How to Configure XenDesktop to Use Custom SQL Port

Background

Delivery Controller is a collection of services, each of which has its own SQL connection string. To change the SQL connection strings, you use PowerShell to change each service. Some points to keep in mind:

  • Most of the Delivery Controller services connect to the same database (Site database), so you can set the same connection string for almost all of them
  • Monitoring has two connection strings: one for the Site database, and another for the separate Monitoring database
  • Logging has two connection strings: one for the Site database, and another for the separate Logging database

Getting Started

  • Before changing the database port, follow CTX139447, How to Disable or Enable Configuration Logging Service in XenDesktop 7 using PowerShell: https://support.citrix.com/article/CTX139447/how-to-disable-or-enable-configuration-logging-service-in-xendesktop-7-using-powershell
  • Make the required port changes on SQL server and then make a note of the port number configured on SQL server
  • Back up the Citrix Site, Monitoring and Logging databases
  • Take a snapshot of the Delivery Controller virtual machine(s)
  • It is expected that the Citrix databases are unavailable until the procedure is complete. Therefore, connections to the Site may be temporarily unavailable. It is best to complete all the steps in the following procedure within the same change window
  • All Management Consoles should be closed. Citrix strongly recommends that no administrative changes be attempted until the Databases are back online and verified

Retrieve the existing Database connections

Run the following commands to see the existing database connection strings

## Load the Citrix snap-ins

asnp Citrix.*

## Get the current Delivery Controller database connections

Get-ConfigDBConnection

Get-AcctDBConnection

Get-AnalyticsDBConnection # 7.6 and newer

Get-AppLibDBConnection # 7.8 and newer

Get-OrchDBConnection # 7.11 and newer

Get-TrustDBConnection # 7.11 and newer

Get-HypDBConnection

Get-ProvDBConnection

Get-BrokerDBConnection

Get-EnvTestDBConnection

Get-SfDBConnection

Get-MonitorDBConnection

Get-MonitorDBConnection -DataStore Monitor

Get-LogDBConnection

Get-LogDBConnection -DataStore Logging

Get-AdminDBConnection

Test the new Database connection strings

1. Run the following commands to verify connectivity to the database

Adjust the variables to match your desired connection string. For example, to add a custom port to the connection strings, set the $ServerName variable to "DBServernameInstance,CustomPortNumber".

asnp citrix.*

$ServerName = "<DBServernameInstance,CustomPortNumber>"

$SiteDBName = "<SiteDbName>"

$LogDBName = "<LoggingDbName>"

$MonitorDBName = "<MonitorDbName>"

$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True"

$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True"

$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True"

Test-AcctDBConnection -DBConnection $csSite

Test-AdminDBConnection -DBConnection $csSite

Test-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer

Test-AppLibDBConnection -DBConnection $csSite # 7.8 and newer

Test-BrokerDBConnection -DBConnection $csSite

Test-ConfigDBConnection -DBConnection $csSite

Test-EnvTestDBConnection -DBConnection $csSite

Test-HypDBConnection -DBConnection $csSite

Test-LogDBConnection -DBConnection $csSite

Test-LogDBConnection -DataStore Logging -DBConnection $csLogging

Test-MonitorDBConnection -DBConnection $csSite

Test-MonitorDBConnection -Datastore Monitor -DBConnection $csMonitoring

Test-OrchDBConnection -DBConnection $csSite # 7.11 and newer

Test-ProvDBConnection -DBConnection $csSite

Test-SfDBConnection -DBConnection $csSite

Test-TrustDBConnection -DBConnection $csSite # 7.11 and newer
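
The same connectivity checks can be run in a loop that skips cmdlets not present in the installed version and lists every result that is not OK. This is an added example, not part of the original Citrix procedure; it assumes each Test-<service>DBConnection cmdlet returns an object with a ServiceStatus property, and the $checks, $results and $failed names are introduced here for illustration.

```powershell
# Added example: run each Test-<service>DBConnection cmdlet and report non-OK results.
asnp Citrix.*

# Same placeholders as in the procedure above
$ServerName    = "<DBServernameInstance,CustomPortNumber>"
$SiteDBName    = "<SiteDbName>"
$LogDBName     = "<LoggingDbName>"
$MonitorDBName = "<MonitorDbName>"

$csSite       = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True"
$csLogging    = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True"
$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True"

# Every service is tested against the Site database ...
$prefixes = 'Acct','Admin','Analytics','AppLib','Broker','Config','EnvTest',
            'Hyp','Log','Monitor','Orch','Prov','Sf','Trust'
$checks = @(foreach ($p in $prefixes) {
    @{ Cmdlet = "Test-${p}DBConnection"; Params = @{ DBConnection = $csSite } }
})
# ... and Logging and Monitoring are also tested against their own data stores
$checks += @{ Cmdlet = 'Test-LogDBConnection'
              Params = @{ DataStore = 'Logging'; DBConnection = $csLogging } }
$checks += @{ Cmdlet = 'Test-MonitorDBConnection'
              Params = @{ DataStore = 'Monitor'; DBConnection = $csMonitoring } }

$results = foreach ($c in $checks) {
    $name   = $c.Cmdlet
    $params = $c.Params
    if (-not (Get-Command $name -ErrorAction SilentlyContinue)) {
        continue   # cmdlet not shipped in this version (for example Orch/Trust before 7.11)
    }
    try {
        $r = & $name @params -ErrorAction Stop
        $status = [string]$r.ServiceStatus   # assumed property name, see lead-in
    } catch {
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Cmdlet    = $name
        DataStore = $params['DataStore']
        Status    = $status
    }
}

$results | Format-Table -AutoSize

# Anything other than OK means the new connection string should not be applied yet
$failed = @($results | Where-Object { $_.Status -ne 'OK' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) connection test(s) did not return OK"
    $failed | Format-Table -AutoSize
}
```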


Remove the existing Database connections

  • At the Delivery Controller, open PowerShell as Administrator and run the following commands. This process clears the existing database connections.

## Load the Citrix snap-ins

asnp Citrix.*

## Clear the current Delivery Controller database connections

## Note: AdminDBConnection must be the last command

Set-ConfigDBConnection -DBConnection $null

Set-AcctDBConnection -DBConnection $null

Set-AnalyticsDBConnection -DBConnection $null # 7.6 and newer

Set-AppLibDBConnection -DBConnection $null # 7.8 and newer

Set-OrchDBConnection -DBConnection $null # 7.11 and newer

Set-TrustDBConnection -DBConnection $null # 7.11 and newer

Set-HypDBConnection -DBConnection $null

Set-ProvDBConnection -DBConnection $null

Set-BrokerDBConnection -DBConnection $null

Set-EnvTestDBConnection -DBConnection $null

Set-SfDBConnection -DBConnection $null

Set-MonitorDBConnection -DataStore Monitor -DBConnection $null

Set-MonitorDBConnection -DBConnection $null

Set-LogDBConnection -DataStore Logging -DBConnection $null

Set-LogDBConnection -DBConnection $null

Set-AdminDBConnection -DBConnection $null -force

  • If you see errors about being unable to stop the service or unable to change the connection strings, you must restart all the Citrix services.

Get-Service Citrix* | Stop-Service -Force

Get-Service Citrix* | Start-Service


After restarting all the Citrix services, if you still see the errors, you must restart the server.

  • Rerun the original set of commands to confirm that the existing connection is properly removed.
  • These cmdlets should not return anything:

## Load the Citrix snap-ins

asnp Citrix.*

## Get the current Delivery Controller database connections

Get-ConfigDBConnection

Get-AcctDBConnection

Get-AnalyticsDBConnection # 7.6 and newer

Get-AppLibDBConnection # 7.8 and newer

Get-OrchDBConnection # 7.11 and newer

Get-TrustDBConnection # 7.11 and newer

Get-HypDBConnection

Get-ProvDBConnection

Get-BrokerDBConnection

Get-EnvTestDBConnection

Get-SfDBConnection

Get-MonitorDBConnection

Get-LogDBConnection

Get-AdminDBConnection

Specify the new Database connection strings

  • Run the following commands to set the new connection strings.
  • Adjust the variables to match your desired connection string. For example, to add a custom port to the connection strings, set the $ServerName variable to "DBServernameInstance,CustomPortNumber".
  • Repeat this for the $csLogging and $csMonitoring variables

## Replace <dbserver> with the SQL server name,custom port and instance if present

## Replace <dbname> with the name of your restored Database

## Note: AdminDBConnection should be first

$ServerName = "<DBServernameInstance,CustomPortNumber>"

$SiteDBName = "<SiteDbName>"

$LogDBName = "<LoggingDbName>"

$MonitorDBName = "<MonitorDbName>"

$csSite = "Server=$ServerName;Initial Catalog=$SiteDBName;Integrated Security=True"

$csLogging = "Server=$ServerName;Initial Catalog=$LogDBName;Integrated Security=True"

$csMonitoring = "Server=$ServerName;Initial Catalog=$MonitorDBName;Integrated Security=True"


Set-AdminDBConnection -DBConnection $csSite

Set-ConfigDBConnection -DBConnection $csSite

Set-AcctDBConnection -DBConnection $csSite

Set-AnalyticsDBConnection -DBConnection $csSite # 7.6 and newer

Set-HypDBConnection -DBConnection $csSite

Set-ProvDBConnection -DBConnection $csSite

Set-AppLibDBConnection -DBConnection $csSite # 7.8 and newer

Set-OrchDBConnection -DBConnection $csSite # 7.11 and newer

Set-TrustDBConnection -DBConnection $csSite # 7.11 and newer

Set-BrokerDBConnection -DBConnection $csSite

Set-EnvTestDBConnection -DBConnection $csSite

Set-SfDBConnection -DBConnection $csSite

Set-LogDBConnection -DBConnection $csSite

Set-LogDBConnection -DataStore Logging -DBConnection $null

Set-LogDBConnection -DBConnection $null

Set-LogDBConnection -DBConnection $csSite

Set-LogDBConnection -DataStore Logging -DBConnection $csLogging

Set-MonitorDBConnection -DBConnection $csSite

Set-MonitorDBConnection -DataStore Monitor -DBConnection $null

Set-MonitorDBConnection -DBConnection $null

Set-MonitorDBConnection -DBConnection $csSite

Set-MonitorDBConnection -DataStore Monitor -DBConnection $csMonitoring

Note: It is important to verify that all the preceding Set-<service>DBConnection commands have returned a result of OK. If the result is other than OK for any of these commands, it might be necessary to enable logging or tracing to determine the cause of the connection failure.

Note: The Set-LogDBConnection -DBConnection $null and Set-MonitorDBConnection -DBConnection $null will return DBUnconfigured instead of OK.


Citrix UPS Network printers missing in the Unified Print Dialog

In a Citrix session running on a Windows 11 22H2 Virtual Delivery Agent, the user might not see Universal Print Server (UPS) network printers in the unified print dialog that is displayed by Notepad and Wordpad.

Certain applications, such as Adobe Reader, Microsoft Word, and Microsoft Excel, that do not use the unified print dialog are not affected by this issue.


High Availability Failovers Due to Missed HA HeartBeats of NetScaler VPX on VMware ESX Hypervisor

Using newslog event to confirm that VPX has scheduling issues

Check the failover event in the /var/nslog/newnslog*.

nsconmsg -K newnslog -d event | grep -E "node|heartbeat" | more

Here is an example of what is seen for an HA failover due to missed HA heartbeats.

Primary Device:

(The Primary device is now Secondary due to the Secondary device not receiving HA heartbeats)

 2077 7537 PPE-0 self node 192.168.1.10: INIT due to REQUEST from HA peer node Tue Jul 26 10:20:25 2016
 2062 0 PPE-1 self node 192.168.1.10: INIT due to REQUEST from HA peer node Tue Jul 26 10:20:25 2016
 2064 0 PPE-2 self node 192.168.1.10: INIT due to REQUEST from HA peer node Tue Jul 26 10:20:25 2016
 2085 0 PPE-2 self node 192.168.1.10: Secondary Tue Jul 26 10:20:25 2016

Secondary Device:

(This Secondary device missed the required HA heartbeats, causing an HA failover, and it is now Primary)

 2630 7529 PPE-0 interface(0/1): No HA heartbeats (Last received: Tue Jul 26 10:20:24 2016; Missed 15 heartbeats) Tue Jul 26 10:20:27 2016
 2631 0 PPE-0 interface(1/1): No HA heartbeats (Last received: Tue Jul 26 10:20:24 2016; Missed 15 heartbeats) Tue Jul 26 10:20:27 2016
 2632 0 PPE-0 interface(1/2): No HA heartbeats (Last received: Tue Jul 26 10:20:24 2016; Missed 15 heartbeats) Tue Jul 26 10:20:27 2016
 2633 0 PPE-0 interface(1/3): No HA heartbeats (Last received: Tue Jul 26 10:20:24 2016; Missed 15 heartbeats) Tue Jul 26 10:20:27 2016
 2634 0 PPE-0 remote node 192.168.1.10: DOWN Tue Jul 26 10:20:27 2016
 2635 0 PPE-0 self node 192.168.1.20: Claiming Tue Jul 26 10:20:27 2016
 2636 0 PPE-0 self node 192.168.1.20: Primary Tue Jul 26 10:20:27 2016

Examining the netio_tot_called counter to confirm that VPX has scheduling issues

In the following logs, counter logging stops for a few seconds on both VPXs during the HA failover, which means that the VPX virtual machine was scheduled out.

netio_tot_called – This is the number of times the function netio is called. This function is called every time NetScaler needs to start packet processing; ideally the gap should be seven (7) seconds.

Collector bundle for 192.168.1.10 – /var/nslog/

nsconmsg -g netio_tot_called -d current -K newnslog -s time=26Jul2016:10:20 -s disptime=1 |more

 Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
 0 3585223 287355050 56748 8105 netio_tot_called Tue Jul 26 10:20:08 2016
 1 7002 287381927 26877 3838 netio_tot_called Tue Jul 26 10:20:15 2016
 2 7002 287408841 26914 3843 netio_tot_called Tue Jul 26 10:20:22 2016
 3 7002 287554531 85636 12230 netio_tot_called Tue Jul 26 10:20:34 2016 <-- Here we have a 12 second gap; ideally it should have been just 7 seconds
 4 7002 287593240 38709 5528 netio_tot_called Tue Jul 26 10:20:41 2016
 5 7003 287621530 28290 4039 netio_tot_called Tue Jul 26 10:20:48 2016
 6 7003 287648373 26843 3833 netio_tot_called Tue Jul 26 10:20:55 2016
 7 7001 287676102 27729 3960 netio_tot_called Tue Jul 26 10:21:02 2016
 8 7004 287703248 27146 3875 netio_tot_called Tue Jul 26 10:21:09 2016
 9 7004 287730415 27167 3878 netio_tot_called Tue Jul 26 10:21:16 2016

Collector bundle for 192.168.1.20 – /var/nslog/

nsconmsg -g netio_tot_called -d current -K newnslog -s time=26Jul2016:10:20 -s disptime=1 |more

 Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
 0 343090 246967167 26729 3817 netio_tot_called Tue Jul 26 10:20:07 2016
 1 7001 246994115 26948 3849 netio_tot_called Tue Jul 26 10:20:14 2016
 2 7003 247019658 25543 3647 netio_tot_called Tue Jul 26 10:20:21 2016
 3 12698 247055240 35582 2802 netio_tot_called Tue Jul 26 10:20:33 2016 <-- Here is the 12 seconds gap
 4 7012 247125542 70302 10025 netio_tot_called Tue Jul 26 10:20:40 2016
 5 7001 247200102 25784 3682 netio_tot_called Tue Jul 26 10:20:55 2016

Examining the sys_cur_duration_since_start counter to confirm that VPX has scheduling issues

You can also verify this issue using the sys_cur_duration_since_start counter, which should also be updated every second and thus have a delta of seven (7) seconds in the ideal case. Gaps in this uptime reporting counter clearly indicate an issue with lost CPU time.

 9 7001 163.21:23:31 7 0 sys_cur_duration_sincestart Mon Aug 14 13:32:12 2017
 10 12201 163.21:23:43 12 0 sys_cur_duration_sincestart Mon Aug 14 13:32:25 2017 <-- Delta value more than 7
 11 7002 163.21:23:50 7 0 sys_cur_duration_sincestart Mon Aug 14 13:32:32 2017
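
The gap check described above can be automated over saved nsconmsg output. This is an added example, not part of the original article: the Find-CounterGap function, its parameters and the 2-second tolerance are assumptions introduced here, and the sample rows are copied from the 192.168.1.10 output above. It compares the timestamp column between consecutive rows of the same counter, because the rtime column does not always show the gap.

```powershell
# Added example: flag counter rows whose timestamp is more than the expected
# 7-second interval (plus a tolerance) after the previous row of the same counter.
function Find-CounterGap {
    param(
        [string[]]$Line,
        [double]$ExpectedSeconds  = 7,   # interval the article describes as ideal
        [double]$ToleranceSeconds = 2    # assumption: allowed jitter before flagging
    )
    # index, rtime, ..., counter name, day name, "MMM d HH:mm:ss yyyy"
    $rx = '^\s*(\d+)\s+(\d+)\s+.+?\s(\S+)\s+[A-Za-z]{3}\s+' +
          '([A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})'
    $previous = @{}
    foreach ($l in $Line) {
        if ($l -match $rx) {            # header and blank lines do not match
            $index = [int]$Matches[1]
            $rtime = [int]$Matches[2]
            $name  = $Matches[3]
            $stamp = $Matches[4] -replace '\s+', ' '
            $time  = [datetime]::ParseExact($stamp, 'MMM d HH:mm:ss yyyy',
                         [cultureinfo]::InvariantCulture)
            if ($previous.ContainsKey($name)) {
                $gap = ($time - $previous[$name]).TotalSeconds
                if ($gap -gt ($ExpectedSeconds + $ToleranceSeconds)) {
                    [pscustomobject]@{
                        Counter    = $name
                        Index      = $index
                        RtimeMs    = $rtime
                        Time       = $time
                        GapSeconds = $gap
                    }
                }
            }
            $previous[$name] = $time
        }
    }
}

# Sample rows taken from the 192.168.1.10 output shown above
$sample = @'
 Index rtime totalcount-val delta rate/sec symbol-name&device-no&time
 1 7002 287381927 26877 3838 netio_tot_called Tue Jul 26 10:20:15 2016
 2 7002 287408841 26914 3843 netio_tot_called Tue Jul 26 10:20:22 2016
 3 7002 287554531 85636 12230 netio_tot_called Tue Jul 26 10:20:34 2016
 4 7002 287593240 38709 5528 netio_tot_called Tue Jul 26 10:20:41 2016
 5 7003 287621530 28290 4039 netio_tot_called Tue Jul 26 10:20:48 2016
'@ -split "`r?`n"

Find-CounterGap -Line $sample | Format-Table -AutoSize
```

For real data, redirect the nsconmsg output to a text file and pass the result of Get-Content to -Line.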

Citrix Documentation: Managing High Availability Heartbeat Messages on a NetScaler Appliance


ADM Click Jack Vulnerability: X-Frame-Option/ Content-Security-Policy’s frame ancestor entry missing

Earlier builds used the X-Frame-Options header to prevent this vulnerability. However, it was dropped because of some design changes in the ADM builds. To fix this issue, a new option has been added from build 12.1-49.23, where you can specify the allowed hosts:

  • To defend against ClickJacking attacks, configure a list of allowed hosts. The content security policy (CSP) frame-ancestors and X-Frame-Options are not included in the whitelist. Add them explicitly to the whitelist.

[# 706431, 705731]

Reference Link : https://docs.citrix.com/en-us/citrix-application-delivery-management-software/12-1/downloads/NetScaler-MAS-12-1-49-23.html

If you choose not to use this option, by default the CSP frame-ancestors directive and the X-Frame-Options header are not used. However, you can go to "System > System Administration > Configure Allowed URLs List" to add hosts to the frame-ancestors whitelist. For example, check below:

Configuration :

For 13.0 and 13.1, you can go to "System > Administration > System Administration > System Configurations > Configure Allowed URLs List" to add hosts to the frame-ancestors whitelist. For example, check below:


Result :

To understand which hosts to configure here, contact your security advisor, or read about the security features of this header at the following link:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
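
After configuring the allowed URLs list, the response headers can be checked to confirm that framing is actually restricted. This is an added example, not Citrix code: the Test-FrameProtection function, its parameters and the sample header sets are constructed for illustration, and the host names are placeholders.

```powershell
# Added example: evaluate a set of response headers for clickjacking protection.
function Test-FrameProtection {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary]$Headers,
        [string[]]$AllowedAncestor = @()   # hosts you expect in frame-ancestors
    )
    # Header names are case-insensitive; normalise them and flatten multi-value headers
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k.ToLower()] = (@($Headers[$k]) -join ', ') }

    # Locate the frame-ancestors directive inside the CSP header, if any
    $hasDirective = $false
    $ancestors = @()
    foreach ($directive in ([string]$h['content-security-policy'] -split ';')) {
        $tokens = @($directive.Trim() -split '\s+' | Where-Object { $_ })
        if ($tokens.Count -gt 0 -and $tokens[0] -ieq 'frame-ancestors') {
            $hasDirective = $true
            $ancestors = @($tokens | Select-Object -Skip 1)
            break
        }
    }
    $xfo = [string]$h['x-frame-options']

    # Sources that are neither CSP keywords nor on the expected list (includes '*')
    $unexpected = @($ancestors | Where-Object {
        $_ -notin @("'self'", "'none'") -and $_ -notin $AllowedAncestor
    })

    [pscustomobject]@{
        HasFrameAncestors  = $hasDirective
        FrameAncestors     = $ancestors -join ' '
        XFrameOptions      = $xfo
        Protected          = ($hasDirective -or $xfo -ne '')
        UnexpectedAncestor = $unexpected -join ' '
    }
}

# Constructed sample headers: default state (neither header sent) and a state
# after an allowed host has been configured. Not captured from a real ADM.
$default    = @{ 'Content-Type' = 'text/html' }
$configured = @{
    'Content-Type'            = 'text/html'
    'Content-Security-Policy' = "frame-ancestors 'self' https://portal.example.com"
}

Test-FrameProtection -Headers $default
Test-FrameProtection -Headers $configured -AllowedAncestor 'https://portal.example.com'

# Against a live system (placeholder host name):
# $resp = Invoke-WebRequest -Uri 'https://<adm-host>/' -UseBasicParsing
# Test-FrameProtection -Headers $resp.Headers -AllowedAncestor 'https://<expected-host>'
```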
