To access the Secondary unit without changing HA Primary unit , which I would advise against if you are not sure of the VPN status run the following

execute ha manage 1

Login with the credentials

Then run 

diagnose vpn ike gateway

Lists all the current VPNS

diagnose vpn tunnel stat

Check how many are up

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently I was trying to add a Windows Feature into a Windows.wim file. 

After mounting the Wim I ran the below on a server 2012 machine

Dism /Image:”c:\temp” /Enable-Feature /FeatureName:NetFx3 /all

However I got 

Error 87 : “enable-feature is unknown”

I had to run the Dism /Image:”c:\temp” /Enable-Feature /FeatureName:NetFx3 /all command on a Windows 10 Box

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Meraki’s Advice to enable AD authentication for VPN is to create the Service account as …. Domain Administrator

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integration

This is big security no no ( Incase the account gets compromised then the whole domain gets compromised ) 

You can set this account as Domain User which will give the access

  • Query the user database via LDAP
  • Query group membership via LDAP

You can then assign the WMI permissions for : Query the domain controller via WMI 

by doing the below on the domain controller 

To set the WMI user access permissions

  1. Select Start > Run.
  2. On the Run dialog, type wmimgmt.msc in the Open field.
  3. Click OK to display the Windows Management Infrastructure (WMI) Control Panel.
  4. In the left pane of the WMI Control Panel, highlight the WMI Control (local) entry, right-click, and select the Properties menu option. This displays the WMI Control (Local) Properties dialog box.
  5. Select the Security tab in the WMI Control (Local) Properties dialog box.
  6. In the namespace tree within the Security tab, expand the Root folder. This action lists the available WMI name spaces.
  7. Click the CIMV2 namespace to highlight it.
  8. Click Security to display the Security for ROOT\CIMV2 dialog box.
  9. Click Add in the Security for ROOT\CIMV2 dialog box to display the Select Users or Groups dialog box.
  10. Add the domain user account that will be used as your proxy data collection user account. This should be a domain account (not a local computer account), but it does not need to be an account with administrative access.
  11. Click OK to close the Select Users or Groups dialog box and return to the Security for ROOT\CIMV2 dialog box. The user account you selected should now be listed in the Name list at the top of the dialog box.
  12. Select the newly added user (if it is not already selected) and enable the following permissions:
    • Enable Account
    • Remote Enable
      Enable the permissions by clicking the Allow box, if it is not already checked for that permission. The Enable Account permission should already be selected, but the Remote Enable permission will need to be selected.
  13. Click OK to close the Security for ROOT\CIMV2 dialog box.
    The permissions should now be properly set for the proxy data collection user account.
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Trying to authenticate a user with their AD credentials and the error displayed

The remote connection was denied because of the username and password combination

In the Event Log on the Meraki 

 

Also saw these errors

msg: invalid DH group 19.
 msg: invalid DH group 20.

msg: failed to begin ipsec sa negotiation.

You need a TLS Certificate on the Domain Controller and Radius server for Communication , run the below powershell 

New-SelfSignedCertificate -DnsName domaincontroller.domain.local -CertStoreLocation cert:\LocalMachine\My

This will create a cert for you in Personal / Certificates for the Local Computer

You will need to use the MMC to copy this to the Trusted Root Certification Authorities

 

I also has issues with Radius with the error : msg: failed to begin ipsec sa negotiation.

After following these settings : https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

In the end I had to Clear out the Conditions in the network polices ( Specifically the Calling Station ID ) and re-add

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
Debloat Scripts
 
https://github.com/Sycnex/Windows10Debloater
 
https://www.reddit.com/r/Windows10/comments/8jgrgr/guide_how_to_make_windows_10_less_intrusive_and/
 
GPO’s to add
 
 
.

 

Computer Configuration\Administrative Templates\Windows Components\Search
Allow CortanaDisabled
Prevent automatically adding shared folders to the Windows Search indexDisabled
Don’t search the web or display web results in searchEnabled
Allow Cloud SearchDisabled
Allow indexing of encrypted filesDisabled
Prevent clients from querying the index remotelyEnabled
Do not allow locations on removable drives to be added to librariesEnabled
Prevent automatically adding shared folders to the Windows Search indexEnabled
Prevent indexing files in offline files cacheEnabled
Prevent indexing public foldersEnabled
Stop indexing in the event of limited hard drive spaceEnabled
Do not allow web searchEnabled
  
Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization
Download ModeLAN
  
Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds
Toggle user control over Insider buildsDisabled
Allow Telemetry0 – Off
Disable pre-release features or settingsDisabled
  
Computer Configuration\Administrative Templates\Windows Components\App Privacy
Let Windows apps communicate with unpaired devicesDisabled
  
Computer Configuration\Policies\Admin Templates\Windows Components\Application Compatibility
Turn off Application Telemetry Enabled
Turn off Inventory Collector Enabled
  
Computer Configuration\Policies\Admin Templates\Windows Components\Endpoint Protection\MAPS
Join Microsoft MAPS Disabled
  
Computer Configuration\Administrative Templates\System\OS Policies 
Allow publishing of User ActivitiesDisabled
Enables Activity FeedDisabled
  
Computer Configuration\Administrative Templates\Windows Components\OneDrive\
Prevent the usage of OneDrive for file storageEnabled
Prevent the usage of OneDrive for file storage on Windows 8.1Enabled
Prevent OneDrive files from syncing over metered connectionsEnabled
Save documents to OneDrive by defaultDisabled
  
Computer Configuration\Administrative Templates\Windows Components\Cloud Content
Turn off Microsoft consumer experiencesEnabled
Do not suggest third-party content in Windows spotlightEnabled
Turn off the Windows Spotlight on Action CenterEnabled
Do not use diagnostic data for tailored experiencesEnabled
Turn off the Windows Welcome ExperienceEnabled
  
Local Computer Policy\User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications
Turn off tile notificationsEnabled
Turn off toast notifications on the lock screenEnabled
Turn off notification mirroringEnabled

 

Set Explorer to My Computer not Quick Access


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

LaunchTo DWORD

1 = This PC 2 = Quick access

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Trying to add a secondary Storefront server came up with an error during propagation of settings : 

 

Failed to get the end status of the sever configuration update.
System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Access to the path ‘C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows\CitrixReceiver.exe’ is denied.
at Citrix.DeliveryServices.ConfigurationReplication.WCF.ConfigurationReplication.EndUpdateConfiguration(IAsyncResult asyncResult)

 

Looks like the same issue as https://pariswells.com/blog/research/import-stfconfiguration-an-error-occurred-configuring-storefront-diagnostics-method-invocation-failed-because

Deleting : C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows and \Mac Fixed this issue

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

If your windows 10 machines get their updates from WSUS then you might get Error 0x800F081F while installing .NET Framework 3.5 on Windows 10. This is probably due to Windows 10 not being able to search your Windows Updates location for the Feature.


Approve these updates

Synchronise Server and try again

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Trying to import a Citrix Storefront Config produces the following Error

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. Method invocation failed because
[System.Collections.Hashtable+ValueCollection] does not contain a method named ‘Contains’.
At line:1 char:1
+ Import-STFConfiguration -configurationZip “c:\Temp\backup.zip” -HostB …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-STFConfiguration], Exception
+ FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException,Citrix.StoreFront.ImportConfigura
tion

 

You need to wipe your Storefront Config using the below Commands


PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> . .\ImportModules.ps1
PS C:\Program Files\Citrix\Receiver StoreFront\Scripts> Clear-DSConfiguration

Then retry import

 

I got then next error

 

Import-STFConfiguration : An error occurred configuring StoreFront diagnostics. The running command stopped because
the preference variable “ErrorActionPreference” or common parameter is set to Stop: Cannot remove item C:\Program
Files\Citrix\Receiver StoreFront\Receiver Clients\Mac\CitrixReceiver.dmg: You do not have sufficient access rights to
perform this operation.
At line:1 char:1
+ Import-STFConfiguration -configurationZip “c:\Temp\backup.zip” -HostB …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Import-STFConfiguration], Exception
+ FullyQualifiedErrorId : System.Management.Automation.ActionPreferenceStopException,Citrix.StoreFront.ImportConfi
guration

 

Deleting 

C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Mac

and 

C:\Program Files\Citrix\Receiver StoreFront\Receiver Clients\Windows

fixed this

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently trying to install VDA on a server 2016 server and it comes up with the below error trying to install Remote Desktop Session Host

Error Id: XDMI:334CF235

Exception:
Citrix.MetaInstaller.MetaInstallerException ‘dism’ component failed to install with error 0x800f080c.
at Citrix.MetaInstaller.Prerequisite.RdsComponents.Install(InstallationContext context)

at Citrix.MetaInstaller.InstallationManager.InstallComponent(InstallableComponent component, InstallationContext installContext)

 

Looking in the logs it’s failing when running this :

dism /quiet /norestart /english /online /enable-feature /featurename:Remote-Desktop-Services /featurename:ServerMediaFoundation /featurename:AppServer /featurename:InkAndHandwritingServices /featurename:DesktopExperience

When I run this manually I get  : 

Feature name DesktopExperience is unknown. 
Feature name InkAndHandwritingServices is unknown.

This is actually already bundled in 2016 , you will need to install VDA 7.11 ( the minimum version that supports Server 2016 ) 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)