Posted on

Check for Spectre and Meltdown CPU flaws using Windows Powershell

Microsoft have provided a Powershell tool for checking and reporting on an individual Windows computer.

Press the Windows key on your keyboard and type PowerShell – when you see the shortcut appear in the search results, right click on it and choose Run as Administrator.

Quick Instructions

To install the module type

Install-Module SpeculationControl

You might get prompted to install the NuGet provider. Type Y and press enter. If you’re asked about installing from an untrusted repository do the same thing again.

Once the module installs type


If you see messages about execution error you can type

Set-ExecutionPolicy Bypass


Microsoft have released an article explaining the output of the tool.

Posted on

Exporting Microsoft Exchange Mailboxes

Often, you’ll want to export a user mailbox from Exchange and store it as a .PST file. In my organisation I do that when people leave the company. We don’t want to keep the mailbox active but it’s handy to have the old mailbox in case we ever need to go dumpster diving to find something from the past.

The easiest way it to use PowerShell to export the mailbox to a UNC file share (local drives don’t seem to be supported).

Click your Start button and type Exchange – select and run the Exchange Management Shell.

When the shell finally loads enter a command similar to this, substituting your own mailbox name and export path and filename.

New-MailboxExportRequest -Mailbox Paul -FilePath \\myserver\export\paul.pst

Some output will show that the requests is queued. It might take a few minutes to start. You can also make multiple requests and Exchange will export them whenever it feels like it.

You can check the status of the export(s) like this:


A table will be displayed along with the current Status. Once the export shows as complete it’s probably okay to delete the mailbox from Exchange – but that decision is yours to make 🙂



Posted on

Windows 10 Creators Update and Controlling Delivery Optimization (or how to turn off the Peer-to-Peer Updating)

The first versions of Windows 10 introduced the ability to share and download updates from other computers on your network, or computers from the Internet. Importantly, it will probably also use your computer to upload those same updated to computers elsewhere in the world.

Sharing is great. I taught my kids to share with their friends and family. But I draw the line at sharing my previous (limited) upload bandwidth with random people on the Internet when Microsoft should be more than capable of providing the services for this themselves.

During installs of Windows 10 up until the Anniversary Update I noticed that this option could be disabled during installation. So they give you an up front way to opt out, albeit it’s still a bit cheeky considering many people won’t understand the setting and will leave it on anyway – no doubt something Microsoft are well aware of.

When recently updating a machine to Creators Update I noticed that this option (along with many others) are absent when the machine starts up. I do need to investigate further to see if the setting is changed or inherited from the previous version.

Nonetheless, if you have a Windows 10 machine there’s a reasonable chance that you’re sharing your upload bandwidth with the Internet.

To check your settings and possible change the settings, click the Windows icon in the bottom left, type Windows Update and run the applet. Once it’s open click on Advanced options.

On the Advanced options screen click on Choose how updates are delivered.

On the Choose how updates are delivered screen you can change the behavior of Windows 10. If you only have one computer or only want updates to come direct from Microsoft you can turn the feature off. If you have more than one computer on your local network I believe it’s reasonably safe and appropriate to change your settings as per below, and choose PCs on my local network.

If you have a business network with a Windows server then your IT guys should have configured a local update server which will take priority anyway. The IT team can also configure these options via Group Policy – but again, use WSUS if you can.

Advanced users can also make the change directly into the registry thus:


Windows Registry Editor Version 5.00


Major possible values for DODownloadMode are:

0 = Off
1 = On, PCs on my local network
3 = On, PCs on my local network, and PCs on the Internet


Posted on

Retro Commodore 64 Style Command Prompt on Windows

I was using my command prompt today and noticed that my default font had somehow been changed and seemed a bit squished. I made the joke that it looked a bit like the Commodore 64 font.

And then… BAM… inspiration struck and I decided that I actually wanted a retro Commodore 64 style command prompt 🙂

This would involve altering the default font used, the colour scheme, and showing some text at the top to look like the Commodore system info.

Here’s how to do it!

First, create a shortcut on your desktop and point it to cmd.exe – which is of course the standard Command Prompt executable. Edit the properties f the shortcut and change the target to the following:

C:\Windows\System32\cmd.exe /t:98 /k cls & echo. & echo     *** COMMODORE 64 BASIC V2 **** & echo. & echo  64K RAM SYSTEM  38911 BASIC BYTES FREE & echo. & echo READY.

We’re almost there already! If you run the shortcut you can see that the default text is shown and that the colours have changed.

With the command prompt open, right click the title bar on the top of the window and choose Properties. On the Layout tab change the Window Size Width to 40, 60 or 80. 40 is more authentic, but 60 and 80 are more practical to actually use!

But wait… if you go and download the c64 TrueType font from and install the mono spaced font called C64_Pro_Mono-STYLE.ttf you’ll be able to choose this as the font on the Font tab. I would recommend setting the Size to about 12.


That’s it!

Posted on

Annoying Command Prompt Window Appearing Every Hour

I noticed recently that every hour my Windows 10 PC was popping up a command prompt window and closing it very quickly. At first I thought I had some kind of malware installed but all the scans I ran said that I was seemingly okay. I then thought Windows Update might be the culprit but it too, seemed to be innocent.

I then went hunting in the Scheduled Tasks and lo and behold I found the bugger. Armed with this knowledge I took to Google to discover that this is apparently a common thing that is annoying a lot more people than me – especially if you run stuff in full screen mode like games or media players because the process seems to minimise those things when the task runs every hour.

Anyway, to get rid of it you can do so manually by clicking your Start button and typing Task Manager and running it.

Expend Task Scheduler Library, the expand Microsoft, then expand Office. Right click on OfficeBackgroundTaskHandlerRegistration and Disable it.


If you’re familiar with the command prompt, run it as an administrator and enter the following command:

schtasks /change /tn Microsoft\Office\OfficeBackgroundTaskHandlerRegistration /disable



Posted on

iPhone, iPad or iPod Deleting Apps to Free Up Space

If you’re like me, you like to keep as many of your photos and videos on your devices as possible. Eventually though, you’re going to start running low on space.

iPhones, iPads and iPod Touches cannot have their storage upgraded, and they do not directly support adding flash storage of any kind. Fortunately though, there are a number of things that you can easily do to free up some space.

First of all though, let’s arm ourselves with some knowledge and check out how much storage you have, and how much you’re using.

On your device open the Settings app, select General and choose Storage & iCloud Usage from the list. Now choose Manage Storage.

At the top you’ll see your Used storage and Available storage.

Underneath you’ll see all of your installed apps and the amount of space they’re taking up. Some apps store data after you’ve installed them and could be quite large. Tap on any unused apps to delete them.


Note that if you have purchased apps and choose to delete them, you can download them again later for the app store and will not need to purchase them again.

After you’ve deleted apps check out the available storage space. If the available storage is still too low then I have another article that explains how to move photos and videos into iCloud.

Posted on

iPhone, iPad or iPod Running out of Storage Space and How to Fix It

If you’re like me, you like to keep as many of your photos and videos on your devices as possible. Eventually though, you’re going to start running low on space.

iPhones, iPads and iPod Touches cannot have their storage upgraded, and they do not directly support adding flash storage of any kind. Fortunately though, there are a number of things that you can easily do to free up some space.

First of all though, let’s arm ourselves with some knowledge and check out how much storage you have, and how much you’re using.

On your device open the Settings app, select General and choose Storage & iCloud Usage from the list.


You can see here how much storage has been Used and how much is still Available. If the available storage is low then the rest of this article will help you deal with that. Even if you have a lot of storage remaining you may wish to follow along anyway.

While on this screen take note of your current iCloud Total Storage and also the remaining Available iCloud storage.

When you first time up for an Apple ID you’re given 5GB of storage so you should have at least that amount. I would highly recommend upgrading to at least 50GB as the cost is very minimal (less than US$1 per month) and certainly provides many benefits.

First Step – Remove any Unwanted Apps

You might have apps that are consuming a lot of space. If you no longer use or need any of these apps this is probably the simplest thing that you can do to free up some space.

I have an article iPhone, iPad or iPod Deleting Apps to Free Up Space on how to do this. If you don’t have any apps to remove, or it doesn’t free up enough space, then come back here and continue.

Our Strategy – Storing photos and videos in iCloud

iCloud is Apple’s online “cloud” platform that provides many services that we won’t go into here. For our purposes though, your iCloud storage space can be used to store data from your device.

This is a very straightforward and automatic process if you let your device handle it automatically.

When you take photos and record videos these are generally in a very high quality resolution that takes up a lot of space. If you’re looking at these photos or videos on your iPhone, iPad or iPod touch then the size of the files is really unnecessarily large. I would never suggest for a moment that you should permanently reduce the size of the files because it’s very possible that later on you’ll want them in their full high quality. Instead, your device can be set up to keep the full high quality copy in iCloud, with a much smaller version on your device. This is all looked after for you automatically.

To turn on the option follow these steps:

On the device open up Settings, tap on your name at the top of the screen, choose iCloud and then Photos.

Turn on iCloud Photo Library, and select Optimize iPhone Storage.

Over time, your device will now move full quality photos and video into iCloud, and will keep smaller versions in your device storage for as long as you have enough storage space in iCloud to accommodate them.

Tip: if your other Apple devices also have iCloud Photo Library enabled, then your devices will share photos and videos which is very cool, and probably something you want to do. if you have other family members sharing the same Apple ID (which you really should not do) you might want to re-consider this decision though 🙂


Posted on

Cisco Troubleshooting ADSL/DSL/VDSL issues

There’s a few basic troubleshooting steps that should be followed if there’s an issue with a DSL connection. Broadly speaking, there’s three networking layer levels that may require troubleshooting. Depending on the type of issue, troubleshooting might begin at a layer 1, or at layer 2.

Layer 1 – at the lowest level troubleshooting involves  checking the physical connectivity to the Digital Subscriber Line Access Multiplexer (DSLAM) at the ISP.

Layer 2 – troubleshooting involves looking at ATM connectivity and the PPPoA or PPPoE protocol

Layer 3 – troubleshooting IP connectivity

Where to Begin Troubleshooting?

I would recommend starting with the simple show ip interface brief command – the output of which might look a bit different depending on your device and configuration.

In my case here the ADSL connection happens to be configured on Dialer0 and the status and Protocol are up/up so it would make sense to assume Layer 1 is okay and that troubleshooting can start at layer 2.

If you have a different configuration you could be looking for interfaces ATM0 and ATM0.1 for example.

router#sh ip interface brief
Interface         IP-Address  OK?  Method  Status  Protocol
Ethernet0    YES  NVRAM   up      up
Dialer0    YES  IPCP    up      up

If your DSL interface is not up/up or if they seem to be alternating between up and down then begin troubleshooting at layer 1.

Layer 1 Testing

Some things to try…

  • Is the carrier detect (CD) light on the front panel of the router on or off? If it is on then this indicates layer 1 is okay and you can probably start troubleshooting at layer 2
  • If the CD light is off, check out the physical cabling to ensure that the DSL interface is connected.
  • If the CD light is off and the cabling seems correct try checking to see if the interface is administratively down by issuing a no shutdown command in the DSL interface configuration.
  • Starting to get more desperate? On the DSL interface try dsl operating-mode auto
  • At this stage there is probably some physical issue with cabling, the provisioning of the DSL service, or the hardware – and troubleshooting this might be up to a cabling expert or the ISP.

Layer 2 Testing

One thing to check is that you have the correct PVC values for VPI and VCI for your ISP. This is rarely a problem these days but is here for completeness.

First, let’s check to see if PPP is trying to negotiate with your ISP. We’ll check the input and output packets to see if the values are changing. In the sample command below I’m filtering the output (which is a page or more long) to just show lines that contain the string “packets”.

Wait a few moments and run the command again and see if the input and output packets change.

router#sh int dialer0 | i packets
  5 minute input rate 8959000 bits/sec, 924 packets/sec
  5 minute output rate 568000 bits/sec, 640 packets/sec
    711015331 packets input, 2847957132 bytes
    459512972 packets output, 2531036441 bytes
  • If input packets are NOT incrementing then you are not receiving PPPoE negotiation packets from your ISP, so probably give them a call before continuing with any further steps.
  • If output packets are not incrementing then check your PPP configuration. Even if your ISP is broken you should ordinarily still be sending outbound packets trying to negotiate.

Is the PPPoE session up?

PPPoE is a two-phase process – PPPoE established first, and then PPP second.

Some useful commands to debug PPPoE

  • show vpdn
  • debug vpdn pppoe-events

Some useful commands to debug PPP

  • show ppp all
  • debug ppp negotiation

Layer 3 Testing

You might actually have layer 3 connectivity, but some ping packets are lost. To check the speed in kbps that your are syncing with the DSLAM at try the following command – the output is snipped to show the relevant part.

Depending on your router, or type of HWIC/EHWIC installed you might need to enter show controllers vdsl 0 command. In my example below I’m synced at 21406 kilobit/s down and 1074 kilobit/s up.

router#show dsl int atm0/0/0
              DS Channel1   DS Channel0   US Channel1   US Channel0
Speed (kbps):          0         21406             0          1074

If some sites (particularly web sites) work well and others do not, the MTU size or MSS-Adjust might need changing. Generally MTU of 1492 or MSS adjustment of 1360 would be fine.


Posted on

Citrix Technologies in the Enterprise

Some history of Citrix

[This is the accompanying tutorial document from a session I ran at the SAGE-AU conference in Hobart, Tasmania on August 5, 2003]

Citrix Systems was founded by Edward Lacobucci in 1989. With US$3M in capital, only 18 employees and a license to modify the OS/2 source from Microsoft, Citrix produced a multi-user version of OS/2 called Winview which shipped 2 years later.

By 1995 Citrix had also licensed the NT 3.51 source from Microsoft and produced WinFrame. The key developments that secured Citrix’s future were “MultiWin”, the core enabling sharing of system resources to multiple Operating System sessions, and the Citrix ICA protocol which encapsulated the session data (screen updates, mouse clicks etc).

Within a few years Microsoft licensed MultiWin from Citrix and produced Windows NT: Terminal Server Edition (actually, they called it a joint marketing/developing agreement and have since renewed the agreement). The agreement effectively gave Microsoft the ability to include MultiWin as part of the Windows operating system in the form of Windows Terminal Services. Advanced functionality (and the ICA protocol) was retained by Citrix and is currently sold as an “add on” to Windows server OS’s called Metaframe.

In recent years Citrix has value-added its product line by bundling in various other applications and services such as the Citrix Secure Gateway and NFuse, securing its position as leader in application delivery to potentially any client device, over any network.

An introduction to thin client technologies (why bother? What are the benefits over the traditional desktop scenario?)

Application deployment

  • Centralize application infrastructure. Improve manageability. Pool resources.
  • Simplify code/version control and upgrades. Maintain multiple versions. Licensing conformance (metering).
  • Leverage and extend existing applications and infrastructure. Instantly web-enable legacy applications. Current web front-ends are often not full-featured.
  • Enhance application performance and reliability – consistent application behavior regardless of location and client device. Allows a varied client base to access a familiar desktop environment. Reduce bandwidth costs.
  • Lower operating costs. Eliminates the need for frequent client desktop upgrades.
  • Enhance service levels. Consistent performance for web applications. Load balancing.
  • Increase productivity. Increases the reach of organizational information via multiple mediums.
  • Enhance security. Provides a secure environment for delivery of applications via the Web. VPN-like capabilities allow zero-footprint client access to applications from anywhere.

Business Continuity

  • The Citrix Solution for Business Continuity delivers applications and information via the Internet to users regardless of location, device or connection in the event of a planned or unplanned business interruption.
  • A high availability infrastructure
  • Customers, partners and employees quickly return to productivity
  • Rapid and secure access to applications and information over the Web
  • Organization’s business continuity objectives are met and business runs unabated
  • Preservation of employees’ sense of corporate community
  • Organizations have traditionally not had a timely and efficient means of providing application access as part of their business continuity solution. Citrix products can be a vital piece of an organization’s business continuity solution – providing uninterrupted, virtual access to all critical applications and information – during both periods of planned or unplanned systems downtime.

Remote Office Connectivity & Workforce Mobility

  • Quicker Office Integration
  • Faster Services Rollout
  • Improved Security of Corporate Information
  • Efficient Bandwidth Usage
  • Improved Application Performance
  • Improved Productivity
  • Real-Time Data Access

Architecture of the Citrix solution and why Terminal Services can’t scale

Standalone Server

Servers can be configured standalone for small environments or pilot implementations. If Metaframe is used on a single server install, it is usually because ICA is required.

Server Farm

Multiple servers can be grouped into geographically local or distributed Metaframe server “farms”. Farms allow for load balancing and redundancy of ICA connections. Terminal Services can’t load balance intelligently, and would require layer4 intervention or primitive round robin tricks to do this.

Published Content

Resources are usually accessed through the “publishing” process. Full desktops can be published or just specific applications. When a user accesses an application (as opposed to a full desktop) it appears to run as a local Windows application with (potentially) access to most desktop resources such as printers, server shares, modems etc. The subset of all the applications that a user can access in a server farm is called an “application set”. Terminal Services allows access to full desktops only, and allows only the most basic of access to workstation resources depending on the version.

Application Sets

Application sets can be viewed from Windows using the “Citrix Program Neighborhood” client. Published applications that can be accessed by that user are displayed and can be launched. Other platforms so not have this capability natively, and users or administrators must manually add application entries to the Citrix client software. However, the Citrix Program Neighborhood can itself be published to allow a similar experience on UNIX and Macintosh platforms. Alternatively, the Citrix Web Interface (called Citrix NFuse until recently) can be accessed from most browsers to view a specific application set. Terminal Services has no equivalent of an application set.

ICA Protocol

The transport protocol that communicates and controls data between the client and server farm. The ICA protocol itself encapsulates keystrokes, screen updates, audio, encryption, port redirection etc. RDP is the Terminal Services equivalent.

Installation Management

Metaframe includes Installation Management, which is a method of packaging up applications and deploying to multiple servers. Terminal Services does not provide this capability natively.

Resource Management

An integrated management subsystem that allows real-time reporting of utilisation and other metrics. Also supports NMS/MOM extensions, and event notification

Central Configuration

Metaframe XP stores farm configuration in a database. This can be a locally stored MS Access database on the first server in the farm, or it can be an existing MS SQL or Oracle database. This in itself introduces an additional administrative concern (backup the data store), but the advantages outweigh the drawbacks. Terminal Services does not require a data store because it does not have a centralised data repository (although Terminal Services does have a licensing service that operates centrally).


Session shadowing is an important support function from a client services support point of view. Depending on specific configuration, a user’s Desktop session can be “shadowed” by support personnel and any problems resolved interactively. This is effectively the equivalent of the old desktop remote control model (e.g. PC-Anywhere). RDP can now shadow.

  • Metaframe now supports extremely high resolutions and true colour, as well as serial/parallel/clipboard/drive/audio remapping. USB printers and disks can be redirected also. The time zone in the session represents local time on the client. RDP 5.2 found in Windows 2003 also supports these features.
  • According to Microsoft’s long-term strategy, Terminal Services is not a key application delivery mechanism.

The major Citrix technologies (Metaframe, NFuse, Citrix Secure Gateway etc) and the how/when/where/why?

Metaframe XP Presentation Server

The Metaframe XP Presentation Server is Citrix’s flagship product. Often referred to as simply “Metaframe XP” it provides network and Internet users with access to applications and information using a Citrix ICA client.

Metaframe XP is currently at Feature Release 3. FR’s are released periodically to customers on a maintenance agreement (1 year maintenance included with the initial purchase). FR’s contain new features to current tools and often includes completely new functionality and add-ons.

Metaframe XP is sold in 3 flavours.

Metaframe XPs (XP standard) – The basic, minimal environment. Includes NFuse.

Metaframe XPa (XP advanced) – Essentially the same as XPs but includes Load Balancing capabilities.

Metaframe XPe (XP enterprise) – The same features as XPa but includes Installation Management, Resource Management and some other enterprise management features.

Metaframe Presentation Server for UNIX

Allows remote access to Solaris, HP-UX and AIX systems. Often used in very low bandwidth environments where X11 has previously proven to be unacceptable.

Citrix Web Interface (was called NFuse and then NFuse Classic)

NFuse is effectively a web-based equivalent of the Windows “Program Neighborhood” ICA client. It prompts the user for logon credentials then displays an application set (list of applications they can launch) from a particular Metaframe farm. NFuse can be viewed from any modern web browser and runs under a number of web servers on Windows and various UNIX platforms.

NFuse can be configured to launch applications using the local ICA client, or it can embed the application in the browser window using An Internet Explorer control or Netscape plug-in. Alternatively, the zero-footprint java client can be used instead or as a backup to the other methods.

NFuse supports SSL encryption on the client end via the web server, and the server end via SSL relay. Like most Citrix products, smart card authentication and ticketing is supported.

NFuse can also be installed with Enterprise functionality to allow access to multiple server farms. The NFuse core is composed of java servlets, but nearly all functionality can be modified by editing the front-end web pages, composed of CGI and ASP pages depending on the platform.

Citrix Secure Gateway

The Secure Gateway is a solution that leverages NFuse for secure application delivery to untrusted networks. The Secure Ticket Authority and Secure Gateway Service provide a ticketing mechanism to authenticate users, and then relay SSL encrypted data from the DMZ to/from the Metaframe farm and the client without ever revealing the addresses of the internal Metaframe servers.

Secure Gateway is particularly useful when you consider that there are no additional licensing fees on top of the Metaframe investment, and that for many organisations it removes the need for a separate VPN product. The java client can be utilised to provide zero-footprint access to Metaframe applications and data over the Internet.

The Secure Gateway can run on Windows or Solaris.

Secure Access Manager (was called NFuse Elite)

NFuse Elite was originally positioned as a stand-alone web portal for enterprise customers. It did not require Metaframe to run.

The Secure Access Manager is built on top of the original NFuse Elite product, but is now positioned as a combination of web portal and application access point.

Password Manager

Password Manager is a new application that allows single sign-on to password-protected applications delivered via Metaframe and the Secure Access Manager.

Metaframe Conferencing Manager

New product. Allows users to conference ICA sessions. Share existing applications real-time. Conference features such as white boarding, private messaging. Granular conference control (who can do what). Exchange & Outlook integration. A published management app controls sessions.

How to manage the solution

Configuring the environment

Most Citrix products ship with individual management tools. In the case of Metaframe XP, all of the common management tools have been integrated into the Citrix Management Console which is a java application and can be run locally on the server or installed or published for remote use. Once the console is started you are prompted to authenticate into a particular server farm, at which point the entire farm (or individual servers) can be managed according to the administrator’s permissions.

Monitoring and performance management

Metaframe XPe includes Resource Management features that make it easy to monitor server performance and perform alerting functions. E.g. Send an e-mail to a number of administrators when CPU utilisation exceeds 90% for more than 15 minutes. Statistical information on configured metrics is also retained for long-term management.

XPe also includes Network Manager, allowing SNMP management from popular NMS’s.

All versions of Metaframe XP also add performance management counters to the Operating System, meaning that the standard windows perfmon or external SNMP-capable management utilities can be used to monitor various system counters.

Business continuity

Generally, Metaframe can be backed up just like a regular Windows or UNIX system. Because these environments tend to not have user data installed on them, many implementations require only periodic snapshots to capture configuration changes. Many implementations do not require backups at all, which is explained in a case study later.


As mentioned previously Terminal Services does not scale out well. Similar limitations apply to Metaframe XPs due to its lack of load balancing.

Metaframe XPa and XPe both contain load balancing. Scaling the solution up can be as simple as adding another server to the farm and allowing Installation Management to copy the applications onto the system. The number of connections to each machine over time will then balance out, reducing the load on any one machine and increasing redundancy.

Integration with existing environments

Because Metaframe XP value-adds an existing Windows environment, it becomes easy to integrate solutions into an existing environment. Existing Active Directory Group Policy Objects (GPO’s) apply, but in almost all cases changes will need to be made to lock down the environment as much as possible. There are some challenges and decisions to be made regarding user profiles.

Installation Management

Installation Management is included with Metaframe XPe. It allows the packaging and distribution of applications to a number of servers without intervention. It provides for a consistent experience across servers in the farm and contributes towards an effective disaster recovery strategy. IM supports its own packaging format as well as standard MSI packages familiar to existing Windows 200x administrators.

Metaframe XP Licensing

Citrix licensing can be a complex issue, and tends to vary with different product releases. Additionally, it is necessary to consider Microsoft Terminal Server licensing and application software licensing as part of the solution.

Terminal Services Licensing

Because Metaframe is installed on top of Windows 2000 Server or Windows 2003 Server (or variants thereof) it is necessary to license:

  • The server software (e.g., Windows 2000 or Windows 2003)
  • Windows Server connection CAL’s (depending on the licensing model onsite)
  • Terminal Server CAL’s (only if the client OS is not Windows 2000 Pro or Windows XP Pro)

Citrix Licensing

Licensing Metaframe itself is now drastically simpler than it used to be. Generally, a starter pack is bought, with add-on licenses purchased to increase the connection limit. Starter pack licenses usually cost exactly the same as add-on licenses per unit. Under most licensing schemes licenses cost the same each no matter what volume is purchased (i.e. no financial penalties for buying five 10-user add-on packs over a period of time rather than a 50-user pack upfront).

Metaframe is also licensed per concurrent user to the farm. This means that if you have 20 Citrix connection licenses, you can have a maximum of 20 users connected to the farm at any one time. You can legally have the Citrix ICA Client software on as many workstations as you like. Additionally, the 20 connected users may be accessing resources from any number of servers in the farm whilst only consuming a single license.

Obviously Metaframe XPs, XPa and XPe vary in price due to product capabilities. Upgrade paths also exist between versions and from older versions of Metaframe. Citrix licensing also operates on a points system, the higher the purchase and hence the higher the number of points awarded, the higher the discount margin is.

Note also that there are no longer any Metaframe “server” licenses, only connection licenses. This means that there are no penalties for scaling out to a larger number of less powerful servers, and also that a 5 user starter pack can be purchased relatively cheaply for pilot testing without a lot of risk involved.

Metaframe XP can also be upgraded from one variant to the next without reinstallation (e.g. XPs to XPa).

Application software licensing

Obviously, the whole point of having a Metaframe environment is to access applications! Application licensing really does depend on the individual vendor. As a general rule of thumb though, most vendors expect that you license software on Terminal Server and Metaframe according to concurrent users of the specific application.

One important note though: If you have a Microsoft application licensed for a specific desktop PC, then a user on that PC can access the same version of the application via Metaframe or Terminal Services without an additional license. This means that in many cases you can move software away from the local desktop without licensing hassles

Case Studies

Environment built for easy scale-out and recovery

The basic (simplified) steps involved may be similar to the following:

  • MS SQL or Oracle backend data store created, managed and backed up on existing database infrastructure
  • Metaframe XPe installed either manually or via a scripted install on the first server and documented
  • Applications installed, packaged and tested on a separate system before deployment
  • Backup the first server with something like Symantec Ghost onto a FAT32 partition at the end of the disk
  • Restore image to remaining servers in the farm

This would leave us with an environment that can be easily scaled by simply adding another server, copying the OS image to it and making some minor changes before allowing Installation Management to redeploy the software packages to the machine.

Additionally, if a server needs reinstalling due to corruption the same steps can be followed.

An existing Metaframe environment requires secure access by users who have Internet connections.

The basic design would go something like this (utilising the Citrix Secure Gateway 1.1):

  • Install the Secure Ticket Authority on the internal network and configure
  • Install the Secure Gateway service and NFuse in the DMZ and configure the java client
  • Issue an SSL certificate to secure NFuse over the web
  • Issue an SSL certificate to secure the Secure Gateway service
  • Make some minor firewall modifications to allow SSL into the DMZ etc

This solution would allow a user to connect to a specific URL (e.g. to access the NFuse web interface over SSL. An application session could then be launched. If using a local Citrix client then the root certificate for the CA that issued the certificate for the Secure Gateway service must be installed. If the java client is used there is a workaround to stream the root certificate down transparently. The application session will then connect to the nominated Secure Gateway service via SSL, supply the NFuse ticket, and ultimately start receiving ICA session data over SSL.

A Metaframe environment exists, what are the best thin clients to use?

Many customers elect to use current or old PC’s as thin clients or as fat clients that access only some applications via Metaframe (perhaps just their ERP software or some application that won’t run in their native desktop OS).

A problem is apparent in environments that wish to use Metaframe exclusively to deliver a desktop environment… how to do this cost-effectively? Dedicated thin clients can be purchased that run a variety of Operating Systems. Another common solution is to utilise small form factor PC’s with only a CPU, NIC, RAM and video support (possibly with no moving parts). A small image is loaded from the network when the system starts up. This image contains a basic Linux or DOS operating system and an ICA client. This can typically be done in only a few megabytes.

Biography of Presenter:

[Bio from 2003 – I’m all grown up now]

Paul Lawrie is a Senior Systems Engineer with Data#3, one of Australia’s largest IT Solutions companies. He holds a number of industry certifications including an NT4 MCSE+I, Windows 2000 MCSE, Citrix CCEA and Cisco CCNP. His day-to-day duties involve the design and integration of Enterprise solutions into Corporate and Industrial environments, building volumes of frequent flyer points, and trying to fit all those letters onto business cards.

Paul has worked in similar roles for various other employers including Com Tech (now Dimension Data), Unisys and Dialog, and invests his spare time avoiding IT as much as possible and spending time with friends and family.

Posted on

Loopback Group Policy for Terminal Server Users

In Windows 2000 Microsoft enhanced the system policy concept that already existed in Windows NT and developed Group Policy. A Group Policy object is a collection of settings assigned to a particular group of computers or users. A full discussion on GPO’s is far beyond the scope of this document and I will only focus on the specifics relevant to Microsoft Terminal Services and Citrix Metaframe users.

In my implementations I always dedicate an Organization Unit (OU) in Active Directory to my Terminal Servers or Metaframe Servers. For the sake of this article I will assume the same. Further, I will assume that you want to be able to set policies on the terminal servers, and to the users to log onto them.

Now, there are two parts to any Group Policy Object (GPO), User Configuration and Computer Configuration. If you assign a GPO to an OU, then the Computer Configuration will apply to the computer accounts under the OU, and the User configuration will apply to the user accounts under the OU.

Great you say! Oops, one little problem. Normally you have a User OU (or many user OU’s) with all your user accounts under them. How should you then configure the GPO that applies to those users? Think about it. Your users will probably want to logon to normal desktop PCs as well as to Terminal Servers or Citrix servers, and you will probably want them to have different policy settings in each environment. For example, it is reasonable for somebody to be able to shut down their desktop PC during the end of the day, but think of users shutting down your Metaframe farm! Woe, unhappiness.

The solution then? Microsoft have allowed for this and introduced the concept of Loopback Processing for User GPO’s when logging onto a server that it is applied to. Put simply, you can create a normal GPO object, apply it to your Terminal Server OU, configure up the User portion of the policy and have it apply to some or all users that log onto servers in that OU. Huzzah!

The information in this article applies to

  • Citrix Metaframe Presentation Server in an Active Directory Forest
  • Windows Terminal Servers in an Active Directory Forest
  • Windows GPO’s (Group Policy Objects)


Personally, I usually create two, one for the Computers and one for Users. I typically name these something like CitrixServers and CitrixUsers. the goal in this example will be to have all computer configuration carried out in the CitrixServers GPO and the user configuration in the CitrixUsers GPO. Furthermore, we will configure the CitrixUsers GPO so that it does not run for administrators and lock down their administrative ability.

Run up AD Users and Computers, and create two new GPOs under your Terminal Server or Citrix Server OU; one for computers and one for users. View the properties of the user GPO and DENY Domain Admins the right to apply the policy. That way, only non-admin users will have their settings altered and locked down.

Edit and configure the server GPO. Remember to only configure the Computer Configuration Component. If you like, you can disable the User Configuration part of the GPO for faster processing.

Edit and configure the user GPO with all the user settings you want to apply. Now for the magic. In the Computer Configuration part of the policy expand Administrative Templates then System. Under the Group Policy container is a setting called User Group Policy loopback processing mode. Enable it and set the Mode to either Merge or Replace. Use Merge if you are likely to have settings from other GPO’s that you will want to inherit. Normally I would use Replace.

That’s it! That one little setting in the Computer Configuration portion of the user policy is the key. Now to lock that baby down… but that is another article entirely…