Recommended Hotfixes for XenServer 7.x

Citrix Hypervisor, formerly XenServer, is powered by the Xen Project hypervisor.

This article contains the complete set of recommended updates/hotfixes for XenServer 7.x.

For the list of XenServer Tools/Management Agent/Windows Driver updates, refer to CTX235403 – Updates to Management Agent – For XenServer 7.0 and later

For XenServer 6.x hotfixes, refer to CTX138115 – Recommended Hotfixes for XenServer 6.x

XenServer 7.5 XenServer 7.4 XenServer 7.3 XenServer 7.2 XenServer 7.1 CU1 XenServer 7.0

For more information, refer to the following Knowledge Center articles

Note: Citrix recommends updating the XenServer Console before applying any new hotfixes. All XenServer hotfixes can be applied at the same time; the order in which hotfixes appear in this article does not indicate an installation order.

Hotfix XS75E003 –

For XenServer 7.5
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** No
Hotfix XS75E004 –

For XenServer 7.5
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No
Hotfix XS75E005 –

For XenServer 7.5
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** No
Hotfix XS74E005 –

For XenServer 7.4
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** No
Hotfix XS74E006 –

For XenServer 7.4
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No
Hotfix XS74E007 –

For XenServer 7.4
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable** No
XenServer 7.3.0 Update The link contains XenServer 7.3 Current Release as an update package. This update can be applied by using XenCenter to an existing XenServer 7.2 installation.

For more information, see the XenServer 7.3 Release Notes and Installation Guide.
XenCenter 7.3.0

This release of XenCenter is for customers who use XenCenter as the management console for XenServer 7.3.

Hotfix XS73E007 –

For XenServer 7.3
All customers who are affected by the issues described in CTX235748 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** Yes
XenCenter

This hotfix is for customers who use XenCenter as the management console for XenServer 7.2.0. It constitutes two deliverables:

File Name: XenServer-7.2.0-XenCenterSetup-7.2.0.exe
Description: This file updates the XenCenter Windows Management Console
Hotfix XS72E005-

For XenServer 7.2

All customers who are affected by the issues described in CTX225941 – Citrix XenServer Multiple Security Updates should install this hotfix.

In addition, it resolves the following issue:

  • When a large number of VMs are booted together, a kernel soft lockup can occur, resulting in a kernel crash.

Content live patchable* Yes

This hotfix also includes the following previously released hotfix:

Hotfix XS72E010-

For XenServer 7.2
All customers who are affected by the issues described in CTX230138 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable* No
Hotfix XS72E014-

For XenServer 7.2
This is a hotfix for customers running XenServer 7.2. All customers who are affected by the issues described in CTX233832: Citrix XenServer 7.2 Multiple Security Vulnerabilities should install this hotfix.

Content live patchable* No
Hotfix XS72E017-

For XenServer 7.2

All customers who are affected by the issues described in CTX234679 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable* No

XenServer 7.1 Cumulative Update 1 (XS71ECU1) should be installed by customers running XenServer 7.1. It includes all previously released XenServer 7.1 hotfixes. Installation of XS71ECU1 is required for all future functional hotfixes for XenServer 7.1 LTSR. XenServer 7.1 Cumulative Update 1 and its subsequent hotfixes are available only to customers on the Customer Success Services program.

Citrix will continue to provide security updates to the base XenServer 7.1 product for a period of three months from the release date of the XenServer 7.1 Cumulative Update 1 (until December 11, 2017). After this three month period elapses, any new hotfixes released will only support XenServer 7.1 with CU1 applied.

XenCenter 7.1.2

This release of XenCenter is for customers who use XenCenter as the management console for XenServer 7.1.

XenCenter 7.1.2 is available on the Citrix downloads site as a restricted download. You must sign in to the site and have active membership of the Customer Success Services (CSS) program to access these downloads.

Hotfix XS71ECU1006-

For XenServer 7.1CU1
This is a hotfix for customers running XenServer 7.1 Cumulative Update 1. All customers who are affected by the issues described in CTX230138 – Citrix XenServer Multiple Security Updates should install this hotfix.

Content live patchable* No
Hotfix XS71ECU1013-

For XenServer 7.1CU1
This is a hotfix for customers running XenServer 7.1 Cumulative Update 1. All customers who are affected by the issues described in CTX232655 – Citrix XenServer Multiple Security Updates should install this hotfix.

This security hotfix addresses the vulnerabilities as described in the Security Bulletin above. In addition, it resolves the following issue:

  • If the SNMP configuration is modified to request interface statistics Object Identifiers (OIDs) and the SNMP service happens to start before the Openvswitch service, all further statistics requests to SNMP return incorrect data.
Content live patchable* No
Hotfix XS71ECU1014-

For XenServer 7.1CU1

This hotfix addresses the following issues:

  • After rebooting, a XenServer host can fail to connect to iSCSI targets on Compellent arrays.
  • When shutting down, the XenServer host can hang at ‘reached target shutdown’. This happens if XAPI is unable to cleanly unplug PBDs to iSCSI SRs before shutdown.

This hotfix also includes the following previously released hotfix:

Content live patchable* No
Hotfix XS71ECU1015-

For XenServer 7.1CU1

This hotfix addresses the following issue:

Customers using Active Directory (AD) with XenCenter are unable to log on to XenCenter, or get disconnected intermittently. In some cases, XenCenter displays incorrect AD group membership details. This hotfix resolves this issue.

Content live patchable* No
Hotfix XS71ECU1019-

For XenServer 7.1CU1

This hotfix resolves the following issues:

  • A race condition in XenBus can cause pauses in Windows VM operation, which lead to Timeout Detection and Recovery (TDR) events. The TDR can cause the VM to crash.
  • Under low resource situations, Xennet can consume all of the RAM on a Windows VM. This causes the VM to crash.
  • XenVBD can consume 100% of a vCPU and can block other processes from using that vCPU.
Content live patchable* No

This hotfix also includes the following previously released hotfixes:

Hotfix XS71ECU1024-

For XenServer 7.1CU1
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No
Hotfix XS71ECU1026-

For XenServer 7.1CU1
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Content live patchable** No
Hotfix XS71ECU1027-

For XenServer 7.1CU1
All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfix:

Apply the following hotfixes for XenServer 7.0 and restart XenServer when the hotfix installation is complete.

Hotfix XS70E001 –

For XenServer 7.0
This is a XenCenter update (a .exe file) and not a host-side hotfix. This package needs to be installed on the Windows machine running XenCenter.
Hotfix XS70E002 – For XenServer 7.0 All customers who are affected by the CVE-2016-2107 issue described in CTX212736: Citrix XenServer Multiple Security Updates should install this hotfix.
Hotfix XS70E004 – For XenServer 7.0 Important: This is a critical hotfix for customers running XenServer 7.0. All XenServer 7.0 customers must apply this hotfix.
Hotfix XS70E009 – For XenServer 7.0

This hotfix resolves the following issue:

  • In rare circumstances when a XenServer host is enabling HA, or during a host reboot with HA enabled, the host can fail to establish HA communication with the other hosts. This is due to another process on the host using the listening port required by the HA software.
Update XS70EU001 – Management Agent for XenServer 7.0 The Management Agent update resolves the following issues:

  • Installation of Management Agent can fail after installing newer I/O drivers through Windows Update.
  • Failure to reboot a Windows VM after installing XenServer Tools can result in excessive log entries being written to xensource.log and xenstored-access.log until the VM is rebooted. If customers do not reboot the VM, or delay the reboot, excess logs can fill up the XenServer host log partition.
  • The Management Agent can crash and respawn on systems without a terminal services Windows Management Instrumentation (WMI) object causing high CPU usage and excessive logging in /var/log/daemon.
  • If the Management Agent auto update is enabled after installing XenServer Tools, and a new update is available, the initial auto-update can fail due to a race condition that can cause multiple update attempts to occur simultaneously.
Update XS70EU002 – Management Agent for XenServer 7.0 New versions of the I/O drivers, compatible with Microsoft Windows Server 2016 have been released.
Update XS70EU003 – Management Agent for XenServer 7.0
  • The default behavior of the Management Agent has been improved to enable customers to configure whether any I/O driver updates included in the Management Agent should be applied automatically. For more information, see section 4.3.1 Installing XenServer Tools in the XenServer 7.0 Virtual Machine User’s Guide.
  • This version (v7.1.844) of the Management Agent includes new versions of the I/O drivers that are compatible with Microsoft Windows Server 2016. These drivers have been released previously through the Microsoft Windows Server Update Service. For more information, see Update XS70EU002 – Windows I/O Drivers for XenServer 7.0.
Hotfix XS70E018 – For XenServer 7.0 This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX220112: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX219378: Citrix XenServer Multiple Security Updates should install this hotfix.
  • This hotfix supports the improvements to XenServer’s Direct Inspect APIs.
Hotfix XS70E024 – For XenServer 7.0
  • When booting a vGPU provisioned Virtual Machine (VM) from network, an interaction between VGA BIOS and VGA emulation code in the vGPU device model can result in the corruption of the VM console in XenCenter.
Hotfix XS70E027 – For XenServer 7.0
  • When installing XenServer or upgrading XenServer to a newer version, PBIS services get enabled (even when Role-based access control (RBAC) is not used) and display a lot of error messages. This issue also consumes a lot of control domain (dom0) resources.
Hotfix XS70E028 – For XenServer 7.0 This hotfix supports the following new guest operating systems.

  • Oracle Linux 6.8
  • Red Hat Enterprise Linux 6.8
  • CentOS 6.8
  • NeoKylin Linux Advanced Server 6.5 (64-bit only)
  • NeoKylin Linux Advanced Server 7.2 (64-bit only)
  • SUSE Linux Enterprise Server 11 SP4
Hotfix XS70E037 – For XenServer 7.0

This hotfix addresses the following issue:

  • When attempting to use XenServer Conversion Manager (XCM) Console to connect to an XCM Virtual Appliance that runs on a slave host, the connection fails and the following message is displayed by the console: “There was a failure communicating with the plugin.” This hotfix ensures that the XCM Console can connect to a XCM Virtual Appliance that runs on any XenServer host.
Hotfix XS70E041 – For XenServer 7.0

This hotfix resolves the following issue:

  • When using SSH to connect to XenServer, a user might experience a memory leak in systemd on XenServer.
Hotfix XS70E042 – For XenServer 7.0

This hotfix resolves the following issues:

  • Excessive input/output from a process could trigger a SCSI target reset while the process is still ongoing. This leads to tapdisk logs reporting invalid request type and/or invalid number of segments, and filling up the Dom0 log partition. This issue occurs due to a race condition that leads to an incorrect reference count.
  • When running XenDesktop on XenServer, if you have logged on to the console session using terminal services, then, multiple XenDpriv.exe processes are seen running. This issue occurs when VMs treat all logins as if they were console logins.
  • When installing Windows PV tools on Windows 10 and Windows Server 2016, users are not notified to reboot the VM in order to continue with the driver installation.
  • If the clipboard buffer on a VM contains the “%s” format specifier, the VM can bug check with error SYSTEM_SERVICE_EXCEPTION 0x3B (c0000005).
  • When a Virtual Network Interface (VIF) receives malformed packets, the virtual CPU (vCPU) can cause Windows VMs to rise to 100% CPU usage and become unresponsive at the console.

This hotfix also includes the following previously released hotfix:

Hotfix XS70E043 – For XenServer 7.0

This hotfix resolves the following issue:

  • Under certain workloads on Skylake and Kaby Lake processors with Hyper-Threading enabled, applications can crash or incorrect program behavior can be observed. Microcode update fixes this issue.
Hotfix XS70E048 – For XenServer 7.0 This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX230138 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E052 – For XenServer 7.0 This is a hotfix for customers running XenServer 7.0. All customers who are affected by the issues described in CTX232655 – Citrix XenServer Multiple Security Updates should install this hotfix. This security hotfix addresses the vulnerabilities as described in the Security Bulletin above.
Hotfix XS70E060 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0.

All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E061 – For XenServer 7.0

This is a hotfix for customers running XenServer 7.0.

All customers who are affected by the issues described in CTX236548 – Citrix XenServer Multiple Security Updates should install this hotfix.

Hotfix XS70E062 – For XenServer 7.0

This hotfix resolves the following issues:

  • Virtual machines (VMs) configured with in-guest software RAID may fail to cleanly shut down or restart.
  • After taking a disk-only snapshot for a VM running in the pool, users randomly fail to access the Virtual Hard Disk (VHD) when trying to unpause the VM, and the VM stops responding. This is caused by a race condition in Linux Logical Volume Manager (LVM).
  • After rebooting, a XenServer host can fail to connect to iSCSI targets on Compellent arrays.
  • When Intellicache mirroring fails due to ENOSPC on shared storage, the VBD image list gets truncated to point to itself. This causes an infinite loop and can lead to the I/O datapath stopping and subsequently VMs freezing.
  • When a pool master node executes multi-step plugins on the pool member nodes after important events such as coalesce, the plugin continues to execute through all its steps even if one of the previous steps has failed. This can leave other VDI operations permanently blocked with OTHER_OPERATION_IN_PROGRESS.
  • After deleting a snapshot on a pool member that is not the pool master, a coalesce operation may not succeed. In such cases, the coalesce process can constantly retry to complete the operation, resulting in the creation of multiple RefCounts that can consume a lot of space on the pool member.
  • The storage cleanup process initiated after a VDI destroy can conflict with ongoing VDI copy processes (including Storage XenMotion), causing subsequent operations on the SR to fail.

This hotfix also includes the following previously released hotfixes:

Hotfix XS70E063 – For XenServer 7.0

This hotfix resolves the following issues:

  • High Availability (HA) enabled VMs can take longer to restart after a HA failover.
  • In rare cases, when a XenServer host in a pool is restarted, it may not be able to rejoin the pool.
  • In rare cases, attempts to shut down a XenServer host in a pool may not succeed.
  • On HA-enabled pools, when a task is initiated after a XenServer host has failed, VMs running on the host can take longer (about 10 minutes) to restart. This issue occurs when a task is assigned to the host after it has failed, but before XAPI is aware of the host failure. In such cases, the task doesn’t get cancelled even when XAPI is notified about the failure, causing delays in restarting the VMs.
  • When migrating VMs that have Dynamic Memory Control (DMC) enabled, the VM shutdown operation can unexpectedly fail. This is caused by reducing memory allocation before shutdown and this operation taking longer than expected.
  • On Nutanix hosts, the host’s memory-overhead is miscalculated after first boot. This is because XAPI calculates the available host RAM on startup assuming no domains other than the XenServer Control Domain are running. On first boot this is true but on subsequent boots, the Nutanix Controller VM (CVM) is started before XAPI.

This hotfix also includes the following previously released hotfixes:


Getting an error “fatal error 9: general protection fault while in kernel mode”while installing the NMAS 12.0 58


Citrix ADC Software Release Dates


Citrix Workspace App Launcher is unable to launch applications automatically with Apple Safari 12


Solution 1:


1. Open web.config using your preferred text editor and locate the line: <protocolHandler enabled="true" platforms="(Macintosh|Windows NT).*((Firefox/((5[2-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))" skipDoubleHopCheckWhenDisabled="false" />

2. The value of the platforms attribute is a regular expression specifying the browsers for which Citrix Receiver Launcher is used for client detection and HDX launches. Change the regular expression to:

"(Macintosh|Windows NT).*((Firefox/((5[2-9]|[6789][0-9])|\d\d\d))|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))|Macintosh.*Version/(1[2-9]|[2-9][0-9]).*Safari/"

3. This adds Safari 12 and later to the list of browsers for which Citrix Receiver Launcher is used.
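A way to check the effect of the regular expression change in Solution 1 before editing web.config, as an added example that is not part of the original article. The User-Agent strings are constructed samples, and the sketch assumes the platforms value is applied as an unanchored search against the User-Agent header.

```python
import re

# Value of the `platforms` attribute before the change (step 1).
OLD_PLATFORMS = (
    r"(Macintosh|Windows NT).*((Firefox/((5[2-9]|[6789][0-9])|\d\d\d))"
    r"|(Chrome/((4[2-9]|[56789][0-9])|\d\d\d)))"
)
# Value after the change (step 2): a Safari-on-macOS alternative is appended.
NEW_PLATFORMS = OLD_PLATFORMS + r"|Macintosh.*Version/(1[2-9]|[2-9][0-9]).*Safari/"

_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) "
_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "

# Constructed User-Agent strings (illustrative, not captured traffic).
SAMPLE_UAS = {
    "safari_11_mac": _MAC + "Version/11.1.2 Safari/605.1.15",
    "safari_12_mac": _MAC + "Version/12.0 Safari/605.1.15",
    "safari_13_mac": _MAC + "Version/13.0.5 Safari/605.1.15",
    # Hypothetical three-digit Safari version: the Safari branch has no
    # \d\d\d alternative, unlike the Firefox and Chrome branches.
    "safari_100_mac": _MAC + "Version/100.0 Safari/605.1.15",
    # iPad Safari reports "iPad ... like Mac OS X", not "Macintosh".
    "safari_12_ipad": (
        "Mozilla/5.0 (iPad; CPU OS 12_0 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
    ),
    "chrome_70_win": _WIN + "Chrome/70.0.3538.77 Safari/537.36",
    "chrome_41_win": _WIN + "Chrome/41.0.2272.89 Safari/537.36",
    "firefox_60_mac": (
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) "
        "Gecko/20100101 Firefox/60.0"
    ),
}


def launcher_enabled(platforms, user_agent):
    """True if the platforms pattern selects this User-Agent.

    Assumption: the pattern is applied as an unanchored search.
    """
    return re.search(platforms, user_agent) is not None


def compare(samples=SAMPLE_UAS):
    """Map each sample name to (matched by old value, matched by new value)."""
    return {
        name: (launcher_enabled(OLD_PLATFORMS, ua), launcher_enabled(NEW_PLATFORMS, ua))
        for name, ua in samples.items()
    }


def newly_enabled(samples=SAMPLE_UAS):
    """Names of samples that only the new value selects."""
    return sorted(name for name, (old, new) in compare(samples).items() if new and not old)


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:16} old={old!s:5} new={new}")
    print("newly enabled:", newly_enabled())
```
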


Solution 2 :


1. Perform a clean uninstall of the Citrix Workspace App using the Uninstall option inside the downloaded .dmg file.

2. Reboot the client machine.

3. Install the Citrix Workspace App for Mac

Note :

Apple have announced they’re removing support for NPAPI from Safari 12. This will affect the user experience for users accessing Citrix Receiver for Web using Safari on Mac. We’ll address this by turning on the Citrix Receiver Launcher / Citrix Workspace App Launcher for Safari 12+ in future releases of Citrix StoreFront.

However, for existing StoreFront deployments, you will have to modify web.config under the Receiver for Web (RfWeb) site (typically C:\inetpub\wwwroot\Citrix\StoreWeb) to activate the Citrix Receiver Launcher / Citrix Workspace App Launcher for Safari 12 and later.


Browser Content Redirection: whitelisting websites

Browser Content Redirection is a technology built around a URL whitelisting mechanism. Two policies are exposed in Studio for that purpose:

i. Browser content redirection Access Control List (ACL) policy settings (a.k.a the ACL policy)

ii. Browser content redirection authentication sites (a.k.a the authentication sites policy)

While the description in edocs tries to cover the general cases, there are some websites using intrinsic redirection mechanisms that make the whitelisting process more difficult.

As an example, we will look at Microsoft Teams.

It is essential to use the browser's Developer Tools to understand the website’s behavior before configuring any policy.

The ‘Preserve Log’ check-box should be ticked, otherwise entries are cleared automatically.


Microsoft Teams

A user typing http://teams.microsoft.com will get an HTTP 307 response from the webserver, repointing the browser to https://teams.microsoft.com

(Hence it is critical that the right syntax is used when whitelisting a website, like http or https, with or without www, etc – otherwise redirection might fail).

From that URL, the resource https://teams.microsoft.com/auth/prelogin is contacted by the browser, which eventually ends up being redirected to:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&&client-request-id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&x-client-SKU=Js&x-client-Ver=1.0.9&nonce=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1&domain_hint=

These redirections occur very fast, and the Browser Content Redirection Chrome Extension does not manage to inject the HdxVideo.js JavaScript in time.

In this case, the url https://login.microsoftonline.com/* needs to be whitelisted in the ACL policy in Studio.

Better granularity can be achieved by leveraging a common parameter in OAuth 2.0 (redirect_uri, where the App name is embedded in the URL). Therefore, whitelisting the following URL in the ACL policy in Studio will achieve the objective:

https://login.microsoftonline.com/*teams*

The Chrome Extension will now be able to inject HdxVideo.js, and redirection happens. The user will end up being redirected to an Office 365 Authentication website that is linked to Teams, but this time the website will be running locally on the endpoint’s overlay browser that is part of Workspace app (HdxBrowserCef.exe)

After a successful authentication, the browser is pointed back to https://teams.microsoft.com

This URL (https://teams.microsoft.com/*) should now be whitelisted also in the ‘Authentication Sites’ policy in Studio.

Note: This might be somewhat counterintuitive, as the authentication site is login.microsoftonline.com, not teams.microsoft.com. The problem in Teams, however, is that the Chrome Extension is not loaded fast enough by the browser, and therefore injection fails on teams.microsoft.com.

Browser Content Redirection treats websites whitelisted under the Authentication sites policy as child websites that must remain redirected if the parent website was in the ACL whitelist policy. In the Teams case then, teams.microsoft.com is the child website of the parent login.microsoft
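A simplified model of the two policies walked over the Teams redirect chain described in this article, as an added example that is not Citrix code. It assumes `*` matches any run of characters, that an entry is compared against the whole URL, and that an empty path is treated as `/`; the query values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Entries from the article.
ACL_POLICY = ["https://login.microsoftonline.com/*teams*"]
AUTH_SITES_POLICY = ["https://teams.microsoft.com/*"]

_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"

# Redirect chain described above (placeholder query values are constructed).
TEAMS_CHAIN = [
    "http://teams.microsoft.com",
    "https://teams.microsoft.com",
    "https://teams.microsoft.com/auth/prelogin",
    _AUTHORIZE + "?response_type=id_token&client_id=PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&state=PLACEHOLDER",
    "https://teams.microsoft.com",
]

# Constructed sign-in URL for a different, hypothetical application.
OTHER_APP_LOGIN = (
    _AUTHORIZE + "?response_type=id_token&client_id=PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fother.example%2Fcallback"
)


def normalize(url):
    """Lower-case scheme and host, and treat an empty path as '/' (assumption)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def wildcard_match(pattern, url):
    """Whole-URL match where '*' stands for any run of characters (assumed semantics)."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, normalize(url), flags=re.IGNORECASE) is not None


def walk(chain, acl=ACL_POLICY, auth_sites=AUTH_SITES_POLICY):
    """Return (url, decision) per hop.

    A hop is redirected if it matches the ACL policy, or if it matches the
    authentication sites policy and its parent hop was itself redirected.
    """
    results, parent_redirected = [], False
    for url in chain:
        if any(wildcard_match(p, url) for p in acl):
            decision = "redirected (ACL policy)"
        elif parent_redirected and any(wildcard_match(p, url) for p in auth_sites):
            decision = "redirected (authentication sites policy)"
        else:
            decision = "not redirected"
        parent_redirected = decision.startswith("redirected")
        results.append((url, decision))
    return results


if __name__ == "__main__":
    for url, decision in walk(TEAMS_CHAIN):
        print(f"{decision:42} {url[:70]}")
    # The narrower ACL entry leaves other applications' sign-in pages alone,
    # while the broad entry would cover them as well.
    print(wildcard_match(ACL_POLICY[0], OTHER_APP_LOGIN))
    print(wildcard_match("https://login.microsoftonline.com/*", OTHER_APP_LOGIN))
    # '*teams*' is a substring test on the whole URL, not on redirect_uri only.
    print(wildcard_match(ACL_POLICY[0], OTHER_APP_LOGIN + "&state=teams"))
```

In this model the same URL, https://teams.microsoft.com, is not redirected on the way in but is redirected on the way back, because only the second visit has a redirected parent.
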


ShareFile Connector SSO to Network Shares and SharePoint using Kerberos (KCD)

Summary of items

  1. Configure SharePoint for KCD
  2. Create an additional “Internal Content Switch” on the NetScaler
  3. Configure SplitDNS to resolve to the new Internal Content Switch
  4. StorageZone Controller IIS changes
  5. AD Delegation
  6. Web Browsers configs

1. Configure SharePoint for KCD

SharePoint config steps:

  1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.
  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
  3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
  4. In the IIS Authentication Settings section, select Negotiate (Kerberos).

    NOTE: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
  5. Click Save.

Set the SPN to the service account for SharePoint config steps:

NOTE: This is a standard SharePoint requirement (it references the service account used during the installation of SharePoint itself). The service account used below is usually the one that SharePoint has been initially installed with.

  1. From any server, open CMD (elevate with account with the appropriate SharePoint rights)
  2. Type the following:

    SetSPN -S HTTP/SharePoint domain\serviceaccountname

    SetSPN -S HTTP/SharePoint.citrix.lab domain\serviceaccountname

2. Create an additional “Internal Content Switch” on the NetScaler

Before creating this, you should have run the wizard to create an External Content Switch, because External and Internal traffic need to be split. The main reason is to have AAA configured for Connectors externally but not enabled on the Connectors for internal use, especially if you would like to enable Web Access to Connectors and have seamless SSO in all web browsers.

NOTE: AAA requires a NetScaler Enterprise license to use.

External Content Switch (usually created by the inbuilt ShareFile wizard on the NS).

NOTE: If Web Access to Connectors is required, then additional configuration is needed in addition to the wizard. Please see this article in section “Configure NetScaler for restricted zones or web access to Connectors”.

The External config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 3 x LBVIP’s
    • ShareFile Data LBVIP.
    • Connectors LBVIP with AAA enabled.
    • OPTIONS LBVIP.

Internal Content Switch (in this scenario, created manually)

The internal config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 2 x LBVIP’s
    • ShareFile Data LBVIP.
    • Connectors LBVIP (No AAA enabled).
    • No OPTIONS LBVIP required (even if SSO to “Web Access to Connectors” is needed).

Create the Internal Content Switch config steps:

Create the Virtual Servers (one for ShareFile Data and another for Connectors)

  1. Log onto the NetScaler and browse to:

    +Traffic Management

    +Load Balancing

    Virtual Servers
  2. Click Add to create the ShareFile Data LBVIP:

    Name: _SF_SZ_LB_INT

    Protocol: SSL or HTTP

    IP Address Type: Non Addressable
  3. Click OK.
  4. Click on the “No Load Balancing Virtual Server Binding”
  5. On the Select Server option click the arrow next to Click to select field
  6. Select the appropriate StorageZone Controller node(s) and click Bind
  7. Select the Certificate and click Bind, click Continue
  8. Click on the +Method option, change the Load Balancing Method to Token
  9. Add the expression REQ.URL.QUERY.VALUE("uploadid"), click OK
  10. Click on the +Persistence option, and change the Persistence field to SSLSESSION
  11. Click OK
  12. Click Add to create the ShareFile Connector LBVIP:

    Name: _SF_CIF_SP_LB_INT

    Protocol: SSL or HTTP

    IP Address Type: Non Addressable
  13. Click OK
  14. Click on the “No Load Balancing Virtual Server Binding”
  15. On the Select Server option click the arrow next to Click to select field
  16. Select the appropriate StorageZone Controller node(s) and click Bind
  17. Select the Certificate and click Bind, click Continue
  18. Click on the +Method option, change the Load Balancing Method to LEASTCONNECTION
  19. Click on the +Persistence option, and change the Persistence field to COOKIEINSERT
  20. Click OK

Create the HTTP Callouts

  1. Browse to :

    +AppExpert

    HTTP Callouts
  2. Click Add to create the first callout:

    Name: _SF_CALLOUT_INT

    Server to receive callout request:

    Virtual Server and choose _SF_SZ_LB_INT

    Request to send to the server:

    Request Type: Attribute-Based

    Method: GET

    HostExpression: the internal FQDN on the SSL certificate, placed in quotes, e.g. "sz.company.com"

    URLStemExpression: "/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h=" + HTTP.REQ.URL.QUERY.VALUE("h")

    Parameter:

    Scheme: HTTP

    ServerResponse

    ReturnType: BOOL

    Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
  3. Click Create:

    Name: _SF_CALLOUT_INT_Y

    Server to receive callout request:

    Virtual Server and choose _SF_SZ_LB_INT

    Request to send to the server:

    Request Type: Attribute-Based

    Method: GET

    HostExpression: the internal FQDN on the SSL certificate, placed in quotes, e.g. "sz.company.com"

    URLStemExpression: "/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="

    Parameter:

    Scheme: HTTP

    ServerResponse

    ReturnType: BOOL

    Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
  4. Click Create.
  5. Click Add to create the second callout (note: this is the same as the other except for the Name and URL Stem Expression)
  6. Click Add to create the first callout:

    Name: _SF_CALLOUT_INT_Y

    Server to receive callout request:

    Virtual Server and choose _SF_SZ_LB_INT

    Request to send to the server:

    Request Type: Attribute-Based

    Method: GET

    Host Expression: the internal FQDN on the SSL certificate, placed in quotes, e.g. "sz.company.com"

    URL Stem Expression: "/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="

    Parameter:

    Scheme: HTTP

    Server Response


    Return Type: BOOL

    Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
  7. Click Create.

Create the Responder policy

  1. Browse to :

    +AppExpert

    +Responder

    Policies
  2. Click Add to create the responder:

    Name: _SF_RESPONDERPOL_INT

    Action: DROP

    Expression: HTTP.REQ.URL.CONTAINS("&h=") && HTTP.REQ.URL.CONTAINS("/crossdomain.xml").NOT && HTTP.REQ.URL.CONTAINS("/validate.ashx?requri").NOT && SYS.HTTP_CALLOUT(_SF_CALLOUT_INT) || HTTP.REQ.URL.CONTAINS("&h=").NOT && HTTP.REQ.URL.CONTAINS("/crossdomain.xml").NOT && HTTP.REQ.URL.CONTAINS("/validate.ashx?requri").NOT && SYS.HTTP_CALLOUT(_SF_CALLOUT_INT_Y)
  3. Click Create.

Bind the Responder policy

+Traffic Management

+Load Balancing

Virtual Servers

  1. Open _SF_SZ_LB_INT
  2. Click on the +Policies option
  3. Click Add Binding, Select the policy _SF_RESPONDERPOL_INT
  4. Click Bind, then Close.
  5. Click Done to complete.

Create the Content Switch policies

+Traffic Management

+Content Switching

Policies

  1. Click Add.

    Name: _SF_SZ_CSPOL_INT

    Expression: HTTP.REQ.HOSTNAME.CONTAINS("sz.company.com") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT

    NOTE: Don’t forget to change to the correct external FQDN.
  2. Click Create and then Add.

    Name: _SF_CIF_SP_CSPOL_INT

    Expression: HTTP.REQ.HOSTNAME.CONTAINS("sz.company.com") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))

    NOTE: Don’t forget to change to the correct external FQDN.
  3. Click Create.

Create the Content Switch vServer

+Traffic Management

+Content Switching

Virtual Server

  1. Click Add to create the Content Switch vServer:

    Name: _SF_CS_ShareFile_INT

    Protocol: SSL

    IP Address: Internal IP of DNS name

    Port: 443
  2. Click OK
  3. Under Content Switching Policy Binding click on the No Content Switching Bound option:

    Select Policy: _SF_SZ_CSPOL_INT

    Target Load Balancing Virtual Server: _SF_SZ_LB_INT

    Click Bind

    Select Policy: _SF_CIF_SP_CSPOL_INT

    Target Load Balancing Virtual Server: _SF_CIF_SP_LB_INT

    Click Bind
  4. Click OK
  5. Click on the +Certificates option, add a certificate by clicking the No Server Certificate option
  6. Select the Certificate and click Bind, click Continue.
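The Content Switch and Responder policies configured above, modelled as an added Python example (not Citrix code) so the routing and drop decisions can be checked against sample requests. It assumes URL CONTAINS is case-sensitive, the hostname compare is case-insensitive, && short-circuits before a callout is sent, and the responder is bound only to _SF_SZ_LB_INT; the sample URLs and status codes are constructed.

```python
# Added example: decision model of the policies configured above.
# Assumptions: URL CONTAINS is case-sensitive, the hostname compare is
# case-insensitive, && short-circuits before a callout is sent, and the
# responder policy is bound only to _SF_SZ_LB_INT.

SZ_FQDN = "sz.company.com"  # placeholder FQDN used on the page


def cs_target(host, url):
    """Content Switch policies: target LB vServer, or None when neither matches."""
    if SZ_FQDN not in host.lower():
        return None
    if "/cifs/" in url or "/sp/" in url:
        return "_SF_CIF_SP_LB_INT"   # _SF_CIF_SP_CSPOL_INT
    return "_SF_SZ_LB_INT"           # _SF_SZ_CSPOL_INT


def responder(url, validate_status):
    """_SF_RESPONDERPOL_INT: returns (callout sent or None, dropped?).

    validate_status(callout_name) stands in for the HTTP status that
    validate.ashx returns to that callout.
    """
    if "/crossdomain.xml" in url or "/validate.ashx?requri" in url:
        return None, False           # both branches are false, no callout sent
    callout = "_SF_CALLOUT_INT" if "&h=" in url else "_SF_CALLOUT_INT_Y"
    # Callout result expression: HTTP.RES.STATUS.EQ(200).NOT
    return callout, validate_status(callout) != 200


def decide(host, url, validate_status):
    """Full path of one request through the Content Switch and the responder."""
    target = cs_target(host, url)
    if target is None:
        return {"target": None, "callout": None, "action": "NO_MATCH"}
    if target != "_SF_SZ_LB_INT":
        return {"target": target, "callout": None, "action": "FORWARD"}
    callout, dropped = responder(url, validate_status)
    return {"target": target, "callout": callout,
            "action": "DROP" if dropped else "FORWARD"}


# Constructed sample requests: (host, URL, status returned by validate.ashx).
SAMPLES = [
    ("sz.company.com", "/upload.aspx?id=1&h=abc", 200),
    ("sz.company.com", "/upload.aspx?id=1&h=abc", 403),
    ("sz.company.com", "/download.aspx?id=1", 200),
    ("sz.company.com", "/crossdomain.xml", 500),
    ("sz.company.com", "/cifs/share/report.docx", 500),
    ("other.company.com", "/upload.aspx?id=1&h=abc", 200),
]

if __name__ == "__main__":
    for host, url, status in SAMPLES:
        print(host, url, status, decide(host, url, lambda _name: status))
```

A request routed to _SF_CIF_SP_LB_INT never reaches the validation callout in this model, so its access control rests on the authentication configured for the CIFS and SP virtual directories.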

3. Configure SplitDNS to resolve to the new Internal Content Switch

This is important as you need to direct traffic internally to the NetScaler for internal clients. Create a Host A entry for the StorageZone FQDN to point to the IP of the Internal Content Switch created in section 2.

  1. Log into the Domain Controller and open dsa.msc.
  2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (sz.company.com)
  3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
  4. Enter the IP, this should be the one of the Internal Content Switch created in section 2.
  5. To test, open CMD from another desktop/server, run ipconfig /flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

4. StorageZone Controller IIS changes

Config steps:

  1. Log onto the StorageZone Controller(s) and open IIS.
  2. Click on the Default web site then to the SP virtual directory.
  3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
  4. Right-click on the WindowsAuthentication option and select Providers
  5. Highlight Negotiate and Move Up to the top of the list. Click
  6. Ensure Basic Authentication is set to Disabled.
  7. Click on the CIFS virtual directory, then on Authentication.
  8. Ensure Anonymous and Windows Authentication are Enabled.
  9. Right-click on the WindowsAuthentication option and select Providers.
  10. Highlight Negotiate and Move Up to the top of the list. Click
  11. Ensure Basic Authentication is Disabled.

    NOTE: If using port 80 on your StorageZone Controller for Load Balancing communication, see section 5 of this article.
  12. Then right-click the Default Web Site and select Edit Bindings.
  13. Add a new binding on port 80, assign the IP address and insert a host header (which is the fqdn of storagezone).

    NOTE: Editing the existing binding on port 80 will upset the NTLM Path configured within the NetScaler IdP article on page 14.
  14. On the StorageZone Controller, run CMD, then type:

    setspn -a http/sz.company.com SZCServer1

    The general form is:

    setspn -a http/"fqdn of storagezone" "hostname of storagezone controller"

    where "fqdn of storagezone" = sz.company.com

    and "hostname of storagezone controller" = SZCServer1

5. AD DELEGATION

Changes need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added. Config steps shown in this procedure.

NOTE:

  • Ensure that any file servers hosting Network Shares are added to the delegation as CIFS.
  • Ensure any SharePoint servers that need to be accessed are also entered as HTTP.

6. Browsers

Config steps:

Internet Explorer

  1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:

    ShareFile site – subdomain.sharefile.com

    FQDN StorageZone – sz.company.com

    FQDN of AAAVIP – aaavip.company.com

    Note: If this is locked down, configure via GPO which will be actioned on the User Configuration.
  2. Open GPMC and select the GPO controlling the behavior of IE.
  3. Browse to Computer Configuration/Administrative Templates/System/Group Policy, enable the policy Configure user group policy loopback processing mode and select Replace.
  4. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:

    NOTE: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

    1 – Intranet zone – sites on your local network.

    2 – Trusted Sites zone – sites that have been added to your trusted sites.

    3 – Internet zone – sites that are on the Internet.

    4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.

  5. For external IE browsers, extra configuration is required as follows:

    Click on the Internet/Custom Level and ensure that:

    Miscellaneous/Access data sources across domains is Enabled.

    User Authentication/Log on/Prompt for Username and Password is selected.
  6. Click OK twice.

Firefox

  1. Launch Firefox. In the Address Bar, instead of typing a URL, enter:

    about:config
  2. This will open the configuration interface. You may need to agree to a security warning in order to proceed.
  3. Double-click the line labeled automatic-ntlm-auth.trusted-uris and enter the following:

    ShareFile site – subdomain.sharefile.com

    FQDN StorageZone – sz.company.com

    FQDN of AAAVIP – aaavip.company.com

    NOTE: Separate individual URLs with commas, but do not put spaces between them, for example:

    subdomain.sharefile.com,sz.company.com
  4. Click OK when you’re finished.
  5. Double-click the line labeled negotiate-auth.trusted-uris. Enter the same information you entered in the previous step, with the URLs separated by commas and with no spaces. Click OK.

Chrome

This should work. CORS should be enabled by default on Chrome but you can add the plugin into Chrome here.

Opera

This should work.


Browser Out of Date Error When Logging Into the ShareFile Plugin for Microsoft Outlook


LIMITED RELEASE – Hotfix BrokerSvcWX64_7_15_2001 – For Citrix Broker Service 7.15 LTSR CU2 – English

Hotfix package name: BrokerSvcWX64_7_15_2001.zip

For: XenApp and XenDesktop 7.15 Long Term Service Release (LTSR) Cumulative Update 2 (CU2) for Citrix Broker Service (7.15.2000.243)

Replaces: None

Date: August, 2018

Languages supported: English (US), Japanese (JA), Simplified Chinese (SC)

Readme version: 1.00

Readme Revision History

Version | Date | Change Description
1.00 | August, 2018 | Initial release

Note: This hotfix is no longer available for download. Citrix plans to include the fix in an upcoming release.

Important Notes about This Release

  • Important: This hotfix can only be applied to a XenApp and XenDesktop 7.15 LTSR CU2 Desktop Delivery Controller.

  • Caution: The Broker Service hotfix (Broker_Service_x64.msi) included in this update also modifies the Broker DbSchema of the Site data store.* These modifications are permanent and irreversible. Should you decide, for any reason, to uninstall this update at a later time, these modifications do not revert automatically. As a result and as a matter of precaution, Citrix recommends strongly that you back up your Site data store as described below before installing this update. Doing so allows you to manually restore your Site data store to the backed up version. Even so, any changes you make to your Site data store between backing up and restoring it are lost. For information about backing up and restoring data stores, see Knowledge Center article CTX135207.

    For an automatic database upgrade, the Studio user needs permissions to update the SQL Server database schema (for example, the db_securityadmin or db_owner database role). If the Studio user does not have those permissions, initiating a manual database upgrade will generate scripts. The Studio user runs some of the scripts from Studio; the database administrator runs other scripts using a tool such as SQL Server Management Studio. If the SQL scripts are run manually, they should be run using either the SQLCMD utility or SQL Management Studio in SQLCMD mode. Inaccurate errors can result otherwise.

  • After the upgrade to this release, a prompt might appear for the License Server compatibility check in Desktop Studio that makes sure that your License server is the required version. If you are using the License server released with XenDesktop 7.15 or from a more recent version, you do not need to upgrade the License server. Click Continue to proceed with the DBschema upgrade.

Important Disclaimer – Limited Release Hotfix

If the Download link is not available on this page and you wish to obtain this limited distribution release, visit our support site at http://www.citrix.com/support and open a support case using your Citrix account credentials, or contact your reseller at http://www.citrix.com/partners/locator.

Testing of this release was targeted only at the affected functionality, and regression and stress testing were minimal. Introduce this release to a test environment for evaluation before deploying it to a production environment.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CITRIX AND ITS SUPPLIERS MAKE AND YOU RECEIVE NO WARRANTIES OR CONDITIONS, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND CITRIX AND ITS SUPPLIERS SPECIFICALLY DISCLAIM WITH RESPECT TO THE HOTFIX ANY CONDITIONS OF QUALITY, AVAILABILITY, RELIABILITY, SECURITY, LACK OF VIRUSES, BUGS OR ERRORS, OR SUPPORT AND ANY IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER CITRIX, NOR ITS SUPPLIERS SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, MULTIPLE, PUNITIVE OR OTHER DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF DATA, LOSS OF INCOME, LOSS OF OPPORTUNITY, LOST PROFITS, COSTS OF RECOVERY OR ANY OTHER DAMAGES), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, AND WHETHER OR NOT FOR BREACH OF CONTRACT, NEGLIGENCE OR OTHERWISE, AND WHETHER OR NOT CITRIX, ITS SUPPLIERS, OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Where to Find Documentation

  • This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, including supported operating systems and system requirements, see XenApp and XenDesktop 7.15 Long Term Service Release (LTSR) CU2 on the Citrix Product Documentation site.
  • For information about XenApp and XenDesktop upgrade best practices, see Upgrade a deployment on the Citrix Product Documentation site.
  • For information about installing 7.x Controller update, see Knowledge Center article CTX201988.

New Fixes in This Release

  1. You import changes from the principal broker to the Local Host Cache (LHC) database and remove a user or machine from the Active Directory without removing it from Citrix Studio. As a result, errors might occur and the LHC isn’t updated.

    [From BrokerSvcWX64_7_15_2001][#LC9054]

Fixes from Replaced Hotfixes

No hotfixes were replaced by this release.

Component Versions

Component: Citrix Broker Service

Hotfix Name: BrokerSvcWX64_7_15_2001

Version: 7.15.2001.1

MSI Name: Broker_Service_x64.msi

Installing and Uninstalling this Release

Notes:

  • Important Notes: This release is packaged as a .zip file containing the replacement .msi files for the Broker components of XenApp and XenDesktop 7.15 LTSR CU2 Controller. For more information about deploying msi files, see Microsoft article 884016 or visit the Microsoft Web Site and search on keyword msiexec.

  • Caution: The Broker Service hotfix (Broker_Service_x64.msi) included in this update also modifies the Broker DbSchema of the Site data store.* These modifications are permanent and irreversible. Should you decide, for any reason, to uninstall this update at a later time, these modifications do not revert automatically. As a result and as a matter of precaution, Citrix recommends strongly that you back up your Site data store as described below before installing this update. Doing so allows you to manually restore your Site data store to the backed up version. Even so, any changes you make to your Site data store between backing up and restoring it are lost. For information about backing up and restoring data stores, see Knowledge Center article CTX135207.

    For an automatic database upgrade, the Studio user needs permissions to update the SQL Server database schema (for example, the db_securityadmin or db_owner database role). If the Studio user does not have those permissions, initiating a manual database upgrade will generate scripts. The Studio user runs some of the scripts from Studio; the database administrator runs other scripts using a tool such as SQL Server Management Studio. If the SQL scripts are run manually, they should be run using either the SQLCMD utility or SQL Management Studio in SQLCMD mode. Inaccurate errors can result otherwise.

  • Caution: Downgrades, also known as rollbacks, from individual component updates in this release are not supported and might leave your systems in an unstable state. The component updates in this release do not patch the existing installations of the components – each fully replaces the original component with a new installation. As a result, uninstalling a component update removes the entire component from the Controller. If the need arises to revert to an earlier version of the product, you must uninstall each component update of this release and then reinstall the earlier versions of each component. Reverting to an earlier version of a component might result in the loss of settings you configure while this upgrade is installed.

  • To install the component updates in the release successfully, servers must not have registry modification restrictions in place.

  • For information about installing XenDesktop/XenApp 7.x Controller updates, see Knowledge Center article CTX201988.

To install the component updates in this release:

  1. Copy the compressed hotfix package to a shared folder on the network.
  2. Extract the compressed hotfix package and save the component msi file(s) on the Delivery Controller you want to update.
  3. Run the .msi file(s).
  4. Restart the Delivery Controller even if not prompted to do so.
  5. To upgrade to the latest DbSchema installed by this release, go to the Desktop Studio Dashboard and click Upgrade.

To uninstall this hotfix and revert to an earlier level of the component and the data store:

  1. Uninstall the component from ARP/Programs and Features.
  2. Restore the data store as described in Knowledge Center article CTX135207.
  3. Install the desired level of the component (base or other hotfix).
  4. Restart the Controller even if not prompted to do so.


NetScaler with AppFirewall Enabled Resets Client Request with RST Code 9856 When Cookie Name Contains “c”


Office 365 installation with ODT or other App installer(i.e. python) fails to create files
