Objective

This article contains information about deploying the NetScaler Gateway Plug-in and Endpoint Analysis (EPA) Microsoft Installer (MSI) packages for Windows by using an Active Directory Group Policy.

If users do not have administrative privileges to install the NetScaler Gateway Plug-in and EPA Plug-in on the user device, you can deploy the plug-in for users from Active Directory.

When you use this method to deploy the NetScaler Gateway Plug-in, you can extract the installation program and then use a group policy to deploy the program.

Prerequisites

• WinSCP or alternate secure copy or secure FTP application must be installed on the computer.

• Microsoft Active Directory Users and Computers, snap-in.

Instructions

To deploy the NetScaler Gateway Windows plug-in and EPA MSI package by using an Active Directory Group policy, complete the following procedures:

Acquiring the NetScaler Gateway Plug-in for Windows Installation Package

Option 1: Download the required release of the NetScaler Gateway Plug-in for Windows from NetScaler Downloads. Use a valid My Account or Citrix.com credential to download the software.
Note: Download the same release of the client software as that of NetScaler Gateway appliance. You can download either the 32-bit or 64-bit version of the software.

Option 2: Use the secure copy or secure FTP application to download the client from the NetScaler Gateway appliance. The client is available in the /var/netscaler/gui/vpns/scripts/vista directory of the appliance, as shown in the following screen shot:

• The 64-bit version filename is nsvpnc_setup64.exe.

Acquiring the NetScaler Gateway Endpoint Analysis Plug-in

Use the secure copy or secure FTP application to download the EPA client from the NetScaler Gateway appliance. The client is available in the /var/netscaler/gui/epa/scripts/win directory of the appliance, as shown in the following screen shot:

• The 64-bit version filename is nsepa_setup64.exe.

Installing the NetScaler Gateway Plug-in for Windows MSI Package on a Computer

To install the NetScaler Gateway Plug-in for Windows MSI package on a computer, complete the following procedure:

1. Run the appropriate installation file, such as nsvpnc_setup.exe or nsvpnc_setup64.exe.
   Note: Do not click Next in the Installer dialog box.

2. Run the following command to open the command prompt:
   cmd

3. Run the following command to change to the temporary directory:
   cd %temp%

4. Run the following command to search for the NetScaler Gateway Plug-in for Windows installation file:
   dir agee.msi /s

5. Copy the file agee.msi to an end-user accessible UNC path on a domain server, such as server.example.comshareagee.msi.

6. Cancel the installation.

Installing the NetScaler Gateway Endpoint Analysis MSI Package on a Computer

To install the NetScaler Gateway Endpoint Analysis MSI package on a computer, complete the following procedure:

1. Run the appropriate installation file, such as nsepa_setup.exe or nsepa_setup64.exe.
   Note: Do not click Next in the Installer dialog box.

2. Run the following command to open the command prompt:
   cmd

3. Run the following command to change to the temporary directory:
   cd %temp%

4. Run the following command to search for the NetScaler Gateway EPA for Windows installation file:
   dir nsepa.msi /s

5. Copy nsepa.msi file to an end-user accessible UNC path on a domain server, such as server.example.comsharensepa.msi.

6. Cancel the installation.

Configuring Active Directory Group Policy on Windows 2008 Server Domain Controller to Deploy the Packages

NetScaler Gateway Plug-in for Windows

To configure Active Directory on Windows 2008 Server Domain controller, complete the following procedure:

1. From the Start menu, select Group Policy Manager. The Group Policy Manager option is available in Programs > Administrative Tools.

2. Either create or edit an existing Group policy. To edit a policy, right-click the policy and select Edit from the shortcut menu.

3. In the Group Policy Management Editor, expand the Computer Configuration node.

4. Expand the Policies node.

5. Expand the Software Settings node.

6. Select the Software Installation node.

7. Right-click Software Installation and select New > Package from the shortcut menu.

8. Click Browse and navigate the directory structure to select the agee.msi file.

9. Select Advanced option and click OK.

10. In the Citrix NetScaler Gateway Plug-in Properties dialog box, make the required changes to the settings, as shown in the following screen shot:

11. Click OK.

NetScaler Gateway Endpoint Analysis

Additional Resources

For EPA installation issues logs:-
C:ProgramDataCitrixAGEE
nsinst2.txt and nsinst.txt
C:Users<user>AppDataLocalCitrixAGEE
this is more specific to EPA scan failures
Citrix Documentation - Deploying the NetScaler Gateway Plug-in from Active Directory
Citrix Documentation - Endpoint Analysis Requirements

• 917
• Citrix , Login Automation Machine , PowerShell ,
• 26 Mar

At one of my customers, I am upgrading the Citrix XenApp environment to the latest Long Term Service Release (LTSR). In this case, I am upgrading the Citrix Virtual Delivery Agent (VDA) to 7.15 LTSR and the Citrix Receiver to version 4.9 LTSR.

The customer has Current Release (CR) installed and needed to be upgraded. It was decided to upgrade to the latest LTSR versions because of the 5 years support cycle.

However, in this blog post, I focus on the installation of the Citrix Receiver with the help of Login Automation Machine (Login AM). To successfully install the Citrix Receiver there are some tricks and tweaks needed. In this bog I will give a solution and a possible explanation.

Unattended install

The first step is to find out if it is possible to install the Citrix Receiver in an unattended way. Citrix has built the installer in a way that the Citrix Receiver can be installed unattended. In addition, Citrix is so kind to provide us with the necessary information, for more, please click here.

The command I used is:

In Login AM, this translates to the following:

Waiting for other Login AM event to finish

After starting a deployment reboot of the test server, I ended up with the following error: “Waiting for other AM event to finishing”

To find out the reason, the log files are a good place to start. To open the log files of the Citrix installer, go to the following folder:

In the “TrolleyExpress” log, the last entry is about the “ICAWebwrapper.msi”. This Microsoft Installer (MSI) has been started, however, it never finished. If we open the corresponding log, it shows that the “ICAWebwrapper.msi” is trying to execute a custom action. Apparently, that custom action is not working and the installation is on a hold and will never finish.

Extract the receiver installer

The Citrix Receiver installation file is a wrapper and is extractable. After extracting, there will be ten separate MSI installer files. For more information how to do this, click here.

This results in a collection of MSI files:

To install the Citrix Receiver in a correct way, Citrix advises to install all the MSI in a special order with some parameters. Thus, for every MSI installer I created a Microsoft Transform (MST) file. For example, with a program called Orca, it is possible to generate a MST file. For more information about Orca, please click here.

With Orca, I added the Citrix recommended properties to the property table and some extra properties I always use when I am making customizations:

Citrix Files Silent Install

• REBOOT=ReallySuppress
• ROOTDRIVE=C:
• REBOOTPROMPT-Suppress
• SILENT=1
• MSIDISABLERMRESTART=0
• MSIRESTARTMANAGERCONTROL=0
• NEED_RECEIVER=n
• TROLLEYINSTALL=1
• ALLUSERS=1
• DONOTSTARTCC=1
• AutoUpdateCheck= disabled
• Enable_SSON=yes
• EnableCEIP=false
• ALLOWADDSTORE=n

Silent Install Citrix Workspace

I am using the “DONOTSTARTCC” property in the MST file because In a Citrix support document, the “DONOTSTARTCC” property is recommended for installations that are carried out with Group Policy Objects (GPO) and System Center Configuration Manager (SCCM) for example. For more information, please click here.

To install the Citrix Receiver, use for every extracted MSI and created MST the following command:

After putting the commands needed to install the Citrix Receiver into Login AM, the installation process is started. Again, the installation process hangs with the same message. The log files show the same problem.

Concluding from the logging, I could try at least two options:

• Change the custom action in the MSI table that is causing the problem
• Because the custom actions could not finish, install the Citrix Receiver under the system account.

Changing the custom actions table

Earlier, the logging of the installation process showed that the installation was stuck when the ICAWebWrapper.msi was installed. During the installation, there are several custom actions trying to launch a sub process. Because this was not working, I decided to change the custom actions that are responsible for launching this sub process. With the adaptations, the custom actions should not launch any sub process anymore during the installation process. Unfortunately, this did not help and the installation process was stuck on the same error again.

No time to be gentle anymore. I removed the custom actions shown in the Citrix Receiver installer logs and tried to install the Receiver again. Now, this was successful. The Citrix Receiver installed without problems, but as it turned out, the Single-Sign-On option was not working properly. Everything looked fine but apparently, the custom actions I removed were doing more than just starting a sub service.

Citrix Uninstaller

System account

The last option is to install the Citrix Receiver with the system account. Login AM uses its own service account that is comparable with a normal account that is dedicated to Login AM. However, the system account has more rights and is comparable to a Linux root account.

PsExec

First, it is needed to run the installer under the system account. That can be done with PsExec. PsExec is part of the PsTools package. For more information and a download link, click here.

The PowerShell script is starting PsExec with all the arguments needed to run it in the background. PsExec will, in return, start the command under system account to install the Citrix Receiver.

The PowerShell code:

Success

In Login AM, the PowerShell script, the PsExec.exe file, and the Citrix Receiver installation file will be copied to the local disk of the target machine. Login AM will start the PowerShell script from the targeted machine and the Citrix Receiver will be installed under the system account. In Login AM, it looks like this:

Uninstall older installations

The Citrix Receiver installation automatically uninstalls older Citrix Receiver installations. In this case, the Citrix Receiver Cleanup tool should be used. We want to end with exit code 0. If the Citrix Cleanup tool is not used, the installation will end with exit code: 3010 (A Reboot is required.) As a result, PsExec will stay active in the background and Login AM will give you the following message: “Waiting for other AM event to finish”.

Now the installation is working like a charm. I can only conclude that the newer Citrix Receiver installation files need to be installed under system account because of the custom actions present inside the “ICAWebwrapper.msi”. Also, colleagues who are using SCCM or GPO didn’t come across any issues and these installation tools are all using the system account to install software.