to group applications together. If the group does not exist, it will be created. If no group is specified, the tile will be added to the end of the Start screen. No sub folders available in the Start Menu # Take for example Windows XP, if you open the start menu you can have a structure like:\nPrograms Accessories Administrative Tools System Office Office Tools This isn\u0026rsquo;t possible anymore with Windows 10. This isn\u0026rsquo;t something RES can fix or change. This is by design with Windows 10. You can have only one sub folder; any other sub folder (configured in RES ONE Workspace) will be merged into the first sub folder in the Start Menu. To show you, I configured some sub folders in RES ONE Workspace. And as you can see it\u0026rsquo;s all merged now in the Start Menu in the first (Microsoft Office 2016) sub folder. Internet shortcuts not visible in the Start Menu # When you want to add shortcuts to the start menu you can add a shortcut to Internet Explorer and add the site as parameter. But as you soon find out, no shortcuts (or only one if you haven\u0026rsquo;t added Internet Explorer itself to the Start Menu) will be visible in the Start Menu. And when you investigate this issue you will find out the shortcuts are created in the \u0026ldquo;%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\u0026rdquo; directory. To make them visible in the Start Menu you need to add a registry value. It must be set before logging in and before the service was started. 
It was a known solution for Windows 8(.1) but still valid for Windows 10.\nx86: HKLM\\Software\\RES\\Workspace Manager\\EnableMultipleIE (REG_SZ) = Yes x64: HKLM\\Software\\Wow6432Node\\RES\\Workspace Manager\\EnableMultipleIE(REG_SZ) = Yes Overlapping desktop icons # This also is a known issue for Windows 8(.1): in some cases it can happen that the desktop shortcuts are placed on top of each other. This is not something you want. To change this behavior a registry value must be specified. It must be set before logging in and before the service was started.\nx86: HKLM\\Software\\RES\\Workspace Manager\\DoNotAllowOverlappedDesktopItems (REG_SZ) = Yes x64: HKLM\\Software\\Wow6432Node\\RES\\Workspace Manager\\DoNotAllowOverlappedDesktopItems(REG_SZ) = Yes Empty power menu in the Start Menu # You might notice when you click on the power option in the Start Menu an empty menu and ask yourself, shouldn\u0026rsquo;t there be an option to log off? You can change it by disabling the option \u0026ldquo;Disable Shutdown for all users on all computers\u0026rdquo; in the RES ONE Workspace console or, when configured, set the GPO \u0026ldquo;Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands\u0026rdquo; to Disabled or Not Configured. These two are the same and thus leave you with an empty menu. When the two options aren\u0026rsquo;t configured you\u0026rsquo;ll get a filled power menu. I think that Microsoft should build in the option, when the menu is empty, to remove it from the start menu\u0026hellip; When using VDI showing Shut down and/or Restart is not preferred. E.g. when using XenDesktop MCS the machine must be turned off to be cleaned up; when it reboots the machine isn\u0026rsquo;t reverted to its original state. Normally when using remote desktop to connect to a machine, you\u0026rsquo;ll find Disconnect in this menu. So why isn\u0026rsquo;t it showing in the power menu? 
I think it\u0026rsquo;s because of the combination of Windows 10 with Citrix XenDesktop, it looks like you have the console session not a remote session. When I have more I will add it to this post\u0026hellip; RES Website RES ONE Workspace Administration Guide\n","date":"August 7, 2016","externalUrl":null,"permalink":"/posts/res-one-workspace-on-windows-10-lessons-learned/","section":"Blog","summary":"For a while now Windows 10 is supported with RES ONE Workspace 2015 and up. More and more companies are switching from their old versions (Yes, some of them are still using Windows XP) to Windows 10. I’ve done a couple of implementation now and thought to share some of the knowledge I found during these implementations.\n","title":"RES ONE Workspace on Windows 10 lessons learned","type":"posts"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/tags/start-menu/","section":"Tags","summary":"","title":"Start Menu","type":"tags"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/tags/tile/","section":"Tags","summary":"","title":"Tile","type":"tags"},{"content":"","date":"August 7, 2016","externalUrl":null,"permalink":"/categories/xendesktop/","section":"Categories","summary":"","title":"XenDesktop","type":"categories"},{"content":"","date":"August 6, 2016","externalUrl":null,"permalink":"/tags/7.9/","section":"Tags","summary":"","title":"7.9","type":"tags"},{"content":"During a project I\u0026rsquo;m currently working on, with Windows 10, Citrix Xendesktop 7.9, XenServer 7.0 and RES ONE Workspace 2015 SR2 I stumbled upon a issue with RES ONE Workspace and the pinning of items in the Start Menu. I noticed that sometimes my Start Menu was empty, while I had items pinned when I logged off!? After some investigation with an engineer from RES Software, we managed to reproduce the issue in a closed test environment. At this point RES can try to fix the issue and at the time of writing no known solution is available. 
We still need to verify but as far as we know the issue is also still in the new version RES ONE Workspace 2016. We still needed a filled Start Menu for the time being, because currently there is no known date for the possible fix\u0026hellip; So I created a PoSh script that will fill the Start Menu. (for the 2nd time, after the RES composer is finished) Yes, I know it is not a very pretty solution, but it gets the job done and it\u0026rsquo;s a temporary fix. So here is the script I\u0026rsquo;ve made. (Building block is also available at the end for download)\n\u0026lt;# .SYNOPSIS Restore pinned items in Windows 10 Start Menu. .DESCRIPTION This script was built to (temporarily) fix an issue with RES Workspace and pinning items in the Start menu of Windows 10. On some occasions (Non-Persistent environments) it could happen that the Start Menu was empty after login while the xml file contained items. Currently this issue is being examined by RES and while they try to fix this issue this script can fill the Start Menu for you, so the users have a filled Start Menu. 
.NOTES File Name : PinStartItems.ps1 Author : John Billekens - blog.j81.nl Requires : Windows 10 .LINK http://blog.j81.nl .EXAMPLE .\\PinStartItems.ps1 .EXAMPLE powershell.exe -ExecutionPolicy Bypass .\\PinStartItems.ps1 #\u0026gt; [CmdletBinding()] param () function Query-ShellExperienceHost { [cmdletbinding()] param ( [string]$Username ) # Get ShellExperienceHost process info for the user specified $process = Get-Process -IncludeUserName -ErrorAction SilentlyContinue | Where-Object { ($_.Username -eq $UserName) -AND ($_.ProcessName -like \u0026#34;ShellExperienceHost\u0026#34;)} if (-not ([string]::IsNullOrEmpty($Process.Id))) { # Get thread info and get active threads $query = \u0026#34;SELECT ThreadState,ThreadWaitReason,ProcessHandle FROM Win32_Thread WHERE ProcessHandle = $($process.Id)\u0026#34; $oThread = Get-CimInstance -Query $query $out = New-Object psobject -Property @{ SessionID = $process.SessionId ProcessID = $process.Id ActiveThreads = ($oThread | Where-Object { (-not ($_.ThreadState -eq 5)) -OR (-not ($_.ThreadWaitReason -eq 5)) }).Count } } return $out } # Create eventlog item \u0026#34;PinStartItems\u0026#34; New-EventLog -LogName Application -Source PinStartItems -ErrorAction SilentlyContinue # Get current user $sUserName = \u0026amp; $env:Systemroot\\System32\\whoami.exe try { # Get ShellExperienceHost process data $iBreak=0 while ($iBreak -ne 10){ # Sometimes it can happen the proces isn\u0026#39;t available yet, it will wait until ready (max 30sec) $oOutput = Query-ShellExperienceHost -UserName $sUserName if (-not ([string]::IsNullOrEmpty($oOutput.SessionId))) { Start-Sleep -m 500 Break } else { $iBreak++ Start-Sleep -s 3 } } if ($iBreak -ge 10) { Throw \u0026#34;ShellExperienceHost wasn\u0026#39;t running on time\u0026#34; } # Specify the exported file (when not using RES Workspace, copy the exported start layout file in xml format locally first) 
$tilefile=\u0026#34;$($env:LOCALAPPDATA)\\RES\\WM\\$($oOutput.SessionId)\\WMTileFile.xml\u0026#34; if (test-path $tilefile) { # Set policy to import the start layout $sRegPath = \u0026#34;HKCU:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\u0026#34; if (-not (Test-Path -Path $sRegPath)) { New-Item -Path $sRegPath -Force | Out-Null } New-ItemProperty -Path $sRegPath -Name LockedStartLayout -Value 1 -PropertyType DWORD -Force | out-null New-ItemProperty -Path $sRegPath -Name StartLayoutFile -Value $tilefile -PropertyType String -Force | out-null # Kill the process so the layout can be applied Stop-Process -Id $oOutput.ProcessID $iBreak=0 while ($iBreak -ne 10){ # Sometimes it can happen the proces isn\u0026#39;t available yet, it will wait until ready (max 30sec) $oOutput = Query-ShellExperienceHost -UserName $sUserName if (($oOutput.ActiveThreads -eq 0) -and (-not ([string]::IsNullOrEmpty($oOutput.ProcessID)))) { Start-Sleep -m 500 Break } else { $iBreak++ Start-Sleep -s 3 } } if ($iBreak -ge 10) { Throw \u0026#34;ShellExperienceHost wasn\u0026#39;t ready in time\u0026#34; } else { # Remove the policy items to make it possible to pin new items Remove-ItemProperty -Path $sRegPath -Name LockedStartLayout -Force | out-null Remove-ItemProperty -Path $sRegPath -Name StartLayoutFile -Force | out-null Stop-Process -Id $oOutput.ProcessID } Write-EventLog -LogName \u0026#34;Application\u0026#34; -Source \u0026#34;PinStartItems\u0026#34; -EventID 1 -EntryType Information -Message \u0026#34;`\u0026#34;$sUserName`\u0026#34; ($($oOutput.SessionId)): Restoring pinned items to the Start Menu was successfull\u0026#34; -Category 0 } else { # The xml file was not found at the given location Write-EventLog -LogName \u0026#34;Application\u0026#34; -Source \u0026#34;PinStartItems\u0026#34; -EventID 2 -EntryType Warning -Message \u0026#34;`\u0026#34;$sUserName`\u0026#34; ($($oOutput.SessionId)): File `\u0026#34;$tilefile`\u0026#34; was not found.\u0026#34; -Category 0 } } catch { # 
An error occurred, log it to the event log $errmessage = \u0026#34;`\u0026#34;$sUserName`\u0026#34; ($($oOutput.SessionId)): Restoring pinned items (`\u0026#34;$tilefile`\u0026#34;) to the Start Menu failed.`r`n`r`nError:`r`n$(($_.Exception.Message) -join [Environment]::NewLine)\u0026#34; Write-EventLog -LogName \u0026#34;Application\u0026#34; -Source \u0026#34;PinStartItems\u0026#34; -EventID 5 -EntryType Error -Message $errmessage -Category 0 } I added this script to the Custom Resources in RES ONE Workspace (Administration / Custom Resources) in the directory Scripts. Create a new shortcut under Composition / Applications. It doesn\u0026rsquo;t matter where, as we don\u0026rsquo;t create a visible shortcut in the user\u0026rsquo;s Start Menu. Add the command-line parameters for PowerShell.\n%systemroot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass %rescustomresources%\\Scripts\\PinStartItems.ps1 Disable the creation of any shortcut in the user\u0026rsquo;s environment. Make sure that the application is run automatically and minimized. Run it for all users or change accordingly. Authorize the file when needed. And don\u0026rsquo;t forget to add dynamic privileges. At every login an entry will be made in the Application Event log so you can see if it ran ok (or if an error occurred). So that\u0026rsquo;s it. Hope I can make somebody happy with this post. Download RES ONE Workspace BuildingBlock EDIT: 18-08-2016 Script updated, added some extra checks.\n","date":"August 6, 2016","externalUrl":null,"permalink":"/posts/the-case-of-the-empty-start-menu-windows-10/","section":"Blog","summary":"During a project I’m currently working on, with Windows 10, Citrix Xendesktop 7.9, XenServer 7.0 and RES ONE Workspace 2015 SR2 I stumbled upon an issue with RES ONE Workspace and the pinning of items in the Start Menu. I noticed that sometimes my Start Menu was empty, while I had items pinned when I logged off!? 
After some investigation with an engineer from RES Software, we managed to reproduce the issue in a closed test environment. At this point RES can try to fix the issue and at the time of writing no known solution is available. We still need to verify but as far as we know the issue is also still in the new version RES ONE Workspace 2016. We still needed a filled Start Menu for the time being, because currently there is no known date for the possible fix… So I created a PoSh script that will fill the Start Menu. (for the 2nd time, after the RES composer is finished) Yes I know not very pretty solution but it gets the job done and it’s a temporary fix. So here is the script I’ve made. (Building block is also available at the end for download)\n","title":"The case of the empty Start Menu (Windows 10)","type":"posts"},{"content":"","date":"August 6, 2016","externalUrl":null,"permalink":"/tags/workspace/","section":"Tags","summary":"","title":"Workspace","type":"tags"},{"content":"","date":"August 6, 2016","externalUrl":null,"permalink":"/tags/xendesktop/","section":"Tags","summary":"","title":"XenDesktop","type":"tags"},{"content":"Edit 07-04-2017: Check out my new and updated version! I\u0026rsquo;m trying to create an (PowerShell) script to automate the Let\u0026rsquo;s Encrypt certificate creation. Specifically for the Citrix NetScaler. Currently still Work In Progress\u0026hellip; It\u0026rsquo;s not yet finished. The prerequisite is that you have a configured NetScaler (http) Content Switch vServer. 
The script will present you with the required configuration rules (it will also be copied to your clipboard so you only have to copy it in the cli of the NetScaler) For the meantime you can find it on GitHub: GenCertForNS on GitHub More soon (I hope)\u0026hellip;\n","date":"July 3, 2016","externalUrl":null,"permalink":"/posts/generate-an-lets-encrypt-certificate-what-can-be-used-on-the-netscaler/","section":"Blog","summary":"Edit 07-04-2017: Check out my new and updated version! I’m trying to create an (PowerShell) script to automate the Let’s Encrypt certificate creation. Specifically for the Citrix NetScaler. Currently still Work In Progress… It’s not yet finished. The prerequisite is that you have a configured NetScaler (http) Content Switch vServer. The script will present you with the required configuration rules (it will also be copied to your clipboard so you only have to copy it in the cli of the NetScaler) For the meantime you can find it on GitHub: GenCertForNS on GitHub More soon (I hope)…\n","title":"Generate an Let's Encrypt certificate what can be used on the NetScaler","type":"posts"},{"content":"","date":"May 22, 2016","externalUrl":null,"permalink":"/categories/optimization/","section":"Categories","summary":"","title":"Optimization","type":"categories"},{"content":"With the following PowerShell script you can remove AppX Apps in Windows 8(.1) and 10. Note: The apps will be removed for the Current and New users only!\n\u0026lt;# To skip a AppX app while removing change \u0026#34;Remove\u0026#34; to \u0026#34;NoChange\u0026#34;, the app will not be removed. 
#\u0026gt; $arrAppxApps = @() $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*3DBuilder*\u0026#39;) # Uninstall 3D Builder $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*Appconnector*\u0026#39;) # Uninstall $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*bingfinance*\u0026#39;) # Uninstall Money $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*BingFoodAndDrink*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*BingHealthAndFitness*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*BingMaps*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*bingnews*\u0026#39;) # Uninstall News $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*bingsports*\u0026#39;) # Uninstall Sports $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*BingTravel*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*bingweather*\u0026#39;) # Uninstall Weather $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*Camera*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*OneDrive*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*getstarted*\u0026#39;) # Uninstall Get Started $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*HelpAndTips*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*officehub*\u0026#39;) # Uninstall Get Office $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*solitairecollection*\u0026#39;) # Uninstall 
Microsoft Solitaire Collection $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*Media.PlayReadyClient.2*\u0026#39;) # 2x $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*Media.PlayReadyClient.2*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*onenote*\u0026#39;) # Uninstall OneNote $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*people*\u0026#39;) # Uninstall People $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*skypeapp*\u0026#39;) # Uninstall Get Skype $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*photos*\u0026#39;) # Uninstall Photos $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*Reader*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*windowsalarms*\u0026#39;) # Uninstall Alarms and Clock $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*windowscalculator*\u0026#39;) # Uninstall Calculator $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*windowscamera*\u0026#39;) # Uninstall Camera $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*windowscommunicationsapps*\u0026#39;) # Uninstall Calendar and Mail $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*windowsmaps*\u0026#39;) # Uninstall Maps $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*windowsphone*\u0026#39;) # Uninstall Phone Companion $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*WindowsReadingList*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*soundrecorder*\u0026#39;) # 
Uninstall Voice Recorder $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*WindowsScan*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*windowsstore*\u0026#39;) # Uninstall Store $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.4|10.0\u0026#39;,\u0026#39;*xboxapp*\u0026#39;) # Uninstall Xbox $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3\u0026#39;,\u0026#39;*XboxLIVEGames*\u0026#39;) # $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*zunemusic*\u0026#39;) # Uninstall Groove Music $arrAppxApps += ,@(\u0026#39;Remove\u0026#39;,\u0026#39;6.2|6.3|6.4|10.0\u0026#39;,\u0026#39;*zunevideo*\u0026#39;) # Uninstall Movies \u0026amp; TV Write-Host -ForegroundColor White \u0026#34;Removing Appx Apps\u0026#34; Write-Verbose \u0026#39;\u0026#39; foreach ($AppxApp in $arrAppxApps) { Write-Host -NoNewline -ForegroundColor Gray \u0026#34; -\u0026#34; $AppxApp[2] Switch ($AppxApp[0]) { \u0026#34;NoChange\u0026#34; { Write-Host -ForegroundColor Yellow \u0026#34; (skipped) No changes made\u0026#34; } \u0026#34;Remove\u0026#34; { if ($AppxApp[1] -Match ($varWinVer)) { Try { Get-AppxPackage | Where-Object {$_.PackageFullName -like $AppxApp[2]} | Remove-AppxPackage -ErrorAction SilentlyContinue | Out-Null Get-AppxPackage -allusers | Where-Object {$_.PackageFullName -like $AppxApp[2]} | Remove-AppxPackage -ErrorAction SilentlyContinue | Out-Null Get-AppxProvisionedPackage -Online | Where-Object {$_.packagename -like $AppxApp[2]} | Remove-ProvisionedAppxPackage -Online -ErrorAction SilentlyContinue | Out-Null } Catch { Write-Host -ForegroundColor Red (\u0026#34; (error)\u0026#34;) $FailedItem = $_.Exception.ItemName Write-Verbose (\u0026#39;Caught an error\u0026#39;) Write-Verbose (\u0026#39;ErrorMessage: \u0026#39; + $ErrorMessage) Write-Verbose (\u0026#39;FailedItem: \u0026#39; + $FailedItem) continue } Finally { Write-Host 
-ForegroundColor Green (\u0026#34; (done)\u0026#34;) } } Else { Write-Host -ForegroundColor Yellow \u0026#34; (skipped) not applicable to this OS\u0026#34; } } } } ","date":"May 22, 2016","externalUrl":null,"permalink":"/posts/remove-appx-modern-apps/","section":"Blog","summary":"With the following PowerShell script you can remove AppX Apps in Windows 8(.1) and 10. Note: The apps will be removed for the Current and New users only!\n\u003c# To skip a AppX app while removing change \"Remove\" to \"NoChange\", the app will not be removed. #\u003e $arrAppxApps = @() $arrAppxApps += ,@('Remove','6.4|10.0','*3DBuilder*') # Uninstall 3D Builder $arrAppxApps += ,@('Remove','6.4|10.0','*Appconnector*') # Uninstall $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*bingfinance*') # Uninstall Money $arrAppxApps += ,@('Remove','6.2|6.3','*BingFoodAndDrink*') # $arrAppxApps += ,@('Remove','6.2|6.3','*BingHealthAndFitness*') # $arrAppxApps += ,@('Remove','6.2|6.3','*BingMaps*') # $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*bingnews*') # Uninstall News $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*bingsports*') # Uninstall Sports $arrAppxApps += ,@('Remove','6.2|6.3','*BingTravel*') # $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*bingweather*') # Uninstall Weather $arrAppxApps += ,@('Remove','6.2|6.3','*Camera*') # $arrAppxApps += ,@('Remove','6.2|6.3','*OneDrive*') # $arrAppxApps += ,@('Remove','6.4|10.0','*getstarted*') # Uninstall Get Started $arrAppxApps += ,@('Remove','6.2|6.3','*HelpAndTips*') # $arrAppxApps += ,@('Remove','6.4|10.0','*officehub*') # Uninstall Get Office $arrAppxApps += ,@('Remove','6.4|10.0','*solitairecollection*') # Uninstall Microsoft Solitaire Collection $arrAppxApps += ,@('Remove','6.2|6.3','*Media.PlayReadyClient.2*') # 2x $arrAppxApps += ,@('Remove','6.2|6.3','*Media.PlayReadyClient.2*') # $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*onenote*') # Uninstall OneNote $arrAppxApps += ,@('Remove','6.4|10.0','*people*') # Uninstall People 
$arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*skypeapp*') # Uninstall Get Skype $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*photos*') # Uninstall Photos $arrAppxApps += ,@('Remove','6.2|6.3','*Reader*') # $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*windowsalarms*') # Uninstall Alarms and Clock $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*windowscalculator*') # Uninstall Calculator $arrAppxApps += ,@('Remove','6.4|10.0','*windowscamera*') # Uninstall Camera $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*windowscommunicationsapps*') # Uninstall Calendar and Mail $arrAppxApps += ,@('Remove','6.4|10.0','*windowsmaps*') # Uninstall Maps $arrAppxApps += ,@('Remove','6.4|10.0','*windowsphone*') # Uninstall Phone Companion $arrAppxApps += ,@('Remove','6.2|6.3','*WindowsReadingList*') # $arrAppxApps += ,@('Remove','6.4|10.0','*soundrecorder*') # Uninstall Voice Recorder $arrAppxApps += ,@('Remove','6.2|6.3','*WindowsScan*') # $arrAppxApps += ,@('Remove','6.4|10.0','*windowsstore*') # Uninstall Store $arrAppxApps += ,@('Remove','6.4|10.0','*xboxapp*') # Uninstall Xbox $arrAppxApps += ,@('Remove','6.2|6.3','*XboxLIVEGames*') # $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*zunemusic*') # Uninstall Groove Music $arrAppxApps += ,@('Remove','6.2|6.3|6.4|10.0','*zunevideo*') # Uninstall Movies \u0026 TV Write-Host -ForegroundColor White \"Removing Appx Apps\" Write-Verbose '' foreach ($AppxApp in $arrAppxApps) { Write-Host -NoNewline -ForegroundColor Gray \" -\" $AppxApp[2] Switch ($AppxApp[0]) { \"NoChange\" { Write-Host -ForegroundColor Yellow \" (skipped) No changes made\" } \"Remove\" { if ($AppxApp[1] -Match ($varWinVer)) { Try { Get-AppxPackage | Where-Object {$_.PackageFullName -like $AppxApp[2]} | Remove-AppxPackage -ErrorAction SilentlyContinue | Out-Null Get-AppxPackage -allusers | Where-Object {$_.PackageFullName -like $AppxApp[2]} | Remove-AppxPackage -ErrorAction SilentlyContinue | Out-Null Get-AppxProvisionedPackage -Online | Where-Object 
{$_.packagename -like $AppxApp[2]} | Remove-ProvisionedAppxPackage -Online -ErrorAction SilentlyContinue | Out-Null } Catch { Write-Host -ForegroundColor Red (\" (error)\") $FailedItem = $_.Exception.ItemName Write-Verbose ('Caught an error') Write-Verbose ('ErrorMessage: ' + $ErrorMessage) Write-Verbose ('FailedItem: ' + $FailedItem) continue } Finally { Write-Host -ForegroundColor Green (\" (done)\") } } Else { Write-Host -ForegroundColor Yellow \" (skipped) not applicable to this OS\" } } } } ","title":"Remove AppX (Modern) Apps","type":"posts"},{"content":" I\u0026rsquo;m John Billekens born in \u0026lsquo;81, living in North Brabant, The Netherlands. I\u0026rsquo;ve been working in the IT business for quite a while now. Currently I\u0026rsquo;m self employed as a Technical Consultant, mainly in the end user computing area. I\u0026rsquo;ve been using this blog mainly to create notes from the field to myself, I can\u0026rsquo;t remember everything\u0026hellip;? Occasionally I post a blog article to the public when I think some of you can use it as well. If you are interested to hire me, please contact me via https://jobico.nl/#contact Note: The articles on this blog are of my own.\nLinkedIn\n","date":"May 16, 2016","externalUrl":null,"permalink":"/about/","section":"John Billekens | Notes from the field","summary":" I’m John Billekens born in ‘81, living in North Brabant, The Netherlands. I’ve been working in the IT business for quite a while now. Currently I’m self employed as a Technical Consultant, mainly in the end user computing area. I’ve been using this blog mainly to create notes from the field to myself, I can’t remember everything…? Occasionally I post a blog article to the public when I think some of you can use it as well. 
If you are interested in hiring me, please contact me via https://jobico.nl/#contact Note: The articles on this blog are my own.\n","title":"About me","type":"page"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/tags/optimize/","section":"Tags","summary":"","title":"Optimize","type":"tags"},{"content":"I\u0026rsquo;ve been using my \u0026ldquo;Windows optimize script\u0026rdquo; for a while now. Most issues are resolved and it\u0026rsquo;s been tested thoroughly. So I thought why not give it back to the community, so here it is: OptimizeEndpoint. It can be used to optimize Windows 7, 8, 8.1 and 10. (It can also be used for Windows Server versions, but this is not tested) I used the script made by Ingmar Verheij, and made some changes. It contains most of the Citrix XenDesktop Best Practices. Please don\u0026rsquo;t run the script without reviewing the options, it can damage your master image if you\u0026rsquo;re not careful! At the top of the image there are some parameters that can be set. Read the comments. Run it at your own risk. If you have issues or questions let me know.\n","date":"May 16, 2016","externalUrl":null,"permalink":"/posts/optimizeendpoint/","section":"Blog","summary":"I’ve been using my “Windows optimize script” for a while now. Most issues are resolved and it’s been tested thoroughly. So I thought why not give it back to the community, so here it is: OptimizeEndpoint. It can be used to optimize Windows 7, 8, 8.1 and 10. (It can also be used for Windows Server versions, but this is not tested) I used the script made by Ingmar Verheij, and made some changes. It contains most of the Citrix XenDesktop Best Practices. Please don’t run the script without reviewing the options, it can damage your master image if you’re not careful! At the top of the image there are some parameters that can be set. Read the comments. Run it at your own risk. 
If you have issues or questions let me know.\n","title":"OptimizeEndpoint","type":"posts"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/tags/optimizeendpoint/","section":"Tags","summary":"","title":"OptimizeEndpoint","type":"tags"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/categories/provisioning-services/","section":"Categories","summary":"","title":"Provisioning Services","type":"categories"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/tags/windows-7/","section":"Tags","summary":"","title":"Windows 7","type":"tags"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/tags/windows-8/","section":"Tags","summary":"","title":"Windows 8","type":"tags"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/tags/windows-8.1/","section":"Tags","summary":"","title":"Windows 8.1","type":"tags"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/tags/xenapp/","section":"Tags","summary":"","title":"XenApp","type":"tags"},{"content":"","date":"May 16, 2016","externalUrl":null,"permalink":"/categories/xenapp-7.x/","section":"Categories","summary":"","title":"XenApp 7.x","type":"categories"},{"content":"","date":"March 5, 2016","externalUrl":null,"permalink":"/tags/citrix-pvs/","section":"Tags","summary":"","title":"Citrix PVS","type":"tags"},{"content":"","date":"March 5, 2016","externalUrl":null,"permalink":"/categories/one-automation/","section":"Categories","summary":"","title":"ONE Automation","type":"categories"},{"content":"When deploying the Citrix PVS Target Device software with for example SCCM or RES ONE Automation, this fails. As it turns out \u0026ldquo;CFsDep2.sys\u0026rdquo; is missing from the System32\\Drivers directory. This is because during the (unattended) installation of the Target Device software the installation of \u0026ldquo;CFsDep2\u0026rdquo; fails. When you install the software by hand, everything works as it should. 
This can be solved by running the following command after the installation of the Target Device Software.\nrundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\\Program Files\\Citrix\\Provisioning Services\\drivers\\cfsdep2.inf This could be an installation script for SCCM:\n@echo off START /WAIT PVS_Device.exe /S /v/qn\u0026#34; ALLUSERS=TRUE REBOOT=SUPPRESS\u0026#34; set ERRCODE=%ERRORLEVEL% Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\\Program Files\\Citrix\\Provisioning Services\\drivers\\cfsdep2.inf exit /B %ERRCODE% ","date":"March 5, 2016","externalUrl":null,"permalink":"/posts/provisioning-target-device-unattended-deployment/","section":"Blog","summary":"When deploying the Citrix PVS Target Device software with, for example, SCCM or RES ONE Automation, this fails. As it turns out “CFsDep2.sys” is missing from the System32\\Drivers directory. This is because during the (unattended) installation of the Target Device software the installation of “CFsDep2” fails. When you install the software by hand, everything works as it should. 
This can be solved by running the following command after the installation of the Target Device Software.\n","title":"Provisioning Target Device Unattended Deployment","type":"posts"},{"content":"","date":"March 5, 2016","externalUrl":null,"permalink":"/tags/res-one-automation/","section":"Tags","summary":"","title":"RES ONE Automation","type":"tags"},{"content":"","date":"March 5, 2016","externalUrl":null,"permalink":"/tags/sccm/","section":"Tags","summary":"","title":"SCCM","type":"tags"},{"content":"","date":"March 5, 2016","externalUrl":null,"permalink":"/tags/target-device/","section":"Tags","summary":"","title":"Target Device","type":"tags"},{"content":"","date":"March 5, 2016","externalUrl":null,"permalink":"/tags/unattended/","section":"Tags","summary":"","title":"Unattended","type":"tags"},{"content":"I also released my CtxVdDrain Script, this script will put any selected XenDesktop Machine catalog in maintenance mode and turn it off where possible. It won\u0026rsquo;t kick users out of their desktops, it will wait and try again. You can download it here\n","date":"January 14, 2016","externalUrl":null,"permalink":"/posts/ctxvddrain-script/","section":"Blog","summary":"I also released my CtxVdDrain Script, this script will put any selected XenDesktop Machine catalog in maintenance mode and turn it off where possible. It won’t kick users out of their desktops, it will wait and try again. You can download it here\n","title":"CtxVdDrain Script","type":"posts"},{"content":"For a customer we needed a solution to recycle \u0026ldquo;old\u0026rdquo; PVS Virtual Desktops. And because Citrix XenDesktop doesn\u0026rsquo;t use the oldest desktops first (without using power options), we had to come up with a solution. And so my Shutdown Script was born. The script basically checks which Virtual Machines are the oldest, puts them in maintenance mode so no user can use them anymore. After this is done the vm\u0026rsquo;s are given a shutdown command. 
When they\u0026rsquo;re down, maintenance mode will be turned off. You can get it here.\n","date":"January 14, 2016","externalUrl":null,"permalink":"/posts/ctxvdcontinuousshutdown-script/","section":"Blog","summary":"For a customer we needed a solution to recycle “old” PVS Virtual Desktops. And because Citrix XenDesktop doesn’t use the oldest desktops first (without using power options), we had to come up with a solution. And so my Shutdown Script was born. The script basically checks which Virtual Machines are the oldest, puts them in maintenance mode so no user can use them anymore. After this is done the vm’s are given a shutdown command. When they’re down, maintenance mode will be turned off. You can get it here.\n","title":"CtxVdContinuousShutdown Script","type":"posts"},{"content":"","date":"October 22, 2015","externalUrl":null,"permalink":"/tags/ctxvdstatus/","section":"Tags","summary":"","title":"CtxVdStatus","type":"tags"},{"content":"Today I decided to put my CtxVdStatus script on GitHub. With this script you can get an overview of your Citrix XenDesktop environment. It helped me to troubleshoot some issues. You can download/view it here\n","date":"October 22, 2015","externalUrl":null,"permalink":"/posts/ctxvdstatus-script/","section":"Blog","summary":"Today I decided to put my CtxVdStatus script on GitHub. With this script you can get an overview of your Citrix XenDesktop environment. It helped me to troubleshoot some issues. You can download/view it here\n","title":"CtxVdStatus Script","type":"posts"},{"content":"Here you will find a list of the latest Citrix Provisioning Services Updates. I will do my best to update the list as soon as there are new updates available. 
Citrix Provisioning Services 7.6 (Server) Provisioning Services 7.6 Cumulative Update 1 for Server and Console x86 http://support.citrix.com/article/CTX142613 Replaces: None (yet) Provisioning Services 7.6 Cumulative Update 1 for Server and Console x64 http://support.citrix.com/article/CTX142614 Replaces: None (yet) Citrix Provisioning Services 7.6 (Target) Provisioning Services 7.6 Cumulative Update 1 for Target Device x86 http://support.citrix.com/article/CTX142615 Replaces: None (yet) Provisioning Services 7.6 Cumulative Update 1 for Target Device x64 http://support.citrix.com/article/CTX142616 Replaces: None (yet) Citrix Provisioning Services 7.1 (Server) Hotfix PVS710ServerConsoleWX86004 for PVS Server and Console 7.1 x86 http://support.citrix.com/article/CTX142336 Replaces: All Other Versions Hotfix PVS710ServerConsoleWX64004 for PVS Server and Console 7.1 x64 http://support.citrix.com/article/CTX142406 Replaces: All Other Versions Citrix Provisioning Services 7.1 (Target) Hotfix PVS710TargetDeviceWX86004 for PVS Target Device 7.1 x86 http://support.citrix.com/article/CTX142333 Replaces: All Other Versions Hotfix PVS710TargetDeviceWX64004 for PVS Target Device 7.1 x64 http://support.citrix.com/article/CTX142397 Replaces: All Other Versions\n","date":"October 3, 2015","externalUrl":null,"permalink":"/posts/citrix-provisioning-services-versions-7.x-current-available-updates/","section":"Blog","summary":"Here you will find a list of the latest Citrix Provisioning Services Updates. I will do my best to update the list as soon as there are new updates available. 
Citrix Provisioning Services 7.6 (Server) Provisioning Services 7.6 Cumulative Update 1 for Server and Console x86 http://support.citrix.com/article/CTX142613 Replaces: None (yet) Provisioning Services 7.6 Cumulative Update 1 for Server and Console x64 http://support.citrix.com/article/CTX142614 Replaces: None (yet) Citrix Provisioning Services 7.6 (Target) Provisioning Services 7.6 Cumulative Update 1 for Target Device x86 http://support.citrix.com/article/CTX142615 Replaces: None (yet) Provisioning Services 7.6 Cumulative Update 1 for Target Device x64 http://support.citrix.com/article/CTX142616 Replaces: None (yet) Citrix Provisioning Services 7.1 (Server) Hotfix PVS710ServerConsoleWX86004 for PVS Server and Console 7.1 x86 http://support.citrix.com/article/CTX142336 Replaces: All Other Versions Hotfix PVS710ServerConsoleWX64004 for PVS Server and Console 7.1 x64 http://support.citrix.com/article/CTX142406 Replaces: All Other Versions Citrix Provisioning Services 7.1 (Target) Hotfix PVS710TargetDeviceWX86004 for PVS Target Device 7.1 x86 http://support.citrix.com/article/CTX142333 Replaces: All Other Versions Hotfix PVS710TargetDeviceWX64004 for PVS Target Device 7.1 x64 http://support.citrix.com/article/CTX142397 Replaces: All Other Versions\n","title":"Citrix Provisioning Services Versions 7.x (current) Available Updates","type":"posts"},{"content":"","date":"October 3, 2015","externalUrl":null,"permalink":"/categories/updates/","section":"Categories","summary":"","title":"Updates","type":"categories"},{"content":"Hex Mask Dec. Description 0001 1 Profile is mandatory. 0002 2 Update the locally cached profile. 0004 4 New local profile. 0008 8 New central profile. 0010 16 Update the central profile. 0020 32 Delete the cached profile. 0040 64 Upgrade the profile. 0080 128 Using Guest user profile. 0100 256 Using Administrator profile. 0200 512 Default net profile is available and ready. 0400 1024 Slow network link identified. 
0800 2048 Temporary profile loaded.\n","date":"September 10, 2015","externalUrl":null,"permalink":"/posts/profile/","section":"Blog","summary":"Hex Mask Dec. Description 0001 1 Profile is mandatory. 0002 2 Update the locally cached profile. 0004 4 New local profile. 0008 8 New central profile. 0010 16 Update the central profile. 0020 32 Delete the cached profile. 0040 64 Upgrade the profile. 0080 128 Using Guest user profile. 0100 256 Using Administrator profile. 0200 512 Default net profile is available and ready. 0400 1024 Slow network link identified. 0800 2048 Temporary profile loaded.\n","title":"Profile","type":"posts"},{"content":"#PUT XAML BELOW between the @\u0026#34; \u0026#34;@ $inputXML = @\u0026#34; \u0026lt;Window x:Class=\u0026#34;WpfApplication1.MainWindow\u0026#34; xmlns=\u0026#34;http://schemas.microsoft.com/winfx/2006/xaml/presentation\u0026#34; xmlns:x=\u0026#34;http://schemas.microsoft.com/winfx/2006/xaml\u0026#34; xmlns:d=\u0026#34;http://schemas.microsoft.com/expression/blend/2008\u0026#34; xmlns:mc=\u0026#34;http://schemas.openxmlformats.org/markup-compatibility/2006\u0026#34; xmlns:local=\u0026#34;clr-namespace:WpfApplication1\u0026#34; mc:Ignorable=\u0026#34;d\u0026#34; Title=\u0026#34;MainWindow\u0026#34; Height=\u0026#34;350\u0026#34; Width=\u0026#34;525\u0026#34;\u0026gt; \u0026lt;Grid\u0026gt; \u0026lt;/Grid\u0026gt; \u0026lt;/Window\u0026gt; \u0026#34;@ $inputXML = $inputXML -replace \u0026#39;mc:Ignorable=\u0026#34;d\u0026#34;\u0026#39;,\u0026#39;\u0026#39; -replace \u0026#34;x:N\u0026#34;,\u0026#39;N\u0026#39; -replace \u0026#39;^\u0026lt;Win.*\u0026#39;, \u0026#39;\u0026lt;Window\u0026#39; [void][System.Reflection.Assembly]::LoadWithPartialName(\u0026#39;presentationframework\u0026#39;) [xml]$XAML = $inputXML #Read XAML $reader=(New-Object System.Xml.XmlNodeReader $xaml) try{ $Form=[Windows.Markup.XamlReader]::Load( $reader ) }catch [System.Management.Automation.MethodInvocationException] { Write-Warning \u0026#34;We ran into a 
problem with the XAML code. Check the syntax for this control...\u0026#34; write-host $error[0].Exception.Message -ForegroundColor Red if ($error[0].Exception.Message -like \u0026#34;*button*\u0026#34;){ write-warning \u0026#34;Ensure your \u0026amp;lt;button in the `$inputXML does NOT have a Click=ButtonClick property. PS can\u0026#39;t handle this`n`n`n`n\u0026#34; } }catch{ Write-Host \u0026#34;Unable to load Windows.Markup.XamlReader. Double-check syntax and ensure .net is installed.\u0026#34; } #=========================================================================== # Store Form Objects In PowerShell #=========================================================================== $xaml.SelectNodes(\u0026#34;//*[@Name]\u0026#34;) | %{Set-Variable -Name \u0026#34;WPF$($_.Name)\u0026#34; -Value $Form.FindName($_.Name)} Function Get-FormVariables{ if ($global:ReadmeDisplay -ne $true){Write-host \u0026#34;If you need to reference this display again, run Get-FormVariables\u0026#34; -ForegroundColor Yellow;$global:ReadmeDisplay=$true} write-host \u0026#34;Found the following interactable elements from our form\u0026#34; -ForegroundColor Cyan get-variable WPF* } Get-FormVariables #=========================================================================== # Use this space to add code to the various form elements in your GUI #=========================================================================== #Reference #Adding items to a dropdown/combo box #$vmpicklistView.items.Add([pscustomobject]@{\u0026#39;VMName\u0026#39;=($_).Name;Status=$_.Status;Other=\u0026#34;Yes\u0026#34;}) #Setting the text of a text box to the current PC name #$WPFtextBox.Text = $env:COMPUTERNAME #Adding code to a button, so that when clicked, it pings a system # $WPFbutton.Add_Click({ Test-connection -count 1 -ComputerName $WPFtextBox.Text # }) #=========================================================================== # Shows the form 
#=========================================================================== write-host \u0026#34;To show the form, run the following\u0026#34; -ForegroundColor Cyan \u0026#39;$Form.ShowDialog() | out-null\u0026#39; Source\n","date":"August 29, 2015","externalUrl":null,"permalink":"/posts/powershell-gui-basic/","section":"Blog","summary":"#PUT XAML BELOW between the @\" \"@ $inputXML = @\" \u003cWindow x:Class=\"WpfApplication1.MainWindow\" xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\" xmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\" xmlns:d=\"http://schemas.microsoft.com/expression/blend/2008\" xmlns:mc=\"http://schemas.openxmlformats.org/markup-compatibility/2006\" xmlns:local=\"clr-namespace:WpfApplication1\" mc:Ignorable=\"d\" Title=\"MainWindow\" Height=\"350\" Width=\"525\"\u003e \u003cGrid\u003e \u003c/Grid\u003e \u003c/Window\u003e \"@ $inputXML = $inputXML -replace 'mc:Ignorable=\"d\"','' -replace \"x:N\",'N' -replace '^\u003cWin.*', '\u003cWindow' [void][System.Reflection.Assembly]::LoadWithPartialName('presentationframework') [xml]$XAML = $inputXML #Read XAML $reader=(New-Object System.Xml.XmlNodeReader $xaml) try{ $Form=[Windows.Markup.XamlReader]::Load( $reader ) }catch [System.Management.Automation.MethodInvocationException] { Write-Warning \"We ran into a problem with the XAML code. Check the syntax for this control...\" write-host $error[0].Exception.Message -ForegroundColor Red if ($error[0].Exception.Message -like \"*button*\"){ write-warning \"Ensure your \u0026lt;button in the `$inputXML does NOT have a Click=ButtonClick property. PS can't handle this`n`n`n`n\" } }catch{ Write-Host \"Unable to load Windows.Markup.XamlReader. 
Double-check syntax and ensure .net is installed.\" } #=========================================================================== # Store Form Objects In PowerShell #=========================================================================== $xaml.SelectNodes(\"//*[@Name]\") | %{Set-Variable -Name \"WPF$($_.Name)\" -Value $Form.FindName($_.Name)} Function Get-FormVariables{ if ($global:ReadmeDisplay -ne $true){Write-host \"If you need to reference this display again, run Get-FormVariables\" -ForegroundColor Yellow;$global:ReadmeDisplay=$true} write-host \"Found the following interactable elements from our form\" -ForegroundColor Cyan get-variable WPF* } Get-FormVariables #=========================================================================== # Use this space to add code to the various form elements in your GUI #=========================================================================== #Reference #Adding items to a dropdown/combo box #$vmpicklistView.items.Add([pscustomobject]@{'VMName'=($_).Name;Status=$_.Status;Other=\"Yes\"}) #Setting the text of a text box to the current PC name #$WPFtextBox.Text = $env:COMPUTERNAME #Adding code to a button, so that when clicked, it pings a system # $WPFbutton.Add_Click({ Test-connection -count 1 -ComputerName $WPFtextBox.Text # }) #=========================================================================== # Shows the form #=========================================================================== write-host \"To show the form, run the following\" -ForegroundColor Cyan '$Form.ShowDialog() | out-null' Source\n","title":"Powershell Gui Basic","type":"posts"},{"content":"\u0026lt;# .SYNOPSIS A summary .DESCRIPTION A more in depth description .NOTES Additional Notes File Name : xx.ps1 Author : First Last - e@mail.com Requires : ... 
.LINK A hyper link .EXAMPLE The first example .EXAMPLE The second example .PARAMETER xxx text #\u0026gt; [CmdletBinding()] param ( [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)][int64] $xxx=42 ) #Script ","date":"August 28, 2015","externalUrl":null,"permalink":"/posts/basic-powershell-start/","section":"Blog","summary":"\u003c# .SYNOPSIS A summary .DESCRIPTION A more in depth description .NOTES Additional Notes File Name : xx.ps1 Author : First Last - e@mail.com Requires : ... .LINK A hyper link .EXAMPLE The first example .EXAMPLE The second example .PARAMETER xxx text #\u003e [CmdletBinding()] param ( [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)][int64] $xxx=42 ) #Script ","title":"Basic PowerShell start","type":"posts"},{"content":"","date":"June 21, 2015","externalUrl":null,"permalink":"/categories/no-category/","section":"Categories","summary":"","title":"No Category","type":"categories"},{"content":"1. Make sure a DNS A and PTR record exists for the VC and the ESXi hosts. 2. Create an installation parameter file. E.g. \u0026ldquo;example_embedded.json\u0026rdquo; 3. Run \u0026ldquo;vcsa-deploy \u0026lt;your_json_file_location_and_name\u0026gt;\u0026rdquo; E.g. \u0026ldquo;vcsa-deploy c:/temp/example_embedded.json\u0026rdquo; 4. Wait (20 to 30 min) until the message \u0026quot; Login as: Administrator@vsphere.local\u0026quot; appears \u0026ldquo;example_embedded.json\u0026rdquo; file:\n{ \u0026#34;__comments\u0026#34;: [ \u0026#34;This is J81 personalized template. 
Make sure a DNS A and PTR record exists for the VC\u0026#34; ], \u0026#34;deployment\u0026#34;: { \u0026#34;esx.hostname\u0026#34;:\u0026#34;\u0026lt;ESX FQDN or IP\u0026gt;\u0026#34;, \u0026#34;esx.datastore\u0026#34;:\u0026#34;\u0026lt;Datastore Naem for VC\u0026gt;\u0026#34;, \u0026#34;esx.username\u0026#34;:\u0026#34;root\u0026#34;, \u0026#34;esx.password\u0026#34;:\u0026#34;\u0026lt;ESX root Password\u0026gt;\u0026#34;, \u0026#34;deployment.option\u0026#34;:\u0026#34;tiny\u0026#34;, \u0026#34;deployment.network\u0026#34;:\u0026#34;\u0026lt;Portgroup Name\u0026gt;\u0026#34;, \u0026#34;appliance.name\u0026#34;:\u0026#34;\u0026lt;VC Hostname\u0026gt;\u0026#34;, \u0026#34;appliance.thin.disk.mode\u0026#34;:true }, \u0026#34;vcsa\u0026#34;: { \u0026#34;system\u0026#34;: { \u0026#34;root.password\u0026#34;:\u0026#34;\u0026lt;VC root Password\u0026gt;\u0026#34;, \u0026#34;ssh.enable\u0026#34;:true }, \u0026#34;sso\u0026#34;: { \u0026#34;password\u0026#34;:\u0026#34;\u0026lt;Administrator@vsphere.local Password\u0026gt;\u0026#34;, \u0026#34;domain-name\u0026#34;:\u0026#34;vsphere.local\u0026#34;, \u0026#34;site-name\u0026#34;:\u0026#34;\u0026lt;SiteName\u0026gt;\u0026#34; }, \u0026#34;networking\u0026#34;: { \u0026#34;ip.family\u0026#34;:\u0026#34;ipv4\u0026#34;, \u0026#34;mode\u0026#34;:\u0026#34;static\u0026#34;, \u0026#34;ip\u0026#34;:\u0026#34;\u0026lt;VC-IP\u0026gt;\u0026#34;, \u0026#34;prefix\u0026#34;:\u0026#34;\u0026lt;MASK BITS\u0026gt;\u0026#34;, \u0026#34;gateway\u0026#34;:\u0026#34;\u0026lt;GATEWAY\u0026gt;\u0026#34;, \u0026#34;dns.servers\u0026#34;:\u0026#34;\u0026lt;DNS IPs\u0026gt;\u0026#34;, \u0026#34;system.name\u0026#34;:\u0026#34;\u0026lt;VC FQDN\u0026gt;\u0026#34; } } } ","date":"June 21, 2015","externalUrl":null,"permalink":"/posts/vcsa-6-cli-install/","section":"Blog","summary":"1. Make sure a DNS A and PTR record exists for the VC and the ESXi hosts. 2. Create a installation parameter file. E.g. “example_embedded.json” 3. 
Run “vcsa-deploy \u003cyour_json_file_location_and_name\u003e” E.g. “vcsa-deploy c:/temp/example_embedded.json” 4. Wait (20 to 30 min) until the message \" Login as: Administrator@vsphere.local\" appears “example_embedded.json” file:\n","title":"VCSA 6 CLI Install","type":"posts"},{"content":"rundll32.exe keymgr.dll, KRShowKeyMgr * *\n","date":"June 20, 2015","externalUrl":null,"permalink":"/posts/backup-windows-credentials/","section":"Blog","summary":"rundll32.exe keymgr.dll, KRShowKeyMgr * *\n","title":"Backup Windows Credentials","type":"posts"},{"content":"Windows 8 has some new maintenance jobs. These are great when you have a physical machine. But not when you\u0026rsquo;re using Citrix PVS to stream the OS. To disable these tasks enter the following commands:\nschtasks /change /TN \u0026#34;\\Microsoft\\Windows\\TaskScheduler\\Idle Maintenance\u0026#34; /disable psexec -s schtasks /change /TN \u0026#34;\\Microsoft\\Windows\\TaskScheduler\\Maintenance Configurator\u0026#34; /disable schtasks /change /TN \u0026#34;\\Microsoft\\Windows\\TaskScheduler\\Manual Maintenance\u0026#34; /disable schtasks /change /TN \u0026#34;\\Microsoft\\Windows\\TaskScheduler\\Regular Maintenance\u0026#34; /disable psexec can be downloaded here To see if it\u0026rsquo;s disabled:\nSCHTASKS /Query Look for \u0026ldquo;Folder: \\Microsoft\\Windows\\TaskScheduler\u0026rdquo;\nFolder: \\Microsoft\\Windows\\TaskScheduler TaskName Next Run Time Status ======================================== ====================== =============== Idle Maintenance N/A Disabled Maintenance Configurator N/A Disabled Manual Maintenance N/A Disabled Regular Maintenance N/A Disabled ","date":"April 15, 2015","externalUrl":null,"permalink":"/posts/windows-8-maintenance-jobs/","section":"Blog","summary":"Windows 8 has some new maintenance jobs. These are great when you have a physical machine. But not when you’re using Citrix PVS to stream the OS. 
To disable these tasks enter the following commands:\n","title":"Windows 8 Maintenance jobs","type":"posts"},{"content":"Prerequisites\nRES: .NET 2; only for Cached User Settings is .NET 4 required. Tips\nAlways try to reproduce an issue in an empty database. Always configure re-branding. Best Practices:\nSplit database in new production environments, keep the default name the wizard returns \u0026ldquo;\u0026lt;name pri db\u0026gt;_2nd\u0026rdquo;. Reserve a Named License for laptop users when mixing the licenses. Define the Home drive in AD (user/gpo etc.) even though it\u0026rsquo;s possible to configure in RES. Email Settings: Always set the setting create once When setting the \u0026ldquo;Enable offline use\u0026rdquo; setting, make sure the folder exists on the target device (E.g. GPO or Automation Manager) Signatures, make sure you select the correct version! Make drive reservations for drives used. (E.g. C: / D: / H:-Home Drive) Set the \u0026ldquo;Do not perform mapping operation\u0026rdquo; Don\u0026rsquo;t redirect AppData When testing with zero profile, make the user member of \u0026ldquo;local guests\u0026rdquo; a temp profile will be used and this will make your life easier. Try to capture the user settings as much as possible on application level instead of global level. Always enable Memory optimization. Always enable Instant Logoff for XenApp SCCM Deployments Export key HKLM\\SOFTWARE\\RES\\Workspace Manager, this can be used for SCCM deployments. Admin bypass Set the following advanced setting, \u0026ldquo;Bypass composer for accounts matching: DOMAIN*admin*\u0026rdquo;. If the user is member of the local Administrators group RES personalisation will not be applied. 
Splash Screen Composition \u0026gt; Desktop \u0026gt; Lockdown and Behavior \u0026gt; \u0026ldquo;splash\u0026rdquo;\nHide main splash screen at session start, end and refresh Hide mini splash screen at application start Environment variables\ndeskpic $adinfo(email), $adinfo(firstname) etc. $autocount(\u0026lt;minimumvalue\u0026gt;-\u0026lt;maximumvalue\u0026gt;) $substring(%var%, start, length) Background options\nAdd pictures to database (Composition \u0026gt; Desktop \u0026gt; Background) and set deskpic variable *.jpg \u0026amp; *.bmp NOT *.png Limit \u0026ldquo;Change Desktop Background\u0026rdquo; in Workspace Preferences to pre-configured pictures (Lockdown and Behavior, \u0026ldquo;back\u0026rdquo;) Emergency Exit (RES Shell only)\nClick the 1x1 pixel in the top-right corner. PWRMENU or \u0026ldquo;Personal Settings\u0026rdquo;\nFrom Workspace Manager 2012 and up in new installations the folder \u0026ldquo;Personal Settings\u0026rdquo; is being used. When upgrading from an older version to the latest PWRMENU will still be used. User Settings\nFine-tune as much as possible, only capture the necessary settings. Try to keep the profile \u0026lt; 2MB UPR(2) - Registry Settings UPF(2) - Filesystem changes Remote Assistance\nTo get this working on Server versions make sure to install the remote assistance feature (not installed by default). ","date":"March 24, 2015","externalUrl":null,"permalink":"/posts/res-training-notes/","section":"Blog","summary":"Prerequisites\nRES: .NET 2; only for Cached User Settings is .NET 4 required. Tips\nAlways try to reproduce an issue in an empty database. Always configure re-branding. Best Practices:\nSplit database in new production environments, keep the default name the wizard returns “\u003cname pri db\u003e_2nd”. Reserve a Named License for laptop users when mixing the licenses. Define the Home drive in AD (user/gpo etc.) even though it’s possible to configure in RES. 
Email Settings: Always set the setting create once When setting the “Enable offline use” setting, make sure the folder exists on the target device (E.g. GPO or Automation Manager) Signatures, make sure you select the correct version! Make drive reservations for drives used. (E.g. C: / D: / H:-Home Drive) Set the “Do not perform mapping operation” Don’t redirect AppData When testing with zero profile, make the user member of “local guests” a temp profile will be used and this will make your life easier. Try to capture the user settings as much as possible on application level instead of global level. Always enable Memory optimization. Always enable Instant Logoff for XenApp SCCM Deployments Export key HKLM\\SOFTWARE\\RES\\Workspace Manager, this can be used for SCCM deployments. Admin bypass Set the following advanced setting, “Bypass composer for accounts matching: DOMAIN*admin*”. If the user is member of the local Administrators group RES personalisation will not be applied. Splash Screen Composition \u003e Desktop \u003e Lockdown and Behavior \u003e “splash”\n","title":"RES Training Notes","type":"posts"},{"content":"http://support.citrix.com/article/CTX129514\n","date":"March 6, 2015","externalUrl":null,"permalink":"/posts/secure-deployment-guide-for-netscaler-mpx-vpx-and-sdx-appliances/","section":"Blog","summary":"http://support.citrix.com/article/CTX129514\n","title":"Secure Deployment Guide for NetScaler MPX, VPX, and SDX Appliances","type":"posts"},{"content":"When using a different base URL for StoreFront than the domain your StoreFront server is a member of, you might run into this one. When logging on to a machine configured for Domain Passthrough you need to enter the credentials again in Windows. 
To resolve this issue enter on your StoreFront server the following command:\nSetspn -L \u0026lt;SF HOSTNAME\u0026gt; You might get this result\nC:\u0026gt;Setspn -L SRV-SF-01 Registered ServicePrincipalNames for CN=SRV-SF-01,OU=Storefront,OU=Citrix,OU=Ser vers,DC=DOMAIN,DC=LOCAL: WSMAN/SRV-SF-01 WSMAN/SRV-SF-01.Domain.Local TERMSRV/SRV-SF-01 TERMSRV/SRV-SF-01.Domain.Local RestrictedKrbHost/SRV-SF-01 HOST/SRV-SF-01 RestrictedKrbHost/SRV-SF-01.Domain.Local HOST/SRV-SF-01.Domain.Local You need to add the StoreFront Base URL to this list to make the magic happen.\nSetspn -A HOST/\u0026lt;SF HOST\u0026gt; \u0026lt;SF BASEURL\u0026gt; Afterwards when you check again the Base URL is in the list.\nC:\u0026gt;Setspn -A HOST/SRV-SF-01 storefront.domain.com C:\u0026gt;Setspn -L SRV-SF-01 Registered ServicePrincipalNames for CN=SRV-SF-01,OU=Storefront,OU=Citrix,OU=Ser vers,DC=DOMAIN,DC=LOCAL: HOST/storefront.domain.com WSMAN/SRV-SF-01 WSMAN/SRV-SF-01.Domain.Local TERMSRV/SRV-SF-01 TERMSRV/SRV-SF-01.Domain.Local RestrictedKrbHost/SRV-SF-01 HOST/SRV-SF-01 RestrictedKrbHost/SRV-SF-01.Domain.Local HOST/SRV-SF-01.Domain.Local Good luck!\n","date":"March 3, 2015","externalUrl":null,"permalink":"/posts/citrix-storefront-domain-passthrough-not-working-when-base-url-is-different-from-machine-domain/","section":"Blog","summary":"When using a different base url for storefront than your storefront is member of you might run into this one. When logging on to a machine configured for Domain Passthrough you need to enter the credentials again in Windows. To resolve this issue enter on your StoreFront server the following command:\n","title":"Citrix StoreFront Domain passthrough not working when base url is different from machine domain","type":"posts"},{"content":"","date":"March 3, 2015","externalUrl":null,"permalink":"/categories/storefront-2.x/","section":"Categories","summary":"","title":"StoreFront 2.x","type":"categories"},{"content":" Socket Pooling. 
# In StoreFront we need to configure socket pooling in the config files, while in Web Interface we could configure this in the console. StoreFront maintains a pool of sockets instead of creating a socket each time a new user connects; when enabled it will give better performance for SSL traffic. To change this, edit C:\\inetpub\\wwwroot\\Citrix\\\u0026lt;STORE\u0026gt;\\web.config (as Administrator) and find:\npooledSockets=\u0026#34;off\u0026#34; Change \u0026ldquo;off\u0026rdquo; to \u0026ldquo;on\u0026rdquo;. When finished, save and reset IIS.\nIISReset NOTE: Make sure you change this on the \u0026ldquo;primary\u0026rdquo; StoreFront Member and replicate changes.\nhttp://support.citrix.com/proddocs/topic/dws-storefront-26/dws-configure-conf-socket.html\nApplication Initialization # In IIS 8 and up (Windows Server 2012) there is a feature called \u0026ldquo;AlwaysRunning\u0026rdquo; on the application pools. When active, an application pool is loaded right after a restart; before, it was loaded when the first user tried to log in, which could take a long time. This option can be set in the IIS GUI, default application pool settings. For IIS 7.5 (Server 2008 R2) this setting is also available (not in the GUI) but only after applying an update. You need to change the config files manually to enable the \u0026ldquo;AlwaysRunning\u0026rdquo; function. Before continuing make sure you have a backup copy of all the files edited in this article. Download and install the update from: http://www.iis.net/downloads/microsoft/application-initialization. Make sure to reboot after installation to continue. 
open the file C:\\Windows\\System32\\inetsrv\\config\\applicationHost.config (as Administrator) Find the following location: configuration / system.applicationHost / applicationPools Add the following to each application pool:\nstartMode=\u0026#34;AlwaysRunning\u0026#34; Citrix Delivery Services Citrix Delivery Services Authentication Citrix Delivery Services Resources Citrix Receiver for Web Example:\n\u0026lt;system.applicationHost\u0026gt; \u0026lt;applicationPools\u0026gt; \u0026lt;add name=\u0026#34;DefaultAppPool\u0026#34; /\u0026gt; \u0026lt;add name=\u0026#34;Classic .NET AppPool\u0026#34; managedPipelineMode=\u0026#34;Classic\u0026#34; /\u0026gt; \u0026lt;add name=\u0026#34;ASP.NET v4.0\u0026#34; managedRuntimeVersion=\u0026#34;v4.0\u0026#34; /\u0026gt; \u0026lt;add name=\u0026#34;ASP.NET v4.0 Classic\u0026#34; managedRuntimeVersion=\u0026#34;v4.0\u0026#34; managedPipelineMode=\u0026#34;Classic\u0026#34; /\u0026gt; \u0026lt;add name=\u0026#34;Citrix Delivery Services Authentication\u0026#34; autoStart=\u0026#34;true\u0026#34; managedRuntimeVersion=\u0026#34;v4.0\u0026#34; managedPipelineMode=\u0026#34;Integrated\u0026#34; startMode=\u0026#34;AlwaysRunning\u0026#34;\u0026gt; \u0026lt;processModel identityType=\u0026#34;ApplicationPoolIdentity\u0026#34; idleTimeout=\u0026#34;00:00:00\u0026#34; /\u0026gt; \u0026lt;cpu limit=\u0026#34;0\u0026#34; action=\u0026#34;NoAction\u0026#34; resetInterval=\u0026#34;00:00:00\u0026#34; /\u0026gt; \u0026lt;/add\u0026gt; \u0026lt;add name=\u0026#34;Citrix Delivery Services Resources\u0026#34; autoStart=\u0026#34;true\u0026#34; managedRuntimeVersion=\u0026#34;v4.0\u0026#34; managedPipelineMode=\u0026#34;Integrated\u0026#34; startMode=\u0026#34;AlwaysRunning\u0026#34;\u0026gt; \u0026lt;processModel identityType=\u0026#34;ApplicationPoolIdentity\u0026#34; idleTimeout=\u0026#34;00:00:00\u0026#34; /\u0026gt; \u0026lt;cpu limit=\u0026#34;0\u0026#34; action=\u0026#34;NoAction\u0026#34; resetInterval=\u0026#34;00:00:00\u0026#34; /\u0026gt; 
\u0026lt;/add\u0026gt;\n\u0026lt;add name=\u0026#34;Citrix Receiver for Web\u0026#34; autoStart=\u0026#34;true\u0026#34; managedRuntimeVersion=\u0026#34;v4.0\u0026#34; managedPipelineMode=\u0026#34;Integrated\u0026#34; startMode=\u0026#34;AlwaysRunning\u0026#34;\u0026gt;\n\u0026lt;processModel identityType=\u0026#34;ApplicationPoolIdentity\u0026#34; idleTimeout=\u0026#34;00:00:00\u0026#34; /\u0026gt;\n\u0026lt;cpu limit=\u0026#34;0\u0026#34; action=\u0026#34;NoAction\u0026#34; resetInterval=\u0026#34;00:00:00\u0026#34; /\u0026gt;\n\u0026lt;recycling\u0026gt;\n\u0026lt;periodicRestart time=\u0026#34;00:00:00\u0026#34;\u0026gt;\n\u0026lt;schedule\u0026gt;\n\u0026lt;add value=\u0026#34;02:00:00\u0026#34; /\u0026gt;\n\u0026lt;/schedule\u0026gt;\n\u0026lt;/periodicRestart\u0026gt;\n\u0026lt;/recycling\u0026gt;\n\u0026lt;/add\u0026gt;\nNow find the location configuration / system.applicationHost / sites and add the following to each of these applications under the site:\npreloadEnabled=\u0026#34;true\u0026#34; /AGServices (only when NetScaler Gateway is configured) /Citrix/Authentication /Citrix/Roaming /Citrix/\u0026lt;STORE\u0026gt; /Citrix/\u0026lt;STORE\u0026gt;Web /Citrix/PNAgent Example:\n\u0026lt;sites\u0026gt;\n\u0026lt;site name=\u0026#34;Default Web Site\u0026#34; id=\u0026#34;1\u0026#34;\u0026gt;\n\u0026lt;application path=\u0026#34;/\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;%SystemDrive%\\inetpub\\wwwroot\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\n\u0026lt;application path=\u0026#34;/Citrix/Authentication\u0026#34; applicationPool=\u0026#34;Citrix Delivery Services Authentication\u0026#34; preloadEnabled=\u0026#34;true\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;C:\\inetpub\\wwwroot\\Citrix\\Authentication\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\n\u0026lt;application path=\u0026#34;/Citrix/Roaming\u0026#34; applicationPool=\u0026#34;Citrix Delivery Services Resources\u0026#34; 
preloadEnabled=\u0026#34;true\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;C:\\inetpub\\wwwroot\\Citrix\\Roaming\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\n\u0026lt;application path=\u0026#34;/AGServices\u0026#34; applicationPool=\u0026#34;Citrix Delivery Services Resources\u0026#34; preloadEnabled=\u0026#34;true\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;C:\\inetpub\\wwwroot\\AGServices\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\n\u0026lt;application path=\u0026#34;/Citrix/Store\u0026#34; applicationPool=\u0026#34;Citrix Delivery Services Resources\u0026#34; preloadEnabled=\u0026#34;true\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;C:\\inetpub\\wwwroot\\Citrix\\Store\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\n\u0026lt;application path=\u0026#34;/Citrix/PNAgent\u0026#34; applicationPool=\u0026#34;Citrix Delivery Services Resources\u0026#34; preloadEnabled=\u0026#34;true\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;C:\\inetpub\\wwwroot\\Citrix\\PNAgent\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\n\u0026lt;application path=\u0026#34;/Citrix/StoreWeb\u0026#34; applicationPool=\u0026#34;Citrix Receiver for Web\u0026#34; preloadEnabled=\u0026#34;true\u0026#34;\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/\u0026#34; physicalPath=\u0026#34;C:\\inetpub\\wwwroot\\Citrix\\StoreWeb\u0026#34; /\u0026gt;\n\u0026lt;virtualDirectory path=\u0026#34;/clients\u0026#34; physicalPath=\u0026#34;C:\\Program Files\\Citrix\\Receiver StoreFront\\Receiver Clients\u0026#34; /\u0026gt;\n\u0026lt;/application\u0026gt;\nWhen finished, save and reset IIS, then make sure the service is started and no errors show up in the Windows Event Viewer.\nIISReset NOTE: applicationHost.config is not propagated by StoreFront, so make this change on each StoreFront member.\nThe web.config changes in the next step are made on the primary StoreFront server only and then propagated to the other members. 
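The whole Application Initialization procedure of this section, both the startMode and preloadEnabled attributes in applicationHost.config above and the applicationInitialization sections that the next step adds to the web.config files, done with the IIS WebAdministration module instead of by hand. This is an added example and not the post's own script; it assumes IIS 8 or later (or IIS 7.5 with the Application Initialization update installed), the default site name, a store called Store (the $Store variable) and a $Primary switch that you set to $false on the members that are not the primary server. Run it as Administrator.

```powershell
# Added example, not part of the original post: the Application Initialization settings from
# this section applied with the IIS WebAdministration module. Assumptions: IIS 8+ (or IIS 7.5
# with the Application Initialization update), site "Default Web Site", store name "Store".
Import-Module WebAdministration

$Store   = 'Store'               # assumption: your StoreFront store name
$Site    = 'Default Web Site'
$Primary = $true                 # $false on the other members: web.config is propagated from the primary

$pools = 'Citrix Delivery Services',
         'Citrix Delivery Services Authentication',
         'Citrix Delivery Services Resources',
         'Citrix Receiver for Web'

# application path -> page IIS requests to warm the application up (pages from CTX137400)
$apps = [ordered]@{
    '/Citrix/Authentication' = '/endpoints/v1'
    '/Citrix/Roaming'        = '/endpoints/v1'
    "/Citrix/$Store"         = '/endpoints/v1'
    '/Citrix/PNAgent'        = '/endpoints/v1'
    "/Citrix/${Store}Web"    = '/Home/Index'
    '/AGServices'            = '/endpoints/v1'   # only present when NetScaler Gateway is configured
}

function Get-AppPath([string]$app) { "IIS:\Sites\$Site" + ($app -replace '/', '\') }

# 0. back up applicationHost.config first, as the article asks
$apphost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
Copy-Item $apphost ('{0}.{1}.bak' -f $apphost, (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 1. startMode="AlwaysRunning" (and no idle timeout, as in the example above) on the pools.
#    Pools a particular StoreFront version does not have are reported and skipped.
foreach ($pool in $pools) {
    $p = "IIS:\AppPools\$pool"
    if (-not (Test-Path $p)) { Write-Warning "application pool '$pool' not found, skipped"; continue }
    Set-ItemProperty $p -Name startMode -Value 'AlwaysRunning'
    Set-ItemProperty $p -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)
}

# 2. preloadEnabled="true" on each application (applicationHost.config, so on every member)
foreach ($app in $apps.Keys) {
    $p = Get-AppPath $app
    if (-not (Test-Path $p)) { Write-Warning "application '$app' not found, skipped"; continue }
    Set-ItemProperty $p -Name preloadEnabled -Value $true
}

# 3. <applicationInitialization skipManagedModules="true"><add initializationPage="..." /></applicationInitialization>
#    This is written to the application's own web.config, so primary only, then propagate.
if ($Primary) {
    $filter = 'system.webServer/applicationInitialization'
    foreach ($app in $apps.Keys) {
        $p = Get-AppPath $app
        if (-not (Test-Path $p)) { continue }
        Set-WebConfigurationProperty -PSPath $p -Filter $filter -Name skipManagedModules -Value $true
        $pages = @(Get-WebConfiguration -PSPath $p -Filter "$filter/add" | ForEach-Object { $_.initializationPage })
        if ($pages -notcontains $apps[$app]) {   # keeps the script re-runnable
            Add-WebConfigurationProperty -PSPath $p -Filter $filter -Name '.' -Value @{ initializationPage = $apps[$app] }
        }
    }
}

iisreset | Out-Null

# 4. verify: every pool AlwaysRunning and started, every application preloaded
Get-ChildItem IIS:\AppPools | Where-Object { $pools -contains $_.Name } | Format-Table Name, startMode, state -AutoSize
foreach ($app in $apps.Keys) {
    $p = Get-AppPath $app
    if (Test-Path $p) { '{0,-26} preloadEnabled={1}' -f $app, (Get-Item $p).preloadEnabled }
}
```

Run it on every member for the pool and preload settings; the web.config part only runs with $Primary set, after which you propagate the changes from the StoreFront console as the article says. The Test-Path checks make it skip, with a warning, a pool or application this particular deployment does not have (the Citrix Delivery Services pool, or /AGServices without a NetScaler Gateway) instead of failing half-way.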
Now edit each of the following web.config files:\nC:\\inetpub\\wwwroot\\AGServices\\web.config C:\\inetpub\\wwwroot\\Citrix\\Authentication\\web.config C:\\inetpub\\wwwroot\\Citrix\\PNAgent\\web.config C:\\inetpub\\wwwroot\\Citrix\\Roaming\\web.config C:\\inetpub\\wwwroot\\Citrix\\\u0026lt;STORE\u0026gt;\\web.config Add to the section: / configuration / system.webServer\n\u0026lt;applicationInitialization skipManagedModules=\u0026#34;true\u0026#34;\u0026gt; \u0026lt;add initializationPage=\u0026#34;/endpoints/v1\u0026#34;/\u0026gt; \u0026lt;/applicationInitialization\u0026gt; Edit each \u0026ldquo;StoreWeb\u0026rdquo; web.config file\nC:\\inetpub\\wwwroot\\Citrix\\\u0026lt;STORE\u0026gt;Web\\web.config Add to the section: / configuration / system.webServer\n\u0026lt;applicationInitialization skipManagedModules=\u0026#34;true\u0026#34;\u0026gt; \u0026lt;add initializationPage=\u0026#34;/Home/Index\u0026#34; /\u0026gt; \u0026lt;/applicationInitialization\u0026gt; When finished, test it before you propagate the changes to the other member(s).\nNOTE: Don\u0026rsquo;t forget to propagate the changes when finished!\nhttp://support.citrix.com/article/CTX137400\nDisable CRL Check # When the .NET runtime loads a signed assembly it verifies the Authenticode signature to generate publisher evidence, and that verification includes a certificate revocation (CRL) lookup. On a StoreFront server without outbound internet access each lookup has to time out first, which adds a noticeable delay while StoreFront loads. Setting generatePublisherEvidence to false turns that check off; it does not change certificate validation for the HTTPS connections StoreFront makes. To disable it, edit the following files: 32-bit \u0026amp; 64-bit:\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Aspnet.config C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Aspnet.config 64-bit only:\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Aspnet.config C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Aspnet.config Add to the section: / configuration / runtime\n\u0026lt;generatePublisherEvidence enabled=\u0026#34;false\u0026#34;/\u0026gt; Example:\n\u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34; ?\u0026gt; \u0026lt;configuration\u0026gt; \u0026lt;runtime\u0026gt; \u0026lt;legacyUnhandledExceptionPolicy enabled=\u0026#34;false\u0026#34; /\u0026gt; \u0026lt;legacyImpersonationPolicy enabled=\u0026#34;true\u0026#34;/\u0026gt; \u0026lt;alwaysFlowImpersonationPolicy 
enabled=\u0026#34;false\u0026#34;/\u0026gt; \u0026lt;SymbolReadingPolicy enabled=\u0026#34;1\u0026#34; /\u0026gt; \u0026lt;generatePublisherEvidence enabled=\u0026#34;false\u0026#34;/\u0026gt; \u0026lt;/runtime\u0026gt; \u0026lt;/configuration\u0026gt; When finished, save and reset IIS.\nIISReset NOTE: Aspnet.config is not propagated by StoreFront, so make this change on each StoreFront member.\nhttp://support.citrix.com/article/CTX139486 Good luck!\n","date":"February 25, 2015","externalUrl":null,"permalink":"/posts/optimize-storefront-2.x/","section":"Blog","summary":"Socket Pooling. # In StoreFront, socket pooling is configured in the config files, where Web Interface let you set it in the console. With pooling on, StoreFront keeps a pool of sockets instead of creating a new socket every time one is needed, which gives better performance for SSL traffic. To change this, edit C:\\inetpub\\wwwroot\\Citrix\\\u003cSTORE\u003e\\web.config (as Administrator) and find:\n","title":"Optimize StoreFront 2.x","type":"posts"},{"content":"","date":"February 21, 2015","externalUrl":null,"permalink":"/categories/exchange-2010/","section":"Categories","summary":"","title":"Exchange 2010","type":"categories"},{"content":"","date":"February 21, 2015","externalUrl":null,"permalink":"/categories/exchange-2013/","section":"Categories","summary":"","title":"Exchange 2013","type":"categories"},{"content":"Below is the NetScaler configuration for an Exchange environment. You need a Standard licence for this.\n#--- Replace the text below with the actual data ---#\n#Exchange server hostname and IP\n\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH01IP\u0026gt;\n\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH02IP\u0026gt;\n\u0026lt;EXCHANGEWEBMAILURL\u0026gt;\n#Content Switch IP\n\u0026lt;CSVIPIP\u0026gt;\n#Domain FQDN\n\u0026lt;DOMAIN.LOCAL\u0026gt;\n#Certificate name as installed in the NetScaler, e.g. 
a wildcard certificate \u0026lt;CERTIFICATE\u0026gt;\n#Test user for the POP monitor\n\u0026lt;POPTESTUSER\u0026gt; \u0026lt;POPTESTPASSWD\u0026gt;\n#--- NS Config below this line ---#\nenable ns feature LB CS CMP SSL REWRITE RESPONDER\nset ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED\nset ns httpParam -dropInvalReqs ON\nadd server Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH01IP\u0026gt;\nadd server Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH02IP\u0026gt;\nadd serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment \u0026#34;Outlook Web Access\u0026#34;\nadd serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment \u0026#34;Outlook Anywhere or RPC over HTTPS\u0026#34;\nadd serviceGroup SvcGrp_exchange_ews SSL -CMP YES -comment \u0026#34;Exchange Web Services\u0026#34;\nadd serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment \u0026#34;ActiveSync Service for Mobile Mail clients\u0026#34;\nadd serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment \u0026#34;Exchange Control Panel\u0026#34;\nadd serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment \u0026#34;Offline Address Book\u0026#34;\nadd serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment \u0026#34;Autodiscover Service\u0026#34;\nadd serviceGroup SvcGrp_exchange_pop3 TCP -cltTimeout 9000 -svrTimeout 9000\nadd serviceGroup SvcGrp_exchange_imap4 TCP -cltTimeout 9000 -svrTimeout 9000\nadd lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;Outlook Web Access\u0026#34;\nadd lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;Exchange Web Service\u0026#34;\nadd lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;Autodiscover Service\u0026#34;\nadd lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;Exchange Control Panel\u0026#34;\nadd lb vserver LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;ActiveSync Service for Mobile Mail clients\u0026#34;\nadd lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;Offline Address Book\u0026#34;\nadd lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -comment \u0026#34;Outlook Anywhere or RPC over HTTPS\u0026#34;\nadd lb vserver LbVip_exchange_imap4 SSL_TCP \u0026lt;CSVIPIP\u0026gt; 993 -persistenceType SSLSESSION -cltTimeout 9000\nadd lb vserver LbVip_exchange_pop3 SSL_TCP \u0026lt;CSVIPIP\u0026gt; 995 -persistenceType SSLSESSION -cltTimeout 9000\nadd cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; SSL \u0026lt;CSVIPIP\u0026gt; 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation\nadd cs vserver CswVip_http_\u0026lt;DOMAIN.LOCAL\u0026gt; HTTP \u0026lt;CSVIPIP\u0026gt; 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation\nadd cs action CswAct_ews -targetLBVserver LbVip_exchange_ews\nadd cs action CswAct_owa -targetLBVserver LbVip_exchange_owa\nadd cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp\nadd cs action CswAct_eas -targetLBVserver LbVip_exchange_eas\nadd cs action CswAct_oab -targetLBVserver LbVip_exchange_oab\nadd cs action CswAct_oa -targetLBVserver LbVip_exchange_oa\nadd cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover\n#Expressions are written with q{...} so the double quotes inside them need no escaping\nadd cs policy CswPol_ews -rule q{HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/ews\u0026#34;)} -action CswAct_ews\n#Browser catch-all: bound with the lowest priority below, so a browser request that no URL policy matched is sent to OWA\nadd cs policy CswPol_owa -rule q{HTTP.REQ.HEADER(\u0026#34;User-Agent\u0026#34;).SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;Mozilla\u0026#34;)} -action CswAct_owa\nadd cs policy CswPol_ecp -rule q{HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/ecp\u0026#34;)} -action CswAct_ecp\nadd cs policy CswPol_eas -rule q{HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/Microsoft-Server-ActiveSync\u0026#34;)} -action CswAct_eas\nadd cs policy CswPol_oab -rule q{HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/oab\u0026#34;)} -action CswAct_oab\nadd cs policy CswPol_oa -rule q{HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/rpc\u0026#34;)} -action CswAct_oa\nadd cs policy CswPol_autodiscover -rule q{HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/AutoDiscover\u0026#34;)} -action CswAct_autodiscover\nadd responder action ResAct_exchange_ToOwa redirect q{\u0026#34;/owa\u0026#34;}\nadd responder policy ResPol_exchange_ToOwa q{HTTP.REQ.URL.STARTSWITH(\u0026#34;/owa\u0026#34;).NOT} ResAct_exchange_ToOwa\nadd responder action ResAct_ToHTTPS_301 respondwith q{\u0026#34;HTTP/1.1 301 Moved Permanently\\r\\n\u0026#34; + \u0026#34;Location: https://\u0026#34; + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + \u0026#34;\\r\\n\\r\\n\u0026#34;} -bypassSafetyCheck YES\nadd responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301\nadd responder action ResAct_RespondWith404 respondwith q{\u0026#34;HTTP/1.1 404 Not Found\\r\\n\\r\\n\u0026#34;} -bypassSafetyCheck YES\nadd responder policy ResPol_RespondWith404 true ResAct_RespondWith404\nbind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa\nbind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa\nbind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews\nbind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas\nbind lb vserver LbVip_exchange_ecp SvcGrp_exchange_ecp\nbind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab\nbind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover\nbind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3\nbind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4\nbind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST\n#Everything on port 80 is redirected to HTTPS; the 404 policy is only a safety net behind it\nbind cs vserver CswVip_http_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName ResPol_RedirToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST\nbind cs vserver CswVip_http_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_autodiscover -priority 100\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_eas -priority 110\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_ews -priority 120\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_oab -priority 130\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_oa -priority 140\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_ecp -priority 150\nbind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_owa -priority 160\nadd lb monitor Mon_imap4 TCP-ECV -send \u0026#34;GET /\u0026#34; -recv \u0026#34;The Microsoft Exchange IMAP4 service is ready.\u0026#34; -LRTM ENABLED -interval 30 -destPort 143\nadd lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName \u0026lt;POPTESTUSER\u0026gt; -password \u0026lt;POPTESTPASSWD\u0026gt; -LRTM ENABLED -interval 30\n#The healthcheck.htm monitors are for Exchange 2013; Exchange 2007-2010 do not have that page, use the built-in https-ecv monitor there (see the commented bind lines below)\nadd lb monitor Mon_owa TCP-ECV -send \u0026#34;GET /owa/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nadd lb monitor Mon_ecp TCP-ECV -send \u0026#34;GET /ecp/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nadd lb monitor Mon_ews TCP-ECV -send \u0026#34;GET /ews/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nadd lb monitor Mon_eas TCP-ECV -send \u0026#34;GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nadd lb monitor Mon_oab TCP-ECV -send \u0026#34;GET /oab/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nadd lb monitor Mon_oa TCP-ECV -send \u0026#34;GET /rpc/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nadd lb monitor Mon_Autodiscover TCP-ECV -send \u0026#34;GET /Autodiscover/healthcheck.htm HTTP/1.1\\r\\nHost: \u0026lt;EXCHANGEWEBMAILURL\u0026gt;\\r\\nConnection: Close\\r\\n\\r\\n\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES\nbind serviceGroup SvcGrp_exchange_owa Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_owa Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_oa Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_oa Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_ews Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_ews Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_eas Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_eas Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_ecp Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_ecp Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_oab Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_oab Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_oab -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_autodiscover Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443\nbind serviceGroup SvcGrp_exchange_autodiscover Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443\n#Exchange 2013\nbind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover\n#Exchange 2007-2010\n#bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv\nbind serviceGroup SvcGrp_exchange_pop3 Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 110\nbind serviceGroup SvcGrp_exchange_pop3 Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 110\nbind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3\nbind serviceGroup SvcGrp_exchange_imap4 Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 143\nbind serviceGroup SvcGrp_exchange_imap4 Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 143\nbind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4\nset ssl vserver LbVip_exchange_owa -ssl3 DISABLED\nset ssl vserver LbVip_exchange_ews -ssl3 DISABLED\nset ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED\nset ssl vserver LbVip_exchange_ecp -ssl3 DISABLED\nset ssl vserver LbVip_exchange_eas -ssl3 DISABLED\nset ssl vserver LbVip_exchange_oab -ssl3 DISABLED\nset ssl vserver LbVip_exchange_oa -ssl3 DISABLED\nset ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED\nset ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED\nset ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -ssl3 DISABLED\nadd ssl cipher HighSecurity\nbind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA\n#The two 3DES suites (TLS1-ECDHE-RSA-DES-CBC3-SHA and SSL3-DES-CBC3-SHA) are only there for old clients; leave them out if you have none\nbind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA\nbind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA\nbind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA\nbind ssl vserver LbVip_exchange_owa -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_ews -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_autodiscover -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_ecp -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_eas -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_oab -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_oa -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_imap4 -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver LbVip_exchange_pop3 -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nbind ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\n#The AaaVip_ lines are only for an AAA vserver of your own; it is not created in this batch and AAA needs an Enterprise or Platinum licence\n#bind ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34;\nunbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT\nunbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT\nunbind ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -cipherName DEFAULT\n#unbind ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -cipherName DEFAULT\nbind ssl vserver LbVip_exchange_owa -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_ews -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_eas -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_oab -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_oa -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity\nbind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity\nbind ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -cipherName HighSecurity\n#bind ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -cipherName HighSecurity\n","date":"February 21, 2015","externalUrl":null,"permalink":"/posts/exchange-config-for-the-netscaler/","section":"Blog","summary":"Below is the NetScaler configuration for an Exchange environment. You need a Standard licence for this. #--- Replace the text below with the actual data---# #Exchange server hostname and IP \u003cEXCH01.DOMAIN.LOCAL\u003e \u003cEXCH01IP\u003e \u003cEXCH02.DOMAIN.LOCAL\u003e \u003cEXCH02IP\u003e \u003cEXCHANGEWEBMAILURL\u003e #Content Switch IP \u003cCSVIPIP\u003e #Domain FQDN \u003cDOMAIN.LOCAL\u003e #Certificate name as installed in the NetScaler, e.g. 
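Before pasting a batch like the one above into a NetScaler, it pays to check that every object it binds, sets or refers to is actually created earlier in the same batch: a command that names a policy, vserver or monitor that does not exist is rejected with an error and the object or binding it should have produced is simply missing, which is easy to overlook in a long batch. The PowerShell function below is an added example, not part of the original post, that does this check on a saved batch file. The sample lines at the end are constructed for the example and deliberately contain the two kinds of mistake it is meant to catch: a policy bound under a name that is never added, and an AAA vserver that is never created.

```powershell
# Added example, not part of the original post: report objects a NetScaler CLI batch refers
# to but never defines. It collects every name created by an "add" line and every name used
# as the target of a bind/set/unbind line, as a service-group member, as the action of a
# responder policy, or via -policyName/-targetLBVserver/-action/-monitorName, and prints the
# references that resolve to nothing. Cert keys and individual cipher names are not checked
# because they exist on the appliance independently of the batch.
function Test-NsBatch {
    param([string[]]$Lines)

    $defined = @{}      # object name -> line number of the "add" that creates it
    $refs    = @()      # every reference found: Line, Via, Name
    # names that exist on a fresh appliance (built-in monitors, the DEFAULT cipher group)
    $builtin = 'DEFAULT', 'https-ecv', 'http-ecv', 'tcp', 'ping', 'http', 'https'

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        $n = $i + 1
        # comments, blank lines and global "set ns ..." parameters name no objects
        if ($line -eq '' -or $line.StartsWith('#') -or $line -match '^(set|enable|disable)\s+ns\s') { continue }

        # add [lb|cs|ssl|responder|rewrite|authentication] <type> <name> ...  defines <name>
        if ($line -match '^add\s+(?:(?:lb|cs|ssl|responder|rewrite|authentication)\s+)?\w+\s+(\S+)') {
            $defined[$matches[1]] = $n
        }
        # bind/set/unbind [lb|cs|ssl] <type> <name> ...  acts on an existing <name>
        if ($line -match '^(?:bind|set|unbind)\s+(?:(?:lb|cs|ssl)\s+)?\w+\s+([^\s-]\S*)') {
            $refs += [pscustomobject]@{ Line = $n; Via = 'target'; Name = $matches[1] }
        }
        # bind lb vserver <vs> <serviceGroup>  and  bind serviceGroup <sg> <server> <port>
        if ($line -match '^bind\s+(?:lb\s+vserver|serviceGroup)\s+\S+\s+([^\s-]\S*)') {
            $refs += [pscustomobject]@{ Line = $n; Via = 'member'; Name = $matches[1] }
        }
        # add responder policy <name> <rule> <action>: the action is the last token
        if ($line -match '^add\s+responder\s+policy\s+\S+\s+.+\s+(\S+)$') {
            $refs += [pscustomobject]@{ Line = $n; Via = 'action'; Name = $matches[1] }
        }
        # references passed as options
        foreach ($opt in 'policyName', 'targetLBVserver', 'action', 'monitorName') {
            if ($line -match "-$opt\s+(\S+)") {
                $refs += [pscustomobject]@{ Line = $n; Via = "-$opt"; Name = $matches[1] }
            }
        }
    }

    $refs | Where-Object { -not $defined.ContainsKey($_.Name) -and $builtin -notcontains $_.Name }
}

# Constructed sample, a cut-down version of the batch above with two mistakes in its last two
# lines: the policy is bound under a name that was never added, and the AAA vserver is never created.
$sample = @'
add server Srv_EXCH01 10.0.0.11
add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment "Outlook Web Access"
add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180
add cs vserver CswVip_http_DOMAIN.LOCAL HTTP 10.0.0.10 80 -cltTimeout 180
add responder action ResAct_ToHTTPS_301 respondwith q{"HTTP/1.1 301 Moved Permanently\r\n"} -bypassSafetyCheck YES
add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301
add ssl cipher HighSecurity
bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa
bind serviceGroup SvcGrp_exchange_owa Srv_EXCH01 443
bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv
bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity
bind cs vserver CswVip_http_DOMAIN.LOCAL -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver AaaVip_auth.DOMAIN.LOCAL -certkeyName wildcard
'@ -split "`n"

Test-NsBatch -Lines $sample | Format-Table Line, Via, Name -AutoSize

# Against the real batch, after filling in the placeholders and saving it as a file:
# Test-NsBatch -Lines (Get-Content .\exchange.ns) | Format-Table Line, Via, Name -AutoSize
```

On the sample it reports line 13 (-policyName ResPol_RedirWebmailToHTTPS) and line 14 (target AaaVip_auth.DOMAIN.LOCAL); every other reference, including the built-in https-ecv monitor, resolves. The name-after-type patterns cover the command forms used on this page (add, bind, set and unbind of servers, service groups, vservers, monitors, policies, actions and cipher groups); a batch that uses other object types may need one more pattern.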
cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA bind ssl vserver LbVip_exchange_owa -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_ews -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_autodiscover -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_ecp -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_eas -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_oab -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_oa -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_imap4 -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_pop3 -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -certkeyName \"\u003cCERTIFICATE\u003e\" unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT unbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT unbind ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -cipherName DEFAULT unbind ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -cipherName DEFAULT bind ssl vserver LbVip_exchange_owa 
-cipherName HighSecurity bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity bind ssl vserver LbVip_exchange_oa -cipherName HighSecurity bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity bind ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -cipherName HighSecurity bind ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -cipherName HighSecurity ","title":"Exchange config for the NetScaler","type":"posts"},{"content":"Below is the NetScaler configuration for an Exchange environment. You need an Enterprise licence to activate AAA.\n#--- Replace the text below with the actual data---# #Domain Controller hostname and IP \u0026lt;DC01.DOMAIN.LOCAL\u0026gt; \u0026lt;DC01IP\u0026gt; \u0026lt;DC02.DOMAIN.LOCAL\u0026gt; \u0026lt;DC01IP\u0026gt; #Exchange server hostname and IP \u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH01IP\u0026gt; \u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH02IP\u0026gt; #Active Directory data \u0026lt;LDAPPATH\u0026gt; \u0026lt;LDAPREAD@DOAMIN.LOCAL\u0026gt; \u0026lt;LDAPREADPASSWD\u0026gt; #Client subnet marked save for private profile \u0026lt;CLIENTSUBNET\u0026gt; #AD group for always use of the private profile \u0026lt;ADEXCHPRIVATEGRP\u0026gt; #AAA Server FQDN and IP \u0026lt;AUTHVIPFQDN\u0026gt; \u0026lt;AUTHVIPIP\u0026gt; #Content Switch IP \u0026lt;CSVIPIP\u0026gt; #Domain FQDN \u0026lt;DOMAIN.LOCAL\u0026gt; #Certiicatename as installed in the NetScaler \u0026lt;CERTIFICATE\u0026gt; #Test user for the POP monitor \u0026lt;POPTESTUSER\u0026gt; \u0026lt;POPTESTPASSWD\u0026gt; #--- NS Config below this line ---# enable ns feature LB CS CMP SSL AAA REWRITE RESPONDER set ns httpProfile nshttp_default_profile 
-dropInvalReqs ENABLED add server Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH01IP\u0026gt; add server Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; \u0026lt;EXCH02IP\u0026gt; add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment \u0026#34;Outlook Web Access\u0026#34; add serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment \u0026#34;Outlook Anywhere or RPC over HTTPS\u0026#34; add serviceGroup SvcGrp_exchange_ews SSL -CMP YES -comment \u0026#34;Exchange Web Services\u0026#34; add serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment \u0026#34;ActiveSync Service for Mobile Mail clients\u0026#34; add serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment \u0026#34;Exchange Control Panel\u0026#34; add serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment \u0026#34;Offline Address Book\u0026#34; add serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment \u0026#34;Autodiscover Service\u0026#34; add serviceGroup SvcGrp_exchange_pop3 TCP-cltTimeout 9000 -svrTimeout 9000 add serviceGroup SvcGrp_exchange_imap4 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 add authentication ldapAction AuthLdapSrv_\u0026lt;DC01.DOMAIN.LOCAL\u0026gt; -serverIP \u0026lt;DC01IP\u0026gt; -ldapBase \u0026#34;\u0026lt;LDAPPATH\u0026gt;\u0026#34; -ldapBindDn \u0026lt;LDAPREAD@DOAMIN.LOCAL\u0026gt; -ldapBindDnPassword \u0026lt;LDAPREADPASSWD\u0026gt; -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN add authentication ldapAction AuthLdapSrv_\u0026lt;DC02.DOMAIN.LOCAL\u0026gt; -serverIP \u0026lt;DC02IP\u0026gt; -ldapBase \u0026#34;\u0026lt;LDAPPATH\u0026gt;\u0026#34; -ldapBindDn \u0026lt;LDAPREAD@DOAMIN.LOCAL\u0026gt; -ldapBindDnPassword \u0026lt;LDAPREADPASSWD\u0026gt; -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN add tm formSSOAction AaaSsoPro_exchange_public -actionURL \u0026#34;/owa/auth.owa\u0026#34; -userField username -passwdField password -ssoSuccessRule 
\u0026#34;HTTP.RES.SET_COOKIE.COOKIE(\u0026#34;cadata\u0026#34;).VALUE(\u0026#34;cadata\u0026#34;).LENGTH.GT(70)\u0026#34; -nameValuePair \u0026#34;flags=0\u0026amp;trusted=0\u0026#34; -responsesize 60000 -submitMethod POST add tm formSSOAction AaaSsoPro_exchange_private -actionURL \u0026#34;/owa/auth.owa\u0026#34; -userField username -passwdField password -ssoSuccessRule \u0026#34;HTTP.RES.SET_COOKIE.COOKIE(\u0026#34;cadata\u0026#34;).VALUE(\u0026#34;cadata\u0026#34;).LENGTH.GT(70)\u0026#34; -nameValuePair \u0026#34;flags=4\u0026amp;trusted=0\u0026#34; -responsesize 60000 -submitMethod POST add tm trafficAction AaaTrafPro_exchange_public -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_public -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE add tm trafficAction AaaTrafPro_exchange_private -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_private -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE add tm trafficAction AaaTrafPro_exchange_logoff_global -appTimeout 1 -SSO ON -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE add authentication ldapPolicy AuthLdapPol_\u0026lt;DC01.DOMAIN.LOCAL\u0026gt; ns_true AuthLdapSrv_\u0026lt;DC01.DOMAIN.LOCAL\u0026gt; add authentication ldapPolicy AuthLdapPol_\u0026lt;DC02.DOMAIN.LOCAL\u0026gt; ns_true AuthLdapSrv_\u0026lt;DC02.DOMAIN.LOCAL\u0026gt; add tm trafficPolicy AaaTrafPol_exchange_public \u0026#34;HTTP.REQ.URL.CONTAINS(\u0026#34;owa/auth/logon.aspx\u0026#34;) \u0026amp;\u0026amp; CLIENT.IP.SRC.IN_SUBNET(\u0026lt;CLIENTSUBNET\u0026gt;).NOT\u0026#34; AaaTrafPro_exchange_public add tm trafficPolicy AaaTrafPol_exchange_private \u0026#34;HTTP.REQ.URL.CONTAINS(\u0026#34;owa/auth/logon.aspx\u0026#34;) \u0026amp;\u0026amp; CLIENT.IP.SRC.IN_SUBNET(\u0026lt;CLIENTSUBNET\u0026gt;) || HTTP.REQ.USER.IS_MEMBER_OF(\u0026#34;\u0026lt;ADEXCHPRIVATEGRP\u0026gt;\u0026#34;)\u0026#34; AaaTrafPro_exchange_private add tm trafficPolicy AaaTrafPol_exchange_logoff_global 
\u0026#34;HTTP.REQ.URL.CONTAINS(\u0026#34;owa/logoff.owa\u0026#34;)\u0026#34; AaaTrafPro_exchange_logoff_global add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost \u0026lt;AUTHVIPFQDN\u0026gt; -Authentication ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;Outlook Web Access\u0026#34; add lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;Exchange Web Service\u0026#34; add lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;Autodiscover Service\u0026#34; add lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost \u0026lt;AUTHVIPFQDN\u0026gt; -Authentication ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;Exchange Control Panel\u0026#34; add lb vserver LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;ActiveSync Service for Mobile Mail clients\u0026#34; add lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;Offline Address Book\u0026#34; add lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -comment \u0026#34;Outlook Anywhere or RPC over HTTPS\u0026#34; add lb vserver LbVip_exchange_imap4 SSL_TCP \u0026lt;CSVIPIP\u0026gt; 993 -persistenceType SSLSESSION -cltTimeout 9000 add lb vserver LbVip_exchange_pop3 SSL_TCP \u0026lt;CSVIPIP\u0026gt; 995 -persistenceType SSLSESSION -cltTimeout 9000 add authentication vserver 
AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; SSL \u0026lt;AUTHVIPIP\u0026gt; 443 -AuthenticationDomain \u0026lt;DOMAIN.LOCAL\u0026gt; add cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; SSL \u0026lt;CSVIPIP\u0026gt; 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation add cs vserver CswVip_http_\u0026lt;DOMAIN.LOCAL\u0026gt; HTTP \u0026lt;CSVIPIP\u0026gt; 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation add cs action CswAct_ews -targetLBVserver LbVip_exchange_ews add cs action CswAct_owa -targetLBVserver LbVip_exchange_owa add cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp add cs action CswAct_eas -targetLBVserver LbVip_exchange_eas add cs action CswAct_oab -targetLBVserver LbVip_exchange_oab add cs action CswAct_oa -targetLBVserver LbVip_exchange_oa add cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover add cs policy CswPol_ews -rule \u0026#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/ews\u0026#34;)\u0026#34; -action CswAct_ews add cs policy CswPol_owa -rule \u0026#34;HTTP.REQ.HEADER(\u0026#34;User-Agent\u0026#34;).SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;Mozilla\u0026#34;)\u0026#34; -action CswAct_owa add cs policy CswPol_ecp -rule \u0026#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/ecp\u0026#34;)\u0026#34; -action CswAct_ecp add cs policy CswPol_eas -rule \u0026#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/Microsoft-Server-ActiveSync\u0026#34;)\u0026#34; -action CswAct_eas add cs policy CswPol_oab -rule \u0026#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/oab\u0026#34;)\u0026#34; -action CswAct_oab add cs policy CswPol_oa -rule \u0026#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/rpc\u0026#34;)\u0026#34; -action CswAct_oa add cs policy CswPol_autodiscover -rule \u0026#34;HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\u0026#34;/AutoDiscover\u0026#34;)\u0026#34; -action 
CswAct_autodiscover add rewrite action RewAct_exchange_insert_pback_cookie_1 insert_http_header COOKIE \u0026#34;\u0026#34;PBack=0;\u0026#34;\u0026#34; add rewrite action RewAct_exchange_insert_pback_cookie_2 insert_after \u0026#34;HTTP.REQ.HEADER(\u0026#34;COOKIE\u0026#34;).INSTANCE(0).SUBSTR(\u0026#34;:\u0026#34;)\u0026#34; \u0026#34;\u0026#34; PBack=0;\u0026#34;\u0026#34; add rewrite policy RewPol_exchange_insert_pback_cookie_1 \u0026#34;HTTP.REQ.URL.CONTAINS(\u0026#34;owa/auth/logon.aspx\u0026#34;) \u0026amp;\u0026amp; HTTP.REQ.COOKIE.COUNT.GT(2).NOT\u0026#34; RewAct_exchange_insert_pback_cookie_1 add rewrite policy RewPol_exchange_insert_pback_cookie_2 \u0026#34;HTTP.REQ.URL.CONTAINS(\u0026#34;owa/auth/logon.aspx\u0026#34;) \u0026amp;\u0026amp; HTTP.REQ.COOKIE.COUNT.GT(2)\u0026#34; RewAct_exchange_insert_pback_cookie_2 bind rewrite global RewPol_exchange_insert_pback_cookie_2 100 END -type REQ_DEFAULT bind rewrite global RewPol_exchange_insert_pback_cookie_1 110 END -type REQ_DEFAULT add responder action ResAct_exchange_ToOwa redirect \u0026#34;\u0026#34;/owa\u0026#34;\u0026#34; add responder policy ResPol_exchange_ToOwa \u0026#34;HTTP.REQ.URL.STARTSWITH(\u0026#34;/owa\u0026#34;).NOT\u0026#34; ResAct_exchange_ToOwa add responder action ResAct_ToHTTPS_301 respondwith q{\u0026#34;HTTP/1.1 301 Moved Permanentlyrn\u0026#34; + \u0026#34;Location: https://\u0026#34; + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + \u0026#34;rnrn\u0026#34;} -bypassSafetyCheck YES add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301 add responder action ResAct_ToHTTPS_404 respondwith q{\u0026#34;HTTP/1.1 404 Not Foundrn\u0026#34;} -bypassSafetyCheck YES add responder policy ResPol_RespondWith404 true ResAct_ToHTTPS_404 bind lb vserver LbVip_exchange_owa SvcGrp_exchange_owa bind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa bind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews bind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas bind lb vserver LbVip_exchange_ecp 
SvcGrp_exchange_ecp bind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab bind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover bind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3 bind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4 bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_private -priority 100 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_public -priority 110 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_public -priority 100 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_private -priority 110 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST bind cs vserver CswVip_http_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST bind cs vserver CswVip_http_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_autodiscover -priority 100 bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_eas -priority 110 bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_ews -priority 120 bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_oab -priority 130 bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_oa -priority 140 bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_ecp -priority 150 bind cs vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -policyName CswPol_owa -priority 160 set ns httpParam -dropInvalReqs ON add lb monitor Mon_imap4 TCP-ECV -send \u0026#34;GET 
/\u0026#34; -recv \u0026#34;The Microsoft Exchange IMAP4 service is ready.\u0026#34; -LRTM ENABLED -interval 30 -destPort 143 add lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName \u0026lt;POPTESTUSER\u0026gt; -password \u0026lt;POPTESTPASSWD\u0026gt; -LRTM ENABLED -interval 30 #Not needed for Exchange 2007-2010 add lb monitor Mon_owa TCP-ECV -send \u0026#34;GET /owa/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_ecp TCP-ECV -send \u0026#34;GET /ecp/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_ews TCP-ECV -send \u0026#34;GET /ews/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_eas TCP-ECV -send \u0026#34;GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_oab TCP-ECV -send \u0026#34;GET /oab/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_oa TCP-ECV -send \u0026#34;GET /rpc/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_Autodiscover TCP-ECV -send \u0026#34;GET /Autodiscover/healthcheck.htm HTTP/1.1rnHost:\u0026lt;EXCHANGEWEBMAILURL\u0026gt;rnConnection:Closernrn\u0026#34; -recv 200 -LRTM ENABLED -retries 10 -secure YES bind serviceGroup SvcGrp_exchange_owa Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup 
SvcGrp_exchange_owa Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv bind serviceGroup SvcGrp_exchange_oa Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_oa Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv bind serviceGroup SvcGrp_exchange_ews Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_ews Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv bind serviceGroup SvcGrp_exchange_eas Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_eas Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv bind serviceGroup SvcGrp_exchange_ecp Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_ecp Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp #Exchange 2007-2010 
#bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv bind serviceGroup SvcGrp_exchange_oab Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_oab Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_oab -monitorName https-ecv bind serviceGroup SvcGrp_exchange_autodiscover Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_autodiscover Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 443 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; #Exchange 2013 bind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv bind serviceGroup SvcGrp_exchange_pop3 Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 110 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_pop3 Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 110 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3 bind serviceGroup SvcGrp_exchange_imap4 Srv_\u0026lt;EXCH01.DOMAIN.LOCAL\u0026gt; 143 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_imap4 Srv_\u0026lt;EXCH02.DOMAIN.LOCAL\u0026gt; 143 -CustomServerID \u0026#34;\u0026#34;None\u0026#34;\u0026#34; bind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4 set ssl vserver LbVip_exchange_owa -ssl3 DISABLED set ssl vserver LbVip_exchange_ews -ssl3 DISABLED set ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED set ssl vserver LbVip_exchange_ecp -ssl3 DISABLED set ssl vserver LbVip_exchange_eas -ssl3 DISABLED set ssl vserver 
LbVip_exchange_oab -ssl3 DISABLED set ssl vserver LbVip_exchange_oa -ssl3 DISABLED set ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED set ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED set ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -ssl3 DISABLED set ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -ssl3 DISABLED add tm sessionAction AaaSesPro_sso_exchange -sessTimeout 60 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain Domain -httpOnlyCookie NO -persistentCookie ON -persistentCookieValidity 30 add tm sessionPolicy AaaSesPol_sso_exchange ns_true AaaSesPro_sso_exchange bind tm global -policyName AaaTrafPol_exchange_logoff_global -priority 100 bind authentication vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -policy AuthLdapPol_\u0026lt;DC01.DOMAIN.LOCAL\u0026gt; -priority 100 bind authentication vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -policy AuthLdapPol_\u0026lt;DC02.DOMAIN.LOCAL\u0026gt; -priority 110 bind authentication vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -policy AaaSesPol_sso_exchange -priority 100 add ssl cipher HighSecurity bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA bind ssl vserver LbVip_exchange_owa -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_ews -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver 
LbVip_exchange_autodiscover -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_ecp -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_eas -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_oab -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_oa -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_imap4 -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver LbVip_exchange_pop3 -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; bind ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -certkeyName \u0026#34;\u0026lt;CERTIFICATE\u0026gt;\u0026#34; unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT unbind ssl vserver LbVip_exchange_ews -cipherName DEFAULT unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT unbind ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -cipherName DEFAULT unbind ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -cipherName DEFAULT bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity bind 
ssl vserver LbVip_exchange_oa -cipherName HighSecurity bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity bind ssl vserver AaaVip_\u0026lt;AUTHVIPFQDN\u0026gt; -cipherName HighSecurity bind ssl vserver CswVip_https_\u0026lt;DOMAIN.LOCAL\u0026gt; -cipherName HighSecurity ","date":"February 21, 2015","externalUrl":null,"permalink":"/posts/exchange-config-for-the-netscaler-with-aaa-authentication/","section":"Blog","summary":"Below is the NetScaler configuration for an Exchange environment. You need an Enterprise licence to activate AAA.\n#--- Replace the text below with the actual data---# #Domain Controller hostname and IP \u003cDC01.DOMAIN.LOCAL\u003e \u003cDC01IP\u003e \u003cDC02.DOMAIN.LOCAL\u003e \u003cDC01IP\u003e #Exchange server hostname and IP \u003cEXCH01.DOMAIN.LOCAL\u003e \u003cEXCH01IP\u003e \u003cEXCH02.DOMAIN.LOCAL\u003e \u003cEXCH02IP\u003e #Active Directory data \u003cLDAPPATH\u003e \u003cLDAPREAD@DOAMIN.LOCAL\u003e \u003cLDAPREADPASSWD\u003e #Client subnet marked save for private profile \u003cCLIENTSUBNET\u003e #AD group for always use of the private profile \u003cADEXCHPRIVATEGRP\u003e #AAA Server FQDN and IP \u003cAUTHVIPFQDN\u003e \u003cAUTHVIPIP\u003e #Content Switch IP \u003cCSVIPIP\u003e #Domain FQDN \u003cDOMAIN.LOCAL\u003e #Certiicatename as installed in the NetScaler \u003cCERTIFICATE\u003e #Test user for the POP monitor \u003cPOPTESTUSER\u003e \u003cPOPTESTPASSWD\u003e #--- NS Config below this line ---# enable ns feature LB CS CMP SSL AAA REWRITE RESPONDER set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED add server Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e \u003cEXCH01IP\u003e add server Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e \u003cEXCH02IP\u003e add serviceGroup SvcGrp_exchange_owa SSL -CMP YES -comment \"Outlook Web Access\" add serviceGroup SvcGrp_exchange_oa SSL -CMP YES -comment \"Outlook Anywhere or RPC over HTTPS\" add serviceGroup SvcGrp_exchange_ews 
SSL -CMP YES -comment \"Exchange Web Services\" add serviceGroup SvcGrp_exchange_eas SSL -CMP YES -comment \"ActiveSync Service for Mobile Mail clients\" add serviceGroup SvcGrp_exchange_ecp SSL -CMP YES -comment \"Exchange Control Panel\" add serviceGroup SvcGrp_exchange_oab SSL -CMP YES -comment \"Offline Address Book\" add serviceGroup SvcGrp_exchange_autodiscover SSL -CMP YES -comment \"Autodiscover Service\" add serviceGroup SvcGrp_exchange_pop3 TCP-cltTimeout 9000 -svrTimeout 9000 add serviceGroup SvcGrp_exchange_imap4 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 add authentication ldapAction AuthLdapSrv_\u003cDC01.DOMAIN.LOCAL\u003e -serverIP \u003cDC01IP\u003e -ldapBase \"\u003cLDAPPATH\u003e\" -ldapBindDn \u003cLDAPREAD@DOAMIN.LOCAL\u003e -ldapBindDnPassword \u003cLDAPREADPASSWD\u003e -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN add authentication ldapAction AuthLdapSrv_\u003cDC02.DOMAIN.LOCAL\u003e -serverIP \u003cDC02IP\u003e -ldapBase \"\u003cLDAPPATH\u003e\" -ldapBindDn \u003cLDAPREAD@DOAMIN.LOCAL\u003e -ldapBindDnPassword \u003cLDAPREADPASSWD\u003e -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN add tm formSSOAction AaaSsoPro_exchange_public -actionURL \"/owa/auth.owa\" -userField username -passwdField password -ssoSuccessRule \"HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)\" -nameValuePair \"flags=0\u0026trusted=0\" -responsesize 60000 -submitMethod POST add tm formSSOAction AaaSsoPro_exchange_private -actionURL \"/owa/auth.owa\" -userField username -passwdField password -ssoSuccessRule \"HTTP.RES.SET_COOKIE.COOKIE(\"cadata\").VALUE(\"cadata\").LENGTH.GT(70)\" -nameValuePair \"flags=4\u0026trusted=0\" -responsesize 60000 -submitMethod POST add tm trafficAction AaaTrafPro_exchange_public -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_public -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE add tm 
trafficAction AaaTrafPro_exchange_private -appTimeout 1 -SSO ON -formSSOAction AaaSsoPro_exchange_private -persistentCookie OFF -InitiateLogout OFF -kcdAccount NONE add tm trafficAction AaaTrafPro_exchange_logoff_global -appTimeout 1 -SSO ON -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE add authentication ldapPolicy AuthLdapPol_\u003cDC01.DOMAIN.LOCAL\u003e ns_true AuthLdapSrv_\u003cDC01.DOMAIN.LOCAL\u003e add authentication ldapPolicy AuthLdapPol_\u003cDC02.DOMAIN.LOCAL\u003e ns_true AuthLdapSrv_\u003cDC02.DOMAIN.LOCAL\u003e add tm trafficPolicy AaaTrafPol_exchange_public \"HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") \u0026\u0026 CLIENT.IP.SRC.IN_SUBNET(\u003cCLIENTSUBNET\u003e).NOT\" AaaTrafPro_exchange_public add tm trafficPolicy AaaTrafPol_exchange_private \"HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") \u0026\u0026 CLIENT.IP.SRC.IN_SUBNET(\u003cCLIENTSUBNET\u003e) || HTTP.REQ.USER.IS_MEMBER_OF(\"\u003cADEXCHPRIVATEGRP\u003e\")\" AaaTrafPro_exchange_private add tm trafficPolicy AaaTrafPol_exchange_logoff_global \"HTTP.REQ.URL.CONTAINS(\"owa/logoff.owa\")\" AaaTrafPro_exchange_logoff_global add lb vserver LbVip_exchange_owa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost \u003cAUTHVIPFQDN\u003e -Authentication ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"Outlook Web Access\" add lb vserver LbVip_exchange_ews SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"Exchange Web Service\" add lb vserver LbVip_exchange_autodiscover SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"Autodiscover Service\" add lb vserver LbVip_exchange_ecp SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -AuthenticationHost \u003cAUTHVIPFQDN\u003e -Authentication ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"Exchange Control Panel\" add lb vserver 
LbVip_exchange_eas SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"ActiveSync Service for Mobile Mail clients\" add lb vserver LbVip_exchange_oab SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"Offline Address Book\" add lb vserver LbVip_exchange_oa SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180 -authn401 ON -authnVsName AaaVip_\u003cAUTHVIPFQDN\u003e -comment \"Outlook Anywhere or RPC over HTTPS\" add lb vserver LbVip_exchange_imap4 SSL_TCP \u003cCSVIPIP\u003e 993 -persistenceType SSLSESSION -cltTimeout 9000 add lb vserver LbVip_exchange_pop3 SSL_TCP \u003cCSVIPIP\u003e 995 -persistenceType SSLSESSION -cltTimeout 9000 add authentication vserver AaaVip_\u003cAUTHVIPFQDN\u003e SSL \u003cAUTHVIPIP\u003e 443 -AuthenticationDomain \u003cDOMAIN.LOCAL\u003e add cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e SSL \u003cCSVIPIP\u003e 443 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation add cs vserver CswVip_http_\u003cDOMAIN.LOCAL\u003e HTTP \u003cCSVIPIP\u003e 80 -cltTimeout 180 -caseSensitive OFF -httpProfileName nshttp_default_strict_validation add cs action CswAct_ews -targetLBVserver LbVip_exchange_ews add cs action CswAct_owa -targetLBVserver LbVip_exchange_owa add cs action CswAct_ecp -targetLBVserver LbVip_exchange_ecp add cs action CswAct_eas -targetLBVserver LbVip_exchange_eas add cs action CswAct_oab -targetLBVserver LbVip_exchange_oab add cs action CswAct_oa -targetLBVserver LbVip_exchange_oa add cs action CswAct_autodiscover -targetLBVserver LbVip_exchange_autodiscover add cs policy CswPol_ews -rule \"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/ews\")\" -action CswAct_ews add cs policy CswPol_owa -rule \"HTTP.REQ.HEADER(\"User-Agent\").SET_TEXT_MODE(IGNORECASE).CONTAINS(\"Mozilla\")\" -action CswAct_owa add cs policy CswPol_ecp -rule 
\"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/ecp\")\" -action CswAct_ecp add cs policy CswPol_eas -rule \"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/Microsoft-Server-ActiveSync\")\" -action CswAct_eas add cs policy CswPol_oab -rule \"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/oab\")\" -action CswAct_oab add cs policy CswPol_oa -rule \"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/rpc\")\" -action CswAct_oa add cs policy CswPol_autodiscover -rule \"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/AutoDiscover\")\" -action CswAct_autodiscover add rewrite action RewAct_exchange_insert_pback_cookie_1 insert_http_header COOKIE \"\"PBack=0;\"\" add rewrite action RewAct_exchange_insert_pback_cookie_2 insert_after \"HTTP.REQ.HEADER(\"COOKIE\").INSTANCE(0).SUBSTR(\":\")\" \"\" PBack=0;\"\" add rewrite policy RewPol_exchange_insert_pback_cookie_1 \"HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") \u0026\u0026 HTTP.REQ.COOKIE.COUNT.GT(2).NOT\" RewAct_exchange_insert_pback_cookie_1 add rewrite policy RewPol_exchange_insert_pback_cookie_2 \"HTTP.REQ.URL.CONTAINS(\"owa/auth/logon.aspx\") \u0026\u0026 HTTP.REQ.COOKIE.COUNT.GT(2)\" RewAct_exchange_insert_pback_cookie_2 bind rewrite global RewPol_exchange_insert_pback_cookie_2 100 END -type REQ_DEFAULT bind rewrite global RewPol_exchange_insert_pback_cookie_1 110 END -type REQ_DEFAULT add responder action ResAct_exchange_ToOwa redirect \"\"/owa\"\" add responder policy ResPol_exchange_ToOwa \"HTTP.REQ.URL.STARTSWITH(\"/owa\").NOT\" ResAct_exchange_ToOwa add responder action ResAct_ToHTTPS_301 respondwith q{\"HTTP/1.1 301 Moved Permanentlyrn\" + \"Location: https://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH_AND_QUERY + \"rnrn\"} -bypassSafetyCheck YES add responder policy ResPol_RedirToHTTPS true ResAct_ToHTTPS_301 add responder action ResAct_ToHTTPS_404 respondwith q{\"HTTP/1.1 404 Not Foundrn\"} -bypassSafetyCheck YES add responder policy ResPol_RespondWith404 true ResAct_ToHTTPS_404 bind lb vserver 
LbVip_exchange_owa SvcGrp_exchange_owa bind lb vserver LbVip_exchange_oa SvcGrp_exchange_oa bind lb vserver LbVip_exchange_ews SvcGrp_exchange_ews bind lb vserver LbVip_exchange_eas SvcGrp_exchange_eas bind lb vserver LbVip_exchange_ecp SvcGrp_exchange_ecp bind lb vserver LbVip_exchange_oab SvcGrp_exchange_oab bind lb vserver LbVip_exchange_autodiscover SvcGrp_exchange_autodiscover bind lb vserver LbVip_exchange_pop3 SvcGrp_exchange_pop3 bind lb vserver LbVip_exchange_imap4 SvcGrp_exchange_imap4 bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_private -priority 100 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_owa -policyName AaaTrafPol_exchange_public -priority 110 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_public -priority 100 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_ecp -policyName AaaTrafPol_exchange_private -priority 110 -gotoPriorityExpression END -type REQUEST bind lb vserver LbVip_exchange_owa -policyName ResPol_exchange_ToOwa -priority 100 -gotoPriorityExpression END -type REQUEST bind cs vserver CswVip_http_\u003cDOMAIN.LOCAL\u003e -policyName ResPol_RedirWebmailToHTTPS -priority 100 -gotoPriorityExpression END -type REQUEST bind cs vserver CswVip_http_\u003cDOMAIN.LOCAL\u003e -policyName ResPol_RespondWith404 -priority 10000 -gotoPriorityExpression END -type REQUEST bind cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_autodiscover -priority 100 bind cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_eas -priority 110 bind cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_ews -priority 120 bind cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_oab -priority 130 bind cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_oa -priority 140 bind cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_ecp -priority 150 bind 
cs vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -policyName CswPol_owa -priority 160 set ns httpParam -dropInvalReqs ON add lb monitor Mon_imap4 TCP-ECV -send \"GET /\" -recv \"The Microsoft Exchange IMAP4 service is ready.\" -LRTM ENABLED -interval 30 -destPort 143 add lb monitor Mon_pop3 POP3 -scriptName nspop3.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -userName \u003cPOPTESTUSER\u003e -password \u003cPOPTESTPASSWD\u003e -LRTM ENABLED -interval 30 #Not needed for Exchange 2007-2010 add lb monitor Mon_owa TCP-ECV -send \"GET /owa/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_ecp TCP-ECV -send \"GET /ecp/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_ews TCP-ECV -send \"GET /ews/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_eas TCP-ECV -send \"GET /Microsoft-Server-ActiveSync/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_oab TCP-ECV -send \"GET /oab/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_oa TCP-ECV -send \"GET /rpc/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES add lb monitor Mon_Autodiscover TCP-ECV -send \"GET /Autodiscover/healthcheck.htm HTTP/1.1rnHost:\u003cEXCHANGEWEBMAILURL\u003ernConnection:Closernrn\" -recv 200 -LRTM ENABLED -retries 10 -secure YES bind serviceGroup SvcGrp_exchange_owa Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_owa Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 
-CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_owa -monitorName Mon_owa #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_owa -monitorName https-ecv bind serviceGroup SvcGrp_exchange_oa Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_oa Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_oa -monitorName Mon_oa #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_oa -monitorName https-ecv bind serviceGroup SvcGrp_exchange_ews Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_ews Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_ews -monitorName Mon_ews #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_ews -monitorName https-ecv bind serviceGroup SvcGrp_exchange_eas Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_eas Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_eas -monitorName Mon_eas #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_eas -monitorName https-ecv bind serviceGroup SvcGrp_exchange_ecp Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_ecp Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_ecp -monitorName Mon_ecp #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_ecp -monitorName https-ecv bind serviceGroup SvcGrp_exchange_oab Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_oab Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_oab -monitorName Mon_oab #Exchange 2007-2010 #bind serviceGroup 
SvcGrp_exchange_oab -monitorName https-ecv bind serviceGroup SvcGrp_exchange_autodiscover Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_autodiscover Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 443 -CustomServerID \"\"None\"\" #Exchange 2013 bind serviceGroup SvcGrp_exchange_autodiscover -monitorName Mon_Autodiscover #Exchange 2007-2010 #bind serviceGroup SvcGrp_exchange_autodiscover -monitorName https-ecv bind serviceGroup SvcGrp_exchange_pop3 Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 110 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_pop3 Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 110 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_pop3 -monitorName Mon_pop3 bind serviceGroup SvcGrp_exchange_imap4 Srv_\u003cEXCH01.DOMAIN.LOCAL\u003e 143 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_imap4 Srv_\u003cEXCH02.DOMAIN.LOCAL\u003e 143 -CustomServerID \"\"None\"\" bind serviceGroup SvcGrp_exchange_imap4 -monitorName Mon_imap4 set ssl vserver LbVip_exchange_owa -ssl3 DISABLED set ssl vserver LbVip_exchange_ews -ssl3 DISABLED set ssl vserver LbVip_exchange_autodiscover -ssl3 DISABLED set ssl vserver LbVip_exchange_ecp -ssl3 DISABLED set ssl vserver LbVip_exchange_eas -ssl3 DISABLED set ssl vserver LbVip_exchange_oab -ssl3 DISABLED set ssl vserver LbVip_exchange_oa -ssl3 DISABLED set ssl vserver LbVip_exchange_imap4 -ssl3 DISABLED set ssl vserver LbVip_exchange_pop3 -ssl3 DISABLED set ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -ssl3 DISABLED set ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -ssl3 DISABLED add tm sessionAction AaaSesPro_sso_exchange -sessTimeout 60 -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain Domain -httpOnlyCookie NO -persistentCookie ON -persistentCookieValidity 30 add tm sessionPolicy AaaSesPol_sso_exchange ns_true AaaSesPro_sso_exchange bind tm global -policyName AaaTrafPol_exchange_logoff_global -priority 100 bind authentication vserver 
AaaVip_\u003cAUTHVIPFQDN\u003e -policy AuthLdapPol_\u003cDC01.DOMAIN.LOCAL\u003e -priority 100 bind authentication vserver AaaVip_\u003cAUTHVIPFQDN\u003e -policy AuthLdapPol_\u003cDC02.DOMAIN.LOCAL\u003e -priority 110 bind authentication vserver AaaVip_\u003cAUTHVIPFQDN\u003e -policy AaaSesPol_sso_exchange -priority 100 add ssl cipher HighSecurity bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES256-SHA bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-AES128-SHA bind ssl cipher HighSecurity -cipherName TLS1-ECDHE-RSA-DES-CBC3-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-DHE-DSS-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-AES-256-CBC-SHA bind ssl cipher HighSecurity -cipherName TLS1-AES-128-CBC-SHA bind ssl cipher HighSecurity -cipherName SSL3-DES-CBC3-SHA bind ssl vserver LbVip_exchange_owa -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_ews -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_autodiscover -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_ecp -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_eas -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_oab -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_oa -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_imap4 -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver LbVip_exchange_pop3 -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -certkeyName \"\u003cCERTIFICATE\u003e\" bind ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -certkeyName \"\u003cCERTIFICATE\u003e\" unbind ssl vserver LbVip_exchange_owa -cipherName DEFAULT unbind ssl vserver 
LbVip_exchange_ews -cipherName DEFAULT unbind ssl vserver LbVip_exchange_autodiscover -cipherName DEFAULT unbind ssl vserver LbVip_exchange_ecp -cipherName DEFAULT unbind ssl vserver LbVip_exchange_eas -cipherName DEFAULT unbind ssl vserver LbVip_exchange_oab -cipherName DEFAULT unbind ssl vserver LbVip_exchange_oa -cipherName DEFAULT unbind ssl vserver LbVip_exchange_imap4 -cipherName DEFAULT unbind ssl vserver LbVip_exchange_pop3 -cipherName DEFAULT unbind ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -cipherName DEFAULT unbind ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -cipherName DEFAULT bind ssl vserver LbVip_exchange_owa -cipherName HighSecurity bind ssl vserver LbVip_exchange_ews -cipherName HighSecurity bind ssl vserver LbVip_exchange_autodiscover -cipherName HighSecurity bind ssl vserver LbVip_exchange_ecp -cipherName HighSecurity bind ssl vserver LbVip_exchange_eas -cipherName HighSecurity bind ssl vserver LbVip_exchange_oab -cipherName HighSecurity bind ssl vserver LbVip_exchange_oa -cipherName HighSecurity bind ssl vserver LbVip_exchange_imap4 -cipherName HighSecurity bind ssl vserver LbVip_exchange_pop3 -cipherName HighSecurity bind ssl vserver AaaVip_\u003cAUTHVIPFQDN\u003e -cipherName HighSecurity bind ssl vserver CswVip_https_\u003cDOMAIN.LOCAL\u003e -cipherName HighSecurity ","title":"Exchange config for the NetScaler with AAA Authentication","type":"posts"},{"content":"There is an undocumented regkey setting required to add PNAgent functionality using the new Citrix Receiver 4.2.\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Citrix\\Dazzle] \"PnaSSONEnabled\"=\"true\" Once applied, the Citrix Receiver 4.2 can utilise a PNAgent/config.xml configuration. 
Source\n","date":"January 26, 2015","externalUrl":null,"permalink":"/posts/citrix-receiver-4.2-pnagent-configuration/","section":"Blog","summary":"There is an undocumented regkey setting required to add PNAgent functionality using the new Citrix Receiver 4.2.\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Citrix\\Dazzle] \"PnaSSONEnabled\"=\"true\" Once applied, the Citrix Receiver 4.2 can utilise a PNAgent/config.xml configuration. Source\n","title":"Citrix Receiver 4.2 \u0026 PNAgent Configuration","type":"posts"},{"content":"To install the StoreFront prerequisites, execute the following PowerShell commands on the StoreFront Server.\nImport-Module ServerManager\nAdd-WindowsFeature -Name Web-Server,Web-WebServer,Web-App-Dev,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Mgmt-Tools,Web-Scripting-Tools,Web-Http-Redirect,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Lgcy-Scripting ","date":"December 8, 2014","externalUrl":null,"permalink":"/posts/install-storefront-prerequisites/","section":"Blog","summary":"To install the StoreFront prerequisites, execute the following PowerShell commands on the StoreFront Server.\nImport-Module ServerManager\nAdd-WindowsFeature -Name Web-Server,Web-WebServer,Web-App-Dev,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Security,Web-Basic-Auth,Web-Windows-Auth,Web-Mgmt-Tools,Web-Scripting-Tools,Web-Http-Redirect,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Lgcy-Scripting ","title":"Install StoreFront prerequisites","type":"posts"},{"content":"","date":"November 5, 2014","externalUrl":null,"permalink":"/categories/adcs/","section":"Categories","summary":"","title":"ADCS","type":"categories"},{"content":"When ADCS uses SHA1 for its certificates, you might want to change it to SHA256. 
NOTE: Make sure all your devices support SHA256. To achieve this, enter the following commands in an elevated command prompt:\ncertutil -setreg ca\\csp\\CNGHashAlgorithm SHA256\nnet stop certsvc\nnet start certsvc ","date":"November 5, 2014","externalUrl":null,"permalink":"/posts/changing-microsoft-adcs-from-sha1-to-sha256/","section":"Blog","summary":"When ADCS uses SHA1 for its certificates, you might want to change it to SHA256. NOTE: Make sure all your devices support SHA256. To achieve this, enter the following commands in an elevated command prompt:\n","title":"Changing Microsoft ADCS from sha1 to sha256","type":"posts"},{"content":"psexec \\\\COMPUTERNAME -u domain\\user -sd -i 0 \"c:\\Procmon.exe\" /accepteula /backingfile c:\\output.pml /nofilter /quiet\nLog on as the user and log off again (this can take a bit longer because of the logging). Then stop procmon (to close the log file):\npsexec \\\\COMPUTERNAME -u domain\\user -sd -i 0 \"c:\\Procmon.exe\" /Terminate\nSysinternals tools required: psexec, procmon\n","date":"August 27, 2014","externalUrl":null,"permalink":"/posts/procmon-remote-monitoring/","section":"Blog","summary":"psexec \\\\COMPUTERNAME -u domain\\user -sd -i 0 \"c:\\Procmon.exe\" /accepteula /backingfile c:\\output.pml /nofilter /quiet\nLog on as the user and log off again (this can take a bit longer because of the logging). Then stop procmon (to close the log file):\npsexec \\\\COMPUTERNAME -u domain\\user -sd -i 0 \"c:\\Procmon.exe\" /Terminate\nSysinternals tools required: psexec, procmon\n","title":"procmon remote monitoring","type":"posts"},{"content":" Welcome to J81-Blog # ","date":"June 8, 2014","externalUrl":null,"permalink":"/pages/2014-06-08-welcome/","section":"Pages","summary":"Welcome to J81-Blog # ","title":"Welcome","type":"pages"},{"content":"Install Hyper-V Server 2012 Core and log in to the console.\nConfigure date and time (select #9).\nEnable Remote Desktop (select #7). 
Also select the ‘Less Secure’ option.\nConfigure Remote Management (select #4 then #1).\nAdd local administrator account (select #3). Username and password need to be exactly the same as the account you are going to use on the client computer to manage this Hyper-V Server.\nConfigure network settings (select #8). Configure as a static IP. Same subnet as your home network. Don’t forget to configure the DNS IP.\nSet the computer name (select #2). Rename the server and reboot.\nRemote Desktop to server. On your client machine, remote to the server via the IP address you assigned it. Use the credentials of the local administrator account you created earlier.\nLaunch PowerShell. In the black cmd window, run the following command: start powershell\nRun the following commands:\nEnable-NetFirewallRule -DisplayGroup \"Windows Remote Management\"\nEnable-NetFirewallRule -DisplayGroup \"Remote Event Log Management\"\nEnable-NetFirewallRule -DisplayGroup \"Remote Volume Management\"\nSet-Service VDS -StartupType Automatic\nReboot the server (select #12).\nEnable Client Firewall Rule. On your client machine, launch an elevated PowerShell prompt and type the following commands:\nEnable-NetFirewallRule -DisplayGroup \"Remote Volume Management\"\nii c:\\windows\\system32\\drivers\\etc\nAdd server hostname and IP to the hosts file. Right click hosts and select properties. In the security tab, add your username. Give your account modify rights. This is needed because some remote management tools we need to use rely on the hosts file to resolve the name. Without doing this you are highly likely to encounter some errors while trying to create VHDs and such. Error you might see: There was an unexpected error in configuring the hard disk.\nYou should now be able to remotely manage the Hyper-V server from the client machine. This includes managing the Hyper-V server’s disk from within the disk management console on the client. 
You should be able to create VHDs successfully as well from within Hyper-V Manager on the client (assuming you installed the feature). Source\n","date":"June 8, 2014","externalUrl":null,"permalink":"/posts/12-steps-to-remotely-manage-hyper-v-server-2012-core/","section":"Blog","summary":"Install Hyper-V Server 2012 Core and log in to the console.\nConfigure date and time (select #9).\nEnable Remote Desktop (select #7). Also select the ‘Less Secure’ option.\nConfigure Remote Management (select #4 then #1).\n","title":"12 Steps to Remotely Manage Hyper-V Server 2012 Core","type":"posts"},{"content":"","date":"June 8, 2014","externalUrl":null,"permalink":"/categories/hyper-v/","section":"Categories","summary":"","title":"Hyper-V","type":"categories"},{"content":"","date":"June 8, 2014","externalUrl":null,"permalink":"/categories/esxi/","section":"Categories","summary":"","title":"ESXi","type":"categories"},{"content":"VM hardware version 9 or higher is required. Under the VM Advanced settings, add:\nvhv.enable = \"true\"\nhypervisor.cpuid.v0 = \"FALSE\" (Hyper-V)\nAnd in the vSphere Web Client enable \"Expose hardware assisted virtualization to the guest OS\" under CPU.\n","date":"June 8, 2014","externalUrl":null,"permalink":"/posts/nested-hypervisor-on-vsphere/","section":"Blog","summary":"VM hardware version 9 or higher is required. Under the VM Advanced settings, add:\nvhv.enable = \"true\"\nhypervisor.cpuid.v0 = \"FALSE\" (Hyper-V)\nAnd in the vSphere Web Client enable \"Expose hardware assisted virtualization to the guest OS\" under CPU.\n","title":"Nested Hypervisor on vSphere","type":"posts"},{"content":"","date":"June 8, 2014","externalUrl":null,"permalink":"/categories/vmware/","section":"Categories","summary":"","title":"VMware","type":"categories"},{"content":"","date":"June 8, 2014","externalUrl":null,"permalink":"/categories/vsphere/","section":"Categories","summary":"","title":"VSphere","type":"categories"},{"content":"When logging on to the Citrix Director you 
have to enter the domain name along with the username and password. If you don't want to enter the domain name each time you log on, you can have it filled in by default. Edit C:\\inetpub\\wwwroot\\DesktopDirector\\LogOn.aspx (with admin rights) and replace\n\u003casp:TextBox ID=\"Domain\" runat=\"server\" CssClass=\"text-box\" \u003e\u003c/asp:TextBox\u003e\nwith\n\u003casp:TextBox ID=\"Domain\" Text=\"DOMAIN.LOCAL\" readonly=\"true\" runat=\"server\" CssClass=\"text-box\"\u003e\u003c/asp:TextBox\u003e ","date":"April 2, 2014","externalUrl":null,"permalink":"/posts/citrix-desktop-director-auto-fill-domain-name/","section":"Blog","summary":"When logging on to the Citrix Director you have to enter the domain name along with the username and password. If you don't want to enter the domain name each time you log on, you can have it filled in by default. Edit C:\\inetpub\\wwwroot\\DesktopDirector\\LogOn.aspx (with admin rights)\n","title":"Citrix Desktop Director Auto Fill Domain Name","type":"posts"},{"content":"","date":"April 2, 2014","externalUrl":null,"permalink":"/categories/director/","section":"Categories","summary":"","title":"Director","type":"categories"},{"content":"I have put together this blog post about Citrix Access Gateway Enterprise Port Configuration to assist people in setting up their firewalls for implementing Access Gateway in one-arm mode. I have found that almost all of Citrix’s documentation covers the Access Gateway / NetScaler straddling the DMZ and the internal LAN, e.g. the VIP sits in the DMZ and the SNIP sits in the internal LAN. In enterprise deployments firewalls are firewalls and NetScalers are NetScalers, and security does not like NetScalers trying to be firewalls; although I’m sure they do a perfectly fine job of it. 
So the below article describes what firewall rules you will need to have in place to get a NetScaler working when all its interfaces reside in the DMZ (one-arm single subnet). You should find the diagram useful even if you are not using the model described above. This is a diagram I like to use to explain NetScalers in an HA pair. It shows all the possible routes that traffic could take, not the way traffic flows during normal operation. The VIP and SNIP “float” between the two devices; in reality they exist on both devices but at any given time are only active on whichever node is the primary in the HA pair.\nSource IP | Destination IP | Protocol | Port | Function\nClient IPs | Access Gateway VIP | TCP | 443 | Secure traffic from internet clients to AGEE VIP\nNetScaler NSIP | LDAP Servers (1) | TCP | 389 | LDAP authentication traffic from NetScaler IP to LDAP servers\nNetScaler NSIP | RADIUS servers | TCP/UDP | 1812 | RADIUS traffic from Access Gateway to RADIUS server (for RSA dual factor authentication)\nNetScaler VIP (2) | DNS Servers | TCP | 53 | DNS traffic from VIP to DNS servers\nNetScaler SNIP | Web Interface Servers | TCP | 80/443 (3) | Traffic from Access Gateway to Web Interface servers\nWeb Interface Servers | Access Gateway VIP | TCP | 443 | Web Interface call back traffic to Access Gateway VIP (4)\nNetScaler SNIP | All XenApp session host servers and all XenDesktop Desktops (virtual, physical etc) | TCP | 1494 \u0026 2598 (6) | ICA traffic from the Access Gateway to all Citrix XenApp or XenDesktop endpoints\nManagement Server | NetScaler SNIP | TCP | 80/3010 | Console and Java Applet traffic to NetScaler (for management)\n1. In most cases these will be your Active Directory domain controllers – always use more than one.\n2. Normally this comes from the NSIP, but because ICMP is used to verify whether the DNS servers are available, the DNS servers will show as down unless your security team allow ICMP through the firewall, which is very unlikely. Therefore, set up an internal DNS load balancer with a DNS lookup monitor and point your NetScalers at the internal load balancer.\n3. Normally port 80. Port 443 if you secure your Web Interface servers with a certificate.\n4. Ensure that from a browser on your Web Interface server you can type the FQDN of the AGEE and get the logon page with NO errors.\n5. Normally port 80. Port 443 if you secure your Web Interface servers with a certificate.\n6. Port 2598 is for session reliability.\nRemember that if you have your NetScalers configured in an HA pair, traffic originating from the NSIP can come from either NetScaler depending on which one is hosting the AGEE VIP at the time. For anything that comes from the NSIP you can load balance it using a VIP if you want the traffic to originate from one IP. Source\n","date":"March 30, 2014","externalUrl":null,"permalink":"/posts/citrix-access-gateway-enterprise-port-configuration/","section":"Blog","summary":"I have put together this blog post about Citrix Access Gateway Enterprise Port Configuration to assist people in setting up their firewalls for implementing Access Gateway in one-arm mode. I have found that almost all of Citrix’s documentation covers the Access Gateway / NetScaler straddling the DMZ and the internal LAN, e.g. the VIP sits in the DMZ and the SNIP sits in the internal LAN. In enterprise deployments firewalls are firewalls and NetScalers are NetScalers, and security does not like NetScalers trying to be firewalls; although I’m sure they do a perfectly fine job of it. So the below article describes what firewall rules you will need to have in place to get a NetScaler working when all its interfaces reside in the DMZ (one-arm single subnet). You should find the diagram useful even if you are not using the model described above. This is a diagram I like to use to explain NetScalers in an HA pair. It shows all the possible routes that traffic could take, not the way traffic flows during normal operation. 
The VIP and SNIP “float” between the two devices, in reality they exist on both devices but at any given time are only active on whichever node is the primary in the HA pair. ","title":"Citrix Access Gateway Enterprise Port Configuration","type":"posts"},{"content":"The NetScaler Access Gateway uses a number of IP addresses for various purposes. When Access Gateway is deployed in a DMZ, it is important to understand the role of each. The following table summarises the various types of IP addresses and their roles in a deployment: The following diagram illustrates the firewall port requirements for normal operation when the NetScaler Access Gateway platform is deployed in a DMZ in a two arm deployment, where no MIP is required. Source\n","date":"March 30, 2014","externalUrl":null,"permalink":"/posts/citrix-netscaler-for-xendesktop-firewall-considerations/","section":"Blog","summary":"The NetScaler Access Gateway uses a number of IP addresses for various purposes. When Access Gateway is deployed in a DMZ, it is important to understand the role of each. The following table summarises the various types of IP addresses and their roles in a deployment: The following diagram illustrates the firewall port requirements for normal operation when the NetScaler Access Gateway platform is deployed in a DMZ in a two arm deployment, where no MIP is required. Source\n","title":"Citrix NetScaler for XenDesktop Firewall Considerations","type":"posts"},{"content":" NetScaler Network Connections. # At a very high level, considering the actual NetScaler connections to the network, and because of the way that NetScaler functions and can be configured, the NetScaler should be considered a switch, and not a router/firewall. With a switch, you can configure the management IP address on an individual port, responding to just devices reachable through that port, or it can be configured to respond on all ports to devices reachable from every port. 
With the NetScaler, either in single arm or multi arm deployment scenarios, there is no need to tell the NetScaler that network X is on interface 1/1 and network Y is on interface 1/2 (you can if you wish to, or are instructed to by the network security team, by tagging IP addresses to defined NetScaler VLANs which have specific interfaces assigned), but generally, it will happily use the IP addresses it is configured with on the relevant interfaces. When the NetScaler receives a packet destined for one of its IP addresses, it knows that the network which defines that address is available through the interface on which the request was received. Please Note: I don\u0026rsquo;t claim to be a NetScaler Guru, or to have the knowledge to make all the bells and whistles of the NetScaler sound into a polyphony; there are others on the Internet who can better provide you with that information. The information here is from my own observations during a standard two arm deployment of Virtual and Physical NetScaler 10 Access Gateways.\nNetScaler IP Address type definitions # There are a number of types of IP addresses which can be defined on the NetScaler, all of which have specific usages.\nNSIP - NetScaler IP Address # The NetScaler IP (NSIP) address is the IP address at which you access the NetScaler for management purposes. You must add this IP address when you configure the NetScaler for the first time. You cannot remove the NSIP address. The NetScaler can have only one NSIP. The NSIP is also called the Management IP address. If you modify this address, you must reboot the NetScaler. SNIP - NetScaler Subnet IP Address #\nA subnet IP (SNIP) is similar in functionality to a MIP (defined later). A subnet IP (SNIP) address is used in connection management and server monitoring. It is not mandatory to specify a SNIP when you initially configure the NetScaler appliance. 
In a multiple-subnet scenario, the NetScaler IP (NSIP) address, the mapped IP (MIP) address, and the IP address of a server CAN exist on different subnets. To eliminate the need to configure additional routes on devices such as servers, you can configure subnet IP addresses (SNIPs) on the NetScaler. With Use SNIP (USNIP) mode enabled, a SNIP is the source IP address of a packet sent from the NetScaler to the server, and the SNIP is the IP address that the server uses to access the NetScaler. This mode is enabled by default. When you add a SNIP, a route corresponding to the SNIP is added to the routing table. The NetScaler determines the next hop for a service from the routing table, and if the IP address of the hop is within the range of a SNIP, the NetScaler uses the SNIP to source traffic to the service. When multiple SNIPs cover the IP addresses of the next hops, the SNIPs are used in a round-robin manner. MIP - Mapped IP Address # A Mapped IP address is similar in functionality to a SNIP (defined above). Mapped IP addresses (MIP) are used for server-side connections. A MIP can be considered a default subnet IP (SNIP) address, because MIPs are used when a SNIP is not available or Use SNIP (USNIP) mode is disabled. If the mapped IP address is the first in the subnet, the NetScaler appliance adds a route entry, with this IP address as the gateway to reach the subnet. You can create or delete a MIP during run time without rebooting the appliance. As an alternative to creating MIPs one at a time, you can specify a consecutive range of MIPs. VIP - Virtual IP Address # The Virtual IP address is where the external users will be authenticated. A VIP is an IP address assigned to multiple domain names, servers or applications residing on a single server instead of connected to a specific server or network interface card (NIC) on a server. Incoming data packets are sent to the VIP address and are routed to actual network interfaces. 
A server IP address depends on the Media Access Control (MAC) address of the attached NIC, and only one logical IP address may be assigned per card. However, VIP addressing enables hosting for several different applications and virtual appliances on a server with only one logical IP address. VIP have several variations and implementation scenarios, including Common Address Redundancy Protocol (CARP) and Proxy Address Resolution Protocol (Proxy ARP). VIPs are mostly used to consolidate resources through the allocation of one network interface per hosted application. It is also used for connection redundancy by providing alternative fail-over options on one machine; A VIP address may still be available if a computer or NIC fails, because an alternative computer or NIC replies to connections. A VIP is the only IP address which can be disabled, causing any attached devices or services to go down. NetScaler IP Address communication Usage # With the NetScaler, certain traffic will be sent using a specific type of IP address as the source address. Ensure that when you are deploying a NetScaler between firewall(s) that the correct traffic is permitted to run from the correct IP address.\nLDAP, RADIUS, and other authentication traffic will use the NetScaler IP (NSIP). DNS / WINS traffic will use the mapped IP (MIP) or Subnet IP (SNIP), depending on the route to the destination host. VPN Traffic (from the Access Gateway Enterprise Edition to internal resources) uses the MIP, SNIP, or Intranet IP depending on which configuration you have chosen. File System Portal, which is the “File Transfer” button on Access Gateway Enterprise Edition, uses the NSIP. If ICA PROXY is switched ON, the MIP or SNIP is used, depending on the route to the destination host. 
Example Firewall Rules #\n| Usage | Source | Target | Port Numbers |\n| --- | --- | --- | --- |\n| Management | Internal Network | NSIP Address | TCP 443 (HTTPS), TCP 80 (HTTP), TCP 22 (SSH), TCP 3008 (JAVA), TCP 3010 (JAVA) |\n| External User Access | Client Machine / Internet | VIP Address | TCP 443 (HTTPS) |\n| DNS Lookup | MIP / SNIP | DNS Server | TCP 53 (DNS), ICMP Echo (PING); DNS Servers MUST be PING-able to be reported as UP and for the NetScaler to use them |\n| Authentication - Active Directory / LDAP | NSIP | Domain Controller(s) / LDAP Server(s) | TCP 389 (LDAP) and/or TCP 636 (LDAPS) |\n| Authentication - RADIUS | MIP / SNIP | RADIUS Server(s) | TCP 1812 (RADIUS) |\n| NTP Time Sync | NSIP | Time Server | UDP 123 (NTP) |\n| Citrix Edgesight Monitoring In | Internal Network / Edgesight Server | NSIP | TCP 9307 (Edgesight Agent) |\n| Citrix Edgesight Monitoring Out | NSIP | Internal Network / Edgesight Server | TCP 9307 (Edgesight Agent) |\n| SCOM Monitoring In | Internal Network / Management Server | NSIP | TCP 5723 (SCOM Agent) |\n| SCOM Monitoring Out | NSIP | Internal Network / Management Server | TCP 5723 (SCOM Agent) |\n| Web Interface Access | MIP / SNIP | Web Interface Server | TCP 443 (HTTPS) |\n| Web Interface SSO Call Back | Web Interface Server | VIP | TCP 443 (HTTPS) |\n| ICA / XenApp Access | MIP / SNIP | XenApp Servers | TCP 443 (HTTPS), TCP 1494 (Citrix ICA), TCP 2598 (Citrix ICA with session reliability) |\n| Licence Server Access (If Needed) | NSIP | Licence Server | TCP 27001 (Citrix Licence) |\nBackEnd Communications (MIP or SNIP) # The following are the different scenarios where a NetScaler appliance selects the IP address to initiate the backend server connections using a MIP or a SNIP (depending on which you are configured for).\nMIP and SNIP Address Available and USNIP Disabled # A NetScaler appliance uses the MIP address to open backend server connections and SNIP addresses are not used. MIP and SNIP Address Available, USNIP Disabled, and SNIP is Bound to VLAN and L3 Interface # A NetScaler appliance uses the MIP address to open backend server connections and SNIP addresses are not used. The SNIP address is used only for L3 connectivity. 
MIP and SNIP Address Available and USNIP Enabled # A NetScaler appliance uses the SNIP address to open backend server connections and MIP addresses are not used. If the MIP address is configured in the same subnet as the SNIP address, then the MIP address is also used. When you enable USNIP, the NetScaler appliance selects the IP address: the appliance looks up a route or subnet for the destination IP address and selects the IP address regardless of whether it is a SNIP or MIP address. MIP and SNIP Address Available, USNIP Enabled, and SNIP is Bound to VLAN and L3 Interface # A NetScaler appliance uses the SNIP address to open backend server connections and the MIP address is not used. The SNIP address is also used for L3 connectivity. If you configure the MIP address in the same subnet as the SNIP address, then the MIP address is also used. When you enable USNIP, the NetScaler appliance selects the IP address: the appliance looks up a route or subnet for the destination IP address and selects the IP address regardless of whether it is a SNIP or MIP address. VLAN binding does not affect the source IP address selection. Source\n","date":"March 30, 2014","externalUrl":null,"permalink":"/posts/citrix-netscaler-access-gateway-10-basic-fundamentals/","section":"Blog","summary":"NetScaler Network Connections. # At a very high level, considering the actual NetScaler connections to the network, and because of the way that NetScaler functions and can be configured, the NetScaler should be considered a switch, and not a router/firewall. With a switch, you can configure the management IP address on an individual port, responding to just devices reachable through that port, or it can be configured to respond on all ports to devices reachable from every port. 
With the NetScaler, either in single arm or multi arm deployment scenarios, there is no need to tell the NetScaler that network X is on interface 1/1 and network Y is on interface 1/2 (you can if you wish to, or instructed to by the network security team, by tagging IP addresses to a defined NetScaler VLANs which have specific interfaces assigned), but generally, it will happily use the IP addresses it is configured with on the relevant interfaces. When the NetScaler receives a packet destined for one of its IP addresses, it knows that the network which defines that address is available through the interface on which the request was received. Please Note: I don’t claim to be a NetScaler Guru, or to have the knowledge to make all the bells and whistles of the NetScaler sound into a polyphony, there are others on the Internet who can better provide you with that information. The information here is from my own observations during a standard two arm deployment of Virtual and Physical NetScaler 10 Access Gateways.\n","title":"Citrix NetScaler Access Gateway 10 - Basic Fundamentals","type":"posts"},{"content":"Requirements:\nAt least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center enabled. All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher. The Forest must be running at Windows Server 2008 R2 functional level. 
Import the Active Directory modules in PowerShell\nImport-Module ActiveDirectory\nForest Functional Level\nGet-ADForest yourdomain.local\nSet-ADForestMode -Identity yourdomain.local -ForestMode Windows2008R2Forest\nEnable RecycleBin\nEnable-ADOptionalFeature -Identity \u0026#39;CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=local\u0026#39; -Scope ForestOrConfigurationSet -Target \u0026#39;yourdomain.local\u0026#39;\nEnable-ADOptionalFeature \u0026#34;Recycle Bin Feature\u0026#34; -Scope ForestOrConfigurationSet -Target (Get-ADDomain).DnsRoot.ToString() ","date":"February 23, 2014","externalUrl":null,"permalink":"/posts/active-directory-recyclebin/","section":"Blog","summary":"Requirements:\nAt least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center enabled. All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher. The Forest must be running at Windows Server 2008 R2 functional level. Import the Active Directory modules in PowerShell\n","title":"Active Directory RecycleBin","type":"posts"},{"content":"","date":"November 12, 2013","externalUrl":null,"permalink":"/categories/dhcp/","section":"Categories","summary":"","title":"DHCP","type":"categories"},{"content":"netsh dhcp server mySRV scope 192.168.1.0 add reservedip 192.168.1.111 XXXXXXXXXXXX host.domain.local\n","date":"November 12, 2013","externalUrl":null,"permalink":"/posts/via-netsh-dhcp-reserveringen-toevoegen/","section":"Blog","summary":"netsh dhcp server mySRV scope 192.168.1.0 add reservedip 192.168.1.111 XXXXXXXXXXXX host.domain.local\n","title":"Add DHCP reservations via NETSH","type":"posts"},{"content":"A USB drive can be set up to boot into any Linux distribution using UNetbootin. Fortunately, ESXi is a Linux distribution. 
The steps are surprisingly easy.\nDownload ESXi from VMware. Download UNetbootin from Sourceforge. Plug your USB drive into your computer. Double-click on the downloaded exe file. UNetbootin is a stand-alone executable; no installation is needed. Select the second radio button, Diskimage. Click the button with the ellipses on it, browse to and select the ESXi iso you just downloaded. Once UNetbootin is finished, remove your USB drive from your current system. Plug it into the computer you want to install ESXi onto, restart the system and you are off and running. Everything will work just as if you were installing from any other media.\n","date":"November 11, 2013","externalUrl":null,"permalink":"/posts/esxi-from-usb/","section":"Blog","summary":"A USB drive can be set up to boot into any Linux distribution using UNetbootin. Fortunately, ESXi is a Linux distribution. The steps are surprisingly easy.\nDownload ESXi from VMware. Download UNetbootin from Sourceforge. Plug your USB drive into your computer. Double-click on the downloaded exe file. UNetbootin is a stand-alone executable; no installation is needed. Select the second radio button, Diskimage. Click the button with the ellipses on it, browse to and select the ESXi iso you just downloaded. Once UNetbootin is finished, remove your USB drive from your current system. Plug it into the computer you want to install ESXi onto, restart the system and you are off and running. 
Everything will work just as if you were installing from any other media.\n","title":"ESXi from USB","type":"posts"},{"content":"","date":"November 3, 2013","externalUrl":null,"permalink":"/categories/p4000/","section":"Categories","summary":"","title":"P4000","type":"categories"},{"content":"","date":"November 3, 2013","externalUrl":null,"permalink":"/categories/vsa/","section":"Categories","summary":"","title":"VSA","type":"categories"},{"content":"Edit the vmx file:\n/vmfs/volumes/50bf4d82-31b73571-5543-001e4f378eac/MAS # vi MAS.vmx\nEnsure you are using generated MACs:\nethernet0.addressType = \u0026ldquo;generated\u0026rdquo;\nethernet1.addressType = \u0026ldquo;generated\u0026rdquo;\nEdit these 3 lines to reflect the MAC you want. This assumes you want to use one of the \u0026ldquo;VMWARE automagic (00:0c:29)\u0026rdquo; ones; notice that the last 6 characters of the first two lines match the last 3 octets of your MAC:\nuuid.location = \u0026ldquo;56 4d 74 53 f4 52 bf 03-02 fb 39 13 6b 2b 6c fc\u0026rdquo;\nuuid.bios = \u0026ldquo;56 4d 74 53 f4 52 bf 03-02 fb 39 13 6b 2b 6c fc\u0026rdquo;\nethernet0.generatedAddress = \u0026ldquo;00:0c:29:2b:6c:fc\u0026rdquo;\nIf you want ethernet1 to match something specific instead, you need to subtract 10 (0x0A) from the last octet of the ethernet0 MAC because of this line:\nethernet1.generatedAddressOffset = \u0026ldquo;10\u0026rdquo;\nThis will create ethernet1\u0026rsquo;s MAC with a value of 10 more than ethernet0. I didn\u0026rsquo;t play around with different values here, but presumably you could calculate \u0026amp; edit this number to get both MACs to match your needs. 
Remove the VM from inventory and re-import it (by browsing the datastore to the vmx file). When starting the VM, answer \u0026ldquo;I moved it\u0026rdquo; to the dialog box asking what happened to your machine. ","date":"November 3, 2013","externalUrl":null,"permalink":"/posts/vsa-change-mac-vsphere-5.1/","section":"Blog","summary":"Edit the vmx file:\n/vmfs/volumes/50bf4d82-31b73571-5543-001e4f378eac/MAS # vi MAS.vmx\nEnsure you are using generated MACs:\nethernet0.addressType = “generated”\nethernet1.addressType = “generated”\nEdit these 3 lines to reflect the MAC you want. This assumes you want to use one of the “VMWARE automagic (00:0c:29)” ones; notice that the last 6 characters of the first two lines match the last 3 octets of your MAC:\nuuid.location = “56 4d 74 53 f4 52 bf 03-02 fb 39 13 6b 2b 6c fc”\nuuid.bios = “56 4d 74 53 f4 52 bf 03-02 fb 39 13 6b 2b 6c fc”\nethernet0.generatedAddress = “00:0c:29:2b:6c:fc”\nIf you want ethernet1 to match something specific instead, you need to subtract 10 (0x0A) from the last octet of the ethernet0 MAC because of this line:\nethernet1.generatedAddressOffset = “10”\nThis will create ethernet1’s MAC with a value of 10 more than ethernet0. I didn’t play around with different values here, but presumably you could calculate \u0026 edit this number to get both MACs to match your needs. 
Remove the VM from inventory and re-import it (by browsing the datastore to the vmx file). When starting the VM, answer “I moved it” to the dialog box asking what happened to your machine. ","title":"VSA change MAC vSphere 5.1","type":"posts"},{"content":"","date":"August 1, 2013","externalUrl":null,"permalink":"/categories/c7000/","section":"Categories","summary":"","title":"C7000","type":"categories"},{"content":"","date":"August 1, 2013","externalUrl":null,"permalink":"/categories/hp/","section":"Categories","summary":"","title":"HP","type":"categories"},{"content":"","date":"August 1, 2013","externalUrl":null,"permalink":"/categories/oa/","section":"Categories","summary":"","title":"OA","type":"categories"},{"content":"If someone thinks it is fun to change the password on a Virtual Connect module, there is a procedure to reset the Administrator password to its original setting. This procedure comes from the c00865618.pdf file, page 28 of the HP Virtual Connect for c-Class BladeSystem User Guide, section \u0026ldquo;Resetting the Administrator password and DNS settings\u0026rdquo;:\nIf the system maintenance switch 1 is in the ON position on a VC-Enet module, the firmware restores the Administrator account password and DNS settings to the original factory defaults as found on the module label (without disturbing any other local user accounts), and also displays the password on the VC-Enet module management console. For information on accessing the VC-Enet module management console, see the OA user guide. The default password is no longer displayed after switch 1 is in the OFF position. 
Password restoration is done during each power-up sequence while switch 1 is in the ON position (and reserved switches are in the OFF position) and does not allow changes until the switch is placed back into the OFF position. For switch locations, see the appropriate system maintenance switch (\u0026ldquo;HP 1/10Gb VCEnet Module system maintenance switch\u0026rdquo; on page 15, \u0026ldquo;HP 1/10Gb-F VC-Enet Module system maintenance switch\u0026rdquo; on page 18, \u0026ldquo;HP Virtual Connect Flex-10 10Gb Ethernet Module system maintenance switch\u0026rdquo; on page 22). After switch 1 is returned to the OFF position, users with appropriate privileges can then change the Administrator password. Only reset the password on the module running the Virtual Connect Manager (and/or its backup), and not other modules in the domain. The recommended password recovery procedure is as follows: 1. Remove the Virtual Connect Ethernet module from interconnect bay 1. 2. Remove the access panel from the Virtual Connect Ethernet module. 3. Set switch 1 to the ON position. Ensure that all other switches remain in the OFF position. 4. Install the access panel. 5. Insert the Virtual Connect Ethernet module into bay 1 and allow the module to power up and reach a fully booted and operational state (approximately 1 minute). 6. Remove the Virtual Connect Ethernet module from interconnect bay 2. This causes interconnect bay 1 to become the module running the active VC Manager. Because switch 1 is set, the Administrator password remains at the factory default for interconnect bay 1 (not overwritten by the change of state because of the failover). 7. Wait to ensure that the VC Manager has had time to become active on interconnect bay 1. Log into the VC Manager to confirm it is up and functional on interconnect bay 1. 8. Insert the Virtual Connect Ethernet module into interconnect bay 2 and allow the module to power on and reach a fully booted and operational state (approximately 1 minute). 
9. Remove the Virtual Connect Ethernet module from interconnect bay 1. 10. Remove the access panel from the Virtual Connect Ethernet module. 11. Set switch 1 to the OFF position. Ensure that all other switches remain in the OFF position. 12. Install the access panel. 13. Insert the Virtual Connect Ethernet module into interconnect bay 1 and allow the module to power up and reach a fully booted and operational state (approximately 1 minute). 14. Log into the VC Manager using the factory default user name and password to log in to the module (regardless of whether it is running on the module\n[EDIT MARCH 12 2012] FOR ONBOARD ADMINISTRATOR: for the OA, this link http://h30499.www3.hp.com/t5/HP-BladeSystem-Management/Resetting-the-Onboard-Administrator-password/td-p/2304569 explains how to do it on the OA. I re-copy it here for everyone:\nBrian had an Onboard Administrator question: ********************** I have two chassis where the customer has lost the passwords. They are not set to the default. Does anyone have password recovery procedures? Downtime and configuration is not any concern as this is a new install. ********************** Bill had the process down: ******************** From the OA 3.10 user Guide, page 19\u0026hellip;\nRecovering the administrator password\nIf the administrator password has been lost, you can reset the administrator password to the factory default that shipped on the tag with the Onboard Administrator module. The Onboard Administrator resets a lost password to Lost Password/Flash Disaster Recovery (LP/FDR) mode. To recover the password and reset the administrator password to the factory default: 1. Connect a computer to the serial port of the Active Onboard Administrator using a null-modem cable. 2. With a null-modem cable (9600 N, 8, 1, VT100, locally connect to the Onboard Administrator). 3. Open HyperTerminal (in Microsoft(r) Windows(r)) or a suitable terminal window (in Linux), and then connect to the Active Onboard Administrator. 4. 
Press and hold in the Onboard Administrator reset button for 5 seconds. 5. To boot the system into Lost Password mode, press L. The password appears as the system reboots. ************************ from Ken: ********************* I prefer to use a script on a thumb drive to recover lost OA passwords. I’ve attached 2 scripts. ResetPW resets the “Administrator” account password to “password”. The OA-Add-admin script adds user “admin” with password “hpinvent” to the OA, and all ILOs in the enclosure. To run the scripts: Copy the scripts to a thumb drive. Place the thumb drive in the active OA. Run the script from the Insight Display: USB Menu, Restore Configuration, usb://d1/script-name.cfg\nScript 1:\nADD USER admin hpinvent\nSET USER ACCESS admin ADMINISTRATOR\nASSIGN SERVER ALL admin\nASSIGN INTERCONNECT ALL admin\nASSIGN OA admin\nENABLE USER admin\nHPONCFG all \u0026lt;\u0026lt; end_marker\nend_marker\nScript 2:\nSET USER PASSWORD \u0026ldquo;Administrator\u0026rdquo; \u0026ldquo;password\u0026rdquo;\n","date":"August 1, 2013","externalUrl":null,"permalink":"/posts/reset-administrator-password-from-hp-virtual-connect-and-onbord-administrator/","section":"Blog","summary":"If someone thinks it is fun to change the password on a Virtual Connect module, there is a procedure to reset the Administrator password to its original setting. This procedure comes from the c00865618.pdf file, page 28 of the HP Virtual Connect for c-Class BladeSystem User Guide, section “Resetting the Administrator password and DNS settings”:\nIf the system maintenance switch 1 is in the ON position on a VC-Enet module, the firmware restores the Administrator account password and DNS settings to the original factory defaults as found on the module label (without disturbing any other local user accounts), and also displays the password on the VC-Enet module management console. For information on accessing the VC-Enet module management console, see the OA user guide. 
The default password is no longer displayed after switch 1 is in the OFF position. Password restoration is done during each power-up sequence while switch 1 is in the ON position (and reserved switches are in the OFF position) and does not allow changes until the switch is placed back into the OFF position. For switch locations, see the appropriate system maintenance switch (“HP 1/10Gb VCEnet Module system maintenance switch” on page 15, “HP 1/10Gb-F VC-Enet Module system maintenance switch” on page 18, “HP Virtual Connect Flex-10 10Gb Ethernet Module system maintenance switch” on page 22). After switch 1 is returned to the OFF position, users with appropriate privileges can then change the Administrator password. Only reset the password on the module running the Virtual Connect Manager (and/or its backup), and not other modules in the domain. The recommended password recovery procedure is as follows: 1. Remove the Virtual Connect Ethernet module from interconnect bay 1. 2. Remove the access panel from the Virtual Connect Ethernet module. 3. Set switch 1 to the ON position. Ensure that all other switches remain in the OFF position. 4. Install the access panel. 5. Insert the Virtual Connect Ethernet module into bay 1 and allow the module to power up and reach a fully booted and operational state (approximately 1 minute). 6. Remove the Virtual Connect Ethernet module from interconnect bay 2. This causes interconnect bay 1 to become the module running the active VC Manager. Because switch 1 is set, the Administrator password remains at the factory default for interconnect bay 1 (not overwritten by the change of state because of the failover). 7. Wait to ensure that the VC Manager has had time to become active on interconnect bay 1. Log into the VC Manager to confirm it is up and functional on interconnect bay 1. 8. 
Insert the Virtual Connect Ethernet module into interconnect bay 2 and allow the module to power on and reach a fully booted and operational state (approximately 1 minute). 9. Remove the Virtual Connect Ethernet module from interconnect bay 1. 10. Remove the access panel from the Virtual Connect Ethernet module. 11. Set switch 1 to the OFF position. Ensure that all other switches remain in the OFF position. 12. Install the access panel. 13. Insert the Virtual Connect Ethernet module into interconnect bay 1 and allow the module to power up and reach a fully booted and operation state (approximately 1 minute). 14. Log into the VC Manager using the factory default user name and password to log in to the module (regardless of whether it is running on the module [EDIT MARCH 12 2012] FOR ONBOARD ADMINISTRATOR FOR OA this link http://h30499.www3.hp.com/t5/HP-BladeSystem-Management/Resetting-the-Onboard-Administrator-password/td-p/2304569 explain how to do on OA I re-copy it for everyone: Brian had an Onboard Administrator question: ********************** I have two chassis were the customer has lost the passwords. They are not set to the default. Does anyone have password recovery procedures. Downtime and configuration is not any concern as this is a new install. ********************** Bill had the process down: ******************** From the OA 3.10 user Guide, page 19… Recovering the administrator password If the administrator password has been lost, you can reset the administrator password to the factory default that shipped on the tag with the Onboard Administrator module. The Onboard Administrator resets a lost password to Lost Password/Flash Disaster Recovery (LP/FDR) mode. To recover the password and reset the administrator password to the factory default: 1. Connect a computer to the serial port of the Active Onboard Administrator using a null-modem cable. 2. With a null-modem cable (9600 N, 8, 1, VT100, locally connect to the Onboard Administrator). 3. 
Open HyperTerminal (in Microsoft(r) Windows(r)) or a suitable terminal window (in Linux), and then connect to the Active Onboard Administrator. 4. Press and hold in the Onboard Administrator reset button for 5 seconds. 5. To boot the system into Lost Password modem Press L. The password appears as the system reboots. ************************ from Ken: ********************* I prefer to use a script on a thumb drive to recover lost OA passwords. I’ve attached 2 scripts. ResetPW resets the “Administrator” account password to “password”. The OA-Add-admin script adds use “admin” password “hpinvent” to the OA, and all ILOs in the enclosure. To run the scripts: Copy the scripts to a thumb drive Place the thumb drive in the active OA Run the script from the Insight Display o USB Menu o Restore Configuration o usb://d1/script-name.cfg Script 1: ADD USER admin hpinvent SET USER ACCESS admin ADMINISTRATOR ASSIGN SERVER ALL admin ASSIGN INTERCONNECT ALL admin ASSIGN OA admin ENABLE USER admin HPONCFG all \u003c\u003c end_marker end_marker Script 2: SET USER PASSWORD “Administrator” “password”\n","title":"Reset Administrator password from HP Virtual Connect and Onbord Administrator","type":"posts"},{"content":"","date":"August 1, 2013","externalUrl":null,"permalink":"/categories/virtualconnect/","section":"Categories","summary":"","title":"VirtualConnect","type":"categories"},{"content":"add rewrite action AD_delete_rewrite_action delete_all \u0026quot;http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)\u0026quot; -pattern \u0026quot;document.write(' 1');\u0026quot; -bypassSafetyCheck YES add rewrite action AD_replace_rewrite_action replace_all \u0026quot;http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)\u0026quot; \u0026quot;\u0026quot;AD Password'\u0026quot;\u0026quot; -pattern \u0026quot;\u0026quot;Password\u0026quot;\u0026quot; -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*'[ ]*+[ ]*_(\u0026quot;Password\u0026quot;)[ ]*!)/ add rewrite action 
RSA_replace_rewrite_action replace_all \u0026quot;http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)\u0026quot; \u0026quot;\u0026quot;Secure token:'\u0026quot;\u0026quot; -pattern \u0026quot;\u0026quot;Password2\u0026quot;\u0026quot; -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*'[ ]*+[ ]*_(\u0026quot;Password2\u0026quot;)[ ]*!)/\nadd rewrite policy AD_rewrite_pol \u0026quot;http.req.url.path.endswith(\u0026quot;vpn/login.js\u0026quot;)\u0026quot; AD_replace_rewrite_action\nadd rewrite policy RSA_rewrite_pol \u0026quot;http.req.url.path.endswith(\u0026quot;vpn/login.js\u0026quot;)\u0026quot; RSA_replace_rewrite_action\nadd rewrite policy AD_delete_pol \u0026quot;http.req.url.path.endswith(\u0026quot;vpn/login.js\u0026quot;)\u0026quot; AD_delete_rewrite_action\nbind rewrite global AD_rewrite_pol 100 NEXT -type RES_OVERRIDE\nbind rewrite global RSA_rewrite_pol 110 NEXT -type RES_OVERRIDE\nbind rewrite global AD_delete_pol 120 NEXT -type RES_OVERRIDE\n","date":"July 5, 2013","externalUrl":null,"permalink":"/posts/change-text-password-1-password-2-on-netscaler-ag/","section":"Blog","summary":"add rewrite action AD_delete_rewrite_action delete_all \"http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)\" -pattern \"document.write(' 1');\" -bypassSafetyCheck YES add rewrite action AD_replace_rewrite_action replace_all \"http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)\" \"\"AD Password'\"\" -pattern \"\"Password\"\" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*'[ ]*+[ ]*_(\"Password\")[ ]*!)/ add rewrite action RSA_replace_rewrite_action replace_all \"http.RES.BODY(120000).SET_TEXT_MODE(ignorecase)\" \"\"Secure token:'\"\" -pattern \"\"Password2\"\" -bypassSafetyCheck YES -refineSearch q/extend(50,50).REGEX_SELECT(re![ ]*'[ ]*+[ ]*_(\"Password2\")[ ]*!)/ add rewrite policy AD_rewrite_pol \"http.req.url.path.endswith(\"vpn/login.js\")\" AD_replace_rewrite_action add rewrite policy RSA_rewrite_pol \"http.req.url.path.endswith(\"vpn/login.js\")\" RSA_replace_rewrite_action add rewrite policy AD_delete_pol \"http.req.url.path.endswith(\"vpn/login.js\")\" AD_delete_rewrite_action bind rewrite global AD_rewrite_pol 100 NEXT -type RES_OVERRIDE bind rewrite global RSA_rewrite_pol 110 NEXT -type RES_OVERRIDE bind rewrite global AD_delete_pol 120 NEXT -type RES_OVERRIDE\n","title":"Change text password 1 \u0026 password 2 on netscaler AG","type":"posts"},{"content":"","date":"June 26, 2013","externalUrl":null,"permalink":"/categories/brocade/","section":"Categories","summary":"","title":"Brocade","type":"categories"},{"content":"1. Log into the switch as root (not admin) and execute /fabos/libexec/webdconfigure and answer \u0026lsquo;yes\u0026rsquo; to the HTTP Restart question. Example (note: answer yes to http attributes and HTTP Restart, then take the defaults for the rest of the prompts):\nfabbd70:root\u0026gt; /fabos/libexec/webdconfigure\nhttp attributes (yes, y, no, n): [no] yes\nHTTP Restart (yes, y, no, n): [no] yes\nHTTP enabled (yes, y, no, n): [yes]\nErrorLog Enabled (yes, y, no, n): [no]\nAccessLog Enabled (yes, y, no, n): [no]\nSSLLog Enabled (yes, y, no, n): [no]\nHTTP Port: (1..60000) [80]\nSecure HTTP Port: (1..60000) [443]\nHTTP IsAlive Check Enabled (yes, y, no, n): [yes]\nHTTP Max HeapSize: (256..1024) [512]\nwebtools attributes (yes, y, no, n): [no]\ncal attributes (yes, y, no, n): [no]\nNow wait a minute or two and run the following command to check that the HTTP processes have been restarted:\nfabbd70:root\u0026gt; ps -ef | grep http\nroot 23369 1 0 10:08 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0\nnobody 23370 23369 0 10:08 ? 00:00:00 /usr/apache/bin/fcgi-pm -f /fabos/webtools/bin/httpd.conf.0\nnobody 23938 23369 0 10:53 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0\nnobody 23949 23369 0 10:54 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0\nnobody 23960 23369 0 10:55 ? 
00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0\nroot 24060 23978 0 10:55 pts/0 00:00:00 grep http\n","date":"June 26, 2013","externalUrl":null,"permalink":"/posts/reboot-management-brocade-fc-switch/","section":"Blog","summary":"1. Log into the switch as root (not admin) and execute /fabos/libexec/webdconfigure and answer ‘yes’ to the HTTP Restart question. Example (note: answer yes to http attributes and HTTP Restart, then take the defaults for the rest of the prompts): fabbd70:root\u003e /fabos/libexec/webdconfigure http attributes (yes, y, no, n): [no] yes HTTP Restart (yes, y, no, n): [no] yes HTTP enabled (yes, y, no, n): [yes] ErrorLog Enabled (yes, y, no, n): [no] AccessLog Enabled (yes, y, no, n): [no] SSLLog Enabled (yes, y, no, n): [no] HTTP Port: (1..60000) [80] Secure HTTP Port: (1..60000) [443] HTTP IsAlive Check Enabled (yes, y, no, n): [yes] HTTP Max HeapSize: (256..1024) [512] webtools attributes (yes, y, no, n): [no] cal attributes (yes, y, no, n): [no] Now wait a minute or two and run the following command to check that the HTTP processes have been restarted: fabbd70:root\u003e ps -ef | grep http root 23369 1 0 10:08 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0 nobody 23370 23369 0 10:08 ? 00:00:00 /usr/apache/bin/fcgi-pm -f /fabos/webtools/bin/httpd.conf.0 nobody 23938 23369 0 10:53 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0 nobody 23949 23369 0 10:54 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0 nobody 23960 23369 0 10:55 ? 00:00:00 /usr/apache/bin/httpd.0 -f /fabos/webtools/bin/httpd.conf.0 root 24060 23978 0 10:55 pts/0 00:00:00 grep http\n","title":"reboot management brocade fc switch","type":"posts"},{"content":" Before upgrading any individual components, check the latest compatibility matrix (in attachment).\nCheck if a SAN/iQ patch is available for your firmware. This method is always preferred.\n
Download the Smart Update Firmware DVD 10.10. If additional files need to be added to the Smart Firmware DVD, download the HP USB Key Utility for Windows to create a bootable USB stick instead.\nUpdate the CMC (the first available update in the current CMC).\nDownload all the upgrades from the CMC (if this is too slow you can use the following FTP site: ftp://up_p4k_5:Extreme1@ftp.usa.hp.com/ ; note that this URL embeds a username and password, and FTP transmits them in clear text).\nIf there is a maintenance window with complete downtime of the iSCSI sessions, the upgrade can simply be performed in normal mode. Worst case, if the update fails, perform the update in support mode. http://blog.j81.nl/?p=81\nAdditional information and release notes can be found at: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StoreVirtualSW\n","date":"May 31, 2013","externalUrl":null,"permalink":"/posts/firmware-for-individual-components/","section":"Blog","summary":" Before upgrading any individual components, check the latest compatibility matrix (in attachment). Check if a SAN/iQ patch is available for your firmware. This method is always preferred. Download the Smart Update Firmware DVD 10.10. If additional files need to be added to the Smart Firmware DVD, download the HP USB Key Utility for Windows to create a bootable USB stick instead. Update the CMC (the first available update in the current CMC). Download all the upgrades from the CMC (if this is too slow you can use the following FTP site: ftp://up_p4k_5:Extreme1@ftp.usa.hp.com/ ). If there is a maintenance window with complete downtime of the iSCSI sessions, the upgrade can simply be performed in normal mode. Worst case, if the update fails, perform the update in support mode. 
http://blog.j81.nl/?p=81 Additional information and release notes can be found at: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StoreVirtualSW\n","title":"Firmware for individual components","type":"posts"},{"content":" Shut down the CMC.\nOpen Users\\[user]\\.storage_system\\preferences.txt.\nAt the top of the file, add the following:\nCmcSystemPreference.supportMode=true\nCmcUpgradePreference.useOldUpgrades=true\nCmcUpgradePreference.userUpgrade=true\nStart the CMC; under Configuration Summary there will now be a “Support Upgrades” tab.\nBrowse to the patch.\nSelect the node you want to update.\nApply the update. ","date":"May 31, 2013","externalUrl":null,"permalink":"/posts/apply-patches-and-updates-in-support-mode/","section":"Blog","summary":" Shut down the CMC. Open Users\\[user]\\.storage_system\\preferences.txt. At the top of the file, add the following: CmcSystemPreference.supportMode=true CmcUpgradePreference.useOldUpgrades=true CmcUpgradePreference.userUpgrade=true Start the CMC; under Configuration Summary there will now be a “Support Upgrades” tab. 
Browse to the patch. Select the node you want to update. Apply the update. ","title":"Apply patches and updates in Support Mode","type":"posts"},{"content":"Stop the AD DS service\nntdsutil\nactivate instance ntds\nfiles\ncompact to c:\\\nquit\nquit\ncopy \u0026#34;c:\\ntds.dit\u0026#34; \u0026#34;c:\\Windows\\NTDS\\ntds.dit\u0026#34;\ndel c:\\Windows\\NTDS\\*.log\nStart the AD DS service ","date":"May 14, 2013","externalUrl":null,"permalink":"/posts/ad-defragmentatie-server-2012/","section":"Blog","summary":"Stop the AD DS service\nntdsutil activate instance ntds files compact to c:\\ quit quit copy \"c:\\ntds.dit\" \"c:\\Windows\\NTDS\\ntds.dit\" del c:\\Windows\\NTDS\\*.log Start the AD DS service ","title":"AD Defragmentation (Server 2012)","type":"posts"},{"content":"","date":"May 14, 2013","externalUrl":null,"permalink":"/categories/server-2012/","section":"Categories","summary":"","title":"Server 2012","type":"categories"},{"content":"In CVE, go to the fieldservice page: -\u0026gt; https://localhost:2372/fieldservice and log in. Choose the correct EVA. Click: Open Command line interface. Choose from the dropdown box: FCS show config, and click execute. On the management server the output is stored in: C:\\program files(x86)\\hewlett packard\\sanworks\\element manager for storageworks hsv\\cache\\[WWN of the EVA]\\fcs_show_config.txt \u0026lt;- this contains all the serial numbers of the disks. The serial numbers can also be retrieved with SSSU using show disk full. And the ones shown in CVE are also correct. (This used to not be the case, but it is with the latest versions of CVE and XCS.)\n","date":"May 7, 2013","externalUrl":null,"permalink":"/posts/hp-eva-p6000-service/","section":"Blog","summary":"In CVE, go to the fieldservice page: -\u003e https://localhost:2372/fieldservice and log in. Choose the correct EVA. Click: Open Command line interface. Choose from the dropdown box: FCS show config, and click execute. 
On the management server the output is stored in: C:\\program files(x86)\\hewlett packard\\sanworks\\element manager for storageworks hsv\\cache\\[WWN of the EVA]\\fcs_show_config.txt \u003c- this contains all the serial numbers of the disks. The serial numbers can also be retrieved with SSSU using show disk full. And the ones shown in CVE are also correct. (This used to not be the case, but it is with the latest versions of CVE and XCS.)\n","title":"HP EVA P6000 Service","type":"posts"},{"content":"","date":"May 7, 2013","externalUrl":null,"permalink":"/categories/p6000/","section":"Categories","summary":"","title":"P6000","type":"categories"},{"content":"I have heard that lots of people are missing the start menu in Windows 8. I don’t miss it because I normally use “Run” to enter my command/application and I have pinned my most used apps to the taskbar. What I do recommend to my customers is to start using Windows+X. In Windows 7 this would open the Mobility Center, but in Windows 8 it opens a small menu in the bottom left corner: This provides a lot of options for most people. But if you still miss the start menu and don’t like the new one, I would recommend Classic Shell (http://www.classicshell.net/). This installs a start menu that you can customize to your needs. If you like the Windows XP look, then just change to that skin. All settings are stored per user in the registry under HKCU\\Software\\IvoSoft\\ClassicStartMenu. This is a screenshot of my start menu with the Windows 8 look. Notice that it has two folders, one for the Windows 8 apps and one for the classic apps: ","date":"April 29, 2013","externalUrl":null,"permalink":"/posts/startmenu-in-windows-8-or-not/","section":"Blog","summary":"I have heard that lots of people are missing the start menu in Windows 8. I don’t miss it because I normally use “Run” to enter my command/application and I have pinned my most used apps to the taskbar. What I do recommend to my customers is to start using Windows+X. 
In Windows 7 this would open the Mobility Center, but in Windows 8 it opens a small menu in the bottom left corner: This provides a lot of options for most people. But if you still miss the start menu and don’t like the new one, I would recommend Classic Shell (http://www.classicshell.net/). This installs a start menu that you can customize to your needs. If you like the Windows XP look, then just change to that skin. All settings are stored per user in the registry under HKCU\\Software\\IvoSoft\\ClassicStartMenu. This is a screenshot of my start menu with the Windows 8 look. Notice that it has two folders, one for the Windows 8 apps and one for the classic apps: ","title":"Startmenu in Windows 8 or not?","type":"posts"},{"content":"NTFS Permissions for Roaming Profile Parent Folder\nUser Account : Minimum Permissions Required\nCreator Owner : Full Control, Subfolders and Files Only\nAdministrator : Full Control (Microsoft actually recommends none, but it simplifies things if you give admins full control)\nSecurity group of users needing to put data on share : List Folder/Read Data, Create Folders/Append Data - This Folder Only\nEveryone : No permissions\nLocal System : Full Control, This Folder, Subfolders and Files\nShare level (SMB) Permissions for Roaming Profile Share\nUser Account : Minimum Permissions Required\nEveryone : No permissions\nSecurity group of users needing to put data on share : Full Control\n","date":"March 18, 2013","externalUrl":null,"permalink":"/posts/profile-permissions/","section":"Blog","summary":"NTFS Permissions for Roaming Profile Parent Folder User Account : Minimum Permissions Required Creator Owner : Full Control, Subfolders and Files Only Administrator : Full Control (Microsoft actually recommends none, but it simplifies things if you give admins full control) Security group of users needing to put data on share : List Folder/Read Data, Create Folders/Append Data - This Folder Only Everyone : No permissions Local System : Full Control, This Folder, 
Subfolders and Files Share level (SMB) Permissions for Roaming Profile Share User Account : Minimum Permissions Required Everyone : No permissions Security group of users needing to put data on share : Full Control\n","title":"Profile Permissions","type":"posts"},{"content":"helo smtp.server.nl\nmail from:\u0026lt;test@domain.nl\u0026gt;\nrcpt to:\u0026lt;to@domain.nl\u0026gt;\ndata\nsubject: This is a test mail\nto: to@domain.nl\n\nThis is the text of my test mail.\n.\nquit\n","date":"February 25, 2013","externalUrl":null,"permalink":"/posts/send-mail-through-telnet/","section":"Blog","summary":"helo smtp.server.nl mail from:\u003ctest@domain.nl\u003e rcpt to:\u003cto@domain.nl\u003e data subject: This is a test mail to: to@domain.nl This is the text of my test mail. . quit\n","title":"Send mail through telnet","type":"posts"},{"content":" Failed to start VM # After upgrading an ESX cluster from vSphere 5.0 to vSphere 5.1 a VM failed to reboot. Instead, an error message was issued: Failed to start the virtual machine. Module DevicePowerOn power on failed. Could not set up “macAddress” for ethernet0. Invalid MAC address specified. 00:0C:29:A0:B0:1D is not an allowed static Ethernet address. It conflicts with VMware reserved MACs. Troubleshooting # The VM used to run on VMware Server and was transferred later to the ESX infrastructure. It acts as a license server. The services installed are tied to the MAC address of the LAN adapter; therefore, in the past, the virtual MAC address was assigned statically. Unfortunately the selected MAC address was in the range of VMware\u0026rsquo;s dynamically assigned addresses. That wasn\u0026rsquo;t a problem for previous ESX versions, although the method is not recommended. Since version 5.1 addresses in the range 00:0c:29:xx:xx:xx are strictly reserved for dynamic allocation. 
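The address-type rules this post works through (generated addresses start with 00:0c:29, vpx addresses with 00:50:56, a static address must stay out of the 00:0c:29 range, and for a generated address the last three bytes of uuid.bios must match the MAC) as a small VMX checker that also applies the fix the post ends up with: keep the 00:0c:29 address but declare it generated and patch uuid.bios to agree. This is an added example, not code from the original post or from VMware; the VMX sample is constructed, the helper names parse_vmx, check_nic and convert_static_to_generated are mine, and dropping the old ethernetN.address key after the conversion is an assumption of the example.

```python
import re

# Added example (not from the original post or from VMware): check the
# MAC-address settings in a VMX file against the rules the post lays out
# for vSphere 5.1, and apply the post's fix for a static 00:0c:29 address.
#
#   addressType generated -> generatedAddress must start with 00:0c:29
#   addressType vpx       -> generatedAddress must start with 00:50:56
#   addressType static    -> address must not be in the 00:0c:29 range,
#                            which is reserved for dynamic allocation
#   for a generated MAC the last three bytes of uuid.bios must match the
#   last three bytes of the MAC, or ESXi regenerates the MAC at power-on.

HEX_PAIR = re.compile(r'[0-9a-fA-F]{2}')
GENERATED_PREFIX = '00:0c:29'
VPX_PREFIX = '00:50:56'
QUOTES = chr(34) + chr(39)  # double and single quote characters


def parse_vmx(text):
    '''Parse the key = value lines of a VMX file into a dict.

    Real VMX files quote values with double quotes; single quotes are
    stripped as well so the constructed sample below stays readable.'''
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        entries[key.strip()] = value.strip().strip(QUOTES)
    return entries


def last_three_bytes(value):
    '''Last three bytes (lowercase hex pairs) of a MAC or uuid.bios string.'''
    return [pair.lower() for pair in HEX_PAIR.findall(value)][-3:]


def check_nic(entries, nic='ethernet0'):
    '''Return a list of problems for one virtual NIC (empty list = OK).'''
    problems = []
    addr_type = entries.get(nic + '.addressType', 'generated').lower()
    if addr_type == 'static':
        mac = entries.get(nic + '.address', '').lower()
        if not mac:
            problems.append(nic + ': addressType is static but no address is set')
        elif mac.startswith(GENERATED_PREFIX):
            problems.append(nic + ': static MAC ' + mac + ' is in the 00:0c:29 range reserved for dynamic allocation')
    elif addr_type in ('generated', 'vpx'):
        mac = entries.get(nic + '.generatedAddress', '').lower()
        wanted = GENERATED_PREFIX if addr_type == 'generated' else VPX_PREFIX
        if mac and not mac.startswith(wanted):
            problems.append(nic + ': ' + addr_type + ' MAC ' + mac + ' does not start with ' + wanted)
        if mac and addr_type == 'generated' and 'uuid.bios' in entries:
            if last_three_bytes(entries['uuid.bios']) != last_three_bytes(mac):
                problems.append(nic + ': uuid.bios tail does not match ' + mac + ', ESXi will regenerate the MAC at power-on')
    else:
        problems.append(nic + ': unknown addressType ' + addr_type)
    return problems


def convert_static_to_generated(entries, nic='ethernet0'):
    '''Apply the post's fix: keep the 00:0c:29 MAC, declare it generated
    and make the uuid.bios tail agree with it. Returns a new dict; the
    static .address key is dropped because generatedAddress now carries
    the value (an assumption of this example).'''
    fixed = dict(entries)
    mac = fixed.pop(nic + '.address').lower()
    fixed[nic + '.addressType'] = 'generated'
    fixed[nic + '.generatedAddress'] = mac
    if 'uuid.bios' in fixed:
        pairs = HEX_PAIR.findall(fixed['uuid.bios'])
        pairs[-3:] = last_three_bytes(mac)
        # uuid.bios is written as 8 pairs, a hyphen, then 8 more pairs
        fixed['uuid.bios'] = ' '.join(pairs[:8]) + '-' + ' '.join(pairs[8:])
    return fixed


# Constructed sample modelled on the VMX lines quoted in the post.
SAMPLE_VMX = '''
ethernet0.present = 'TRUE'
ethernet0.addressType = 'static'
ethernet0.address = '00:0C:29:A0:B0:1D'
uuid.bios = '56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee'
'''

if __name__ == '__main__':
    vmx = parse_vmx(SAMPLE_VMX)
    for problem in check_nic(vmx):
        print('before: ' + problem)
    repaired = convert_static_to_generated(vmx)
    print('after: ' + str(check_nic(repaired) or ['no problems']))
    for key in ('ethernet0.addressType', 'ethernet0.generatedAddress', 'uuid.bios'):
        print(key + ' = ' + repaired[key])
```

Run it as a script to see the before/after report for the sample; to check your own VMs, feed the text of a real VMX file to parse_vmx (its double-quoted values are stripped too) and look at what check_nic returns for each ethernetN.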
In the VMX file of the VM, however, was the following entry: I first set the adapter address in the vSphere Client to “dynamic” and on the next reboot I got an address from the range 00:50:56:xx:xx:xx. The VM did start, but the license service stopped working. So I shut down the VM and edited the VMX file, entering the original value for the MAC address.\nethernet0.address = \u0026#34;00:0C:29:A0:B0:1D\u0026#34;\nBug exchange # So I got a new error: “00:0c:29:xx:xx:xx is not an allowed VPX assigned Ethernet address. Invalid MAC address specified. Failed to configure ethernet0.” The problem was that when changing from “static” to “dynamic” in the virtual machine settings, the addressType had been changed to “vpx” automatically.\nethernet0.addressType = \u0026#34;vpx\u0026#34;\nethernet0.generatedAddress = \u0026#34;00:0c:29:xx:xx:xx\u0026#34;\nAt this point one has to understand how addresses are generated.\ngenerated : automatically generated by the MUI (MAC address starts with 00:0c:29)\nvpx : generated automatically by vCenter (MAC address starts with 00:50:56)\nstatic : manually assigned MAC address\nA correct configuration must look like this:\nethernet0.addressType = \u0026#34;generated\u0026#34;\nethernet0.generatedAddress = \u0026#34;00:0c:29:xx:xx:xx\u0026#34; (*)\nPlease replace xx:xx:xx with the desired bytes. Don\u0026rsquo;t enter xx:xx:xx into your VMX file! (Thanks for the hint, Al) After that, you can boot the VM normally again. If you look at the settings, you\u0026rsquo;ll see the correct MAC address.\n# MAC is still being generated # In some cases I could see the correct MAC in the VM settings (while the VM was powered off) in the first place (as shown above), but after starting the VM the MAC had been regenerated. This was due to the UUID of the VM. Here you have to adjust the last three bytes of uuid.bios to the last three bytes of the desired MAC address. On the next boot of the VM you\u0026rsquo;ll be asked whether you have copied or moved the VM. 
Here you have to choose the “I moved it” selection, because otherwise a UUID and a MAC will be generated at random.\n","date":"February 24, 2013","externalUrl":null,"permalink":"/posts/vsphere-5.1-static-mac/","section":"Blog","summary":"Failed to start VM # After upgrading an ESX cluster from vSphere 5.0 to vSphere 5.1 a VM failed to reboot. Instead, an error message was issued: Failed to start the virtual machine. Module DevicePowerOn power on failed. Could not set up “macAddress” for ethernet0. Invalid MAC address specified. 00:0C:29:A0:B0:1D is not an allowed static Ethernet address. It conflicts with VMware reserved MACs. ","title":"vSphere 5.1 static MAC","type":"posts"},{"content":"Find (disconnected) mailbox:\nGet-MailboxServer | Get-MailboxStatistics | where { $_.DisconnectDate } | fl DisplayName, DisconnectDate\nReconnect mailbox:\nGet-MailboxDatabase | Get-MailboxStatistics | Where-Object {$_.DisconnectDate -and $_.DisplayName -eq \u0026#34;Personal Archive - Tinnus Est\u0026#34;} | Connect-Mailbox -User T.Est -Archive\n","date":"February 21, 2013","externalUrl":null,"permalink":"/posts/exchange-2010-reconnect-archive-mailbox/","section":"Blog","summary":"Find (disconnected) mailbox: Get-MailboxServer | Get-MailboxStatistics | where { $_.DisconnectDate } | fl DisplayName, DisconnectDate Reconnect mailbox: Get-MailboxDatabase | Get-MailboxStatistics | Where-Object {$_.DisconnectDate -and $_.DisplayName -eq \"Personal Archive - Tinnus Est\"} | Connect-Mailbox -User T.Est -Archive\n","title":"Exchange 2010 reconnect archive mailbox","type":"posts"},{"content":"Good quality icons and images, especially ones with an alpha transparency, can be time consuming to make, and are often also hard to find. One source of lots of high quality icons in a range of sizes is Windows. Windows 7 includes lots of icons which can be useful as the majority are available in sizes from 16×16 up to 256×256, and come with alpha transparency. 
You may have noticed that we use some on our downloads page — they’re handy to quickly indicate file type. Windows stores most of its icons inside exe and dll files which makes them inaccessible to standard image manipulation applications like Photoshop. However, once they have been located they can easily be extracted with the freeware utility IcoFX. Tracking some of them down seems to be the trickier part. Below is a quick reference for the locations of many of the icons available on Windows 7. I will periodically add more details and any extra icon libraries I discover to this list.\nIcoFX can be used to extract the images. It supports all icon sizes, from 16×16 up to 256×256. It supports the full range of colour depths — 8bit, 16bit and 32bit. It also supports alpha transparency. Icons can be extracted to bmp, jpg, png, gif and jp2. IcoFX 2 is freeware. More details are available on the downloads page.\nLocations of common Windows icons (File Type | Associated Extensions | Built-in? | Location, with the icon index after the file name)\nAudio\nMP3 | mp3 | yes | %windir%\\system32\\wmploc.dll 60\nFree Lossless Audio Codec | flac | no | Included in FLAC\nRaw Wave File | wav | yes | %windir%\\system32\\wmploc.dll 62\nOgg Vorbis | ogg | no | Included in Xiph Codecs\nMidi | mid | yes | %windir%\\system32\\imageres.dll 18\nMonkey’s Audio | ape | no | Included in Monkey’s Audio\nApple Lossless | alac ale | no | Included in iTunes / QuickTime\nVideo\nMatroska | mkv mka | no | Download from DeviantArt\nWindows Recorded TV | wtv | yes | %windir%\\system32\\sberes.dll 0\nAudio-Video Interleave | avi | yes | %windir%\\system32\\wmploc.dll 59\nMotion Picture Experts Group | mpg mpeg | yes | %windir%\\system32\\wmploc.dll 61\nFlash Video | flv | no | Included in Adobe Flash Player\nWindows Media Video | wmv | yes | %windir%\\system32\\wmploc.dll 64\nApple Movie | mov | no | Included in iTunes / QuickTime\nImage\nJoint Picture Experts Group | jpg jpeg | yes | %windir%\\system32\\imageres.dll 68\nPortable Network Graphic | png | yes | %windir%\\system32\\imageres.dll 79\nBitmap | bmp | yes | %windir%\\system32\\imageres.dll 66\nGraphics Interchange Format | gif | yes | %windir%\\system32\\imageres.dll 67\nTagged Image File Format | tif tiff | yes | %windir%\\system32\\imageres.dll 160\nPhotoshop Image | psd | no | Included in Adobe Photoshop\nPaintshop Pro Image | psp pspimage | no | Included in Corel Paintshop Pro\nScalable Vector Graphics | svg | no | Unknown\nWeb\nHyperText Markup Language | html htm | yes | %windir%\\system32\\ieframe.dll 10\nPHP Hypertext Preprocessor | php | yes | Included in DreamWeaver\nExtensible Markup Language | xml | yes | Included in DreamWeaver\nCascading Style Sheets | css | yes | Included in DreamWeaver\nJava Archive | jar | no | Included in Java\nJavaScript | js jscript | yes | %windir%\\system32\\wscript.exe 4\nVB Script | vbs | yes | %windir%\\system32\\wscript.exe 3\nReally Simple Syndication | rss | yes | %windir%\\system32\\ieframe.dll 66\nDocuments\nPlain Text | txt | yes | %windir%\\system32\\imageres.dll 98\nMicrosoft Word | doc docx | no | Included in Microsoft Office\nMicrosoft Excel | xls xlsx | no | Included in Microsoft Office\nMicrosoft Powerpoint | ppt pptx | no | Included in Microsoft Office\nMicrosoft Publisher | pub pubx | no | Included in Microsoft Office\nAdobe Portable Document Format | pdf | no | Included in Microsoft Office\nCompression\nRar Archive | rar | no | Included in WinRAR\nZip Archive | zip | no | Included in WinZIP\n7Zip Archive | 7z | no | Included in 7Zip\nOther\nHTML Help | hlp | yes | %windir%\\hh.exe 0\nExecutable | exe | yes | %windir%\\system32\\imageres.dll 12\nInitialisation / Configuration File | ini | yes | %windir%\\system32\\imageres.dll 65\nSetup Information File | inf | yes | %windir%\\system32\\imageres.dll 65\nDynamic Link Library | dll | yes | %windir%\\system32\\imageres.dll 63\nHome / House | (no extension) | yes | %windir%\\system32\\ieframe.dll 0\n16bit DOS Command Script | cmd bat | yes | %windir%\\system32\\imageres.dll 64\nRegistry Fragment | reg | yes | %windir%\\system32\\regedit.exe 2\nTrue Type Font | ttf | yes | %windir%\\system32\\imageres.dll 150\nMicrosoft Installer | msi | yes | %windir%\\system32\\imageres.dll 163\nReference list of Windows icons contained in dll and exe icon libraries\nThe numbers below each icon refer to the icon number in the file, and the number in brackets indicates how many variants of the icon there are (there could be up to a theoretical maximum of 20, with different colour depths and sizes). All the icon screenshots shown below are of 32×32 icons in their highest available colour-depth. 
%windir%\\system32\\compstui.dll (Common Property Sheet User Interface)\n%windir%\\system32\\ddores.dll (Device Category Information and Resources)\n%windir%\\system32\\ieframe.dll (Internet Explorer)\n%windir%\\system32\\imageres.dll (Windows Image Resource)\n%windir%\\system32\\mmcndmgr.dll (Microsoft Management Console Node Manager)\n%windir%\\system32\\moricons.dll (Windows NT Setup Icon Resources)\n%windir%\\system32\\netshell.dll (Network Connections Shell)\n%windir%\\system32\\pnidui.dll (Network System Icons)\n%windir%\\system32\\shell32.dll (Windows Shell Common)\n%windir%\\system32\\wmploc.dll (Windows Media Player Resources)\n%windir%\\system32\\pifmgr.dll (Windows NT PIF Manager Icon Resource Library)\n%windir%\\system32\\wpdshext.dll (Portable Devices Shell Extension)\n%windir%\\system32\\comres.dll (COM+ Resources)\n%windir%\\system32\\dmdskres.dll (Disk Management Support Snap-In)\n%windir%\\system32\\dsuiext.dll (Directory Service Common UI)\n%windir%\\system32\\inetcplc.dll (Internet Control Panel)\n%windir%\\system32\\mstsc.exe (Remote Desktop Connection Client)\n%windir%\\system32\\mstscax.dll (Remote Desktop Services ActiveX Client)\n%windir%\\system32\\setupapi.dll (Windows Setup API)\n%windir%\\system32\\shdocvw.dll (Shell Doc Object and Control Library)\n%windir%\\system32\\urlmon.dll (OLE32 Extension for Win32)\n%windir%\\system32\\wiashext.dll (Imaging Devices Shell Folder UI) ","date":"February 18, 2013","externalUrl":null,"permalink":"/posts/windows-icons-full-list-with-details-locations-images/","section":"Blog","summary":"Good quality icons and images, especially ones with an alpha transparency, can be time consuming to make, and are often also hard to find. One source of lots of high quality icons in a range of sizes is Windows. Windows 7 includes lots of icons which can be useful as the majority are available in sizes from 16×16 up to 256×256, and come with alpha transparency. You may have noticed that we use some on our downloads page — they’re handy to quickly indicate file type. 
Windows stores most of its icons inside exe and dll files which makes them inaccessible to standard image manipulation applications like Photoshop. However, once they have been located they can easily be extracted with the freeware utility IcoFX. Tracking some of them down seems to be the trickier part. Below is a quick reference for the locations of many of the icons available on Windows 7. I will periodically add more details and any extra icon libraries I discover to this list.\n","title":"Windows Icons: Full list with details, locations \u0026 images","type":"posts"},{"content":"This is an updated script that creates computer accounts in Active Directory. This script uses a comma separated values file as an input instead of two text files.\n\u0026#39;**************************************Heading*********************************\n\u0026#39;create.vbs\n\u0026#39;\n\u0026#39;Jason Hofferle\n\u0026#39;04/12/2007\n\u0026#39;\n\u0026#39;Script to create AD computer accounts from file\n\u0026#39;******************************************************************************\noption explicit\n\u0026#39;**************************************************************************\n\u0026#39;Variable Declarations\n\u0026#39;**************************************************************************\nConst ADS_UF_WORKSTATION_TRUST_ACCOUNT = \u0026amp;h1000\nConst ForReading = 1\ndim strInputFile, strOU\ndim arrTemp\ndim objFSO, objInputFile, objRootDSE, objContainer, objComputer\n\u0026#39;**************************************************************************\n\u0026#39;**************************************************************************\n\u0026#39;Configuration\n\u0026#39;**************************************************************************\nstrInputFile = \u0026#34;input.csv\u0026#34; \u0026#39;specifies name of csv input file\nstrOU = \u0026#34;OU=YourOU,OU=YourOU,OU=YourOU,\u0026#34; \u0026#39;The root will be appended
\u0026#39;**************************************************************************\n\u0026#39;**************************************************************************\n\u0026#39;Global Object Initialization\n\u0026#39;**************************************************************************\nSet objFSO = CreateObject(\u0026#34;Scripting.FileSystemObject\u0026#34;)\nSet objInputFile = objFSO.OpenTextFile(strInputFile, ForReading)\nSet objRootDSE = GetObject(\u0026#34;LDAP://rootDSE\u0026#34;)\nSet objContainer = GetObject(\u0026#34;LDAP://\u0026#34; \u0026amp; strOU \u0026amp; objRootDSE.Get(\u0026#34;defaultNamingContext\u0026#34;))\n\u0026#39;**************************************************************************\n\u0026#39;**************************************************************************\n\u0026#39;Main Script Execution\n\u0026#39;**************************************************************************\nDo Until objInputFile.AtEndOfStream\n    on error resume next\n    err.Clear\n    \u0026#39;each csv line is: computername,description\n    arrTemp = Split(objInputFile.Readline, \u0026#34;,\u0026#34;, -1, 1)\n    if err \u0026lt;\u0026gt; 0 then\n        wscript.echo \u0026#34;Error reading line from input file.\u0026#34;\n        err.Clear\n    end if\n    set objComputer = objContainer.Create(\u0026#34;Computer\u0026#34;, \u0026#34;cn=\u0026#34; \u0026amp; arrTemp(0))\n    if err \u0026lt;\u0026gt; 0 then\n        wscript.echo \u0026#34;Error creating computer account \u0026#34; \u0026amp; arrTemp(0)\n        err.Clear\n    end if\n    objComputer.Put \u0026#34;sAMAccountName\u0026#34;, arrTemp(0) \u0026amp; \u0026#34;$\u0026#34;\n    objComputer.Put \u0026#34;description\u0026#34;, arrTemp(1)\n    objComputer.Put \u0026#34;userAccountControl\u0026#34;, ADS_UF_WORKSTATION_TRUST_ACCOUNT\n    objComputer.SetInfo\n    if err \u0026lt;\u0026gt; 0 then\n        wscript.echo \u0026#34;Error creating computer account \u0026#34; \u0026amp; arrTemp(0)\n        err.Clear\n    end if\n    set objComputer = nothing\n    on error goto 0\nLoop\nobjInputFile.Close\nset objFSO = nothing\nset objInputFile = nothing\nset objRootDSE = nothing\n
\u0026#39;************************************************************************** ","date":"February 9, 2013","externalUrl":null,"permalink":"/posts/creating-ad-computer-accounts-from-a-csv/","section":"Blog","summary":"This is an updated script that creates computer accounts in Active Directory. This script uses a comma separated values file as an input instead of two text files.\n'**************************************Heading********************************* 'create.vbs ' 'Jason Hofferle '04/12/2007 ' 'Script to create AD computer accounts from file '****************************************************************************** option explicit '************************************************************************** 'Variable Declarations '************************************************************************** Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = \u0026h1000 Const ForReading = 1 dim strInputFile, strOU dim arrTemp dim objFSO, objInputFile, objRootDSE, objContainer, objComputer '************************************************************************** '************************************************************************** 'Configuration '************************************************************************** strInputFile = \"input.csv\" 'specifies name of csv input file strOU = \"OU=YourOU,OU=YourOU,OU=YourOU,\" 'The root will be appended '************************************************************************** '************************************************************************** 'Global Object Initialization '************************************************************************** Set objFSO = CreateObject(\"Scripting.FileSystemObject\") Set objInputFile = objFSO.OpenTextFile(strInputFile, ForReading) Set objRootDSE = GetObject(\"LDAP://rootDSE\") Set objContainer = GetObject(\"LDAP://\" \u0026 strOU \u0026 objRootDSE.Get(\"defaultNamingContext\")) '************************************************************************** 
'************************************************************************** 'Main Script Execution '************************************************************************** Do Until objInputFile.AtEndOfStream on error resume next err.Clear arrTemp = Split(objInputFile.Readline, \",\", -1, 1) if err \u003c\u003e 0 then wscript.echo \"Error reading line from input file.\" err.Clear end if set objComputer = objContainer.Create(\"Computer\", \"cn=\" \u0026 arrTemp(0)) if err \u003c\u003e 0 then wscript.echo \"Error creating computer account \" \u0026 arrTemp(0) err.Clear end if objComputer.Put \"sAMAccountName\", arrTemp(0) \u0026 \"$\" objComputer.Put \"description\", arrTemp(1) objComputer.Put \"userAccountControl\", ADS_UF_WORKSTATION_TRUST_ACCOUNT objComputer.SetInfo if err \u003c\u003e 0 then wscript.echo \"Error creating computer account \" \u0026 arrTemp(0) err.Clear end if set objComputer = nothing on error goto 0 Loop objInputFile.Close set objFSO = nothing set objInputFile = nothing set objRootDSE = nothing '**************************************************************************","title":"Creating AD computer accounts from a CSV","type":"posts"},{"content":"","date":"February 9, 2013","externalUrl":null,"permalink":"/categories/vbs/","section":"Categories","summary":"","title":"VBS","type":"categories"},{"content":" List of Control Panel Commands in Windows 8, 7, Vista, and XP\nSometimes it\u0026rsquo;s easier, or maybe even necessary, to open a Control Panel applet from a command line in Windows. Each Control Panel applet can be opened by executing a command; you just have to know what that command is. Control Panel itself can be accessed by executing control from a command line in Windows 8, Windows 7, Windows Vista, and Windows XP. 
If you want a way to start a Control Panel applet from a script or from the Command Prompt, the following list of commands for Control Panel applets should help: Note: See my List of Control Panel Applets in Windows for Control Panel applet descriptions and information about changes in applets between the Windows operating systems.\nControl Panel Command Line Commands in Windows # Control Panel Applet Command OS Accessibility Options control access.cpl XP Action Center control /name Microsoft.ActionCenter 8, 7 control wscui.cpl 8, 7 Add Features to Windows 8 control /name Microsoft.WindowsAnytimeUpgrade 8 Add Hardware control /name Microsoft.AddHardware Vista control hdwwiz.cpl XP Add or Remove Programs control appwiz.cpl XP Administrative Tools control /name Microsoft.AdministrativeTools 8, 7, Vista control admintools 8, 7, Vista, XP Automatic Updates control wuaucpl.cpl XP AutoPlay control /name Microsoft.AutoPlay 8, 7, Vista Backup and Restore Center control /name Microsoft.BackupAndRestoreCenter Vista Backup and Restore control /name Microsoft.BackupAndRestore 7 Biometric Devices control /name Microsoft.BiometricDevices 8, 7 BitLocker Drive Encryption control /name Microsoft.BitLockerDriveEncryption 8, 7, Vista Bluetooth Devices control bthprops.cpl13 8, 7, Vista control /name Microsoft.BluetoothDevices Vista Color Management control /name Microsoft.ColorManagement 8, 7, Vista Color1 WinColor.exe2 XP Credential Manager control /name Microsoft.CredentialManager 8, 7 Client Service for NetWare control nwc.cpl XP Date and Time control /name Microsoft.DateAndTime 8, 7, Vista control timedate.cpl 8, 7, Vista control date/time 8, 7, Vista, XP Default Location control /name Microsoft.DefaultLocation 7 Default Programs control /name Microsoft.DefaultPrograms 8, 7, Vista Desktop Gadgets control /name Microsoft.DesktopGadgets 7 Device Manager control /name Microsoft.DeviceManager 8, 7, Vista control hdwwiz.cpl 8, 7, Vista devmgmt.msc 8, 7, Vista, XP3 Devices and Printers 
control /name Microsoft.DevicesAndPrinters 8, 7 control printers 8, 7 Display control /name Microsoft.Display 8, 7 control desk.cpl XP control desktop XP Ease of Access Center control /name Microsoft.EaseOfAccessCenter 8, 7, Vista control access.cpl 8, 7, Vista Family Safety control /name Microsoft.ParentalControls 8 File History control /name Microsoft.FileHistory 8 Flash Player Settings Manager control flashplayercplapp.cpl 8 Folder Options control /name Microsoft.FolderOptions 8, 7, Vista control folders 8, 7, Vista, XP Fonts control /name Microsoft.Fonts 8, 7, Vista control fonts 8, 7, Vista, XP Game Controllers control /name Microsoft.GameControllers 8, 7, Vista control joy.cpl 8, 7, Vista, XP Get Programs control /name Microsoft.GetPrograms 8, 7, Vista Getting Started control /name Microsoft.GettingStarted 7 Home Group control /name Microsoft.HomeGroup 8, 7 Indexing Options control /name Microsoft.IndexingOptions 8, 7, Vista rundll32.exe shell32.dll,Control_RunDLL srchadmin.dll 8, 7, Vista, XP Infrared control /name Microsoft.Infrared 8, 7 control irprops.cpl 8, 7, Vista control /name Microsoft.InfraredOptions Vista Internet Options control /name Microsoft.InternetOptions 8, 7, Vista control inetcpl.cpl 8, 7, Vista, XP iSCSI Initiator control /name Microsoft.iSCSIInitiator 8, 7, Vista Keyboard control /name Microsoft.Keyboard 8, 7, Vista control keyboard 8, 7, Vista, XP Language control /name Microsoft.Language 8 Location and Other Sensors control /name Microsoft.LocationAndOtherSensors 7 Location Settings control /name Microsoft.LocationSettings 8 Mail4 control mlcfg32.cpl5 8, 7, Vista, XP Mouse control /name Microsoft.Mouse 8, 7, Vista control main.cpl 8, 7, Vista control mouse 8, 7, Vista, XP Network and Sharing Center control /name Microsoft.NetworkAndSharingCenter 8, 7, Vista Network Connections control ncpa.cpl 8, 7, Vista control netconnections 8, 7, Vista, XP Network Setup Wizard control netsetup.cpl 8, 7, Vista, XP Notification Area Icons control 
/name Microsoft.NotificationAreaIcons 8, 7 ODBC Data Source Administrator control odbccp32.cpl XP6 Offline Files control /name Microsoft.OfflineFiles 8, 7, Vista Parental Controls control /name Microsoft.ParentalControls 7, Vista Pen and Input Devices control /name Microsoft.PenAndInputDevices Vista control tabletpc.cpl Vista Pen and Touch control /name Microsoft.PenAndTouch 8, 7 control tabletpc.cpl 8, 7 People Near Me control /name Microsoft.PeopleNearMe 7, Vista control collab.cpl 7, Vista Performance Information and Tools control /name Microsoft.PerformanceInformationAndTools 8, 7, Vista Personalization control /name Microsoft.Personalization 8, 7, Vista control desktop 8, 7, Vista Phone and Modem Options control /name Microsoft.PhoneAndModemOptions Vista control telephon.cpl Vista, XP Phone and Modem control /name Microsoft.PhoneAndModem 8, 7 control telephon.cpl 8, 7 Power Options control /name Microsoft.PowerOptions 8, 7, Vista control powercfg.cpl 8, 7, Vista, XP Printers and Faxes control printers XP Printers control /name Microsoft.Printers Vista control printers Vista Problem Reports and Solutions control /name Microsoft.ProblemReportsAndSolutions Vista Programs and Features control /name Microsoft.ProgramsAndFeatures 8, 7, Vista control appwiz.cpl 8, 7, Vista Recovery control /name Microsoft.Recovery 8, 7 Region control /name Microsoft.RegionAndLanguage 8 control intl.cpl 8 control international 8 Region and Language control /name Microsoft.RegionAndLanguage 7 control intl.cpl 7 control international 7 Regional and Language Options control /name Microsoft.RegionalAndLanguageOptions Vista control intl.cpl Vista control international Vista, XP RemoteApp and Desktop Connections control /name Microsoft.RemoteAppAndDesktopConnections 8, 7 Scanners and Cameras control /name Microsoft.ScannersAndCameras 8, 7, Vista control sticpl.cpl XP Scheduled Tasks control schedtasks XP7 Screen Resolution control desk.cpl 8, 7 Security Center control /name 
Microsoft.SecurityCenter Vista control wscui.cpl XP Software Explorers8 msascui.exe9 XP Sound control /name Microsoft.Sound 8, 7 control /name Microsoft.AudioDevicesAndSoundThemes Vista control mmsys.cpl 8, 7, Vista Sounds and Audio Devices control mmsys.cpl XP Speech Recognition Options control /name Microsoft.SpeechRecognitionOptions Vista Speech Recognition control /name Microsoft.SpeechRecognition 8, 7 Speech control sapi.cpl10 XP Storage Spaces control /name Microsoft.StorageSpaces 8 Sync Center control /name Microsoft.SyncCenter 8, 7, Vista System control /name Microsoft.System 8, 7, Vista control sysdm.cpl XP System Properties control sysdm.cpl 8, 7, Vista Tablet PC Settings control /name Microsoft.TabletPCSettings 8, 7, Vista Task Scheduler7 control schedtasks 8, 7, Vista Taskbar control /name Microsoft.Taskbar 8 rundll32.exe shell32.dll,Options_RunDLL 1 8 Taskbar and Start Menu control /name Microsoft.TaskbarAndStartMenu 7, Vista rundll32.exe shell32.dll,Options_RunDLL 1 7, Vista, XP Text to Speech control /name Microsoft.TextToSpeech 8, 7, Vista Troubleshooting control /name Microsoft.Troubleshooting 8, 7 User Accounts control /name Microsoft.UserAccounts 8, 7, Vista control userpasswords 8, 7, Vista, XP Welcome Center control /name Microsoft.WelcomeCenter Vista Windows 7 File Recovery control /name Microsoft.BackupAndRestore 8 Windows Anytime Upgrade control /name Microsoft.WindowsAnytimeUpgrade 7, Vista Windows CardSpace control /name Microsoft.CardSpace 7, Vista control infocardcpl.cpl 7, Vista Windows Defender control /name Microsoft.WindowsDefender 8, 7, Vista11 Windows Firewall control /name Microsoft.WindowsFirewall 8, 7, Vista control firewall.cpl 8, 7, Vista, XP Windows Marketplace control /name Microsoft.GetProgramsOnline Vista Windows Mobility Center control /name Microsoft.MobilityCenter 8, 7, Vista Windows Sidebar Properties control /name Microsoft.WindowsSidebarProperties Vista Windows SideShow control /name Microsoft.WindowsSideShow 8,7, 
Vista Windows Update control /name Microsoft.WindowsUpdate 8, 7, Vista12 Wireless Link control irprops.cpl XP Wireless Network Setup Wizard ? XP [1] Color is not available by default but is available for free from Microsoft here. [2] WinColor.exe must be run from the C:\\Program Files\\Pro Imaging Powertoys\\Microsoft Color Control Panel Applet for Windows XP folder. [3] I\u0026rsquo;ve listed Device Manager here because it\u0026rsquo;s such a commonly used feature of Windows but please know that it is not a true Control Panel applet in Windows XP. See How To Open Windows XP Device Manager for more information. [4] The Mail applet is only available if a version of Microsoft Office Outlook is installed. [5] The control mlcfg32.cpl command must be run from the C:\\Program Files\\Microsoft Office\\OfficeXX folder, replacing OfficeXX with the folder pertaining to the Microsoft Office version you have installed. [6] ODBC Data Source Administrator was removed from Control Panel after Windows XP but is still available from Administrative Tools. [7] In Windows 8, 7, and Vista, task scheduling is performed by Task Scheduler which is not directly accessible from Control Panel. However, executing this command in those versions of Windows will forward to Task Scheduler. [8] Software Explorers is the name for the Control Panel applet for Windows Defender, available for free from Microsoft here. [9] Msascui.exe must be run from the C:\\Program Files\\Windows Defender folder. [10] The control sapi.cpl command must be run from the C:\\Program Files\\Common Files\\Microsoft Shared\\Speech folder. [11] Windows Defender is available in Windows XP but the Control Panel applet is instead called Software Explorers. [12] Windows Update is also used in Windows XP but only via the Windows Update website, not via a Control Panel applet like in later versions of Windows. [13] In Windows 8, bthprops.cpl opens Devices in PC Settings which will list any Bluetooth Devices. 
In Windows 7, bthprops.cpl opens the Bluetooth Devices list under Devices and Printers. In Windows Vista, bthprops.cpl opens a true Control Panel applet called Bluetooth Devices.\n","date":"February 8, 2013","externalUrl":null,"permalink":"/posts/command-line-commands-for-control-panel-applets/","section":"Blog","summary":" List of Control Panel Commands in Windows 8, 7, Vista, and XP\nSometimes it’s easier, or maybe even necessary, to open a Control Panel applet from a command line in Windows. Each Control Panel applet can be opened by executing a command; you just have to know what that command is. Control Panel itself can be accessed by executing control from a command line in Windows 8, Windows 7, Windows Vista, and Windows XP. If you want a way to start a Control Panel applet from a script or from the Command Prompt, the following list of commands for Control Panel applets should help: Note: See my List of Control Panel Applets in Windows for Control Panel applet descriptions and information about changes in applets between the Windows operating systems.\n","title":"Command Line Commands for Control  Panel Applets","type":"posts"},{"content":"http://technet.microsoft.com/en-us/library/cc786409%28WS.10%29.aspx\n","date":"February 2, 2013","externalUrl":null,"permalink":"/posts/disable-win-l-on-client/","section":"Blog","summary":"http://technet.microsoft.com/en-us/library/cc786409%28WS.10%29.aspx\n","title":"Disable Win+L on client","type":"posts"},{"content":"","date":"January 31, 2013","externalUrl":null,"permalink":"/categories/cisco/","section":"Categories","summary":"","title":"Cisco","type":"categories"},{"content":"Enable Session \u0026gt; Logging in PuTTY via the connection properties, then run term len 0 and sh run. This way the whole config is written out without having to press for the next page; then stop logging and you have your file. 
To get paging back, type: term len 25. PuTTY saves a header with the date and time at the beginning; after that you have a clean text file.\n","date":"January 31, 2013","externalUrl":null,"permalink":"/posts/get-cisco-config-through-putty/","section":"Blog","summary":"Enable Session \u003e Logging in PuTTY via the connection properties, then run term len 0 and sh run. This way the whole config is written out without having to press for the next page; then stop logging and you have your file. To get paging back, type: term len 25. PuTTY saves a header with the date and time at the beginning; after that you have a clean text file.\n","title":"get Cisco config through putty","type":"posts"},{"content":"","date":"January 23, 2013","externalUrl":null,"permalink":"/categories/dfs/","section":"Categories","summary":"","title":"DFS","type":"categories"},{"content":"There is a very well known “trick” to hide shares with Windows and that is to put a $ sign at the end of the share name. The problem is that this doesn’t work if you are using DFS Namespaces (DFSN). The reason why it doesn’t work is because DFSN doesn’t advertise shares – it advertises folders and there is an underlying mechanism to transparently redirect computers trying to connect to those folders to the underpinning shares. So if you have folders in your DFS Namespace that you want to hide just as if they were a share, how do you do it? The answer lies in the fact that they are, indeed, folders. Go to the DFSN root server and open up the folder for your namespace. Right-click on the folder you want to hide and choose Properties. Then select the Hidden attribute and click OK. You will be asked if you want to apply the change to this folder only or to this folder, subfolders and files. You only need to apply the change to this folder only. Be mindful of the fact, though, that this trick of hiding the folders only works so long as users aren’t showing hidden files and folders on their computers. If they are, these folders will still show up. 
To make it even harder for users to find these “hidden” folders, it is necessary to set the System attribute on the folder. This then prevents the folders from being seen unless the user has unticked “Hide protected operating system files”. Setting the system attribute on a folder requires the use of the attrib command with a very specific sequence of flags: attrib -r +h +s \u0026lt;folder path\u0026gt; The -r flag removes the read-only setting which is normally used by Windows on folders as an indicator that the folder might have customisation on it. Since we are talking about folders in the DFS Namespace, that isn’t going to apply here. The +h flag applies the hidden setting. You need to do this as part of the same command as +s in order to make sure that the folder does actually get hidden and not just set as a system folder. You cannot apply the hidden flag after the folder has got the system flag set. The +s flag applies the system setting. Source\n","date":"January 23, 2013","externalUrl":null,"permalink":"/posts/how-to-hide-shared-folders-under-dfs-namespaces/","section":"Blog","summary":"There is a very well known “trick” to hide shares with Windows and that is to put a $ sign at the end of the share name. The problem is that this doesn’t work if you are using DFS Namespaces (DFSN). The reason why it doesn’t work is because DFSN doesn’t advertise shares – it advertises folders and there is an underlying mechanism to transparently redirect computers trying to connect to those folders to the underpinning shares. So if you have folders in your DFS Namespace that you want to hide just as if they were a share, how do you do it? The answer lies in the fact that they are, indeed, folders. Go to the DFSN root server and open up the folder for your namespace. Right-click on the folder you want to hide and choose Properties. Then select the Hidden attribute and click OK. 
You will be asked if you want to apply the change to this folder only or to this folder, subfolders and files. You only need to apply the change to this folder only. Be mindful of the fact, though, that this trick of hiding the folders only works so long as users aren’t showing hidden files and folders on their computers. If they are, these folders will still show up. To make it even harder for users to find these “hidden” folders, it is necessary to set the System attribute on the folder. This then prevents the folders from being seen unless the user has unticked “Hide protected operating system files”. Setting the system attribute on a folder requires the use of the attrib command with a very specific sequence of flags: attrib -r +h +s \u003cfolder path\u003e The -r flag removes the read-only setting which is normally used by Windows on folders as an indicator that the folder might have customisation on it. Since we are talking about folders in the DFS Namespace, that isn’t going to apply here. The +h flag applies the hidden setting. You need to do this as part of the same command as +s in order to make sure that the folder does actually get hidden and not just set as a system folder. You cannot apply the hidden flag after the folder has got the system flag set. The +s flag applies the system setting. 
Source\n","title":"How to hide shared folders under DFS Namespaces","type":"posts"},{"content":"QNAP - Headphones Updating:\n/etc/init.d/Headphones.sh stop\ncd /share/MD0_DATA/.qpkg/Headphones/\nmv headphones/__init__.py headphones/__init__.py.bak\ngit remote set-url origin git://github.com/rembo10/headphones.git\ngit pull\ngit checkout master\n/etc/init.d/Headphones.sh start\nrm -rf headphones/__init__.py.bak ","date":"January 1, 2013","externalUrl":null,"permalink":"/posts/headphones/","section":"Blog","summary":"QNAP - Headphones Updating:\n/etc/init.d/Headphones.sh stop\ncd /share/MD0_DATA/.qpkg/Headphones/\nmv headphones/__init__.py headphones/__init__.py.bak\ngit remote set-url origin git://github.com/rembo10/headphones.git\ngit pull\ngit checkout master\n/etc/init.d/Headphones.sh start\nrm -rf headphones/__init__.py.bak ","title":"Headphones","type":"posts"},{"content":"","date":"January 1, 2013","externalUrl":null,"permalink":"/categories/qnap/","section":"Categories","summary":"","title":"QNAP","type":"categories"},{"content":"How to place FSMO and Global Catalog roles in Active Directory During installation of Active Directory on a Windows Server 2000/2003/2008 all FSMO roles will automatically be installed on the first server. But Best Practice dictates to move some of these Flexible Single Master of Operation (FSMO) roles to separate servers. If you only have one domain controller (not recommended), there is nothing to do since all roles must be on this server, but if you have multiple servers you should move some of these roles on to more servers. It is also important to be aware of what servers are Global Catalog servers, especially if you have more than one domain and even if only one domain, they will be preferred by applications like Exchange server. It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. 
If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server. Recommended Best Practice setup of FSMO roles. Domain Controller #1 Place the two forest roles on this server.\nSchema Master Domain Master Domain Controller #2 Place the domain roles on this server.\nRID Master Infrastructure Master PDC Emulator If more domains exist in the forest, place the domain roles on a server in these domains like Domain Controller #2 Global Catalog configuration. In Windows 2008 Active Directory all Domain Controllers are by default Global Catalog servers; personally I would recommend using the same configuration in most Active Directory Setups, unless special needs and loads with multiple domains and quite a few Domain Controllers exist. Remember: do not place the Infrastructure Master FSMO role on a server with Global Catalog enabled, unless ALL Domain Controllers are Global Catalog enabled! Global Catalog servers have information about their own domain and a subset of often used information from all domains in the forest. This allows a Global Catalog Domain Controller to give information about other domains in the forest much faster to the client. It also means the server will use more resources (mostly memory) in a multiple domain configuration. Tools to administer FSMO roles. FSMO roles can be administered from a GUI in the Active Directory tools or from command line with the NTDSUTIL command. If a Domain Controller is down and unable to be restored, only NTDSUTIL can be used to Seize the role on to a new server. Microsoft have a guide to doing this here: http://support.microsoft.com/kb/324801 Global Catalog settings can be administered with the Active Directory Sites \u0026amp; Services GUI, by selecting Sites/SiteName/Servers/ServerName, right click NTDS Settings and select Properties, on the General Tab click to enable or disable Global Catalog. 
Microsoft have a guide to doing this here: http://support.microsoft.com/kb/313994 List FSMO Roles (NETDOM)\nnetdom query /domain:\u0026lt;domain\u0026gt; fsmo List FSMO Roles (NTDSUTIL)\nOn any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK. Type roles, and then press ENTER. Type connections, and then press ENTER. Type connect to server \u0026lt;servername\u0026gt;, where \u0026lt;servername\u0026gt; is the name of the server you want to use, and then press ENTER. At the server connections: prompt, type q, and then press ENTER again. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again. At the select operation target: prompt, type List roles for connected server, and then press ENTER again. Type q 3 times to exit the Ntdsutil prompt. Transferring the FSMO Roles via Ntdsutil To transfer the FSMO roles from the Ntdsutil command: Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.\nOn any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\\WINDOWS\u0026gt;ntdsutil ntdsutil: Type roles, and then press ENTER. ntdsutil: roles fsmo maintenance: Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.\nType connections, and then press ENTER. fsmo maintenance: connections server connections: Type connect to server \u0026lt;servername\u0026gt;, where \u0026lt;servername\u0026gt; is the name of the server you want to use, and then press ENTER. server connections: connect to server server100 Binding to server100 ... Connected to server100 using credentials of locally logged on user. server connections: At the server connections: prompt, type q, and then press ENTER again. server connections: q fsmo maintenance: Type transfer \u0026lt;role\u0026gt;. 
where \u0026lt;role\u0026gt; is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master: Options are:\nTransfer naming master Transfer infrastructure master Transfer PDC Transfer RID master Transfer schema master You will receive a warning window asking if you want to perform the transfer. Click on Yes. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe. Restart the server and make sure you update your backup. ","date":"December 29, 2012","externalUrl":null,"permalink":"/posts/fsmo/","section":"Blog","summary":"How to place FSMO and Global Catalog roles in Active Directory During installation of Active Directory on a Windows Server 2000/2003/2008 all FSMO roles will automatically be installed on the first server. But Best Practice dictates to move some of these Flexible Single Master of Operation (FSMO) roles to separate servers. If you only have one domain controller (not recommended), there is nothing to do since all roles must be on this server, but if you have multiple servers you should move some of these roles on to more servers. It is also important to be aware of what servers are Global Catalog servers, especially if you have more than one domain and even if only one domain, they will be preferred by applications like Exchange server. It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server. Recommended Best Practice setup of FSMO roles. Domain Controller #1 Place the two forest roles on this server.\n","title":"FSMO","type":"posts"},{"content":" Getting Ready # Install Windows 7 from scratch on to your test machine. DO NOT upgrade from Windows XP, this needs to be a fresh install. 
Customise Windows 7 with any software, security settings or general settings you wish. When you install from this image all the settings as well as user accounts will be installed by default. Install WAIK for 7/2008 on the test PC. Download from here (1.7GB). Create WINPE Disk # Right click command prompt run as admin Change to directory “C:\\Program Files\\Windows AIK\\Tools\\PETools” run command “copype x86 c:\\winpe” run command “imagex /mountrw c:\\winpe\\winpe.wim 1 c:\\winpe\\mount” copy imagex.exe from “C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe” to “c:\\winpe\\mount\\windows\\system32” Create wimscript.ini in “c:\\winpe\\mount\\windows\\system32” with following inside [ExclusionList] ntfs.log hiberfil.sys pagefile.sys \u0026quot;System Volume Information\u0026quot; RECYCLER \\Windows\\CSC [CompressionExclusionList] *.mp3 *.zip *.cab \\WINDOWS\\inf\\*.pnf Run Command “imagex.exe /unmount /commit c:\\winpe\\mount” Run Command “copy c:\\winpe\\winpe.wim c:\\winpe\\iso\\sources\\boot.wim /y” Run Command “oscdimg -n -h -bc:\\winpe\\etfsboot.com c:\\winpe\\iso c:\\winpe\\winpe.iso” This will create an ISO in c:\\winpe\\winpe.iso. Burn this and keep. Now we need to sysprep our machine. (You can remove WAIK and any files you don’t need, test your iso first!) Sysprep Your Machine\nchange to the folder “c:\\windows\\system32\\sysprep” run command “sysprep /generalize /oobe /shutdown” If you want to run an unattended installation you can run the following command sysprep /generalize /oobe /shutdown /unattend:unattend.xml (The unattend.xml will need to be in the sysprep folder). Check out the unattend.xml generator Sysprep will remove any unique information and reseal the OS. Then the system will shut down Now boot the ISO we created previously and load into WinPE Capture Image # Once WinPE is booted you will be in a Command Prompt window Run Command “diskpart” Run Command “select disk 0” Run Command “list volume” Note the letter of the drive you are imaging. 
C: in WinPE is set as the running OS not as the internal HDD Run Command “exit” Run Command “imagex /capture d: d:\\install.wim \u0026quot;My Windows partition\u0026quot;” where d: is the drive you are copying This will create a file called install.wim in the root of your HDD. This is the custom image and will need to be added to the Windows 7 Install DVD Create Installation Media # You will probably need to install from USB as the image will probably be too large for a DVD. Here is a guide for Windows 7 USB Install overwrite install.wim to sources on the windows 7 install source If you didn’t use the sysprep to include unattend.xml you can also add it directly to the root of the install media. You can easily Generate an unattend.xml here Install Windows 7 as normal. Your changes will be installed along with Windows 7\nSource\n","date":"December 4, 2012","externalUrl":null,"permalink":"/posts/how-to-image-sysprep-and-deploy-windows-7-a-complete-guide-using-sysprep-and-imagex/","section":"Blog","summary":"Getting Ready # Install Windows 7 from scratch on to your test machine. DO NOT upgrade from Windows XP, this needs to be a fresh install. Customise Windows 7 with any software, security settings or general settings you wish. When you install from this image all the settings as well as user accounts will be installed by default. Install WAIK for 7/2008 on the test PC. Download from here (1.7GB). 
Create WINPE Disk # Right click command prompt run as admin Change to directory “C:\\Program Files\\Windows AIK\\Tools\\PETools” run command “copype x86 c:\\winpe” run command “imagex /mountrw c:\\winpe\\winpe.wim 1 c:\\winpe\\mount” copy imagex.exe from “C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe” to “c:\\winpe\\mount\\windows\\system32” Create wimscript.ini in “c:\\winpe\\mount\\windows\\system32” with following inside [ExclusionList] ntfs.log hiberfil.sys pagefile.sys \"System Volume Information\" RECYCLER \\Windows\\CSC [CompressionExclusionList] *.mp3 *.zip *.cab \\WINDOWS\\inf\\*.pnf Run Command “imagex.exe /unmount /commit c:\\winpe\\mount” Run Command “copy c:\\winpe\\winpe.wim c:\\winpe\\iso\\sources\\boot.wim /y” Run Command “oscdimg -n -h -bc:\\winpe\\etfsboot.com c:\\winpe\\iso c:\\winpe\\winpe.iso” This will create an ISO in c:\\winpe\\winpe.iso. Burn this and keep. Now we need to sysprep our machine. (You can remove WAIK and any files you don’t need, test your iso first!) Sysprep Your Machine\n","title":"How To Image, Sysprep and Deploy Windows 7 a Complete Guide – Using sysprep and Imagex","type":"posts"},{"content":"ReceiverInstall.exe /addlocal=\u0026quot;ICA_Client,ReceiverInside,SSON,Flash,USB,DesktopViewer,HDX,Vd3d\u0026quot;\n","date":"November 28, 2012","externalUrl":null,"permalink":"/posts/citrix-receiver-3.3-installatie/","section":"Blog","summary":"ReceiverInstall.exe /addlocal=\"ICA_Client,ReceiverInside,SSON,Flash,USB,DesktopViewer,HDX,Vd3d\"\n","title":"Citrix Receiver 3.3 installation","type":"posts"},{"content":"Best Practices for Oversubscription of CPU, Memory and Storage in vSphere Virtual Environments Pros and cons of oversubscription and how far it should be taken before it becomes dangerous Scott D. 
Lowe http://www.vkernel.com/files/docs/white-papers/vsphere-oversubscription-best-practices.pdf vSphere Oversubscription Best Practices\n","date":"November 28, 2012","externalUrl":null,"permalink":"/posts/oversubscription-pros-cons--how-far-it-should-go-before-it-becomes-dangerous/","section":"Blog","summary":"Best Practices for Oversubscription of CPU, Memory and Storage in vSphere Virtual Environments Pros and cons of oversubscription and how far it should be taken before it becomes dangerous Scott D. Lowe http://www.vkernel.com/files/docs/white-papers/vsphere-oversubscription-best-practices.pdf vSphere Oversubscription Best Practices\n","title":"Oversubscription Pros \u0026 Cons + how far it should go before it becomes dangerous","type":"posts"},{"content":"Windows Crash Dump analysis is a fairly expansive topic that ranges from simple post mortem analysis of small memory dump files to remote debugging of a live system and probing the failure as it occurs in the operating system. This series of posts will cover analysis and troubleshooting of many common failures faced by end users on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8. This specific post examines memory dumps, how to install/use the tools to analyze them, crashes that appear when KeBugCheckEx is called, and initial steps with most dumps. The blue screen of death in Windows 7 and earlier versions of Windows: \u0026ldquo;A problem has been detected and Windows has been shut down to prevent damage to your computer.\u0026rdquo; The blue screen of death in Windows 8 Developer Preview: \u0026ldquo;Your PC ran into a problem that it couldn\u0026rsquo;t handle, and now it needs to restart. You can search for the error online: %s.\u0026rdquo; Why Does Windows Crash? 
# Pundits and comedians aside, Windows crashes to help protect the system from suffering further corruption after a major error occurs with kernel mode code (often device drivers). Bug checks, Blue Screens of Death (BSOD), bugcheck, and stop errors are all words used to describe the same class of unhandled exception that occurs in kernel mode execution and causes the system to shut down (and possibly reboot). The source of the issue can be anything from a power fluctuation in the system to a damaged component or a software/hardware bug. The world is full of good programmers that make errors, and bad programmers that never really get it right. With all of the finger pointing that happens, sometimes it\u0026rsquo;s Microsoft, and sometimes it is the independent hardware or software vendor.\nHow To Collect a Kernel-Mode Crash Dump? # Most modern desktop installations of Windows are configured to collect small memory dumps automatically. Some earlier versions of Windows server create complete dumps by default, and modern server operating systems dump the kernel memory on crash. This is generally configured in the advanced system settings. The easiest way to access these is to click Start, Right Click \u0026ldquo;Computer\u0026rdquo;, select properties and navigate to the Startup and Recovery settings on the advanced tab. Small memory dumps are often sufficient for most post-mortem analysis, but occasionally vendors are interested in kernel memory dumps or full memory dumps where they can use their own debugging symbols to try to identify the source of the problem. Typically vendors do not publish debugging symbols, so the result of most debugging activity on small memory dumps is focused on identifying the misbehaving driver, device, or BIOS to make a change that will alleviate the issue. 
By default, memory dumps are stored in the following locations and have the following paging file requirements (see KB254649).\nMemory Dump Type | Default Location (variable) | Default Location (typical) | Paging File Requirements\nSmall memory dump | %systemroot%\\Minidump | C:\\Windows\\Minidump | At least 2 MB\nKernel memory dump | %systemroot%\\Memory.dmp | C:\\Windows\\Memory.dmp | Large enough to hold kernel memory\nComplete memory dump | %systemroot%\\Memory.dmp | C:\\Windows\\Memory.dmp | All physical RAM + 1 MB\nOnce you have the dump, the question becomes what to do with it. This is where the Debugging Tools for Windows come in handy\u0026hellip;\nGet the Tools\u0026hellip; For Windows 7 and Before\nOlder versions of the Debugging Tools for Windows were distributed as standalone installers, but modern versions are included with the Windows SDK. Currently the SDK comes as an ISO image and as a web-based installer. Installation is fairly straightforward. The only part of the SDK that is needed is the actual Debugging Tools for Windows (pictured in the screenshot below). The debuggers are not tied to the bitness of the host or the target: a 32-bit host can debug a 64-bit target and vice versa. After installation, the symbol path needs to be set so that the debugger has the symbols it needs to determine what actually occurred and what was loaded. The entire public symbol collection can be downloaded and placed on a local drive, or an Internet location can be specified to pull the symbols on demand. My recommendation is to pull them from the Internet, since the correct version of the symbols will be downloaded on demand and will not become outdated by installation of hotfixes and service packs. The instructions on setting the symbol path can be found in KB311503. 
This can be summarized as creating a folder (in my case c:\\Symbols) and setting the environment variable _NT_SYMBOL_PATH = srv*c:\\Symbols*http://msdl.microsoft.com/download/symbols (the srv* prefix means symbols are fetched from the server on demand and cached in the local folder). After this step, debugging can begin.\nGet the Tools\u0026hellip; For Windows 8 and Server 2012\nDownload the latest version of the Windows SDK from Microsoft and launch the installer. Complete the first few screens until you reach the feature selection page of the wizard. All that is needed is the \u0026ldquo;Debugging Tools for Windows\u0026rdquo;.\nLaunch WinDbg and Load Memory Dump\nLaunch WinDbg from the Start menu, then select File -\u0026gt; Open Crash Dump and choose the appropriate .dmp file. From here, the typical starting point is to run the !analyze -v debugger command and look at the error that generated the crash dump. Further troubleshooting depends on the specific error. Some errors may require Driver Verifier to be enabled to determine a root cause.\nPossible Errors\nThe following is a list of \u0026ldquo;standard\u0026rdquo; bug check codes in Windows and links to posts that describe error-specific debugging techniques. This list is available on MSDN and in the built-in debugger help file (Debugging Tools for Windows -\u0026gt; Debugging Techniques -\u0026gt; Bug Checks (Blue Screens) -\u0026gt; Bug Check Code Reference). I will update links as I make more posts showing live examples.\n
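Before the list, an added example that is not part of the original post: the symbol-path setting and the !analyze -v step above, scripted with kd.exe (the console kernel debugger that ships alongside WinDbg in the Debugging Tools) so that a folder of minidumps can be triaged in one pass and the bug check names below can be matched across many crashes. The kd.exe location, the dump folder and the output folder are assumptions set at the top of the script and should be adjusted to the local install; the symbol server URL is the https form of the one above.

```powershell
# Added example, not code from the original post: set the symbol path described
# above and run !analyze -v non-interactively over a folder of dumps with kd.exe,
# then collect the output lines that identify each crash.
# Assumptions (adjust to your install): kd.exe lives under the Windows Kits
# Debuggers folder, the dumps are in $DumpDir, and msdl.microsoft.com is
# reachable so symbols can be downloaded on demand.

$KdPath      = [IO.Path]::Combine(${env:ProgramFiles(x86)}, 'Windows Kits', '10', 'Debuggers', 'x64', 'kd.exe')
$DumpDir     = Join-Path $env:SystemRoot 'Minidump'
$OutDir      = Join-Path $env:TEMP 'dump-triage'
$SymbolCache = Join-Path $env:SystemDrive 'Symbols'

if (-not (Test-Path $KdPath)) { throw ('kd.exe not found at {0}' -f $KdPath) }
New-Item -ItemType Directory -Path $OutDir, $SymbolCache -Force | Out-Null

# srv*cache*server: symbols are fetched on demand and cached locally, so they
# never go stale after a hotfix or service pack (same form as KB311503).
$env:_NT_SYMBOL_PATH = 'srv*{0}*https://msdl.microsoft.com/download/symbols' -f $SymbolCache

# Pull the fields !analyze -v prints that name the bugcheck and the suspect image.
function ConvertFrom-AnalyzeOutput {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(BUGCHECK_STR|PROCESS_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID): +(.+)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        } elseif ($line -match '^Probably caused by : (.+)$') {
            $fields['ProbablyCausedBy'] = $matches[1].Trim()
        }
    }
    return $fields
}

$results = foreach ($dump in Get-ChildItem -Path $DumpDir -Filter '*.dmp') {
    $log = Join-Path $OutDir ($dump.BaseName + '.analyze.txt')
    # -z opens the dump, -logo writes a fresh log file, -c runs the commands and quits.
    & $KdPath -z $dump.FullName -logo $log -c '!analyze -v; q' | Out-Null
    $f = ConvertFrom-AnalyzeOutput -Lines (Get-Content -Path $log)
    [pscustomobject]@{
        Dump             = $dump.Name
        BugCheck         = $f['BUGCHECK_STR']
        Process          = $f['PROCESS_NAME']
        Module           = $f['MODULE_NAME']
        Image            = $f['IMAGE_NAME']
        Bucket           = $f['FAILURE_BUCKET_ID']
        ProbablyCausedBy = $f['ProbablyCausedBy']
        Log              = $log
    }
}

$results | Sort-Object Bucket | Format-Table -AutoSize
# The same image or failure bucket recurring across dumps is the usual sign of a bad driver.
$results | Group-Object Image | Sort-Object Count -Descending | Select-Object Count, Name
```

If kd reports that it cannot open a dump, run the script from an elevated prompt. The -c option takes the same commands you would type into WinDbg, so the analysis can be extended, for example to !analyze -v; lm kv; q, to also record loaded modules with version information in each log. The per-dump logs are kept so that a suspect image can be examined in WinDbg afterwards with the full !analyze -v output.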
0x1: APC_INDEX_MISMATCH 0x2: DEVICE_QUEUE_NOT_BUSY 0x3: INVALID_AFFINITY_SET 0x4: INVALID_DATA_ACCESS_TRAP 0x5: INVALID_PROCESS_ATTACH_ATTEMPT 0x6: INVALID_PROCESS_DETACH_ATTEMPT 0x7: INVALID_SOFTWARE_INTERRUPT 0x8: IRQL_NOT_DISPATCH_LEVEL 0x9: IRQL_NOT_GREATER_OR_EQUAL 0xA: IRQL_NOT_LESS_OR_EQUAL 0xB: NO_EXCEPTION_HANDLING_SUPPORT 0xC: MAXIMUM_WAIT_OBJECTS_EXCEEDED 0xD: MUTEX_LEVEL_NUMBER_VIOLATION 0xE: NO_USER_MODE_CONTEXT 0xF: SPIN_LOCK_ALREADY_OWNED 0x10: SPIN_LOCK_NOT_OWNED 0x11: THREAD_NOT_MUTEX_OWNER 0x12: TRAP_CAUSE_UNKNOWN 0x13: EMPTY_THREAD_REAPER_LIST 0x14: CREATE_DELETE_LOCK_NOT_LOCKED 0x15: LAST_CHANCE_CALLED_FROM_KMODE 0x16: CID_HANDLE_CREATION 0x17: CID_HANDLE_DELETION 0x18: REFERENCE_BY_POINTER 0x19: BAD_POOL_HEADER 0x1A: MEMORY_MANAGEMENT 0x1B: PFN_SHARE_COUNT 0x1C: PFN_REFERENCE_COUNT 0x1D: NO_SPIN_LOCK_AVAILABLE 0x1E: KMODE_EXCEPTION_NOT_HANDLED 0x1F: SHARED_RESOURCE_CONV_ERROR 0x20: KERNEL_APC_PENDING_DURING_EXIT 0x21: QUOTA_UNDERFLOW 0x22: FILE_SYSTEM 0x23: FAT_FILE_SYSTEM 0x24: NTFS_FILE_SYSTEM 0x25: NPFS_FILE_SYSTEM 0x26: CDFS_FILE_SYSTEM 0x27: RDR_FILE_SYSTEM 0x28: CORRUPT_ACCESS_TOKEN 0x29: SECURITY_SYSTEM 0x2A: INCONSISTENT_IRP 0x2B: PANIC_STACK_SWITCH 0x2C: PORT_DRIVER_INTERNAL 0x2D: SCSI_DISK_DRIVER_INTERNAL 0x2E: DATA_BUS_ERROR 0x2F: INSTRUCTION_BUS_ERROR 0x30: SET_OF_INVALID_CONTEXT 0x31: PHASE0_INITIALIZATION_FAILED 0x32: PHASE1_INITIALIZATION_FAILED 0x33: UNEXPECTED_INITIALIZATION_CALL 0x34: CACHE_MANAGER 0x35: NO_MORE_IRP_STACK_LOCATIONS 0x36: DEVICE_REFERENCE_COUNT_NOT_ZERO 0x37: FLOPPY_INTERNAL_ERROR 0x38: SERIAL_DRIVER_INTERNAL 0x39: SYSTEM_EXIT_OWNED_MUTEX 0x3A: SYSTEM_UNWIND_PREVIOUS_USER 0x3B: SYSTEM_SERVICE_EXCEPTION 0x3C: INTERRUPT_UNWIND_ATTEMPTED 0x3D: INTERRUPT_EXCEPTION_NOT_HANDLED 0x3E: MULTIPROCESSOR_CONFIGURATION_NOT_SUPPORTED 0x3F: NO_MORE_SYSTEM_PTES 0x40: TARGET_MDL_TOO_SMALL 0x41: MUST_SUCCEED_POOL_EMPTY 0x42: ATDISK_DRIVER_INTERNAL 0x43: NO_SUCH_PARTITION 0x44: MULTIPLE_IRP_COMPLETE_REQUESTS 0x45: 
INSUFFICIENT_SYSTEM_MAP_REGS 0x46: DEREF_UNKNOWN_LOGON_SESSION 0x47: REF_UNKNOWN_LOGON_SESSION 0x48: CANCEL_STATE_IN_COMPLETED_IRP 0x49: PAGE_FAULT_WITH_INTERRUPTS_OFF 0x4A: IRQL_GT_ZERO_AT_SYSTEM_SERVICE 0x4B: STREAMS_INTERNAL_ERROR 0x4C: FATAL_UNHANDLED_HARD_ERROR 0x4D: NO_PAGES_AVAILABLE 0x4E: PFN_LIST_CORRUPT 0x4F: NDIS_INTERNAL_ERROR 0x50: PAGE_FAULT_IN_NONPAGED_AREA 0x51: REGISTRY_ERROR 0x52: MAILSLOT_FILE_SYSTEM 0x53: NO_BOOT_DEVICE 0x54: LM_SERVER_INTERNAL_ERROR 0x55: DATA_COHERENCY_EXCEPTION 0x56: INSTRUCTION_COHERENCY_EXCEPTION 0x57: XNS_INTERNAL_ERROR 0x58: FTDISK_INTERNAL_ERROR 0x59: PINBALL_FILE_SYSTEM 0x5A: CRITICAL_SERVICE_FAILED 0x5B: SET_ENV_VAR_FAILED 0x5C: HAL_INITIALIZATION_FAILED 0x5D: UNSUPPORTED_PROCESSOR 0x5E: OBJECT_INITIALIZATION_FAILED 0x5F: SECURITY_INITIALIZATION_FAILED 0x60: PROCESS_INITIALIZATION_FAILED 0x61: HAL1_INITIALIZATION_FAILED 0x62: OBJECT1_INITIALIZATION_FAILED 0x63: SECURITY1_INITIALIZATION_FAILED 0x64: SYMBOLIC_INITIALIZATION_FAILED 0x65: MEMORY1_INITIALIZATION_FAILED 0x66: CACHE_INITIALIZATION_FAILED 0x67: CONFIG_INITIALIZATION_FAILED 0x68: FILE_INITIALIZATION_FAILED 0x69: IO1_INITIALIZATION_FAILED 0x6A: LPC_INITIALIZATION_FAILED 0x6B: PROCESS1_INITIALIZATION_FAILED 0x6C: REFMON_INITIALIZATION_FAILED 0x6D: SESSION1_INITIALIZATION_FAILED 0x6E: SESSION2_INITIALIZATION_FAILED 0x6F: SESSION3_INITIALIZATION_FAILED 0x70: SESSION4_INITIALIZATION_FAILED 0x71: SESSION5_INITIALIZATION_FAILED 0x72: ASSIGN_DRIVE_LETTERS_FAILED 0x73: CONFIG_LIST_FAILED 0x74: BAD_SYSTEM_CONFIG_INFO 0x75: CANNOT_WRITE_CONFIGURATION 0x76: PROCESS_HAS_LOCKED_PAGES 0x77: KERNEL_STACK_INPAGE_ERROR 0x78: PHASE0_EXCEPTION 0x79: MISMATCHED_HAL 0x7A: KERNEL_DATA_INPAGE_ERROR 0x7B: INACCESSIBLE_BOOT_DEVICE 0x7C: BUGCODE_NDIS_DRIVER 0x7D: INSTALL_MORE_MEMORY 0x7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 0x7F: UNEXPECTED_KERNEL_MODE_TRAP 0x80: NMI_HARDWARE_FAILURE 0x81: SPIN_LOCK_INIT_FAILURE 0x82: DFS_FILE_SYSTEM 0x85: SETUP_FAILURE 0x8B: MBR_CHECKSUM_MISMATCH 0x8E: 
KERNEL_MODE_EXCEPTION_NOT_HANDLED 0x8F: PP0_INITIALIZATION_FAILED 0x90: PP1_INITIALIZATION_FAILED 0x92: UP_DRIVER_ON_MP_SYSTEM 0x93: INVALID_KERNEL_HANDLE 0x94: KERNEL_STACK_LOCKED_AT_EXIT 0x96: INVALID_WORK_QUEUE_ITEM 0x97: BOUND_IMAGE_UNSUPPORTED 0x98: END_OF_NT_EVALUATION_PERIOD 0x99: INVALID_REGION_OR_SEGMENT 0x9A: SYSTEM_LICENSE_VIOLATION 0x9B: UDFS_FILE_SYSTEM 0x9C: MACHINE_CHECK_EXCEPTION 0x9E: USER_MODE_HEALTH_MONITOR 0x9F: DRIVER_POWER_STATE_FAILURE 0xA0: INTERNAL_POWER_ERROR 0xA1: PCI_BUS_DRIVER_INTERNAL 0xA2: MEMORY_IMAGE_CORRUPT 0xA3: ACPI_DRIVER_INTERNAL 0xA4: CNSS_FILE_SYSTEM_FILTER 0xA5: ACPI_BIOS_ERROR 0xA7: BAD_EXHANDLE 0xAB: SESSION_HAS_VALID_POOL_ON_EXIT 0xAC: HAL_MEMORY_ALLOCATION 0xAD: VIDEO_DRIVER_DEBUG_REPORT_REQUEST 0xB4: VIDEO_DRIVER_INIT_FAILURE 0xB8: ATTEMPTED_SWITCH_FROM_DPC 0xB9: CHIPSET_DETECTED_ERROR 0xBA: SESSION_HAS_VALID_VIEWS_ON_EXIT 0xBB: NETWORK_BOOT_INITIALIZATION_FAILED 0xBC: NETWORK_BOOT_DUPLICATE_ADDRESS 0xBE: ATTEMPTED_WRITE_TO_READONLY_MEMORY 0xBF: MUTEX_ALREADY_OWNED 0xC1: SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION 0xC2: BAD_POOL_CALLER 0xC4: DRIVER_VERIFIER_DETECTED_VIOLATION 0xC5: DRIVER_CORRUPTED_EXPOOL 0xC6: DRIVER_CAUGHT_MODIFYING_FREED_POOL 0xC7: TIMER_OR_DPC_INVALID 0xC8: IRQL_UNEXPECTED_VALUE 0xC9: DRIVER_VERIFIER_IOMANAGER_VIOLATION 0xCA: PNP_DETECTED_FATAL_ERROR 0xCB: DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS 0xCC: PAGE_FAULT_IN_FREED_SPECIAL_POOL 0xCD: PAGE_FAULT_BEYOND_END_OF_ALLOCATION 0xCE: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS 0xCF: TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE 0xD0: DRIVER_CORRUPTED_MMPOOL 0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL 0xD2: BUGCODE_ID_DRIVER 0xD3: DRIVER_PORTION_MUST_BE_NONPAGED 0xD4: SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD 0xD5: DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL 0xD6: DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION 0xD7: DRIVER_UNMAPPING_INVALID_VIEW 0xD8: DRIVER_USED_EXCESSIVE_PTES 0xD9: LOCKED_PAGES_TRACKER_CORRUPTION 0xDA: SYSTEM_PTE_MISUSE 
0xDB: DRIVER_CORRUPTED_SYSPTES 0xDC: DRIVER_INVALID_STACK_ACCESS 0xDE: POOL_CORRUPTION_IN_FILE_AREA 0xDF: IMPERSONATING_WORKER_THREAD 0xE0: ACPI_BIOS_FATAL_ERROR 0xE1: WORKER_THREAD_RETURNED_AT_BAD_IRQL 0xE2: MANUALLY_INITIATED_CRASH 0xE3: RESOURCE_NOT_OWNED 0xE4: WORKER_INVALID 0xE6: DRIVER_VERIFIER_DMA_VIOLATION 0xE7: INVALID_FLOATING_POINT_STATE 0xE8: INVALID_CANCEL_OF_FILE_OPEN 0xE9: ACTIVE_EX_WORKER_THREAD_TERMINATION 0xEA: THREAD_STUCK_IN_DEVICE_DRIVER 0xEB: DIRTY_MAPPED_PAGES_CONGESTION 0xEC: SESSION_HAS_VALID_SPECIAL_POOL_ON_EXIT 0xED: UNMOUNTABLE_BOOT_VOLUME 0xEF: CRITICAL_PROCESS_DIED 0xF1: SCSI_VERIFIER_DETECTED_VIOLATION 0xF3: DISORDERLY_SHUTDOWN 0xF4: CRITICAL_OBJECT_TERMINATION 0xF5: FLTMGR_FILE_SYSTEM 0xF6: PCI_VERIFIER_DETECTED_VIOLATION 0xF7: DRIVER_OVERRAN_STACK_BUFFER 0xF8: RAMDISK_BOOT_INITIALIZATION_FAILED 0xF9: DRIVER_RETURNED_STATUS_REPARSE_FOR_VOLUME_OPEN 0xFA: HTTP_DRIVER_CORRUPTED 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY 0xFD: DIRTY_NOWRITE_PAGES_CONGESTION 0xFE: BUGCODE_USB_DRIVER 0xFF: RESERVE_QUEUE_OVERFLOW 0x100: LOADER_BLOCK_MISMATCH 0x101: CLOCK_WATCHDOG_TIMEOUT 0x103: MUP_FILE_SYSTEM 0x104: AGP_INVALID_ACCESS 0x105: AGP_GART_CORRUPTION 0x106: AGP_ILLEGALLY_REPROGRAMMED 0x108: THIRD_PARTY_FILE_SYSTEM_FAILURE 0x109: CRITICAL_STRUCTURE_CORRUPTION 0x10A: APP_TAGGING_INITIALIZATION_FAILED 0x10C: FSRTL_EXTRA_CREATE_PARAMETER_VIOLATION 0x10D: WDF_VIOLATION 0x10E: VIDEO_MEMORY_MANAGEMENT_INTERNAL 0x10F: RESOURCE_MANAGER_EXCEPTION_NOT_HANDLED 0x111: RECURSIVE_NMI 0x112: MSRPC_STATE_VIOLATION 0x113: VIDEO_DXGKRNL_FATAL_ERROR 0x114: VIDEO_SHADOW_DRIVER_FATAL_ERROR 0x115: AGP_INTERNAL 0x116: VIDEO_TDR_ERROR 0x117: VIDEO_TDR_TIMEOUT_DETECTED 0x119: VIDEO_SCHEDULER_INTERNAL_ERROR 0x11A: EM_INITIALIZATION_FAILURE 0x11B: DRIVER_RETURNED_HOLDING_CANCEL_LOCK 0x11C: ATTEMPTED_WRITE_TO_CM_PROTECTED_STORAGE 0x11D: EVENT_TRACING_FATAL_ERROR 0x121: DRIVER_VIOLATION 0x122: WHEA_INTERNAL_ERROR 0x124: WHEA_UNCORRECTABLE_ERROR 0x127: PAGE_NOT_ZERO 0x12B: 
FAULTY_HARDWARE_CORRUPTED_PAGE 0x12C: EXFAT_FILE_SYSTEM 0x144: BUGCODE_USB3_DRIVER 0x1000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M 0x1000007F: UNEXPECTED_KERNEL_MODE_TRAP_M 0x1000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M 0x100000EA: THREAD_STUCK_IN_DEVICE_DRIVER_M 0xC0000135 STATUS_DLL_NOT_FOUND 0xC0000218: STATUS_CANNOT_LOAD_REGISTRY_FILE 0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED 0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH 0xDEADDEAD: MANUALLY_INITIATED_CRASH Source: Mike\u0026rsquo;s Technology and Finance Blog\n","date":"November 19, 2012","externalUrl":null,"permalink":"/posts/windows-crash-dump-analysis/","section":"Blog","summary":"Windows Crash Dump analysis is a fairly expansive topic that ranges from simple post mortem analysis of small memory dump files to remote debugging of a live system and probing the failure as it occurs in the operating system. This series of posts will cover analysis and troubleshooting of many common failures faced by end users on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8. This specific post examines memory dumps, how to install/use the tools to analyze them, crashes that appear when KeBugCheckEx is called, and initial steps with most dumps. The blue screen of death in Windows 7 and earlier versions of Windows: “A problem has been detected and Windows has been shut down to prevent damage to your computer.” The blue screen of death in Windows 8 Developer Preview: “Your PC ran into a problem that it couldn’t handle, and now it needs to restart. You can search for the error online: %s.” ","title":"Windows Crash Dump Analysis","type":"posts"},{"content":"","externalUrl":null,"permalink":"/archives/","section":"Archives","summary":"","title":"Archives","type":"archives"},{"content":"","externalUrl":null,"permalink":"/search/","section":"Search","summary":"","title":"Search","type":"search"}]