Merchandising Server 2.0…Still Room for Improvement
Citrix Merchandising Server and Receiver 2.0 were recently released. Some nice new features have been added. Merchandising Server and Receiver 2.0 are nice but still have room for improvement in the administration functions and the user experience.
New features in Merchandising Server and Receiver 2.0:
- Anonymous Deliveries – This fixed one issue I had with users getting the Citrix Receiver logon prompt after pushing the Receiver via script, SCCM, etc. There was a workaround for it, but you had to revert back to an older Citrix Receiver client. This new feature allows you to deploy the Citrix Receiver without having a user log on. Instead, a system token is used. Nice feature for deploying the Citrix Receiver to managed machines without prompting for credentials after the install, machines outside of your domain, or unmanaged devices like BYOC.
- Enhanced Roaming – Improves the roaming for Citrix Receiver by using beacon websites to avoid users getting authentication messages.
- Improved Usability – Improved error reporting and improved reporting for Active Directory syncing. This is another nice new feature. I have had issues with the Merchandising Server for VMware losing sync with Active Directory. Hopefully this improved logging gives more insight into what’s going on.
- Receiver for Windows 2.0 Packager – Allows use of an external download page to download and install the Citrix Receiver with the secure access plug-in. Windows and Mac Receivers are included in the download.
- Receiver for Admins – Receiver package that can be installed separately from the Merchandising Server but only works with Merchandising Server 2.0.
I really like the Merchandising Server and Receiver. I like how I can centrally manage and deploy Citrix plug-ins as well as the Microsoft App-V plug-in based on different rules and deliveries. I am starting to use the Merchandising Server and Receiver on deployments more and more. Installing the Receiver and deploying the plug-ins makes Citrix client management easy.
Where I see room for improvement in the Merchandising Server is secure LDAP authentication, backup/recovery/failover, and SSL certificate support on the administration functions. Also, where is a Merchandising Server for Hyper-V download?
Currently the Merchandising Server only does LDAP authentication insecurely. So what if you are using the Merchandising Server in a secure environment or putting the virtual appliance in the DMZ? The Merchandising Server needs this feature for deployment in secure environments and when being placed in the DMZ.
Right now the only backup/recovery of the Merchandising Server appliance is through hypervisor snapshots/backup. What if something gets corrupted, though? Where is the export/import configuration feature? Like others, I have had issues with the Merchandising Server for VMware. After working with Citrix support on some of the issues I was experiencing with Merchandising Server for VMware (locking up, losing AD sync, and/or not booting properly), it was found that there was an issue with the earlier build of the Merchandising Server for VMware when it was first released. My only option was to download the appliance again and start from scratch. So if there is an issue with the build, how would a snapshot/backup on the hypervisor side help with that? At a minimum, Merchandising Server needs an export/import configuration feature. I have submitted this as a feature request, so hopefully this gets added in a future Merchandising Server release.
So what about high availability? High availability is not so critical, since existing users will be unaffected: Receiver plug-ins that were deployed before the Merchandising Server went down will work fine, but Receiver plug-in updates can’t be deployed. While the Merchandising Server is down, new users can’t download the Citrix Receiver and plug-ins. Now the nice thing about Merchandising Server 2.0 is that the token for anonymous deliveries can be copied to another Merchandising Server. This could possibly be a secondary, standby, or backup Merchandising Server. All you have to do is copy and paste the token from one appliance to another. Make sure you keep your token documented somewhere just in case your Merchandising Server has issues and you have to start over. An even nicer feature would be some kind of sync between two Merchandising Servers. Maybe an active/passive setup with failover that keeps all settings/configuration, downloaded plug-ins, and token in sync.
Only 1024 bit SSL certificates are supported on the 2.0 release. This means you can only create a certificate request from the Merchandising Server in 1024 bit. The documentation is a little misleading because it states only 1024 bit SSL certificates are supported. The issue with this is that SSL CA vendors are starting to no longer sell 1024 bit SSL certificates, only 2048 bit and higher since 1024 bit SSL certificates will not be supported after 2010. So I called Citrix support to talk about this and even though the documentation says 1024 bit support only, you can create a 2048 bit SSL certificate on another machine and import it into the Merchandising Server. I used an IIS 7 box to create the certificate request, exported it to a PFX file, converted the PFX file to PEM format, and uploaded it to the Merchandising Server appliance. Hopefully in the next release of Merchandising Server this will be addressed. Now if you are using an internal CA like Microsoft Certificate Services this is not a big issue unless you are also managing the Receiver and plug-ins on machines that are not domain members and/or external to your network. Managing and deploying internal CA root certificates can be a pain in that scenario.
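The PFX-to-PEM step described above, as an added example that is not from the original post: it assumes OpenSSL as the conversion tool (the post does not name one), uses a constructed self-signed PFX in place of the IIS export, and confirms the resulting PEM carries a 2048-bit key that matches its certificate before it would be uploaded. File names, the subject name and the pass phrase are placeholders.

```shell
#!/usr/bin/env bash
# Added example: PFX -> PEM conversion, then two checks before upload.
# Assumed: OpenSSL as the tool; file names, CN and pass phrase are constructed.
set -eu

# Constructed stand-in for the PFX exported from the IIS box:
# 2048-bit RSA key + self-signed certificate bundled as PKCS#12.
make_sample_pfx() {  # $1 = output .pfx, $2 = export pass phrase
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=merch.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$1" -passout "pass:$2"
  rm -rf "$dir"
}

# Convert PFX to one PEM file holding the certificate and the private key.
# -nodes leaves the key unencrypted (assumed here), so restrict file permissions.
pfx_to_pem() {  # $1 = input .pfx, $2 = pass phrase, $3 = output .pem
  ( umask 077; openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" )
}

# Print the public key size, in bits, of the certificate in a PEM file.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the private key and the certificate in the PEM form a pair.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

work=$(mktemp -d)
make_sample_pfx "$work/merch.pfx" "demo-pass"
pfx_to_pem "$work/merch.pfx" "demo-pass" "$work/merch.pem"
echo "certificate key size: $(cert_key_bits "$work/merch.pem") bit"
key_matches_cert "$work/merch.pem" && echo "private key matches certificate"
```

A PFX written by an older Windows release may need `-legacy` added to the `openssl pkcs12 -in` call on OpenSSL 3.x.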
Hyper-V support. Why isn’t there just a download for Merchandising Server for Hyper-V? Why do I have to convert the Merchandising Server for XenServer to Hyper-V? There were instructions for this on the Citrix Blogs, but they have been taken down. The instructions are posted at Enabling Citrix Merchandising Server paravirtualized vm to run on Hyper-V. Converting the Merchandising Server for XenServer to Hyper-V is unsupported. So if you have any issues after converting the XenServer virtual appliance to Hyper-V, you are on your own.
Where I see room for improvement in the Receiver on the user experience side is authentication. The issue with getting a Citrix Receiver logon prompt after a push install via script, SCCM, etc. in 1.2 was a pain. Why can’t the Receiver have pass-through authentication like the XenApp online plug-in has? The option to have pass-through authentication for devices with domain membership, along with the prompt and anonymous/system token authentication for devices without domain membership, is needed. The same goes for the Dazzle plug-in. This would probably take some Citrix XML integration/communication like the Web Interface has. On second thought, why not just combine Merchandising Server and Web Interface into a single virtual appliance? Manage client plug-ins and user interfaces from a single instance. On the other hand, I guess authentication could be a use case for Password Manager/Single Sign-on if the customer has Platinum licensing, but what if they don’t?
If you are configuring the Receiver for anonymous deliveries with a system token, the Receiver can’t be downloaded and installed from the Merchandising Server. It has to be installed by script, SCCM, etc. The XenAppBlog has a very good blog post on how to do this. See How to deploy Citrix Receiver for logon information after .MSI install.
Like I said above, I really like the Merchandising Server and Receiver. I like the improvements in version 2.0. I hope Citrix keeps making the Merchandising Server and Receiver better. I really hope a supported Merchandising Server for Hyper-V is released along with an export/import configuration, secure LDAP authentication, 2048 bit SSL support, and pass-through authentication for the Receiver in a future release.
If you have found this article interesting or if you have any other insights, please feel free to leave comments on this article.
Very nice article Jarian – as always, thanks for the link to my article.
Totally agree with you regarding the missing features. Looking forward to secure LDAP to be able to put it into the DMZ.