ICA Client Linux

Debian 8, Jessie, Installing Citrix Receiver

Download the Citrix Receiver Client from here:

Now install the client using the commands:

sudo dpkg -i ~/Downloads/icaclient_*.deb ctxusb_*.deb
sudo apt-get -f install # Install missing depends.

Next, configure the client:

sudo /opt/Citrix/ICAClient/util/configmgr &

Without executing this command I would get a brief pop-up and then the Citrix client would simply disappear – no errors were displayed.

Using FireFox? Check here for specific instructions:

SSL configuration for GlobalSign SSL (if you’re using a different CA you can skip this / retrofit to meet your needs).

Download GlobalSign Root CA crt files from:


Convert to PEM format using openSSL:

openssl x509 -inform DER -in Root-R1.crt -out Root-R1.pem -outform PEM
openssl x509 -inform DER -in Root-R2.crt -out Root-R2.pem -outform PEM
openssl x509 -inform DER -in Root-R3.crt -out Root-R3.pem -outform PEM

Copy these to: /opt/Citrix/ICAClient/keystore/cacerts

sudo cp *.pem /opt/Citrix/ICAClient/keystore/cacerts/

Rehash the ICA Client certificates:

sudo c_rehash /opt/Citrix/ICAClient/keystore/cacerts/

Citrix “official” instruction are available here:

If you get SSL Error 61 :: “Contact your help desk with the following information: You have not chosen to trust “GlobalSign RootCA”, the issuer of the server’s security certificate (SSL error 61).”


You haven’t imported / rehashed the necessary SSL certificates for your servers certificate.

Presentation Server

Citrix : Slow Login, Profile Cleanup Script

Ran into a strange issue today with two Citrix servers, both suddenly started to exhibit extremely long logins of ~3 minutes – this initially meant that users could not access any published applications on the servers due to the default LogoffCheckerStartupDelayInSeconds timeout of 60 seconds. Sessions would start, hang at the “Welcome” stage of the Citrix application startup and then the session would terminate after 60 seconds.

We modified this registry key to 180 seconds and applications would then launch, workaround in-place, but what was really causing the issue?

After a LOT of troubleshooting it was discovered that there were 100+ profile folders on the servers. We scripted cleanup of these profiles using the script below, login times dropped to ~25 seconds.


Citrix : Profiling Microsoft Office 2010

Application Virtualisation is not a new technology, yet many companies are not using it. By placing an applictaion in a ‘bubble’ you can run, for example, different version of Microsoft Office on the same PC wihtout any problems – effectively because the application isn’t actually installed.

For the purposes of this article I wanted to see how easy it would be to ‘profile’ (or package) Microsoft Office 2010 for streaming using XenApp 6.5, including configuring offline access.


NetScaler : Upgrading VPX 9.3 to VPX 10

With NetScaler VPX 10 now released I thought I’d upgrade the HA pair I’ve configured for the recent articles on the site.

Needless to say the pocess is fairly quick and fairly simple, click the jump to read more.


NetScaler : Configuring Access Gateway for Storefront 1.1

Following the XenApp 6.5 deployment in my previous article I thought I’d detail how to configure Access Gateway for Storefront 1.1, I’ll also leverage the Load Balancer I configured in a previous article so essentially users will be able to login remotely using Access Gateway, then be Load Balanced by the NetScaler to an appropriate StoreFront Server on your internal network.

This article assumes you have deployed the NetScaler Appliance (instructions here) and configured basic Network Settings including a DNS Nameserver.


NetScaler : Load Balancing Storefront 1.1

In this article I’ll cover setup of an internal NetScaler VPX Load Balancer for Storefront 1.1. Note that this configuration will also work with Storefront 1.0, just the Storefront MMC snap-in doesn’t work as-of the 1st April this year!

Use the following article to install and configure Storefront for internal use first.


Citrix : Deploying XenApp 6.5

In this article I’ll briefly cover the deployment of XenApp 6.5 alongside the Citrix Licensing Server configuration, this is very much geared towards an article that I’m working on at the moment for Citrix Access Gateway (NetScaler VPX based) configuration for Storefront 1.1 and also Local Balancing Storefornt via the NetScaler VPX appliance.


NetScaler : Using VMACs for High Availability

This article is a natural progression of the recent serieis of articles I have published on deployment and configuration of NetScaler VPX devices for load balancing Exchange 2010:


What are VMACs are why use them?

VMAC’s are a useful addition in the NetScaler high availability tool set. In brief a VMAC creates a virtual MAC address that can ‘failover’ between devices. VMACs can be used to compliment the built-in HA or to create an active/active NetScaler pair.

By virtualising the MAC address there is no drop in network connectivity during failovers as the MAC address is shared across NetScaler devices – this means that the CAM table in the upstream switches does not require any update. As a result, failovers between NetScaler devices should be faster and less intrusive with regards to user sessions/connections.

VMAC’s work using a ‘priority’ – the higher priority determines ownership of the VMAC between devices. In a NetScaler HA configuration the priority of the VMAC between devices is the same, without HA it is configurable. For example if we had two NetScalers not using HA, NS1 and NS2, and a single VMAC configured on each we could set NS1 to have a priority of 100 and NS2 to have a priority of 90. NS1 would have ‘ownership’ of the VMAC because of its higher priority.

There are a couple of options when configuring VMAC’s:

  1. If you are using the built-in NetScaler HA then you will continue to get Active/Passive HA
  2. If you chose not to use the built-in HA feature then you can get Active/Active HA

One key benefit of using HA as well is that it synchronises the session tables across devices, without HA a failover of VMACs will disconnect Outlook Web Access users as their sessions is lost at failover, with HA sessions are kept, there is just a brief interruption to the user before they can carry on.

It is also possible to assign a VMAC to a single IP address, or group multiple IP addresses into a single VMAC. The first option allows for granularity when assigning ownership as you can assign each VMAC to a device of your choice whereas grouping the IP’s into a single VMAC reduces configuration but also reduces the options you have for splitting traffic. One option could be to group the IP’s into VMACs that represent services, so if you are load balancing multiple services via your NetScalers create a VMAC per service, i.e. Exchange 2010, Citrix Access Gateway etc.


NetScaler : Configuring High Availability

In a NetScaler Load Balancing Exchange 2010 I covered deployment of a NetScaler device to Load Balance Exchange 2010, this is an extension fo that article – illustrating how to configure a second NetScaler device in a High Availability Pair.

In this article I’ll illustrate how to add a secondary NetScaler device and configure High Availability to ensure you have a resiliant NetScaler deployment.


NetScaler : Load Balancing Exchange 2010

This article will illustrate configuration of both a one-arm and two-arm topology for load balancing Exchange 2010 SP1 using a single NetScaler VPX (NS9.3: Build The specific focus is on a one-arm topology, however I’ll clearly outline what’s required if you decide to use a two-arm configuration; either way by the end of the article you’ll have a working deployment… I hope!

This guide assumes you have deployed the NetScaler VPX and configured an IP address – for information on how to do this see the NetScaler Deployment Article.