This article describes how to enable SSL on XenDesktop 5 controllers to secure XML traffic from Web Interface or Access Gateway, and how to configure Web Interface site to secure the XML traffic. Note: For Access Gateway communication, this secures the Secure Ticket Authority (STA) ticket that uses the XML service as well.
Note: For this article, XenDesktop 5 Service Pack 1 was used along with Web Interface 5.4.
Instructions
From XenDesktop Controller
IIS Installed on XenDesktop Controller
In this scenario, the XenDesktop controller has IIS installed and functioning to serve Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.
There are two ways to generate Server Certificates on IIS 7.x:
Create Certificate Request: This generates a CSR file to be submitted to a third party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to the Microsoft TechNet article – Request an Internet Server Certificate (IIS 7).
Create Domain Certificate: This generates the request and submits it directly to a Microsoft enterprise CA registered in your domain. For more information, refer to the Microsoft TechNet article – Create a Domain Server Certificate on IIS 7.
After the Server Certificate is installed on IIS, add an HTTPS binding so IIS actually listens on the SSL port:
Select the IIS site on which you want to enable HTTPS and select Bindings under Edit Site.
Click Add, select https as the Type, enter 443 as the port number, select the SSL certificate you installed, and click OK.
Open Registry Editor on the XenDesktop Controller and locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer.
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Verify that the XmlServicesSslPort value exists under that key and holds the SSL port. By default, it is set to 443.
To change the XML service SSL port, run the following from an elevated command prompt (BrokerService.exe lives in the Broker Service installation folder, by default C:\Program Files\Citrix\Broker\Service): BrokerService.exe –WiSslPort <port number>, then restart the Citrix Broker Service so the new port takes effect. Note: If you change the XML service port number on the XenDesktop Controller, update the IIS port number under Bindings to match the new value; the broker and IIS must agree on the port or Web Interface will not reach the XML service.
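The IIS procedure above, scripted as an added example (this is not code from the Citrix article). It assumes IIS and its WebAdministration module are present, that the server certificate is already in the Local Computer Personal store, and that the site name and certificate host name below are placeholders you replace with your own. It also performs the check the article asks for: that the broker's XmlServicesSslPort matches the port IIS is bound to.

```powershell
# Added example, not from the Citrix article. Run in an elevated PowerShell on the Controller.
Import-Module WebAdministration

$siteName = 'Default Web Site'      # assumed IIS site name
$hostName = 'ddc01.example.local'   # assumed host name in the certificate subject
$sslPort  = 443

# Pick the newest unexpired certificate with a private key whose subject matches the host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $hostName in Cert:\LocalMachine\My" }

# Add the https binding if it is missing, then attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $sslPort)) {
    New-WebBinding -Name $siteName -Protocol https -Port $sslPort -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $sslPort
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# The broker must use the same SSL port as IIS; warn if the registry value disagrees.
$brokerKey  = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
$xmlSslPort = (Get-ItemProperty -Path $brokerKey -Name XmlServicesSslPort -ErrorAction Stop).XmlServicesSslPort
if ($xmlSslPort -ne $sslPort) {
    Write-Warning ("XmlServicesSslPort is $xmlSslPort but IIS listens on $sslPort. " +
                   "Run 'BrokerService.exe -WiSslPort $sslPort' and restart the Citrix Broker Service.")
}

# Show what HTTP.sys actually has bound on the port (IIS registers the binding here too).
netsh http show sslcert "ipport=0.0.0.0:$sslPort"
```

The final netsh call is the check worth keeping: IIS Manager can show a binding that HTTP.sys never accepted (for example when the certificate has no private key), and the netsh output is what the broker's clients will actually hit.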
IIS is not Installed on XenDesktop Controller
In this scenario, the XenDesktop Controller does not have IIS installed. There are two ways to obtain a Server Certificate for the Controller:
Export an existing Server Certificate from another server in PFX format. When exporting the Server Certificate, make sure you include the private key.
Use the Certreq utility from Microsoft to generate a Certificate Signing Request and submit it to a third party CA or your internal Microsoft CA server. For more information, refer to the Microsoft TechNet article – Certreq.exe Syntax. Note: Always import the PFX server certificate into the XenDesktop Controller's Local Computer certificate store (Personal), not the My user account store; the Broker Service runs as a service and cannot read a user's store.
After the Server Certificate is installed on the XenDesktop Controller, register the SSL certificate for HTTPS on the server. Windows Server 2008 includes the netsh utility, which binds an SSL certificate to a port in HTTP.sys. For more information, refer to the Microsoft MSDN article – How to: Configure a Port with an SSL Certificate.
The command to use is:
netsh http add sslcert ipport=0.0.0.0:<port number> certhash=<certificate thumbprint> appid={XenDesktop Broker Service GUID}
To obtain the certificate hash of a Server Certificate, open Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates and find the subkey for the Server Certificate you want to use; the subkey name is the thumbprint.
Alternatively, open the Server Certificate and, on the Details tab, select Thumbprint; the value with the spaces removed is the certificate hash.
Obtain the GUID of the Citrix Broker Service on the XenDesktop Controller:
Open Registry Editor and select Find.
Search for the words Broker Service. By default, the product key is under HKEY_CLASSES_ROOT\Installer\Products\ (see the following example):
Now that you have the certificate hash and the Citrix Broker Service GUID, you can run the netsh command to bind the SSL certificate to port 443 for the Broker Service. The following example is based on the GUID and certificate hash values taken from the preceding screenshots:
C:\>netsh http add sslcert ipport=10.12.37.231:443 certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}
Note: certhash is the certificate thumbprint with no spaces; appid is the Citrix Broker Service GUID and must include the dashes and braces, otherwise the command fails.
To obtain the GUID from the command line instead of the registry, run the following in an elevated command prompt on the DDC:
wmic product where "Name like 'Citrix Broker Service'" get Name,IdentifyingNumber
netsh reports a successful bind with "SSL Certificate successfully added"; confirm it afterwards with netsh http show sslcert ipport=10.12.37.231:443, which must list the thumbprint you intended.
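The no-IIS procedure as an added example (not from the Citrix article): it locates the certificate and the Broker Service product code, binds the certificate in HTTP.sys, and verifies the result. The certificate host name and the ip:port are placeholders. Two points the article does not spell out: querying wmic product / Win32_Product makes Windows Installer re-validate every installed package, so the example reads the product code from the Uninstall registry keys instead (it assumes the entry's DisplayName starts with "Citrix Broker Service"); and HTTP.sys does not check appid against anything, it is only a label stored with the binding, which is why the packed GUID string taken from HKEY_CLASSES_ROOT\Installer\Products in the article's screenshot works as long as it is a well-formed GUID.

```powershell
# Added example, not from the Citrix article. Run in an elevated PowerShell on the Controller.
$hostName = 'ddc01.example.local'   # assumed host name in the certificate subject
$ipPort   = '0.0.0.0:443'           # all addresses; use <ip>:443 to pin one address

function Get-BrokerServiceProductCode {
    # Read the MSI product code from the Uninstall keys rather than Win32_Product.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Broker Service*' } |   # assumed display name
        Select-Object -First 1
    if (-not $entry) { throw 'Citrix Broker Service entry not found under Uninstall' }
    # For an MSI install the key name is the product code GUID, braces and dashes included.
    return $entry.PSChildName
}

function Get-ServerCertificateThumbprint([string]$HostName) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No unexpired certificate with a private key for $HostName" }
    return $cert.Thumbprint
}

$appId = Get-BrokerServiceProductCode
$hash  = Get-ServerCertificateThumbprint -HostName $hostName

# Remove any existing binding on this ip:port first so a stale (e.g. expired) certificate
# is not left behind; 'add' fails if a binding already exists.
netsh http delete sslcert "ipport=$ipPort" | Out-Null
netsh http add sslcert "ipport=$ipPort" "certhash=$hash" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# Verify: HTTP.sys must report the thumbprint we intended on this ip:port.
$shown = netsh http show sslcert "ipport=$ipPort"
if (-not ($shown -match $hash)) { throw "Binding on $ipPort does not carry thumbprint $hash" }
$shown
```

Keep the certificate selection strict (private key present, not expired): HTTP.sys accepts a binding to a certificate without a private key and only fails later, when the first client connects.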
From the Web Interface server
Configure the XenApp Web Site or XenApp Services Site to use HTTPS as the Transport Type and 443 as the XML Service port under Server Farms.
Note: For the SSL connection to the XenDesktop 5 Controller to succeed, the Web Interface server must trust the issuing CA (its root certificate must be in the Local Computer Trusted Root Certification Authorities store), and the server name entered under Server Farms must match a name in the Controller's certificate.
There are no apps or desktops available to you at this time
Successfully logging onto Citrix StoreFront displays the message: "There are no apps or desktops available to you at this time."
Problem
Users complain that they no longer see published apps and desktops after successfully logging on to Citrix; they see only the message:
There are no apps or desktops available to you at this time.
Reviewing the Citrix Delivery Services event log on the Citrix StoreFront server shows the following entries (the 4012 error repeats):
Log Name: Citrix Delivery Services | Source: Citrix Store Service | Event ID: 4012 | Level: Error
None of the Citrix XML Services configured for farm Controller are in the list of active services, so none were contacted.
Log Name: Citrix Delivery Services | Source: Citrix Store Service | Event ID: 28 | Level: Warning
Failed to launch the resource 'Controller.GP' as it was not found.
Solution
The entry that actually gives the cause is easy to miss because it is logged at the Information level. Scrolling back to earlier entries reveals the following, which shows that the SSL certificate on the Delivery Controller has expired:
The Citrix XML Service at address svr-ctxdc-02.ccs.int:443 has failed the background health check and has been temporarily removed from the list of active services. Failure details: An SSL connection could not be established: The server sent an expired security certificate. The certificate *.ccs.int, *.ccs.int is valid from 10/29/2018 9:37:20 AM until 10/28/2020 9:37:20 AM.. This message was reported from the Citrix XML Service at address https://svr-ctxdc-02.ccs.int/scripts/wpnbr.dll[UnknownRequest].
You will not see this entry in the Administrative Events custom view, which hides Information-level entries; open the Citrix Delivery Services log itself.
To correct the issue, issue a new SSL certificate to replace the expired one on the Delivery Controller (or on every controller, if there is more than one), then update the HTTPS binding: in IIS Manager if IIS hosts the XML service, or with netsh http update sslcert (or delete and add) if the Controller binds the certificate in HTTP.sys without IIS, as described in the first section.
Once the certificate is replaced, StoreFront's background health check passes again and the Delivery Controller returns to the list of active services, which re-establishes communication between the StoreFront server and the Delivery Controller(s).
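An added example, not from the Citrix article, of the two checks this article implies you should be running from the StoreFront server: pull the Citrix Delivery Services events including the Information-level one that the Administrative Events view hides, and look directly at the certificate each Delivery Controller presents on its XML port so an expiry is caught before the health check removes the controller. The controller names are placeholders. The TLS handshake deliberately accepts any certificate, because the point is to inspect it even when it is already expired or untrusted.

```powershell
# Added example, not from the Citrix article. Run on the StoreFront server.
$controllers = 'svr-ctxdc-01.ccs.int', 'svr-ctxdc-02.ccs.int'   # assumed controller names
$port = 443

function Get-XmlServiceCertificate([string]$Server, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate: we want to see what the server sends, not validate it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($Server)
        # Copy into an X509Certificate2 so the object outlives the connection.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-ControllerCertificates {
    foreach ($c in $controllers) {
        try {
            $cert = Get-XmlServiceCertificate -Server $c -Port $port
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt 30) { 'EXPIRING' } else { 'OK' }
            [pscustomobject]@{ Controller = $c; Subject = $cert.Subject; NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; State = $state }
        } catch {
            [pscustomobject]@{ Controller = $c; Subject = $null; NotAfter = $null; DaysLeft = $null; State = "UNREACHABLE: $($_.Exception.Message)" }
        }
    }
}

function Get-StoreHealthEvents([int]$Hours = 24) {
    # No Level filter: Level 4 (Information) carries the health-check failure reason.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Citrix Delivery Services'
        ProviderName = 'Citrix Store Service'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'failed the background health check|expired security certificate|not in the list of active services' } |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Text'; e = { $_.Message -replace '\s+', ' ' } }
}

Test-ControllerCertificates | Format-Table -AutoSize
Get-StoreHealthEvents | Format-Table -AutoSize -Wrap
```

Running Test-ControllerCertificates on a schedule, with a threshold of 30 days, turns this incident into a ticket raised before users see the "no apps or desktops" message.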
This is a guide on how I upgraded my site from 7.15 flat, all the way up to 1912. I also included moving off 2012R2 to 2016 DDCs with some troubleshooting situations you might run into. I covered the basics of upgrading licensing, DDC upgrades, Storefront upgrades with NS VIP configuration, PVS upgrades, WEM upgrades, VDA upgrades, and some re-configuration of Snap-ins with Citrix Director for ADM and session recording.
Upgrade the licensing Server: Go download the version you need. In this case, it’s 11.16.3.0, Build 29000.
Run the CTX_licensing installer.
Check the box to agree.
After upgrading Citrix Licensing Server, in Citrix Studio, go to Configuration and Licensing.
On the right, click Authenticate Certificate.
Open Citrix licensing Manager.
I was prompted to register my licensing server with Citrix Cloud.
Licensing Manager might prompt you to register with Citrix Cloud.
On the Settings > Usage and Statistics page, in the "Share usage statistics with Citrix" section, click Register.
You’ll see a screen with a registration code. Click the Copy button and then click Register to be taken to Citrix Cloud.
After logging in to Citrix Cloud, on the top left, click the menu (hamburger) icon and then click License & Usage. If you don’t see this link, you might have to log out and log back in.
In the License & Usage service, switch to the Registrations tab.
Click the blue Register button in the middle of the page to register.
Paste in the copied code and then click Continue. Click Register.
In the On-premises Licensing Manager, it will eventually show as Registered.
On the same Usage & Statistics page, scroll down, and then click Upload now. This should cause data to upload to Citrix Cloud and show up in Citrix Cloud License & Usage.
Citrix.cloud.com reporting:
*Note* I always check and make sure it shows as activated within Studio and is set to the right product edition.
Upgrade VDA to 1912.
I also upgrade my VDAs ahead of time. It’s easy, and something I just do. Depending on your provision side, PVS, MCS, or old fashion servers (which is still used).
Mount ISO and upgrade.
Upgrade Delivery Controllers 7.15.5000.
Snapshot your Delivery controller.
Backup your SQL databases.
Attach the 7.15 CU5 media.
Run the Studio and Server Components for the upgrade.
Read and Accept.
Read and make sure you take the correct actions you need in your environment.
Start your Preliminary Test and make sure you are good!
Firewall Ports:
Summary:
Upgraded process started.
Connect to Call home if you need to.
Launch Studio.
**NOTE** If you already have two or more controllers behind a load balancer, bring the controllers you have just upgraded back into service in the load balancer and set the remaining half to Down. Follow the steps above on that second half, then activate each server with the new Delivery Controller version in the load balancer again.
I am adding a 2016 server to move off 2012R2. I will add the second 2016 server, make sure 2016 is handling the connections, then decommission the 2012R2 server and add a second 2016 server as its replacement.
Attach the 7.15.5000 ISO, click on XenDesktop or XenApp (depending on your deployment).
XenDesktop allows for both XenApp and XenDesktop. XenApp is only XenApp.
Select Delivery Controller.
Read and Understand, accept.
We only want: Delivery Controller, Studio, and Director.
I don’t want SQL express in the step – uncheck it.
Review and make sure the firewall is configured based on your environment.
Installs:
This will take about 5-7 minutes.
Select Call Home options:
Finish, reboot, and then launch Studio.
After Studio is opened, select “Connect this Delivery Controller to an existing site.”
Add the primary DDC.
It will ask to update the DB automatically. I select "yes" and will put in my SQL creds.
Studio will open and show the Site.
Run a Site check to make sure it’s good.
This will take 10 minutes.
Looks good.
At this point, I have the following:
2012R2 7.15.5000 Delivery Controller
2016 7.15.5000 Delivery Controller
Both are upgraded from 7.15 to 7.15.5000.
Now we will begin the 7.15.5000 upgrade to 1912 LTSR.
Snapshot your Delivery controller.
Backup your SQL databases.
Attach the 1912 media.
Run the Studio and Server Components for the upgrade.
Read and accept.
Make sure the following has been completed so the upgrade goes smoothly:
Licensing error I received when I clicked "Next": even though I had upgraded the license server to 11.16.3.0 build 29000, my license files needed a Subscription Advantage date later than November 2019. I logged in to Citrix Licensing Manager at https://yourCTXlicServer.FQDN:8083, selected "Check for available renewals," and followed the prompts to get license files with an updated date.
Before:
After:
Because this is not production, my specs are lower than what it wants; I will still meet the minimum to make sure the upgrade is solid.
Let's pick back up where I left off. Preliminary Site Test (Run this to ensure no errors exist).
Test in progress.
Two tests will not run, as they don’t apply.
Results: go through and test all the orchestrations of the environment.
Firewall ports.
Summary, then click upgrade.
Upgrade progress:
Upgraded, but Reboot needed.
After Reboot it will resume. Now on Post Install….
Connect to Citrix Cloud for Diagnostics data if needed in your environment.
Finish and now open Studio.
Now upgrade the Database through Studio (my service account has permissions).
It will ask you again about backing up the DB.
Add the credentials, unless you are logged into the server as the account (account needs proper permissions, in Citrix, and on the servers).
It’s now started.
Running: 9 steps successful so far, good.
Still going well.
Finished.
You now need to do the second Delivery controller we added early in the process. It’s the 2016 server.
Remote to the Server, attach the Media, and I double-click on the mounted ISO from my hypervisor.
Click "Upgrade" on Studio and Server components.
Read and Agree.
Ensure the following is completed, although it’s a second DDC.
Firewall for DDC and Director:
Summary:
Warning pop up about not being able to stop it once it starts.
Upgrading has started (the time says 13 minutes). Sometimes it’s accurate, or not accurate.
The machine needs to be rebooted to apply some .Net settings/updates.
Rebooted, and now it’s still applying them.
Log back in, and it will resume back to the place it was at. Be patient!
Connect to Citrix Cloud for Diagnostics data if needed in your environment.
Now launch Studio.
Start the automatic site upgrade.
Since this has already run once, it shouldn't take long.
Studio is now launched.
Lets do a site Test on the Delivery controller.
Things passed, and look good.
Let’s do a Machine Catalog and Delivery group test. (Failed)?!! Looks like my Delivery controllers don’t have the updated vCenter cert. Let me fix this. I simulated a failure to show the value of running the tests.
Once both have updated 1912 software, go into the first Delivery Controller and finish the “upgrade remaining delivery Controllers.”
Once all the Delivery Controllers and VDAs are upgraded, within Citrix Studio, view your Catalog for the current functional level. (Set to VDA version you have in the catalogs.) Citrix Virtual Apps and Desktops (CVAD) 1912 lets you upgrade your Catalogs and Delivery Groups to functional level 1811 if needed.
**WARNING****
Don’t upgrade the Catalog or Delivery Group until all VDAs with the Catalog and Delivery Group are VDA version 1811 or newer.
Then upgrade the Delivery Groups by right-clicking on a Delivery Group and clicking Upgrade Delivery Group.
This concludes the upgrade for the Delivery controller.
Now let’s Decom one Delivery controller, which is 2012R2.
Active connections should not be dropped if you remove a delivery controller from the site. Remove the controllers from Storefront first, then from Citrix studio. Any VDAs registered to the controller should re-register with the remaining controllers, however, this may take a few minutes, so a resource that hasn’t registered yet might be unavailable for a relatively short time.
You could also stop the Broker service on the redundant controllers, which would also cause any registered VDAs to de-register.
Whilst doing this during business hours should be OK, there’s always a risk that for some reason a VDA doesn’t register with the remaining controllers, so unless you can’t avoid it, doing it out of hours, or during low use phases is always preferable.
Remove the controllers from Storefront first.
Then from studio.
Make sure the Controller is powered on so that Studio loads in less than one hour. Once Studio loads the Controller you want to remove, power off the Controller when prompted to do so.
Select Configuration > Controllers in the Studio navigation pane and then select the Controller you want to remove.
Select Remove Controller in the Actions pane. If you do not have the correct database roles and permissions, you are offered the option of generating a script that allows your database administrator to remove the Controller for you.
This errored out. So, I did it and selected "No" here.
Then it asked to generate a DB script, for the Database guys.
This still didn’t remove it. So, at this time I found the CTX link:
If you use Citrix ADM and Citrix Session Recording, you will need to register the snap-ins again after all the upgrades so you can control those features in Director.
Register the Director ADM (MAS) snap-in again.
If using HTTPS to connect to Insight Center, the Insight Center certificate must be valid and trusted by both the Director server and the Director user's browser. To link Citrix Director with NetScaler HDX Insight, on the Director server run:
When upgrading Delivery Controllers to Citrix Virtual Apps and Desktops version 1912 or 2003: Upgrading SQL Server Express LocalDB is optional. Local Host Cache works properly, with no loss of functionality, regardless of whether you upgrade SQL Server Express LocalDB. We added the option to move to a newer version of SQL Server Express LocalDB in case there are concerns about the end of support from Microsoft for SQL Server Express LocalDB 2014.
When upgrading Delivery Controllers to Citrix Virtual Apps and Desktops versions newer than 2003: The minimum supported version is SQL Server Express 2017 LocalDB Cumulative Update (CU) 16. If you originally installed a Delivery Controller earlier than version 1912, and have not replaced SQL Server Express LocalDB with a newer version since then, you must replace that database software now. Otherwise, Local Host Cache will not work.
As you can see here, at one time it stated you needed to upgrade, or it would not work. However, it doesn’t seem that is 100% anymore. I think that’s why Citrix updated the doc.
As you can see here, some had the same concerns or questions around it. I most certainly did.
So, let’s get started. I always do a snapshot first, which is completed.
Complete the upgrade of your Citrix Virtual Apps and Desktops components, databases, and site. (Those database upgrades affect the site, monitoring, and configuration logging databases. They do not affect the Local Host Cache database that uses SQL Server Express LocalDB.)
As you can see, I am on 1912 CU1 and have MSQL Express 2014.
On the Delivery Controller, download PsExec from Microsoft. See the Microsoft document PsExec v2.2.
Stop the Citrix High Availability Service.
Open CMD as Administrator and start a shell as NETWORK SERVICE with PsExec (CitrixHA lives in that account's LocalDB instance, so SqlLocalDB must run as that account):
psexec -i -u "NT AUTHORITY\NETWORK SERVICE" cmd
In that shell, move to the folder containing SqlLocalDB:
cd "C:\Program Files\Microsoft SQL Server\120\Tools\Binn"
Stop and delete CitrixHA (LocalDB). If you don’t stop it, you will get this error (me not paying attention):
SqlLocalDB stop CitrixHA.
SqlLocalDB delete CitrixHA.
Remove the related files in C:\Windows\ServiceProfiles\NetworkService
Uninstall SQL Server Express LocalDB 2014 from the server, using the Windows feature for removing programs.
Install SQL Server Express LocalDB 2017. In the Support > SQLLocalDB folder on the Citrix Virtual Apps and Desktops installation media, double-click sqllocaldb.msi.
Reboot the server and make sure this is started: “Citrix High Availability Service.”
Logged on and it took about 15 seconds to show up.
Then 60 seconds or so on this.
Check whether the CitrixHA database has been created.
CitrixHA is re-created the next time configuration sync occurs. After a minute or two, while still in the PsExec session, use the SqlLocalDB utility to confirm that CitrixHA has been re-created:
SqlLocalDB i
Example output:
C:\Program Files\Microsoft SQL Server\120\Tools\Binn>SqlLocalDB i
CitrixHA
MSSQLLocalDB
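The LocalDB replacement steps above, as an added example script that is not from this post, with the checks I would want before and after. Assumptions: the PsExec.exe path, the SQL 2014 (120) and 2017 (140) LocalDB paths, and the installation media drive are placeholders; the file names removed from the NetworkService profile (HADatabaseName*, HAImportDatabaseName*) follow the Citrix procedure, so verify them against your own server before deleting anything; the uninstall and install of the LocalDB packages themselves stay manual, as in the post.

```powershell
# Added example, not from the post. Run in an elevated PowerShell on the Delivery Controller.
$psexec    = 'C:\Tools\PsExec.exe'                                               # assumed path
$localDb   = @{
    '2014' = 'C:\Program Files\Microsoft SQL Server\120\Tools\Binn\SqlLocalDB.exe'
    '2017' = 'C:\Program Files\Microsoft SQL Server\140\Tools\Binn\SqlLocalDB.exe'
}
$haService = 'Citrix High Availability Service'
$profile   = 'C:\Windows\ServiceProfiles\NetworkService'

function Invoke-AsNetworkService([string]$Exe, [string[]]$Arguments) {
    # Same trick as the psexec -i -u step: the CitrixHA instance belongs to NETWORK SERVICE.
    & $psexec -accepteula -nobanner -u 'NT AUTHORITY\NETWORK SERVICE' $Exe @Arguments
}

function Get-CitrixHAInstance([string]$Version) {
    Invoke-AsNetworkService -Exe $localDb[$Version] -Arguments @('info') |
        Where-Object { "$_" -match '^CitrixHA\s*$' }
}

function Remove-CitrixHALocalDb {
    if (-not (Test-Path $localDb['2014'])) { throw "SQL 2014 LocalDB not found at $($localDb['2014'])" }
    # Stopping the service first avoids the 'instance in use' error shown in the post.
    Stop-Service -DisplayName $haService -Force
    Invoke-AsNetworkService -Exe $localDb['2014'] -Arguments @('stop', 'CitrixHA')
    Invoke-AsNetworkService -Exe $localDb['2014'] -Arguments @('delete', 'CitrixHA')
    if (Get-CitrixHAInstance -Version '2014') { throw 'CitrixHA is still registered; do not continue' }
    # File names per the Citrix procedure (assumed); check the folder before running this.
    Get-ChildItem -Path $profile -Filter 'HA*DatabaseName*' -File | Remove-Item -Force
    Write-Host 'Now uninstall SQL Server Express LocalDB 2014, install Support\SQLLocalDB\sqllocaldb.msi from the 1912 media, and reboot.'
}

function Test-CitrixHALocalDb {
    $svc = Get-Service -DisplayName $haService
    if ($svc.Status -ne 'Running') { throw "$haService is $($svc.Status); start it and retry" }
    $deadline = (Get-Date).AddMinutes(5)
    do {
        # CitrixHA reappears only after the next configuration sync, so poll rather than check once.
        if (Get-CitrixHAInstance -Version '2017') { return 'CitrixHA re-created under LocalDB 2017' }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw 'CitrixHA not re-created within 5 minutes; check the Citrix High Availability Service events'
}

# Before the uninstall:   Remove-CitrixHALocalDb
# After the reboot:       Test-CitrixHALocalDb
```

Do this one controller at a time and run Test-CitrixHALocalDb before touching the next one; a controller without a working CitrixHA has no Local Host Cache, and you only find that out during a database outage.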
You will see this until you do the second broker.
After I did my second broker this was in the logs:
But then I see this almost every two minutes. I remember reading about this. But I thought it was fixed many versions ago.
Did some Googling on the errors and came up with the two links below.
Went into Studio and deleted them from the location it displayed above, which was in Published Application Visibility.
Then, based on CTX230775, I needed to redo the LHC DB. I quickly ran through the process again and it fixed the error.
In summary, this is how I upgraded the LHC DB and some minor troubleshooting. Hope it helps someone.
Citrix StoreFront 7.15 to 1912 (example I did on one SF server on the upgrade, but you would want 2 servers).
If you have a load balancer, disable it in your load balancer. This way traffic doesn’t route to it. (Assuming you have two or more storefront servers.)
In my case, I have an LB Vserver and IP is X.X.X.X and back end servers are A.A.A.A and B.B.B.B
Server A.A.A.A is disabled.
Browse the ISO.
Accept the terms.
Ready to install.
Installing.
Upgrade has finished.
I am adding a new StoreFront Server, so this will be a new install and add to the Storefront store. I just browse to the StoreFront application and run it.
License agreement.
Review prerequisites.
Ready to install.
Installing Software.
Successfully installed Storefront.
Join existing server group.
On the Primary StoreFront Server click “Add Server” here to get an Authorization Code.
Take this information and input it on the secondary StoreFront Server.
Input information on the Second server.
Joining.
Server joined.
Now add IIS Cert and bind it to 443 in IIS.
Add this second server into NetScaler LB (I already have the one added in NS).
Now you will see the monitor come alive on the Service.
Now bind it to the main Vserver.
Provisioning Server 1808 to 1912.
Check whether the previous version needs to be uninstalled first. For some versions Citrix wants you to uninstall the older version first, but most of the time you don't need to.
We are updating 1808 to 1912, so an in-place upgrade is fine.
Before I start, I make sure I use a service account that is tied to the database so it can upgrade the database.
I put the account in the local Administrators group on the PVS servers and use it to do the upgrades.
If you did have to uninstall the previous version, restart the server after the uninstall completes. When it comes back up, log back in with the service account.
Attach the ISO. Run Server installation.
Click “Install,” the process will begin and then the window will disappear for a couple of minutes while it installs some of the pre-requisites.
When the window pops back up Click “Next.”
Accept the License Agreement and click “Next.”
Enter “Something” in the User Name and Organization fields, then click “Next.”
Click “Next.”
Click “Install.”
Installing.
Click Finish.
The configuration wizard will start.
For this screenshot, I have 2 PVS servers. Depending on your farm, you could have one or more. The PVS server IP address will show here. If you have one server then one Ip will show. If you have two, then two will show.
Backup your database before starting.
PVS console upgrade
Log in to the server with the service account.
In C:\SRC\1906 open the “Console” Folder.
Right-click on “PVS_Console_x64.exe” and run as administrator.
Once the .exe has launched Click next through the installation.
You need to re-register those PowerShell snap-ins. Reregistering Citrix.PVS.Snapin.dll is well-known. Here are five other snap-ins that are necessary as well.
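Registering the one snap-in named above and proving it loads, as an added example that is not from this post (the other five snap-ins are not listed here, so the example covers only Citrix.PVS.SnapIn). Assumptions: the 64-bit console install path and the .NET 4 InstallUtil path are the defaults. Note that snap-ins only exist in Windows PowerShell 5.1; PowerShell 7 cannot load them.

```powershell
# Added example, not from the post. Run in elevated Windows PowerShell 5.1 on the PVS server.
$snapinDll   = 'C:\Program Files\Citrix\Provisioning Services Console\Citrix.PVS.snapin.dll'  # assumed default path
$installUtil = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'

function Register-PvsSnapin {
    if (-not (Test-Path $snapinDll)) { throw "Snap-in not found at $snapinDll" }
    & $installUtil $snapinDll | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "InstallUtil failed with exit code $LASTEXITCODE" }
    # Registration only tells PowerShell where the DLL is; loading it is the real test.
    Add-PSSnapin Citrix.PVS.SnapIn -ErrorAction Stop
    $count = (Get-Command -Module Citrix.PVS.SnapIn | Measure-Object).Count
    if ($count -eq 0) { throw 'Snap-in loaded but exposes no commands' }
    return "Citrix.PVS.SnapIn registered, $count commands available"
}

Register-PvsSnapin
```

Your scheduled scripts should call Add-PSSnapin themselves rather than rely on a profile; a console upgrade that silently drops the registration then fails loudly at the first cmdlet instead of at the end of the job.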
You will need to go to the PVS server that you are working on the upgrades and open the PVS console.
Then go to vDisk Pools and create new versions. If you already have five versions, the sixth version will need to be merged (as a new base, or updates only) and put into Maintenance mode. Creating the merged base takes some time.
Now go into your Hypervisor and power on the Master VM up that has the new version.
Open the console so you can see the VM.
It will ask you to press 1 for the new Maintenance version. Press 1, and it will boot into windows.
Now bring over the PVS software, and put it on the C or D drive of the Target.
Click Next at "Welcome to the Installation Wizard for Citrix Provisioning Service Target Device x64."
Select "I accept the terms in the license agreement," Click Next.
Leave as default, Click Next.
Leave as default, Click Next.
At "Ready to install the program," click Install.
Installation will begin and take a few minutes to complete.
Click Finish at "Installation Wizard Completed."
At this stage, the vDisk should be re-sealed (based on your sealing techniques) and re-distributed/copied to each Provisioning Server.
Update the BDM ISO.
We use the BDM ISO.
Information:
Remember don’t check this unless your troubleshooting:
Upload to your hypervisor storage. Datastor/Container
Now attach that ISO to the PVS targets you upgraded in step 4c; they need the new ARDBIN file. (If you forget this step, the target will still boot, but it will be slower and can get stuck in a loop.)
Citrix WEM 1811 upgrade to 1912 LTSR
Upgrade Deployments.
The data below is from Citrix Workspace Environment Manager 1912 Citrix Systems.
Check Database parameters (open the WEM Infrastructure Service Configurations).
You will notice the Port and old name (1811).
You will notice the Port and new name -1912.
*One thing to note on Port*
Cache synchronization port. (Applicable to Workspace Environment Management 1909 and earlier; replaced by Cached data synchronization port in Workspace Environment Management 1912 and later.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cache synchronization port must be the same as the port you configured for the cache synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8285 and corresponds to the AgentCacheSyncPort command-line argument.
Cached data synchronization port. (Applicable to Workspace Environment Management 1912 and later; replaces Cache synchronization port of Workspace Environment Management 1909 and earlier.) The port on which the agent cache synchronization process connects to the infrastructure service to synchronize the agent cache with the infrastructure server. The cached data synchronization port must be the same as the port you configured for the cached data synchronization port (WEM Infrastructure Service Configuration > Network Settings) during the infrastructure services configuration. The port defaults to 8288 and corresponds to the CachedDataSyncPort command-line argument. Alternatively, you can specify the port using a command-line option in the silent installation of the WEM agent
Wayne Lui states it's backward compatible and still listens, but I would add this into your Firewall Ruleset.
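Opening both ports on the infrastructure server during the staged agent upgrade, and proving each one answers, as an added example that is not from this post. It assumes the Domain firewall profile and a placeholder infrastructure server name; the rule names are mine. Keeping 8285 open until the last 1909-or-earlier agent is gone, then removing that rule, is the least-privilege end state.

```powershell
# Added example, not from the post. Run Set-WemSyncFirewallRules on the WEM infrastructure
# server; run Test-WemSyncPorts from a machine that hosts an agent.
$wemServer = 'wem01.example.local'   # assumed infrastructure server
$ports = @{
    8285 = 'WEM cache sync (agents 1909 and earlier)'
    8288 = 'WEM cached data sync (agents 1912 and later)'
}

function Set-WemSyncFirewallRules {
    foreach ($p in $ports.Keys) {
        $name = "WEM Infrastructure $p"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Description $ports[$p] -Direction Inbound `
                -Protocol TCP -LocalPort $p -Action Allow -Profile Domain | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'WEM Infrastructure *' | Select-Object DisplayName, Enabled, Action
}

function Test-WemSyncPorts {
    foreach ($p in $ports.Keys) {
        # A rule with no listener behind it still fails here, which is the point of the test.
        $r = Test-NetConnection -ComputerName $wemServer -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Purpose = $ports[$p]; Open = $r.TcpTestSucceeded }
    }
}

Set-WemSyncFirewallRules
Test-WemSyncPorts | Format-Table -AutoSize
```

If Test-WemSyncPorts shows 8285 closed after the upgrade while old agents still exist, that is the backward-compatibility claim above failing in your environment, and those agents will stop refreshing their cache until they are upgraded.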
Admin Console.
Agents
Upgrade the agent on the machines. For this write-up I did it with the GUI; in production I do it with a script.
The script keeps the same name as my older one (RefreshWEMAgentonReboot.bat), does an xcopy, and sits in the same location, so the scheduled task keeps the same name when it runs. The CLI parameters are different but do the same job.
We use BISF to handle this during our sealing process.