Cannot open hyperlinks from Outlook emails in Citrix Xenapp session - Citrix Xenapp Support

Saturday, March 31, 2012 by Greg Bock

Recently I ran into a strange problem with hyperlinks not launching Internet Explorer from Outlook 2010. Upon clicking any hyperlink in any email, the system would prompt the user to choose a program to open the file. My first thought was that this was an Outlook issue, since Outlook can block certain files and hyperlinks from opening. However, after checking the default programs on the server, I discovered the HTTP and HTTPS protocols had no association to Internet Explorer and listed "unknown application" to open them. Additionally, I could not even choose an application to re-associate these protocols with.

The Citrix Xenapp installation is a Windows 2008 64-bit OS running Citrix Xenapp 5. It turned out to be a known bug in Xenapp 5: the IMAAdvanceSrv.exe service apparently removes a critical registry entry for Internet Explorer. The registry key entries located here were both missing:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.HTTP\shell\open\command

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.HTTPS\shell\open\command

By default, the command should be: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

I replaced the keys and hyperlinks immediately worked again; however, after about an hour the keys I had entered mysteriously disappeared. Thankfully Citrix has identified the issue and has a resolution that involves adding a registry entry, documented here: http://support.citrix.com/article/CTX107424. After entering this key, the registry entry for Internet Explorer remained intact.

For x86 servers, add the key below. For x64 servers, the same key belongs under WOW6432Node.

HKEY_LOCAL_MACHINE\Software\Citrix\SFTA

Value name: DisableServerFTA, type REG_DWORD, decimal value 1
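Checking and restoring both IE.HTTP and IE.HTTPS open commands, then setting DisableServerFTA in the location that matches the server's bitness, as an added PowerShell example (not code from the original post or from Citrix). It assumes the Internet Explorer install path quoted above and that it is run elevated on the XenApp server.

```powershell
# Added example, not code from the original post. Run elevated on the XenApp server.
# 1. Restore the IE.HTTP / IE.HTTPS open commands that XenApp 5 keeps removing.
# 2. Set DisableServerFTA (CTX107424) so the IMA service stops rewriting them.

# On x64 servers Internet Explorer lives under Program Files (x86), as in the post.
$is64bit  = [bool]${env:ProgramFiles(x86)}
$ieRoot   = if ($is64bit) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$iexplore = Join-Path $ieRoot 'Internet Explorer\iexplore.exe'
if (-not (Test-Path $iexplore)) { throw "iexplore.exe not found at $iexplore" }
$expected = "`"$iexplore`" -nohome"

foreach ($progId in 'IE.HTTP', 'IE.HTTPS') {
    $key = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    # The open command is the key's (default) value; it is absent once XenApp has stripped it.
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($current -eq $expected) {
        Write-Host "$progId open command is intact."
        continue
    }
    Write-Host "$progId open command missing or wrong ('$current'); restoring."
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value $expected
}

# CTX107424: DisableServerFTA=1 under Citrix\SFTA (under Wow6432Node on x64 servers).
$sfta = if ($is64bit) { 'HKLM:\SOFTWARE\Wow6432Node\Citrix\SFTA' } else { 'HKLM:\SOFTWARE\Citrix\SFTA' }
if (-not (Test-Path $sfta)) { New-Item -Path $sfta -Force | Out-Null }
New-ItemProperty -Path $sfta -Name 'DisableServerFTA' -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host "DisableServerFTA=1 set under $sfta; re-check the IE.HTTP keys after an hour."
```

Run it a second time after an hour: if both keys report "intact", the SFTA value is doing its job.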

 

SkyByte Consulting is committed to excellent Citrix Xenapp support!  Contact us today!

Symantec Endpoint Protection App Crash errors in Citrix Xenapp - Citrix Xenapp Support

Tuesday, March 20, 2012 by Greg Bock

After installing Symantec Endpoint Protection on a Citrix Xenapp installation, I noticed several repetitive errors appearing in the Application event log. About every minute, a service or application that is part of Symantec Endpoint Protection would crash. These crashes were causing Symantec Endpoint to malfunction and fail to update definitions properly. We also believe this caused a decrease in system performance across our entire farm. Several executables were failing and would log an error such as this:

Faulting application name: SescLU.exe, version: 11.0.7000.49, time stamp: 0x4db8fae2
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x0002e8f4
Faulting process id: 0x15e4
Faulting application start time: 0x01ccffa2c6db522a
Faulting application path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SescLU.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll

We are running Citrix Xenapp 6 on Windows 2008 R2 servers that are part of a healthy VMware vSphere cluster. I installed Symantec Endpoint Protection 11 RU7 from our SEPM server and had applied Symantec's recommendations for terminal server environments. We were very surprised to hear about performance issues on the hardware it resides on. Considering how deeply Symantec interacts with the system and its files, such errors could very well cause stability issues for logged-in users.

This problem was related to the Citrix Application Programming Interface (API) hooks. Thankfully these can be disabled for any executable or service experiencing a problem. The procedure can be found on Symantec's website: http://www.symantec.com/business/support/index?page=content&id=TECH150373

It is recommended to add the entry in both locations; the keys differ between 32-bit and 64-bit servers.

For the 32-bit version

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
Value Name: ExcludedImageNames
Type: REG_SZ
Value: rtvscan.exe,smc.exe,sesclu.exe,smcgui.exe,ccsvchst.exe

For the 64-bit version

Keys: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook64
Value Name: ExcludedImageNames
Type: REG_SZ
Value: rtvscan.exe,smc.exe,sesclu.exe,smcgui.exe,ccsvchst.exe

In addition to these applications, I also added symdelta.exe, which was occasionally crashing. After a reboot, Symantec was functioning normally and system performance had improved. Antivirus software is essential to network security, and configuring it properly on a terminal server is very important to keep efficiency and functionality in check.
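An added PowerShell example (not code from the original post, Symantec or Citrix) that writes the ExcludedImageNames value to whichever CtxHook keys exist on the server, merging with any names already excluded rather than overwriting them. It includes symdelta.exe as described above and assumes it is run elevated, followed by the reboot the post mentions.

```powershell
# Added example, not code from the original post. Run elevated, then reboot.
# Merges these Symantec executables into ExcludedImageNames under every
# CtxHook key present, keeping any names an earlier admin already excluded.
$toExclude = 'rtvscan.exe','smc.exe','sesclu.exe','smcgui.exe','ccsvchst.exe','symdelta.exe'

# 32-bit location plus the two Wow6432Node locations the post lists for x64 servers.
$hookKeys = @(
    'HKLM:\SOFTWARE\Citrix\CtxHook',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\CtxHook64'
)

foreach ($key in $hookKeys) {
    if (-not (Test-Path $key)) {
        Write-Host "Skipping $key (not present on this server)."
        continue
    }
    $existing = (Get-ItemProperty -Path $key -Name ExcludedImageNames -ErrorAction SilentlyContinue).ExcludedImageNames
    # REG_SZ holding a comma-separated list; normalise before merging so
    # "SMC.EXE" and "smc.exe" do not end up as two entries.
    $names = @()
    if ($existing) {
        $names = @($existing -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    }
    $merged = @($names + $toExclude | Select-Object -Unique)
    $value  = $merged -join ','
    Set-ItemProperty -Path $key -Name ExcludedImageNames -Value $value -Type String
    Write-Host "$key ExcludedImageNames = $value"
}
```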

Outlook 2010 Additional Mailboxes Persistent and Can't Remove - Microsoft Server Support

Tuesday, March 20, 2012 by Mario McGuire

In working with Outlook 2010, I had a client who had Exchange mailboxes that he needed to get rid of because they were no longer needed. The user tried removing the mailbox from Outlook by simply launching "Mail" (Outlook profiles) from Control Panel. When the user re-opened Outlook, the account was still there. After some looking around, it was found that the user had been given "Manage Full Access Permission" in Exchange 2010 to this specific mailbox. This was causing Outlook, for some reason, to hold on to the mailbox in the left pane.

In order to get rid of the mailbox, the "Manage Full Access Permission" had to be removed for the specified users on this mailbox in the Exchange Management Console. You can also use the Exchange PowerShell to perform this with the following command:

Remove-MailboxPermission -Identity <Mailbox> -User <UserAccessing> -AccessRights FullAccess

After removing the user from the full access permissions, Outlook was closed and reopened, and the mailboxes were then removed. It is unclear if this issue is caused by a Microsoft Exchange upgrade or if this is just one of those little issues that slipped through the cracks in patching either system. SkyByte Consulting supports clients large and small with issues like this and many others.
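The same check and removal from the Exchange Management Shell, as an added example (not code from the original post): list the explicit FullAccess grants on the mailbox first, then remove the one for the user. The mailbox and user names are placeholders.

```powershell
# Added example, not code from the original post. Run in the Exchange Management Shell
# on the Exchange 2010 server. Both identifiers below are placeholders.
$Mailbox = 'shared.mailbox@example.com'
$User    = 'CONTOSO\jdoe'

# Explicit (non-inherited) FullAccess grants on the mailbox, ignoring the
# owner's own NT AUTHORITY\SELF entry, which every mailbox has.
$grants = Get-MailboxPermission -Identity $Mailbox | Where-Object {
    $_.AccessRights -contains 'FullAccess' -and
    -not $_.IsInherited -and
    "$($_.User)" -ne 'NT AUTHORITY\SELF'
}
Write-Host "Explicit FullAccess on ${Mailbox}:"
$grants | Format-Table User, AccessRights, Deny -AutoSize | Out-String | Write-Host

if ($grants | Where-Object { "$($_.User)" -eq $User }) {
    # This is the grant that keeps the mailbox pinned in the user's Outlook folder pane.
    Remove-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -Confirm:$false
    Write-Host "Removed FullAccess for $User on $Mailbox. Have the user close and reopen Outlook."
} else {
    Write-Host "$User has no explicit FullAccess grant on $Mailbox; nothing to remove."
}
```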

VDI and BYOD - Bring your own device

Wednesday, March 7, 2012 by Darren Sieck

As many SMBs rise slowly out of the recession and begin to invest in the latest technologies, they are finding their new software and IT systems may support iPhone, iPad, Android, PC or Mac. All this connectivity ushers in new ways to conduct business. The variety of these devices can be used to provide better communication and flexibility in the workplace and thus improve business agility. BYOD can also provide both hard and soft returns on the organization's IT investments. The hard returns of BYOD materialize as savings to your organization simply because it no longer has to shell out funds for the latest and greatest devices. The soft return may be happier employees and better morale, because they can use their device of choice to connect to company resources instead of having IT and corporate dictate specific devices. It is important to point out that BYOD also brings with it a host of cons that must be considered and controlled by the corporation's acceptable use policy and IT security experts.

The first and foremost consideration is data security: a company must consider the pros and cons before it allows company data on an employee's personal device. Once a company allows an employee to download data to a personal device, the company has little or no control over or management of its data. This may also bring up legal issues over ownership of the data should the employer-employee relationship turn sour. For example, a company's intellectual property or contact lists could easily be harvested and brought to a competing business. There are many other variables to consider; for instance, a well-intentioned employee's device may malfunction, damaging or deleting email or contacts on the company mail server. The employee may load an insecure app whose goal is to leech or damage corporate data. The employee may load an app, then walk into the business and connect to WiFi with a potential Trojan horse, causing a devastating data loss. For some organizations this is an acceptable risk, and steps can be taken to help mitigate some of these concerns; however, for most organizations this is not tolerable.

BYOD walks a fine line when it comes to saving money. There are additional IT and business costs in supporting multiple platforms. For example, IT must configure the company mail server to support Blackberry, iPhone, iPad and Android. IT must track and try to enforce, or at least suggest, a baseline of mobile security. This was a difficult enough task on a single platform; with BYOD it becomes 3X more difficult and time consuming. Fixing one issue for iPhone users may break something for the others. There are also support and security benefits to supporting a single corporate platform. This conservative thinking brought stability and security to organizations for years.

So where does that leave us? Should an organization allow BYOD or not? There is no right or wrong, and only an organization can decide whether the benefits outweigh the risks. Chances are that in a small organization this can be managed on an individual basis. Anything beyond a small business, or a business that lives or dies by its data, needs to seriously consider the implications of introducing unmanaged personal devices into the organization. However, what we have discussed so far assumes an organization allows employee devices to directly connect, sync, and interface with company assets.

Are there other options or solutions? Absolutely: VDI (Virtual Desktop Infrastructure). The industry has been virtualizing servers for years, and VDI technologies are one of the hottest topics in IT. VDI leverages the benefits of and investments in server virtualization and extends them to the desktop and mobile device space. VDI software such as VMware View, Citrix XenApp or Citrix XenDesktop allows secure data access for BYOD users. The biggest VDI benefit is that corporate data can be extended to all mainstream devices while no actual copy of the data is stored on the device. Rather, all data is stored, maintained, and secured in the organization's IT system. The VDI software client is also agnostic to the device or platform it runs on, thus eliminating the work of configuring the entire system to work with multiple platforms. VDI allows the organization to maintain control over its data while still leveraging the benefits of BYOD.

SkyByte is a VMware Professional Partner and a Citrix Solution Provider.  Contact us today for a server virtualization or VDI evaluation.

You can't send a message on behalf of this user unless you have permission to do so - Chicago Network Support

Sunday, February 26, 2012 by Greg Bock

Last week I ran into a bizarre email sending problem which ultimately was caused by Microsoft Outlook 2010. All of a sudden a user could no longer send email from Outlook, but could still receive. The user would immediately receive this undeliverable bounce-back after sending any email:

"Delivery has failed to these recipients or groups:
user@domain.com

You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk."

This error is typically seen when a user attempts to send an email on behalf of another user without the proper permissions. That was not the case here; the user was simply trying to send email as himself. The first obvious check was whether his Exchange permissions were set correctly. The user was running a fairly new box, Windows 7 Professional 64-bit with Microsoft Office 2010 Home and Business edition. His Outlook was connected to an on-premise Exchange 2010 server, and no other users on the network were experiencing this problem. While we had performed a Microsoft Exchange upgrade recently, he had been running normally for several months. The next step I took was to see if he could send from OWA, and he could. Additionally, he could send from his Android phone connected to his Exchange account.

To confirm the problem was isolated to his machine, as a possible network security or software issue, he logged in as himself on another similar machine, created an Outlook profile and was able to send email just fine. So the next step I took was recreating his Outlook profile. Recreating the Outlook profile resolves many Outlook abnormalities; unfortunately, this time it did not help. Then I backed up the user's profile and recreated it. To my disbelief, the problem remained. My next step was to fully remove and reinstall Office, not a repair install. This finally fixed the issue, and he was able to send email again.

Symantec Endpoint Protection Manager not receiving definition updates - Network Security

Monday, February 6, 2012 by Greg Bock

SkyByte Consulting has recommended Symantec Endpoint Protection and its management capabilities to its clients for a variety of reasons. The ease of deploying clients to end users and the ability to manage them all from one console make Symantec Endpoint Protection a great antivirus and antimalware solution. The Symantec Endpoint Protection Manager (SEPM) downloads definition updates from LiveUpdate on a regular basis and then deploys the updates to each endpoint client connected to your network. Symantec releases several revisions throughout the day, so by downloading only one copy of the definitions to the SEPM rather than to each individual client, you save bandwidth for other needs.

Recently I discovered a SEPM that had stopped receiving updates. Rebooting the server had not helped, and manually running LiveUpdate inside the SEPM would reply with "Error: LiveUpdate encountered one or more errors. Return code = 4". According to Symantec, this could have a variety of causes, from network firewall security or IE's Enhanced Security Configuration to a proxy. I knew none of these applied, and I was able to resolve it by following these steps:

  1. Stop the SEPM and SEP Embedded Database services in Services.
  2. Uninstall LiveUpdate from Programs and Features (or Add/Remove Programs).
  3. Install LiveUpdate from the SEP setup CD.
  4. Open a command window and browse to:
     C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin
     Type lucatalog -update and press Enter.
  5. Start the SEP Embedded Database service and then the SEPM service.
  6. Log in to the SEPM and retry downloading updates from LiveUpdate.

How can I use Group Calendars to see when multiple people are free? Outlook 2010

Monday, February 6, 2012 by Mario McGuire

Outlook 2010's Group Calendars are very similar to those found in Outlook 2007, and it is possible to view multiple users' calendars in one place using the free/busy information in Exchange. This is very helpful if you do not have the rights to view a person's calendar but still want to see whether someone is available, in conjunction with other people and resources, when planning meetings. I will provide the steps for setting this up below.

  1. In Outlook 2010, click on your calendar.
  2. From the Home tab, select Calendar Groups.
  3. In the drop-down list, click one of the following:
    1. To create a new group calendar, click Create New Group Calendar, and continue to step 4.
    2. If you have multiple calendars open (for example, you are viewing other people's calendars along with your own), you can save the calendars in the current view as a new calendar group in the navigation pane by clicking Save as New Calendar Group.
    3. To display team calendars in the navigation pane, click Show Team Calendars. Team calendars contain calendars for your manager, direct reports, and peers as determined from information in Active Directory.
  4. In the Create New Calendar Group dialog box, type the name for the grouping and click OK.
  5. In the Select Name: Global Address List dialog box, find the individuals or resources you wish to add to the grouping. Click the Group Members -> button to add them (or double-click their name). You can add multiple people or rooms by finding another person and clicking the button again.
    If you have a server-side distribution list (for example, a mail-enabled group, not a LISTSERV list or a personal distribution list), you may find that group and add it.
  6. When you are done adding the people and rooms, click OK and the calendar group is saved in your navigation pane. In it, you can see each member's or resource's availability. If the individual or resource room doesn't allow people, or a specific set of people, to view the free/busy information, you will not see any details listed.
  7. To add more people or resources, right-click on the calendar group in the navigation pane and click Add Calendar. Choose one of the following methods to add the calendar:
    1. From Address Book
    2. From Room List
    3. From Internet
    4. Open Shared Calendar
  8. To delete a calendar group, right-click the calendar group in the navigation pane and select Delete Group.

This topic came up after a recent Microsoft Exchange upgrade from 2003 to 2010. I wanted to share this information to help people new to Outlook 2007/2010. SkyByte Consulting works with many of our clients to provide server upgrades, Blackberry Enterprise Server support and many other services.

Installing full feature print drivers onto a Citrix Xenapp Server - Citrix Xenapp Support

Tuesday, January 17, 2012 by Greg Bock

SkyByte Consulting knows the benefits of using Citrix XenApp, and one of those benefits our clients can't live without is the ability to print to a locally attached printer such as a home or personal printer. Citrix admins know printing can make or break Citrix, so installing printer drivers should always be performed with caution. The majority of our clients with a Citrix Xenapp installation use Citrix to access their company resources securely and enjoy the ability to print to their home or personal printers. When printers are mapped during logon, any client-created printer will attempt to match your local print driver with the same driver, if it is available on the Citrix server. If a matching driver is not available, it will default to the Citrix Universal Driver. The Citrix Universal Driver has been refined with every new release and is compatible with almost any printer. But occasionally the Citrix Universal Driver's performance just cannot match the native print driver. Whenever possible I recommend using native print drivers to minimize print problems.

Printer manufacturers offer downloadable drivers on their websites. When installing a print driver on a Citrix XenApp server, you only need the basic print driver. Keep in mind, most home printers come with a lot of extras that are not needed on the Citrix server. To make things more difficult, often only the entire software package is available. Extracting the driver from it can be difficult, but it can be done.

Recently I was asked to install a driver for an HP Officejet 8600. HP offers the full software, but also the basic print driver, on their website. I downloaded the basic driver, which was a single self-extracting .exe file. After the automatic extraction was complete, a setup wizard began and immediately told me my OS (Windows Server 2008 R2) was not supported. This was very disappointing, but I found a workaround to get the driver installed. The self-extractor had extracted all of the files, including the driver, into the C:\users\username\appdata\local\temp directory. Simply pointing the Add Printer Driver wizard to that directory made installing the driver extremely easy.

If you find no choice but to install the full feature driver, there are ways of getting just the basic driver installed. If you are installing from a disk, there may be a folder containing the drivers. Also check out my other blog post explaining how to remotely install print drivers from another machine here.

Virtualization Success: VMware vSphere transforms a Chicago area park district

Monday, January 16, 2012 by Darren Sieck

SkyByte Consulting is a premier provider of virtualization solutions and technologies.

Recently SkyByte won an RFP for a major suburban park district near Chicago. SkyByte successfully beat out four other Chicago IT firms with our design and project pricing. The park district had approximately thirty aging physical servers well beyond their effective service life. Their server room consisted of two 42U racks full of old server equipment. SkyByte proposed a four-server VMware vSphere cluster connected to a NetApp 2040 SAN. Cisco switches were chosen and NFS was utilized for the storage area network. SkyByte architected a secure DMZ along with multiple internal production networks. The project had the added benefit of centralizing all of the organization's data within the new NetApp SAN. This further improved the organization's disaster recovery options.

SkyByte installed the new VMware vSphere cluster and virtualized all the old servers from P to V. The virtualization candidates were Microsoft Exchange, four Microsoft SQL database servers, file and print servers, application servers and many F5 load-balanced web servers. Upon completion of the project all old server equipment was removed, and a complete 42U rack was removed from the room. 84U of rack space was reduced to 15U. Power and cooling requirements for the data room were reduced by more than 50%. The park district gained fault tolerance and high availability; the system is designed to continue business operations through a two-host failure. The organization also gained much more flexibility within their system to meet the public's needs. Other benefits have been much better performance logging and reporting. The organization has acknowledged that system performance was dramatically improved across all servers.

SkyByte has been working with virtualization technologies since 2003. Over the last several years we have focused our infrastructure practice on server virtualization and server consolidation through the use of VMware vSphere clusters and standalone ESX and ESXi hosts. We have aligned ourselves with NetApp and EMC for storage solutions. SkyByte has found VMware's virtualization product suite to be vastly superior to competing server virtualization software such as Hyper-V and Citrix XenServer. Specifically, the levels of refinement, flexibility, reliability and support are much better with the VMware products.

Contact us today for a free evaluation of what virtualization can do for your organization: 847.574.6256 or info@skybyte.com

Symantec Backup Exec 2010 R3 Remote Agent Service Fails To Start With Error

Sunday, January 15, 2012 by Mario McGuire

Yesterday I was setting up Backup Exec 2010 R3 as part of a disaster recovery initiative for a client. Installing the media server was the easy part, but installing the remote agent on one of the servers proved to be much more of a pain. Using the utility built into Backup Exec, I deployed the agent to the server. I then logged into the server to verify that the agent had indeed installed. I noticed a red "X" on the tray icon, so I investigated. The error said that the service did not start, so I opened the Services MMC and tried to start it manually. The service started, then stopped immediately with the error:

"The Backup Exec Remote Agent for Windows Systems service on Local Computer started and then stopped. Some services stop automatically if they have no work to do for example, the Performance Logs and Alerts service."

I also looked in the event logs and found an error with the event ID: 58117 - The application failed to listen on the NDMP TCP/IP port. Check the network configuration.

After digging around on the Internet I found a support document from Symantec that explained the issue. Backup Exec's remote agent requires port 10000 to operate. For those of you who may not know port 10000 is a very commonly used port. Because the administration site for the software running on this particular server was also running on port 10000 the service was failing to start and I was receiving that vague error message (Thanks Symantec!).

Solution to the issue:

  1. Confirm that another application is using port 10000 by first opening a command prompt: go to Start -> Run, type "CMD" and press Enter.
  2. At the command prompt type:
    NETSTAT -abno
    Then press ENTER.

    This will give a list of all ports that are in use on the system along with the name of the process that is utilizing the port. The ports are listed in the format IP Address:Port.
    Example: 127.0.0.1:10000 would indicate that a process is listening on port 10000.

Look through the list generated by the NETSTAT command in the Local Address column for any process displaying 10000 after the IP address. If there is another process that is using port 10000, one of the following must be done:

Change the port used by this application/process, or remove it if not needed

OR

Change the NDMP port for the Backup Exec Remote Agent service by doing the following steps:
  1. Edit the SERVICES file located in C:\WINDOWS\system32\drivers\etc\ using Notepad.
  2. Add an entry that reads like the following example (12000 is just an example port; pick any available port that did not show as in use in the NETSTAT results):
    ndmp          12000/tcp

    At the end of the line press ENTER so that the cursor goes down to the next blank line. If the ENTER key is not pressed at the end of the NDMP line, the change will not take effect.
  3. After making the change, save the file and restart the Backup Exec Remote Agent for Windows Servers service.
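An added PowerShell example (not code from the original post or from Symantec) that automates the two checks above: it parses netstat output for a listener on the NDMP port and, if the port is taken, verifies the replacement port is free and appends the ndmp line to the SERVICES file with the trailing newline the post warns about. It assumes an elevated session and matches the Remote Agent service display name with a wildcard because the exact name varies by version.

```powershell
# Added example, not code from the original post. Run elevated on the server
# where the Backup Exec Remote Agent fails to start.
$NdmpPort     = 10000
$NewPort      = 12000                          # must be free; checked below
$ServicesFile = Join-Path $env:SystemRoot 'System32\drivers\etc\services'

function Get-PortListeners {
    param([int]$Port, [string[]]$NetstatOutput)
    # netstat -ano lines look like:
    #   TCP    0.0.0.0:10000      0.0.0.0:0      LISTENING       1234
    #   TCP    [::]:10000         [::]:0         LISTENING       1234
    # Only the Local Address column is inspected, so a remote peer on :10000 is ignored.
    foreach ($line in $NetstatOutput) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
            [int]$Matches[2] -eq $Port) {
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = $Port
                ProcessId    = [int]$Matches[3]
                ProcessName  = (Get-Process -Id ([int]$Matches[3]) -ErrorAction SilentlyContinue).ProcessName
            }
        }
    }
}

$netstat   = netstat -ano
$listeners = @(Get-PortListeners -Port $NdmpPort -NetstatOutput $netstat)
if ($listeners.Count -eq 0) {
    Write-Host "Port $NdmpPort is free; look elsewhere for why the agent fails to start."
    return
}
$listeners | Format-Table LocalAddress, Port, ProcessId, ProcessName -AutoSize | Out-String | Write-Host

# Move the agent to another port instead of evicting the other application.
if (@(Get-PortListeners -Port $NewPort -NetstatOutput $netstat).Count -gt 0) {
    throw "Port $NewPort is also in use; choose another."
}
$raw = [IO.File]::ReadAllText($ServicesFile)
if ($raw -match '(?m)^\s*ndmp\s+\d+/tcp') {
    throw "SERVICES already has an ndmp entry: $($Matches[0]). Edit it by hand."
}
# The entry must be terminated by a newline or Windows ignores it (the post's
# "press ENTER at the end of the line"); also repair a file whose last line lacks one.
$entry = ''
if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { $entry = "`r`n" }
$entry += ("ndmp{0,16}/tcp`r`n" -f $NewPort)
[IO.File]::AppendAllText($ServicesFile, $entry)
Write-Host "Added 'ndmp $NewPort/tcp' to $ServicesFile"

# Display name varies by Backup Exec version, hence the wildcard.
Get-Service -DisplayName 'Backup Exec Remote Agent*' | Restart-Service -Verbose
```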
Before making any changes to ports on servers, please make sure you consult your Domain Administrator or Network Administrator, as this could violate your company's Network Security Policy. SkyByte Consulting provides information technology disaster recovery plans for small offices up to large enterprises.

10 Ways To Protect Your Computer From Trojans/Viruses

Saturday, January 14, 2012 by Mario McGuire

For the better part of 15 years I have been working with computers on a technical level. I've cleaned more viruses from computers than I would like to admit, so I decided to put together a list of very helpful tips. Please note that even though this is fun to read, these tips should be taken seriously.
  1. First and most importantly: create an admin account on your computer and change your everyday user to a standard account. If you do get infected, the virus will not have admin rights to your machine! It won't be able to install anything or modify any critical systems on your machine. This tip is the most critical by far!
  2. Uninstall Adobe Flash Player. I know you're probably saying "Why would I do that? I can't watch YouTube or play Farmville on Facebook!!" Well, what you may not know is that Adobe Flash has more holes than a piece of Swiss cheese, and no matter how many updates they put out for it, you just can't fix bad code/programming.
  3. Install an antivirus client! They can be found for free and there is no excuse for not having one. Microsoft offers Security Essentials (Microsoft Security Essentials).
  4. Download an anti-malware program like Malwarebytes. This is by far one of the best tools for keeping your computer clean and spyware/malware free. (Malwarebytes)
  5. Don't just click because you can. Just because it's on Facebook doesn't mean it's safe. No one is really going to sell you Viagra for 25 cents a pill, so stop clicking on the links. This type of attack is called clickjacking and it's one of the most common ways PCs get infected!
  6. If it sounds too good to be true, it probably is. Like watching "The Big Bang Theory" episodes for free a week before they come out. Do not install anything on your machine that's not from a reputable source. This includes ActiveX controls and "plug-ins".
  7. Update your computer with Windows Updates and also keep your browser(s) (Chrome, Firefox, Opera, Internet Explorer) up to date. Windows, Linux, and even Mac OS X all get updated regularly to plug security holes that the programming and support teams find.
  8. Spam isn't just for eating. Spam is something in the corporate world that plagues many companies and users. If some prince in Nigeria says he has 5 million dollars for you, that should be your best clue that the email is bad news. Check who it's from: an email from sdc2@#dd@misseddeliveries.dhl.com is not from a real email address. Before I forget, if you get an email from a friend with a link or a file ending in .exe, delete it and call the person to inform them that their email has been hijacked or they are now a spam bot.
  9. Don't turn off your Windows Firewall unless you know what you're doing. I know it can get in the way of your torrent downloads, which 99% of the time are illegal anyway and filled with viruses and malware. Your firewall is the first line of defense on a PC, so learn to use exceptions; that can be learned with some simple googling.
  10. Common sense is key. If you think before you click, you won't have to spend $50 to $200+ getting your PC cleaned or wiped and reloaded. Also, don't get mad at the computer repair person because you have to shell out the money. He didn't infect the computer, but he might be able to help you prevent it from happening again.
Hopefully this serious but light-hearted post will help some people. Home and business network security should be taken very seriously. Billions of dollars are spent every year dealing with the aftermath of viruses and spyware. One of the most expensive repercussions is identity theft, which can be one of the most damaging things to your credit and your family's well-being. Web content filtering is another way to keep your children and/or employees from going to unwanted sites. SkyByte Consulting provides network firewall security services and also works with clients to provide disaster recovery solutions.

Lync Server 2010 Mobility Installation Information And Guide

Saturday, January 14, 2012 by Mario McGuire

This is a follow-up to a previous post announcing the release of the Lync 2010 mobility server-side bits. Before deploying these updates, remember to test them in your lab. Make sure to take the time to read the documentation fully before installing. I just wanted to share these links in case people were looking around on the Internet for them:


Links to Microsoft Server Support: 

Mobility and Auto Discover Services:
http://www.microsoft.com/download/en/details.aspx?id=28356

Mobility Deployment Guide:
http://www.microsoft.com/download/en/details.aspx?id=28355

Hardware Load Balancer Requirements For Lync After Cumulative Update 4:
http://blogs.technet.com/b/nexthop/archive/2011/11/03/hardware-load-balancer-requirements-for-lync-server-2010.aspx


Tip: make sure you consult your network security admin about this update, as it will require some ports to be added to your firewall access rules.

Configuring file associations in Citrix Xenapp 6 environments - Citrix Xenapp Support

Friday, January 13, 2012 by Greg Bock

I recently installed a CAD viewer as a published application in a Citrix Xenapp installation. The Xenapp environment is running Windows Server 2008 R2 across all servers in the farm. The goal was to be able to open .DWG files in this application by double clicking on any .DWG file. Unfortunately, this specific CAD viewer application did not associate itself with any file extensions in the system's registry. Instead, double clicking the file opened the window asking how you would like to open the file, which would have been a problem.

There are a few ways you can associate a file type in Windows Server 2008 R2. You can manually select the program to open the file and tick "Always use the selected program to open this kind of file", or you can associate the file type under Default Programs in the Control Panel. Since we are using roaming profiles, these user settings are immediately lost upon log off. Associating the file type under the administrator account will not apply to all users either.

Furthermore, in the Citrix console you can associate file types with a published application under the Content Redirection properties of that application. This useful feature makes specific file types always open with the published application. The only downside is that Citrix reads the registry of your Xenapp servers to determine which file extensions can be associated, so an application that never registered itself will not appear there. The resolution is to manually associate the file type using the assoc and ftype commands on the Xenapp server.

The assoc command associates the file extension with a file type name (a ProgID; by convention it contains no spaces):

assoc .dwg=DrawingFile

The ftype command configures that file type to open with a program. Quote both the program path and the %1 placeholder so paths and file names containing spaces survive:

ftype DrawingFile="Program file path\program.exe" "%1"

Running assoc .dwg and ftype DrawingFile with nothing after them prints the current values, which is a quick way to confirm both entries before updating the farm.

Once these commands are entered, update your farm with the new file types: right click on the Xenapp server > Other tasks > Update file types from the registry. The file type will then show up under Content Redirection for the published application, and you can apply it to all servers publishing this application.
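The same registration in PowerShell, added here as an example and not code from the original post: it mirrors the assoc/ftype pair above, warns before taking over an extension another product already owns, and reads the result back so it can be checked before the farm update. The ProgID and viewer path are hypothetical placeholders.

```powershell
# Added example, not code from the original post: a PowerShell equivalent of the
# assoc/ftype pair, with a guard against overwriting an existing association and
# a read-back check to run before "Update file types from the registry".
# The ProgID and the viewer path below are hypothetical placeholders.
$Classes = 'HKLM:\SOFTWARE\Classes'   # machine-wide keys that assoc/ftype write

function Set-MachineFileAssociation {
    param(
        [Parameter(Mandatory)][string]$Extension,   # e.g. '.dwg'
        [Parameter(Mandatory)][string]$ProgId,      # file type name, no spaces
        [Parameter(Mandatory)][string]$ExePath      # full path to the viewer
    )
    if ($Extension -notmatch '^\.[A-Za-z0-9]+$') { throw "Bad extension: $Extension" }
    if ($ProgId -match '\s') { throw "ProgID must not contain whitespace: $ProgId" }
    # A command pointing at a binary that does not exist is confusing and leaves
    # a dangling path behind, so refuse to create it.
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "Viewer not found: $ExePath"
    }
    # Do not silently take over an extension that another product already owns.
    $extKey   = "$Classes\$Extension"
    $existing = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).'(default)'
    if ($existing -and $existing -ne $ProgId) {
        Write-Warning "$Extension currently maps to '$existing'; replacing with '$ProgId'"
    }
    # Same effect as:  assoc .dwg=<ProgId>
    if (-not (Test-Path -LiteralPath $extKey)) { New-Item -Path $extKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $extKey -Name '(default)' -Value $ProgId
    # Same effect as:  ftype <ProgId>="<ExePath>" "%1"  (both parts quoted)
    $cmdKey = "$Classes\$ProgId\shell\open\command"
    if (-not (Test-Path -LiteralPath $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $cmdKey -Name '(default)' -Value ('"{0}" "%1"' -f $ExePath)
}

function Get-MachineFileAssociation {
    # Reads the association back the way the shell resolves it, so a typo in
    # either key shows up here rather than in the farm's Content Redirection list.
    param([Parameter(Mandatory)][string]$Extension)
    $progId = (Get-ItemProperty -LiteralPath "$Classes\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = "$Classes\$progId\shell\open\command"
    $cmd    = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $cmd }
}

# Usage: run elevated on each XenApp server, then update file types from the
# registry in the console as described above.
Set-MachineFileAssociation -Extension '.dwg' -ProgId 'SkyByte.DrawingFile' `
    -ExePath 'C:\Program Files\CADViewer\viewer.exe'   # hypothetical path
Get-MachineFileAssociation -Extension '.dwg' | Format-List
```

Per-user keys under HKCU\Software\Classes and Explorer's own "open with" choices still override these machine-wide entries, which is why the post relies on the machine hive with roaming profiles.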

SkyByte Consulting has many years of experience with Citrix Xenapp installations and support.  Call or email us today!

How To: Adding "Trusted Sites" to Internet Explorer, with VB and .Reg files

Friday, January 13, 2012 by Mario McGuire
With the ever growing popularity of web server based products from Microsoft and other vendors, I have seen more and more clients require sites to be added to their "Trusted Sites" list. For domain-joined machines it's as easy as making a few Group Policy changes and voilà! For individual non-domain-joined machines it's a bit more involved. Internet Explorer's "Enhanced Security Configuration" (ESC) is not on by default for Windows 7 clients; I recommend turning it on because of the rampant viruses and spyware that plague users of the open Internet.

I've explained many times to users how to manually add the sites they require to their Trusted Sites. This is difficult, as it is time consuming and some users don't have the level of knowledge required to make the changes. I came up with a script that allows the sites to be added easily: fill in the sites, deploy the script and have the user execute it (requires local admin access). Remember to be careful and only add sites you truly know are safe, as this can have unintended consequences for users who require the use of websites that employ ActiveX or JavaScript.

The registry key for adding sites is located here -
  • Per User -
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
  • The Whole Machine (Globally)
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

If you are working on a specific user's needs, then you will want to edit HKCU (HKEY_CURRENT_USER); if you need the same sites or domains trusted for every user of the machine, then use HKLM (HKEY_LOCAL_MACHINE). Below I will give two different approaches to making this an easy add for your users, or for you as the admin.

The first way is using the following VBScript (.vbs) file:

Option Explicit

' Domains to place in the Trusted sites zone. Raise the array bound when
' adding more; the loop below uses UBound so it always covers every entry.
Dim DomainArray(4), strComputer, strHTTP, strHTTPS
Dim dwordZone, regPath, objReg, counter, subkeyPath, rc
Const HKEY_LOCAL_MACHINE = &H80000002

DomainArray(0) = "trusteddomain0.com"
DomainArray(1) = "trusteddomain1.com"
DomainArray(2) = "trusteddomain2.com"
DomainArray(3) = "trusteddomain3.com"
DomainArray(4) = "trusteddomain4.com"

strComputer = "."        ' "." = the local machine
strHTTP = "http"
strHTTPS = "https"
dwordZone = 2            ' zone 2 = Trusted sites; must be numeric for a DWORD value
regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" & _
        "\ZoneMap\EscDomains\"
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")

For counter = 0 To UBound(DomainArray)
        subkeyPath = regPath & DomainArray(counter)
        ' StdRegProv methods return 0 on success; anything else is reported
        ' (typically access denied when not run as a local administrator).
        rc = objReg.CreateKey(HKEY_LOCAL_MACHINE, subkeyPath)
        If rc = 0 Then rc = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE, subkeyPath, strHTTP, dwordZone)
        If rc = 0 Then rc = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE, subkeyPath, strHTTPS, dwordZone)
        If rc <> 0 Then
                WScript.Echo "Failed on " & DomainArray(counter) & " (return code " & rc & ")"
        End If
Next

The above script, when executed, will insert 'trusteddomain0.com', 'trusteddomain1.com' and so on into Internet Explorer's Trusted Sites zone on any machine it is run on. The user running it will need to be a local admin on the machine, or any user that has access to write to the HKEY_LOCAL_MACHINE registry hive and make other changes that are global to the machine.

The next way involves creating a "Registry Entries" (.reg) file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\trusteddomain0.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\trusteddomain1.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\trusteddomain2.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\trusteddomain3.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\trusteddomain4.com]
"http"=dword:00000002
"https"=dword:00000002

Just like the previous script, this must also be run by a user with administrator privileges, and any changes will be global for all users of the machine. You can customize this file to fit your needs. Please also make sure before deploying these that the changes will not violate your network security policy.
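A PowerShell version of the VBScript and .reg approaches above, added here as an example and not code from the original post: it validates each name before writing it and includes an audit function that lists every host any zone map already places in Trusted Sites, which is the check to run before and after deploying either file. It assumes the fact that Internet Explorer reads ZoneMap\Domains normally and ZoneMap\EscDomains when Enhanced Security Configuration is on; the domain names are constructed samples.

```powershell
# Added example, not the post's script: adds domains to the Trusted sites zone
# with input validation, then audits which hosts are already trusted anywhere
# on the machine. Domain names are constructed samples.
$ZoneMapRoot = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$TrustedZone = 2   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted

function Add-TrustedSiteDomain {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        # IE consults ZoneMap\Domains normally and ZoneMap\EscDomains when
        # Enhanced Security Configuration is on; the post targets the latter.
        [ValidateSet('Domains', 'EscDomains')][string]$MapName = 'EscDomains',
        [switch]$CurrentUser   # write HKCU (per user) instead of HKLM (whole machine)
    )
    $hive = if ($CurrentUser) { 'HKCU:' } else { 'HKLM:' }
    foreach ($d in $Domain) {
        # Only a bare host or domain name is accepted: a scheme, path or
        # wildcard here would widen the trust grant beyond what was intended.
        if ($d -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') { throw "Rejected domain name: $d" }
        $key = "$hive\$ZoneMapRoot\$MapName\$d"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($scheme in 'http', 'https') {
            New-ItemProperty -LiteralPath $key -Name $scheme -PropertyType DWord `
                -Value $TrustedZone -Force | Out-Null
        }
    }
}

function Get-TrustedSiteDomain {
    # Walks HKLM and HKCU, Domains and EscDomains, and returns each scheme that
    # maps to zone 2. Subkeys are host labels: ...\example.com\www is
    # www.example.com. Sites assigned through the "Site to Zone Assignment List"
    # GPO live under ...\Policies\...\Internet Settings\ZoneMapKey and are not listed.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($map in 'Domains', 'EscDomains') {
            $base = "$hive\$ZoneMapRoot\$map"
            if (-not (Test-Path -LiteralPath $base)) { continue }
            $baseName = (Get-Item -LiteralPath $base).Name
            foreach ($key in Get-ChildItem -LiteralPath $base -Recurse) {
                $labels = @($key.Name.Substring($baseName.Length + 1) -split '\\')
                [array]::Reverse($labels)
                $hostName = $labels -join '.'
                foreach ($valueName in $key.GetValueNames()) {
                    if ($key.GetValue($valueName) -eq $TrustedZone) {
                        [pscustomobject]@{ Hive = $hive; Map = $map; Host = $hostName; Scheme = $valueName }
                    }
                }
            }
        }
    }
}

# Usage (elevated for HKLM): add the constructed sample domains, then list
# everything that is now trusted so unexpected entries stand out.
Add-TrustedSiteDomain -Domain 'trusteddomain0.com', 'trusteddomain1.com'
Get-TrustedSiteDomain | Sort-Object Hive, Map, Host | Format-Table -AutoSize
```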

SkyByte Consulting provides support for many clients, from small to large and everywhere in between. In the case of Microsoft SharePoint, Dynamics, and other MS enterprise products you can deploy Microsoft's Threat Management Gateway (TMG) or Unified Access Gateway (UAG), which can act as a reverse proxy for the sites. I hope this post will help a few admins out there with authentication annoyances and prevent unneeded service tickets.

All information presented on this blog is for informational purposes only and is provided on an as-is basis.

Microsoft Lync 2010 Android and iOS clients released

Saturday, December 24, 2011 by Mario McGuire
Good news: as of December 2011 it's now possible to have your Android, Windows and iOS based mobile devices attach to your company's Lync 2010 environment. More and more, it seems that companies like Microsoft and many others are supporting these devices.

To get the applications please go to the following -

Android - https://market.android.com/details?id=com.microsoft.office.lync

iPad - http://itunes.apple.com/us/app/microsoft-lync-2010-for-ipad/id484222449?mt=8

iPhone - http://itunes.apple.com/us/app/microsoft-lync-2010-for-iphone/id484293461?mt=8

Beware of problems after installing this new software, as it seems to have issues with connecting. This apparently is caused by certain network security settings. I am currently working with a client to figure out what is needed to fix these issues. I will follow up this blog with another explaining my findings. Keep in mind this is the first release, and I'm sure there will be revisions to these applications to provide better functionality.

Lync continues to be a bright spot in Microsoft's recent history. Now more than ever, Microsoft seems to have a very aggressive mobile platform support initiative. With the release of Windows 8 and a few other products, I'd say Microsoft will be very busy in 2012!

Is Gmail Challenging Microsoft's Exchange for Corporate E-mail?

Saturday, December 24, 2011 by Mario McGuire
In today's market Microsoft's Exchange controls the enterprise e-mail market, but a recent report from Gartner says Google's Gmail could possibly make a dent in that market share. Gmail has become the most popular consumer email service, but in the enterprise market it sits at only approximately 1%. Google does, however, control about one half of the market for cloud-based enterprise email, which is in its infant stages. Currently cloud-based email accounts for only about 3 - 4% of the overall enterprise e-mail market, but Gartner projects exponential growth in this segment. It estimates about a 20% increase by the end of 2016 and 55% by 2020.

Many have tried and few have succeeded -

Many companies have tried to jump into the enterprise market with little or no success. Novell, IBM and Cisco have been losing ground in their collective cloud attempts, but can Google rise to the challenge? The problem with hosting your company's e-mail on Google's servers is.... Google is a data mining company! With that being said, it makes you wonder how many times your emails and documents have been indexed and scanned for usable content?

How many companies will be willing to switch? - 

I have a feeling that Google will be fighting an uphill battle on this one. Here are some examples.
  • The URL for accessing Gmail (mail.google.com) is blocked by many organizations because they don't want personnel accessing their e-mail while on company time.
  • There is no Global Address List functionality. This means that you wouldn't be able to have a single "Marketing Contacts" address book shared by all of your marketing people. The "shared contacts" functionality only really means that things are shared within your domain.
  • Contact sync to mobile devices - at least with the iPhone there is no way to sync a subset of Gmail contacts. Most people don't want all of their email contacts added to their phone's address book.
  • Having the reassurance of Microsoft Server Support specialists or public forums when your company runs into problems.

Final Thoughts -

There is a lot of talk on the Internet about Google challenging Microsoft on Office and Exchange. Often I hear things like "It's free! Microsoft is in trouble!!", but Google isn't even close to offering what an enterprise would need. At least for now they don't seem to be trying anyway. I can't stress enough the importance of the Microsoft server support and administration aspect. A Microsoft environment is more expensive, but it has the flexibility to create the structure you want, with locally certified administrators providing in-person support. If you compare that against forcing your business into a cookie-cutter administrative template and not having support, most businesses that I deal with consider Gmail more expensive.

Apple iPad/iPhone SSL certificate connection error using Citrix Receiver - Citrix Xenapp Support

Sunday, December 18, 2011 by Greg Bock

We recently created a brand new Citrix Xenapp 6.0 environment with four Windows 2008 R2 servers in our farm. 40 users will be connecting into the environment from a variety of platforms, including thin client technology, mobile PCs, and now mobile tablets and phones. One of the goals in our Citrix Xenapp installation was to support as many platforms as possible. With Citrix, that is entirely possible with a few tweaks to get things working right. With mobile devices becoming the preferred computing device, especially tablet PCs, Citrix access from them has become a frequent request in recent years.

Citrix offers a lightweight application for iOS, Android, and Blackberry devices called the Citrix Receiver. This simple app provides secure access into your company's Xenapp environment. You can stream published apps and use your desktop from the convenience of a tablet.

During our testing phase, we ran into an issue with iOS 5 devices not accepting the SSL certificate installed on the Secure Gateway server running Windows IIS 6. We experienced the problem on both the iPad 1 and iPad 2 and also the iPhone 4, and more than likely it affected all iOS devices. We had reason to believe it was due to our standard SSL certificate issued through GoDaddy, since we had other environments working with an SSL certificate from another CA. The problem occurred when an iOS device attempted to launch an app or published desktop. The connection would fail halfway and say:

Connection Error:  You have not chosen to trust "Go Daddy Secure Certification Authority", the issuer of the server's security certificate.  Error Number: 183

After researching the problem I found the following video from Citrix, walking you through the fix step by step.  This resolved the issue entirely.

http://www.citrix.com/tv/#videos/2699

Android OS Enterprise Security Considerations - Are you at risk?

Sunday, December 18, 2011 by Mario McGuire
Is having an Android phone on your corporate network going to cause any substantial security risks? Well let me give you some information that can calm the waters a bit.

Spike in Malware -

A recent report showed a 400% annual growth in Android malware. This stat is a bit misleading, though, considering that it started from near zero. A group of anti-malware vendors have reported a rapid rise in Android malware, and a fast-moving upward trend is clear. What most people don't know is that the hundreds of Android apps infected by malware are dwarfed by the millions of PC infections.

Upon doing some research of my own I noticed that the reports I was reading pointed out that most of the Android malware being downloaded was actually coming from third party markets rather than Google's Android Market. Most people in the industry know that Apple's market is much more stringent about the applications that are published. Users that download from a reputable source are far less likely to download infected applications.

Making Mountains out of Mole Hills?

To put this all into perspective, let me start with the fact that enterprises have used anti-malware for years because of the immense number of worms, trojans, and other viruses threatening PCs. This PC malware was pervasive and damaging enough that risk management was warranted. The time has come to take these Android threats seriously, but remember the focus should be on the biggest business risk.

Malware seems to make juicy headlines, but the reports identify other aspects of Android security that pose a more significant threat. McAfee's report notes that "Android provides a small set of APIs to administer the device; the OS controls the password/PIN policies and can remote wipe the phone." This is fairly limited and not much help when performing network security assessments or building a security product. This is exactly why IT departments are resorting to encrypted containers and third party MDM agents to protect corporate data and enforce more extensive policies.

One other important issue to note is that while Google fixes vulnerabilities within days of discovery, it's up to the manufacturers to produce the firmware updates applying the fixes. This process has been complicated by the fact that a single device model may need many updates to support carrier-specific customizations. Once the manufacturer produces an update, it's up to each carrier to test it and deploy it to the users. This all means time to patch can be very lengthy, and enterprises have no way to control or speed up vulnerability management.

What does all this mean?

Market fragmentation makes it difficult for enterprises and vendors to apply consistently strong controls.
  • Android 3.0 (Honeycomb) made hardware encryption possible for manufacturers.
  • Android 4.0 (Ice Cream Sandwich) will further raise that bar.
Enterprises will still have to deal with many different devices, each with different security capabilities and vulnerabilities. MDMs can help by enabling IT visibility and control, but IT must then shoulder the burden of deciding which devices are "secure enough" while limiting or banning business use of the rest. These problems should be at the forefront of an enterprise's network security policy considerations when deciding how to mitigate Android threats. Don't ignore the Android malware; just battle it as a part of broader Android device management and security policies.

VMware Horizon Mobile And Mobile Virtualization Platform (MVP) Are Coming Next Year

Saturday, November 26, 2011 by Mario McGuire
VMware is constantly pushing boundaries on the virtualization front and sometime next year will release MVP, or Mobile Virtualization Platform. This exciting technology will allow a single phone to become your personal and business cell phone all in one. With MVP, companies' IT teams can enforce security and compliance policies, ease management, and reduce capital expenditures while giving employees the freedom to use the mobile device of their choice.
  • Secure employee-owned devices with access to corporate resources.
  • Manage and provision all mobile endpoints and desktop from a single interface.
  • Reduce costs and allow employees to use their own mobile device for work.
  • Safely support a wide variety of mobile phones connecting to a company network.
More and more users are asking their IT departments to support their Android, iOS, and Blackberry units; this is called the "Consumerization of IT". There are many challenges for IT departments to keep up with security, compliance and ease of management. VMware MVP will allow enterprises to get the security and ease of management they require while reducing the costs involved.

Deploying a corporate profile on an employee-owned device allows IT departments to enforce security and compliance policies. With VMware MVP, a personal profile and a company profile can securely and simultaneously run on the same device instead of having two separate devices. Corporate applications and data are securely isolated from an employee's personal profile.

Management of mobile devices has always been a tough task. With VMware MVP you can remotely provision, manage and update corporate profiles in a streamlined manner no matter what device the user carries. Employees can use their personal devices to connect to their corporate network from a profile that was provisioned and managed by their company's IT department. IT administrators can manage mobile endpoints and desktops from a single interface.

The ever growing mobile market will continue to present IT departments with new challenges. There are a few companies out there, like VMware, that are working to make these devices easier for IT to administer and more productive for the end user. Look for more information on this product in the coming months. This will be a much anticipated release for the coming year.


Desktop icons launch with a single click - Citrix Xenapp Support

Saturday, November 26, 2011 by Greg Bock
SkyByte is currently in the process of deploying a Citrix Xenapp installation and upgrade for a 40 user environment. The new Xenapp 6.0 farm includes four virtual Windows 2008 R2 servers and a variety of published applications. The farm is running on a VMware vSphere cluster, with end users on some of the latest thin client technology. The current farm runs Citrix Presentation Server 4.0 on several Windows 2003 servers. The major drawback of the current system is the 32 bit hosts and the 4GB memory limitation. The 64 bit architecture will allow us to handle more users per host and, more importantly, allocate more resources. Each host can efficiently run resource-hungry applications such as Microsoft Excel 2010.

Testing showed small tweaks were needed. One behavior we discovered that I want to mention was that everything opened with a single click instead of the traditional double click. We felt most users are accustomed to double clicking, so it needed to be changed. With single-click launching it is too easy to accidentally launch programs and unnecessarily change things on the desktop.

To change the setting from single to double clicking, a change was needed in Group Policy. Even though double clicking shows as enabled under Folder Options in 2008 R2, Group Policy was overriding it. The setting "Turn on Classic Shell" must be Disabled under:

User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer

Once the policy took effect, normal double clicking behavior was restored.