Xendesktop: Force USB redirection for Webcams

HDX RealTime webcam video compression is a feature Citrix added to XenApp/XenDesktop. It compresses the video stream on the client (with its own blend of herbs and spices) to lower the bandwidth a webcam needs while keeping fidelity.

While this all sounds good, in some cases you need good ol' USB plug-and-play for compatibility. By default, XenDesktop will try to use HDX RealTime video compression (which shows up as 'Optimized' under Devices in Citrix Receiver). In our case, with HDX RealTime compression the recording software would complain that the device wasn't available. After switching the webcam to Generic (i.e. USB plug-and-play redirection), everything worked just fine.

There isn't an easy way to force the Generic method over the Optimized method. The user can switch it, sure, but we want users to log in and go, not fiddle with settings every time they log in.

It may be that the web camera was unsupported (is that possible nowadays?), but in any case administrators need a way to force this via Citrix HDX policies. There wasn't one, at least not that I could find.

After searching, we found the answer.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\GenericUSB\Devices]

This setting makes Receiver try Generic USB redirection first, before falling back to the Optimized method. Note that it is a client-side key: it goes on the endpoint running Receiver, not on the VDA, and the Wow6432Node path applies because Receiver is a 32-bit application on 64-bit Windows. Generic redirection hands the raw USB device to the session, so keep the HDX USB device policies on the XenDesktop side scoped to the devices you actually need rather than allowing everything.



Edit: Updated the key path, typos

Disclaimer: Usual stuff, I'm not responsible if this breaks things; be sure to back up your registry just in case.

james gonzales / October 5, 2016 / Citrix, Registry, XenApp / 0 Comments

Restore deleted mailbox Exchange 2013

Recently we had a customer accidentally delete a mailbox while in the ECP.

Going to Recipients -> mailboxes -> connect a mailbox showed no results

Using the following management shell commands was also fruitless (Get-MailboxStatistics needs a database, server or mailbox to query, so it is piped from Get-MailboxDatabase):

Get-MailboxDatabase | Get-MailboxStatistics | Where {$_.DisconnectReason -eq "SoftDeleted"} | fl DisplayName,MailboxGuid,LegacyDN,Database

Get-MailboxDatabase | Get-MailboxStatistics | Where {$_.DisconnectReason -eq "Disabled"} | fl DisplayName,MailboxGuid,LegacyDN,Database

I knew I needed the GUID of this mysterious mailbox, so I ran

Get-MailboxDatabase | Get-MailboxStatistics | Format-list DisplayName,MailboxGuid,Database,DisconnectReason,DisconnectDate > usermail.txt

In the text file I was able to locate the user's mailbox:
DisplayName : First Last
MailboxGuid : xxxxxxxxx-xxxx-xxxx-xxxxxxxxxxx
Database : DB02
DisconnectReason :
DisconnectDate :

I took note of the mailbox GUID and ran

Update-StoreMailboxState -Database "DB02" -Identity "xxxxxxxxx-xxxx-xxxx-xxxxxxxxxxx"

Update-StoreMailboxState forces the store to resynchronize that mailbox's state with Active Directory. Until that happens, a just-deleted mailbox can show a blank DisconnectReason and stay invisible to both Connect-Mailbox and the ECP.

After this the mailbox now appeared in the ECP under connect to mailbox.
I was then able to confirm that the mailbox was reconnected to the user.

I did have to recreate the user's alias in the user's properties.
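The whole sequence, as an added example rather than the post's own commands: locate a deleted mailbox by display name across every database, refresh the store state when DisconnectReason is blank, then reconnect it to the AD account in one go (supplying the alias up front avoids the separate fix-up step). Run it in the Exchange 2013 Management Shell; 'First Last' and 'first.last' are placeholders.

```powershell
# Added example, not from the original post. Placeholders: 'First Last', 'first.last'.

function Find-MailboxByDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-MailboxDatabase | Get-MailboxStatistics |
        Where-Object { $_.DisplayName -like $DisplayName } |
        Select-Object DisplayName, MailboxGuid, Database, DisconnectReason, DisconnectDate
}

function Sync-MailboxStoreState {
    # A blank DisconnectReason on a mailbox you know was deleted means the store
    # has not yet noticed the AD change; Update-StoreMailboxState makes it recheck.
    param([Parameter(Mandatory)]$Stats)   # one object from Find-MailboxByDisplayName
    if (-not $Stats.DisconnectReason) {
        Update-StoreMailboxState -Database "$($Stats.Database)" -Identity $Stats.MailboxGuid.ToString()
    }
    # Re-read the statistics; the mailbox should now report Disabled or SoftDeleted.
    Get-MailboxStatistics -Database "$($Stats.Database)" |
        Where-Object { $_.MailboxGuid -eq $Stats.MailboxGuid } |
        Select-Object DisplayName, MailboxGuid, Database, DisconnectReason, DisconnectDate
}

$m = Find-MailboxByDisplayName -DisplayName 'First Last'   # pick one object if several match
$m = Sync-MailboxStoreState -Stats $m
$m

# Reconnect to the AD user. -Alias is given here so the mail attributes are
# restored in the same step instead of by hand afterwards.
if ($m.DisconnectReason) {
    Connect-Mailbox -Identity $m.MailboxGuid.ToString() -Database "$($m.Database)" `
        -User 'first.last' -Alias 'first.last'
}
```

Connect-Mailbox only accepts a mailbox the store already lists as disconnected, which is why the Sync step has to come first.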

casey jones / July 7, 2016 / Active Directory, Exchange / 0 Comments

SSL Certificate Revocation lists when using Internal CA

Recently, we were making some changes to eliminate some of the pop-ups when using Remote Desktop Web Access. Certificates on an RDS deployment have to be on point; the article over at http://www.rdsgurus.com/ssl-certificates/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment/ is an awesome resource on the topic.

When using an internal CA (certificate authority) for certificate signing, one thing that is easily overlooked is the CRL Distribution Point (CDP). The Certificate Revocation List is essentially a CA-signed list of the serial numbers of certificates the issuing CA has revoked, and revocation is how an otherwise valid certificate gets withdrawn before it expires. If you look at the extensions of any SSL certificate, you'll see an entry for the CDP: the location(s) a relying party fetches that list from.

By default an internal (AD CS) CA puts an LDAP path in the CDP, which works just fine for domain-joined computers. A non-domain-joined computer can't follow the LDAP path (it has no credentials for the domain), the revocation check fails, and the client raises an error. With RDP you get the familiar yellow warning saying as much. Accepting the error lets the connection proceed, which also means your users are being trained to click through certificate warnings.

The fix is to add an http:// CDP (http, not https). The CRL is signed by the CA, so its integrity does not depend on the transport. HTTPS would only create a chicken-and-egg problem: to validate the CDP web server's own certificate, the client would have to fetch the very list hosted on that server. In other words, just use http, and make sure the URL resolves and is reachable from everywhere relying parties sit, including the Internet if external users come in through the RD Gateway.

http://www.esebenza.com/certificate-services/microsoft-pki-certificate-revocation-distribution-point-a-working-example/ is another great resource that walks you through these steps. Configure the http CDP (and, while you're there, an http AIA entry for the CA certificate), then reissue the certificate in question, since the CDP URLs are baked into each certificate at issuance. Reapply it to whatever resources use it and non-domain-joined clients will no longer get the revocation error. One caveat: a CRL has a validity period, so the CA has to keep publishing fresh ones to the http location, or the same error comes back the day the published CRL expires.
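The configuration and the check described above, as an added example (not from the post or the linked articles). It assumes an AD CS issuing CA and an IIS site named pki.example.com that serves the CertEnroll folder over plain http and is reachable by every relying party, external ones included; the flag values are the documented CSURL_* bits certutil uses for these registry entries. Run elevated on the CA.

```powershell
# Added example, not from the original post. pki.example.com is an assumed host name.

# Keep the local file entry (65 = publish CRL + delta CRL there) and add an http
# entry that goes into issued certificates (2) and is used to find delta CRLs (4).
# certutil splits the value on the literal "\n". %3 = CA name, %8 = CRL suffix,
# %9 = delta CRL suffix.
certutil -setreg CA\CRLPublicationURLs "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.example.com/CertEnroll/%3%8%9.crl"

# Same for the AIA (CA certificate) so chain building works off-domain too:
# 1 = publish to this location, 2 = include in the AIA extension of issued certs.
# %1 = server DNS name, %3 = CA name, %4 = renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"

Restart-Service certsvc
certutil -crl   # publish a fresh CRL (and delta CRL) so the files exist at the new location

# Review what the CA now has; look for the http: lines under each setting.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# If IIS hosts the CertEnroll folder, delta CRL file names contain '+', which
# request filtering rejects unless double escaping is allowed.
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter /system.webServer/security/requestFiltering `
    -PSPath 'IIS:\Sites\Default Web Site' -Name allowDoubleEscaping -Value $true

# Check from a NON-domain-joined machine once the server certificate has been
# reissued: every CDP/AIA URL is fetched and reported as Verified or Failed.
certutil -verify -urlfetch .\rdgateway.cer
```

Keep the LDAP entry if domain members still rely on it; the http entry is added alongside it, and clients try the CDP URLs in the order they appear in the certificate.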

Happy troubleshooting,


james gonzales / June 13, 2016 / Active Directory, Certificates, Remote Desktop Services / 0 Comments

Private VLANs in vSphere

PVLANs are one of those features everyone should have in their mental "toolbox". We were looking for a way to fence off portions of a network with minimal effort, for VMs that didn't really warrant a whole separate subnet. For example, to enhance security, or for pre-production VMs. For those unfamiliar with PVLANs, check out VMware's KB on the subject. Essentially, a PVLAN further segments a VLAN (the primary) into secondary groups: promiscuous, isolated and community. One assumption up front: the physical switches have to be configured for it. The uplinks must trunk the primary and every secondary VLAN ID, and the switches should be PVLAN-aware with the same PVLAN map; otherwise isolation is only guaranteed between VMs on the same host.

The promiscuous group can talk to all other groups. The community group can talk among itself and to the promiscuous group, and isolated can only talk to promiscuous (not even to other members of the isolated group!).

Traditionally, if I had two servers in the same subnet and same VLAN, I may have had to create firewall rules to stop traffic, or use some other means, maybe reconfigure the network or addressing. Maybe not such a big deal, but what if I added 10 more servers? 50 more? Rules and firewall configuration could get kinda hairy.

Using PVLANs in vSphere, I create the PVLAN, the PVLAN groups, and then a port group associated with each PVLAN group. Then, assign each VM to the required port group. In our case, infrastructure servers like the domain controllers went into the promiscuous group, while the RDS servers, which we wanted to stop from talking to each other, were assigned to the isolated group.

I will note that the behavior of PVLANs can be achieved through other means, depending on what exactly you're trying to accomplish. Also, they are not a replacement for firewall rules in most cases: a PVLAN is layer-2 isolation only, every isolated VM can still reach everything in the promiscuous group, and a compromised RDS host could still go after the domain controllers sitting there. So you will still want to restrict traffic to the VMs in the promiscuous group as needed. However, PVLANs are a great broad solution and should be considered to augment such designs.
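The procedure above in PowerCLI against a vSphere Distributed Switch, as an added example rather than the post's own configuration. Assumed names: a vDS called dvs-prod, primary VLAN 100 with secondary 101 (isolated) and 102 (community), VMs named DC01/DC02 and RDS*, and a vCenter at vcenter.example.com; confirm the parameter names with Get-Help New-VDSwitchPrivateVlan and Get-Help New-VDPortgroup for your PowerCLI version before running it.

```powershell
# Added example, not from the original post. Names and VLAN IDs are assumptions.
Connect-VIServer -Server vcenter.example.com

$vds = Get-VDSwitch -Name 'dvs-prod'

# Primary/promiscuous entry uses the same ID for primary and secondary.
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 -SecondaryVlanId 100 -PrivateVlanType Promiscuous
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 -SecondaryVlanId 101 -PrivateVlanType Isolated
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 -SecondaryVlanId 102 -PrivateVlanType Community

# One port group per role, bound to the secondary VLAN ID of that role.
New-VDPortgroup -VDSwitch $vds -Name 'pvlan100-infra-promisc'    -PrivateVlanId 100
New-VDPortgroup -VDSwitch $vds -Name 'pvlan100-rds-isolated'     -PrivateVlanId 101
New-VDPortgroup -VDSwitch $vds -Name 'pvlan100-preprod-community' -PrivateVlanId 102

# Move VMs: domain controllers to promiscuous, RDS hosts to isolated.
$promisc  = Get-VDPortgroup -Name 'pvlan100-infra-promisc'
$isolated = Get-VDPortgroup -Name 'pvlan100-rds-isolated'
Get-VM -Name 'DC01','DC02' | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $promisc  -Confirm:$false
Get-VM -Name 'RDS*'        | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $isolated -Confirm:$false

# Check: the PVLAN map on the switch, and which port group every RDS NIC landed on.
Get-VDSwitchPrivateVlan -VDSwitch $vds
Get-VM -Name 'RDS*' | Get-NetworkAdapter | Select-Object Parent, NetworkName
```

After the move, a ping from one RDS host to another should fail while both can still reach the domain controllers; if the two RDS hosts sit on different ESXi hosts and can still reach each other, the physical switch side of the PVLAN is what to look at.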



james gonzales / March 29, 2016 / Networking, Virtualization, vmware / 0 Comments

Google Mail to Office 365 Migration

Office 365 has made email migration pretty simple. In most cases, you just set up a migration endpoint, enter the mailboxes/passwords in a batch and away you go. https://support.office.com/en-us/article/Migrate-Google-Apps-mailboxes-to-Office-365-665dc56c-581c-4e35-8028-6bc1e8497016

With that said, migrating from Gmail can be a bit of a headache. I understand there are security needs to be addressed, and we can never be too safe. However, I did get the feeling that what needed to happen to achieve a successful migration (without 3rd party tools) was a bit superfluous.

1) Gmail can have an admin account that controls some settings for users.
2) The admin account needs to allow two-factor authentication globally. This is just a toggle switch.
3) Individual users then need to set up two-factor authentication themselves (this tied their email to a phone; what if the user doesn't want to tie a work Gmail account to a personal phone?). If the global toggle was turned off, users could not configure this setting. https://www.google.com/landing/2step/
4) IMAP needed to be enabled for all users individually (I did not see a global setting for this). By default, IMAP is disabled.
5) Gmail treats Outlook/Exchange as a "less secure app", so an app password needs to be created for each user. An app password is a per-application password that stays valid until it is revoked (it is not one-time), and it bypasses 2-step verification for that application. Revoke it, and turn IMAP back off, as soon as the migration is done.

5a) You can permit Google to allow "less secure" apps, but this only halfway works. If the computer is an untrusted computer, the connection to the mailbox via Outlook will still fail.
6) If using the Office 365 migration wizard https://support.office.com/en-us/article/Migrate-Google-Apps-mailboxes-to-Office-365-665dc56c-581c-4e35-8028-6bc1e8497016 , IMAP does not transfer contacts and calendar items.

There were two methods to move over email:
1) Tie their Outlook to their Gmail account and export/import PSTs into their O365 account.
2) Use the migration wizard in O365 to connect to the mailboxes directly.

This means we can go through the manual process of two-factor authentication, IMAP setting and app password to tie the mailbox to Outlook. Once that's done you're golden: do an export/import and you're done. But you have to do it ad nauseam.

Or, we do it the O365 way with a migration endpoint, and have to do the same thing (sorta), but end up with contact and calendar items not syncing.

Thoughts: While I agree that we do need these settings, it would be nice if it was easier, with fewer hoops to jump through. Maybe a time-limited "deployment toggle" in which IMAP is allowed for all users and connections from less secure apps (or just Outlook) are allowed. I imagine contacts and calendar items not syncing is a limitation of IMAP, but there needs to be a way to mass export/import. This could cause some serious headaches with a user base in the double digits.

It’s no wonder 3rd party apps for things like email migration still have to exist.

Happy troubleshooting,



james gonzales / March 7, 2016 / Uncategorized / 0 Comments

Recover VM’s from a permanently down XenServer host.


We recently had a XenServer node crash to the point that it was not possible to recover it.

The VMs that had been running on the host were no longer visible in XenCenter and had seemingly disappeared.

The first thing you need to do is locate the UUID of the down host with the xe CLI on a surviving pool member.




Then display a list of all the VMs resident on the failed host.

This will output all the VMs on that host and show them still in a "running" state, because the pool database was never told otherwise.

We need to reset the power state of each VM. Only do this once you are certain the host is truly dead: resetting the power state just rewrites the database record, and if the host is in fact still running the VM you would end up with the same disk in use twice.

Once you run this command you will notice the VM appear in XenCenter. You will more than likely not be able to start the VM, because the VDI is still marked as in use by the downed host.

You'll need to reset the locks on the VDI. This can be done by forgetting the VDI and then reattaching it to the VM.

One way to find the VDI in question is to attempt to start the VM.


This will generate an error, but more importantly it will also tell you the UUID of the VDI that is in use.

Then you need to "forget" that VDI.


This will cause the VM to "lose" the disk. Rescan the SR and you'll see the disk again, now without a VM attached.

Go to the Storage tab of the VM in XenCenter and reattach the VDI, then start the VM either from XenCenter or from the CLI.


Note: if the VM has more than one disk you'll need to repeat the process, attempting to start the VM again after each forget/rescan/reattach; each time the error will name the next VDI causing the issue.


There is a way to reset the VDI’s on a given SR as the above can be time consuming with a large number of virtual machines but this post will not cover that method.
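The sequence above, driven from a Windows admin box as an added example (the post's own command listing is not reproduced here). It assumes the OpenSSH client on Windows, root SSH access to a surviving pool member named xs-pool-master.example.com, that the xe error on a locked VDI contains the VDI UUID (the exact wording varies by XenServer version), and that the VDI keeps its UUID after sr-scan, which is the case for file- and LVM-based SRs but worth confirming in XenCenter's Storage tab before starting the VM.

```powershell
# Added example, not from the original post. Host name and SSH access are assumptions.
$PoolHost = 'xs-pool-master.example.com'   # any live pool member

function Invoke-Xe {
    # Run one xe command on the pool host and return its stdout and stderr as strings.
    param([Parameter(Mandatory)][string]$Arguments)
    & ssh "root@$PoolHost" "xe $Arguments" 2>&1 | ForEach-Object { "$_" }
}

function Get-DeadHostUuid {
    param([Parameter(Mandatory)][string]$NameLabel)
    (Invoke-Xe "host-list name-label=$NameLabel --minimal").Trim()
}

function Get-StaleRunningVms {
    # VMs the pool database still records as running on the dead host.
    param([Parameter(Mandatory)][string]$HostUuid)
    (Invoke-Xe "vm-list resident-on=$HostUuid power-state=running --minimal") -split ',' |
        Where-Object { $_ }
}

function Get-LockedVdiUuid {
    # Try to start the VM. If a VDI is still locked by the dead host the start
    # fails and (assumption) the error text names the VDI; return the first UUID
    # in it that is not the VM's own. Returns nothing when the VM starts.
    param([Parameter(Mandatory)][string]$VmUuid)
    $out = Invoke-Xe "vm-start uuid=$VmUuid"
    $uuidRe = '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'
    (($out -join "`n") | Select-String -Pattern $uuidRe -AllMatches).Matches.Value |
        Where-Object { $_ -ne $VmUuid } | Select-Object -First 1
}

function Remove-VdiLock {
    # Forget the VDI record and rescan its SR; it is re-registered without the
    # stale lock and without a VBD, which Restore-XenVm re-creates.
    param([Parameter(Mandatory)][string]$VdiUuid)
    $sr = (Invoke-Xe "vdi-param-get uuid=$VdiUuid param-name=sr-uuid").Trim()
    Invoke-Xe "vdi-forget uuid=$VdiUuid" | Out-Null
    Invoke-Xe "sr-scan uuid=$sr" | Out-Null
}

function Restore-XenVm {
    param([Parameter(Mandatory)][string]$VmUuid)
    # Only after the host is confirmed dead: this rewrites the record, nothing more.
    Invoke-Xe "vm-reset-powerstate uuid=$VmUuid --force" | Out-Null
    $device = 0
    while ($vdi = Get-LockedVdiUuid -VmUuid $VmUuid) {
        Remove-VdiLock -VdiUuid $vdi
        $bootable = if ($device -eq 0) { 'true' } else { 'false' }
        Invoke-Xe "vbd-create vm-uuid=$VmUuid vdi-uuid=$vdi device=$device bootable=$bootable type=Disk" | Out-Null
        $device++
    }
    # The start attempt that found no locked VDI already booted the VM; make sure.
    if ((Invoke-Xe "vm-param-get uuid=$VmUuid param-name=power-state").Trim() -ne 'running') {
        Invoke-Xe "vm-start uuid=$VmUuid"
    }
}

$dead = Get-DeadHostUuid -NameLabel 'xs-node-03'      # name-label of the crashed host, assumption
Get-StaleRunningVms -HostUuid $dead | ForEach-Object { Restore-XenVm -VmUuid $_ }
```

Multi-disk VMs are handled by the loop: each pass frees one VDI and re-creates its VBD, and the device numbers are assigned in the order the locks are reported, so check the disk order in XenCenter for VMs where it matters.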




casey jones / March 7, 2016 / Citrix, Virtualization, XenServer / 0 Comments

Server 2012R2 RDP sessions disconnect at periodic intervals

When users get disconnected from a Remote Desktop server, the cause can be a hundred different things. Maybe a blip on their internet connection, or a wayward GPO, or incorrect licensing. Do a quick Google search and more than likely you will read 50 different posts with 50 different causes.

A little bit about the RDP environment in question:

All Server 2012 R2, all licensed (windows and RDS CALs, all updated fully, etc)

1 RD Gateway (properly installed certificates)

1 RD Web Access (role installed on the same machine as the RD Gateway)

1 RD Connection Broker

1 RD Session Host in collection

For us, we had a customer with a seemingly unique problem and a not so unique symptom. Users (about 10 total) would get disconnected, one by one, every 700 seconds (700 seconds was the time connected in the event log). Their session would go black, the "Reconnecting..." box would pop up, and the session would reconnect a couple of seconds later. This happened to all users every 700 seconds or so, give or take a few seconds. While they were connected there were no problems to report, other than the aforementioned issue.

All users were on different flavors of Windows (7, 8, 8.1) at varying patch levels. The only unifying characteristic was their LAN.

We could see the event ID signaling the disconnects, but only reason codes were given (which we never found out the meaning of). This was the event on the Session Host: TerminalServices-LocalSessionManager event ID 40.


We could also see the corresponding disconnect messages on the RD Gateway. The session duration was always in the 700-706 second range, for every user. The connection protocol was UDP, and sometimes HTTP: TerminalServices-Gateway event ID 303.


We eventually made our way to their firewall to look at the rules. They had an HTTPS proxy rule set up, but it wasn't really doing anything: the HTTPS web blocker feature had expired but the rule was still in place. (Remember: since we are using a Gateway, RDP goes over port 443 instead of 3389.)

And of particular note, the HTTPS proxy rule had an "Idle Timeout Timer" set to 10 minutes. I removed the rule, and everything is now working! Sessions can now stay connected longer than 10 minutes at a time.

I figure 30-some seconds for the firewall to decide the connection is idle, 10 minutes of idle time before it drops it, and 30-some seconds for RDP to signal that network connectivity was lost would roughly equal the 700-706 seconds of session duration we were seeing. Not exact, but you see where I'm going with this.

So, if the user was in an active RDP session, why would the firewall treat it as idle? Well, my best guess is this. The gateway (and RDP for that matter) doesn't use just one protocol stream in Server 2012 R2. It can use a few, depending on the version of the client. You can verify this on the Monitoring tab in the Remote Desktop Gateway Manager tool on the gateway. Once the connection is made, additional streams are opened, and my guess is they were timing out (HTTPS proxy idle). The session then freaks out and the user is disconnected, only to be reconnected again and the timer reset. Without getting into the underbelly and details of the protocol itself, this is my best guesstimate.

The secondary transports RDP uses through the gateway are discussed here: http://blogs.msdn.com/b/rds/archive/2013/03/14/what-s-new-in-windows-server-2012-remote-desktop-gateway.aspx. In Server 2012 R2 the gateway's HTTP transport runs over TCP 443 as a pair of long-lived HTTPS connections (one per direction) and the UDP transport over UDP 3391. A firewall rule that proxies TCP 443 only ever sees the HTTP side, so a direction that carries little data while the session is otherwise busy over UDP looks idle to it, and its timer is what disconnects the user.
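The two event IDs above, pulled and analysed for a fixed period, as an added example rather than anything from the post: a narrow spread of session durations shared by many users points at a timer somewhere in the path (proxy idle timeout, NAT table, load balancer) rather than at flaky client links. The message text patterns are those of the Windows event messages; run the first function on the Session Host and the second on the Gateway.

```powershell
# Added example, not from the original post.

function Get-LsmDisconnects {
    # Session Host: "Session <id> has been disconnected, reason code <n>"
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 40
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match 'Session (\d+) has been disconnected, reason code (\d+)') {
            [pscustomobject]@{ Time = $_.TimeCreated; Session = [int]$Matches[1]; Reason = [int]$Matches[2] }
        }
    }
}

function Get-GatewayDisconnects {
    # Gateway: user, session duration in seconds and transport from event 303.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        Id        = 303
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = if ($m -match 'The user "([^"]+)"') { $Matches[1] } else { '?' }
            Duration = if ($m -match 'session duration was (\d+) seconds') { [int]$Matches[1] } else { $null }
            Protocol = if ($m -match 'Connection protocol used: "([^"]+)"') { $Matches[1] } else { '?' }
        }
    }
}

# Periodicity check: bucket durations to the nearest 10 s and see how many distinct
# users share the top bucket. Everybody in one bucket means look at the network.
$gw = Get-GatewayDisconnects -Hours 48 | Where-Object { $_.Duration }
$gw | Group-Object { [math]::Round($_.Duration / 10) * 10 } |
    Sort-Object Count -Descending |
    Select-Object -First 5 @{n='DurationBucket';e={$_.Name}}, Count,
        @{n='Users';e={($_.Group.User | Sort-Object -Unique) -join ','}},
        @{n='Protocols';e={($_.Group.Protocol | Sort-Object -Unique) -join ','}}

# Session Host side: reason code 0 (no further information) is what a transport
# drop looks like, whereas 11 and 12 are user-initiated disconnect and logoff
# in Microsoft's extended disconnect reason list.
Get-LsmDisconnects -Hours 48 | Group-Object Reason | Select-Object Name, Count
```

In the case above this would have shown one bucket at 700 with every user in it; a healthy gateway produces a flat spread of durations.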

I hope this post helps someone along the way. I found a whole bunch of posts out there regarding disconnections, but most ended up abandoned or with no solution ever found.

Happy troubleshooting!


james gonzales / December 2, 2015 / Remote Desktop Services / 0 Comments

Removing pinned shortcuts from taskbar Server Manager and Powershell on Server 2012 R2

Sometimes, it's those little nuances that can drive you crazy. Most of the time our templates are pretty spot on, but every now and then we need to create an RDS machine from scratch. In doing so, all those little tweaks have to be rediscovered. One such tweak is removing the Server Manager and PowerShell shortcuts from the taskbar on Server 2012 R2 for non-admin RDP users.

Now, prior to 2012 R2, there was a Group Policy setting to remove these items. However, in R2 it seems to be gone (I haven't been able to find it again). There was also another way: changing permissions on the source .lnk so that users didn't have permission to the shortcut and it wouldn't be copied to their profile on creation. But again, in R2 the exact paths got changed and muddled, so where exactly do you change permissions?

I googled the question and eventually ended up at http://clintboessen.blogspot.com/2014/12/remove-power-shell-and-server-manager.html, which solved the issue for me.

By deleting the source .lnk from C:\ProgramData…, a new user won't get the pinned shortcut. Of course, it won't apply retroactively to existing profiles either, but it helps when first setting up the server. Also, it won't create the shortcuts for admins, but surely, hopefully, your admin users will be able to pin those manually =)

james gonzales / October 22, 2015 / Remote Desktop Services / 0 Comments

Citrix XenApp 6.5 Printer Woes, Bloated Registry

I wanted to share an interesting case in hopes that it would save an admin out there from an unnecessary headache.

The environment was a small XenApp 6.5 farm, maybe 1-2 servers on Server 2008 R2, with maybe 30-35 users. One day, users started getting temporary profiles. In the event log there were numerous "<> took too long to respond..." events. Every so often, connections would come back with a "server is low on resources" message, though all performance metrics were seemingly normal.

Before I logged a support case, I came across this website. http://carlwebster.com/the-curious-case-of-the-bloated-default-profile/

This described our problem, and when I looked at the size of the registry it was 1.5 GB! Navigating to the registry keys below, the screen would hang; there were hundreds of entries, if not more.



Deleting the keys seemed to help (the screen would no longer hang), but the registry was still the same size. That is expected: a hive file never shrinks when keys are deleted, the freed space is just reused, so the file has to be compacted to actually get smaller. We ended up compressing the registry, and the problem went away. There are quite a few resources out there on how to compress a hive.

The issue stemmed from registry keys being created for each printer, each time a user logged in, over and over again. Deleting them alone would only have bought time; the growth would have reoccurred. Citrix provides a tool to stress test printer drivers, http://support.citrix.com/article/CTX109374. We switched most drivers out for the Citrix Universal Printer Driver. After that the registry didn't grow as it did before, and after watching it for a couple of weeks it stayed about the same size, ~100 MB. At that point I called the problem fixed.
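A small check to catch this kind of growth before it turns into temporary profiles, as an added example (not from the post): hive file sizes plus the subkey and value count under any key you want to watch. The key path passed in is yours to choose (the post does not name the keys it found; the print spooler's Printers key is used here only as an illustration), and the example is written to run on the PowerShell 2.0 that ships with Server 2008 R2. Run it elevated on the XenApp server and schedule it with an alert on growth.

```powershell
# Added example, not from the original post.

function Get-HiveSizes {
    # The machine hives plus the default profile hive that Carl Webster's post is about.
    $paths = @(
        "$env:SystemRoot\System32\config\SOFTWARE",
        "$env:SystemRoot\System32\config\SYSTEM",
        "$env:SystemDrive\Users\Default\NTUSER.DAT"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p -Force          # -Force: NTUSER.DAT is hidden
            New-Object PSObject -Property @{
                Hive   = $f.FullName
                SizeMB = [math]::Round($f.Length / 1MB, 1)
            }
        }
    }
}

function Get-KeyCounts {
    # Direct subkey and value counts under one key (e.g. a per-printer key that
    # should have roughly one entry per printer, not hundreds).
    param([Parameter(Mandatory=$true)][string]$Path)
    $k = Get-Item -LiteralPath $Path
    New-Object PSObject -Property @{
        Path    = $Path
        SubKeys = $k.SubKeyCount
        Values  = $k.ValueCount
    }
}

Get-HiveSizes | Format-Table Hive, SizeMB -AutoSize
Get-KeyCounts -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers' | Format-Table Path, SubKeys, Values -AutoSize
```

Keep the first run's numbers as a baseline; a SOFTWARE hive in the hundreds of MB on a session host, or a key count climbing with each logon, is the signal to go looking for the driver that is doing it.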


Hope this helps if you're experiencing a similar issue!

james gonzales / September 28, 2015 / Citrix, Printers, Registry, XenApp / 0 Comments

Deep Security 9.6 w/NSX 6.2, DSVA offline

Can't tell you how many times I've overlooked this very easy and obvious step.

Change the hostname on the Deep Security Virtual Appliances from the default localhost.localdomain to a real hostname.yourdomain before activating them; an appliance left with the default name is what shows up as offline in the manager.

Also note that once activated, the appliance will update itself from 9.5 to 9.6 (assuming you have the 64-bit Red Hat agent imported on the manager).



casey jones / September 24, 2015 / TrendMicro, vmware / 0 Comments