Create an ICA File from Storefront using PowerShell or JavaScript

Good ol' ICA File

Update 7-26-16: I created an additional PowerShell script that can utilize explict authentication vs anonymous only.  Available on Github.

Stand alone ICA files used to allow organizations a multitude of access options, such as single click web shortcuts, login scripts or simple desktop shortcuts for XenApp access as recent as 6.5. When XenApp moved to the FMA architecture the good ol' days of the stand alone ICA files were gone  Administrators can attempt to come close to the same behavior by utilizing Receiver SSO with shortcut publishing or web shortcuts created from Storefront.  While the ease of access is still "kind of" there, it's not nearly as easy and convenient as running a simple ICA file.  This situation adds complexity for both administrators and users by additional configuration challenges for administrators and additional steps for users to access the published resource.  To complicate things even further for administrators, add in some Windows XP clients with an older version of Internet Explorer 8(see notification below when launching Storefont web shortcut) or stand alone Citrix Receiver Web client without SSO or pnagent functionality and it's a difficult scenario to solve.  This post covers scripts I created for both JavaScript and PowerShell that can generate ICA files to be launched a variety of different ways.


TL;DR: Click here to go to GitHub to download.

Add a comment

Read more: Create an ICA File from Storefront using...

  • Category: Netscaler

Upgrade Netscaler via REST API Install Command

With the recent release of Netscaler firmware 11.1 from Citrix brings a new NITRO API command called "install" which allows firmware upgrades from the API.  I got pretty excited when I saw this and decided to take a look since I always felt this would be a great feature to have.  This post goes through how it functions and includes a powershell script that uses the new functionality for future firmware releases.


Add a comment

Read more: Upgrade Netscaler via REST API Install Command

  • Category: Netscaler

Scoring an A+ for Netscaler from SSLLABS with Powershell


UPDATE 6-13-16: Updated Script to reflect Citrix blog with updated ciphers

UPDATE 2-21-16: Script now creates STS policy and enables Forward Secrecy resulting in A+ for all SSL VIPS!

Citrix released a blog early summer of 2015 outlining steps to take to harden SSL virtual servers to receive an "A+" from SSLLABS.  While the steps are easy to follow and doesn't take a lot of time for one Netscaler instance it can be time consuming for multiple instances. I created the following script to automate the process for all Load Balanced Servers (SSL), Netscaler Gateways and Content Switches (SSL) found on a Netscaler.  If need be you can even harden the management ports.  Simply edit the switches to reflect your environment and run. The script doesn't require any snapins but does require PowerShell 3.0 or greater for REST. Please feel free to leave any feedback on github or the comments below.




Thanks to Carl Stalhood for a great starting point on the Netscaler API portion!

Add a comment
  • Category: Netscaler

2Factor with Google Authenticator and Netscaler

Update January 9, 2018

This post is extremely old and before Citrix offered a real OTP solution.  Please use Carl's guide found here.

If you use 2factor for common websites like Gmail, Wordpress or maybe even your work chances you heard of the Google Authenticator app.  It's a very inexpensive way to add an additional layer of security for authentication and can be used for a wide variety of purposes. In this post we will configure an Ubuntu 14.04 server to work with Netscaler Gateway as a RADIUS server.  Lets get started.

I would like to thank the author of for a great starting point.

Add a comment

Read more: 2Factor with Google Authenticator and Netscaler

  • Category: Netscaler

Redirect to Full Store Web Path with Netscaler

I hate having to edit single files on multiple servers since it can cause consistency issues and a pain if you need to make changes.  To redirect users to the full Storefront URL it took editing\creating a javascript snippet pointing to the full Storefront web URL.  By using the Netscaler for this process saves the time needed to touch each server and one less thing to worry about. 

add rewrite action rw_action_storefront replace HTTP.REQ.URL "\"/Citrix/StoreWeb\""
add rewrite policy rw_pol_storefront "HTTP.REQ.URL.EQ(\"/\")" rw_action_storefront


Add a comment
  • Category: Storefront

Speed up Storefront with ASPNET.config change script

I got sick of having to manually edit Aspnet.config files to disable signature checking so Storefront would load faster.  I created a script that once run from a single storefront server will pull the list of servers in the Storefront cluster and quickly look for Aspnet.config files remotely.  If the file is found not to have the tweak it will back the file up, add the "generatePublisherEvidence" line and restart IIS.

  • Uses new Powershell modules
  • Disables .NET signature checking
  • Enables pool sockets
  • Disables netbios via WMI


Download from Github



Add a comment
  • Category: Storefront

Storefront HTTP redirect and rewrite for PNAGENT

From time to time I run into clients that have very old thin clients but want to make the jump to Storefront.  While Storefront does offer "Legacy PNAGENT" it only can be utilized using the base URL, which if you are using Netscaler Gateway it must be HTTPS.  This can be a problem with old thin clients since they probably won't understand the newer SSL certs that are out there since they lack the ability to update root CAs.  The only way for these devices to function is to utilize HTTP instead of HTTPS. 

Add a comment

Read more: Storefront HTTP redirect and rewrite for PNAGENT