March 4, 2019 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
March 4, 2019 [00:23:50] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has quit IRC (Quit: %Adieu! I have too grieved a heart to take a tedious leave.%)[01:22:31] *** PocketKn1fe is now known as PocketKnife[02:27:27] *** GenteelBen <GenteelBen!~Ragenix@cpc129116-lutn14-2-0-cust31.know.cable.virginm.net> has quit IRC (Quit: Leaving)[02:35:40] *** yuljk <yuljk!~yuljk@unaffiliated/yuljk> has joined #Citrix[10:57:07] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has joined #Citrix[11:00:21] <Olivier83> Hello[11:01:33] <Olivier83> I received a job offer: Citrix 6.5 and 7.15 ideally. Our current production farm is on 6.5 with a migration project to 7.15 in flight. Citrix (XenApp 6.5, XenApp/XenDesktop 7.x, ELM, PVS, CWEM)[11:01:53] <Olivier83> What is ELM and CWEM?[11:02:00] <Olivier83> they probably meant WEM[11:02:28] <Olivier83> ELM is app layering[11:21:00] <cs-bot> <masterxen> WEM is Workspace Enviroment Manager[11:22:00] <cs-bot> <masterxen> ELM is Enterprise Layer Manager[11:29:49] <Olivier83> So an interesting job if I can work on a WEM+ELM environment[12:16:08] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has quit IRC (Read error: Connection reset by peer)[12:17:53] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has joined #Citrix[12:23:08] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has quit IRC (Ping timeout: 255 seconds)[12:26:58] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has joined #Citrix[13:32:46] *** geheimnis` <geheimnis`!~geheimnis@23.226.237.192> has quit IRC (Remote host closed the connection)[13:40:34] *** geheimnis` <geheimnis`!~geheimnis@23.226.237.192> has joined #Citrix[14:26:00] *** braynyac <braynyac!uid6699@gateway/web/irccloud.com/x-tddrwzjekuznvfps> has joined #Citrix[14:31:57] <Olivier83> hi[14:35:48] <Biny> hi[14:39:06] <Biny> how goes the future?[14:43:49] <Olivier83> reading carl stalhood's ELM documentation for my upcoming interview[14:46:52] <Biny> i think the only people in here who use ELM at all are .. possibly you, and i think steeb` was asking about it :P[14:47:01] <Biny> I tried to implement it, it's just too slow to manage[14:47:43] <Olivier83> it's a client in central who want to migrate to ELM with PVS[14:48:06] <Olivier83> so in this case this could work? If you merge the layers in a single vdisk[14:49:03] <Olivier83> I've used VMware Cloud Volumes and it wasn't too bad[14:49:13] <Olivier83> but here we can read that ELM is slow indeed[14:50:28] <Biny> like, i fyou wanted to truly implement ELM and you have say 300 apps[14:50:34] <Biny> you'd have to make *300* layers[14:50:44] <Biny> which involves cloning the base layer, waiting for it to spin up a vm[14:50:54] <Biny> sealing the layer, then re-merging to base layer[14:51:14] <Biny> but you could likely in theory, take a ELM disk image and consolidate it to one disk[14:51:28] <Biny> you could also just switch to MDT and re-build that entire image and call it a day :o[14:52:32] <Olivier83> yes but with layering you have a "snapshot install" instead of a scripted install[14:53:57] <Olivier83> I will try not to talk about App-V[14:54:30] <Olivier83> I prefer App-V but it's slow... because you have this isolation layer.[14:55:05] <Olivier83> With ELM, you have the User Layers, for what I understand it's similar to App-V?[14:56:04] <Olivier83> ah no, it's like a PVD[14:57:47] <Olivier83> I was talking about the Elastic Layers[15:00:59] <Olivier83> so that's the usual question, what should be in the base image and what should be dynamically assigned to users, the common apps vs the business apps[15:14:15] <Biny> apps that consume licenses are, imo, the only apps that should be their own 'instance'[15:14:31] <Biny> i could really care less if someone finds how to launch powerpoint and i don't have it published as a WEM shortcut to them[15:18:55] <Olivier83> I like to think that there should be a single integration process for every apps in the organization: 1) the application can be deployed in an Elastic Layer <if not> 2) the application can be deployed in a disk layer <if not> the application can be deployed in the base OS image[15:19:32] <tabularasa> morning peeps[15:19:57] <Olivier83> and last resort the application will be hosted on a single XenApp instance or VM Hosted App worst case (but I think VM hosted app is dead?)[15:19:59] <tabularasa> That all sounds like a nightmare[15:20:23] <Biny> hehe yeah[15:20:26] <Olivier83> why? I like to think that this is the perfect process :)[15:20:29] <Olivier83> why not?[15:20:34] <Biny> management of it all[15:20:38] <Biny> updating it all[15:21:12] <Biny> with MDT, I can roll out a fresh image with fully patched OS, apps, in 2hours automatically.[15:23:11] <Olivier83> yes but you could have then a very large image with lots of applications[15:23:18] <Olivier83> so you need to know them very well[15:23:21] <Biny> eh[15:23:24] <Olivier83> and at least disable things on startup[15:23:34] <Biny> i set what i want to luanch on startup in WEM[15:23:38] <Biny> everything else is disabled[15:23:52] <Biny> we also run MCS, so only (1) image active (for space concerns)[15:24:31] <Olivier83> is it not how ELM is sold? to have just the apps you need per instance[15:24:49] <Olivier83> as opposed to the "tanker vdisk"[15:24:54] <Olivier83> fully loaded[15:25:49] <Olivier83> but yes I understand this, I mean I had to fight many times when they install all apps in a single vdisk but do not manage what is started at boot or at the user session[15:26:24] <tabularasa> i'm still pretty suspect of that whole app layering thing[15:26:42] <Olivier83> I think that the managers like the idea, I mean the picture[15:27:56] <Biny> it sounds great on paper[15:28:02] <Biny> but in execution, its a beast[15:28:20] <Biny> like on our vmware environment when i was playing with it[15:28:29] <Biny> it took _2_ hours to seal the disk with all the app layers[15:28:32] <Biny> and _2_ hours to unseal it[15:28:39] <tabularasa> geesh[15:28:50] <Biny> each app disk layer took almost an hour to create, and another hour to seal[15:29:01] <Biny> i'd be looking at a 40 hour week just getrting the layers ready to manage[15:29:13] <Biny> granted with SSD's i'd assume it'd be faster.[15:29:42] <Olivier83> the MDT solution is probably better[15:30:18] <Biny> stupidly easy to implement as well, and iirc mdt licensing isnt needed or is included with something that almost anyone should have already[15:30:51] <Biny> i just threw a hook onto the end of mine to connect to studio and provision a MCS clone to our sandbox catalog[15:31:09] <Biny> it sends out an email to the team and switches the published desktop to it for our test group[15:31:22] <Biny> then i kick it to prod[15:32:19] <Olivier83> but most of the time they have bad management so they are far from having a packager specialist to build images with MDT[15:32:26] <Olivier83> in the team[15:33:04] <tabularasa> we are using MDT and chocolatey to build images[15:34:22] <Biny> dont really need to package them at all, unles it's something incredibly specialized[15:35:30] <Olivier83> I agree that this is what should be done but it's hard to convince people[15:36:39] <Olivier83> now with ELM the process then should be the one I've suggested above[15:37:13] <Olivier83> with an Elastic Layer it should be fast to "capture" an app[15:37:26] <Olivier83> with VMWare Cloud Volume it's fast, with App-V it's fast[15:37:48] <Biny> with elm it's not :P[15:37:54] <Biny> spin up a lab and test it out[15:38:10] <Olivier83> so they would be far being everyone else on this market[15:38:17] <Olivier83> behind[15:38:18] <Biny> i'd show you mine but i smashed it with a floobit hammer[15:38:42] <Biny> it's very "new" to citrix, they just acquired it[15:38:45] <Biny> a year ago I think?[15:38:50] <Biny> before that it was Unidesk[15:39:09] <tabularasa> maybe 2 now actually[15:39:21] <Biny> and i dont think they've done a single thing with it[15:39:28] <Olivier83> in a previous company they've chosen App-V for their "Elastic Layers" and the time to spinup the VM, sequence the app, and get the package ready takes only a few minutes[15:39:28] <Biny> other tha nputting their logo on it[15:40:01] <tabularasa> Ron knows his shit though. That guy is sharp as fuck[15:40:52] <Olivier83> I have to create a lab[16:34:38] <Olivier83> In a XA 6.5 farm, each Session hosts query directly the SQL database right?[16:34:59] <Olivier83> or they send everything to the XDC?[16:35:03] <Olivier83> ZDC[16:35:27] <Olivier83> I think because of the election process all XA 6.5 servers have access to the DB[16:36:13] <tabularasa> directly[16:36:25] <tabularasa> however, the ZDC makes the LB decisions[16:37:51] <Olivier83> and the Web Interface will query the XML service of a designated XA server for applications enumeration[16:38:26] <tabularasa> whatever is specified in the "farm" section of the WI, yes[16:38:29] <Olivier83> I think that you had to manually enter the "most preferred" and "preferred" ZDCs in the WI configuration[16:38:31] <Olivier83> ok yes[16:39:51] <tabularasa> no, that's not correct[16:40:00] <tabularasa> I think that you had to manually enter the "most preferred" and "preferred" ZDCs in[16:40:04] <tabularasa> the WI configuration[16:40:06] <tabularasa> that's not correct[16:40:48] <Olivier83> I mean as a best practice[16:41:18] <tabularasa> oh... wait.. i misread[16:41:19] <Olivier83> because you can manually defined the most preferred and preferred ZDCs in the AppCenter[16:41:21] <tabularasa> yes, you are correct[16:41:35] <Olivier83> so then as a best practice you use these servers in the Farm configuration for the Web Interface[16:41:37] <tabularasa> yes, you set those on the farm, then in WI, you enter those in the farm section of the website[16:41:40] <tabularasa> you are correct[16:42:08] <Olivier83> and yes the best practice was to have 2 ZDCs dedicated to that, not hosting any apps etc[16:42:19] <tabularasa> also correct[16:45:34] <tabularasa> to which i have 0 enviornments doing. haha[16:45:41] <tabularasa> though, none of mine are big enough[16:47:17] <PocketKnife> hey guys...last week i was soliciting everyone if they knew how to tell what TLS version a connection came in through[16:47:26] <PocketKnife> i found an article i wanted to share for posterity: https://security.stackexchange.com/questions/45867/how-do-i-verify-exactly-which-cipher-suite-is-in-use-for-this-remote-desktop-ses[16:49:42] <Olivier83> SCHANNEL logging, nice[16:54:50] <PocketKnife> Olivier83: I needed to figure out who is still using TLS 1.0 to reach out to them[16:55:05] <PocketKnife> cause i wanna pull that plug in the near future :) but last time, they nearly strung me up[16:58:42] <Olivier83> you need to identify who is connected using TLS 1.0[16:58:57] <PocketKnife> yes, sir[16:59:11] <Olivier83> what is the RDS host operating system?[16:59:16] <PocketKnife> mostly unpatched Win7[16:59:20] <PocketKnife> 2016[17:12:31] <Olivier83> so you have a timestamp[17:14:45] <braynyac> Morning everyone.[17:14:52] <braynyac> Figured out my problem with EDT externally.[17:14:57] <tabularasa> do tell[17:14:58] <braynyac> Netscaler version.[17:15:25] <tabularasa> what version were you on?[17:15:28] <braynyac> was testing on our current "production" NS / StoreFront setup, and forgot that when it worked, I was using the new on. 11.0 vs. 11.1[17:15:43] <tabularasa> doesn't work in newer builds of 11?[17:16:17] <braynyac> probably. We haven't updated this VPX in a while due to version of XenMobile running on it for a specific use case.[17:16:20] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has quit IRC (Read error: Connection reset by peer)[17:16:37] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has joined #Citrix[17:16:51] <braynyac> We're moving the StoreFront off this week to new VPX (FINALLY getting off Web Interface), which means it should work[17:22:24] <tabularasa> heh, yeah, i wouldn't touch that shit either if i was running XM... haha[18:17:16] *** Olivier83 <Olivier83!~Olivier83@31.221.4.66> has quit IRC (Read error: Connection reset by peer)[20:25:58] <Biny> baby wireshark dododododo[20:33:51] *** Thuryn <Thuryn!~Thuryn@216.106.72.146.reverse.socket.net> has joined #Citrix[20:38:05] *** KaiForce <KaiForce!~chatzilla@99.133.184.129> has joined #Citrix[20:58:21] <KaiForce> a manager has asked me to fail a web interface login for a user with no apps. Please tell me it is impossible.[21:08:59] <braynyac> KaiForce: huh? If the user doesn't have apps, don't log them in? Send them to an error message? For what reason?[21:24:53] <Biny> no apps will show.. so, that's pretty close to fail[21:48:39] <tabularasa> KaiForce: :facepalm:[21:49:32] <KaiForce> i don't know how to deal with this much dumb[21:50:36] <KaiForce> i'm going to tell him to build a domain of only users with Citrix apps and I'll give him what he wants.[21:51:15] <braynyac> There's an easier way[21:51:20] <KaiForce> i have no idea what the thought process is[21:51:26] <braynyac> But yours is more expensive, so much better =)[21:51:31] <braynyac> make it hurt![21:51:37] <KaiForce> lol exactly[21:52:06] <braynyac> "uh yeah, that's gonna cost us $25000. You sure you want to do that?" hahahaha[21:55:04] <KaiForce> What was your idea??[21:55:40] <Biny> KaiForce: you could change your LDAP scope[21:55:50] <Biny> to a "group" of users with whatever app access[21:56:01] <Biny> then remove the mfrom that group if they cant login[21:56:06] <Biny> then the ldap filter would fail to find them[21:56:08] <Biny> and fail the login[21:56:47] <Biny> so if a published desktop is scoped to XA7 PUBLISHED DESKTOP, use that as your ldap CN scope and check for membership prior to logging in[21:57:06] <braynyac> What Biny said[21:57:50] <KaiForce> no, I specifically said please tell me it is impossible[21:57:56] <braynyac> lol[21:58:01] <braynyac> ok - it's impossible[21:58:13] <Biny> use the group "It's impossible" then[21:58:20] <braynyac> LOL[21:58:21] <Biny> then it would be.[21:58:53] <KaiForce> i heard it from the experts, thank you again #citrix![21:59:07] <Biny> memberOf=CN=ItsImpossible[22:03:06] <KaiForce> ugh now I have to try it to see if it is workable... what a waste[22:04:38] <braynyac> It's not a solution[22:05:00] <braynyac> it's a work-around. And not a great one.[22:05:15] <Biny> i kind of do that right now with our MFA[22:05:18] <braynyac> Find out why your manager wants this functionality[22:05:18] <Biny> since we moved from duo to azure[22:05:31] <Biny> duo used to validate: does user have a license? and we allocated licenses by group[22:05:33] <braynyac> I was just going to say that - implement MFA and block the group[22:05:44] <Biny> so when we switched to azure, i just did an ldap bind to the group instead[22:05:50] <Biny> if not a member of group; fail login[22:06:19] <Biny> now to do that on the WI level, I haven't touched webinterface in years[22:06:32] <Biny> i'm sure it's possible, because I _did_ do a group based check prior to having DUO[22:07:05] <KaiForce> this is not only WI but Secure Gateway :\ and questionable management[22:07:38] <tabularasa> haha, i still have some CSG in production[22:08:24] <tabularasa> easy to do in NS.. not sure if you can even do that in WI/CSG[22:08:41] <Biny> you can[22:08:43] <Biny> its a ghetto fix but[22:08:46] <Biny> im trying to find the code[22:10:47] <Biny> https://web.archive.org/web/20150310143829/http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=57&Itemid=97[22:10:51] <Biny> https://web.archive.org/web/20150310143829/http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=57&Itemid=97[22:12:20] <Biny> it basically checks if group present; if yes, pass script of signin page[22:12:27] <Biny> if not; display a banner saying not permitted[22:12:41] <Biny> sorry for the archive.org link, seems thomas koetzings site is gone[22:13:25] <KaiForce> i remember that site[22:13:53] <tabularasa> haha, that's amazing[22:14:10] <Biny> this assumes 1) your WI site can be modified with 3rd party, 2) you want to modify your WI, 3) you feel miserable and want to smash your head into your desk[22:15:06] <tabularasa> yeah, sounds like it's time to upgrade to NS[22:16:28] <KaiForce> they have a couple of NS but not for this farm. that's probably what I'll tell them. I really don't want to mess with WI[22:16:32] <Biny> i have a vpx license we aren't using (i think I do anyway)[22:17:03] <tabularasa> why don't you just add that farm to the existing NS?[22:17:06] <tabularasa> takes like 2 seconds[22:17:11] <Biny> but i can confirm thomas's code does work[22:17:15] <Biny> we used it back in 6.5[22:17:56] <Biny> tabularasa: is that a session policy?[22:18:17] <tabularasa> no, you add it to "farms" in SF/WI or whatever is backending the NS[22:19:14] <Biny> under beacons probably?[22:19:25] <tabularasa> no[22:19:38] <tabularasa> Manage Delivery Controllers[22:19:39] <tabularasa> Add[22:19:47] <tabularasa> enter $farm1 here[22:19:55] <tabularasa> then Add again, and add $farm2[22:19:59] <Biny> ah[22:23:33] <Biny> had i known it was that easy, yeesh[22:24:08] <tabularasa> heh[22:24:21] <tabularasa> yes, i have ad 4.5/6.0/6.5/7.x all in one WI before..[22:24:26] <tabularasa> Wii!!!![22:27:22] <Biny> heh yeah thats pretty neat[22:27:31] <Biny> going to have to yell at our cdw guy for 'why didnt you show this to us'[22:27:50] <KaiForce> it has to stay 100% separate for management reasons tabularasa[22:28:01] * tabularasa nods[22:28:09] <tabularasa> Biny: really? that's a huge failure...[22:28:50] <Biny> yep.[22:29:12] <Biny> im sending him a "how to" to passive-aggressively mock him for it[22:30:19] <tabularasa> lol[22:30:20] <tabularasa> nice[22:32:01] <KaiForce> they built this separate network and after it was all done they tried to put a link between the networks (???) but that got nixed[22:33:37] <tabularasa> hahahaha[22:33:54] <tabularasa> let's seperate things, but then kill it with a couple "MUST HAVE" items between networks[22:34:00] <tabularasa> which then breaks the seperation in the first place[22:34:36] <KaiForce> exactly[22:42:47] <Biny> tabularasa: we also due to HP TC 510's (low disk space)[22:42:50] <Biny> actually let me back up[22:42:57] <Biny> we currently are running (2) tabs on our TCs[22:43:02] <Biny> old env/new env (pilot)[22:43:15] <Biny> the HP TC 510's didn't have enough disk space, for hte firefox version to get installed that supported tabs[22:43:24] <Biny> so we had to nuke a ton of language files to free enough space to get it[22:43:35] <Biny> then we had to manually image a bunch of machines[22:44:32] *** Thuryn <Thuryn!~Thuryn@216.106.72.146.reverse.socket.net> has quit IRC (Remote host closed the connection)[22:44:33] *** Thuryn- <Thuryn-!~Thuryn@216.106.72.146.reverse.socket.net> has joined #Citrix[22:52:59] *** Thuryn- <Thuryn-!~Thuryn@216.106.72.146.reverse.socket.net> has quit IRC (Quit: Leaving)[23:15:52] *** KaiForce <KaiForce!~chatzilla@99.133.184.129> has quit IRC (Quit: ChatZilla 0.9.93 [Firefox 52.9.0/20180621064021])