Is Isolating the PVS Streaming Traffic Really a Best Practice?

Nicholas Rintalan has written a blog post on the Citrix blogs about the need of seperating the PVS stream to a separate LAN segment.

Here’s a grab of his post:

Similar to what I did in my last article where I discussed fixed versus dynamic vDisks for PVS, let’s first examine what our public documentation says about this so-called best practice.  Our oldest technote on this matter was written in 2008 and it pretty much states that it’s a best practice for “several reasons” including “performance, growth and troubleshooting”.  Fair enough…let’s come back to that in a minute and dissect each of those reasons one by one.  Another article authored in 2011 details how to set up a multi-homed VM to separate ICA traffic from PVS and other traffic.  But it never goes into WHY one might want to do so or if it’s a best practice.  Maybe our latest and greatest XA+XD best practices whitepaper will provide us with all the answers (and this whitepaper is quite excellent by the way…if you haven’t read it already, you better get on it!).  At the bottom of page 50 we state: “Separate the PVS streaming traffic onto a dedicated network for large deployments or in situations where the network is saturated”. OK, that makes a little more sense.  But I still don’t understand why everyone seems to think they fall into this category or that this should always be done.  In fact, I contend that isolating or segmenting the PVS streaming traffic onto it’s own network is more trouble than it’s worth and should only be done in special situations. There I said it – it’s not a best practice in my opinion and the rule should be to consolidate and keep it simple…the exception should be to isolate the streaming traffic! Why?

You can read the complete post here.

Installing patch for PVS vulnerability–Step-by-step guide

As you could read in this post Citrix has released a patch/update for all of its Provisioning Services versions.

This post is written with PVS 6.1 in mind and is only the PVS server side. The target device update will be posted on a different post.


The user must have administrative rights to the server.

• The server install consists of the console and server installation programs

• You must uninstall before using any of the installations included in hotfix

• Included with the target installation programs are the binaries so that they can be used to replace the present binaries without reimaging the target device.

Continue reading “Installing patch for PVS vulnerability–Step-by-step guide”

Provisioning Services 5.6 SP3 Release Notes

Citrix has released SP3 for Provisioning Services 5.6.

You can download the service pack here.

BUG0262922: While a VHD file is being copied, its vDisk becomes “Private Mode” on the PVS console of another host.

BUG0285549 Targets HA failover or rebalancing may fail when multiple NIC’s are used for PVS on the servers.

BUG0284631: When target local cache fails over to server side, the cache mode in BNIStack and that in the database is not consistent.

BUG0284672 Streamprocess crashes when many targets login and reconnect, causing corruption on the booting target list

BUG0284389 Target randomly hangs at “No servers available for disk” message when booting many targets together and duplicate login request occurs

BUG0284386 StreamProcess randomly restarts if targets reconnect with invalid vdisk ID or as “unknown device” causing multiple “Record was not found” exceptions from DB access

BG0291849: Storage monitoring of Streamprocess should use different counters for READ/WRITE failures from pending read/write threads of a target

Active Directory Continue reading “Provisioning Services 5.6 SP3 Release Notes”

Logon Optimization Guide – XenApp/XenDesktop

Citrix has released today an optimization guide for user logon for XenApp and XenDesktop.

The logon process for users accessing virtual desktops as delivered through Citrix XenDesktop or virtual applications as delivered through Citrix XenApp involves a variety of communication checkpoints and component interaction. Depending on the user environment and access location there can be an array of Citrix, Microsoft and possibly third-party components involved in the logon process. In order to optimize user productivity and enhance the overall virtual application and desktop experience, Citrix Consulting developed this white paper specifically focused on the logon process, common cause for logon delays and optimizations for improving the amount of time required to execute the logon process.

For an administrator to assess the logon process within their respective environment, the administrator must ensure that they have a detailed understanding of the logon process. This paper outlines the logon process for XenApp and XenDesktop, with a particular focus on identifying those key areas that commonly slow down the logon process. Each step of the logon process and each piece of component communication is outline in detail. With a solid understanding of the logon process, the reader is then introduced to the common causes of logon delays. This section provides a high-level aggregate of the logon delays that Citrix Consultants have encountered on customer engagements.

You can download the complete guide here or view the original post here.

Vulnerability in Citrix Provisioning Services could result in arbitrary code execution

Severity: High

Description of Problem

A vulnerability has been identified in Citrix Provisioning Services that could result in arbitrary code execution. This vulnerability can be triggered by an attacker sending a specially crafted packet to the Provisioning Services server.

This vulnerability is present in all supported versions of Citrix Provisioning Services up to and including version 6.1.

Mitigating Factors

In a typical deployment, the vulnerable component will not be accessible from the Internet.

What Customers Should Do

This vulnerability has been addressed in a series of hotfixes for affected versions of Citrix Provisioning Services. Citrix strongly recommends that customers apply the required hotfix for their Provisioning Services deployments. These hotfixes can be found at the following locations: Continue reading “Vulnerability in Citrix Provisioning Services could result in arbitrary code execution”

Personal vDisk Technology Planning Guide

Citrix has released a planning guide for XenDesktop 5.6 personal vDisk implementation.


Personal vDisks are available in all versions of XenDesktop 5.6. Generally, the use of a Personal vDisks is evaluated when there is a strong desire for personalization of the virtual desktop. This could include a need to use a variety of departmental applications with a small, distinct user groups or general personalization that is beyond what is available in the user profile. However, there is no defined limitation of Citrix Personal vDisk technology to these specific use cases. It is entirely possible to utilize Personal vDisks in scenarios that may not maximize flexibility or virtual desktop density, yet are entirely appropriate to the enterprise environment.

The use of Personal vDisks should be part of the consideration of most virtual desktop implementations, particularly when considering Dedicated Desktops. When considering Personal vDisks, the following topics should be reviewed during a virtual desktop implementation design. Continue reading “Personal vDisk Technology Planning Guide”

Access Gateway 10.0 build 54.6 Licensing issues

Access Gateway 10.0 build 54.6 disables all AG functionality if the hostname within the license file is anything other than “ns”. Note: This issue affects all Access Gateway 8.x and 9.x instances that upgrade to version 10.0 build 54.6.


The Access Gateway license file is locked to the hostname of the device, and at start up versions of Access Gateway, check for the existence of an appropriate license. If the licenses are found and are verified, the functionality is turned on. This applies to both the ICA Proxy capability of the Access Gateway platform licenses, as well as the advanced Access Gateway features turned on by the universal licenses.

Build 54.6 of 10.x (the first build of release 10.0) was found to have an issue with how the license files were parsed, which leads to all Access Gateway functionality being disabled. This is because the software is checking for the hostname “ns” within the license files, whereas in most production deployments the hostname of the device is always something that is environment specific, and is expected to match the hostname set for the device itself.


Citrix is currently working on a new build of Access Gateway 10.0 with a fix to address this issue. Until then, do not upgrade Access Gateway 9.x instances or NetScalers to version 10.0 where the Access Gateway capability is used.

You can read the original post here.