Deploying to AWS with Citrix Smart Deploy – no NAT instance was detected


During the deployment of a blueprint via Citrix Smart Tools > Smart Deploy we came across the following error when attempting to deploy to our AWS Resource Location

The following problems were detected with your configuration
Please re-configure as no NAT instance was detected in this AWS Resource location


The blueprint / Citrix tools don’t seem to (yet) support AWS NAT Gateways. This also certainly wont work with the default VPC. To solve this we spun up a new NAT Instance in our own VPC with the servers in separate private subnets in order for the wizard to proceed / succeed. Also note If you deploy to the public subnet you need to provide an elastic IP address.

Citrix Storefront Upgrade Failure 2.x to 3.9


When trying to Upgrade our Citrix storefront servers from a 2.x version to 3.9 of storefront we encountered the following error: This meant the installation failed with the previous storefront version removed completely, and all configuration lost, and we were then unable to install any further version of Citrix Storefront.

Application Log Error, Source: Citrix Extensible Meta-Installer EVENTID: 0
Timestamp: 05/07/2017 19:04:43
Category:Error, WinError
Message:Unexpected exception. Message: Exception has been thrown by the target of an invocation.. Stack Trace =    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
  at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Citrix.Cxmi.CustomSandbox.ManagedDllLoader.CallStaticMethod(String typeName, String methodName, Dictionary`2 methodParams)
   at Citrix.Cxmi.Workflow.ExecuteTask.Execute()
   at Citrix.Cxmi.Workflow.WorkflowSequence.Execute()
   at Citrix.Cxmi.Workflow.WorkflowSequence.Execute()
   at Citrix.Cxmi.Workflow.WorkflowExtension.Run()
   at Citrix.Cxmi.Core.Engine.Run()
   at Citrix.Cxmi.Core.Program.Main(String[] args).

Things Tried:

Deletion of all local temp files – Failed

Complete uninstall and reinstall of Storefront versions – Failed

Reinstall of old version 2.x – Failed

Install of new 3.x  version as different user – failed

We had no choice but to revert the VM snapshot to recover the production Web server.


Upgrade to Storefront 3.0 First, then attempt to upgrade to a higher version.

Azure Active Directory synchronisation attempts failing

Unhealth identity synchronization notification.

Azure Active Directory did not register a synchronization attempt from the identity synchronization tool in the last 24 hours for <Company>


There are a large number of reasons why this might be affecting you, however in this specific instance we needed to ensure the Microsoft Azure Active Directory Connect was not stuck at ‘required to upgrade’ screen.

Connect to the AD where you have installed the Sync tool and confirm.

Perform the upgrade as necessary

I then had to spend nearly as hour trying to discover what username / password was configured on this damned account as it was not working with my Azure portal login (

As this was a partner subscription from the Microsoft Action pack the original configuration was setup under, also as password synchronisation was setup as part of the AD sync, the previously updated on prem passwords had not synced with Office – so no one could log in with their new passwords.


  1. I ran password recovery for the account
  2. Accessed the and confirmed all else was ok with the subscription

  3. Setup On Prem AD Sync again with the recently reset user and password.

  4. Finally we can complete the upgrade.
  5. Upgrade completed


Azure Source Anchor Upgrade from objectGUID

Post setup (or reconfiguration) of Azure AD Synchronization there is a prompt

Azure Active Directory is configured to use AD attribute objectGUID as the source anchor attribute. Its strongly recommended that you let Azure manage the source anchor for you. Please run the wizard again and select Configure Source Anchor.

Why should we do this?

Upgrading this from objectGUID to ms-DS-ConsistencyGUID is best practise and allows for easy recover of accidentally deleted on-premise user accounts.

Walk Through Steps

  1. Run the Azure AD Connector Wizard and select the Source Anchor option
  2. Select Configure Source Anchor

  3. Click ‘Configure’ to commit the settings appropriately

  4. Success


Microsoft Azure Virtual Network Gateway Deletion Failing

You may be frustrated at Microsoft Azure’s lack of ability to power off the Network gateways especially when they are chewing up resources and $. Unfortunately Azure provides no current way to power the gateways down so the only current solution is to delete them, however you need to delete them in the right order to remove the service pre-requisites.


Failed to delete virtual Network Gateway

Failed to delete virtual network gateway 'UKSouthGateway'.
Error: Gateway /subscriptions/xxxxx-xxxx-xxx-xxxx-xxxxxxx/resourceGroups/


The gateway devices must be deleted in a specific order

  1. Connections (both sides)
  2. Local Network Gateway (both sides)
  3. Virtual Network Gateways (both sides)
  4. IP Ranges (only if necessary)

Citrix Cloud Connector Installation Unsuccessful on Windows Server 2016


After multiple attempts to install the Citrix Cloud Connector software we continued to receive even after mutiple reboots.

Installation was unsuccessful. See below for details. 
A system restart is pending. The system must be restarted before any products can be installed.


Simple delete / clear the windows registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations


Citrix Cloud – Secure Browser Service


Citrix Have a cloud based secure browser service unsurprisingly called ‘Secure Browser Service‘. Here is a quick summary of the features / notes taken during a PoC for a customer.


Basically this is an Azure hosted cloud delivery of URLS you specify to publish to users (either anonymously or via your own authentication methods) combined with a browser that is ‘locked down’. You can have Firefox, Chrome, IE11 or IE11 (64bit). Even for a quick test. It’s awesome. Quick, Simple and reliable.

Flash and Video support (youtube) are native, albeit it noticeably slow (but still worked even for a UK based user while the resources were Azure West US region!) Signing up for trial was simple and very quick via my account (5 minutes after requesting the, trial was ready to go)

From a customisation perspective there is little that is changeable – and possibly will stay this way to keep the service offering simple – you can always deploy your own secure browser service via XA/XD for further customisations. Well done Citrix.


Initial Overview Page

Clicking Get started

Enter a Name, URL and select the browser and region

Browser and Region Options


I selected IE11 and West US as the region

Clicking Launch Application launched very quickly, but because its published initially in Kiosk mode my native response was to click ‘refresh’ which reloaded the entire published app – not the webpage (including back buttons etc)

Secure Browser service supports on prem apps / backends
Change Settings

Manage >

Enable non-kiosk mode

Launching with non-kiosk

Other sites were accessible

(But I didn’t push my luck) was noticeably slow but still worked, sound and all! Pretty good by default.
Where is it hosted and did it match the region published in – YES


Flash is available and the Internet speed was very fast

Flash quality was low and jittery – but was absolutely usable even with approx 150ms from my device to West US Azure

Statistics on usage
Summary Even for a PoC / Demo this is fantastic. Quick and simple and no obvious major issues. Well Done Citrix!







First Look – AWS AppStream 2.0

So what is Amazon AppStream 2.0? Here is the extract from the AWS Website: Amazon AppStream 2.0 is a fully managed, secure, application streaming service that allows you to stream desktop applications from AWS to any device running a web browser, without rewriting them. AppStream 2.0 provides users instant-on access to the applications they need, and a responsive, fluid user experience on the device of their choice. With AppStream 2.0, you can easily import your existing desktop applications to AWS and instantly start streaming them to an HTML5 compatible browser. You can maintain a single version of each of your apps, which makes application management easier. Your users always access the latest versions of their applications. Your applications run on AWS compute resources, and data is never stored on users’ devices, which means they always get a high performance, secure experience. Unlike traditional on-premises solutions for desktop application streaming, AppStream 2.0 offers pay-as-you-go pricing, with no upfront investment and no infrastructure to maintain. You can scale instantly and globally, ensuring that your users always have the best possible experience.


We like the simplicity of this product, and we hope it stays this way. The solution removes the complications of profile management, user settings and negates the need for other expensive delivery / middleware products solutions like Citrix – and just focuses on delivering the applications to the users. We believe you just need to couple this solution with the following additional components to be a viable replacement to some of your business applications:

  1. The image builder, to start hosting & testing your own applications (Update: Image Builder now available since end of Jan 2017 stay tuned for an update)
  2. A low latency link to the AWS Availability zone.
  3. A storage product like google drive, box, dropbox, or webdrive so you can be sure your clients/customers data is protected and automatically in the cloud and not in the local instance (and a policy that enforces this)

Useful Notes during the Test

  • Fleet build takes approximately 30-35+ minutes at creation
  • If you stop the fleet and start it again, the startup time is just as long as the initial creation.
  • You need an individual instance for every user so 5 servers in a fleet = 5 concurrent users.
  • Instances of Appstream do not appear under EC2
  • Opening and displaying the demo applications is lightening quick
  • Connecting from London to Ireland Appstream instance was laggy (keyboard and mouse) in fact at time it was worse than normal RDP, with a latency ave of 371ms
  • Connecting from a site with a Direct Connection to AWS and a latency of 30ms the experience was much improved
  • The entire session ran in a browser windows over HTML5 and full screen mode looked great.
  • Youtube in firefox actually would run and display videos – but in no use-able fashion, even browsing the youtube page with all the video thumbnails was borderline unusable, the session was laggy, and unresponsive, in comparison RDP actually performs better with the same youtube page, resolution and site (not that this would be the main purpose for the platform anyway, just interesting for a comparison)
  • Keys would sometimes get ‘stuck’ so instead of typing you could end up closing windows instead (but bashing the Windows, CTRL and Alt keys quickly fixed this.
  • As Appstream is only currently available in US East – N Virginia, US West-Oregon, EU – Ireland, AsiaPacific – Tokyo – I couldn’t test the new London Zone.
  • Creation of the streaming URL (username to access the instance) failed if I change the logonID to the same ‘instance’ within the same fleet (I only had one instance), after that user had logged in (im guessing this is because the session was still active / running for the previous user as there was no log off button, only a disconnect.
  • Currently image availability is only limited to Windows 2012 with the AWS demo applications (Firefox OpenOffice, Notepad++)
  • A image builder component is planned which is exciting to see what options it will have. <Stay tuned for an update review>
  • We modified settings and saved files to desktop, documents and the X:\ session share all which remained available so long as we used the same connection string (or recreated one with the same ‘loginID’ aka Windows username)
  • You can choose the VPC Appstream runs on so you should be able to run it on your internal VPC (note: we didn’t test or try this)
  • For 3 users and 6 hours of running we were billed $13.23 USD which included:
    • $4.19 per user per month RDS Cal
    • $0.11 per hour the instance was running (whether the users were connected or not)

Note: you will need an instance per concurrent user so hourly usage = $0.11 * number of concurrent users

1 user, 8 hours a day – 160 hours a month = $21.79 (Annualised $261.48)

1 user, 24 Hours a day – 480 hours a month = $56.99 (Annualised $683.88)

We are excited to see where Amazon will take this new service and how we can leverage this for our customers and as a business tool especially if it means removing the complicated middle layers of delivery software.

Walk Through

Description Screenshot
Opening the AWS Console and selecting Appsteam 2.0

Create a ‘stack’

Get the naming right

Cant choose any other image at this point

Spin up the template ‘instance’ and select the resources

Choosing the details network Subnet in our default VPC

Choose your ‘fleet’ size (1 streaming instance = 1 concurrent user)

You still pay for the resources whether users are logged in or not as the instance will remain on unless you instruct AppStream to stop it.

Review the rest of the deployment details then click ‘create’

Wait for the creation of the fleet instance There is little feedback at this point and the whole process took over 35 minutes

After waiting for a while and when the console said it was active I tried creating a streaming URL

This failed, as the instance was still not ready

Turns out you need to be using the Fleet details tab for the progress of the instance (status)

Note: seems they are bringing an image builder option so you can deploy your own images (assuming where you can install your own applications)

Update: This has been released as of End of Jan 2017! Review coming soon!

Running instances are NOT created in EC2  
Finally the fleet was running

Create the streaming URL – which you can set to expire

Once that had been created however I was unable to reauthenticate a second time i the user name was NOT the same as the original streaming URL ‘userid’

But based on that all my settings and saved files ‘still existed.


Open the URL


Launch your apps

The Appstream ’task bar’ gives you the following options


All Windows

Upload and Download files

Copy and Paste

Settings (display resolution and info re session details)

And a full screen option or numerous other options

The Appstreamed application opens ‘seamlessly’ (to use a Citrix term)

Closing the app, ‘ close the window

More apps could be launched from the ‘appstream’ start button

Multiple apps running

Currently there seems to be restricted access to the local disks / shared (when test saving a notepad++ document)


I tested a save to Session Folder, Desktop and Documents directory – and I am assuming these settings & documents ‘stick’ as I only have the one machine, not multiple instances in the ‘fleet’ and also one device to one user ‘requirement.


This makes sense to keep the solution simple and not have to over complicate it with user profiles and the like.

At the time of writing this the only option was to disconnect the session, there is no option to reboot from the session, or log off?

You can do this from the fleet details ‘management page’.

Stopping the instance took sub 10 seconds to stop.

However starting it again (which I now deeply regret) took another 35+ minutes)

Server was back online But all settings, documents created were gone (as expected for a demo really)

How to stop WhatsApp sharing your details with Facebook

If, like me, you have recently wondered how to stop WhatsApp sharing your details with Facebook well the team at WhatsApp seem to have already provided this (we hope). So lets us put aside our thoughts of deleting whatsapp entirely, for now, and whilst some of us have paid for a lifetime of “private, no-ads” service, it is still early days yet and this option maybe enough to give us some level of comfort..? Maybe??

Process to stop the data sharing

  1. Dont immediately agree to the ‘policy change’ when you see it in whatsapp
  2. Click the  “read more about the key updates to our Terms and Privacy Policy”
Whatsapp Agreement screen 1 select 'read more' to unshare data with facebook
Whatsapp Agreement Change Aug 2016 – Screen 1

3) Untick the “share my whatsapp account information with Facebook to improve my Facebook ads and product experiences.” (because, you know, our facebook experiences are already so awesome that we would willingly sign up for more targeted advertisements etc)

Whatsapp Agreement screen 2 to unselect the sharing of data to facebook
Whatsapp Agreement Change Aug 2016 – Screen 2


I just received the above messages today on my android phone EE network in the UK (26/08) however it only prompted me after a phone restart.