Sunday, July 31, 2016

Configuring Duo Integration With NetScaler

The purpose of this blog post is to explain the two modes of Duo integration with the NetScaler, to point out the pros and cons of each method, and to explain the different configurations needed for NetScaler and StoreFront when using each mode. I will not go into the configuration of the Duo proxy itself, as that is covered quite well (except where noted – see below) in the online Duo documentation (links below).

Having said that, there is one extremely important Duo configuration issue that I must mention. Do NOT use Notepad when editing the authproxy.cfg file! Use either Notepad++ or Wordpad. The impetus for this document was a good portion of a day wasted bouncing back and forth between Citrix Tech Support and Duo Tech Support, when the only thing wrong was that Notepad had inserted extra line breaks (one right in the middle of the RADIUS secret key!) in the config file.

Mode 1 – ad_client
In this mode, Duo performs ALL authentication. It communicates with Active Directory to validate the AD password, and, once validated, sends the user the push, call, or SMS. Duo configuration for this mode is explained here:

In this configuration, the NetScaler needs only 2 RADIUS profiles and policies – one for Web access, and the other for Receiver access. Both are defined as PRIMARY - there are no secondary profiles/policies. The above link explains the profiles and policies in detail. Take note that the port for the Receiver authentication server should be different (e.g. 18120) than the standard RADIUS port (1812) used for the Web authentication server, and must match the port defined in the Duo config file.
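
As an added example (not from the Duo documentation or from this post's original text), the following Python script lints the text of an authproxy.cfg for the two pitfalls described above: a value broken across lines by an editor, and two RADIUS listeners sharing one port. The sample configuration is constructed with placeholder values; the section names and the 1812 default applied when port= is absent are assumptions about the proxy's file format.

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KEYVAL_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

def lint_authproxy(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings, ports = [], {}
    section = last_key = None
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            section, last_key = m.group(1), None
            if section.startswith("radius_server"):
                ports[section] = "1812"  # assumed default when port= is absent
            continue
        m = KEYVAL_RE.match(line)
        if m and section:
            last_key, value = m.group(1), m.group(2)
            if not value:
                findings.append((num, f"{last_key} has an empty value"))
            if last_key == "port" and section in ports:
                ports[section] = value
            continue
        # Neither header, comment nor key=value: usually the tail of a wrapped
        # value. Limitation: a tail that itself contains "=" is not detected.
        where = f"tail of '{last_key}'?" if last_key else "outside any key"
        findings.append((num, f"stray text ({where})"))
    seen = {}
    for sec, port in ports.items():
        if port in seen:
            findings.append((0, f"[{seen[port]}] and [{sec}] share port {port}"))
        seen.setdefault(port, sec)
    return findings

# Constructed sample with placeholder values (not a real configuration).
GOOD = """\
[radius_server_iframe]
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDERSECRET
client=ad_client
port=1812

[radius_server_auto]
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDERSECRET
client=ad_client
port=18120
"""
# Simulate the failure described above: a line break inside the RADIUS secret.
BROKEN = GOOD.replace("=PLACEHOLDERSECRET", "=PLACEHOLDER\nSECRET", 1)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("broken", BROKEN)):
        print(name, lint_authproxy(cfg))
```

Run it against the real file's contents after every edit; a finding on the line after radius_secret_1 is the symptom described above.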

One important point omitted by the Duo documentation is the configuration of StoreFront. When using ad_client mode, you must ensure that the Logon Type in the StoreFront Gateway Appliance Authentication Settings is set to Domain.


Users see only a single password field for both web and Receiver, so you do not need to hide the second password field (for the web), and there is much less confusion when using Receiver.

You also only need to define 2 RADIUS policies, making configuration slightly easier.

Since authentication is not being handled by the NetScaler, users cannot change passwords using this method.

Mode 2 – duo_only_client (referred to in Duo documentation as the Alternate Configuration)

In this mode, the NetScaler performs Active Directory authentication, with Duo handling only the 2nd factor (RADIUS) authentication – hence the name duo_only_client. This mode is a bit more complicated to set up on the NetScaler. While the Duo documentation of this mode explains the Duo portion of the setup well, do NOT use this document to set up your NetScaler policies. This document describes setting up two SECONDARY RADIUS policies, which will NOT work if you are using Receiver. Instead, refer to the following Duo article: (see the section: Why might mobile Receiver clients have issues authenticating with Duo?). This will refer you to the following Citrix KB article:, which explains how and why you need to set up 2 LDAP and 2 RADIUS policies and profiles. Note that the session profile for the Receiver must have the Credential Index set to SECONDARY.

Again, the Duo documentation omits the setup of StoreFront. When using duo_only_client mode, you must ensure that the Logon Type in the StoreFront Gateway Appliance Authentication Settings is set to Domain and security token.

If you leave the Logon Type at the default Domain setting, logon via the web will work (since this setting is not used by the NetScaler), but Receiver (which does use this setting) will not work.


Since the NetScaler is performing Active Directory authentication, users may change their password (as long as the LDAP authentication server is using either TLS or SSL – not PLAINTEXT).


Using this mode, users will see two password prompts for web and Receiver:

While the unused second password field may be hidden for the web (see the Duo alternate configuration link above), this requires modification of the NetScaler source files - unsupported by Citrix, and, if not done carefully, may corrupt your NetScaler configuration.  The second password field for the Receiver may NOT be hidden, and the user must enter a valid Duo factor name (push – recommended, or phone) into that field. This can get quite confusing for users. The NetScaler configuration for this mode is also a bit more complicated.

Monday, June 27, 2016

Synergy 2016 CTP Swag

It's hard to believe that Citrix Synergy 2016 is now behind us! It seems like it was only a few weeks ago that I was submitting my abstracts. It was an amazing event, and it seemed like there were quite a bit more new/updated product announcements than usual.

NetScaler MAS

One of the most exciting announcements for me was NetScaler MAS (Management and Analytics System). If you haven't yet heard about NetScaler MAS, check out this excerpt from the Day Two General Session by CTO Abishek Chauhan.

HDX Ready Raspberry Pi

Another announcement that's shaking up the thin client world was the introduction of the HDX Ready Raspberry Pi. At $70 (plus the cost of a keyboard, mouse, and monitor), you don't need staff to maintain these devices. Should one fail, simply dump it, and replace it with another! Look at how small the device is - it's barely longer than a room key card:  


As impressive as the announcements were, I enjoy Synergy mostly for the networking. As a CTP, I get to spend two precious days prior to Synergy networking with 50 of the most Citrix-savvy individuals, as well as Citrix product managers, discussing technologies and product updates. Check out this link for more information on the Citrix Technology Professionals program. Recognizing that there are other individuals who may wish to contribute to the community, this year at Synergy, Citrix launched another tier of professionals - Citrix Technology Advocates.


I also enjoyed participating in the Match.Geek program at Synergy, during which I was able to connect with 4-6 attendees in 30-minute discussions (much along the lines of technology speed-dating!). Although my areas of expertise are gateway products (NetScaler, StoreFront, Web Interface) and development, any and all questions were still welcomed.

Breakout Session

I was also honored to present a breakout session this year on NetScaler Debugging and Troubleshooting Best Practices. If you missed it in person, have no fear. You can still view the event on SynergyTV, or via YouTube. The SynergyTV recordings this year have swappable picture-in-picture technology, which you can control. I hope you filled out your survey if you were at the session, as I take all feedback to heart (yep, even the constructive criticism). As promised during the session, here is some swag from Synergy - CTP style - a ShareFile link containing my full session presentation (including speaker notes), as well as the NSBackup utility (for backing up critical NetScaler files) discussed during the session:

SYN317 - NetScaler Debugging and Troubleshooting Best Practices - Full Presentation and NSBackup Utility. (please refer to the package contents document contained within).

Thursday, February 4, 2016

Welcome Citrix Technology Professional (CTP) Class of 2016!

Wow! It's hard to believe that a whole year has passed since I was honored by being elected to the CTP Class of 2015. I am also thrilled to have been re-accepted to the program for 2016. It’s been a fantastic year!

What is the CTP Program?

For those who may not be aware, the CTP Program is a group of only 50 individuals worldwide who have invested a significant amount of time and resources to become experts in Citrix products and solutions. The wealth of knowledge they have developed - and more importantly, openly shared - has proven invaluable to the Citrix technology community.  They have consistently demonstrated their real-world knowledge by:

  • Sharing insights (blogging) on web sites and contributing to online discussions (e.g. Citrix forums, Citrix Developer Network)
  • Sharing ideas and code with the Citrix developer community
  • Creating or fostering communities of Citrix users (e.g. CUGC)
  • Publishing technical documentation, articles, or books
  • Offering technical expertise in the field
  • Speaking at IT conferences

CTP members engage with Citrix product teams via in-person meetings and private webinars for detailed discussions on current technologies and product roadmaps. They help shape the future of Citrix technologies by providing valuable input on business needs and feedback on product strategy.

We are proud to welcome the CTP Class of 2016 to the group:

By their continued contributions to the Citrix community, each of the above has proven that they are deserving of the CTP designation. 

Congratulations to the new awardees, as well as to all the CTP members.
You can see the full list of CTP awardees here: CTP Awardees.

CTP accomplishments are reviewed annually, and are evaluated based on recent community contributions. If you have what it takes, I encourage you to apply for the program. You can review benefits and eligibility here: 
Citrix Technology Professionals Program.


I would like to thank the following, whose invaluable support has enabled me to continue giving back to the community: 
  • My family
  • The management team and my colleagues at IPM
  • Current and previous CTP members
  • Perrine Crampton and Brad Nunn, CTP Program Managers
  • Citrix 

Tuesday, January 26, 2016

How to Change the Page Title in Citrix Receiver 3.x

During my consulting engagements, I'm always coming across little tips and tricks, which might benefit others in similar situations. Over the course of the coming months, as time allows, I hope to share some of those tips with the community. Feedback is always welcomed.

My first tip is a rather simple one, yet it was quite frustrating to work out. In earlier versions of StoreFront, you could change the page title by adding the following code snippet into the JavaScript override file (custom.script.js in the contrib directory):

$(document).ready(function() {
    // Set the browser tab/window title once the DOM is ready
    document.title = "My page title";
});

For StoreFront 3.x, the above script would be placed in the file script.js in the custom directory. If you attempt to do the same thing in StoreFront 3.x, however, you will see your updated title for a fraction of a second, and then it gets replaced by the default text of Citrix Receiver. Obviously, something was being called after script.js.

My next step was to check ctxs.wrstrings.js in <store>web\scripts\<lang code>. This is the template file that you would use to override text strings within StoreFront. For example, I would frequently change the StoreFront dropdown from:


To do so, I simply copy the following line from <store>web\scripts\en\ctxs.wrstrings.js:

ActivateReceiver: "Activate ...",

... and copy it to <store>web\custom\strings.en.js, changing the line to read:

ActivateReceiver: "Configure Receiver ...",

Before I continue, I must stress that you do not want to change the template file itself for two reasons. First of all, a StoreFront upgrade would wipe out your changes, and secondly, changes to the template file would not propagate to other servers in the StoreFront server group.
I was hoping to find a line that could be overridden for the page title, but unfortunately, could not find one that fit. Not ready to give up, I searched through the Receiver Customization Extensions and APIs to see if there was something that could help. I came across the afterDisplayHomeScreen() function. So, I added the following to the script.js file in the custom directory:

CTXS.Extensions.afterDisplayHomeScreen = function () {
    // Runs after the StoreFront home (applications) screen is displayed
    document.title = 'My page title';
};

Voila! It worked... sort of. While it did work for the StoreFront applications screen, the logon screen still reverted back to Citrix Receiver. At this point, I reached out to one of my StoreFront gurus, Feng Huang, who graciously provided me with the correct answer. While I was correct in assuming that I would need to add an override string, it wasn't a string that already existed in ctxs.wrstrings.js. I simply needed to add the following into strings.en.js:

AppStore: "My page title",

Problem solved! (and the afterDisplayHomeScreen() function was no longer needed)

Thursday, October 22, 2015

TechTip: Microsoft TS/RDS Updates for Windows Server 2008 and 2012

My colleague Aaron Silber sent over a handy-dandy table with hyperlinks to the Microsoft pages of patches and updates available for Windows Server 2008 and Windows Server 2012.

Terminal Services (Remote Desktop Services) in Windows Server 2008
Remote Desktop Services (Terminal Services) on Windows Server 2008 R2 SP1
Remote Desktop Services in Windows Server 2012
Remote Desktop Services in Windows Server 2012 R2

Friday, October 16, 2015

StoreFront 2.6 and Windows 10 Edge Browser

If you've been following Feng Huang's blog on customizing Receiver, you've probably seen StoreFront 3.0 and Windows 10 Edge Browser. In it, Feng explains how StoreFront 3.0 has been given the smarts to allow you to use the native Receiver with Edge.
What if you are still running StoreFront 2.6 (or 2.5)? Since Edge cannot run the ActiveX controls necessary for client detection, only the HTML5 Receiver would be used (see: Receiver Feature Matrix for HTML5 Receiver limitations).

This post will use a slightly modified version of another one of Feng's posts - Preparing for NPAPI Being Disabled by Google Chrome - to give you the ability to use the native Receiver with Edge.
In that post, Feng discusses how to:

  • Disable the prompt to install the Receiver
  • Provide a permanent link for downloading the Receiver
  • Provide a link to switch between the native (full) Receiver and the HTML5 Receiver (referred to as the 'Lite' version of the Receiver).

However, the modifications discussed in the post are specific to Chrome. With just a bit of tweaking, we can add the above features for any browser.

We begin by adding the following strings to custom.wrstrings.en.js and a localized version for every language you need to support to custom.wrstrings.[language].js. 

Next, we need to add the code below to custom.script.js (in the contrib folder of the StoreWeb site).

The code above adds the following links to the dropdown next to the user's name:

Sunday, September 20, 2015

How to Add a Domain Name Drop-Down for NetScaler Gateway 11

You may have a scenario where users might need to authenticate to different authentication servers (LDAP Domain Controllers) based on their domain. This article describes how to add a drop-down menu with domain names on the logon page for NetScaler Gateway version 11, and have the NetScaler send the authentication request to the appropriate server. While Citrix Support Article CTX118657 describes a procedure to add domain names to the NetScaler logon page, the article is targeted for NetScaler firmware version 10.x, and will not work with version 11.
Citrix has actually added built-in support for a domain drop-down in version 11, but it is not quite fully functional. With a little bit of tweaking, however, it can be up and running in no time.
Note: The following modifications are provided as-is, and are not officially supported by Citrix Tech Support. You may be asked to reverse these changes when calling in for support.
CTX118657 contains four sections:
  • Create the drop-down menu with the list of domain names
  • Create a cookie on the user’s computer with the domain selected by the user
  • Create a procedure to ensure that the modifications will survive a reboot
  • Modify the authentication policy to be selected based on the cookie created
In this post, we will deal with the first two sections. Please refer to the support article for the remaining two sections.

Create the drop-down menu with the list of domain names
The first step is to give NetScaler the list of domain names. To do that, open a PuTTY session to the NSIP of your NetScaler, and issue the following command:
> set vpn vServer "<AG vServer>" -userDomains Domain1,Domain2,Domain3

Now fire up WinSCP and go to the directory /netscaler/ns_gui/vpn/js.
Make a backup copy of gateway_login_form_view.js, and search for:
The correct cookie name should be userDomains:
At this point, if you saved the file, and refreshed the NetScaler logon screen, you would see the domain drop-down:
You may notice that there are still two issues … while the drop-down is now being displayed (and there is an entry corresponding to each domain), all the entries are blank!
The second issue is more of a cosmetic issue … the screen would look a lot better if the length of the drop-down was the same as the text boxes above it.
To correct the first issue, go back to gateway_login_form_view.js and search for:
The entries are blank because the second attribute is incorrect. It should be “text”:
Alternatively, either of the following lines would also work:

var option = '<option value="' + domains[j] + '">' + domains[j] + '</option>';
var option = $("<option></option>").val(domains[j]).html(domains[j]);  
Now save the file and refresh the logon page. We now have our drop-down populated with our domains:
However, we want to stretch the drop-down to match the length of the text boxes above. We can do that by adding cascading style sheet (CSS) overrides for the height and width of the drop-down. There are 3 built-in themes with NetScaler 11 – Default, Greenbubble, and X1, and the overrides are different for each theme.
In WinSCP, browse to each theme directory, /var/netscaler/logon/themes/<theme>/css/, and create a file called custom.css. Insert the appropriate override values for each theme.
For the default theme, insert:
.domain_select {
       width: 176px;
       height: 23px;
}

For the Greenbubble theme, insert:
.domain_select {
       width: 208px;
       height: 28px;
}

For the X1 theme, insert:
.domain_select {
       width: 361px;
       height: 42px;
}

After saving custom.css, our domain drop-down is now aligned with the rest of the input fields:
Default theme
Greenbubble theme

X1 Theme

Now that we’ve completed the drop down, let’s move on to the next section.
Create a cookie on the user’s computer with the domain selected by the user
Fire up WinSCP and make a backup of /netscaler/ns_gui/vpn/login.js.

Add the following JavaScript functions after the first line where indicated above:
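  function getCookie(name) {
    // use: getCookie("name");
    // Anchor on the start of the cookie string or a preceding ";" so that a
    // cookie whose name merely ends with `name` is not matched by mistake.
    var re = new RegExp("(?:^|;\\s*)" + name + "=([^;]+)");
    var value = re.exec(document.cookie);
    return (value != null) ? unescape(value[1]) : null;
  }

  var today = new Date();
  var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // +28 days
  var expired = new Date(today.getTime() - 24 * 3600 * 1000); // less 24 hours

  function setCookie(name, value) {
    // use: setCookie("name", value);
    // The cookie expires at the +28 day date computed above.
    document.cookie = name + "=" + escape(value) + "; path=/; expires=" + expiry.toUTCString();
  }

  function setDomainCookie(form) {
    // Store the domain selected in the drop-down before the form is submitted.
    setCookie("domainvalue", form.domainvalue.value);
    return true;
  }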
Save the file. Now go back to gateway_login_form_view.js (in the js directory).
Look for the line beginning var form = …  At the end of the line, you should see:
Add setDomainCookie(this); right before clean_name_cookie(); (you can optionally also correct the ‘margin’ typo!). This tells the NetScaler to save the user's domain selection before submitting the page.
Save the file.
Now go back to CTX118657, and follow the last 2 sections to complete the modification.