1
NetScaler Gateway and StoreFront
May 2016. NetScaler Gateway and StoreFront. TechEdge 2016. Paul Walker, Senior Support Readiness Specialist, WW Support Readiness.

Welcome and thanks for joining us today. My name is Paul Walker and I am a Senior Readiness Specialist on the World Wide Support Readiness Team in Fort Lauderdale. If you are wondering, no, we will not be talking about the next Fast and Furious movie; instead, today's presentation is on NetScaler Gateway and StoreFront integration.
2
Agenda: Understanding the communication flow; Troubleshooting tips; Common error messages with integration; Take Aways & Resources; Q & A.

As you all know, understanding the communication flow between NetScaler Gateway, StoreFront and XenApp/XenDesktop resources is an invaluable skill for Citrix customers. By understanding this flow and the common challenges, you can streamline your integration of these components and better focus your troubleshooting efforts should they be necessary. The payoff is a solid integration and a confident understanding of the technology involved for the administrator or architect. For our agenda today we will look at understanding the communication flow between all the components necessary to successfully integrate NetScaler Gateway, StoreFront and XenApp/XenDesktop, discuss the most common error messages you can encounter with the integration, and review troubleshooting tips and methodology. Finally, we will provide some takeaways and resources and leave time for Q&A at the end.
3
How many of you have taken the time to integrate NetScaler Gateway and StoreFront?
So before I get started, let me ask this question. Please raise your hand: how many of you have taken the time to integrate NetScaler Gateway and StoreFront? With this integration most of you probably used the NetScaler Gateway wizard for setup on NetScaler and the Citrix StoreFront Console on StoreFront, and this probably worked 90% of the time. But how many have taken the time to understand all the connection flow points that this integration needs in order to work? If you have done this, great, but if you have not, then for the next 45 mins we will break down each of the traffic flow points and discuss the most common problems that can happen at each connection point.
4
Understanding the Flow
[Flow diagram. Zones: Internet, DMZ, internal network. Labels: NetScaler 443/80, ICA 443, StoreFront 443, Active Directory 389/636, STA 80/8080, ICA 1494/2598, XenApp/XenDesktop.]

To troubleshoot an issue, or to narrow it down to something more specific, we first have to understand how all the pieces work together. With this understanding, “It’s easier to play the game, if you know the rules.” So let us understand what is involved in the communication flow. Looking at the diagram, we can see we have a Client PC, NetScaler Gateway server, StoreFront, Authentication server, and XenApp/XenDesktop server.

The user will establish an SSL connection to the Gateway virtual server and get prompted to enter their credentials. NetScaler will verify the credentials with Active Directory. Once authenticated, the user will be redirected to StoreFront. StoreFront will realize that the user authenticated at the Gateway and will retrieve those credentials. Once those credentials are received, the user’s resources will be enumerated. When the user clicks on a desktop/App to launch, StoreFront sends the ICA file to the user. The ICA file contains the necessary information to launch the Desktop through the Gateway (such as STA ID and Gateway FQDN). The end user’s Receiver will establish a connection back to the Gateway on the NetScaler. The STA ticket that StoreFront originally created for the launch ICA file will be retrieved by the NetScaler. NetScaler will then establish a connection to the server hosting the Desktop or App.
5
Setup Instructions http://support.citrix.com/pages/netscaler-how
During the setup, configuration is done on NetScaler Gateway as well as StoreFront. Right now, with the back and forth, there is potential to make some mistakes. We are looking to address this in future versions of NetScaler and StoreFront to make the integration seamless. In the meantime, if you want documentation on setup instructions, I suggest starting with the NetScaler "How Do I?" pages. We have these for most products, but the one for NetScaler can be accessed at the address shown above.
6
Common Error Messages with Integration
Now that you understand the complete traffic flow, let us take a look at some of the most common errors that you may encounter during the integration.
7
Error # 1- Cannot complete your Request
"Cannot complete your request" is the most generic of the error messages a user can receive when integrating NetScaler Gateway and StoreFront. The message for some has no meaning, and if you click the OK button that appears, the message just keeps reappearing. For a user this can be frustrating. If you look at the URL path, it shows that the connection is making it all the way to the StoreFront server, so why is it giving me a message about Cannot Complete your Request? Since this is the most common and generic of the error messages, let us now examine what to look for when we get this message.
8
Understanding the Flow
[Flow diagram. Zones: Internet, DMZ, internal network. Labels: NetScaler 443/80, 443, StoreFront 443, Active Directory 389/636, XenApp/XenDesktop.]

Reviewing the traffic flow again, we can see the following. The user establishes an SSL connection to the Gateway virtual server and gets prompted to enter their credentials. NetScaler verifies the credentials with Active Directory. Once authenticated, the user will be redirected to StoreFront. This is the point at which users will potentially get the Cannot Complete message. Now that we know where this message can appear in our flow process, it can help us to determine where to start looking.
9
What to Check…Cannot Complete Request
For the Cannot Complete Request error, checking the event viewer on the StoreFront server is a good first step. The message in the event viewer shows that we are having a communication error while attempting to contact the NetScaler Gateway. It offers tips such as checking that the authentication service is running, and points to a possible problem with the remote name not being resolvable.
10
What to Check…Cannot Complete Request
We know that the only time StoreFront needs to do this communication is when a Callback URL is defined on the StoreFront server. If the address is incorrect, it will return the Cannot Complete Request message. Note that while the Callback URL is mandatory for Web Interface integration with NetScaler Gateway, with StoreFront and NetScaler Gateway it is only necessary if you want to use SmartAccess control. For those who don’t know what SmartAccess is, this is when we want to leverage the Citrix virtual channels to control an application or desktop based on user experience. We also need to set a callback URL if the logon type is set as Security token, SMS and SmartCard.
11
What to Check…Cannot Complete Request
Another review of the event viewer indicates another scenario where we can get the Cannot Complete message. The message in the event viewer is indicating an issue with a service called the Credential Wallet Service. The message reports that the object is not set to an instance of an object. Check the trusted domains under StoreFront + NSG – I believe they need to match.

KB article: Error: "Cannot Complete Your Request" on StoreFront
12
What to Check…Cannot Complete Request
Services on the StoreFront server such as the Citrix Credential Wallet, Default Domain Services, and Peer Resolution Service can generate this message as well if they are not started. So taking a quick look at the services node on the StoreFront server to make sure these services are running will help address this problem.
13
What to Check…Cannot Complete Request
Finally, looking at the event viewer, we see another message: SSO failed because the specified domain is invalid. It shows 2 main causes: either the SSO domain specified in the NetScaler Gateway console is invalid, or the domains are being restricted in the StoreFront console.
14
What to Check…Cannot Complete Request
On the StoreFront server, the Configure Trusted Domains node can be hardcoded with a specific domain name. If the Trusted Domain that is defined on StoreFront does not match the domain defined in the NetScaler Gateway session policy, then this will also produce that error message. Note that "Any domain" is the default setting, so as long as this is not altered on the StoreFront server we should be OK.
15
Error # 2- /CGI/Login

I am sure you all have seen this one before. This is where, after you pass the authentication login stage, the redirect hangs at the /cgi/login prompt. The message returned can be different from what is shown in the example, but the URL path of /cgi/login will always appear no matter which version of the error message is reported on the screen, such as Website Cannot Display page, Not a privileged user or Internal Server Error.
16
Understanding the Flow
[Flow diagram. Zones: Internet, DMZ, internal network. Labels: 443/80, NetScaler 443, StoreFront, Active Directory 389/636, XenApp/XenDesktop.]

Going through the communication flow process, we can see at what stage of the communication that message can appear. The user will establish an SSL connection to the Gateway virtual server and get prompted to enter their credentials. NetScaler will verify the credentials with Active Directory. It will then try to make a connection to the StoreFront server. As you can see from the diagram, a connection is supposed to be attempted to port 80/443 on the StoreFront server. This traffic is normally sourced from the SNIP/MIP of the NetScaler to the backend resource (in our case StoreFront), but the NetScaler Gateway needs to know how to find the address of the StoreFront server. The way that the NetScaler Gateway is aware of the StoreFront server is by using a session policy.
17
What to Check…/CGI/Login
[Screenshots: Receiver Session Policy; Receiver for Web Session Policy.]

After authentication, the NetScaler Gateway should redirect the user's connection to the StoreFront server address defined in the session policy. There are normally 2 session policies that are created when using the NetScaler Gateway wizard. One session policy is used for users connecting with a browser such as IE, Chrome or Firefox. The other session policy is for use with the Citrix native Receiver on iOS, Android, Windows, etc. If the redirection does not work, we can start by checking whether we have a valid session policy bound to the vserver.
18
What to Check…/CGI/Login
The policies have priority settings, and the lower the number the higher the priority. So we want to make sure that the session policy that should be applied has the lowest priority number.
19
What to Check…/CGI/Login
Session policies are also evaluated in the order of User, Group, Vserver, Global. The only time that this order changes is if we have priority set at these different levels for our policy.
20
What to Check…/CGI/Login
For the session policy that is bound, we want to make sure that the correct settings are defined in the session profile. We also need to verify that the address for the StoreFront server is valid and resolvable. If you are using a name, try the IP address, and if you are using a load balanced vserver to represent the StoreFront server, try with a single StoreFront server. This will help to eliminate any issues with the load balanced address.
21
What to Check…/CGI/Login
[Slide links: CTX Troubleshoot CGI issues; CTX View Policy Hits.]

We can use the nsconmsg command. This is a tool on the NetScaler to verify whether we are hitting the correct session policy. Tailing the ns.log file on the NetScaler will also let us know if we are having an issue. The following KB articles, CTX and CTX, are valid resources to help with this error as well: "/cgi/login for a User of a Particular Group" and the "nsconmsg -d current -g pol_hits" command.
22
Error # 3- App Enumeration
"There are no apps or desktops available to you at this time" is another common error message that is seen. This one is a bit tricky for most, as it shows that the communication has made it all the way from the NetScaler Gateway over to the StoreFront web page, as indicated by the Citrix StoreFront logo on the webpage as well as the URL path. Apart from the message, it provides no other indicator to the user of what is going on. A question that a user may ask is: am I truly getting this message because no apps were published to me?
23
Understanding the Flow
[Flow diagram. Zones: Internet, DMZ, internal network. Labels: NetScaler 443/80, 443, StoreFront 443, Active Directory 389/636, XML 80/8080, XenApp/XenDesktop.]

So let us take a look at the communication flow. The user will establish an SSL connection to the Gateway virtual server and get prompted to enter their credentials. NetScaler will verify the credentials with Active Directory. Once authenticated, the user will be redirected to StoreFront. StoreFront will realize that the user authenticated at the Gateway and will retrieve those credentials. Once those credentials are received, the user’s resources should be enumerated. But from the error we can see that we have passed all the stages of validating the user and we still get the error message. Now let us take a look at what can potentially cause this problem.
24
What to Check…App Enumeration
For this issue it is best to check your configuration settings. But before we do this, checking the event viewer on the StoreFront server will help in providing a starting point for troubleshooting. Reading the message, it states that an error occurred while attempting to connect to the server on a given port. This is the address and port for my XML broker server. The second message gives an event ID with a message stating that all the Citrix XML Services for farm XA failed. These error messages are a pretty clear indicator of my issue.

[Slide link: CTX Citrix XML Port XenDesktop.]
25
What to Check…App Enumeration
[Slide links: CTX Citrix XML Port XenApp; CTX Citrix XML Port XenDesktop.]

To verify my farm settings I want to use the Citrix StoreFront Console. Once in the console, highlight the store in question. Go to Manage Delivery Controllers, where you can edit your farm settings for either your XenApp 6.5 or XenDesktop farm. Here you want to verify that you have a valid XML broker set. If the XML broker is defined using a name, you want to verify that you have no issues with DNS. I suggest using the IP address instead of the name until we can rule out any issues with DNS. Next, check the XML port and verify that you have the correct XML port defined. If you are unsure of the XML port configured for your farm, you can verify this on your XenApp/XenDesktop server. The KB articles listed on this slide provide information on checking or setting the XML port on the XenApp and XenDesktop server respectively.
26
Error # 4- AppLaunch/STA/XenApp/XenDesktop
App launch is another common problem that most users encounter. It can manifest itself with multiple error messages, such as "Cannot start App", "Cannot connect to the Citrix XenApp server. Protocol driver error", "Cannot connect to the Citrix XenApp server. There is no Citrix SSL Server configured on the specified address", and other versions of these messages. Even though some are cryptic, others provide a hint on what could be the possible cause. If you understand the different stages in the communication flow, you can then use that understanding to target your troubleshooting efforts so they are focused on the potential problem area. One thing to remember is that there are 2 main parts to the communication flow. The first is the app enumeration, which involves connecting and seeing your apps. The second is the application launch process. If you are able to see your apps, then you know you were successful with the first stage. Now the problem is the second stage, which involves application launch.
27
Understanding the Flow- (STA)
[Flow diagram. Zones: Internet, DMZ, internal network. Labels: NetScaler 443/80, 443, StoreFront 443, STA 80/8080, Active Directory 389/636, XenApp/XenDesktop.]

So now let us take a look at the flow process for the app launch. The user will establish an SSL connection to the Gateway virtual server and get prompted to enter their credentials. NetScaler will verify the credentials with Active Directory. Once authenticated, the user will be redirected to StoreFront. StoreFront will realize that the user authenticated at the Gateway and will retrieve those credentials. Once those credentials are received, the user’s resources will be enumerated. When the user clicks on a desktop to launch, StoreFront is supposed to send the ICA file to the user. The ICA file contains the necessary information to launch the Desktop through the Gateway (such as STA ID and Gateway FQDN). But the message returned at this stage is going to be Cannot Start App. Again, this is another message that is not meaningful to the user. But a good understanding of the traffic flow helps to target your troubleshooting efforts.
28
Understanding the Flow- (AppLaunch-Cont’d)
[Flow diagram. Zones: Internet, DMZ, internal network. Labels: ICA, NetScaler 443/80, 443, StoreFront 443, STA 80/8080, Active Directory 389/636, ICA 1494/2598, XenApp/XenDesktop.]

If you were able to fix the Cannot Start App error, we can potentially still have more errors during the app launch process. Let us take a look at the other problems that can occur with app launch. Let us assume that the user passed the first stage of the process, which is the app enumeration, as well as the previous Cannot Start App message. When the user clicks on a desktop to launch, StoreFront sends the ICA file to the user. The ICA file contains the necessary information to launch the Desktop through the Gateway (such as STA ID and Gateway FQDN). The end user’s Receiver client will establish a connection back to the Gateway on the NetScaler. The STA ticket that StoreFront originally created for the launch ICA file will be retrieved by the NetScaler. The NetScaler will then establish a connection to the server hosting the Desktop or App. For this type of problem we see from the flow that, depending on the error message, we may have to check the configuration settings on the NetScaler, StoreFront or XenApp/XenDesktop environment.
29
What to Check…AppLaunch
The event viewer on StoreFront and XenApp/XenDesktop server can provide some more information that will guide you on focusing your troubleshooting efforts. The first event message indicates a problem obtaining a ticket from the Secure Ticket Authority. The second event message indicates a problem with the XML service and possible mfserver overload issue. This information tells us we may have a potential problem with the Secure Ticket Authority server and XML server. These 2 components run on the XenApp/XenDesktop server but since we are leveraging StoreFront and looking at the logs on StoreFront we need to verify that our problem is not a misconfiguration in the StoreFront console.
30
What to Check…AppLaunch
To start with troubleshooting, remember that the STA server listed on the StoreFront server must be the same as what is listed on the NetScaler Gateway server. The StoreFront server is the server that provides the STA server information that the NetScaler Gateway should contact. To remember the function of the STA server, I always explain it as a coat check person.
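One way to carry out this check from settings copied out of both consoles, as an added example (not a Citrix tool): compare the STA URLs configured on StoreFront with those bound on the NetScaler Gateway. The host names are constructed, and the comparison is textual on scheme, host and port, so a name on one side and an IP address on the other is reported as a difference to confirm by hand.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_sta(url: str):
    """Reduce an STA URL to (scheme, host, port), ignoring path and case."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url          # bare host[:port] entries
    parts = urlsplit(url)              # lowercases scheme and hostname
    scheme = parts.scheme
    host = (parts.hostname or "").rstrip(".")
    port = parts.port or DEFAULT_PORT.get(scheme, 80)
    return scheme, host, port


def compare_sta(storefront_urls, gateway_urls):
    """Report which STA endpoints are configured on one side only."""
    sf = {normalize_sta(u): u for u in storefront_urls}
    gw = {normalize_sta(u): u for u in gateway_urls}
    only_sf = sf.keys() - gw.keys()
    only_gw = gw.keys() - sf.keys()
    # Same host on both sides with a different scheme or port:
    # worth checking first, since one side points at the wrong endpoint.
    same_host = {k[1] for k in only_sf} & {k[1] for k in only_gw}
    return {
        "matched": sorted(sf[k] for k in sf.keys() & gw.keys()),
        "only_on_storefront": sorted(sf[k] for k in only_sf),
        "only_on_gateway": sorted(gw[k] for k in only_gw),
        "endpoint_mismatch_hosts": sorted(same_host),
        "in_sync": not only_sf and not only_gw,
    }


# Constructed sample values, for illustration only.
STOREFRONT_STAS = [
    "http://STA01.corp.example.test/scripts/ctxsta.dll",
    "http://sta02.corp.example.test:8080/scripts/ctxsta.dll",
    "https://sta03.corp.example.test/scripts/ctxsta.dll",
]
GATEWAY_STAS = [
    "http://sta01.corp.example.test",
    "http://sta02.corp.example.test",
]

if __name__ == "__main__":
    for key, value in compare_sta(STOREFRONT_STAS, GATEWAY_STAS).items():
        print(f"{key}: {value}")
```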
31
What to Check…AppLaunch
Having the proper firewall ports open is also necessary. It may be necessary to get the firewall admin involved if this is not a device that you control. If the firewall admin is not available, or advises that the correct ports are open on the firewall, then to validate ports 1494 and 2598 for XenApp you can define a service on the NetScaler Load Balancing node to verify that the ports are open. This works great for XenApp servers, as the 1494 (ICA) and 2598 (Session Reliability) ports are constantly listening. For the VDA machines this is difficult, as a VDA machine is only active while it has a connection. One trick is to connect to the VDA machine outside of the NetScaler Gateway. Once connected, you can then add a service for the VDA on the NetScaler Load Balancing node to test the ports. This will then change the status of the service to an UP state.
32
Error # 5- Receiver for Android
Another common problem area is with the Receiver for Android.
33
Cannot Add Account

Slide text: StoreFront is load balanced with NetScaler. iOS/Windows Receiver work. Solution: create a separate session policy (req.http.header User-Agent Contains Android); bind the policy and set priority. KB-CTX202417.

When configuring the Android Receiver, the error "Cannot add account" appears when the Android Receiver connects through the NetScaler Gateway VIP. When investigating, it is determined that the StoreFront server is load balanced with NetScaler and that the iOS and Windows Receivers are all working. If you run into this problem, you can resolve it by creating a session policy separate from the other session policies. This session policy is configured with a specific User-Agent string to check for Android devices only. Bind this policy to the NetScaler Gateway VIP and ensure that the Android session policy has the highest priority. Remember, the lower the number the higher the priority. For more information on this issue see CTX202417.
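The priority and bind-point rules from the /cgi/login slides, together with the Android fix above, as an added example (not Citrix code or appliance output): a simplified Python model that picks the winning session policy for a request. Policy names, priorities and User-Agent strings are constructed, expressions are reduced to plain substring tests on User-Agent, and the bind point is assumed to matter only when priorities are equal.

```python
from dataclasses import dataclass

# Tie-break order from the slides: User, Group, Vserver, Global.
BIND_ORDER = {"user": 0, "group": 1, "vserver": 2, "global": 3}


@dataclass(frozen=True)
class BoundPolicy:
    name: str                    # hypothetical policy name
    bind_point: str              # one of the BIND_ORDER keys
    priority: int                # lower number = higher priority
    ua_contains: tuple = ()      # every string must appear in User-Agent
    ua_not_contains: tuple = ()  # none of these may appear in User-Agent

    def matches(self, user_agent: str) -> bool:
        # Simplification: a plain, case-sensitive substring test.
        return (all(s in user_agent for s in self.ua_contains)
                and not any(s in user_agent for s in self.ua_not_contains))


def winning_policy(bindings, user_agent):
    """Return the matching policy with the lowest priority number.

    Assumption of this model: the bind point only decides between
    policies whose priority numbers are equal.
    """
    hits = [p for p in bindings if p.matches(user_agent)]
    if not hits:
        return None
    return min(hits, key=lambda p: (p.priority, BIND_ORDER[p.bind_point]))


def shadowed(bindings, sample_user_agents):
    """Names of policies that never win for any of the sample clients."""
    winners = {winning_policy(bindings, ua) for ua in sample_user_agents}
    return sorted(p.name for p in bindings if p not in winners)


# Constructed User-Agent strings, for illustration only.
ANDROID_UA = "CitrixReceiver/3.8 Android/5.1 (constructed)"
IOS_UA = "CitrixReceiver-iPhone CFNetwork/758 (constructed)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) (constructed)"
SAMPLES = [ANDROID_UA, IOS_UA, BROWSER_UA]

# The two policies the talk describes: one for browsers, one for Receiver.
WEB = BoundPolicy("PL_Web", "vserver", 100, ua_not_contains=("CitrixReceiver",))
RECEIVER = BoundPolicy("PL_Receiver", "vserver", 100, ua_contains=("CitrixReceiver",))

# Android policy bound with a higher number than the Receiver policy:
# the Receiver policy also matches Android clients and wins.
BEFORE = [WEB, RECEIVER,
          BoundPolicy("PL_Android", "vserver", 110, ua_contains=("Android",))]
# Same policy rebound with the lowest number on the virtual server.
AFTER = [WEB, RECEIVER,
         BoundPolicy("PL_Android", "vserver", 90, ua_contains=("Android",))]
# Equal priority at two bind points: the group binding wins the tie.
TIE = [RECEIVER,
       BoundPolicy("PL_Group", "group", 100, ua_contains=("CitrixReceiver",))]

if __name__ == "__main__":
    for label, bindings in (("before", BEFORE), ("after", AFTER)):
        for ua in SAMPLES:
            print(label, "|", ua, "->", winning_policy(bindings, ua).name)
        print(label, "| never applied:", shadowed(bindings, SAMPLES))
```

On a live appliance, the nsconmsg policy-hit counters mentioned earlier in the talk are the way to confirm which policy a given client actually hits.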
34
Unable to Configure Android Receiver
Slide text: Session profile is correct. No issues with certificate. ns.log on NS shows no error. No error in SF event viewer. iOS/Windows Receiver work. Solution: verify SF external beacon has NSG FQDN; check Load Balancing persistency set to sourceIP. KB-CTX200580.

Another error for the Android Receiver is "Unable to Configure Receiver on Android Device Through NetScaler Gateway". Reviewing the configuration, you confirm that the session profile is correct, no certificate issues are reported, and ns.log on the NetScaler and the event viewer on StoreFront also show no issues. To solve this issue, verify whether the StoreFront external beacon has a NetScaler Gateway FQDN. If not, define the FQDN for the external beacon node on the StoreFront server, then propagate the changes. If you are using a Load Balancing virtual server for StoreFront, verify whether it has cookie insert persistency set. If the load balanced vserver is set for cookie insert persistency, you want to change it to sourceip. Now test on Android Receiver, iOS Receiver, Windows PC Receiver and a Windows web browser. If the latter is the problem, where the Load Balancing vserver is set for cookie insert, then switch to source IP, as the Android Receiver currently does not work with this setting. For more information on this issue see CTX200580.
35
Troubleshooting Tips

Now let us look at ways that you can approach troubleshooting with NetScaler Gateway and StoreFront.
36
“If you have two equally likely solutions to a problem, choose the simplest.”
I will never forget this saying that I saw in a colleague of mine's cube when I first started at Citrix. It was from William of Ockham, and there are many versions of this quote, but it says "If you have two equally likely solutions to a problem, choose the simplest." I have used this technique for most of my troubleshooting and it has been very effective. Everyone will have their own style of troubleshooting and you will perfect your own style over time, but normally these methods fall under 2 tracks.

[Image caption: Franciscan friar William of Ockham.]
37
Troubleshooting Tips You’re in trouble!
The stab-in-the-dark approach and the systematic approach. The stab-in-the-dark approach usually involves little knowledge of the technology involved and is completely random in nature. Occasionally, the stab-in-the-dark approach can work, but often times the more complex the technology, the less likely that this kind of approach is going to be effective.
38
Troubleshooting Tips

When troubleshooting an issue, a step-by-step, systematic approach that is detailed, fast and efficient is the approach to adopt. When problems do occur, the first thing that you should do is ascertain exactly what has gone wrong: establish what the facts are. Find out whether any changes have been made and, if so, what those changes were. If possible, try to talk to the people directly involved with any changes; secondhand information might not always be as reliable as you would like. Also, if it becomes apparent during the troubleshooting process that there are multiple issues involved, be sure that you tackle one problem at a time. Any attempt to tackle multiple issues at one time usually just leads to confusion and may even make the situation worse.
39
Troubleshooting Tips

[Diagram: problem types (Authentication, Authorization, App Enumeration, App Launch) laid out across the External, DMZ and Internal zones, with the data to review at each point. Labels on the diagram: NetScaler NSIP, SNIP or MIP, VIP; StoreFront; XenApp/XenDesktop; LDAP; Security Event Log on DC (LDAP or IAS); 1- Auth Svr Settings, 2- NS Trace, 3- aaad.debug; 1- Auth Settings, 2- NS.log; 1- SF/WI Site Settings, 2- SF/WI Trace, 3- Event Log; 1- XML Settings, 2- STA Logging, 3- CDF Tracing; 1- Profile Settings, 2- NetScaler Trace, 3- Certificate; CDF Tracing; 1- NS Trace, 2- STA Monitor (newnslog), 3- Licensing; STA path on SF/WI; LDAP/LDAPS (TCP) 389/636; nssslvpn.txt; Ports and IP rules; ICA file - ID.]

Usually when we troubleshoot issues with NetScaler Gateway deployments, it's important to identify initially what type of problem is occurring. As you can see from the diagram, depending on the problem area you can view different types of log data. With so many moving parts, if you do not base your troubleshooting on the area of the traffic flow that is causing the issue, you can end up wasting a lot of hours troubleshooting the wrong issue. So, a couple of questions to ask: Can we authenticate? Is the application icon appearing or enumerating? Are there traffic issues, or issues with the application not being able to launch? With these types of questions, and also with the error message, you will have an idea of where to start your troubleshooting and what logs or other tools you will need to help resolve the issue.
40
Troubleshooting Tips: Case Troubleshooting Flow

[Diagram label: Clients, Receiver.]

Since all calls now have some integration with other Citrix products, it is a good idea to perform your troubleshooting by process of elimination so you can get the issue resolved quickly. Start at the client side and NetScaler. Verify all the settings that are needed on the NetScaler and client side. These can include certificates, the NSG vserver, authentication, and session policy/profile. Once all configuration has been verified, move to the next integration point, which is StoreFront.
41
Troubleshooting Tips Case Troubleshooting Flow
Check the necessary configuration on the StoreFront server. One test to determine if the StoreFront site is healthy is to connect directly to the StoreFront Receiver for Web site using a browser, if possible. This test will help you determine whether more focus needs to be placed on the NetScaler Gateway or on the StoreFront server. If that fails, then you want to move on to the XenApp/XenDesktop server.
42
Troubleshooting Tips Case Troubleshooting Flow
The XenApp/XenDesktop servers are the last components in your integration, so these should be working. If you are not the XenApp/XenDesktop admin, then you may need to get him or her involved. Verifying the health of these servers is critical to the integration, as they provide the resources, such as the apps and desktops, that users need to do their jobs.
43
Troubleshooting Tips: Troubleshooting Analogy

[Diagram: 1 Legs = NetScaler Gateway; 2 Body = StoreFront; 3 Head = XenApp/XenDesktop.]

I use this analogy of a body to help me explain the correlation. By understanding how the communication flow operates at each level, you get the understanding that the NetScaler Gateway is the legs, and without the body, the StoreFront server, the legs will not work properly. We also showed that even with the legs (NetScaler Gateway) and the body (StoreFront), if the head, which is XenApp/XenDesktop, is not functioning, then the entire integration will not work properly.
44
Summary

Now let us summarize what we covered.
45
Conclusion/Summary: Understanding the communication flow; Common error messages; Troubleshooting tips.

To summarize what was covered, we looked at the complete communication flow between NetScaler Gateway, StoreFront, and XenApp/XenDesktop. If you master the different connection points, then you can quickly focus your troubleshooting efforts. We reviewed the most common error messages encountered during integration and discussed some troubleshooting tips to help with diagnosing the issue. As with most setups, 90% is configuration, but if you don’t understand what you are configuring, then when a problem happens it will be difficult for you to troubleshoot, as you don’t know if your issue is a legitimate configuration error or some other problem. Remember also: if you have two equally likely solutions to a problem, choose the simplest.
46
Resources: Documentation

How to Configure NetScaler Gateway Session Policies for StoreFront
StoreFront 3.x: Configure NetScaler Gateway connection settings (configure-gateway.html)
Load balancing StoreFront with NetScaler (with-netscaler.html)
Error: "Cannot Complete Your Request" on StoreFront

To wrap up, I have put together a few takeaways and resources for you. These include documentation and troubleshooting KB articles for common troubleshooting tools.
47
Resources: Troubleshooting

NetScaler: aaad.debug (How to Troubleshoot Authentication with Aaad.debug); nsconmsg -d current -g pol_hits (How to Identify the Session Policy Applied to the User After Authentication); ns.log file; Wireshark (How to Record Network Packet Trace on NetScaler Appliance).
StoreFront Server: Event Viewer; StoreFront verbose logging (How to Enable StoreFront Verbose Logging).
XenApp/XenDesktop Server: CDF tracing (How to Capture a CDF Trace with PowerShell in XenApp 6).
Citrix Receiver: How to Enable Receiver Logging to Troubleshoot StoreFront Activation/Provisioning; Error: 'Cannot Add Account' on Windows RT Receiver.
48
Q&A

Thank you for your time. Now let us open up for any questions that you may have around the presentation content.