Creating A Bulletproof Citrix Licensing Server Infrastructure

Creating a Bulletproof Citrix
Licensing Server
Infrastructure
Using NetScaler Global Server Load
Balancing (GSLB) and CtxLicChk.ps1
PowerShell Scripts
Installation and Configuration Guide

Sunday, October 09, 2016
Written By
Dane Young (@youngtech)
Citrix Technology Professional
Revision 1.0
Acknowledgements
Brendan Lin, Citrix Consulting Services
Nicholas Rintalan, Citrix Consulting Services
Victor DiMascio, Entisys Solutions
Community Driven Information Technology Virtualization and Cloud Enthusiasts Blog
Creating a Bulletproof Citrix Licensing Server Infrastructure

(@youngtech)
Written
by
Dane
Young
Overview
In medium to large organizations, there are many business reasons why the Citrix Licensing server
(license server) component of a Citrix XenApp/XenDesktop infrastructure should be centralized. For
example, when seasonal bursts exist within departments or geographic regions, a central license
server offers manageability benefits as the segregated peaks become normalized across the various
groups consuming licenses. When license servers are segregated (departmentalized, regionalized, or
decentralized), peak usage can create additional Citrix Administrator operational overhead in
allocating, revoking, reallocating, and managing the license files installed in various license servers
and usage groups. License usage trending also becomes difficult in segregated environments as usage
data must be aggregated and reported across groups or disparate license servers. For these reasons
and others, organizations centralize the Citrix license server to avoid operational overhead, simplify
compliance and usage reporting.
When the license server is centralized, a fairly obvious single point of failure risk exists. Citrix Licensing
involves a grace period whereby clients/servers that lose communication with the license server are
protected, allowing the clients/servers to continue operations as if they were still in communication
with the license server. In practice, the grace period is a good feature, however there are instances
when Citrix Licensing may cause service interruptions to occur. An example is a scenario known as the
Citrix Licensing black hole, whereby the Citrix Licensing services and ports are up and responding to
licensing requests, however no licenses are available to be issued or obtained. This can occur if the
administrator fails to load license files properly, or in more rare instances that are difficult to reproduce
(Windows OS patches, antivirus definition updates or scans, etc.). For this reason, many organizations
define process and policy for semi-automatic/manual license server recovery including: Clustering the
licensing service, creating a cold standby with licenses preloaded, backing up license files, and
performing virtual machine snapshots of the license server. These and other options are valid (and less
complex), but offer a less resilient and robust option.
To help overcome this limitation and identify service interruptions before they occur, Citrix offers a
Citrix Licensing server monitoring tool called the Citrix License Check Utility (CtxLicChk.exe) that can
be obtained from the following support article: http://support.citrix.com/article/CTX123935. This utility
is intended to be used in conjunction with the Independent Management Architecture (IMA) based
Health Monitoring and Recovery feature available with Citrix Presentation Server 4.x, XenApp 5.x, and
XenApp 6.x. At the time of writing this guide, the Health Monitoring and Recovery feature is not yet
available in the FlexCast Management Architecture (FMA) based Citrix XenApp/XenDesktop 7.x
platform. However, using Microsoft Windows PowerShell, running this utility can be automated to
provide additional resiliency to a Citrix Licensing server infrastructure. Accompanying this guide is
CtxLicChk.ps1, a PowerShell script that can perform regular Citrix Licensing health checks using
CtxLicChk.exe, report license allocation failures using SMTP e-mail alerts, and stop the Citrix Licensing
service if license allocation fails.
When combined with Citrix NetScaler Load Balancing and Global Server Load Balancing (GSLB), a
bulletproof Citrix Licensing server infrastructure can be achieved. When the Citrix Licensing service is
stopped on the primary license server, NetScaler Load Balancing and GSLB can be used to fail over
licensing communication to a warm standby backup license server. In the examples herein, two Data
Centers (DC1 and DC2) are configured with local Citrix license servers, NetScaler Load Balancing, and
NetScaler Global Server Load Balancing provided from each Data Center. Under normal conditions only
the license server in Data Center 1 is active and primary. In the event of failures such as the primary
license server, NetScaler Load Balancing Virtual Server IP (VIP), or Data Center connectivity, Citrix
licensing traffic will be directed to the backup license server in Data Center 2.
Global Server Load Balancing is not a requirement if local resiliency within a single Data Center is
sufficient. The examples below show NetScaler configurations for both local Load Balancing as well as
GSLB. If GSLB is not a licensed feature or required for cross Data Center resiliency, local Load
Balancing can be configured using the samples below. In this case, the second set of NetScaler pair
configurations and GSLB specific sections can be dismissed.
Most importantly, if configured according to the examples provided in this guide, this bulletproof Citrix
Licensing server infrastructure complies with Citrixs product End User License Agreements (EULAs).
According to the EULAs, multiple Citrix Licensing servers may exist and have allocated licenses
installed, provided only one Citrix Licensing server is active and others are warm standby backup
2|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
license servers. Compliance to this requirement is fairly simple to validate in the event of a licensing
audit using the configuration provided in this guide.
3|Page
blog.itvce.com
Written by Dane Young (@youngtech)
Topology
The following is an example topology covered in more details throughout this guide.
4|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Prerequisites
As shown in the above topology, the example environment consists of two Data Centers (DC1 and DC)
with Global Server Load Balancing between the two subnets (172.16.4.0/24 and 172.16.5.0/24). These
two Data Centers can represent West and East coast, North America and Europe, or any other
departmental or geographic separation where discrete failure domains would be desired.
Two sets of NetScaler High Availability (HA) pairs (one HA pair in each subnet) have been deployed.
The following have been configured on each NetScaler HA pair: NetScaler IPs, Subnet IPs, appropriate
NetScaler licenses to enable Global Server Load Balancing functionality.
Two Windows Server 2012 R2 virtual machines (one in each subnet) were deployed using CTXLIC as
the NetBIOS/DNS name (case sensitive). Since these machines require the same NetBIOS/DNS name
for Citrix Licensing to load the license file, these license servers should not be domain joined as they
cannot share the same Active Directory computer object. Citrix Licensing server components have
been installed and a license file has been loaded to the MyFiles folder using the process described in
the Importing License Files section of product documentation.
Note: If the license severs must be domain joined to adhere to organization policy, the servers can be
joined to different subdomains under the top level forest. The example environment uses domain.com
for the top level forest and domain. To domain join multiple Citrix license servers, the following could
exist under the same top level forest: CTXLIC.dc1.domain.com and CTXLIC.dc2.domain.com. It is not a
recommended configuration to create subdomains strictly for this purpose unless other reasons or
benefits exist for organizational subdomains.
Two XenApp/XenDesktop 7.x Delivery Controllers have been installed (one in each subnet) to represent
resources in each Data Center. Multiple XenApp/XenDesktop resources (Windows Client and Server OS)
were deployed in each site, with the Virtual Desktop Agent installed and configured.
Summary of Prerequisites:
The following represents a summary of the prerequisites:
Two Data Centers (DC1 and DC2) with disparate subnets and routing between (172.16.4.0/24 &
172.16.5.0/24).
Two sets of NetScaler HA Pairs (one HA pair in each subnet).
NetScaler IP addresses (NSIP), Subnet IPs (SNIP), and licenses configured for each pair.
Two License servers deployed (one in each subnet) using identical NetBIOS/DNS name (CTXLIC).
o License servers are not to be domain joined.
o Citrix licensing server components have been installed on each with the license file loaded.
Citrix XenApp/XenDesktop Delivery Controller components installed on at least two servers (one in
each subnet).
o Citrix Licensing is required when the site is configured. Ideally this should be done after
GSLB licensing has been configured according to the procedures in this guide. Otherwise,
reconfiguring a Citrix XenApp/XenDesktop Site to the GSLB DNS address is acceptable and
documented in this guide if the XenApp/XenDesktop site and licensing was already
configured.
Citrix XenApp/XenDesktop resources installed and configured (Windows Client or Server OS) with
the VDA installed and configured.
5|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
NetScaler GSLB Introduction

To understand NetScaler Global Server Load Balancing (GSLB), the following GSLB Primer should be
reviewed:
http://support.citrix.com/article/CTX123976
In this configuration guide, Authoritative DNS (ADNS) option for NetScaler GSLB configuration is
utilized. The diagram below shows how ADNS works NetScaler GSLB:
6|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Citrix Licensing Server Prerequisites

As shown in the above topology, the example environment consists of two license servers. The
NetBIOS/DNS name on these two servers is identical (CTXLIC). A friendly name is used to identify each
license server corresponding to the Data Center (CTXLICDC1 and CTXLICDC2). Both servers are in a
Windows Workgroup (not domain joined). The license servers have static IP addresses corresponding to
their appropriate subnets (172.16.4.15 and 172.16.5.15). The Citrix Licensing server component has
been installed from the corresponding XenApp/XenDesktop installation media. Using the CTXLIC
hostname, a XenApp/XenDesktop license file has been downloaded from MyCitrix and installed,
licenses displayed in the Citrix License Administration Console of each server.
7|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Citrix Licensing Server Configuration

Disable Strict Name Checking
The license servers are required to have a registry change to disable strict name checking. This
change is required to allow for the backend servers to be proxied through NetScaler using a different
name than the server name. For example, the Delivery Controllers and VDAs (XenApp servers and
XenDesktop clients) would all reference ctxlic.gslb.domain.com. License traffic proxied through Load
Balancing would not function properly without these registry changes. Configure each license server
with the following registry entry as detailed below:
1)
2)
3)
4)
5)
6)
Backup the existing registry

Start Registry Editor (Regedt32.exe).
Locate and select the following key in the registry:
KEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1
Quit Registry Editor
Restart the server
Optionally, the following can be run from an elevated command prompt (restart the server once
completed):
reg add HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v
DisableStrictNameChecking /t REG_DWORD /d 1
Copy SSL Certificate and Key Files

The current version of the Citrix Licensing server component uses an SSL certificate to encrypt the
Licensing communication between clients and servers. Optionally, an Enterprise Certificate Authority
or Third-Party certificate may be used to encrypt communication. If issuing a custom certificate, use
the desired GSLB DNS address to ensure a certificate name mismatch error does not exist. For
configuration examples, see the following documentation:
http://support.citrix.com/proddocs/topic/licensing-11121/lic-cert-simple-license-service.html
Since the traffic will be load balanced, it is important that an identical SSL certificate exist on both
licensing servers, otherwise a certificate mismatch will cause the communication to fail. A default SSL
certificate is configured during installation. To use the default certificate from the first Citrix Licensing
server, copy the server.crt and server.key files from the following directory:
(Installation Drive:) \Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf
Place these two files into the same directory on the second Citrix Licensing server and restart the
Simple License Service or license server to import the new certificate.
In Studio, the following error message may be displayed during failover if the certificate (server.crt and
server.key) is not identical between the two servers:
8|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
9|Page
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
CtxLicChk.ps1 PowerShell Script Configuration

As part of the Independent Management Architecture (IMA) Health Monitoring and Recovery feature,
Citrix provides a Citrix Licensing server monitoring tool called CtxLicChk.exe. This tool can be obtained
from the following:
With FlexCast Management Architecture (FMA) at the time of writing this guide there is no equivalent
to the Health Monitoring and Recovery feature. Therefore, this tool cannot be integrated in the same
way for current XenApp/XenDesktop 7.x environments. However, included in this guide is a PowerShell
script (CtxLicChk.ps1) that will perform the test locally on each of the Citrix Licensing servers as a
Scheduled Task. If the test fails for whatever reason, the script can notify an e-mail alias using SMTP,
and stop the Citrix Licensing service. This will cause the NetScaler Load Balancing monitor to fail the
NetScaler vserver to the backup Licensing server. This reduces the possibility of the Citrix Licensing
black hole effect where the Citrix Licensing services remain up but the client is unable to obtain a
license.
To setup, download and extract CtxLicChk.zip from http://support.citrix.com/article/CTX123935. Place
the PowerShell script accompanying this guide in the extracted CtxLicChk directory where 'pkg' folder
resides. For example, CtxLicChk.zip extracted to the root of C:\ would result in C:\CtxLicChk\pkg and
C:\CtxLicChk\CtxLicChk.ps1 in same directory. Inside 'C:\CtxLicChk\pkg' folder are vc71, vclh, and
readme.txt and other subfolders/files. If a different folder structure is used, update the path to
ctxlicchk.exe in the global variables section. The script will look to the current execution directory for
the 'pkg' folder.
The script will run in an infinite loop, performing the CtxLicChk process to checks out a license with a
frequency defined in the Global Variables section as ctxlicchkfreq (example: every five minutes). If
license check process fails, the script stops the Citrix Licensing service and optionally notifies the Citrix
Administrator using an SMTP e-mail alias configured. This script does not require XenApp Health
Monitoring and Recovery as this functionality is not yet available in XenApp/XenDesktop 7.x FMA
architecture.
10 | P a g e
blog.itvce.com
CtxLicChk.ps1 PowerShell Script (Revision 1.0)

To recreate the PowerShell script accompanying this guide, open Notepad, copy/paste the contents of the table below and save as
CtxLicChk.ps1 in the extracted CtxLicChk directory:
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# Citrix License Check script for Citrix Licensing Servers
# Provides Health Monitoring and Recovery functionality for licensing services for Citrix products
# Using ctxlicchk.exe obtained from http://support.citrix.com/article/CTX123935
# Checks out a license every xx minutes (as defined in the Global Variables section ctxlicchkfreq)
# If license checkout process fails, script stops the Citrix Licensing service
# When Citrix Licensing service stops, load balancing fails over to standby license server(s)
# Use in combination with Load Balancing or Global Server Load Balancing to add resiliency
# and avoid the Citrix License Server black hole effect (Citrix Licensing services up, but unable to obtain licenses)
# This script does not require XenApp Health Monitoring and Recovery as this functionality is not yet available in XA/XD 7.x FMA architecture
#
# This script can be run as a schedule task from all Citrix Licensing Servers in a load balanced group (local or GSLB for datacenter failure resiliency)
# To setup, download and extract CtxLicChk.zip from http://support.citrix.com/article/CTX123935
# Place this script in the CtxLicChk directory where 'pkg' folder resides
# For example, CtxLicChk.zip extracted to the root of C:\ would result in C:\CtxLicChk\pkg and C:\CtxLicChk\CtxLicChk.ps1 in same directory
# Inside 'C:\CtxLicChk\pkg' folder are vc71, vclh, and readme.txt folders and files and other subfolders/files
# If you use a different folder structure, you may need to update path to ctxlicchk.exe in the global variables section
# Script will look to the current execution directory for the 'pkg' folder.
#
# Modify ctxlictype global variable prior to running the script
# Example License Types include XDT_PLT_CCS, XDT_PLT_UD, MPS_PLT_CCU, MPS_PLT_UD, etc.
# Check existing License File in \Citrix\Licensing\MyFiles for specific license type/code used
#
# Created by Dane Young (@youngtech), CTP, itvce.com Copyright 2015
# Check http://blog.itvce.com/?p=5748 for updates and for NetScaler Load Balancing / Global Server Load Balancing configuration examples
# Build 2015.02.08 Revision 1
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# GLOBAL VARIABLES
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------$ctxlicchkpath = "\pkg\vc71\ctxlicchk.exe"
# Path to ctxlicchk.exe in subdirectory (place script in root directory where 'pkg' folder resides)
$ctxlicsrv = "127.0.0.1"
# Use IPv4 address if loopback address (127.0.0.1) doesn't work for whatever reason
$ctxlictype = "XDT_PLT_CCS"
# Type of license to look for. Look at license file in \Citrix\Licensing\MyFiles folder for example
$ctxlicchkfreq = 5
# Frequency to check for licenses in minutes
$Global:ENABLESMTP = $false
# Define if SMTP notifications should be sent indicating progress throughout the script. If $false, only CtxLicChk.log
# entries will be written. If $true, the next section of variables must be defined for SMTP relay
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# SMTP Parameters for Script Startup and Failure Notification
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# By default, SMTP notifications will use secure authenticated SMTP over port 587
# Since there are many options for SMTP relay, I decided to focus on the most secure for the provided script.
# This configuration even worked using smtp.gmail.com and my Gmail account for authentication
# If you want to change this to either unsecure or unauthenticated SMTP relay, research PowerShell and Net.Mail.SmtpClient for examples
# Then, change the five lines below and search for SmtpClient within this script to update the necessary SMTP configuration lines
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------$Global:EmailFrom = "example@domain.com"
$Global:EmailTo = "example@domain.com"
$Global:SMTPServer = "smtp.domain.com"
$Global:SMTPUsername = "serviceaccountusername"
$Global:SMTPPassword = "serviceaccountpassword"
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# Full path to ctxlicchk.exe
11 | P a g e
blog.itvce.com
$ctxlicchk = "$PSScriptRoot$ctxlicchkpath"
# Create a string variable with all IP addresses for reporting
$ipaddresses = Get-NetIPAddress | format-table | out-string
# If SMTP is enabled, setup the SMTP Client using the Global parameters
if ($EnableSMTP -eq $true){$Global:SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587);$Global:SMTPClient.EnableSsl = $true;$Global:SMTPClient.Credentials = New-Object
System.Net.NetworkCredential($SMTPUsername, $SMTPPassword)}
# If SMTP is enabled, fire off the first e-mail notification at script startup
if ($EnableSMTP -eq $true){$SMTPClient.Send($EmailFrom, $EmailTo, "Starting CtxLicChk Script with the following global vairables:","ctxlicchkpath:" + $ctxlicchkpath + "`nctxlicsrv:" +
$ctxlicsrv + "`nctxlictype:" + $ctxlictype + "`nctxlicchkfreq:" + $ctxlicchkfreq + "`n" + $ipaddresses)}
# Create a CtxLicChk.log file in the same directory for logging. Flush the log and add an entry at script startup
write-output ("Starting CtxLicChk Script with the following global vairables: ctxlicchkpath:" + $ctxlicchkpath + "; ctxlicsrv:" + $ctxlicsrv + "; ctxlictype:" + $ctxlictype + ";
ctxlicchkfreq:" + $ctxlicchkfreq + "`n" + $ipaddresses) | Out-File "$PSScriptRoot\CtxLicChk.log"
# Create an infinite loop
$infiniteloop = $true
do {
# Run the CtxLicChk.exe using the ctxlicsrv and ctxlictype parameters and log the output to a new variable ctxlicchkoutput
$ctxlicchkoutput = & $ctxlicchk $ctxlicsrv $ctxlictype
# Perform logic to see if the ctxlicchk passed or failed
if ($ctxlicchkoutput -like "*License checkout test failed!*"){
# Write an entry to the CtxLicChk.log and e-mail using SMTPClient if the test failed
write-output (get-date)$ctxlicchkoutput | Out-File "$PSScriptRoot\CtxLicChk.log" -append
if ($EnableSMTP -eq $true){$SMTPClient.Send($EmailFrom, $EmailTo, "License Check Failed! Stopping Citrix Licensing Service:" + $ctxlicchkoutput + ".", $ipaddresses)}
# If the test failed, log to CtxLicChk.log that the service is being stopped and stop the Citrix Licensing service (TCP 27000 port down state)
write-output (get-date)"License Check Failed! Stopping Citrix Licensing Service" | Out-File "$PSScriptRoot\CtxLicChk.log" -append
Stop-Service -displayname "Citrix Licensing" | Out-File "$PSScriptRoot\CtxLicChk.log" -append
} else {
# If the ctxlicchk test didn't fail, log the output to the CtxLicChk.log file
write-output (get-date)$ctxlicchkoutput | Out-File "$PSScriptRoot\CtxLicChk.log" -append
}
# As part of the infinite loop, log to the CtxLogChk.log that the script is sleeping for xx minutes and go to sleep for duration specified in ctxlicchkfreq global variable
write-output (get-date)"Sleeping for $ctxlicchkfreq Minutes" | Out-File "$PSScriptRoot\CtxLicChk.log" -append
start-sleep -s ($ctxlicchkfreq * 60) # Sleep for CtxLicChk Frequency converted to seconds
} while ($infiniteLoop -eq $true)
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# Created by Dane Young (@youngtech), CTP, itvce.com Copyright 2015
# Check http://blog.itvce.com/?p=5748 for updates and for NetScaler Load Balancing / Global Server Load Balancing configuration examples
# Build 2015.02.08 Revision 1
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#---------------------------------------------------------------------------------------------------------------------------------------------------------------------# THIS POWERSHELL SCRIPT AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT
# WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We
# grant You a nonexclusive, royalty-free right to use and modify the PowerShell Script
# and to reproduce and distribute the object code form of the PowerShell Script,
# provided that You agree: (i) to not use this script in part or in whole for
# profitable gain; (ii) to not change parts of this script including owner information
# and copyright statements without crediting the author; (iii) to not market Your
12 | P a g e
blog.itvce.com
# software product in which this PowerShell Script is embedded; (iv) to include a

# valid copyright and disclaimer notice wherever this PowerShell Script is embedded;
# and (v) to indemnify, hold harmless, and defend Us and Our suppliers from and
# against any claims or lawsuits, including attorneys fees, that arise or result from
# the use or distribution of the PowerShell Script. This posting is provided "AS IS"
# with no warranties, and confers no rights. Use of included script samples are
# subject to the terms specified at http://blog.itvce.com/?page_id=4934.
#---------------------------------------------------------------------------------------------------------------------------------------------------------------------#----------------------------------------------------------------------------------------------------------------------------------------------------------------------
13 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Creating a Scheduled Task for CtxLicChk.ps1

This script can be setup to run in an infinite loop as a Scheduled Task using the following parameters:
1.
Create a new task named

utilizing a service account
Administrator.
CtxLicChk
or local
Be sure to select
Run whether user is logged on or not
2.
For the trigger, use a daily trigger at any

time as desired. Keep in mind, this script
will loop endlessly, so this is simply to
respawn the script if it terminates
unexpectedly.
3.
For the action, use the following:

Start a program
Program/script:
%SystemRoot
%\system32\WindowsPowerShell\v1.0\powe
rshell.exe
Arguments:
-NoExit
-ExecutionPolicy
Bypass -File "%PATH%\CtxLicChk.ps1"
(Where %PATH% is the location of the
script)
14 | P a g e
blog.itvce.com

(@youngtech)
4.
Use the following Conditions:
5.
Use the following Settings:
Written
by
Dane
Young
15 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Citrix NetScaler Configuration

Configuration Overview and Key Configuration Details
Review Citrix NetScaler prerequisites prior to proceeding.
To simplify the copy/paste configurations process using the NetScaler configuration examples below,
the following table represents the key configuration details and text within the configurations that can
be modified using Find and Replace.
Configuration
Citrix Licensing Monitor prefix for
CTXLIC Server in Data Center 1
Citrix Licensing Monitor prefix for
Citrix Licensing Service prefix for
Citrix Licensing Service prefix for
Citrix Licensing Load Balancing prefix
for CTXLIC Server in Data Center 1
Citrix Licensing Load Balancing prefix
for CTXLIC Server in Data Center 2
Citrix Licensing GSLB Monitor prefix
for CTXLIC vserver VIP in Data Center
1
Citrix Licensing GSLB Monitor prefix
2
Citrix Licensing GSLB Service prefix
1
Citrix Licensing GSLB Service prefix
2
Citrix Licensing GSLB Server object
for CTXLIC lb vserver VIP in Data
Center 1
Citrix Licensing GSLB Server object
for CTXLIC lb vserver VIP in Data
Center 2
GSLB Site name for Data Center 1
Text to Replace
mon_ctxlicdc1
GSLB Site name for Data Center 2
gslb_site_dc2
Citrix Licensing Server IP for CTXLIC

in Data Center 1
Citrix Licensing Server IP for CTXLIC
in Data Center 2
Citrix Licensing Server Load Balancing
vserver VIP for CTXLIC in Data Center
1
Citrix Licensing Server Load Balancing
vserver VIP for CTXLIC in Data Center
2
NetScaler Subnet IP (to be used for
ADNS Binding and GSLB Site IP) in
172.16.4.15
Replace With
(Optional to replace)
mon_ctxlicdc2
svc_ctxlicdc1
svc_ctxlicdc2
lb_ctxlicdc1
lb_ctxlicdc2
mon_gslb_ctxlicdc1
mon_gslb_ctxlicdc2
svc_gslb_ctxlicdc1
svc_gslb_ctxlicdc2
lb_ctxlicdc1_vip
lb_ctxlicdc2_vip
gslb_site_dc1
172.16.5.15
172.16.4.14
0.0.0.0
(Replace with real IP)
0.0.0.0
0.0.0.0
172.16.5.14
0.0.0.0
172.16.4.13
0.0.0.0
16 | P a g e
blog.itvce.com

(@youngtech)
Data Center 1
NetScaler Subnet IP (to be used for
ADNS Binding and GSLB Site IP) in
Data Center 2
NetScaler Global Server Load
Balancing DNS record
Written
by
Dane
Young
172.16.5.13
0.0.0.0
ctxlic.gslb.domain.com
0.0.0.0
Enable the NetScaler Features in Both Data Centers

On both sets of NetScalers (DC1 and DC2) enable the lb and gslb features, then add the GSLB site
name and IP definitions. Using Find and Replace, modify the following using the information in the
configuration details table and run the following:
enable feature gslb
enable feature lb
add gslb site gslb_site_dc1 172.16.4.13
add gslb site gslb_site_dc2 172.16.5.13
Configure Authoritative DNS for NetScalers in Data Center 1

On Data Center 1 NetScalers (DC1) configure a service listener for Authoritative DNS (ADNS) on the
Subnet IP. Using Find and Replace, modify the following using the information in the configuration
details table and run the following:
add service adns_svc 172.16.4.13 adns 53
Configure Authoritative DNS for NetScalers in Data Center 2

On Data Center 2 NetScalers (DC2) configure a service listener for Authoritative DNS (ADNS) on the
Subnet IP. Using Find and Replace, modify the following using the information in the configuration
details table and run the following:
add service adns_svc 172.16.5.13 adns 53
Configure CTXLICDC1 Load Balancing vserver for NetScalers in Data Center

1
On Data Center 1 NetScalers (DC1) configure the LB services, monitors, and vservers for CTXLICDC1
server. Using Find and Replace, modify the following using the information in the configuration details
table and run the following:
# Create a wildcard service
add service svc_ctxlicdc1 172.16.4.15 TCP * -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip
NO -useproxyport YES -sp ON -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO
# Create four monitors for each license server, for each port
add lb monitor mon_ctxlicdc1_27000 TCP -LRTM DISABLED -destIP 172.16.4.15 -destPort 27000
# Bind the four monitors to the service
bind service svc_ctxlicdc1 -monitorName
mon_ctxlicdc1_27000
mon_ctxlicdc1_7279
mon_ctxlicdc1_8082
mon_ctxlicdc1_8083
# Create the wildcard lb vserver and bind service

add lb vserver lb_ctxlicdc1 TCP 172.16.4.14 * -persistenceType NONE -cltTimeout 9000
bind lb vserver lb_ctxlicdc1 svc_ctxlicdc1
17 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young

1
mon_ctxlicdc2_27000
mon_ctxlicdc2_7279
mon_ctxlicdc2_8082
mon_ctxlicdc2_8083
# Create the wildcard lb vserver, bind service, and set backup

add lb vserver lb_ctxlicdc2 TCP 0.0.0.0 0 -persistenceType NONE -cltTimeout 9000
set lb vserver lb_ctxlicdc1 -backupVServer lb_ctxlicdc2

2
mon_ctxlicdc1_27000
mon_ctxlicdc1_7279
mon_ctxlicdc1_8082
mon_ctxlicdc1_8083
# Create the wildcard lb vserver and bind service

add lb vserver lb_ctxlicdc1 TCP 172.16.5.14 * -persistenceType NONE -cltTimeout 9000
Configure CTXLICDC12 Load Balancing vserver for NetScalers in Data

Center 2
18 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young

mon_ctxlicdc2_27000
mon_ctxlicdc2_7279
mon_ctxlicdc2_8082
mon_ctxlicdc2_8083
# Create the wildcard lb vserver, bind service, and set backup

add lb vserver lb_ctxlicdc2 TCP 0.0.0.0 0 -persistenceType NONE -cltTimeout 9000
set lb vserver lb_ctxlicdc1 -backupVServer lb_ctxlicdc2
Configure CTXLIC Global Server Load Balancing on NetScalers in Both Data

Centers
On both sets of NetScalers (DC1 and DC2) configure the LB server objects, GSLB monitors, GSLB
services, and GSLB vservers for CTXLIC.gslb.company.com. Using Find and Replace, modify the
following using the information in the configuration details table and run the following:
# Add server object for GSLB VIP for DC1 referencing CTXLICDC1 Virtual Server
add server lb_ctxlicdc1_vip 172.16.4.14
# Add server object for GSLB VIP for DC2 referencing CTXLICDC2 Virtual Server
add server lb_ctxlicdc2_vip 172.16.5.14
# Create four monitors for the LB VIP for CTXLICDC1 license server, one for each port
add lb monitor mon_gslb_ctxlicdc1_vip_27000 TCP -LRTM DISABLED -destIP 172.16.4.14 -destPort
27000
add lb monitor mon_gslb_ctxlicdc1_vip_7279 TCP -LRTM DISABLED -destIP 172.16.4.14 -destPort 7279
# Create four monitors for the LB VIP for CTXLICDC2 license server, one for each port
add lb monitor mon_gslb_ctxlicdc2_vip_27000 TCP -LRTM DISABLED -destIP 172.16.5.14 -destPort
27000
# add GSLB service object for CTXLICDC1
add gslb service svc_gslb_ctxlicdc1_27000
-publicPort 27000 -maxClient 0 -siteName
-downStateFlush DISABLED
lb_ctxlicdc1_vip TCP 27000 -publicIP 172.16.4.14

gslb_site_dc1 -cltTimeout 9000 -svrTimeout 9000
19 | P a g e
blog.itvce.com

(@youngtech)
# Add GSLB service object for CTXLICDC2
Written
by
Dane
Young

# Add GSLB monitors for CTXLICDC1 LB VIP

bind monitor mon_gslb_ctxlicdc1_vip_27000 svc_gslb_ctxlicdc1_27000 -state enabled
# Add GSLB monitors for CTXLICDC2 LB VIP
# Add GSLB virtual server object for CTXLICDC1
add gslb vserver lb_ctxlicdc1_vip TCP -backupLBMethod
-appflowLog DISABLED
# Bind GSLB services to CTXLICDC1 GSLB VIP
bind gslb vserver lb_ctxlicdc1_vip -serviceName
ROUNDROBIN
-tolerance
-EDR
ENABLED
svc_gslb_ctxlicdc1_27000
# Add GSLB virtual server object for CTXLICDC2
20 | P a g e
blog.itvce.com

(@youngtech)
add gslb
DISABLED
vserver
lb_ctxlicdc2_vip
TCP
-backupLBMethod
# Bind GSLB services to CTXLICDC2 GSLB VIP

Written
ROUNDROBIN
by
-tolerance
Dane
0
Young
-appflowLog
# Configure CTXLICDC2 to be the backup for CTXLICDC1

set gslb vserver lb_ctxlicdc1_vip -backupVServer lb_ctxlicdc2_vip -backupLBMethod ROUNDROBIN -EDR
ENABLED -appflowLog DISABLED
# Bind GSLB Domain to CTXLICDC1 GSLB VIP
bind gslb vserver lb_ctxlicdc1_vip -domainName ctxlic.gslb.domain.com -TTL 5
21 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Microsoft Domain Naming Service (DNS) Delegation

Configuration
Configure Microsoft DNS for delegated subdomain for Authoritative DNS
For Authoritative DNS (ADNS) to function properly using NetScaler GSLB DNS resolution, the NetScalers
must be delegated as Name Servers for a subdomain (gslb.domain.com for example). For more
details and examples, see the following:
For this sample configuration, a subdomain named gslb was created under domain.com with the
following addresses configured as Name Servers:
Data Center 1 NetScaler ADNS Service IP:
Data Center 2 NetScaler ADNS Service IP:
172.16.4.13
172.16.5.13
Configure using the information in the configuration details table for NetScaler Subnet IP (to be used
for ADNS Binding and GSLB Site IP).
1.
2.
3.
4.
5.
6.
To create a delegation, right-click the domain and select New Delegation from the shortcut menu.
Click Next in the Delegated Domain Name wizard.
Type the sub-domain to delegate, such as gslb.
Click Next.
Click Add.
Type the NetScaler ADNS Service IP in the FQDN and IP Address fields.
22 | P a g e
blog.itvce.com

(@youngtech)
7.
8.
Written
by
Dane
Young
Click OK.
Repeat Step 5 to Step 7 of this procedure to add each additional NetScaler ADNS Service IP:
9. Click Next.
10. Click Finish.
11. After completing the preceding procedure, the queries sent to the sub-domain to the DNS server
either cause a recursive lookup to the NetScaler appliances or are responded to with the NetScaler
records that have been configured. To verify this, query the DNS server directly for the NetScaler
appliance record of the sub-domain, as shown in the following screen shot:
23 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Configuring XenApp/XenDesktop 7.x

Configure the XenApp/XenDesktop 7.x Site to use GSLB DNS record for
Citrix Licensing
Install and configure XenApp/XenDesktop 7.x Delivery Controllers using the installation media. Once
installed, during the initial XenApp/XenDesktop Site configuration, the Citrix License server should be
configured to direct traffic to the GSLB DNS address. The following screenshots show an example
configuration after the Site has already been configured.
1.
2.
3.
In Citrix Studio navigate to Configuration \ Licensing.

Select Change License Server.
Type the FQDN of the GSLB DNS address, for example ctxlic.gslb.domain.com:
4.
Select Connect me and click Confirm:
5.
Click OK
24 | P a g e
blog.itvce.com

(@youngtech)
Written
by
Dane
Young
Configuration and Failover Validation

To confirm the configuration is working as desired, failover validation should be performed. Examples
of some failure tests include the following:
Failure of the Citrix Licensing Service

Stop the Citrix Licensing services on the primary license server and examine impact to NetScaler
monitors and licensing traffic flow to backup license server. Refresh Licensing in Studio to review
results. Launch a session using XenApp or XenDesktop resources to validate license allocation
functionality.
Failure to Obtain a Citrix License

Once the CtxLicChk.ps1 script has been configured, move all available license files from the MyFiles
folder. Restart the Citrix Licensing service to update list of available licenses (null). Run the
CtxLicChk.ps1 script using PowerShell or by manually running the Scheduled Task. Examine the SMTP
e-mail alert upon failure (if configured). Examine the CtxLicChk.log file in the same directory as the
CtxLicChk.ps1 script. Examine the Citrix Licensing service stopping and impact to NetScaler monitors
as demonstrated in the previous failure test. Refresh Licensing in Studio to review results. Launch a
session using XenApp or XenDesktop resources to validate license allocation functionality.
Failure of the NetScaler Load Balancing VIP

Disable the NetScaler Load Balancing VIP on the primary NetScalers in Data Center 1. Perform an
nslookup of the GSLB DNS address to validate failover to the backup Load Balancing VIP. Compare
results if NetScaler VIP is down but Citrix Licensing server is up. Refresh Licensing in Studio to review
results. Launch a session using XenApp or XenDesktop resources to validate license allocation
functionality.
Failure of a Data Center

Shutdown the NetScalers and license server in Data Center 1 to simulate a location connectivity loss.
Perform an nslookup of the GSLB DNS address to validate functionality of GSLB with a single Name
Server. Validate failover to the backup Load Balancing VIP. Refresh Licensing in Studio to review results.
Launch a session using XenApp or XenDesktop resources to validate license allocation functionality.
25 | P a g e
blog.itvce.com
Community Driven Information Technology Virtualization and Cloud Enthusiasts Blog
Written By
Dane Young (@youngtech)
Citrix Technology Professional
Revision 1.0
Acknowledgements
Brendan Lin, Citrix Consulting Services
Nicholas Rintalan, Citrix Consulting Services
Victor DiMascio, Entisys Solutions
THIS CONFIGURATION GUIDE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant
You a nonexclusive, royalty-free right to use and modify the configuration guide and to reproduce and
distribute the object code form of the included script, provided that You agree: (i) to not use this
configuration guide or included script in part or in whole for profitable gain; (ii) to not change parts of
this configuration guide or included script including owner information and copyright statements
without crediting the author; (iii) to not market Your software product in which this configuration guide
or included script is embedded; (iv) to include a valid copyright and disclaimer notice wherever this
configuration guide or included script is embedded; and (v) to indemnify, hold harmless, and defend Us
and Our suppliers from and against any claims or lawsuits, including attorneys fees, that arise or
result from the use or distribution of this configuration guide or included script. This posting is provided
"AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at http://blog.itvce.com/?page_id=4934.

Creating A Bulletproof Citrix Licensing Server Infrastructure

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Creating A Bulletproof Citrix Licensing Server Infrastructure

Загружено:

Авторское право:

Доступные форматы

Creating a Bulletproof Citrix

Installation and Configuration Guide

Community Driven Information Technology Virtualization and Cloud Enthusiasts Blog

Creating a Bulletproof Citrix Licensing Server Infrastructure

Creating a Bulletproof Citrix Licensing Server Infrastructure

Creating a Bulletproof Citrix Licensing Server Infrastructure

Written by Dane Young (@youngtech)

Creating a Bulletproof Citrix Licensing Server Infrastructure

Creating a Bulletproof Citrix Licensing Server Infrastructure

NetScaler GSLB Introduction

Creating a Bulletproof Citrix Licensing Server Infrastructure

Citrix Licensing Server Prerequisites

Creating a Bulletproof Citrix Licensing Server Infrastructure

Citrix Licensing Server Configuration

Backup the existing registry

Copy SSL Certificate and Key Files

Creating a Bulletproof Citrix Licensing Server Infrastructure

Creating a Bulletproof Citrix Licensing Server Infrastructure

CtxLicChk.ps1 PowerShell Script Configuration

Creating a Bulletproof Citrix Licensing Server Infrastructure

Written by Dane Young (@youngtech)

CtxLicChk.ps1 PowerShell Script (Revision 1.0)

Creating a Bulletproof Citrix Licensing Server Infrastructure

Written by Dane Young (@youngtech)

Creating a Bulletproof Citrix Licensing Server Infrastructure

Written by Dane Young (@youngtech)

# software product in which this PowerShell Script is embedded; (iv) to include a

Creating a Bulletproof Citrix Licensing Server Infrastructure

Creating a Scheduled Task for CtxLicChk.ps1

Create a new task named

For the trigger, use a daily trigger at any

For the action, use the following:

Creating a Bulletproof Citrix Licensing Server Infrastructure

Use the following Conditions:

Use the following Settings:

Creating a Bulletproof Citrix Licensing Server Infrastructure

Citrix NetScaler Configuration

GSLB Site name for Data Center 2

Citrix Licensing Server IP for CTXLIC

Creating a Bulletproof Citrix Licensing Server Infrastructure

Enable the NetScaler Features in Both Data Centers

Configure Authoritative DNS for NetScalers in Data Center 1

Configure Authoritative DNS for NetScalers in Data Center 2

Configure CTXLICDC1 Load Balancing vserver for NetScalers in Data Center

# Create the wildcard lb vserver and bind service

Creating a Bulletproof Citrix Licensing Server Infrastructure

Configure CTXLICDC2 Load Balancing vserver for NetScalers in Data Center

# Create the wildcard lb vserver, bind service, and set backup

Configure CTXLICDC1 Load Balancing vserver for NetScalers in Data Center

# Create the wildcard lb vserver and bind service

Configure CTXLICDC12 Load Balancing vserver for NetScalers in Data

Creating a Bulletproof Citrix Licensing Server Infrastructure

# Create a wildcard service

# Create the wildcard lb vserver, bind service, and set backup

Configure CTXLIC Global Server Load Balancing on NetScalers in Both Data

lb_ctxlicdc1_vip TCP 27000 -publicIP 172.16.4.14

Creating a Bulletproof Citrix Licensing Server Infrastructure

lb_ctxlicdc2_vip TCP 27000 -publicIP 172.16.5.14

# Add GSLB monitors for CTXLICDC1 LB VIP

# Add GSLB virtual server object for CTXLICDC2

Creating a Bulletproof Citrix Licensing Server Infrastructure

# Bind GSLB services to CTXLICDC2 GSLB VIP

# Configure CTXLICDC2 to be the backup for CTXLICDC1