
AWS AppStream 2.0: What's New for June 2018?

AWS have updated AppStream 2.0 to introduce some fantastic new features in the May & June 2018 releases.

Google Drive support has been added (selectable at fleet creation). It only supports G-suite enterprise and must be enabled in G-Suite to function, but it also has support for multiple G-Suite domains.

This means clients can avoid the clumsy upload and download of files from the local device to the remote and simply log into Google Drive and have immediate access to their files within the AppStream session.

Google Drive integration for AWS AppStream 2.0

Google Drive integration within AppStream 2.0 session

Here is a screenshot of the Windows Explorer integration, which conveniently shows my free space as approx 8000 Petabytes! Good to know!

Google Drive AppStream 2.0 Windows Explorer integration

Support for administrative controls has also been added (again selectable at fleet creation). This gives the administrator greater control and flexibility over the solution they deploy to users, covering local device copy and paste, file upload and download (both, upload only, download only, or disabled) and local print options.

control clipboard, file transfer and print options for AWS AppStream 2.0
Selective administrative controls for AWS AppStream 2.0

Happy Clouding!

AWS Workspaces Error – This OS/platform is not authorized to access your Workspace

Situation

Recently a customer received the message ‘this OS/platform is not authorized to access your Workspace’ when connecting to a newly built AWS Workspace instance via ‘Web Access’ (https://clients.amazonworkspaces.com/).

In more recent WorkSpaces updates (Jan 2019), if you don’t explicitly have Web Access enabled you will receive an ERR_CM_REQUEST_FAILED message.

This OS/platform is not authorized to access your Workspace
If the problem persists please contact your Workspaces Administrator.
ERR_DEVICE_ACCESS_DENIED

Solution

Web Access needs to be explicitly enabled. As these were relatively new workspaces (May 2018) the workspaces also didn’t have to be rebuilt to allow web connectivity contrary to the AWS documentation.

 

Open the AWS Console

Select Workspaces

Expand Directories

Select your Directory and click Actions then Update Details

Expand the 4th Section Access Control Options

Tick Web Access

Scroll to the bottom of the update details page and click Update and Exit

 

 

 

AWS AppStream 2.0 Image Builder X Drive not being created

Problem

This month on creation of a new image builder in AWS AppStream we noticed that the AWS AppStream 2.0 Image Builder X Drive was not being created.

The X drive is the temporary drive for uploading and downloading files to and from the AppStream instance, and is usually where we house deployment scripts, build scripts, GPOs and installation files.

Solution

As of AppStream Image builder version Base-Image-Builder-05-02-2018 this is by design.

You should update any scripts or pointers

from “X:\Temporary Files” drive

to “C:\Users\ImageBuilderAdmin\My Files\Temporary Files”


How to find an AWS AppStream 2.0 user's home drive path

Scenario

AWS AppStream 2.0 generates a SHA-256 hash of the user's NameID for their Home Drive when using SAML (aka Federated) authentication. This can make it difficult to find the user's home share when browsing AWS S3, or for support teams when supporting users or uploading documents to the user's ‘home drive’.

Example

This document includes an example of a federated user's home drive, auto-created in S3 after the user has accessed AppStream 2.0 for the first time.

This script creates a function in Windows PowerShell that generates the SHA-256 hash of the NameID, so you can discover the user's home path.

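# Returns the lowercase hex digest of a string (UTF-8 encoded).
# The default algorithm is MD5; pass "SHA256" for AppStream home folders, as below.
Function Get-StringHash([String] $String, $HashName = "MD5")
{
    $StringBuilder = New-Object System.Text.StringBuilder
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes($String)
    [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash($Bytes) | ForEach-Object {
        # Append each byte as two lowercase hex characters
        [Void]$StringBuilder.Append($_.ToString("x2"))
    }
    $StringBuilder.ToString()
}

# Prompt for the user's NameID and print its SHA-256 hash
$myvar = Read-Host -Prompt 'Enter string to hash'
Get-StringHash $myvar "SHA256"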

Result

As we know the user's NameID being passed into the AppStream session (in this instance it's actually my email address)
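The same lookup run in reverse, as an added example in Python (not part of the original article): it hashes a roster of known NameIDs and matches them against the 64-character folder names found in a list of S3 keys, so a support team can see which folder belongs to whom. The function names, the roster, the keys and their `user/federated/` prefix are constructed for illustration, and it assumes the NameID is hashed exactly as the PowerShell function above does (UTF-8 bytes, lowercase hex).

```python
import hashlib
import re

# A home-folder name is a 64-character lowercase hex SHA-256 digest.
HASH_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")


def home_folder_hash(name_id: str) -> str:
    """Lowercase hex SHA-256 of the NameID's UTF-8 bytes."""
    return hashlib.sha256(name_id.encode("utf-8")).hexdigest()


def map_folders_to_users(s3_keys, name_ids):
    """Return ({hash: name_id}, [hashes with no roster match]) for s3_keys."""
    lookup = {home_folder_hash(n): n for n in name_ids}
    matched, unmatched = {}, []
    for key in s3_keys:
        m = HASH_RE.search(key)
        if not m:
            continue  # key does not contain a home-folder hash
        digest = m.group(0)
        if digest in lookup:
            matched[digest] = lookup[digest]
        elif digest not in unmatched:
            # The hash covers the exact string: a roster entry that differs
            # in case or suffix from the NameID that was hashed will not match.
            unmatched.append(digest)
    return matched, unmatched


# Constructed sample data (hypothetical users; key layout is an assumption).
ROSTER = ["jane.doe@example.com", "sam.lee@example.com"]
SAMPLE_KEYS = [
    f"user/federated/{home_folder_hash('jane.doe@example.com')}/report.docx",
    # Folder created from a mixed-case NameID that the roster holds in lowercase
    f"user/federated/{home_folder_hash('Sam.Lee@example.com')}/notes.txt",
    "logs/readme.txt",
]

if __name__ == "__main__":
    matched, unmatched = map_folders_to_users(SAMPLE_KEYS, ROSTER)
    for digest, user in matched.items():
        print(f"{digest}  {user}")
    for digest in unmatched:
        print(f"{digest}  <no roster match: check NameID case/format>")
```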

AWS IAM CERTIFICATE_VERIFY_FAILED

Situation

When attempting to call AWS CLI commands we were receiving a CERTIFICATE_VERIFY_FAILED error message. We were using a proxy service. In this specific instance we were connecting to AWS IAM via Zscaler Internet Access (ZIA).

Example

We were running a simple:

aws iam get-role --role-name vmimport

 

Workaround

Include --no-verify-ssl to bypass SSL certificate verification for the command:

aws iam get-role --role-name vmimport --no-verify-ssl

Solution

Exclude (drop or whitelist) iam.amazonaws.com from SSL inspection on the proxy server.

Create a NetScaler Gateway Preauthentication Policy

Step Description Screenshot
1 Expand NetScaler Gateway > Policies > Preauthentication
2 Click Add
3 Name the policy something like PreAuthPol_Notepad-is-running

Click the + next to Request Action

Note: you can call it whatever you want. I like to keep a standard format when creating policies and profiles so they are distinguishable in the various screens and in the ns.conf file as well.

 4 Click Create
5 Click Expression Editor

Select Expression Type of: Client Security

Component: Process

Name*: notepad.exe

Operator: EXISTS

Then click Done

 6 Note the expression is automatically created for you now as CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

 7 Click Create
 8 Bind the new policy globally

Select NetScaler Gateway > NetScaler Gateway Policy Manager

 9 Click the + on AAA Global
 10 Click Add Binding
11 Click in the Click to Select
12 Select the only PreAuthPolicy available

Click Select

 13 Click Bind
 14 Click Done
15 Click Done
16 Browse to the gateway and check that the EPA scan is invoked before you type in any authentication credentials

Click Yes

 17 EPA Scan with notepad not running
18 EPA Scan with notepad Running

Your users can now authenticate

 19 Authenticate against the NetScaler page again and then confirm you can access all NetScaler resources

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!


Deploy the OVA File to Hypervisor – VMware ESXi 6

In this section we are going to deploy the downloaded NetScaler firmware onto our hypervisor (VMware).

Step Description Screenshot
Connect and authenticate to your VMware ESX web console

Note: In this example we are connecting to VMware ESXi 6.0 with a private IP of 192.168.1.1. The default URL is http://192.168.1.1/ui

Click Virtual Machines

Click Create / Register VM

Select Deploy a virtual machine from an OVF or OVA File

Click the section labelled ‘Click to select files or drag/drop’

Select both the OVF and the VMDK files from the firmware file downloaded from Citrix, then click Next
Select an appropriate storage location for your hypervisor to deploy the NetScaler VM
Choose the network mappings and disk provisioning best for you

Note: Disk provisioning is set to thin in this example only to save on local hypervisor disk space.

Click Finish on summary page
Click on the VM in the VMware list
Authenticate to the VMware console prompt with your VMware username and password
Click on the Console button to get access to the VM console
Success!

The NetScaler has booted and is operational


Create Authorization Policies for NetScaler Gateway

Step Description Screenshot
1 Expand NetScaler Gateway > Global Settings > Change Global Settings
2 Click Security tab

Change Default Authorization Action to DENY

Note: This change will affect all Gateways configured on the NetScaler that do not explicitly override it.

3 Expand NetScaler Gateway > Policies > Authorization Policies

Click Add

4 Create a new policy

In this example we will call it AuthPol_VPN_192.168.1.1 as the only ‘destination’ this policy will allow is to 192.168.1.1

5 Click Switch to Classic Syntax

Click Expression Editor

6 Enter the IP address details into the Expression Editor of the destination IP you want to allow access to
7 Click Create

Note: the Reg Expression has been ‘built for you’ by the editor. You can type these manually if you know the commands (or find them online!)

8 Bind this new policy to a NetScaler User

NetScaler Gateway > User Administration > AAA Users

Select the user + Edit

Click + Authorization Policies

Select the Authorization policy

Click Bind

Tip: to bind this to LDAP users you must have a local username that matches


Configure Citrix NetScaler Gateway – ICA Proxy

In this guide we will connect the Citrix NetScaler to our Citrix XA/XD Environment for ICA proxy (Citrix Sessions without VPN).

Here you will see how quickly you can set up, secure and enable remote access to your Citrix environment via the NetScaler Gateway.

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps.

Overview Diagram

Prerequisites

Item Description
 * DNS is configured on the NetScaler correctly to resolve inside DNS addresses
 * The internal or private IP Address of the VIP assigned to the NetScaler Gateway
 * Know the details of your Citrix Server STA (our Citrix DDC(s))
 * Firewall ports are open between the NetScaler and the StoreFront server
 * XenApp / XenDesktop and StoreFront already configured and set up (otherwise retrieve attributes won’t work)
 * A Certificate for your NetScaler Gateway FQDN is already installed on the NetScaler

 

Configure the NetScaler Gateway for XA/XD – Wizard

Step Description Screenshot
 1 Log into NetScaler GUI
2 Under Integrate with Citrix Products – Click XenApp and XenDesktop

Click Get Started

3 Ensure StoreFront Is selected and Click Continue on the Prerequisites

NOTE: you must have an active Citrix XenApp/XenDesktop server and a StoreFront server to proceed with the following steps. If not – please just follow along this guide to understand the steps involved.

4 Provide the details that are relevant to your StoreFront and Citrix XenApp setup

Gateway FQDN: gateway.jsconsulting.services

Gateway IP Address: Inside private IP address for the Virtual Server. (aka VIP)

Port: 443 (SSL)

Redirect: Tick this option if you are also forwarding http traffic to this VIP so the NetScaler will redirect the users to https.

Then click Continue

Note: In this guide we are using the following specific details as working examples – you should use the appropriate settings for your environment

 5 Because we enabled port 80 redirection the wizard will enable the LoadBalancing Feature on the NetScaler – Click Yes
 6 Select the certificate you have previously installed on the NetScaler.

Note: you should have the complete certificate chain installed on the NetScaler – a later video will go through these steps to ensure the complete Certificate chain is installed.

Click Continue

7 Keep Authentication as Domain

Select Use Existing Server

Select the server that has the ‘NSUsers’ profile associated (will be listed in order of creation so usually the second server in the list if you have followed our other guides)

8 Click Continue
 9 Enter the details of your StoreFront server

The retrieve stores button will not work if the StoreFront server is not configured. You will not be able to proceed with this wizard if you can’t ‘retrieve store’, as the wizard will not let you proceed manually.

 

In this example our StoreFront and Citrix XenApp are installed on the same box so the URLs can point to the same server

 10 Click Continue
 11 On the summary pages, now all the basic settings have been entered you can click Done


Configure NetScaler Gateway SSL VPN

Prerequisites

Item Description
 * NetScaler configured with IP Address, Certificates and accessible from the clients either internally or remotely over the internet.
 * Ensure Split Tunnelling is Off
 * Port 443 forwarded from firewall / router to the NetScaler VIP
 * Ensure the Default Authorization on the global configuration is set to allow

Step Description Screenshot
1 Check NetScaler gateway feature is enabled System > Settings > Configure Basic Features

 2 Ensure Global settings for NS Gateway is set to Allow
3 Expand NetScaler Gateway

Click NetScaler Gateway Wizard

4 A Separate Wizard page will open

Click Get Started

5 Provide the details of your new gateway

Note: my details are provided as an example only

6 Select the existing Certificate already installed on your NetScaler

Click Continue

7 Select the default authentication of Local and don’t select a secondary auth method

Once the wizard has completed create a user called nsgw-localuser

password: <yourpassword>

User Administration > AAA Users > Add Button

Click Continue

 8 You may close the dashboard that is opened by default after creation of the new Gateway
 9 Ensure your newly created gateway is added to DNS internally or externally (wherever you are connecting to it from)

Open a web browser to the NetScaler VIP

Login

 10 Success!
