I’ve been meaning to update my server setup script post for quite a while now. It was one of the first posts I made on this blog and at that time of writing that post I was very new to PowerShell scripting and it showed.

Well tonight was the night!

I made some big amendments to how the script runs, mainly how it gathers the user input. It doesn’t include everything I’d like it to eventually contain and preform, but it’s a start.

If you’re interested heres the link to the post –

https://sysadminguides.org/2017/04/12/server-build-script/

Free to follow and stay updated   View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

In this post we are going to look at basic troubleshooting steps a System Administrator can carry out to identify and potentially resolve a faulty storage controller in a HP MSA 2040.

This post is going to focus more on dual controller setups, with both a Controller A and a Controller B. In my case the faulty controller was brought to my attention by the health ember light on the front of the SAN and using the methods displayed in this article. I was able to gather information and ultimately bring the controller back up.

First step is to log into the SMU (Storage Management Utility) –

Using the SMU you can use the event logs as a first step to identifying the error/problem

In my case I was getting the error below:

Error: Critical Error Fault Type: NMI p1: 0x037454E, p2: 0x0000000 ….. No Cur Thread

Overall there wasn’t a lot of information to go off aside from confirmation that a serious error had occurred on Controller A and as a result Controller B had initiated the failover process.

Controller A was still powered on and ping able, plus I could get to it’s SMU. However, when I tried to log in it would either give an unsuccessful login or state that the controller was ‘initializing’.

Get more information using CLI –

A good way to gather more information is to telnet or ssh into the working controller’s command line interface (CLI). An easy method to do this is to use a piece of software called Putty.

Just enter the controllers IP and press Open

When prompted put in your credentials (the one you would use to log into the SMU)

If a putty connection over your network isn’t working, try the below method to connect via USB.

Connecting to MSA CLI via Serial Connecton using USB to Mini USB –

-Install driver for the USB connection. (http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=MTX_8de10954d645450f9e3c0d015d )

-Check COM port on Device Manager from Windows.

-Connect USB to the Mini USB port of the MSA

-Use Putty, or Hyperterminal.

-Hit enter to connect to the MSA.

Useful CLI Commands –

Get information about both controllers

show controllers

Show recent controller events (can copy output into notepad)

show events

In my case the show controllers command displayed a health note advising me to restart the problem controller A.

Health Reason: The controller is not Healthy

Recommendation: – Restart the Storage Controller in this controller module, unless it is performing an operation where it is normal for it to be shut down, such as firmware update.

For all CLI commands, you can refer to HP’s CLI Reference Guide –

Click to access 723979-001.pdf

Re-Seating the Problem Controller –

Ultimately I chose to reseat the problem controller in an attempt to prompt a clean restart. Essentially what this involves is unscrewing the two pins holding the problem controller, followed by pulling it slightly out of the controller slot and putting it back in.

Although doing this caused the controller to show no health issues when re-running the #show controller command on the working Controller (B). I had no connectivity to the problem controller (A).

Progress! At least at this point I didn’t have any errors in my working controller’s (B) SMU and nothing was showing as unhealthy in the CLI.

Restarting the Controller –

All had to do at this point was restart the problem controller (A) via CLI. It came back up healthy with network connectivity.

restart mc a

Additional info concerning CLI restarting: Syntax restart sc|mc a|b|both
Parameters sc|mc
The controller to restart:
– sc: Storage Controller
– mc: Management Controller
a|b|both

I could now connect using putty to Controller A, I could login into it’s SMU and the ember lights had cleared from the physical panel on the SAN. Happy days!

**If a simple reseat, restart, or cold reboot of the problem controller still fails to resolve your issue or you want to try and gather more information as to the preceding events leading up to the error. There is the option to generate detailed logs via CLI.

Get more detailed logs via CLI –

• Enter the command in CLI “#show protocols”
  • If FTP is not Enabled –
  • Enter the command: “#set protocols ftp enabled”
  • Exit the telnet session, putty etc.
  • Once FTP is enabled:
    • Go to Start – Command Prompt – enter “cd ../..” (Go to C:/ Drive or the location where you want to save the logs)
    • Type “#ftp ”
      
    • Then type the user name and password of controller to authenticate.
  • Use the command “#get logs filename.zip”

Once you have your logs, you can use Trace32 to view the logs. (Can use notepad but it’s very difficult to view due to a lack of formatting.

You can download Trace32 here:

Download Microsoft Config Manager tools and choose to only install Common Tools in the wizard.

https://www.microsoft.com/en-us/download/details.aspx?id=9257

Hope this was helpful!

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

Asset management is a big part of the general management of business IT. Having useful little scripts to gather information quickly with minimal effort has proved very beneficial for me, especially in environments where asset management has been neglected.

Getting a list of workstations –

If you don’t already have list of your workstations, run the PowerShell command below making sure to change the -searchbase switch to match your environment.

Get-ADComputer -filter * -SearchBase ‘OU=Workstations,DC=plebs,DC=local’ -Properties * | select Name, Description | export-csv -Path C:\temp\Workstations.csv

Creating a notepad containing workstations –

Next you will need to copy the workstations into a txt document. In my case I saved it to a temp folder on my C Drive. Your script will pull from this document.

Loop script utilizing Get-WmiObject –

Make sure to point the script to the right locations, so Get-Content needs target the location of your txt file.

$computernames = Get-Content ‘C:\temp\Computers.txt’ #Gets list of workstations from txt document
$Workstations= @() #Stops loop clearing array
foreach ($computername in $computernames)
{
$WmiObject = Get-WmiObject -computername $computername Win32_ComputerSystem | select Manufacturer, Model, Name
$Workstations += $WmiObject
}
$Workstations | export-csv -Path C:\temp\WorkstationDetails.csv

Exported CSV Results –

Go to the location of your exported CSV and you should get similar results to the image below.

Errors: The RPC server is unavailable –

This error is nothing to worry about, it simply means the desktop/laptop is currently not on the network or powered on. The script will just exclude that workstation from the list.

Want to include failed connections?

If you want to include failed connections in the final export, try using this script. It utilizes the Test-Connection command to test the connection to the workstations and as a result the addition of the failed desktops in the csv. However instead of showing the Make and Model it changes the manufacturer and model column to “Failed connection” whilst also adding the desktop name.

$computernames = Get-Content ‘C:\temp\Computers.txt’ #Gets list of workstations from txt document
$Workstations = @() #Stops loop clearing array

foreach ($computername in $computernames)
{
$status = Test-Connection $computername -count 1 -quiet #Tests connection
#If connection successful
If ($status -eq ‘true’){
$WmiObject = Get-WmiObject -computername $computername Win32_ComputerSystem | select Manufacturer, Model, Name
$Workstations += $WmiObject
}
#Else if connection fails
Else {
#Create object
$object = “” | Select “Name”,“Manufacturer”,“Model”
# Fill the object
$object.Name = $computername
$object.Manufacturer = “Failed Connection”
$object.Model = “Failed Connection”
# Add the object to the workstations array
$Workstations += $object
# Wipe the object
$object = $null }
}
$Workstations | export-csv -Path C:\temp\WorkstationDetails.csv

Want your script to gather more workstation information? –

WMI has a number of different classes that can be utilized to extract more information about the workstations in your environment.

https://ss64.com/ps/get-wmiobject.html – Includes a lot of the available classes you can check out.

Also user ‘vinaypamnani‘ on Github has published a really impressive WMI explorer application.  – https://archive.codeplex.com/?p=wmie – https://github.com/vinaypamnani/wmie2/releases

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

In my case the issue appeared after preforming an ILO firmware upgrade to a HP Proliant blade server.

The error in full was: (sorry about the lack of images)

Embedded Flash/SD-Card: Embedded media manager failed initialization

The way in which I tackled this error involved completely resetting the SD Card (NAND) using a XML script against the HP ILO configuration tool executable.

HP-Lights out configuration tool –

If you want to try the same process. Firstly you are going to need the HP-Lights out configuration tool found here:

https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=5264039&swItemId=MTX_c2f8737292c74b3b852b063ff7&swEnvOid=4210

You can install it on any device that has connectivity to the problem server. In my case I just installed it on the HP server displaying the error.

Creating the XML file –

Next you are going to want to create the XML file that’s going to initiate a wipe of your servers internal SD Card.

Simply open notepad, put in the contents below and save it in XML file format. So in my case I named it ResetNAND.xml

<RIBCL VERSION=”2.0″>
<LOGIN USER_LOGIN=”Administrator” PASSWORD=”Password“>
<RIB_INFO MODE=”write”>
<FORCE_FORMAT VALUE=”all” />
</RIB_INFO>
</LOGIN>
</RIBCL>

**Make sure to change the LOGIN USER_LOGIN line to contain your ILO username and password.

Save the file to the location of the HP ILO utility-

C:\Program Files (x86)\HP Lights-Out Configuration Utility

Running the XML –

Now it’s time to run the XML. First open up CMD and navigate to the HP Lights-Outs Configuration Utility directory. Follow this up by typing in the following, making sure to change the IP , the username/password to match your environment and the filename if you called your XML something different.

C:\Program Files (x86)\HP Lights-Out Configuration Utility>HPQLOCFG.exe -s <ILO server IP> -f ResetNAND.xml -u Administrator -p password

If all goes well, the ILO should drop for a small period of time before coming back up and displaying no SD card issues.

Other XML Scripts –

The great thing about this process, aside from fixing the SDCard error; is it gets you used to the notion of running XML scripts to gather more information about your ILO’s health/logs/settings. The same process can be used on other XML scripts.

HP provide a big collection of useful XML scripts here –

https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=5264039&swItemId=MTX_f045db3f567040f291bf645684&swEnvOid=4210

Hope this has been helpful!

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

Firstly Check you are using/typing the PowerShell command correctly

In the instance where a person is looking to remove a recurring meeting from an Exchange mailbox with the use of PowerShell. He/She can firstly utilize the Search-Mailbox command, whilst also using the -searchquery switch, to firstly identify the particular calendar event and then proceed to either move, copy or delete said meeting.

To specify the date range, you can separate your dates by “..”

Additionally you can also specify the time.

The following ISO 8601-compatible datetime formats are supported in queries:

• YYYY-MM-DD
• YYYY-MM-DDThh:mm:ss
• YYYY-MM-DDThh:mm:ssZ
• YYYY-MM-DDThh:mm:ssfrZ

An example command would look something like this –

Search-Mailbox -identity “finance1“ –SearchQuery kind:meetings AND subject:Test (Recurring) AND Received:”2017/10/08 10:00:00..2017/12/08 13:00:00“

In the event where the command is seemingly going through without error, but the meeting persists –

First try making the received date range as long or longer than the recurring meeting.

For example, if the meeting is from 01/01/2018 to 01/02/2018, we need to set the shortest data range as 01/01/2018 to 01/02/2018. Or alternatively set the date range to a month later 01/01/2018 to 01/03/2018

Search-Mailbox -identity “Recruitment“ –SearchQuery kind:meetings AND subject:DailyMeeting (Recurring) AND Received:”2018/01/01 10:00:00..2018/03/01 13:00:00“

Additionally if all else fails, you can always go with the less refined option of removing the date/time section of the command.

Further reading –
Useful Exchange PowerShell Commands – The Ultimate List.
Delete calendar meetings in a Mailbox using PowerShell – Exchange

Thanks for reading – feel free to follow and stay updated   View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

Client authentication involves a client certificate which is a type of digital certificate that can be used by client systems to make authenticated requests to a remote server. Client certificates play a key role in many mutual authentication designs, providing strong assurances of a requester’s identity.

This setup will involve configuring your NetScaler and Storefront for client authentication and the creation of the client certificate. This client certificate will then need to be installed on all requesting client computers, otherwise access to the NetScaler login page will be forbidden.

Additionally we will also look at an SSL error that is closely tied to this setup. The error involves users getting a certificate authentication prompt when trying to log into their apps or desktop. [ Error: “Unable to Launch Application. Cannot connect to the Citrix XenApp Server. Socket operation on non-socket.” ]

Video showcasing the result of this setup –
Firstly without the client certificate and then after installing it.

(Due to OBS recording my browser rather than my display, the successful remote connection through storefront won’t be displayed in the video, in addition to me selecting the certificate from my file directory during the import process into Firefox)

First step – Create the Client Certificate

In your Citrix netscaler web gui, navigate to the Client Certificate Wizard. Do this by going to the Configuration tab, then selecting Traffic Management in the left side bar. Followed by SSL and then Client Certificate Wizard.

Under the Create Key drop down, enter the following details. You can name the keyfile whatever you fancy and remember to give the key a PEM passphrase for security.

After that follow on with the setup and create your CSR –

The common name is my public IP considering I am not using DNS records for this setup. If you were using a domain name as your landing address you would put that in there. (i.e microhard.local).

Use the same PEM passphrase you setup for the key you created previously.

Now the setup page should look something like this after you have created both the Key and the CSR file.

The next step in the SSL Certificate Wizard is to create the certificate. Do not do this. Instead, copy the CSR file from the /flash/nsconfig/ssl/ directory on the NetScaler appliance to a Windows computer/server for the next step.

As shown below you can use the utility WinSCP to transfer the certificate of the NetScaler file directory.

[Optional] – To request a certificate from your Domain CA you are going to need to use a domain account to access the certserv web gui. This part of the process is shown below as it’s required to create the certificate. The way I prefer to do it is to create a new domain account with heavy restrictions, no domain admin for instance. This account will then be used in the process of creating the certificate. (Don’t worry, anyone can use the certificate regardless of whether they are that new account or not. They just need the certificate installed on their workstation.

In this example I am going to create an account called CitrixAuth

Creating the Certificate using your Windows Domain CA

Now that you have the CSR off your NetScaler and on your workstation.

Navigate to Microsoft Active Directory Certificate Services.

Login using an account preferably with minimal access for security reasons. I’m using the basic account I created above which doesn’t have any admin rights.

Click Request a certificate then Advanced Certificate request.

Open the CSR saved to your computer using Notepad. Copy and paste the contents into the text box under Saved Request. In Certificate Template, select User and click Submit.

Click the Base 64 encoded radio button then press Download certificate.

Install the Microsoft-generated certificate

Return to the NetScaler SSL Server Certificate Wizard, skip step 3, and go to step 4 to install the certificate. Fill in the fields making sure to upload your saved Microsoft certificate on your computer under Certificate File Name and your RSA key you create earlier under the Key File Name.

When the certificate uploads, a prompt appears for the name and password of the Key File that you created earlier. Once everything is filled in click Create and then click Done.

You should now see your client certificate under Traffic Management > SSL > Client Certificates.

Enabling Client-Authentication

Next step is to enabled client authentication on your NectScalers Virtual Gateway server

You do this by navigating to the Configuration Tab, then proceed to the NetScaler Gateway followed by Virtual Servers.

Click on your setup Virtual Server and go into SSL Parameters drop down. Proceed to tick the Client Authentication radio button and then select Mandatory on the drop down. Then press OK. Followed by Done at the bottom to saved changes.

The Problem – Client Certificate Authentication Prompt Appears while Launching Application through NetScaler Gateway Integrated with StoreFront.

At this point you would assume everything has now been configured correctly on the NetScaler end as per Critix recommendations.

However, as of writing this post most people will run into a problem later on whereas a client (with the correct certificate installed) will be able to connect to the NetScaler but won’t be able to connect to their remote session through StoreFront. What happens is upon opening a Storefront desktop or application, they will receive a certificate prompt and ultimately an SSL error.

The Error: ‘ The connection to ‘Storefront Desktop’ failed with status (Socket operation on non-socket (Socket Error 10038)) ‘

This can be shown below.

The Solution – Create another Gateway Virtual Server on a different port to the original where client authentication is unchecked (also works on a differnet IP).

The problem appears due to the client attempting to do an additional SSL handshake with the same NetScaler virtual server (because of the SSLProxy HOST defined in the ICA file) upon the user attempting to open a application or desktop.

The goal is to get around this problem is to make it so the SSL Proxy Host defined in the ICA file, points to your dummy virtual server where client authentication is unchecked, thus no additional SSL handshake is required.

Creating the Dummy Gateway –

As shown in the below screenshot, I have created another NetScaler Gateway, by going through the Create New Gateway wizard found under the XenApp and XenDesktop tab on the left on your NetScaler web GUI .

It has the same server certificate file, points to the same Storefront and authenticates using the same domain controller. The only difference is this dummy virtual server is on port 4300 as apposed to 443 which is the port set on my main virtual server.

(I used a different IP for my dummy server in this example. Citrix specifies using the same for both your Gateway virtual servers)

After completing the Gateway setup you should now see your dummy NetScaler Gateway Virtual Server as well as your original ones.

Nothing to specific for this solution needs to be setup on your dummy Gateway server settings wise. It should mimic the settings of your original Gateway Server, just without Client Authentication being checked (it will be unchecked by default). Ensure that everything vital is working such the connection to your Secure Ticket Authority Server.

Changing your Storefront Settings to reflect your NetScaler changes –

Now your dummy Gateway Server is up and running. You need to change your Storefront NetScaler Gateway settings.

On StoreFront go to Manage NetScaler Gateway

Now make sure the NetScaler Gateway URL under General Settings contains both the FQDN (or IP in my case) and the port of your dummy Gateway Server

Additionally under Authentication Settings, edit the Callback URL to also contain the port number of your dummy virtual server.

Exporting the Client Certificate of the NetScaler device in PKCS12 format

Now your Storefront has the correct settings and your NetScaler is setup correctly. It’s time to get your Client Certificate in a format that web browsers will accept. We can do this by exporting the Client certificate of your NetScaler in PKCS12 format.

To do this all you need to do is go back into your NetScaler web gui. Click on the Configuration tab, then Traffic Management on left side. Follow this up by clicking SSL, then Export PKCS#12 under Tools.

Fill in the correct details by choosing a file name and then pointing the export wizard to your Client Certificate and the key used to create it.

Create an export password so individuals can’t export this certificate off client workstations and then enter the PEM passphrase you used earlier during the process of creating the Client Certificate.

After clicking OK, use WinSCP again to go into your NetScaler file directory. Find your exported PKCS12 file and then copy it onto your workstation.

Thats it! – If everything is working on the NetScaler and Storefront side of things. All you need to do is install that certificate on a workstation requiring access. Then upon going to your NetScaler Gateway page, they will be prompted to use your installed certificate for the SSL handshake.

Any connecting workstation without your client certificate will receive a similar SSL connection error to the one below.

Other considerations –

In some cases Citrix points people to the use of port 4343 for their dummy gateway server, whilst also mentioning it can be any port other than port 443. I would advise against this as you may find it causes remote connections to drop randomly.

Further Reading – Setup Citrix NetScaler SSL without DNS records, using a Public IP and a Windows CA

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

Although this is unlike my other posts which are more focused on enterprise IT. From my experience troubleshooting connectivity issues concerning Teredo, I quickly realized that their wasn’t a lot of helpful information on the internet, especially if you can’t find the device in Device Manger under Network Adapters.

Problems going to be addressed:

• Teredo driver is corrupt
• Unable to find device or missing Teredo driver in Device Manager
• Unable to connect to devices utilizing IPv6
• No connectivity in Xbox App
• No connectivity in Microsoft PC Games
• Teredo driver showing yellow exclamation mark in Device Manager
• DNS errors in Microsoft Games
• How to fix Teredo Tunneling missing problem or Teredo Tunneling Pseudo-Interface error Code 10.

**If the device isn’t showing in Device Manager skip to section 5.**

1. Firstly we want to disable the Teredo technology using Command Prompt or PowerShell:

1. Go to Start > All Programs > Accessories.
2. Right click at Command Prompt and select Run as Administrator
3. At command prompt window, type the following commands one after the other.

netsh int teredo set state disabled

netsh int ipv6 set teredo client

4. Close the window.

2. Check Device Manager to see if Teredo is showing up:

1. Press Windows key + R to open Run dialog.
2. Type hdwwiz.cpl, and then press Enter to open Device Manager.
3. Click the view tab and press Show Hidden Devices
4. Click on Network Adapters from the list.

3. If the device is showing under Network Adapters – Uninstall it:

(If the device isn’t showing skip to section 5.)

1. Right click it and press Uninstall 

4. Once it’s been uninstalled. Reinstall it by doing these steps:

1. Click on Actions tab at the top.
2. Select Add Legacy Hardware.
3. Click on Next button.
4. Make sure that Search for and install the hardware automatically (Recommended) option is selected, and then click on Next button.
5. Click on Next button again.
6. Under Common hardware types selection, look for Network Adapters and click on it.
7. Click on Next button.
8. Under Manufacturer column, select Microsoft.
9. Under Network Adapter column, select Microsoft Teredo Tunneling Adapter
10. Click on Next button.
11. Click on Next button again.
12. Click on Finish.
13. Once it’s installed restart your Desktop

5. If the driver isn’t showing up in Device Manager or the problem has not resolved:

1. Go to Start > All Programs > Accessories.
2. Right click at Command Prompt (or run PowerShell) and select Run as Administrator
3. At command prompt window, type the following commands one after the other.

netsh int teredo set state disable
netsh int teredo set state type=default
netsh int teredo set state enterpriseclient
netsh int teredo set state servername=teredo.remlab.net

4. Check to see if the problem has now been resolved.

If you’re are still having problems, reset the server name to default

netsh interface Teredo set state servername=default

Considering my issue revolved around online connectivity on Microsoft video games. I could use the Xbox App to check whether the problem had resolved or not.

Under – Settings > Network

Unhappy Teredo :

Happy Teredo :

Hopefully by following this guide Teredo is now working probably for you. If you are still having problems feel free to leave a comment and I will get back to you.

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

In normal production circumstances you would generally use the Certificate Signing Request (CSR)  to generate a domain certificate for signing by a Certificate Authority (CA). However,  in some cases you only really need a self-signed cert for your public IP address.

Many people refer to these as being less secure and this is not correct. They give less trust but the security can be even higher than commercial certs since you have full control over the creation process. However, using self-signed certs means finding secure ways to deliver the new root certificate to clients and the private key of the root needs to be secure.

Why is SSL important? It creates an encrypted link between a web server (NetScaler) and a browser. This link ensures that all data passed between the web server and browsers remain private.

**The keys you generate during this process need to be removed from the NetScaler once the setup is complete, this is especially important for setups where the NetScaler is outside the internal network in a DMZ.**

Now lets get to it – Creating the RSA Key

In the NetScaler GUI go to the Configuration tab, in click Traffic Management, and then click SSL. Click Server Certificate Wizard then fill in the field making sure to encrypt the key file with a passphrase.

After you create the RSA key, create the CSR.

Creating the Certificate Signing Request

Now in the same window create the CSR

Use the PEM passphrase you used for your RSA key.

Important: The Common Name is going to be your public IP address. This is the IP address users connect to gain access to the NetScaler login page.

After you complete the CSR, the next step in the SSL Certificate Wizard is to create the certificate. Do not do this. Instead, copy the certificate from the /flash/nsconfig/ssl/ directory on the NetScaler appliance to a Windows computer. You can use the utility WinSCP to transfer the certificate.

After you have saved the CSR to your Windows computer, use the Microsoft Active Directory Certificate Services to Request a certificate.

[Optional – you can use SSL to communicate from NetScaler Gateway to your StoreFront and XenApp/XenDesktop farm.

Additionally You can return to this page to Download the CA Certificate (Base 64). This will be needed later.

 Create a certificate by using Microsoft Active Directory Certificate Services

Important: For this part you will need the Certification Authority role installed in your environment. In my case I installed it on my Domain Controller.

Navigate to Microsoft Active Directory Certificate Services. http://<your CA server>/certsrv.

Click Request a certificate then Advanced Certificate request.

Open the CSR saved to your computer using Notepad. Copy and paste the contents into the text box under Saved Request. In Certificate Template, select Web Server and click Submit.

Click the Base 64 encoded radio button then press Download certificate.

Install the Microsoft-generated certificate

Return to the NetScaler SSL Server Certificate Wizard, skip step 3, and go to step 4 to install the certificate. Fill in the fields making sure to upload your saved Microsoft certificate (certnew(2) in my case) on your computer under Certificate File Name and your RSA key you create earlier under the Key File Name.

When the certificate uploads, a prompt appears for the name and password of the Key File that you created earlier. Once everything is filled in click Create and then click Done.

[Optional] To install a CA certificate on NetScaler Gateway You can use SSL to communicate between NetScaler Gateway, StoreFront, and XenApp/XenDesktop. To do so, install a CA certificate on the appliance.

This procedure is optional but I would highly recommend setting this part up to ensure all communication between your severs are encrypted.

In the NetScaler UI, on the Configuration tab, in the navigation pane, expand Traffic Management > SSL > Certificates and then click CA Certificates. Fill in the field as shown below and then press install.

(Remember you can download the CA certificate from the Microsoft Active Directory Certificate Services webpage – alternatively you can export it from your CA’s Certificate area using mmc)

Additional Changes – VPN Virtual Server/Gateway Settings/Storefront/Port Forwarding

Now your NetScaler has both the newly created Server Certificate and the CA, you are ready to bind/input your certificates in the other NetScaler settings. For instance your Virtual Servers will need the Server/CA certificates and so will your NetScaler Gateway Settings.

Virtual Server Settings:

Click Sever Certificate and then bind your created Server Certificate.

Then click Close and Do the same for your CA Certificate.

NetScaler Gateway Settings:

StoreFront:

On your Storefront server make sure to change your Stores Gateway appliance settings to match the Public IP URL of your NetScaler Gateway.

Router – Port Fowarding

Depending on your setup and what port your NetScaler virtual server is set to, make sure to setup port forwarding to ensure that external connections can reach your NetScaler server.

Client Computer Setup

Confirm that your CA Certificate is installed in the Trusted Root Certification Authorities in the Certificates container on the client computer.

[If you experience browser problems]

In Internet Explorer, turn off certificate revocation checking. This step is required because your private NetScaler server is unknown on the Internet.

On the Tools menu in Internet Explorer, click Internet Options > Advanced. Check that the publisher’s certificate revocation is set to Off. Check that the server certificate revocation is set to Off.

If you use a browser other than Internet Explorer (such as Firefox, or Safari) you might need to import the Trusted Root CA Certificate into the Certificate Manager, and turn off Online Certificate Status Protocol checking. This is off by default in Chrome.

Thats it! Now you have secure communication between your clients and your NetScaler.

**If you desire more security, check out my guide on how to setup Client Authentication, whereby the clients need a client certificate to be able to connect to the NetScaler.

Without Client Authentication, unwanted people can still gain access to your NetScaler login page and Storefront if they have stolen user credentials.

https://sysadminguides.org/2018/05/21/setup-citrix-netscaler-client-authentication-using-a-windows-ca/

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

The underlying problem normally involves one of these license types (partner, demo, internal only, express and developer edition licenses), the reason being is that these licenses are normally issued with a start and end date. Every time the NetScaler boots it will check the System Time with these dates to verify whether or not your license is still valid.

In my case the evaluation Netscaler ISO I received from Citrix had a default system date of April 2017 (most likely it’s creation date). This meant that every time I’d restart the NetScaler rather than doing a warm boot the system time would reset to a date before the license start date, not only would this invalidate the license losing me all the licensed features, my SSL certs would also be removed.

Configuring the system time using shell commands, such as:

date +val 1803250328

Which sets the time to 03:29 25 March 2018 or configuring the NTP Server to googles public NTP sever time.google.com. Would only work to get the server back to the current server time and re-licensed after a warm reboot.

However, as stated a normal reboot would still reset the system time back to a period not valid under the start/end of date attached to the license and even though the NTP server settings stayed, it only re-synced the system time after the boot-up checks.

As stated by Citrix, this is completely intended –

https://support.citrix.com/article/CTX122271

When making customizations to a NetScaler or NetScaler Gateway appliance, the customization changes are usually lost when you restart the appliance. This is by design. This is because a NetScaler appliance runs from RAM disk and loads from a flash device.

https://support.citrix.com/article/CTX200421

When the license on a NetScaler expires the configuration is altered. Non-licensed features are disabled and certificates greater than 512 bits are removed from the configuration

The Fix / Work Around – Using the nsbefore.sh file.

The nsbefore.sh file runs before the network components or packet engine is initialized.

It is one of the three files that can be utilized to retain the changes and customization in a NetScaler appliance when the NetScaler applicant restarts. (Also applies to VM’s running the software version)

The other two being: (In this case they are un-needed)

• The nsafter.sh file runs after the network or packet engine is initialized.
• The rc.netscaler file runs after the ns.conf file is loaded.

First we need to get into the file directory of the Citrix NetScaler –

One way to achieve this is to use a program called WinSCP to create a session over the SFTP File protocol.

As shown in the image below, create a new session and enter the IP or hostname of your NetScaler, followed by your username and password.

(Yes I know I’m using the default username/password, don’t worry this is my demo kit )

Navigate to /nsconfig/ and create a file called nsbefore.sh (you can do this within the application by right clicking)

After you have created the file – double click it and added the contents

date +val 1803250215

This command will make sure that before any licenses checks are initiated during boot-up the system time will be set to 03:29 25 March 2018.

If you want to set the time to something different (apologies if the article has aged by the time you are reading it) following the format below, change the numbers to suit your needs.

date +val YYMMDDHHMM
Where:
YY = Year – MM = Month – DD = Day – HH = Hour – MM = Minutes

As long as it’s within the start & end date of your license, it will do. If setup, your NTP settings will sync it to current time after the reboot has occurred.

Once you have saved the file you are all set – Now when you restart your NetScaler one of the first operations preformed will be the modification of the system time to one that doesn’t invalidate your license during the proceeding license checks.

In theory this could also be used to avoid your license ever expiring, however if the current time is past your end of date for that license, you will have to keep your preset system time; making sure to avoid syncing the NetScaler with an NTP server. (Not ideal and may cause problems)

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+

Slightly different than the usual enterprise IT content one would be familiar with on this blog. However, as of right now I have been running multiple ARK Steam servers for around a year with very minimal downtime. I attribute this long period of time to the fact that the maintenance is all automated using STEAMcmd in combination with PowerShell, thus resulting in very little attention from myself (months apart).

I figure if it’s working well for me, it could also work well for someone else who may be looking to automate their Steam server maintenance without the hassle of configuring ASM (ARK server software) or using some other form of third party software.

Before we get started, please bare in mind this will be focusing on the ARK game server, however if your Steam server uses STEAMCmd for installation, configuration and start-up, this process can be tweaked for the same functionality.

Firstly –

On your server/desktop create a folder on your C: drive, call it anything you want. In my case I called it ‘Startup’ – this is going to be the location for your future start-up scripts / batch files.

After creating the folder locate the SteamCMD folder in your game server (Ark Server) files. In my case the filepath is ‘C:\ArkServer\Engine\Binaries\ThirdParty\SteamCMD\Win64’

Once located create a txt file in the folder location – (I named the file ‘ark1’) and put the following contents inside of it.

@ShutdownOnFailedCommand 1
@NoPromptForPassword 1
logon anonymous
force_install_dir C:\ArkServer
app_update 376030 validate
quit

**Make sure to change the install directory (force_install_dir) to the file location of your gaming server
**Also make sure the app_update number is the correct number for your particular gaming server, 376030 is Arks dedicated installation/update number.

In short this text file contains the SteamCMD commands required to initiate a server update check, and if found the server update itself.

Next step involves creating a Batch file in your ‘Start up’ folder – I named the batch file ‘UpdateServer.bat’ – This batch file will be used by the soon to be created PowerShell script to force SteamCMD to run using the commands we laid out in the ‘ark1’ txt file.

The contents of the batch file should be –

steamcmd +runscript ark1.txt
exit

** To save the contents of a new page in notepad as a batch file you need to make sure ‘All Files’ is selected on the ‘Saves as types drop down’ and ‘.bat’ is used at the end of the file name’

As shown in the image below –

After that you are going to want to put your server start-up batch files inside this folder location – as shown in the image above my game servers are Abber, Rag, Rag-PVP, TheCenter and TheIsland.

Just for clarification, an example of the contents of one of these server start-up batch files is –

start ShooterGameServer.exe Aberration_P?SessionName=PVE-NoWipes-Gath6x/Bre6x/Tam3x/Exp10x/S+/Stacking[Clustered]?Port=50025?AltSaveDirectoryName=AbberSaved?
QueryPort=50026?MaxPlayers=100?RCONEnabled=True?RCONPort=32335?
ServerAdminPassword=Helloboss?OverrideOfficialDifficulty=5.0 -clusterid=Arkserver1 -automanagedmods -AutoDestroyStructures -OverrideOfficialDifficulty=5.0 -ForceRespawnDinos

Now you have moved your server startup files into the ‘Start-up’ folder location – you can proceed onto the second to last step of creating the PowerShell script using Windows PowerShell ISE.  – I named the script ‘ServerScheduledRestart.ps1’

The contents should include some thing similar to the contents of mine shown below –

$ErrorActionPreference = 'SilentlyContinue' #If an error occurs continue the script

$runpathUpdate = "C:\Startup\UpdateServer" 
$runpathRag = "C:\Startup\Rag" 
$runpathAbber = "C:\Startup\Abber" 
$runpathTheIsland = "C:\Startup\TheIsland" 

$ProcessName1 = "ShooterGame" #server process (arks process)
$ProcessName2 = "ShooterGameServer" #server process (arks process)
$Process1 = Get-process $ProcessName1 -ErrorAction SilentlyContinue
$Process2 = Get-process $ProcessName2 -ErrorAction SilentlyContinue


Start-Process -FilePath $runpathUpdate #Runs server update batch file

Start-Sleep -s 700 #Waits 700 seconds before continuing, as to give SteamCMD time to check/update the server files

#Ends all the ARK Server processes
While ($Process1.ProcessName -and $Process2.ProcessName -ne $Null){
$Process1 | Stop-Process -Force
$Process2 | Stop-Process -Force
}
echo "Services are now stopped - Starting batch files"

Start-Sleep -s 10

Start-Process -FilePath $runpathAbber #Runs the Abberations server start-up batch file

Start-Sleep -s 300

Start-Process -FilePath $runpathRag #Runs the Ragnorak server start-up batch file

Start-Sleep -s 350

Start-Process -FilePath $runpathTheIsland #Runs TheIsland server start-up batch file

Start-Sleep -s 30

In case you’re unfamiliar with PowerShell ISE – please see the image below, this is what your script should look like inside the program, once copied and tweaked you can go to File on the top left and save the ps1 to your ‘Startup’ folder.

Once your script is created and in the right location – it’s time to move onto the final step, which involves setting up a scheduled task to run the ‘ServerScheduledRestart.ps1’ PowerShell script every night or early morning.

Firstly navigate to ‘Task Scheduler’ in your Windows OS

Then click on ‘Create a Basic Task’ on the top right. From here just go through the easy wizard.

Give the scheduled task a name –

Then select the start date and time –

Next select the ‘start a program’ radio button, followed by inputting the following text, including the filepath of your PowerShell script –

After that click Next and Finish.

If done successfully you should see your scheduled task with the following actions as shown in the image below –

Thats it! All the steps are now completed. Your Steam server(s) should now update and restart everyday at the time you chose for the foreseeable future.

Concerning ARK servers, to make sure your mods auto-update on start-up, add ‘-automanagedmods‘ to your start-up batch file.

Thanks for reading – feel free to follow and stay updated View sysadminguides’s profile on Facebook View GuidesSysadmin’s profile on Twitter View 115372466162675927272’s profile on Google+