Skip to content


Category: Windows Administration

I renewed a SSL certificate on my Exchange Servers and needed to update it on my NetScaler.
To import the SSL certificate to NetScaler you need to export and convert the certificate. This is common usage for using a “Windows Certificate” on a Linux system or in a Java certificate store.
The steps to accomplish this:

  • Export the certificate from Exchange to a .pfx-file.
  • Extract the Certificate and Private Key from the .pfx-file. Windows does not support doing this natively, you need to have OpenSSL installed.
  • Import the Certificate and the Private Key file to NetScaler (or another appliance).


Export the certificate from Exchange 2010 Management Console

Go to Server Configuration and select the certificate you want to export.
Enter filename and a password.

Export the certificate from Exchange admin center (Exchange 2013)

Go to Servers and select Certificates

Mark the certificate and klick the (more) icon and select Export Exchange certificate.

Enter UNC Path and Password.


Convert the exported certificate
For this step you need to install OpenSSL:

Read more about the PKCS#12 file utility:


Import the certificate to NetScaler
Go to Traffic Management > SSL > SSL Certificates and click Update.
Use the dropdown on the “Browse” button to select Local file rather than first uploading the file to the NetScaler.


To compact a dynamically expanding Linux virtual hard disk you will first need to zerofill the unused area. This is done by using the dd(data dump) tool.

This will create a file filled with NULL chars and then remove it.

When it is finished, shut down the machine and compact the disk.

You can compact the VHD by following the “2. Compact VHD” – step here


I downloaded Netscaler VPX for Hyper-V from Citrix downloads and tried to import it to my Hyper-V 2012R2 machine but it failed with an error “Hyper-V did not find virtual machines to import from location“.

Reason for the import failing is because the NSVPX image has been created on 2008R2(Hyper-V2) and due to changes to the platform they are incompatible. You can read more about it here.


The short answer is to create a new machine.

Create a new virtual machine with the following settings: (values in bold are mandatory)
Specify Generation: Generation 1
Assign Memory: Startup memory: 2048 (do not select dynamic memory)
Configure Networking: Connection: (Select your preferred Connection)
Connect Virtual Hard Disk: Use an existing virtual hard disk (the .vhd image).

…and make sure the following is configured: (edit if needed)
Number of virtual processors:2
Network Adapter: May not be a “Legacy Network Adapter”


PowerShell equivalent of above:


Now configure your network settings. You will need at least one adapter for the management IP address (NSIP) for the NetScaler. Additional adapters may be needed in your environment.


I was getting the following error in the logs on an Exchange 2010 server(SP3 with RU5).

There is a limit of attachments in a single message that the content indexer will process. If the indexer encounters more than 32 attachments, the event 9875 is thrown.

The errormessage also has information about the affected Database, Folder ID, Message ID and Document ID.

For now, the only useful information is the database name which holds the problematic message, rest of the values are hex numbers. We can assume there are a bunch of users and messages in a database, therefor we need to find the correct mailbox and item.


..this is where ExFolders come in handy.

Download ExFolders, import the regfile and copy the .exe-file to C:\Program Files\Microsoft\Exchange Server\V14\Bin\. You must run ExFolders.exe from that folder.

Launch ExFolders and select “Mailboxes” and “Database”. If you want to run against a preferred GC, make that selection, otherwise select the database.


Choose “Selected folder and subfolders” and set an output file (example: c:\folderids.txt).
Unmark all other properties and select the FolderID “ptagFID: 0x67480014“.

This will export ALL folder ID:s in every mailbox in the selected database. Note: You need full access permissions to be able to traverse the folders.


Search the exported file for the FolderID that matches the one in the errormessage. Now you know in which mailbox, and folder, the message is in.

In my case the FolderID matched with the “Recoverable Items”-folder in a mailbox.


Launch ExFolders, select the folder and “Export Item Properties”.


Add MessageID property, ptagMID:0x674A0014, in the field click “Add property to list” and OK

You have now exported all MessageIDs in that folder and one of them should match with the MessageID in the errormessage.


Depending on where the message is and what kind of action you choose to take, you can use powershell, outlook or mfcmapi to remove the message.


There are several reasons why you would like to have several instances of the same app in your Worx store. For example you need to test an application before upgrade or applications that require multiple configurations for different users.


Uploading the same app into the appcontroller will give you problems, therefor you need to make a distinction between the “new” app from the “old” one.


The .ipa file is a .zip file. Extract the file and you will find a folder named “Payload”. Within the Payload folder you will find a file “Info.plist” which holds the settings for the specific application. Property list (“P-list”) files are used in OSX and iOS programming frameworks. These files can be edited natively on OSX but Windows will need a third party tool (In my experience, plist Editor Pro is the best one so far).



You need to change the CFBundleIdentifier to be able to publish another instance of the app. Optionally you might want to change CFBundleDisplayName, this is the name displayed on the device when the app is installed.


Update: Newer versions of the MDX toolkit has option to change the “CFBundleIdentifier“, but not the CFBundleDisplayName.


While working on a bunch of provisioned servers(Citrix PVS), I needed to do some modifications on the cache drive. I made a small .VHD image which boots quickly and gives me access to some rudimentary tools. I also had to inject a couple of drivers for the VMWare components.

First of all, install the Microsoft Assessment and Deployment Kit (ADK) and get a copy of the VMWare-drivers(Program Files\Common Files\VMware\Drivers\) from a system with the VMWare Tools installed.

Right-click the shortcut to “Deployment and Imaging Tools Environment” and choose “Run As Administrator”. Use copype to build your own bootable WinPE environment. The syntax is “copype <architecture> <destination>”.


X86-architecture selected for the image and “X:\winpe_x86” used as work folder:


Mount the image:


Inject the needed VMWare drivers (\drivers is the source folder).


Copy any tools you need into the (mounted)image, for example into the folder X:\winpe_x86\mount\tools.


Unmount the image and commit your changes:


Create a boot-ISO (Optional):


Create a virtual hard drive which will be used for provisioning:


Prepare the drive by using MakeWinPEMedia:


Detach the disk and move the .vhd into your PVS server.



I stumbled into a problem importing a few machines that had previously been deleted from Hyper-V. All the files and configurations were still available.

Running the “Import Virtual Machine” wizard did not find any machines to import, so I wrote a few lines to import the machines via powershell:

…which resulted in an error when trying to import one of the machines:

I had to get more information:

Virtual Disks missing. I verified that the files were present and that the paths were correct in the .xml file. This is a disk-intensive machine and therefor the vhd-files(disks) are distributed to 3 different physical harddrives.

It seems to be assumed, that the images are present on the same volume. After moving all the images to the same location both the wizard and Import-VM worked.




Netscaler VPX Express is a free version of the NetScaler VPX appliance, but with a few limitations. You don’t have the same throughput, there is no SSL Offload and you need to renew the (free)license every year.. which is good enough for some cases.


Update 2015-04: Follow the link: Import Netscaler VPX to Hyper-V 2012R2.



Information below is kept for future reference.

Convert a NSVPX VMDK(VMWare) to VHD(Hyper-V)


I wanted to test the Netscaler VPX Express in my homelab but at the time there were no download available for Hyper-V. There were downloads for VMWare, XEN and KMS hypervisors.

I downloaded the current image for VMWare, “NetScaler VPX for ESX 10.5.e Build 52.1115.e

In an earlier post, i wrote how to convert an vmdk image to Hyper-V:


Create a new virtual machine with the following settings: (values in bold are mandatory)
Specify Generation: Generation 1
Assign Memory: Startup memory: 2048 (do not select dynamic memory)
Configure Networking: Connection: (Select your preferred Connection)
Connect Virtual Hard Disk: Use an existing virtual hard disk (the image above).

…and make sure the following is configured: (edit if needed)
Number of virtual processors: 2
Network Adapter: May not be a “Legacy Network Adapter”


Start the machine

If you get the “Invalid Slice” message you need to repair the bootloader, which can be done with the FreeBSD LiveCD.

Download the “FreeBSD-8.4-RELEASE-i386-livefs.iso”, mount it and reboot the machine.

From the Main Menu, select the following:

From the Configuration Menu, select:


Now select the freebsd partition and press “S” to make it bootable and “W” to write changes.

When asked for Boot Manager, select:

Press “Q” to finish and then exit the installer, make sure the CD-image is unmounted and reboot.

You should now be able to boot the netscaler.


After some initial configuration, login with the default credentials: NSROOT/NSROOT.







Installing/upgrading Internet Explorer to 9,10 or 11 will break the TMG Management Tools.


Workaround is to mark out 3 lines in “C:\Program Files\Microsoft Forefront Threat Management Gateway\UI_HTMLs\TabsHandler\

Search for “style.paddingTop” and comment the lines by adding ” // ” in front of them.





You can filter keypresses with keyboard scancodes, it gives you the possibility to redefine keys via the registry. You can bind a key to another key or disable a specific key (CTRL-ALT-DEL combination in kiosk-mode for example).

The scancode mappings are stored in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map

If the “Scancode Map” value doesn’t exist it must be added as a REG_BINARY.


Below the layout of the “Scancode Map” values:

Offset Bytes Information
0 4 Header. Version information
4 4 Header. Flags
8 4 Header. Number of mappings, including the null terminator
12 4 x Individual mappings. 4 bytes for each mapping. DWORD.
last 4 Null terminator (0,0,0,0)


Example: Remap Left Shift to L-key

00 00 00 00 Header
00 00 00 00 Header
02 00 00 00 Two definitions
26 00 2A 00 0026 = L-key. 002A = Left Shift.
00 00 00 00 Terminator

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
“Scancode Map”=hex:00,00,00,00,00,00,00,00,02,00,00,00,26,00,2A,00,00,00,00



Example: Disable CTRL-ALT(-DEL)

00 00 00 00 Header
00 00 00 00 Header
05 00 00 00 5 definitions
00 00 1d 00 0000 = Nothing. 001d = Left CTRL
00 00 38 00 0000 = Nothing. 0038 = Left ALT
00 00 1d e0 0000 = Nothing. e01d = Right CTRL
00 00 38 e0 0000 = Nothing. e038 = Right ALT
00 00 00 00 Terminator

GPO registry settings:



There is a tool available to help you find the mappings :