CheckPoint SNX install instructions for major Linux distributions

I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot, and hard disk encryption out of the box. This explains why Debian is not in this list. These requirements may not apply to you so feel free to add the instructions for your distro of choice to the comments below.

As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender“. This is a major pain as it requires (from my experience) X server, Oracle Java, and the FireFox browser to run.  Chrome gives this helpful message on the Java website:

The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.

Despite all this, it still uses the native client but with the “unsupported” -Z option.  Ah well.

With all the distributions I did the following:

  • downloaded the most prominent ISO on offer at the projects main page
  • used dd to transfer the image to usb stick
  • installed using full disk encryption
  • applied all the patch fixes
  • installed openssh-server.

Let me tell you now that your future is full of warnings like, This Connection is Untrusted, I understand the Risks, Add Exception, Confirm Security Exception, allow, allow remember, continue, run, allow, trust server, etc etc. I found it useful to browse to the Verify Java Version site in Firefox to verify that java is working.

You will also need to know the url, username and password for your own checkpoint login site. It should be something like.:

These instructions are going to be terse but the links provided should give you more information if needed.

Ubuntu 15.04 Vivid Vervet

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Pressing connect will open an xterm window that downloads and runs the native client script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Linux Mint 17.2 “Rafaela”

Very similar to Ubuntu, we’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Unlike Ubuntu however the install via the browser did not work for me. You will need to go to your own login site:

Then select Settings > Edit Native Applications Settings > Download installation for Linux

Open a terminal and then run the command from wherever you downloaded it.

# sh +x ~/Downloads/
Installation successfull

Now when you go back to the web site, your Connect button should work.

openSUSE 13.2

This is a distribution I haven’t used too much before but decided to give it a try. Again additional libraries were necessary to get snx to run. I also followed these instructions to install java.

zypper install  libX11-6-32bit libXau6-32bit libxcb1-32bit glibc-devel libstdc++-devel libstdc++48-devel linux-glibc-devel
rpm -ivh ./libstdc++33-3.3.3-29.2.i586.rpm

Then is was just a case of connecting to the website and pressing Connect

Fedora 22

We have covered installing under Fedora 21 before and the biggest problem was installing Oracle Java. Get the latest from and I copied it to /usr/local/src. You’ll need to adjust accordingly.

dnf update
dnf install libcanberra-gtk2.i686 pkgconfig.i686 /usr/local/src/jre-8u60-linux-x64.rpm
alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
alternatives --install /usr/lib64/mozilla/plugins/ /usr/java/latest/lib/amd64/ 200000
alternatives --config java


I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.

Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64 bit version.

I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.

Posted in General, snx | 1 Comment

Stopping mplayer from displaying Album Art on Music or Podcasts

I use mplayer as my media player of choice. If it discovers embedded album art in the media files, it will display them as a popup window. To prevent this from happening you can use the switch -vo null which will tell it to ignore video output. For example.

mplayer -vo null /mnt/SANZA_KEN/PODCASTS/TuxJam_44.ogg

Posted in General | Leave a comment

Unable to access SharePoint in Firefox but it is possible in Chrome

Thanks to the the-edmeister  for giving a solution to this issue

That type of message might be related to Insecure NTLM (pre-NTLMv2) authentication being disabled in Firefox 30.

Type about:config in the URL bar and hit Enter. Accept the warning. Type NTLM in the Search bar at the top. Right-click network.negotiate-auth.allow-insecure-ntlm-v1 and select Toggle. Then close Firefox and restart.

See if you can access that SharePoint website without getting that 401 message.


Posted in General | Leave a comment

Can’t locate in @INC

Had a strange one while installing my new work laptop. I was migrating from one system to another, so I did a clean install of Fedora 21 and copied my data over. After that I could no longer open cpan, getting the error:

$ echo o conf | perl -MCPAN -e shell
Can't locate in @INC (you may need to install the CPAN module)

Followed by a list of paths that did not even exist.

I re-installed again and confirmed that perl and cpan were working fine. Then I restored my data, only to find that the same thing happened again. That ruled out a system issue and then I finally did a

which perl
which cpan

Only to find out that they were both pointing to binaries in my home directory. At some stage I must have made a copy of perl and cpan to my ~/bin/ instead of making a symlink. I confirmed that there was a version of cpan in /bin/cpan, and then I deleted the old version from ~/bin/cpan

Posted in General | Leave a comment

Windows Remote Desktop on GNU/Linux

This is the accompanying shownotes for a Hacker Public Radio podcast episode.

I wrote a bash script to connect to various different windows servers from my GNU/Linux desktops. I had a few different requirements:

  • I should be able to call it based on hostname.
  • All windows should be 90% smaller than my screen.
  • It should map my keyboard.
  • It should map my local disk.
  • It should quickly timeout if the port is not available.

You can get the full script here, but let’s walk through it:

The first line calls bash and then gets the server name from the symlink that is calling the script. The port is set as “3389”, but you can change that if you like.

SERVER=`basename $0`

The next few lines finds the smallest vertical and horizontal sizes, even if you are running multiple screens. Then it calculates 90% of that to use as the size.

h=$(echo "scale=0;(($(xrandr | grep '*+' | sed 's/x/ /g' | awk '{print $1}' | sort -n | head -1 )/100)*90)" | bc)
v=$(echo "scale=0;(($(xrandr | grep '*+' | sed 's/x/ /g' | awk '{print $2}' | sort -n | head -1 )/100)*90)" | bc)

Next we set the default username and password. I have it ask me for my password but I put it in here as an example.


In some cases the credentials may be different, so I have a case statement that will cycle through the servers and apply the differences. Depending on your naming schemes you may be able to use regular expressions here to filter out groups of servers.

case "${SERVER}" in
  *server*) echo "Server ${SERVER}"

  *colo*) echo "Server ${SERVER}"
  some_server ) echo "Server ${SERVER}"
  *) echo "No match for ${SERVER}, using defaults"

Next we use an inbuilt bash command to see if a remote port is open and timeout after one second.

timeout 1 bash -c "echo >/dev/tcp/${SERVER}/${PORT}"

I used to connect to rdp using the program rdesktop, but it is now of limited value due to the fact that there are many open bugs that are not getting fixed. Bugs such as Bug 1075697 rdesktop cannot connect to systems using RDP version 6 or newer  and Bug 1002978 Failed to negotiate protocol, retrying with plain RDP . I then switch to using xfreerdp. This is the client that is behind remmina.

You can use xfreerdp /kbd-list to get a list of the available keyboard layouts.

if [ $? -eq 0 ]; then
  echo "${SERVER}:${PORT} is open"
  xfreerdp /v:${SERVER} /size:${SIZE} /kbd-type:0x00000409 /t:${SERVER} /d:${WORKGROUP} /u:${USERNAME} /p:${PASSWORD} /a:drive,pc,/ /cert-ignore &
  echo "${SERVER}:${PORT} is closed"

Next you will need to be sure that your host names are available, either in dns or in your /etc/hosts/ file. For example: server1 server2 server3 coloserver1 coloserver2 coloserver3 some_server

Edit the script to your liking and then put it into your a directory in your path, possibly /usr/local/bash or ~/bin/. You can then make symbolic links to the servers to the bash script, also in a directory in your path, using the command:

ln -s /usr/local/bash/rdp.bash ~/bin/some_server
chmod +x ~/bin/some_server

Which links the global rdp.bash script to your personal symlink, and makes it executable.

All that you need to do then is type the name of the server and a rdp screen should pop up.

In our example:

$ some_server

From there your Windows Server session should pop up.

Posted in General, Podcasts | Leave a comment

Scripts based on your network location

I recorded an episode of HPR about a script that I wrote to make my life a little easier. The show is hpr1654 :: Using AS numbers to identify where you are on the Internet if you want to listen along.

My “itch”

I have a laptop and I want it to use different configurations depending on where I am. If I’m on wifi at home, I don’t want my NAS mounted, but if I’m on a wired connection I do. If I’m at work I want to connect to various servers there. If I’m in the train I want to setup a vpn tunnel. You get the idea.

My solution to this was to approach it from the laptop and go out. So to look around and see what network I was on. There are a few ways to approach this, you could look at your IP address, the arp tables, try and ping a known server in each location. The issue with looking at an IP address is that most networks use Private Networks. Very soon you will find that the wifi coffee shop happens to have picked the same range as you use at home and now your laptop is trying to backup to their cash register.

To get around this I tried other solutions such as looking at the MAC address of the default gateway using IP Route and Arp, but that requires a lot of maintenance as devices change a lot.
$ arp -n | grep $(/sbin/ip route | awk '/default/ { print $3 }') | awk '{print $3}'

The next option was to try and ping known servers, but that resulted in a lot of delays as the pings will by definition need to time out, as you run down the list of possible places you are.

Then I was thinking that I’m approaching this problem from the wrong angle. Why not start with my public IP address range, which has to be unique, and work back from there to my laptop. There are a lot of services out there that provide look up services. Some I have used in the past are

Now even Google gives back your IP address if you type in “my ip address” into the search bar. Rather than using those services I just set up a small php file on my own server that returns the public IP address of your connection. So even if your home and coffee shop happen to have the same range, they will have different public IP address ranges.

print "$ip";

From there I was planning on maintaining a look-up table of public IP addresses, along the lines of the GeoIP tools developed by MaxMind. They provide the GeoLite Country and GeoLite City databases under a OPEN DATA LICENSE, which looks to me like a modified Apache License (IANAL). They provide a C library under the LGPL.

For those not familiar with Geolocation based on IP address, it’s the technology that maps your Public IP address to a physical location. This is what blocks the BBC iplayer website outside of the UK, or presents a cookie warning within the EU, or stops everyone else in the world watching US TV websites. For most applications the location is very coarse, based on information from the regional Internet registries. Once you get past country level you need to start investing serious money to get the data and so you can expect to pay for the more granular information.

The more detailed you get the more concerned you need to be about privacy. The location for most peoples home connection is mapped to the location of their Internet Providers head office. After checking my ip address location on, of the six databases queried four put me in the head office of my ISP, one had the right town and another had me the other side of the country. So for a website that needs to perform an action based on the country of origin IP address it is quite useful but for my personal use case, it wasn’t going to help me a lot.

# geoiplookup
GeoIP Country Edition: US, United States

That was until I ran the exact same command on Fedora.

# geoiplookup
GeoIP Country Edition: US, United States
GeoIP ASNum Edition: AS15169 Google Inc.

The first line is the same but what’s this about ASNum ? It’s not mentioned in the man page, but suffice to say they are very, very important for how the Internet works.

From WikiPedia: Autonomous System (Internet)

ISP must have an officially registered autonomous system number (ASN). A unique ASN is allocated to each AS for use in BGP routing. AS numbers are important because the ASN uniquely identifies each network on the Internet.

So what that is saying is that every network in the Inter(connected)Net(work), must have it’s own unique AS Number. So my home ISP will have a different AS Number, from my local coffee shop, from my office network, etc. It actually goes even further than that. Say you have the same provider for your home Internet and mobile Internet. Even though they might be using the same ranges for all their networks, they will more than likely route between the private networks using public IP Addresses, and that means different, unique AS Number. Your mileage may vary on this, but for me it works out very well indeed.

It’s already installed on Fedora (yum install GeoIP), so to install the application on Debian/Ubuntu type:
aptitude install geoip-bin

This will drop the IPv4 (GeoIP.dat)and IPv6 (GeoIPv6.dat) databases into the directory /usr/share/GeoIP/. Your package manager will not update the databases for you, although there is a Fedora package GeoIP-update* to schedule a cron job it only updates the GeoLiteCity.dat file. Here is the script I use to update all the databases:
# vi /usr/local/bin/geoip-update.bash

Paste in the following code:

for database in
  wget "$database" -O - | gunzip -c > /usr/share/GeoIP/$(basename "$database" .gz)

Make the script executable
# chmod +x /usr/local/bin/geoip-update.bash

Then run it and check that you have new files in /usr/share/GeoIP to be sure it works. Finally all that’s left to do is to install it into cron. (Thanks James Wald)

# Minute   Hour   Day of Month       Month          Day of Week        Command
# (0-59)  (0-23)     (1-31)    (1-12 or Jan-Dec)  (0-6 or Sun-Sat)
    0      12          *             *                Mon              /usr/local/bin/geoip-update.bash > /tmp/geoip-update.bash 2>&1

I have modified my mapping script so that it combines the location and the connection type. It first does a quick check to see if there is an Internet connection and will time out after 2 seconds.

wget --timeout=2 -O -

I already have this file on my server for remote monitoring, so it makes sense to reuse it. The file contains the word “success” and if that is not returned then you don’t have any Internet connection. My server could also be down but that would be a bigger problem for me at least.

The next part gets the Public IP Address and then uses it to find the AS Number

geoiplookup "" | awk '/GeoIP ASNum Edition/ {print $4}'

So that’s all I need to find out my position on the Internet, but I also want to know what type of connection I’m using. For example, when I use a usb network theathering connection to my phone it displays as a wired connection when in fact it should be “wireless”. Once I have found both the location and the connection type, I then combine them with an underscore, and use a case statement to run the different commands.

Here is a finalized script:


result="$(wget --timeout=2 -O - 2>/dev/null)"
if [ "${result}" != "success" ]
  echo "No connection to found"
  exit 1
  myip="$(wget --timeout=2 -O - 2>/dev/null)"
  asnum=$(geoiplookup "${myip}" | grep 'GeoIP ASNum Edition: ' | awk '{print $4}' )
  case "${asnum}" in
      echo "No location found for AS Number \"${asnum}\""
      exit 2
  interface=$(route | awk '/default/ {print $(NF)}')

if [ "$( iwconfig 2>&1 ${interface} | grep 'ESSID' | wc -l )" -eq 1 ] || [ $(echo ${interface} | grep ppp | wc -l ) -eq 1 ]
  essid=$( iwconfig 2>&1 ${interface} | awk -F '"' '{print $2}')

echo "Connection Found: $myip $asnum $location $interface $type $essid"

case "${location}_${type}" in
    echo "Work Network"
    echo "Work Wireless Network"
    echo "Mobile Network"
    echo "Home Wired Network"
    echo "Home Wireless Network"
    echo "No custom configuration applied"
Posted in General, Podcasts | Leave a comment

Installing Citrix on Fedora 21

Time moves on. Distros move on, and so again it’s time to install Citrix Receiver for Linux. They have moved on to version 13.1, which fixes a lot of install bugs in the Ubuntu version. Unfortunately that seems to be at the cost of the RPM version which is no longer available. In this post we will be installing it on Fedora 21 which is still in beta.

Get the software Receiver for Linux 13.1 and look for For 64-bit Systems (assuming you have a 64 -bit system).

uname -p
-p, –processor print the processor type or “unknown”
$ uname -p

Then look for File Type: .tar.gz and download it. As root move it to somewhere like /usr/local/src/citrix/. Make sure you create a new directory as it is a tarbomb. Then extract it using the following command:

tar xvf linuxx64-

You can install it using the command:

# ./setupwfc 
Citrix Receiver for Linux 13.1.0 setup.

Copyright 1996-2014 Citrix Systems, Inc. All rights reserved.
Copyright (c) 1986-1997 RSA Security, Inc. All rights reserved.
This software uses libraries from the FFmpeg project under the LGPLv2.1

Citrix, Independent Computing Architecture (ICA), Program Neighborhood,
MetaFrame, and MetaFrame XP are registered trademarks and Citrix Receiver,
Citrix XenApp, XenDesktop, Citrix Presentation Server, Citrix Access Suite,
and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States
and other countries.

Microsoft, MS, MS-DOS, Outlook, Windows, Windows NT, and BackOffice are
either registered trademarks or trademarks of Microsoft Corporation in
the United States and other countries.

All other Trade Names referred to are the Servicemark, Trademark,
or Registered Trademark of the respective manufacturers.

Select a setup option:

 1. Install Citrix Receiver for Linux 13.1.0
 2. Remove Citrix Receiver for Linux 13.1.0
 3. Quit Citrix Receiver for Linux 13.1.0 setup

Enter option number 1-3 [1]: 1

Please enter the directory in which Citrix Receiver for Linux is to be installed.
[default /opt/Citrix/ICAClient] 
or type "quit" to abandon the installation: 

The parent directory /opt/Citrix does not exist.
Do you want to create it? [default y]: y

You have chosen to install Citrix Receiver for Linux 13.1.0 in /opt/Citrix/ICAClient.

Proceed with installation? [default n]: y

Installation proceeding...

Checking available disk space ...

        Disk space available 230130076 K 
        Disk space required 35519 K

Continuing ...
Creating directory /opt/Citrix/ICAClient
Core package...
Setting file permissions...
Integrating with browsers...
Browsers found.

Integration complete.
Do you want to integrate Citrix Receiver with KDE and GNOME? [default y]: y
Do you want GStreamer to use the plugin from this client? [default y]: 
Do you want to install USB support? [default n]: n
USB support not installed.

Select a setup option:

 1. Install Citrix Receiver for Linux 13.1.0
 2. Remove Citrix Receiver for Linux 13.1.0
 3. Quit Citrix Receiver for Linux 13.1.0 setup

Enter option number 1-3 [3]: 3
Quitting Citrix Receiver for Linux 13.1.0 setup.

Unfortunately we are not out of the woods yet, as a quick check shows that we are missing some dependencies.

# ldd /opt/Citrix/ICAClient/wfica | grep -i "not found" => not found => not found => not found => not found

Fortunately with the excellent yum installer we can just point to the missing files and it will install the required packages.

yum install

Once you log in to your companies web page and launch citrix you get a popup asking you to accept the license.
Screenshot of the EULA

Citrix ships with a very small number of CA Root Certs. Therefore the chance is quite high that you will be presented with a signed cert from a CA provider that they do not have the root certificate for. If your server has signed their SSL/TSL cert with a missing root certificate you will be presented with the “SSL error 61” message that we have come to know and love.

SSL Error

At this point I normally suggested using the certs from Firefox, but in the version of Firefox (32.0.2) shipped with Fedora 21 Beta, the root Certs are no longer kept as files on the disk. The error message actually tells you which one you are missing, in my case “Global Sign Root CA”. Now go to Firefox and open Edit > Preferences > Advanced > Certificates > View Certificates > Authorities, where you will be presented with a long list of Authorities.
GlobalSign-AlphaSSLCA-G2.pem from Firefox

Scroll down to the Authority that issued your cert and starting at the top, export them one by one and save them to /opt/Citrix/ICAClient/keystore/cacerts/. I needed to save them in my own Downloads folder, and from there I moved them to the folder as root adding the pem extension.

mv -v /home/user/AlphaSSLCA-G2 /opt/Citrix/ICAClient/keystore/cacerts/GlobalSign-AlphaSSLCA-G2.pem

For me it turned out to be the third one and once I had it installed I was able to open the applications on my companies citrix web page. One improvement is that there is no warning about missing languages.

Posted in citrix, General | 21 Comments

Setting the default document folder/directory in the KDE Kate Text Editor

By default Kate is trying to open and save files starting in the ~/Documents folder. While this may be convenient for some, I’d like to change it. Try as I might I couldn’t find this option in the configuration of Kate. I remember this was an option, and it was removed. Then it was a command line option but kate –help-all shows it as been removed.

The only I found to change this is via KDE > System Settings > Account Details > Paths > Document Path:

Changing that to your desired directory works fine.

Posted in General | Leave a comment

Speeding up Speech with mplayer

Mplayer is a fantastic media player and I have been using it as the default tool to play both music and speech for years now.

One of it’s lesser known features is the ability to speed up or slow down whatever it’s playing. Not very useful for music but very handy if you are listening to speech. In some cases you may wish to speed up podcasts, to get more enjoyment in. In other cases you may want to slow down a recording so that you can transcribe the text. For people with Dyslexia this is very empowering as it gives them control over the rate of input.

You can use the {, [, backspace, ], }, keys to control the speed.

  • { key will slow down by 50% of the current rate
  • [ key will slow down by 10% of the current rate
  • Backspace will return the speed to normal
  • ] key will speed up 10% of the current rate
  • } key will speed up by 50% of the current rate
  • 9 key will decrease the volume
  • 0 key will increase the volume

I strongly recommend taking some time to review the keyboard controls in the manpage.

By default mplayer will not maintain pitch when you change the speed. So if you speed it up the speaker starts to sound like a chipmunk, and if you slow it down female voices start to sound like male voices.

You can change this by starting mplayer with the switch -af scaletempo

You can change this quickly by creating an alias

alias mplayer='mplayer -af scaletempo'

A more permanent way to set this is to configure your mplayer configuration file. Simply add the following in the “# audio settings #” section


See the Configuration Files section in the man page for more information.

The system-wide configuration file ‘mplayer.conf’ is in your configuration directory (e.g. /etc/mplayer or /usr/local/etc/mplayer), the user specific one is ~/.mplayer/config. User specific options override system-wide options and options given on the command line override either.

Posted in Accessibility, General | Leave a comment

Installing Citrix Reciver on Ubuntu 14.04 LTS (Trusty Tahr)

EDIT: See comment below from Martin about the new version, where the fixes are applied. Get it here:

An update on installing the Citrix Reciver on Ubuntu 14.04 LTS (Trusty Tahr) as part of the Citrix series.

Get the application from the citrix website.
Select the deb format, and in my case the 64bit version.

Do not try and install this file as it will not work.

I only discovered this after I tried and failed to install it via the qapt-deb-installer. Dropping to the command line and installing dpkg failed as well but at least there was more information available.

# dpkg -i icaclient_13.0.0.256735_amd64.deb
Selecting previously unselected package icaclient.
(Reading database ... 143453 files and directories currently installed.)
Preparing to unpack icaclient_13.0.0.256735_amd64.deb ...
Unpacking icaclient ( ...
dpkg: dependency problems prevent configuration of icaclient:
 icaclient depends on libc6-i386 (>= 2.7-1); however:
 Package libc6-i386 is not installed.
 icaclient depends on ia32-libs; however:
 Package ia32-libs is not installed.
 icaclient depends on lib32z1; however:
 Package lib32z1 is not installed.
 icaclient depends on lib32asound2; however:
 Package lib32asound2 is not installed.
 icaclient depends on nspluginwrapper; however:
 Package nspluginwrapper is not installed.

dpkg: error processing package icaclient (--install):
 dependency problems - leaving unconfigured
Processing triggers for desktop-file-utils (0.22-1ubuntu1) ...
Processing triggers for mime-support (3.54ubuntu1) ...
Errors were encountered while processing:

At this point we have installed the software but there are still dependency issues. Normally running apt-get -f install would fix the problem. In this case the only option is to remove the icaclient package and I also had to run apt-get autoremove to get rid of unnecessary dependencies it installed.

After my experience with installing snx, I knew that the 32bit packages were removed after the move to MultiArch support. So I ducked around for a solution only to find this on the Citrix site “Installation Errors with Receiver for Linux 13.0 on Ubuntu 13.10 x64“, which details the problem and the fix. The fix is to essentially go in and edit the deb package to fix the dependency issues. The also provide a workaround to address the “SSL error 61”.

Here is the resolution they suggest:

The following resolution allows using Receiver for Web for authentication, enumeration and launch of the applications and desktops, as the aforementioned bug causes self-service UI to not work.

  1. Install the dependencies libmotif4:i386 nspluginwrapper lib32z1 libc6-i386 by executing the following command:
    sudo apt-get install libmotif4:i386 nspluginwrapper lib32z1 libc6-i386
  2. Get the official Citrix Receiver 13.0 .deb from:

    Note: Download from “For 64-bit Systems” section. The download popup may not work in Chrome, use Firefox.

  3. Fix the broken .deb package.
    You can fix it using the following commands:

    cd ~/Downloads
    mkdir ica_temp
    dpkg-deb -x icaclient_13.0.0.256735_amd64.deb ica_temp
    dpkg-deb --control icaclient_13.0.0.256735_amd64.deb ica_temp/DEBIAN
    sudo vi ica_temp/DEBIAN/control
    Change the line that starts with "Depends: ..." to:
    Depends: libc6-i386 (>= 2.7-1), lib32z1, nspluginwrapper
    Now rebuild the package: dpkg -b ica_temp icaclient-modified.deb
  4. Install the fixed package:
    sudo dpkg -i icaclient-modified.deb

    This installation may throw the following error:

    dpkg: error processing icaclient (–install):
    subprocess installed post-installation script returned error exit status 2
    Errors were encountered while processing icaclient

    This can be resolved by changing line 2648 in /var/lib/dpkg/info/icaclient.postinst from echo $Arch|grep “i[0-9]86” >/dev/null to echo $Arch|grep -E “i[0-9]86|x86_64” >/dev/null.
    Then restart the post-install sudo dpkg –configure icaclient.

  5. Add more SSL certificates.

    Some sites can give an SSL error. Firefox has many more certificates than Citrix, so add them.

    For example, sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

They quote the Ubuntu bug 1185771,
Mark libwebkitgtk-1.0-common as “Multi-Arch: foreign”.

Firefox is also not configured to open the Citrix Files correctly. To fix this select Open With and point it to /opt/Citrix/ICAClient/wfica

Posted in citrix | 2 Comments