
Thursday, October 30, 2014

Attempting to secure traffic between Citrix StoreFront server and the Delivery Controller with HTTPS fails and causes login to display: “There are no apps or desktops available to you at this time.”

Problem

You’re attempting to secure the traffic in your Citrix XenDesktop or XenApp 7.5 / 7.6 environment so that your StoreFront server uses HTTPS instead of HTTP to communicate with the Delivery Controller:

image

image

You’ve gone ahead and issued a certificate with a SAN entry of the Delivery Controller’s FQDN and bound it in the Delivery Controller’s IIS bindings:

imageimage

You’ve also confirmed that you have updated your StoreFront’s URL to HTTPS instead of HTTP in Citrix Studio for your Delivery Controller configuration:

image

image

image

image

You’ve verified the port mappings by launching the command prompt, navigating to the directory:

C:\Program Files\Citrix\Broker\Service

… and executing:

brokerservice /show

SDK Port: 80
VDA Port: 80
WI Port: 80
WI SSL Port: 443
Log File:

image

With all the configuration and checks above completed, you proceed to restart your servers and test logging in via your NetScaler but quickly receive the following message upon successfully logging in:

There are no apps or desktops available to you at this time.

image

image

Reviewing the logs on the StoreFront Administrative Events shows 2 errors logged repeatedly:

Log Name: Citrix Delivery Services
Source: Citrix Store Service
Event ID: 4003
Level: Error
Message: All the Citrix XML Services configured for farm XenApp failed to respond to this XML Service transaction.

image

Log Name: Citrix Delivery Services
Source: Citrix Store Service
Event ID: 0
Level: Error
Message: An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

image

Note that Event ID 0 is logged first, followed by Event ID 4003.

Solution

This issue threw me off quite a bit because my colleague had just gone through a XenDesktop 7.5 training course and when I reviewed his lab guide demonstrating how to configure this, I was sure I hadn’t missed any steps, but while his lab environment was displaying applications after login, my environment did not.  I was pretty close to trying the solution Adam Paul Shattuck posted on a forum:

http://blog.technicall.us/xendesktop-7-x-how-to-deploy-in-a-highly-available-failover-ready-configuration-part-4-additional-delivery-controllers/

… where he did not have IIS installed on the Delivery Controller so he used the netsh command to bind the SSL certificate to the Broker service with its GUID.  My environment had IIS so I decided to search for the Event ID 0 error since that was logged first, and that was when I came across this blog post by Mark Brilman:

https://www.markbrilman.nl/2014/06/tutorial-implementing-a-secure-storefront-website-on-server-2012r2-behind-netscaler/

He had run into an issue where his StoreFront server was logging the event ID 0 message:

An SSL connection could not be established: None of the SSL cipher suites offered TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA were accepted by the server.. This message was reported from the Citrix XML Service at address . The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

… and the way he fixed it was applying a GPO to his delivery controller to enable a setting named SSL Cipher Suite Order.  The environment I was working on only had one delivery controller so instead of using a GPO, I launched gpedit.msc and enabled the setting as such:

Computer Configuration –> Administrative Templates –> Network –> SSL Configuration Settings

SSL Cipher Suite Order

image

image

I went ahead and enabled the configuration which automatically filled in the following for the SSL Cipher Suites textbox:

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA

image

Clicking OK still showed the State as Not Configured:

image

… but checking the setting showed that it was enabled, so I closed the box, ran gpupdate /force and tested again but still got the same error.  Since Mark recommended restarting the server, I went ahead and restarted the server, tested again and noticed that the problem went away.  All applications were displayed properly and could be launched by clicking on them.

image
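
An added example, not part of the original post: the PowerShell below compares the suites StoreFront offered in the Event ID 0 message with a cipher suite order value, and marks the RC4, 3DES, NULL, MD5 and SSL 2.0 entries that the default list enabled above also turns on. The function names and the name normalisation are assumptions (the event text writes ..._AES_128_SHA where Schannel writes ..._AES_128_CBC_SHA and may append a curve suffix).

```powershell
# Added example, not from the original post. Suite names are copied from the page.
# Assumption: StoreFront's event text drops the _CBC token and Schannel may add a
# _P256/_P384 curve suffix, so both spellings are normalised before comparing.

# Suites StoreFront offered, from the Event ID 0 message.
$offered = 'TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_SHA, TLS_RSA_WITH_AES_256_SHA'

# Subset of the SSL Cipher Suite Order value shown above, in the same order.
# On a live Delivery Controller the policy value can be read instead with:
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002').Functions
$policy = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_RC4_128_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_RSA_WITH_RC4_128_MD5'
    'SSL_CK_RC4_128_WITH_MD5'
    'TLS_RSA_WITH_NULL_SHA'
) -join ','

function ConvertTo-SuiteKey {
    param([string]$Name)
    # Remove the curve suffix and the _CBC token so both naming styles compare equal.
    ($Name.Trim().ToUpperInvariant() -replace '_P\d{3}$', '') -replace '_CBC', ''
}

function Test-WeakSuite {
    param([string]$Name)
    # RC4, 3DES/DES, NULL encryption, MD5 MACs and SSL 2.0 (SSL_CK_*) suites.
    $Name -match 'RC4|3DES|_DES_|NULL|MD5|^SSL_CK_'
}

function Compare-CipherSuiteOrder {
    param([string]$Offered, [string]$Policy)
    $offeredKeys = @($Offered -split ',' | Where-Object { $_.Trim() } | ForEach-Object { ConvertTo-SuiteKey $_ })
    $rank = 0
    foreach ($name in ($Policy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $rank++
        [pscustomobject]@{
            Rank                = $rank          # position in the server's preference order
            Suite               = $name
            OfferedByStoreFront = $offeredKeys -contains (ConvertTo-SuiteKey $name)
            Weak                = Test-WeakSuite $name
        }
    }
}

$report = Compare-CipherSuiteOrder -Offered $offered -Policy $policy

# Suites both sides support, in the server's preference order.
$report | Where-Object { $_.OfferedByStoreFront } | Format-Table -AutoSize

# Candidate for a shorter policy value: shared suites with the weak ones dropped.
$tight = ($report | Where-Object { $_.OfferedByStoreFront -and -not $_.Weak } |
    ForEach-Object { $_.Suite }) -join ','
if ($tight) {
    "Shared non-weak suites: $tight"
} else {
    Write-Warning 'No non-weak suite is shared; StoreFront could only connect with a weak suite.'
}
```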

Tuesday, October 28, 2014

Handy Get-Hotfix Windows PowerShell CMDLET for Windows Hotfix Updates Management

There have been plenty of times in the past where I used to dread reviewing the Programs and Features’ View installed updates window in search of a hotfix that I need to remove:

image

This is especially the case with older operating systems when a seemingly endless list of hotfix updates has been installed and scrolling through the list isn’t exactly a pleasant experience:

image

I’ve also been asked in the past to perform an audit for incidents where a server that wasn’t supposed to be patched was patched and the manager wanted to know who installed the updates.  As some may know, right clicking on the column headings gives you additional fields that you can choose to add but it does not provide a column to list what account installed them:

image

image

With the challenges mentioned above in mind, the PowerShell cmdlet I’ve enjoyed using over the past year to manage Windows hotfix updates is the:

Get-Hotfix
http://technet.microsoft.com/en-us/library/hh849836.aspx

This cmdlet will simply list out all of the hotfixes along with the following headings:

  • Source
  • Description
  • HotFixID
  • InstalledBy
  • InstalledOn

image

Definitely one of the cmdlets I’ve used most when trying to get an idea as to what updates have been installed onto a server because I can dump this to a file with the > and do a quick search in Notepad.

If you would like the searches to be ordered by a certain column you can simply add the following to the end of the cmdlet:

Get-HotFix | Sort-Object Description

image

Note that the list is now sorted by the Description column.  You can use the -descending switch as such to reverse the order:

Get-HotFix | Sort-Object Description -descending

You can also use multiple columns to sort the list:

Get-HotFix | Sort-Object Description,HotFixID

You can also execute this command (PowerShell Remoting does not need to be turned on) to list a remote server’s list of hotfixes with:

Get-HotFix -ComputerName <ComputerName>

If you’re looking for a specific hotfix, you can also use the Where command to find a match such as the following:

Get-HotFix | Where HotfixID -match "2995004"

image

A command I use quite frequently when trying to remove hotfixes is the wusa.exe command with the following format:

wusa.exe /uninstall /kb:<KB Number>

Additional switches such as the /quiet and /norestart are also commonly used.

More information can be found at the following TechNet article:

http://technet.microsoft.com/en-us/library/dd871148(v=ws.10).aspx
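
An added example, not part of the original post, for the audit case described above (which account installed what, and when). The function name Get-HotFixAudit, the server name, the account and the KB numbers in the sample are all constructed; the sample objects carry the same properties Get-HotFix returns so the block runs without touching a server.

```powershell
# Added example, not from the original post. Sample records are constructed:
# SRV01, CONTOSO\jsmith and the KB0000001..4 identifiers are placeholders.
$sample = @(
    [pscustomobject]@{ Source = 'SRV01'; Description = 'Security Update'; HotFixID = 'KB0000001'; InstalledBy = 'NT AUTHORITY\SYSTEM'; InstalledOn = [datetime]'2014-10-15' }
    [pscustomobject]@{ Source = 'SRV01'; Description = 'Update';          HotFixID = 'KB0000002'; InstalledBy = 'CONTOSO\jsmith';      InstalledOn = [datetime]'2014-10-21' }
    [pscustomobject]@{ Source = 'SRV01'; Description = 'Update';          HotFixID = 'KB0000003'; InstalledBy = '';                    InstalledOn = $null }
    [pscustomobject]@{ Source = 'SRV01'; Description = 'Security Update'; HotFixID = 'KB0000004'; InstalledBy = 'NT AUTHORITY\SYSTEM'; InstalledOn = [datetime]'2014-06-02' }
)

function Get-HotFixAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $HotFix,
        [Parameter(Mandatory)] [datetime] $Since,
        [datetime] $Until = (Get-Date)
    )
    begin { $rows = @() }
    process {
        $when = $HotFix.InstalledOn -as [datetime]
        # Records without an install date are kept: they cannot be ruled out of the window.
        if ($null -ne $when -and ($when -lt $Since -or $when -gt $Until)) { return }
        $rows += [pscustomobject]@{
            Source      = $HotFix.Source
            HotFixID    = $HotFix.HotFixID
            Description = $HotFix.Description
            InstalledBy = if ($HotFix.InstalledBy) { $HotFix.InstalledBy } else { '(unknown)' }
            InstalledOn = $when
        }
    }
    end { $rows | Sort-Object InstalledBy, InstalledOn }
}

# Everything installed (or of unknown date) during October 2014, listed per account.
$audit = $sample | Get-HotFixAudit -Since '2014-10-01' -Until '2014-10-31'
$audit | Format-Table -AutoSize

# How many updates each account installed in the window.
$audit | Group-Object InstalledBy | Select-Object Name, Count

# Against a live server, feed Get-HotFix output into the same function:
#   Get-HotFix -ComputerName <ComputerName> | Get-HotFixAudit -Since '2014-10-01' |
#       Export-Csv C:\hotfix-audit.csv -NoTypeInformation
```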

Saturday, October 25, 2014

Attempting to use PowerShell’s Add-WindowsFeature for .NET Framework 4.5 fails on a Windows Server 2012 R2 server

Problem

You have a new server installed with Windows Server 2012 R2 and need to install .NET Framework 4.5 with other roles and features so you mount the Windows Server 2012 R2 media, launch Windows PowerShell then execute the following cmdlet:

Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-ASP-NET,Web-ASP-NET45,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory -Source D:\sources\sxs

image

The installer executes and begins the install but quickly fails with the following message:

Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-ASP-NET,Web-ASP-NET45,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory -Source D:\sources\sxs
Add-WindowsFeature : The request to add or remove features on the specified server failed.
Installation of one or more roles, role services, or features failed.
The source files could not be downloaded.
Use the "source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f0906
At line:1 char:1
+ Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Wi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature], Exception
+ FullyQualifiedErrorId : DISMAPI_Error__Cbs_Download_Failure,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             Failed         {}

PS C:\Windows\system32>

image

Solution

This issue actually got me scratching my head for quite a bit of time because the error appeared to suggest that there was something wrong with the source files.  Executing this cmdlet or using the Add Roles and Features Wizard did not allow me to successfully install the components I needed for a Lync Server 2013 install I was doing, and copying the source files from the Windows Server 2012 R2 media directly onto the server did not work either.  A bit of searching suggested trying to get the install.wim Index number with a command such as:

dism /get-wiminfo /wimfile:d:\sources\install.wim

… then pass the Windows Server 2012 R2 version into the Add-WindowsFeature cmdlet:

PS D:\sources\sxs> Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Windows-Identity-Foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-ASP-NET,Web-ASP-NET45,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory -Source win:d:\sources\install.wim:2
Add-WindowsFeature : The request to add or remove features on the specified server failed.
Installation of one or more roles, role services, or features failed.
The source files could not be downloaded.
Use the "source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f0906
At line:1 char:1
+ Add-WindowsFeature RSAT-ADDS,NET-Framework-45-Core, NET-WCF-HTTP-Activation45,Wi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature], Exception
+ FullyQualifiedErrorId : DISMAPI_Error__Cbs_Download_Failure,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             Failed         {}

PS D:\sources\sxs> Dism /get-wiminfo /wimfile:d:\sources\install.wim

… but this did not work either.  After a bit of searching, I finally realized that the reason why I was getting this error was because of the following installed security update:

Security Update for Microsoft Windows (KB2966828)

image

The same cmdlet that continuously failed completed successfully once I removed this security update:

PS D:\sources\sxs> Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Windows-Identity-Foundation, Telnet-Client, BITS -Source d:\sources\sxs

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    Yes            SuccessRest... {Background Intelligent Transfer Service (...

WARNING: You must restart this server to finish the installation process.
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is automatically updated, turn on Windows Update.
PS D:\sources\sxs>

image

image

image

I haven’t actually encountered the issue on a Windows Server 2012 R1 server but the following TechNet blog indicates that Security Update For Microsoft Windows 2966827 can cause the same issue as well.

Attempting to Install .NET Framework 3.5 on Windows Server 2012 R2 Fails with Error Code 0x800F0906 or “the source files could not be downloaded”, even when supplying source
http://blogs.technet.com/b/askpfeplat/archive/2014/09/29/attempting-to-install-net-framework-3-5-on-windows-server-2012-r2-fails-with-error-code-0x800f0906-or-the-source-files-could-not-be-downloaded-even-when-supplying-source.aspx

Thursday, October 23, 2014

Lync Server Management Shell 2013 does not load and hangs with a black screen on a Windows Server 2012 R2 server

Problem

You’ve just completed deploying Lync Server 2013 on a Windows Server 2012 R2 server but notice that the Lync Server Management Shell does not load and hangs with a black screen regardless of whether you run it as an administrator or not:

image

image

Solution

This only appears to affect Windows Server 2012 R2 deployments as the application shortcut appears to be created with a missing quote:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "cd $env:UserProfile; Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'

image

Simply adding a quote back into the shortcut will correct the issue:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "cd $env:UserProfile; Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'"


image

Wednesday, October 22, 2014

How to export message tracking log results as a CSV file in Exchange Server 2010

I recently had to troubleshoot an issue for a client where their log drive filled up and they wanted to identify whether there was a device that was generating excessive logs on the Exchange server or whether they genuinely received that much mail between the last backup and the time when the drive filled up.  To determine whether the Exchange Organization did indeed receive enough mail to fill up the log drive, I directed my attention to the Tracking Log Explorer.  Those who are familiar with the Exchange Server 2010’s Tracking Log Explorer feature located in Microsoft Exchange –> Microsoft Exchange On-Premises –> Toolbox –> Tracking Log Explorer:

image

… would probably have come across this situation where you would like to export the returned table results:

image

… but noticed that there does not appear to be a way to do so via the GUI:

image 

The GUI does not provide a way to export these logs to a text or CSV file and therefore there wasn’t a way for me to easily add up the TotalBytes column to get an idea as to how much mail was sent and received:

image

I recall asking a Microsoft support engineer years ago about this for Exchange 2007 and the answer was that there was no way but seeing how it has been such a long time, I went ahead and did a quick Google search which returned this Exchange Team Blog post:

How to Easily Export Message Tracking Results in Exchange Server 2007
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

This was exactly what I wanted because I could sum the TotalBytes column, but the command was a screenshot which meant I had to type it out.  It was a bit annoying to have to type all that out when I was in a rush to get the results to the client at 1 a.m. in the morning so to avoid having to do this again in the future, I’m going to paste the command here for reference if I ever need it again:

get-messagetrackinglog -Server "<replaceWithServerName>" -Start "10/20/2014 10:15:00 PM" -End "10/21/2014 12:35:00 PM" -resultsize unlimited | select timestamp, eventid, source, sourcecontext, messageid, messagesubject, sender, {$_.recipients}, internalmessageid, clientip, clienthostname, serverip, serverhostname, connectorid, {$_.recipientstatus}, totalbytes, recipientcount, relatedrecipientaddress, reference, returnpath, messageinfo | export-csv c:\results.csv

Note that I added the “-resultsize unlimited” switch at the end of get-messagetrackinglog to allow unlimited results to be returned.
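
An added example, not part of the original post: one way to total the TotalBytes column of the exported CSV per sender or per hour. The function name Get-TrackingVolume and the sample rows are constructed; only RECEIVE events are counted by default, because a single message produces several tracking events and summing every row would count the same bytes more than once.

```powershell
# Added example, not from the original post. The rows below are constructed.
# With the real export use:  $rows = Import-Csv c:\results.csv
$rows = @'
Timestamp,EventId,Sender,TotalBytes
"10/20/2014 10:20:11 PM","RECEIVE","scanner@example.com","5242880"
"10/20/2014 10:20:12 PM","DELIVER","scanner@example.com","5242880"
"10/20/2014 10:45:03 PM","RECEIVE","scanner@example.com","7340032"
"10/20/2014 11:05:40 PM","RECEIVE","alice@example.com","20480"
"10/21/2014 9:12:00 AM","RECEIVE","bob@example.com","1048576"
'@ | ConvertFrom-Csv

function Get-TrackingVolume {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        # Event types to count; the default avoids double counting a message
        # that was logged once on receipt and again on delivery.
        [string[]] $EventId = @('RECEIVE'),
        [ValidateSet('Sender', 'Hour')] [string] $By = 'Sender'
    )
    $Rows |
        Where-Object { $EventId -contains $_.EventId } |
        Group-Object {
            # CSV fields are strings; the cast assumes the US date format used in the
            # command above. Adjust if the export was made under another culture.
            if ($By -eq 'Hour') { ([datetime]$_.Timestamp).ToString('yyyy-MM-dd HH:00') }
            else { $_.Sender }
        } |
        ForEach-Object {
            $bytes = ($_.Group | ForEach-Object { [long]$_.TotalBytes } | Measure-Object -Sum).Sum
            [pscustomobject]@{
                Key      = $_.Name
                Messages = $_.Count
                MB       = [math]::Round($bytes / 1MB, 2)
            }
        } |
        Sort-Object MB -Descending
}

# Which senders account for the volume, and in which hours it arrived.
Get-TrackingVolume -Rows $rows -By Sender | Format-Table -AutoSize
Get-TrackingVolume -Rows $rows -By Hour   | Format-Table -AutoSize
```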

In addition to using this export to total up each message size to get an idea of how many logs should be generated, another useful tool for troubleshooting this issue is to download the:

Microsoft Exchange Server User Monitor
http://www.microsoft.com/en-us/download/details.aspx?id=11461

This tool allows you to monitor individual users’ utilization of the Exchange server including the amount of Bytes In and Bytes Out:

image

Monday, October 20, 2014

Securing traffic between NetScaler and StoreFront with HTTPS rather than HTTP

I’ve been asked several times since publishing my previous blog post:

Configuring a NetScaler VPX appliance to publish load balanced XenDesktop 7.x StoreFront servers
http://terenceluk.blogspot.com/2014/07/configuring-netscaler-vpx-appliance-to.html

… how can the HTTP traffic between the NetScaler and StoreFront be secured since the NetScaler effectively authenticates with the StoreFront server(s) and the StoreFront server makes a callback to the NetScaler during the process.  The answer is simple and that is to use HTTPS instead.  Not all of the customers I work with use HTTPS because their justification is that their server VLANs are secured but I usually recommend using HTTPS when possible.  To do so, a certificate will be required for the URL that the NetScaler will be using to reach the StoreFront servers.  Before I begin with demonstrating the configuration, I would like to note the following points:

  1. Do not use the same URL that you are using for users on the internet or internal VLAN to access the NetScaler for the StoreFront server(s). This means that if you’re using https://citrix.domain.com for your NetScaler’s VIP, do not use https://citrix.domain.com for your StoreFront servers because Citrix does not support this.
  2. Make sure that the CallBack URL that you configure on your StoreFront’s NetScaler Gateway configuration matches the name you are using for your NetScaler VIP. Any changes to the URL will not work:

image

Step #1 – Bind SSL Certificate to StoreFront’s IIS Server

Begin by binding an SSL certificate to the StoreFront’s IIS server.  This can be done either by generating a SSL certificate CSR request, sending it to a public CA and completing the certificate request so the server has the private key or simply exporting a certificate from a source as a PFX and importing it onto the StoreFront server’s Local Computer store.  The certificate used in this example will be exported from the NetScaler appliance because it is a wildcard certificate.

image

Note that the Web Interface Address URL currently configured on the NetScaler points to http://storefront.ad.domain.com because the communication between the NetScaler and StoreFront currently uses HTTP:

image

Testing the URL http://storefrontServerName.FQDN will display the default IIS page:

image

Notice that without a certificate bound to the IIS server, navigating to https://storeFrontServerName.FQDN will display the:

This page can’t be displayed

image

With the certificate imported into the Local Computer store, launch the Internet Information Services (IIS) Manager, navigate to ServerName –> Sites –> Default Web Site, then click on Bindings… under Edit Site:

image

Click on the Add… button in the Site Bindings:

image

Change the Type from http to https:

imageimage

Click on the Close button after the new https binding has been added:

image

There isn’t a need to perform an iisreset but you are free to do so if you like:

image

With the new https binding created, you should now be able to browse the StoreFront website via https:

image

Step #2 – Update Session Profile on NetScaler to use https URL

Now that the StoreFront server can respond to https requests, proceed with modifying the Session Profile on the NetScaler:

image

Update the http URL to https:

imageimage

Step #3 – Recreate Virtual Server with https

You cannot actually change a Virtual Server’s configured Protocol from HTTP to HTTPS as shown here:

imageimage

Which basically means that you’ll have to delete and recreate the Virtual Server if you already have one created as is the case in this example.  Create a new LB Virtual Server with the Add button:

image

Fill in the required fields and change the Protocol to SSL:

image

You will immediately notice that the Load Balancing Virtual Server’s State is listed as being down and this is because a new Service needs to be created and added to this Load Balancing Virtual Server.  The reason why we performed this step first is because we would not be able to delete the existing HTTP service before deleting the existing HTTP Virtual Server since it is bound to a Virtual Server.  Now that we’ve deleted and recreated the Load Balancing Virtual Server, we can now remove the old HTTP service.

image

Step #4 – Recreate Virtual Server Service

Navigate to Traffic Management –> Load Balancing –> Services:

image

Since you can’t have two Services bound to the same IP where one is HTTP and another is SSL, we will delete the existing one and then create the SSL service:

image

The new Load Balancing SSL service should immediately have its State as being Up:

image

image

Navigate to the Virtual Servers and open the Load Balancing Virtual Server for the StoreFront:

image

Open the Service option:

image

Bind the SSL service that was created earlier:

image

image

image

Note that even with the service added, the service would still be labeled as being down because there is no certificate added:

image

image

Step #5 – Bind SSL Certificate to Load Balancing Server

The certificate that needs to be attached to this Load Balancing server is the same certificate that is used on the StoreFront servers and since we’re using the same wildcard certificate as we’re using for the NetScaler VIP and the StoreFront HTTPS binding, the certificate should already be on the NetScaler.  Proceed by opening the Load Balancing Virtual Server and clicking on the SSL Certificate configuration:

image

Click on No Server Certificate:

image

Click on the Bind button:

image

Bind the certificate that will be used for the StoreFront servers:

image

Save the configuration:

image

image

Next, click on the Persistence configuration:

image

Change the Persistence configuration to SOURCEIP:

imageimage

Click on the Done button to exit the configuration:

image

Notice that the Virtual Server State is now Up:

image

Step #6 – StoreFront Monitoring

For better StoreFront monitoring, it is best to create a service specific monitor that the NetScaler provides and the reason why I leave it as the last item to configure on the NetScaler is because a slight misconfiguration can cause the monitor to report the StoreFront as being down so to avoid situations where I might be confused whether I published the site correctly or not, I’d like to complete all of the configuration leading to the Load Balancing Virtual Server with an Up State before I configure the monitoring.

Navigate to Traffic Management –> Load Balancing –> Monitors and click on the Add button:

image

Fill in the following fields:

Name – Type in a name for the monitor
Type – Select STOREFRONT in the drop down menu

Leave the rest of the settings as default and scroll down to the bottom of the configuration page:

image

Ensure that the following checkboxes are checked:

  • Enabled
  • Secure

image

Scroll back to the top and click on the Special Parameters tab:

image

Fill in the Store Name with the StoreFront name, ensure Storefront Account Service is checked and then click Create:

image

image

A new StoreFront monitor should now be created:

image

Note how the configuration settings we left as default are now filled in:

image

Now navigate to Services and open the properties of the StoreFront service:

image

Click on the Monitors item:

image

Bind the monitor we created for the StoreFront server:

image

image

Save the settings:

image

Notice how there is only 1 item listed in the Monitors section and that’s because the tcp-default is removed:

image

image

Complete the configuration and click on the Done button for the Load Balancing service:

image

Step #7 – Update StoreFront Base URL

If you try to access the site now, you will receive the following error after logging in with your credentials:

image

So before attempting to test, log into your StoreFront server and update the Base URL from http:// to https://:

image

image

image

image

Once this last configuration has been made, you should now be able to log into the portal and launch applications.