Author Archives: Jani Kohonen

Jani Kohonen Visit Website
Jani Kohonen is an author of and working as a Citrix Consultant and Architect with 22 years of experience in the IT industry. Jani's been working in the IT industry since 1997 and with Citrix technologies since 2001. He holds several years experience with Microsoft, Citrix, Apple, HP and VMware vendors as well as Server, Application and Desktop virtualization and Mobile technologies. He has done dozens of virtualization design and implementation projects from Small Business to the large global enterprise customers and complex environments. Jani has been awarded as Citrix Technology Advocate (CTA).
Citrix, VMware, XenMobile

VMware Fusion 10 – Cannot import .ova virtual appliance templates anymore?

I came across this situation after upgraded Fusion 8 on macOS from to version 10 and didn’t manage to import anymore some particular .ova virtual appliance tempalates in to it. e.g. Citrix XenMobile virtual appliance.

VMware Fusion 10 fails to import .ova template and gives an error: “Invalid target disk adapter type: pvscsi”. Apperantly latest OVF Tool included in it has a bug to import if SCSI Controller type configured in template as “VirtualSCSI” = pvscsi.

Workaround, before VMware fixes this issue, extract .ova template and change the SCSI Controller configured in .ovf file from “VirtualSCSI” SCSI Controller
to “lsilogic”.


1. Extract .ova file and you’ll get three files;

– opt.ovf
– opt.vmdk

2. Open opt.ovf file and edit SCSI Controller section in it from “pvscsi” to “lsilogic”;

<rasd:Description>SCSI Controller</rasd:Description>

3. After file edited you still cannot import it as the manifest file “”, which has been SHA signed, doesn’t match anymore to the original opt.ovf file signed.

4. Use OpenSSL to sign manifest file again (download and install OpenSLL first);

– Openssl sha1 *.vmdk *.ovf >

5. After signed manifest file again you’re good to go and import .ova template succesfully. Of course it now uses different SCSI Controller, but it works at least for the latest Citrix XenMobile .ova template.

Views: 4946

Read More
Citrix, NetScaler

NetScaler Gateway – Two-Factor Authentication – How to hide 2nd password field

Some two-factor products (e.g. DUO, SMS Passcode) require you to hide the 2nd password field. Easiest way is to use Rewrite policies, which works both Web browser and Receiver self-service.

Tested with:

Citrix Receiver for Windows 4.6.0
Citrix Receiver for Mac 12.4.0
NetScaler 11.1

If you have any file level customizations on NetScaler, it needs to be reset as per default settings before doing these Rewrite policy – modifications.

For Web browser:

1. Create a Rewrite Action

Header Name: Set-Cookie
Expression: (“pwcount=”+ 1″)

2. Create a Rewrite Policy

Action: Select the rewrite action which you created
Undefined Result Action: -Global undefined result action
Expression: HTTP.REQ.HEADER(“Set-Cookie”).CONTAINS(“pwcount”).NOT

Bind this policy to the Netscaler Gateway Virtual Server where 2FA is configured.

For Receiver Self-Service:

1. Create a Rewrite Action

Expression to choose target location: http.res.body(1024)
Expression: “rn”+”<META http-equiv=”X-Citrix-AM-GatewayAuthType” content=”SMS”>”
Pattern: content=”text/html; charset=UTF-8″>

2. Create a Rewrite Policy

Action: Select the Rewrite action which you created
Undefined Result Action: -Global undefined result action
Expression: http.req.url.path.endswith(“vpn/index.html”)

Bind this policy to the Netscaler Gateway Virtual Server where 2FA is configured.


Views: 3614

Read More
Citrix, Exchange, NetScaler

NetScaler – Restrict SMTP Relay

Quick way to restrict Echange SMTP Relay in NetScalers is Extended ACLs. SMTP Relay can be restricted on Exchange servers or Firewalls using ACLs. Sometimes Firewalls could be managed by 3rd party company and it would be easier to manage ACLs on NetScaler. Here is an example how to configure it on NetScaler console:

#add Ectended ACLs
add ns acl InboundSMTP1 ALLOW -srcIP = -destIP = -destPort = 25 -protocol TCP -priority 101
add ns acl InboundSMTP2 ALLOW -srcIP = -destIP = -destPort = 25 -protocol TCP -priority 102
add ns acl InboundSMTP3 ALLOW -srcIP = -destIP = -destPort = 25 -protocol TCP -priority 103
add ns acl InboundSMTP4 ALLOW -srcIP = -destIP = -destPort = 25 -protocol TCP -priority 104
add ns acl InboundSMTP5 ALLOW -srcIP = -destIP = -destPort = 25 -protocol TCP -priority 105
#deny rest
add ns acl InboundSMTPSDeny DENY -destIP = -destPort = 25 -protocol TCP -priority 300
#apply ACLs
apply ns acls
#save netscaler config
save ns config




Views: 1105

Read More
1 2 3 4 5 13