Thursday, 2 February 2012

Installing and Configuring Citrix XenApp 6

With the recent release of Citrix XenApp 6 I’ve begun testing this version as we prepare to upgrade our Windows terminal server environment.  Probably the biggest reason for upgrading is that XenApp 6 offers support for Windows Server 2008 R2.  There are also a number of changes in the tools used to administer your Citrix farm.  In the recent past you had to use multiple tools for administration as Citrix migrated functionality into the MMC.  This seems to now be mostly complete.  The updates to the tools are welcome, but include a bit of relearning to find all the new methods and places to make configuration changes.

Wednesday, 1 February 2012

How to install and configure Citrix XenApp 6.5

How to Configure Application Pre-Launch in Citrix XenApp 6.5

Using PVS Boot Device Manager with XenDesktop and XenServer

Boot Device Manager (bdm.exe) is a utility that has been around for a while with Provisioning Server, but in the new release of PVS 5.0 SP1a major improvements have been made that make it a great alternative to using PXE (DHCP, TFTP, BOOTP, etc.) to deliver the bootstrap to diskless clients (XenServer VMs, VMware ESX VMs, Hyper-V VMs, PCs, servers, TCs). The bdm.exe utility allows you to burn the bootstrap to a USB device, a CD-ROM (ISO), or a hard disk partition.

In this blog I will go through specifically using BDM in a XenDesktop/PVS environment with VMs hosted on XenServer 5.0.

1. From the Provisioning Server, run C:\Program Files\Citrix\Provisioning Server\BDM.exe.

2. I usually set it to verbose mode initially.

3. You have the option to use a static IP address or DHCP with this tool. In this use case we are creating a template in XenServer from which we will create a pool using the XenDesktop Setup Tool, so I am using DHCP, and then I am choosing the Citrix ISO recorder.

4. Click Burn and save the ISO file locally.

5. Move the ISO file to your ISO share in XenCenter.

6. Now modify the target virtual machine template by going to the Storage tab and selecting the ISO file that was created with BDM and copied to the ISO share configured for your XenServer.

7. Next, edit the startup options on the virtual machine's properties page and move the DVD/CD object to the top of the boot list. Make sure to place Network second in the boot order.

8. We now have a XenServer virtual machine with little or no disk assigned, set to boot from a DVD/CD ISO file. Right-click the virtual machine and click 'Convert to template' in XenCenter.

9. Now that we have a template, we can run the XenDesktop Setup Tool to create a pool of virtual desktops in minutes without using terabytes of storage.






In the next few weeks I will be posting a similar process for ESX and Hyper-V.
By the way, if you haven't heard, XenServer Enterprise is free.

Symantec Endpoint Protection on XenDesktop : (XenDesktop)

Symantec Endpoint Protection on XENDesktop and PVS target devices

By: Rick Rohne
I’ve recently come across a couple of companies trying to install Symantec Endpoint Protection on their XENDesktop PCs and finding a very annoying outcome. First of all, the SEP client does not update completely or at all, the SEP client blue screens during the installation, and/or the SEP Manager displays multiple entries in the database for the same host. There are a few root problems when installing the SEP client to a PXE-booted shared image, and I was determined to find the answers…

Problem

After installing Symantec on a base image in XENDesktop, the client computers appear more than once in the Symantec console. This continues to happen after every boot. Alternatively, if you try to install Symantec SEP while booted to the network, you may receive a blue screen after the first reboot.
Solution
Boot your VM using Microsoft Hyper-V or perform a reverse image when performing the Symantec Endpoint Protection installation. This is required because SEP modifies the NIC drivers during installation. Next, clean up the registry after the first boot to allow the image to re-register with a unique Hardware ID for each virtual desktop.

Step by Step

1. Import your XENDesktop OU
To ensure that your virtual desktops get the policies that are assigned, I recommend using the Symantec Endpoint Protection Manager Active Directory import tool to import the OU for your XENDesktop computers. This allows the OU to have custom policies that are tailored to the XENDesktop farm.
Once you have the XENDesktop OU imported, you will see existing clients, and you can have the option to scan for new clients as they are added. The main reason for creating this OU is to ensure that the clients get a specific policy.
2. Configure your policies
I found that the High performance policy Template gives you the best policy for your Virtual Desktops. After duplicating the policy, you can modify the new policy with a few additional settings.
  • In the File System Auto Protect, change the default settings of “Load Auto-Protect” to Symantec Endpoint Protection Start.

  • Exclude the .vdiskcache file if you are performing the write cache on the computer’s hard disk.
  • Since these Virtual desktops will always come up with the default image, you can exclude any scheduled scans. This will ensure that your virtual desktops have the best performance possible.

3. Next, assign the policy to the new XENDesktop Group:


Using the SEP Manager Tool, you can right click on the policy and assign it to your XENDesktop group.

4. Prepare your image
NOW you are ready to boot the client and install the SEP client software.

First, boot the client using Microsoft Hyper-V. (For information on how to use Hyper-V to update offline vDisks, see http://www.thegenerationv.com/2010/02/using-hyper-v-for-pvs-vdisk-offline.html)

5. Deploy the client to your Virtual PC
Perform the client deployment manually, and ensure that the client deployment is visible to the end user so that you do not shut down before the client has finished installing.

Once installed, perform a reboot and allow the client to come back online. Then you must manually delete the unique registry keys and xml files that associate this computer name to Symantec SEP Manager.

6. Perform Registry and file system cleanup
  • Install the Symantec Endpoint Protection Client after all of the other installations are complete.
  • Before you save the image, start the "Registry Editor."
  • Locate and delete the following registry key:
          HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
Reference:
http://service1.symantec.com/support/on-technology.nsf/854fa02b4f5013678825731a007d06af/0e2c1c8989fe2a268825748a004a565c?OpenDocument
  • Exit the "Registry Editor."
  • Delete the C:\program Files\Common Files\Symantec Shared\HWID\sephwid.xml file
  • Shut down the VM and publish the vDisk as a standard image.
  • Create a batch file for your XENDesktop PC’s that will delete these entries. You can publish this batch file as a shut down script to ensure that the PC removes these entries every time the machine is shut down. Alternatively, you can just run these scripts when you are running in private mode before transitioning to standard mode.
  • You will most likely see new entries show up for the virtual desktops in the Endpoint Protection Manager. This is because the hardware is virtual and will continue to change after every reboot. Therefore, it is important for you to perform a Desktop Group Sync when you are running reports. If this is completely unmanageable for your organization, you can also set up personalities for each of your virtual desktops that include the same hardware ID. This process will require you to run a script to import the Hardware ID into the registry on each boot.

7. Verify Functionality
After you perform these procedures, you should see that all updates take place and that the correct policies are assigned to the desktops.

Reference:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/7c87b2b11e0d18c48025765000518741?OpenDocument

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110510364248
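
The registry and file cleanup from step 6 above, written as a PowerShell script that can run in private mode before the vDisk is sealed or as a shutdown script. This is an added example, not code from the original article or from Symantec; the Wow6432Node and Program Files (x86) locations are assumptions for 64-bit images, and the function name is hypothetical.

```powershell
# Added example: remove the SEP hardware identity from a shared PVS image.
# Run elevated. Supports -WhatIf to preview what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Locations named in step 6. The Wow6432Node and "Program Files (x86)" variants
# are an assumption covering a 32-bit SEP client on 64-bit Windows.
$sylinkKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
)
$hwidFiles = @(
    @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        Select-Object -Unique |
        ForEach-Object { Join-Path $_ 'Common Files\Symantec Shared\HWID\sephwid.xml' }
)

# Lists every identity artifact that currently exists on this machine.
function Get-SepIdentityArtifact {
    foreach ($key in $sylinkKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # The article calls HardwareID a key. It is handled both as a value
        # under SyLink and as a subkey, so either layout is cleaned.
        if ((Get-Item -LiteralPath $key).GetValueNames() -contains 'HardwareID') {
            New-Object PSObject -Property @{ Kind = 'Value'; Path = $key }
        }
        if (Test-Path -LiteralPath "$key\HardwareID") {
            New-Object PSObject -Property @{ Kind = 'Key'; Path = "$key\HardwareID" }
        }
    }
    foreach ($file in $hwidFiles) {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            New-Object PSObject -Property @{ Kind = 'File'; Path = $file }
        }
    }
}

foreach ($item in @(Get-SepIdentityArtifact)) {
    $action = "Remove SEP hardware ID ($($item.Kind))"
    if (-not $PSCmdlet.ShouldProcess($item.Path, $action)) { continue }
    switch ($item.Kind) {
        'Value' { Remove-ItemProperty -LiteralPath $item.Path -Name 'HardwareID' -ErrorAction Stop }
        'Key'   { Remove-Item -LiteralPath $item.Path -Recurse -ErrorAction Stop }
        'File'  { Remove-Item -LiteralPath $item.Path -Force -ErrorAction Stop }
    }
    Write-Output "Removed $($item.Kind): $($item.Path)"
}

# In a -WhatIf run nothing was deleted, so there is nothing to verify.
if ($WhatIfPreference) { return }

# Fail loudly if anything survived, so a dirty image is not published as a
# standard-mode vDisk and does not register duplicate clients in the manager.
$left = @(Get-SepIdentityArtifact)
if ($left.Count -gt 0) {
    $left | ForEach-Object { Write-Warning "Still present: $($_.Path)" }
    exit 1
}
Write-Output 'SEP hardware ID cleanup complete.'
```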

How to Enable or Disable Citrix Desktop Toolbar in Web Interface

An administrator of a XenDesktop farm can enable or disable the Citrix Desktop Toolbar for all users of a particular Web Interface site by editing the default.ica file used by that site.
  1. Back up the default.ica file before editing it.
  2. In the default.ica file, add the following parameter to enable the Citrix Desktop Toolbar functionality:
    [Application]
    ConnectionBar=1
Setting this parameter to 0 disables the Citrix Desktop Toolbar and causes the Virtual Desktop Agent desktop to appear across all available client monitors in a full screen mode.

How to Add a Persistent Volume to Your Provisioned Virtual Machine in XenServer

XenDesktop How to Add an Additional Disk to VM : (XenDesktop)

To achieve this goal, perform the following steps:
  1. Create a new VM in your XenCenter console.
  2. Install a Windows server (2003 X86 in this example) on a VM with one logical disk. On this VM you have to install XenTools and Target device software (with Provisioning Services 5.6 when you install Target Device, XenConvert is installed too).
    In this example, all the Windows updates are installed, disk part auto mount enabled (CTX122143 - How To Enable Automount to Automatically Assign a Drive Letter to a vDisk).
  3. Create a vDisk on your Provisioning Services server.
  4. Mount your vDisk.
  5. In the Disk management menu, format the disk that you have just mounted.
  6. Unmount your vDisk.
  7. On your Provisioning Services server, create a new device. Put the MAC address of your VM (installed at step 1), set boot from hard disk and attach your vDisk.
  8. On your installed VM server, after a reboot, launch XenConvert (verify that your vDisk is in private mode). Your vDisk is filled.
  9. In the XenCenter console, create a new VM without any disk. That VM will be converted into a XenServer template later.
  10. In Provisioning Services server, create a new device with the MAC address of your VM just created, set boot from vDisk and attach your vDisk.
  11. Create the AD machine account.
  12. In XenCenter console, on this VM, go to the Storage tab and add a local storage.
  13. Boot your VM.
  14. In the Disk management menu, assign a drive letter and format the new logical disk.
  15. Stop your VM and convert it into a template.
  16. Set your vDisk in standard mode.
You now have all the requirements to stream a target device with a logical disk on which you can store data that is not erased after a reboot. With the XenServer template, create all the VMs. With Provisioning Services, stream the vDisk. As a result you have VMs with a logical disk which can store all the data that you wish to remain persistent.

XenDesktop ESX Windows 7 Blank Screen : (XenDesktop)

When virtualizing Windows 7, especially after updating VMware Additions, you may be unable to connect to Windows 7. After showing a black screen for a few minutes, the virtual machine restarts and is unusable. To resolve this:

1. Open Device Manager from Control Panel, expand Display Adapters entry.
2. Right click on VMWare SVGA 3D (WDDM) and click properties, click on Uninstall Button.
3. Check the “Delete the driver software for this device” option, click OK.
4. Your screen may flicker as the driver is removed.
5. Close Device Manager and reboot Windows 7.
6. Windows will default to the Standard VGA device.
7. Open Device Manager, expand Display Adapters.
8. Right Click Standard VGA and select Properties, click on Update Driver, click on Browse my Computer.
9. Browse to directory C:\Program Files\Common Files\VMware\Drivers\video, click Next.
10. Confirm driver installation, close window and reboot.

XenDesktop - Hyper-V Integration : (XenDesktop)

For XenDesktop 4, SCVMM must be installed before installing XenDesktop and Provisioning Server (it requires PowerShell first!). If you install it afterwards, go to Add/Remove Programs, choose Modify on Citrix Pool Management, and add Microsoft SCVMM.

For XenDesktop 5:
- The Hyper-V and VMM servers must be ready with all updates applied.
- VMM updates must be installed from Microsoft Update, not from Windows Update.
- Install XenDesktop 5 first, then install VMM on the XenDesktop 5 virtual machine (the SQL Express in the XD5 installation is newer).
- On VMM, use one domain account for the VMM service and a separate domain account for VMM administration.

- If there is antivirus on Hyper-V, some exclusions need to be set. In fact, during a PoC it is even better to have no AV at all.
- http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-scvmm-rho.html
- When creating the shares mentioned in the link above, enabling Sharing alone is not enough; the VMM administrator must also be given Change permission: (Virtual Machines – Virtual Disks Folders)

Graceful Logoff from a Published Application Renders the Session in Active State : (XenApp)

When publishing an application, only the main executable file is specified. However, some applications might spawn additional processes that run in the background and are not closed by the corresponding main executable file. Additional processes might also be created, from scripts that are executed, or from specific registry keys, such as the RunOnceKey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Some processes might create a visible window for added functionality, and others might not.
Because the Explorer.exe Desktop is not running when launching an application in one of these ways, there is no default mechanism in either Presentation Server or Windows to terminate these background processes when a user has exited the main application.
Presentation Server has a hard coded list of what are considered ‘System’ type secondary processes that are checked for and terminated once all user application processes have terminated, these include:

atok1*.exe
clipsrv.exe
conime.exe
csrss.exe
ctfmon.exe
ddhelp.exe
eventlog.exe
iatokik*.exe
iatokqb*.exe
iatqb1*.exe
ibdbsch.exe
imejp98m.exe
imejpmgr.exe
imepadsv.exe
jsvschvw.exe
lmsvcs.exe
lsass.exe
msgsvc.exe
nddeagent.exe
nddeagnt.exe
netdde.exe
netstrs.exe
os2srv.exe
proquota.exe
screg.exe
smss.exe
spoolss.exe
ssonsvr.exe
wfshell.exe
win.com
winlogon.exe
wpabaln.exe
wuauclt.exe
Note: To specify additional processes specific to your environment, see the Resolution section of this article for more information.
Examples of Secondary Processes
Cwbprovd.exe is a process initiated by IBM Client Access. If you have IBM Client Access on your system and observe the same behavior as stated above, complete the following tasks:
  1. Verify the sessionID, which is experiencing this issue.
  2. Before logoff, type the following command from the command prompt to manually kill Cwbprovd.exe:
    kill cwbprovd.exe session id
  3. Gracefully exit the published application.
  4. The Cwbprovd.exe process (among two other processes) is being launched at logon by IBM Client Access (even if you do not run it) through the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Contact IBM for a utility called CWBCFWTS to remove these processes from the registry.
    Note:
    Servers running IBM’s Client Access Express ARE NOT known to exhibit this behavior.
Proquota.exe is a process initiated by having a Windows 2000 policy, Limit Profile Size, enabled. This might conflict with the Seamgr.exe process. Manually terminating either of these two processes temporarily fixes the problem and allows the session to reset. This issue is resolved by installing Service Pack 2 for MetaFrame 1.8 for Windows 2000.
Sxplog32.exe is a process initiated by the Software Delivery Agent by Computer Associates and can be found in the userinit value of the winlogon registry key. Manually terminating the process temporarily fixes the problem and allows the session to reset.
Etlits.exe and Entell50.exe are processes initiated by Entrust 6.1 and can be found in the userinit value of the winlogon registry key. Manually terminating the process temporarily fixes the problem and allows the session to reset.
Wisptis.exe is a process that runs as a system service that provides pen-data collection for other components of the SDK. When a component needs to interact with the pen (for example, to collect ink or to detect gestures), this executable is spawned as a service to communicate directly with the input device. On a Tablet PC, Wisptis.exe interacts with the digitizer, whereas on a desktop it interacts with the mouse as well. The executable’s name is an acronym that references an outdated internal name for the team that developed it (Windows Ink Services Platform Tablet Input Subsystem). You cannot remove wisptis.exe by renaming or deleting it: Windows File Protection would reinstall the file the next time Adobe Acrobat 6.0 started. In general, the ways in which wisptis.exe can get installed on the system are by installing Journal Viewer using the Windows Update or installing Microsoft Office 2003.
Ssonsvr.exe
If a starting program was specified under the Environment tab in the User Account Properties and if the ICA pass-through Client had pass through authentication enabled, Ssonsvr.exe was running in the ICA session of the user. When the user exited the application (specified in the Environment tab in User Account Properties), the ICA session could not be logged off; the administrator had to manually stop the Ssonsvr.exe process. The thread that caused the Ssonsvr.exe process to exit when the user logged off from the application was not being started.
Now the thread that causes the Ssonsvr.exe process to exit is started when the user logs off from the application.
From Hotfix XE103W2K030:
Ssoshell.exe,Ssobho.exe,Ssomho.exe
Refer to the following Knowledge Center articles:
Resolution
The following registry key is valid on:
  • XenApp 6.0
  • XenApp 5.0
  • Citrix Presentation Server 4.5
  • Citrix Presentation Server 4.0
  • MetaFrame Presentation Server 3.0
  • MetaFrame XP Service Pack 2/Feature Release 2 or later
  • MetaFrame 1.8 Service Pack 3 for Windows 2000 or later
  • MetaFrame 1.8 for Terminal Server 4.0 with hotfixes ME183W030 and ME183T032 or later.
It is best to first determine if the application in question and its associated processes correctly exit on a windows workstation outside of a Terminal Services environment.
If they do not, then it is possible that this mechanism might not work or it might be necessary to contact the application manufacturer.
Add the process file name to the following registry key:
Caution! This fix requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
Value Name: LogoffCheckSysModules
Type: REG_SZ
String: MyAppName.exe
Note 1: Do not place the executable name of the main published application in this key because this might result in failure to properly launch the published application. There is an issue if the main executable for the specified published application is not terminating correctly.
Note 2: Do not place the executable name of a secondary process that has a visible window in this key. This mechanism is designed to exit secondary processes that do not have a visible window, as it is expected that if an application window is visible, then it is intended for the user to see it, and therefore close it themselves.
The application might not appear to present a visible window or a system tray icon in a seamless session. Run the application in a fixed window, perform the function within the application that spawns the secondary process and minimize the main application window. The spawned window is displayed in the background. An RDP initial application session configured on the RDP listener exhibits the same behavior. If a customer uses a logoff script, the logoff script could be used to check for the spawned process and terminate the process. Ideally, the application should close all child processes that it spawns.
Note 3: Enter the list of executable names with a comma and NO spaces between them, for example:
App1.exe,app2.exe,app3.exe
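
One way to maintain the LogoffCheckSysModules value so that Notes 1 and 3 are enforced on every change. This is an added example, not Citrix code; the function names and PublishedApp.exe are hypothetical, and rejecting names that contain whitespace is a conservative choice of the example.

```powershell
# Added example: add secondary processes to LogoffCheckSysModules safely.
$TwiKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI'

# Pure string logic: merges new names into the existing comma-separated list.
function Merge-LogoffCheckList {
    param(
        [string]   $Current,              # existing REG_SZ data, may be empty
        [string[]] $Add,                  # secondary processes without a visible window
        [string[]] $PublishedExecutable   # main executables of published applications
    )
    $result = @()
    foreach ($name in (@($Current -split ',') + @($Add))) {
        $name = "$name".Trim()
        if (-not $name) { continue }

        # Note 3: the value is a comma-separated list with no spaces, so only
        # bare file names without path, comma or whitespace are accepted.
        if ($name -match '[\\/:,\s]') {
            throw "Not a bare executable name: '$name'"
        }
        # Note 1: listing the main published executable can stop it launching.
        if ($PublishedExecutable -contains $name) {
            throw "'$name' is a published application's main executable; do not list it."
        }
        # -notcontains is case-insensitive, so App1.exe and app1.exe deduplicate.
        if ($result -notcontains $name) { $result += $name }
    }
    $result -join ','
}

# Reads the current value, merges, and writes it back as REG_SZ.
# Note 2 (no processes with a visible window) cannot be checked here and
# remains the administrator's call.
function Set-LogoffCheckSysModules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $Add,
        [string[]] $PublishedExecutable = @()
    )
    if (-not (Test-Path -LiteralPath $TwiKey)) { throw "Key not found: $TwiKey" }

    $current = (Get-ItemProperty -LiteralPath $TwiKey).LogoffCheckSysModules
    $new = Merge-LogoffCheckList -Current $current -Add $Add `
        -PublishedExecutable $PublishedExecutable

    if ($new -ceq $current) { return $new }   # nothing to change
    if ($PSCmdlet.ShouldProcess("$TwiKey\LogoffCheckSysModules", "Set REG_SZ to '$new'")) {
        New-ItemProperty -LiteralPath $TwiKey -Name 'LogoffCheckSysModules' `
            -Value $new -PropertyType String -Force | Out-Null
    }
    $new
}

# Preview only: cwbprovd.exe and sxplog32.exe are secondary processes named in
# this article; PublishedApp.exe is a placeholder for your published executable.
Set-LogoffCheckSysModules -Add 'cwbprovd.exe', 'sxplog32.exe' `
    -PublishedExecutable 'PublishedApp.exe' -WhatIf
```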

Data Store Migration Strategies

Migrating Server Farms and the Data Store
Use the dsmaint command to migrate a Presentation Server farm to a different type of data store, for example from Access to Microsoft SQL Server or from Microsoft SQL Server to Oracle.
Migration Between Different Database Versions
Refer to the appropriate Presentation Server Administrator Guide.
Refer to the following articles for more information on migrating from one database platform to another:
• Migrating to SQL Server on page 410
• Migrating to Oracle on page 413
• Migrating to IBM DB2 on page 417
• Migrating to SQL Server on page 58
• Migrating to Oracle on page 61
• Migrating to IBM DB2 on page 66
The dsmaint command can migrate farm data between databases (dsmaint migrate) and reconfigure servers to use the new database (dsmaint config).
The following examples show the syntax for the dsmaint migrate and dsmaint config commands:
Note: Type the respective command as one continuous string at a command prompt.
dsmaint migrate /srcdsn:dsnfile /srcuser:user /srcpwd:password /dstdsn:dsnfile /dstuser:user /dstpwd:password
dsmaint config /user:username /pwd:password /dsn:dsnfilename
Where:
dsnfilename is the DSN file for the database, including the full path. Refer to CTX108699 - Error: Failed to connect to the data store....during DSMAINT CONFIG for more information.
username is the user name for the database.
password is the password for the database.
Migration can be performed with users logged on to the farm. Stopping and restarting the IMA Service does not affect currently connected sessions. However, no new connections are allowed until the IMA Service is completely restarted.
Important: Restarting the IMA Service on more than 10 servers simultaneously can cause the database server to become a bottleneck, resulting in startup delays.
Migrating from Access to Microsoft SQL Server or Oracle
Note: Migration from an Access indirect database to a Microsoft SQL Server 2000 direct database using the dsmaint migrate command is supported only with MDAC 2.5.
To migrate from Access to Microsoft SQL Server or Oracle, complete the following steps:
  1. Create a new database on Oracle or Microsoft SQL server.
  2. Create a new Mf20.dsn file pointing to the new database created in Step 1. By default, the DSN file is located in the following directory: <ProgramFiles>\Citrix\Independent Management Architecture
  3. On the host server, run the dsmaint migrate command, entering the current DSN file as the source and the new DSN file created in Step 2 as the destination. If the password for the old database is not changed, the default user name/password is citrix/citrix.
    Tip: Enter the complete path of the DSN file (inside quotation marks if the path contains spaces) when required as a parameter for the dsmaint migrate command.
  4. Run the dsmaint config command on the original host server to point to the new DSN file.
  5. Stop and restart the IMA Service on the host server. When the IMA Service on the host server is restarted, the remaining indirect servers begin accessing the new data store indirectly through the host server.

    Important: Restarting the IMA Service instead of restarting the server might cause the SNMP service to initiate Dr. Watson if SNMP is enabled. This error is benign.
  6. Copy the DSN file created in Step 2 to all remaining indirect servers in the farm.
  7. Execute dsmaint config on all remaining indirect servers to establish a direct connection to the new database through the DSN copied in Step 6.
  8. Stop and restart the IMA Service on all remaining indirect servers in the farm.
    Tip: You can complete Steps 6 through 8 on all the servers by using a simple batch file placed in a central location. For information about data store migration, refer to DSMAINT on page 368 in CTX106319 – MetaFrame Presentation Server 4.0 Administrator's Guide.
Migrating from Microsoft SQL Server or Oracle to the Other
This section contains information about migrating data store information between different versions of Microsoft SQL Server and Oracle.
To migrate the database, complete the following steps. For the best performance, complete this procedure on the data collectors after all other servers are reconfigured.
  1. Create a new database on the destination server (Oracle or Microsoft SQL Server).
  2. Create a new DSN file that points to the new database.
  3. Run the dsmaint migrate command on the server with the new DSN file.
  4. Run the dsmaint config command on the server.
  5. Stop and restart the IMA Service on the server.

    Important: Restarting the IMA Service instead of restarting the server might cause the SNMP service to initiate Dr. Watson if SNMP is enabled. This error is benign.
  6. Ensure that the server is using the correct DSN by checking the following registry settings:
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DatabaseDriver
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName
  7. If the IMA Service started successfully, copy the new DSN file from to all servers in the farm.
  8. Run the dsmaint config command to change the IMA Service configuration on all servers in the farm.
  9. Stop and restart the IMA Service on all servers in the farm.
    Tip: You can run Steps 7 through 9 on all the servers by using a simple batch file placed in a central location.
Migrating the Database to the Same Version such as SQL 2005 to SQL 2008
Migrating from one database version to the other might be necessary to move the data store to a more powerful server. The best method for migrating between versions of the database is to back up and restore the database using the utilities provided by the database software vendor.
To point a Presentation Server farm to a new database complete the following steps. For the best performance, complete this procedure on the data collectors after all other servers are reconfigured.
  1. Back up the existing farm database and restore the database to the new server.
  2. Create a new DSN file that points to the restored database.
  3. Run the dsmaint config command on the server with the new DSN file.
  4. Stop and restart the IMA Service.

    Important: Restarting the IMA Service instead of restarting the server might cause the SNMP service to initiate Dr. Watson if SNMP is enabled. This error is benign.
  5. Ensure that the server is pointing to the new data store by checking the following registry setting:
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName
  6. If the IMA Service started successfully, copy the new DSN file to all servers in the farm.
  7. Run the dsmaint config command to change the IMA Service configuration on all remaining servers in the farm.
  8. Stop and restart the IMA Service on all servers in the farm.
    Tip: You can execute Steps 6 through 8 on all the servers from a simple batch file placed in a central location.
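
The copy, dsmaint config and IMA restart steps that the Tips in the three procedures above suggest scripting, written as an added PowerShell example (not Citrix code). It assumes PowerShell remoting to the farm servers, dsmaint on their PATH, IMAService as the service name and exit code 0 from dsmaint on success; the parameter names are hypothetical.

```powershell
# Added example: point the remaining farm servers at the new data store,
# at most 10 servers at a time.
param(
    [Parameter(Mandatory = $true)] [string[]] $Server,
    [Parameter(Mandatory = $true)] [string]   $LocalDsn,    # new DSN file on this machine
    [Parameter(Mandatory = $true)] [string]   $RemoteDsn,   # full path to write on each server
    # Prompted for with Get-Credential, so the data store password is not kept
    # in a script on a shared location. It still appears on the dsmaint
    # command line on each server while the command runs.
    [Parameter(Mandatory = $true)]
    [System.Management.Automation.PSCredential] $DbCredential
)

$dsnBytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $LocalDsn).ProviderPath)
$db = $DbCredential.GetNetworkCredential()

# Runs on each farm server.
$reconfigure = {
    param([byte[]] $DsnBytes, [string] $DsnPath, [string] $User, [string] $Password)

    # Copy the DSN: the file content travels over the remoting channel.
    [System.IO.File]::WriteAllBytes($DsnPath, $DsnBytes)

    # dsmaint config with the syntax given in this article.
    $log  = & dsmaint config "/user:$User" "/pwd:$Password" "/dsn:$DsnPath" 2>&1 | Out-String
    $code = $LASTEXITCODE

    # Restart IMA only when dsmaint reported success (assumed: exit code 0).
    if ($code -eq 0) { Restart-Service -Name 'IMAService' -Force }

    # Registry check from the procedure. The Wow6432Node path is an assumption
    # for 64-bit servers.
    $dsn = $null
    foreach ($key in 'HKLM:\SOFTWARE\Citrix\IMA', 'HKLM:\SOFTWARE\Wow6432Node\Citrix\IMA') {
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DataSourceName
        if ($value) { $dsn = $value; break }
    }

    New-Object PSObject -Property @{
        DsmaintExit    = $code
        ImaStatus      = (Get-Service -Name 'IMAService').Status
        DataSourceName = $dsn
        PointsAtNewDsn = ($code -eq 0 -and $dsn -eq $DsnPath)
        Output         = $log.Trim()
    }
}

# -ThrottleLimit 10 keeps the number of servers restarting IMA at the same
# time within the limit given in the Important note on simultaneous restarts.
$invoke = @{
    ComputerName  = $Server
    ThrottleLimit = 10
    ScriptBlock   = $reconfigure
    ArgumentList  = @($dsnBytes, $RemoteDsn, $db.UserName, $db.Password)
}
$results = @(Invoke-Command @invoke)

$results | Sort-Object PSComputerName |
    Select-Object PSComputerName, DsmaintExit, ImaStatus, DataSourceName, PointsAtNewDsn

$failed = @($results | Where-Object { -not $_.PointsAtNewDsn })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) server(s) are not confirmed on the new DSN:"
    $failed | Format-List PSComputerName, Output
}
```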
Migrating to Access
Migration from Microsoft SQL Server or Oracle to Access is not supported.

Tuesday, 31 January 2012

Access Gateway Software Updates

How to Determine the Version of the Software on the Access Gateway Appliance
Complete the following steps to identify the version of the Access Gateway installed:
  1. Point a Web browser to the Access Gateway server on HTTPS port 9001:
    https://gateway-FQDN-or-IP:9001/
  2. Log on with the user name root. The default password is rootadmin.
  3. Click the Logging link at the top of the page. The version number and build date appear under the Software Version heading.
How to Upgrade the Appliance
The following two options are available to upgrade the software image on the appliance:
Option 1: Download and Install an Upgrade File
Important: If you have currently installed a version of Access Gateway earlier than version 4.6.x, then you cannot upgrade to version 4.6.x, 5.x or later using an upgrade file, use Option 2. To upgrade the Access Gateway to version 5.x, you must have the Access Gateway 2010 platform model. This version does not run on Access Gateway 2000 platform models.
An upgrade file contains only the software binaries that are updated. When an upgrade file is installed, the version is updated but all configuration settings, licenses, and certificates are maintained on the appliance.
Note: Ensure that you back up the current configuration before upgrading, by using the procedure outlined in the Save Your Current Configuration section in this article.
For Access Gateway 4.5.x/4.6.x
To upgrade an Access Gateway from 4.5.x to a later 4.5.x release – or – 4.6.x to a later release of 4.6.x, follow these instructions:
Note: You can upgrade the Access Gateway 2010 hardware model from 4.6.x to 5.x with upgrade (.upg) file. You cannot upgrade the Access Gateway 4.5.x to 5.x with an upgrade file.
  1. Download the Citrix Access Gateway Upgrade Software file by logging on to My Citrix. From the download page, click the appropriate upgrade software download link.
  2. Open the Access Gateway server on HTTPS port 9001 in a Web browser:
    https://gateway-FQDN-or-IP:9001/
  3. Log on with the user name root. The default password is rootadmin.
  4. Click Maintenance.
  5. Click Browse, shown after the Upload Server Upgrade or Saved Config field.
  6. Browse the local file system, locate the upgrade file and click Open.
  7. Click Upload on the Maintenance page. After approximately three minutes, you are prompted to restart the Access Gateway appliance.
For Access Gateway 5.x
To upgrade an Access Gateway from 5.x to a later 5.x release, follow these instructions:
  1. Download the Citrix Access Gateway Upgrade Software file by logging on to My Citrix. From the download page, click the appropriate upgrade software download link.
  2. Open the Access Gateway server on HTTPS in a Web browser:
    https://gateway-FQDN-or-IP/lp/AdminlogonPoint
  3. Log on with the user name admin. The default password is admin.
  4. Click Snapshots.
  5. Click Import.
  6. Select the .bin file with the latest release of Access Gateway 5.x.
  7. Click on the latest Software Version uploaded and either select Initialize or Migrate.
  8. Click on Initialize if you want to revert back to default settings using the latest release.
  9. Click on Migrate if you would like to transfer the old configuration to the new release.
Option 2: Create a Bootable Installation CD-ROM/USB
WARNING! Booting from the installation media erases the hard drive on the appliance and installs the Access Gateway software image. Prior to upgrading, be sure to back up the current configuration using the procedure outlined in the Save Your Current Configuration section in this article.
An ISO image file is available to create a bootable installation disk. To re-image the appliance, insert the CD (or plug-in the USB key in the back of the appliance) and then restart the Access Gateway appliance. The imaging process takes approximately 20 minutes, after which you can remove the CD or USB and restart with factory default settings.
IMPORTANT: Booting from the installation media erases the current certificate, license file, and all configuration settings.
Record the CD-ROM image
  1. Log on to My Citrix and click the Standard Edition - Appliance Software link to go to the download page, where you can start the download.
  2. Extract the downloaded archive to obtain the ISO file.
  3. Record the ISO CD-ROM image to disk using CD-ROM recording software. Users working with the 2010 model appliance (without CD-ROM drives) need to download the appliance imaging tool to create a bootable image on a USB Flash Drive.
  4. If you are planning to create a USB key to re-image the Access Gateway appliance to 5.0.3, you must use the "Citrix Access Gateway 5.0.3.227000" version of the Access Gateway 2010 Appliance Imaging Tool. This imaging tool already contains the appliance firmware, so there is no need to download an .ISO file separately for this version. To create a USB image, click Browse to locate the USB storage device, and then click Image.
  5. If you are planning to create a USB key to re-image the Access Gateway appliance to 5.0.2, you must use the "Citrix Access Gateway 5.0.2179500" version of the Access Gateway 2010 Appliance Imaging Tool. This imaging tool already contains the appliance firmware, so there is no need to download an .ISO file separately for this version. To create a USB image, click Browse to locate the USB storage device, and then click Image.
  6. If you are planning to create a USB key to re-image the Access Gateway appliance to 5.0.1, you must use the "Built on 03/18/2010" version of the Access Gateway 2010 Appliance Imaging Tool.
  7. If you are planning to create a USB key to re-image the Access Gateway appliance to the latest version of 4.6.x, you must use v4.6 (build 3 or later) of the Access Gateway 2010 Appliance Imaging Tool.
  8. If you are planning to create a USB key to re-image the Access Gateway appliance to a 4.5.x version, you must use v1.0 (build 21) of the Access Gateway 2010 Appliance Imaging Tool.

    In each case, the version of the appliance imaging tool is displayed after running imaging_tool.exe.
Note: Dragging the .iso image onto the CD-RW drive results in creating an invalid CD-ROM with just the CD-image file stored on it. Make sure that you record the image with recording software that recognizes the ISO format.
Save Your Current Configuration
For Access Gateway 4.5.x/4.6.x:
Note: Before re-imaging the Access Gateway appliance, ensure that you save the configuration settings. The configuration settings are not retained when performing the following steps.
  1. Open the Access Gateway server on HTTPS port 9001 in the Web browser:
    https://gateway-FQDN-or-IP:9001/
  2. Log on with the user name root. The default password is rootadmin.
  3. On the Maintenance page, click Save Config. You are prompted to save a file named config.restore. This file includes all current settings, local user accounts, and certificate files.
For Access Gateway 5.x:
  1. Open the Access Gateway server on HTTPS in the Web browser:
    https://gateway-FQDN-or-IP/lp/AdminlogonPoint
  2. Log on with the user name admin. The default password is admin.
  3. Click Snapshots.
  4. Click Import.
  5. Select the .bin file with the latest release of Access Gateway 5.x.
  6. Click on the current Software Version, click on Create and then Export. The configuration settings including licenses and certificates are exported.
Re-image the Access Gateway
  1. Shut down the Access Gateway appliance.
  2. Connect a client computer to the serial port using the null modem cable provided. Use Hyperterminal or any other terminal emulation software and connect using the following settings:

    Bits per second: 9600
    Data bits: 8
    Parity: None
    Stop bits: 1
    Flow control: Hardware
  3. Remove the bezel (Access Gateway 2000 hardware models only) from the front panel of the Access Gateway appliance to reveal the CD-ROM drive. Put the recorded CD into the Access Gateway CD drive and then power on the device. Approximately one minute after it restarts, you should see information about the progress of the installation through the serial console. For hardware models without CD-ROM drives, insert the USB flash drive at this point.
  4. Once the installation is complete, remove all installation media and restart the appliance.
  5. Log on through a serial console and enter the basic network configuration settings through the serial console or use the default configured IP address of 10.20.30.40.
  6. When you are able to connect to the Administration Tool, you can upload the saved configuration and the settings are restored.
How to Obtain a License for an Access Gateway Appliance
Customers who purchase an Access Gateway appliance receive an e-mail from licenses@citrix.com containing instructions for how to download a license file.
Customers who upgrade from Access Gateway 4.2 or earlier should obtain their license file through MyCitrix.
If the Access Gateway deployment includes the Advanced Access Control Option, then it is not necessary to install a separate license on the appliance. Instead, the Advanced Access Control server manages licenses for all Access Gateway users using a Citrix License server installed on the trusted network. For more information, see the Access Suite Licensing Guide.
For standalone Access Gateway deployments that do not include the Advanced Access Control option, a license must be uploaded onto the appliance using the Access Gateway Administration Tool. Refer to the Access Gateway Administrators Guide for more information.
Important: For Access Gateway 5.x (Standalone or Controller mode), licenses are now stored on the appliance or Citrix License server. When running the Access Gateway in Controller mode, licenses are no longer configured on the Access Controller server but on the Access Gateway Management Console.

Common SSL Error Messages, and Respective Cause and Resolution

Various SSL Related Error Messages and the Resolution for the Same
The following is the list of some of the SSL-related error messages that an ICA client might return when attempting to connect to a MetaFrame server or published application using SSL:
  • Error Message: Troubleshooting SSL Error 4 with Secure Gateway
    Resolution: Refer to CTX105390 - Troubleshooting SSL Error 4 with Secure Gateway
  • Error Message: SSL security context is invalid or expired (SSL 15).
    Resolution: Upgrade the Win32 ICA client to version 6.30.1050 or later.
  • Error Message: Cannot connect to the Citrix MetaFrame server. There is no route from the Citrix SSL Relay to the specified subnet address (SSL error 37).
    Resolution: Refer to CTX103203 - Error: Cannot connect to the Citrix MetaFrame server. There is no route from the Citrix SSL Relay to the specified subnet address (SSL error 37).
  • Error Message: “SSL Error 37: The proxy could not connect to ;10; (STA server);(sid) port 1494”
    Cause: This problem seems to occur only when the XenApp server and ICA Client are using different DNS servers.
    Resolution: Enabling XML Service DNS address resolution allows a XenApp server to return the Fully Qualified Domain Name (FQDN) to ICA Clients using the Citrix XML Service.
  • Error Message: “The Citrix SSL Relay sent a close alert (SSL Error 43)” or SSL Error 4.
    Resolution: Refer to the following Knowledge Center articles:
    CTX101685 - “The Citrix SSL Relay sent a close alert (SSL Error 43)” or SSL Error 4
    CTX116743 - Error: Cannot connect to the Citrix Presentation Server. SSL Error 43
  • Error Message: The Remote SSL peer sent a bad certificate alert. (SSL Error 49).
    Resolution: Upgrade the Macintosh ICA client to version 6.20.142.
  • Error Message: The remote SSL peer sent an unrecognized alert (SSL Error 55)....Error : 132
    Reason: The SSL Error 55 is caused by an invalid certificate or a missing root certificate.
    Resolution: Install an appropriate certificate.
  • Error Message: Security alert: The name on the security certificate does not match the name of the server (SSL error 59).
    Reason: The ICA Client is attempting to connect to the server using its NetBIOS name, IP address, or a fully-qualified domain name (FQDN) that does not match the subject of the server's certificate. To connect successfully, the ICA Client must connect using the DNS name of the server exactly as it appears on the server certificate.
    Resolution: In the NFuse scenarios, you must set AddressResolutionType=dns or dns-port in nfuse.conf and enable DNS name resolution on the farm properties panel in the Citrix Management Console. Refer to the following documents for more information about DNS name resolution:
    Page 65 of the Administrator's Guide for MetaFrame XP with Feature Release 1.
  • Error Message: Any of the following error messages:
    • The server certificate received is not trusted (SSL error 61).
    • Cannot connect to the Citrix (XenApp or Presentation) Server.
    • SSL Error 61: You have not chosen to trust “Common”, the issuer of the server’s security certificate.
    Reasons: The following are the probable reasons for these error messages:
    • The required Certificate Authority (CA) Root certificate is not installed on the client device.
    • If the server certificate was issued by an intermediate certification authority, the Win32 ICA Client version 6.20.985 does not connect using SSL. This is a client-side issue that affects the 32-bit ICA Client Version 6.20.985 connecting through the Citrix SSL Relay Service or Citrix Secure Gateway.
    • The validity of the server certificate presented also relies on the client date and time. The SSL error 61 is also displayed if the client time is outside the validity period (date time stamp) of the server certificate.
    • The administrator might have configured Citrix Secure Gateway to have the client log in to the Web Interface site, which then redirects the client to the Citrix Secure Gateway appliance after the application has started. The Secure Gateway appliance proxies the connection. If DNS is not correct, the client machine might be directed or resolved to a site that it does not trust. When directly accessing the Citrix Secure Gateway Server from the client machine, the client displays a security alert. If you display the certificate, it indicates that it was not from the Citrix Secure Gateway site.
    Resolutions: The following are the probable resolutions for these error messages:
    • If you are using a well-known public certification authority, such as VeriSign, Baltimore, Thawte, or RSA, then the required root certificate already exists on the client devices running a recent copy of Windows. However, if you are using either your own certificate server to generate server certificates or a trial certificate from a CA, you need to install the CA Root certificate on all client devices for them to connect. For more information about CA Root certificates and why they are needed, refer to the white paper CTX16830 - Using the Citrix SSL Relay.
    • The client-side issue affecting the 32-bit ICA Client Version 6.20.985 connecting through the Citrix SSL Relay Service or Citrix Secure Gateway is resolved in versions 6.20.986 and later of the Win32 ICA Client. You can download the latest version of the Win32 ICA client from the Citrix Web site.
    • If the issue is related to the client date and time being invalid, adjust the client clock to reflect the current date and time.
    • For the DNS resolution issue, ensure that the DNS is properly configured between the client computer and the FQDN of the Citrix Secure Gateway Server.
  • Error Message: The connection was rejected. The SSL certificate is no longer valid. Please contact your Citrix Administrator (SSL error 70).
    Reason: The server certificate installed on the MetaFrame server is not yet valid or has expired. A common problem observed when using Microsoft Certificate Services to generate digital certificates in-house is that the period of validity might not begin until the day after the certificate is generated.
    Resolution: The SSL server certificates typically have a fixed set of valid dates. The system clock of the client devices as well as the server must be set to a time that falls within that range for an SSL connection to succeed. To determine the validity date of your server certificate, double-click the certificate file and notice the Valid from and Valid to fields.
  • Error Message: On the Macintosh computer, one or more of the root certificates in the keystore are not valid (SSL error 73).
    Reason: The Macintosh root certificate might be in a CER format.
    Resolution: The Macintosh certificates need to be in a DER format with the .crt extension. If the root certificate is copied properly to the keystore/cacerts folder and the user still gets this error when trying to connect, then refer to CTX104638 - Error: One or more of the certificates in the keystore directory are not trusted (SSL Error 73) to resolve the issue.
  • Error Message: SSL Error 82: The Security certificate (TheNameOfYourCertificateAuthority) is not suitable for use in SSL connections. Reason: Unsuitable Netscape Usage Extension field.
    Resolution: Refer to CTX113002 - SSL Error 82: The Security certificate (TheNameOfYourCertificateAuthority) is not suitable for use in SSL connections. Reason: Unsuitable Netscape Usage Extension field.
  • Error Message: Cannot connect to the Citrix (XenApp or Presentation) Server. There is no Citrix SSL server configured on the specified address.
    Resolution: Refer to CTX115468 - Error: Cannot connect to the Citrix Presentation Server. There is no Citrix SSL server configured on the specified address.
  • Error Message: Cannot connect to the Citrix (XenApp or Presentation) Server.
    The Citrix SSL Server you have selected is not accepting connections.
    Reason: The Citrix server default port number might have been changed from 1494 to another port number.
    Resolutions: The following are the probable solutions for this issue:
    • Ensure that the ipv4-port address resolution is configured on the NFuse server.
    • Check and ensure that the wfclient.ini file has the appropriate ProxyType=Auto setting.
    • Ensure that the STA UID listed in the Access Management Console and Secure Gateway Configuration Wizard is valid. An in-place upgrade of Presentation Server 4.0 to Presentation Server 4.5 or XenApp 5.0 modifies the UID value in the CTXSTA.config file. Reconfigure a valid STA using the Secure Gateway Configuration Wizard and the Access Management Console.
      Note: For Presentation Server 4.0 and later, append the :<port number> entry for the XML Service port, which must match the STA port.
    • Use other standard troubleshooting methods, such as telnet, to ensure that the port 1494 is open between the Secure Gateway or Access Gateway and the XenApp or Presentation servers.
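The certificate conditions behind SSL errors 59, 61 and 70 in the list above can be checked against a certificate's fields before users run into them. The following Python is an added example, not Citrix code: the function names, the constructed sample certificate and the `trusted_root_cns` parameter are assumptions, the certificate is passed in the dict layout that Python's `ssl.SSLSocket.getpeercert()` uses, and the issuer lookup by name stands in for real chain validation (it does not verify signatures).

```python
import ipaddress
import ssl
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample: a certificate from an in-house CA, issued on 2 Feb 2012,
# whose validity only begins the following day (the SSL error 70 case above).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "csg.example.com"),)),
    "issuer": ((("commonName", "Example In-House CA"),),),
    "notBefore": "Feb  3 00:00:00 2012 GMT",
    "notAfter": "Feb  2 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "csg.example.com"),),
}


def _rdn_values(name, field):
    """Collect every value of `field` from a getpeercert()-style name (tuple of RDNs)."""
    return [value for rdn in name for key, value in rdn if key == field]


def cert_names(cert):
    """DNS names the certificate carries: subject CN plus DNS subjectAltName entries."""
    names = _rdn_values(cert.get("subject", ()), "commonName")
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sorted({n.lower() for n in names})


def address_kind(address):
    """Label the address the client was given, using the terms of the error 59 entry."""
    try:
        ipaddress.ip_address(address)
        return "IP address"
    except ValueError:
        return "FQDN" if "." in address else "NetBIOS name"


def _cert_time(text):
    """Convert a certificate timestamp ('Feb  3 00:00:00 2012 GMT') to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), UTC)


def triage(cert, address, client_time, trusted_root_cns):
    """Return [(ssl_error, reason), ...] for one connection attempt; [] means no finding.

    address          -- name or IP the ICA client was told to connect to
    client_time      -- the client's clock as a timezone-aware datetime
    trusted_root_cns -- CNs of the CA root certificates installed on the client
    """
    findings = []

    # SSL error 59: the address must equal a DNS name on the certificate exactly.
    names = cert_names(cert)
    if address.lower() not in names:
        findings.append((59, f"client connects by {address_kind(address)} "
                             f"{address!r}; certificate names are {names}"))

    # SSL error 61: the issuing CA's root is not installed on the client.
    issuers = _rdn_values(cert.get("issuer", ()), "commonName")
    if not any(cn in trusted_root_cns for cn in issuers):
        findings.append((61, f"no root certificate on the client for issuer {issuers}"))

    # SSL error 70: client clock outside the validity window. The list above notes
    # that SSL error 61 can also be shown for this condition.
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    if client_time < not_before:
        findings.append((70, f"not valid until {not_before:%Y-%m-%d %H:%M} UTC"))
    elif client_time > not_after:
        findings.append((70, f"expired {not_after:%Y-%m-%d %H:%M} UTC"))
    return findings


if __name__ == "__main__":
    issued_day = datetime(2012, 2, 2, 15, 0, tzinfo=UTC)
    for address in ("csg.example.com", "CSG01", "10.20.30.40"):
        for code, reason in triage(SAMPLE_CERT, address, issued_day, set()):
            print(f"{address}: SSL error {code}: {reason}")
```
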

Issues Fixed in XenApp, XenDesktop, and Component Technologies

For a list of issues fixed in your version of the product, locate the product listing and click the appropriate version number. Translations of the lists, where available, can be accessed from the Language menu on the individual lists.
XenDesktop
  • V. 5.5
  • V. 5 Service Pack 1
  • V. 5
  • V. 4 Service Pack 1: x86 | x64
  • V. 4
  • V. 3 Feature Pack 1
  • V. 3
XenApp *
  • XenApp 6.5 for Windows Server 2008 R2
  • XenApp 6 for Windows Server 2008 R2: Hotfix Rollup Pack 1 *
  • XenApp 5 for Windows Server 2008:
    • x64 Edition: Hotfix Rollup Pack 1 *
    • x86 Edition: Hotfix Rollup Pack 1 *
  • XenApp 5 for Windows Server 2003:
    • x64 Edition: Hotfix Rollup Pack 7 *
    • x86 Edition: Hotfix Rollup Pack 7 *
  • Presentation Server 4 for Windows Server 2003: Hotfix Rollup Pack 6 *
  • Presentation Server 4 for Windows 2000 Server: Hotfix Rollup Pack 6 *
* For Presentation Server 4 and XenApp 5 and 6, links point to the readmes of the latest hotfix rollup packs, which include lists of issues fixed.
Technologies
  • Application Streaming / Streaming Profiler; Offline plug-in: V. 6.5
  • Delivery Services Console (Access Management Console): V. 4.6
  • EasyCall Gateway: V. 3.0, V. 2.2.1, V. 2.2Q, V. 2.1Q, V. 2.1, V. 1.2
  • EdgeSight: V. 5.4
  • Profile Management: V. 4.0, V. 3.2
  • Web Interface: V. 5.4, V. 5.3
Receiver and Plug-Ins
  • Receiver for Linux: V. 12.0
  • Receiver for Windows: V. 3.0
  • Offline Plug-in for Windows: V. 6.5, V. 6.0, V. 5.2
  • Online Plug-in for Macintosh: V. 11.2, V. 11.1
  • Online Plug-in for Windows: V. 12.1, V. 12.0.3
  • Single Sign-on (Password Manager): V. 5.0, V. 4.8, V. 4.6 Service Pack 1, V. 4.6, V. 4.1

Application Launch Fails with Web Interface using Internet Explorer 9

After upgrading to Internet Explorer 9, users are unable to launch applications once authenticated into Web Interface. Users are given a prompt to Open, Save, or Cancel the launch.ica connection file. Clicking Open to run the application is not successful.
If the option to save the file is selected, it is created with a temporary name with a ".partial" extension.
Cause
The issue occurs because Internet Explorer cannot access the cached ICA file. After upgrading a client device that has Version 12.1 of the online plug-in installed to Windows Internet Explorer 9, attempts to launch applications from the Web Interface fail and a "Sharing Violation" error occurs.
Resolution
Install the latest Citrix Receiver version, which can be downloaded from the Download Citrix Clients page.
A fix is also available in a special release, version 12.1.44, of the Citrix Online Plug-in.
Workaround
Configure Internet Explorer 9 as follows to allow successful application launching:
Caution! This fix requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
  1. Disable the ActiveX Filtering feature for the Web Interface site, either by:

    Disabling ActiveX filtering globally:
    Click the Gear icon, select Safety, and de-select ActiveX Filtering. Alternatively, press the Alt key and open the Tools menu to reach the same setting. ActiveX filtering is enabled if a “tick” appears next to it and disabled if the “tick” is absent.

    - Or -

    Disabling ActiveX filtering for an individual site when ActiveX filtering is enabled globally:
    Log on to the Web Interface site and attempt to launch an application. At the end of the address bar, a blue warning sign appears, indicating filtered content. Click the blue warning sign and select Turn off ActiveX Filtering.
  2. Enable ICA launch, either by:

    Adding the site to the Trusted sites list: In the Security tab of Internet Options, add the Web Interface site to the Trusted Sites list to allow the use of the ActiveX ICA client object for the launch.

    - Or -

    Disabling the MIME filter by renaming the following registry key: HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-ica
  3. Log off Web Interface, then close and restart the browser after making this change.

Recommended Citrix and Microsoft Hotfixes for XenApp 6 and Windows Server 2008 R2

Recommended Citrix Hotfixes
Hotfix Rollup Pack 1 for Citrix XenApp 6 for Microsoft Windows Server 2008 R2 contains most of the following Hotfixes (exceptions noted inline). For a list of all New Fixes, Enhancements, Replaced Hotfixes, and Fixes from Previously Released Hotfixes included in XenApp 6 Rollup Pack 1 for Windows Server 2008 R2, refer to: Documentation for Hotfix Rollup Pack 1 for Citrix XenApp 6 for Microsoft Windows Server 2008 R2 (CTX130473) (Added 12/1/2011) NEW
XA600W2K8R2X64R01 (Included in Rollup Pack 1)
  • This hotfix rollup pack contains Fix #241756, which addresses a security vulnerability. For more information, see Knowledge Center article CTX128169.
XA600W2K8R2X64012 (Included in Rollup Pack 1)
  • This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX123359.
XA600W2K8R2X64017 (Included in Rollup Pack 1)
  • This fix addresses session reliability issues that can occur when using multiple, disparate, client devices to reconnect to the same session.
XA600W2K8R2X64021 (Included in Rollup Pack 1)
  • This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX128169.
XA600W2K8R2X64029 (Included in Rollup Pack 1)
  • Servers might experience a fatal exception, displaying a blue screen, with bugcheck code 0xf4 on IMAAdvanceSrv.exe.
  • Attempts to launch Windows Internet Explorer from an http, https, or mms hyperlink embedded in a streamed application fail. The issue occurs because XenApp 6 does not create the HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command_backup registry key as part of the server file type association.
XA600W2K8R2X64046 (Added 7/16/11, replaces XA600W2K8R2X64018) (Included in Rollup Pack 1)
  • Servers running XenApp 6 can become unresponsive when shutting down. The issue occurs when the picadm.sys driver encounters certain error conditions that prevent it from shutting down in an orderly fashion. Also, servers might experience a fatal exception, displaying a blue screen on picadm.sys with bugcheck code 0x22 (FILE_SYSTEM).
  • If a session is disconnected while it is still reading or writing a Client Drive Mapping (CDM) file, the resulting deadlock condition can prevent servers from accepting new session requests.
  • Servers might experience a fatal exception, displaying a blue screen, on picadm.sys. The issue occurs when the user removes a thumb drive from a client device while connected to a session. Dumps indicate that picadm.sys is referencing invalid, possibly disconnected volumes.
  • When the ReadOnlyMappedDrive registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\picadm\Parameters) is set to 1, published applications can no longer access and browse mapped client drives.
  • With folder redirection enabled, servers can experience a fatal exception, displaying a blue screen, on picadm.sys. The issue can be observed when attempting to save a file that was introduced into the session on a USB device attached to and then removed from a thin client device.
  • Servers with Hotfix XA600W2K8R2X64018 installed can become unresponsive intermittently. The issue occurs when a scheduled reboot is triggered by a Citrix policy while there are active sessions on the server.
  • Unplugging a USB device from a thin client while a file is being copied to or from the USB device, can cause the following error message to appear: "An error has occurred. The destination you have specified does not exist. It might be an offline network location or an empty CD or DVD drive. Check the location and try again."
XA600W2K8R2X64058 (Added 9/21/2011) NEW (Included in Rollup Pack 1)
  • With Session Reliability enabled, ICA connection attempts fail if the ICA Listener is bound to a single NIC in a multi-homed environment.
  • The Citrix SSL Relay Configuration tool can fail to correctly create the outbound connection policies defined in its Connection tab. After applying this fix on affected deployments, the policies are modified to disallow all outgoing connections. As a result, SSL connections can stop working. In order to recreate the correct policies and allow SSL connections to work again, you must rerun the Citrix SSL Relay Configuration tool, verify the policies in its Connection tab and click Apply. The next time the server restarts, the correct policies are in place.
XA600W2K8R2X64060 (Added 8/23/2011, replaces XA600W2K8R2X64002) (Included in Rollup Pack 1)
  • This fix addresses two installation issues:
    • Hotfixes fail to install on a XA6 server that has not yet had the XenApp Server Role configured.
    • Installing hotfixes or performing a repair on the base product for Citrix XenApp 6 for Windows Server 2008 R2 can inadvertently remove the Citrix Licensing component, if present, from the system. This fix prevents the Citrix Licensing component from being removed when installing subsequent hotfixes.
XA600W2K8R2X64062 (Included in Rollup Pack 1)
  • Servers might experience a fatal exception, displaying a blue screen while shadowing is started.
XA600W2K8R2X64063 (Included in Rollup Pack 1)
  • This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX129430.
XA600W2K8R2X64068 (Added 7/2/11, replaces XA600W2K8R2X64056) (Included in Rollup Pack 1)
  • Certain applications fail to launch when Administrator Approval Mode is enabled in User Account Control.
  • This fix addresses the following issues for sessions launched as streamed to server or by a script: 1) The application name can be missing from the session information of the Delivery Services Console Session and not appear under the Applications folder of the Delivery Services Console. 2) Application limits might be ignored. 3) Attempts to reconnect to disconnected sessions might fail.
  • Certain applications can perform slowly when run in seamless mode.
  • The CPU consumption of the winlogon.exe process can be higher than usual and it might cause new connection attempts to fail once a server hosts 70 connections or more. Eventually, servers can experience a fatal exception and need to be restarted.
XA600W2K8R2X64077 (Added 8/23/2011, replaces XA600W2K8R2X64026) (Included in Rollup Pack 1)
  • Attempts to log on to a XenApp 6 server using Version 7 or earlier versions of the clients can cause svchost.exe to exit unexpectedly. As a result, further connection attempts to the server fail until it is restarted.
  • The CPU consumption of the CitrixCseEngine.exe process can spike unexpectedly and cause logon delays.
  • Attempts to launch a published application that resides on a mapped network drive rather than on a XenApp server fail.
  • When connecting to a server running Windows Server 2008 R2 with Service Pack 1, Terminal Services can exit unexpectedly. This causes users to experience a black screen when logging on and the logon process fails to complete.
  • A rare race condition that occurs when a shadowee disconnects at roughly the same time a shadower connects can cause servers to experience a fatal exception, displaying a blue screen on RPM.dll.
  • The shadow logging policies might not log events to the Event viewer properly.
  • The fix addresses an issue where the IMA Service exits unexpectedly when a network adapter is not bound to an IP address.
  • Servers might become unresponsive or experience a fatal exception on rpm.dll when an administrator initiates a shadowing session.
  • Pass-through authentication fails after applying Hotfix XA600W2K8R2X64048.
XA600W2K8R2X64079 (Added 8/17/11, replaces XA600W2K8R2X64010) (Included in Rollup Pack 1)
  • This enhancement is a part of the XenApp Printing Optimization Pack. The Printing Optimization Pack improves the user experience and printing speed by reducing the printer bandwidth required. For more information, including system requirements, required components, and known issues, see XenApp Printing Optimization Pack in eDocs, the Citrix Product Documentation Library.
  • This enhancement allows printing within a session using ICA Proxy through Branch Repeater.
XA600W2K8R2X64089 (Added 9/21/11) NEW (Included in Rollup Pack 1)
  • During times of heavy logon/logoff activity, sessions can become unresponsive while connecting. The "Starting <application name>" message appears but the connection attempt fails to complete.
For XenApp 6 Fundamentals Edition
XA600W2K8R2X64044 (Included in Rollup Pack 1)
  • When a server running Access Fundamentals/XenApp 6 Fundamentals Edition is in a workgroup, the Citrix license cannot be retrieved and application launch fails, resulting in the following error message: "License Acquisition failed..."
Other Citrix Hotfixes
XASCTW2K8R2X64003 (Added 8/17/11, replaces XASCTW2K8R2X64001) - (Not Included in Rollup Pack 1)
  • This hotfix contains an updated version of the XenApp Server Configuration Tool, which is used to configure XenApp 6 for Windows Server 2008 R2 server role installations. The XenApp image can be prepared for imaging and provisioning before, during, or after configuring XenApp.
  • Version 1.0 of the Server Configuration Tool exits unexpectedly in the XenApp Server Role manager wizard when entering credentials for SQL server if the policy, "Require trusted path for credential entry" is enabled by way of a GPO.
  • XenApp server configuration fails when using Version 1.1 of the Server Configuration Tool if you chose not to install XenApp Management as part of the XenApp 6 installation. Instead, the following error message appears: "A parameter cannot be found that matches parameter name 'localgpo'."
DSCXAGPMX100WX64001 (Not Included in Rollup Pack 1)
  • This enhancement is a part of the XenApp Printing Optimization Pack. The Printing Optimization Pack improves the user experience and printing speed by reducing the printer bandwidth required. For more information, including system requirements and required components, see XenApp Printing Optimization Pack in eDocs, the Citrix Product Documentation Library.
Recommended Microsoft Hotfixes
Windows Server 2008 R2 SP1 contains most of the following hotfixes (exceptions noted inline). For a list of all Microsoft Hotfixes included in Windows Server 2008 R2 SP1, refer to: Documentation for Windows 7 and Windows Server 2008 R2 Service Pack 1 (KB976932) and click the download link for “WS08R2 SP1.xls”. Microsoft has published the following KB article specific to Remote Desktop Services: Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008 R2
  • A Windows Server 2008 R2-based Remote Desktop server denies some connection requests randomly under heavy logon or logoff conditions.
  • There is a delay when you shut down, restart, or log off on a Windows Server 2008 R2.
  • If a heavy load situation exists or if connectivity issues exist, there is a stop error message in Windows 7 and in Windows Server 2008 R2 as follows:
    "STOP: 0x000000B8"
  • A computer that is running Windows Server 2008 R2 stops responding randomly.
  • An application or service that uses Winsock API or Winsock Kernel API might randomly stop responding in Windows Server 2008 R2 (Not included in SP1).
  • Installing a 32-bit help System 2008R2 might be required if hosting 32-bit applications (Not included in SP1).
  • Remote desktop sessions do not exit completely and you cannot establish new remote desktop sessions to a computer that is running Windows Server 2008 R2.
  • Startup takes a long time on a Windows 7 or Windows Server 2008 R2-based computer that has an Intel Nehalem-EX CPU installed.
  • A computer that is running Windows 7 or Windows Server 2008 R2 intermittently cannot use a shared network printer to print.
KB2444328 (Added 7/16/11)
  • You cannot access shared files or shared printers in Windows 7 or in Windows Server 2008 R2 (Not included in SP1)
KB2551503 (Added 8/23/11)
  • A mapped drive that has the non-persistent flag set is displayed as a disconnected drive in Windows 7 or in Windows Server 2008 R2 (Not included in SP1)
KB2578159 (Added 9/21/11)
  • The logon process stops responding in Windows Server 2008 R2 or in Windows 7 (Not included in SP1)
KB2620656 (Added 10/27/11)
  • Invalid redirected printers may be available in a Remote Desktop Services session that connects to a RD Session Host server that is running Windows Server 2008 R2 (Not included in SP1)
KB2617858 (Added 12/29/11) NEW
  • Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7 (Not included in SP1)