What do we need for a Citrix Virtual Apps and Desktops (XenApp and XenDesktop) deployment?
I will be consolidating Citrix Delivery Controller, Storefront, and License Server into one VM since this is a lab environment. In a production environment, you would use 2 VMs for Citrix Delivery Controller (for High Availability – HA), two for Citrix Storefront, and one for the License Server. The VDA count depends on user size.
Using the same two VMs for Delivery Controller and Storefront is also viable.
In my lab, all the servers are housing Windows Server 2019 Datacenter.
First, download the ISO on citrix.com. You will need an account and if you don’t have any partnership with Citrix, it is very difficult to get those files. There is a form you can fill and all you can do afterward is hope that they give you the files. Otherwise, there is no way of getting them publicly.
After mounting the ISO Autoselect.exe can be run.
Select Virtual Apps and Desktops. Virtuals Apps would just publish single programs as apps.
Just in case you are wondering: Some obvious steps will not be shown.
We are installing all the features on the same server. Like I said, Delivery Controller and Director should be on one server, License Server on another, and Storefront on another. Storefront and Delivery Controller should have 2 VMs each for High Availability.
I am also using SQL Express on the same server. Normally you would use a dedicated instance on a separate database server.
The server will be restarted. You will need to mount the ISO again and select the target folder:
And after some time…
Our main tool is going to be Citrix Studio.
Make sure you a logged in with a domain user. Local users are not supported.
These parameters will be automatically populated if SQL Express is being used. If using a separate database server a script can be generated to create the databases and tables.
My license server is hosted on the same server.
A connection to VMware or Hyper-V can be made. I am using Azure.
I will select “Other Tools” this time, I’ll make a post about Citrix MCS another time.
Enter your Azure Subscription ID and any name and then select “Create New”.
You will log in to Azure AD. This process creates a new Service Principal in Azure AD that allows Citrix to start, stop, create, and delete VMs in Azure.
In your Subscription under Access control (IAM) you will see a new App Principal as a Contributor.
App-V and AppDNA is not our focus right now.
Here is the summary of my settings.
To deliver a desktop we need at least one server to connect to.
Run autoselect.exe inside the ISO again.
We are not creating a Master Image for MCS. The Delivery Group will have a catalog of one machine.
Citrix Workspace App is not needed. You can de-select it.
I did not select any additional components.
Add the Delivery Controller.
Enable both features
Leave Firewall Rules to automatic.
Prerequisites will be installed.
Server will restart twice.
This is a server with multiple users connecting to it.
Select the VM and the computer account.
Give it a name.
Select the Machine Catalog we just created
You should probably create a custom group to limit the users.
Add a new desktop and give it a name. I use “TreatAsApp” to show both Desktops and Apps in one tab.
Under Search, we can see if the server has successfully registered with the Delivery Controller.
Now the Desktop can be started through http://ctx01.company.lab/Citrix/StoreWeb/
Open Internet Information Services (IIS)
Create a self-signed certificate (I do not have Active Directory Certificate Services on my lab environment). I might do a post about that in the future.
Run through the wizard (easy).
Make sure you select the personal certificate store.
Add a new Binding on port 443.
Select the certificate you just signed.
Now both 80 and 443 are active:
Now HTTPS is being shown:
The storefront URL should be added to the Trusted Sites for pass-through authentication to function properly. Make sure to change “User Authentication” to “Automatic logon with current username and password”. The default setting is “Automatic logon only in Intranet Zone”
Also, configure pass-through authentication for Receiver for Web Sites.
Set this Site as default in IIS:
Storefront does not accept self-signed certificates, so an internal Certificate Authority is needed for SSL communication between Storefront and Delivery Controller.
That’s it! It was a long but very interesting post.
Today I got a new Linux VPS, therefore I decided to show you all the steps I took to migrate to my WordPress site to the new server.
So let’s get started.
Firstly, it is always good practice to update the OS.
apt update
apt upgrade
Install apache2
apt install apache2
Install php7.3. By default, version 7.3 will not be detected. The repository PPA must be added. You might need the first command if the “add-apt-repository” is not available.
apt install software-properties-common
add-apt-repository ppa:ondrej/apache2
apt-get install php7.3
You should see the Apache2 default site if you enter the IP address in your browser:
Now enable the MySQL extension in the PHP config file:
nano /etc/php/7.3/apache2/php.ini
Remove the comment (semicolon) at extension=pdo_mysql. You can search with CTRL+W in Nano GNU editor.
CTRL+X saves the file.
Now install php7.3-mysql
apt-get install php7.3-mysql
The root directory of your WordPress files can be created:
mkdir -p /var/www/website
Make a config file for Apache2 from the default config.
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/website.conf
Change the config file. ServerName and ServerAlias should be your site name along with the DocumentRoot.
I use https exclusively, check my tutorial if you want to know how it is done (I highly recommend using https): https://www.ajni.it/2019/06/claiming-a-free-ssl-certificate-for-your-website/
nano /etc/apache2/sites-available/website.conf
Enable the site:
a2ensite website.conf
Reload the service like advised.
service apache2 reload
Download the latest WordPress version from https://wordpress.org/latest.tar.gz.
Since I am doing a migration, I just unzipped the files from my backup.
cd /var/www/website
wget https://wordpress.org/latest.tar.gz -O wordpress.tar.zip && tar -xzvf wordpress.tar.zip
mv wordpress/* .
Install MySQL server
apt-get install mysql-server
Now create a new database and a user in MySQL. As root you don’t have to enter a password.
mysql -u root -p
CREATE DATABASE wordpress;
CREATE USER ‘someusername’@’localhost’ IDENTIFIED BY ‘somepassword’;
GRANT ALL PRIVILEGES ON wordpress . * TO ‘someusername’@’localhost’;
I have to import the WordPress database from backup:
mysql -u root -D wordpress < db_20-05-2020.db
exit
Now you can access the WordPress through a browser, you will be asked to enter a site name, username with a password, etc.
You might also need to enable URL rewriting for Permalinks.
a2enmod rewrite
Disabling the default site is also a good idea
a2dissite 000-default.conf
There are some other important things you should enable in order to secure your server properly.
nano /etc/apache2/apache2.conf
These lines will not advertise the Apache2 version, enforce TLS 1.2 and strong ciphers, while unsafe ones (like MD5) are discarded.
ServerTokens Prod
SSLProtocol TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
service apache2 restart
That’s it. If you have questions, just comment down here!
A few days ago I bought a very cheap Virtual Private Server (VPS) – check my post here: https://www.ajni.it/2020/03/quick-tip-cheap-private-servers-on-the-cloud/
It was very cheap (4$ or 3.75€ annually), but with a lot of gotchas.
One of them is Ubuntu 18.04 Minimal, which means a lot of packages will not be pre-installed, causing a lot of pain when installing services like in my example OpenVPN.
Here is how I managed to install OpenVPN on Ubuntu 18.04 Minimal.
Updating the system:
apt update
apt upgrade
Install OpenVPN
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
The first problem occurs with the root CA certificates:
Install the root certificates in order to trust them:
apt-get install ca-certificates
After re-running the command, another error shows up:
Install the next package (iptables):
apt-get install iptables
And finally, the OpenVPN setup can be run:
I had to set a custom port, because only specific ones were NAT’d to my server. You might leave the port to default. I am also using 1.1.1.1 for DNS.
After the setup is finished, a configuration file will be created. This file contains the public certificates and private key that are mandatory for the connection. It can be imported into the OpenVPN client (Windows) through the GUI.
On Linux, a simple
openvpn configfile.ovpn
does the trick.
If you are looking for a VPS with good performance, check out Evolution Host at https://evolution-host.com/vps-hosting.php.
They offer virtual servers starting at 5€ per month.
By default, Linux systems allow both password-based and key-based authentication over SSH. If you have a server with SSH open to the world, password-based authentication shouldn’t be allowed at all.
To disable password-based authentication, edit the SSH config file:
nano /etc/ssh/sshd_config
Add the following lines:
PasswordAuthentication no
PubkeyAuthentication yes
Now generate a new private/public key pair:
ssh-keygen
id_rsa is your private key
id_rsa.pub is the public certificate thumbprint that must be added to ~/.ssh/authorized_keys
nano ~/.ssh/authorized_keys
The SSH service must be restarted.
service ssh restart
Now you can connect to your server with key-based authentication only. If connecting from a Linux system the file’s permissions must be set to 600.
chmod 600 id_rsa
ssh -i id_rsa ip@username
If you like using Putty, you’ll have to load the file with PuttyGen and save the private key as .ppk.
PuttyGen can be downloaded here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Links:
https://askubuntu.com/questions/346857/how-do-i-force-ssh-to-only-allow-users-with-a-key-to-log-in