Professional Documents
Culture Documents
Web Interface for MetaFrame Presentation Server Citrix MetaFrame Presentation Server 4.0
Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. Note that copies of the End User License Agreement are included in the root directory of the MetaFrame Presentation Server CD-ROM and in the root directory of the Components CD-ROM. Copyright and Trademark Notice Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc. Copyright 2001-2005 Citrix Systems, Inc. All rights reserved. Citrix, ICA (Independent Computing Architecture), NFuse, Citrix Solutions Network, MetaFrame, MetaFrame XP, Program Neighborhood, and SpeedScreen are registered trademarks or trademarks of Citrix Systems, Inc. in the United States and other countries. RSA Encryption 1996-1997 RSA Security Inc., All Rights Reserved. Trademark Acknowledgements Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Microsoft, MS-DOS, Windows, Windows NT, Win32, Outlook, ActiveX, and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc. SafeWord is a trademark of Secure Computing Corporation, registered in the United States and other countries. UNIX is a registered trademark of The Open Group. Apache is either a registered trademark or trademark of the Apache Software Foundation in the United States and/or other countries. JavaServer Pages and Sun ONE Application Server are either registered trademarks or trademarks of Sun Microsystems Corporation in the United States and/or other countries. This product incorporates IBMs XML Parser for Java Edition, 1999, 2000 IBM Corporation. All other trademarks and registered trademarks are the property of their owners.
Go to Document Center
Contents
Contents
Chapter 1 Introduction
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 How to Use this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Finding More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Accessing Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Introducing the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 The Web Interface Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 MetaFrame Presentation Server Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Program Neighborhood Agent Services Sites . . . . . . . . . . . . . . . . . . . . . 12 MetaFrame Conferencing Manager Guest Attendee Sites . . . . . . . . . . . . 13 Management Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Application Access Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Client Deployment Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Whats New. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Access Suite Console Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Installation Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Features for Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Authentication and Security Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Improved Error Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Site Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Web Interface Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Server Farms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Client Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 How the Web Interface Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 2
Go to Document Center
Additional Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 General Configuration Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Web Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 On Windows Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 On UNIX Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 User Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Personal Digital Assistants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 MetaFrame Presentation Server Client Device Requirements . . . . . . . . . . . . . 29 Installing the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Installing the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Upgrading an Existing Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Performance Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Installing the Web Interface on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Installing the Web Interface on UNIX Platforms . . . . . . . . . . . . . . . . . . . . . . . 33 Using MetaFrame Conferencing Manager on UNIX . . . . . . . . . . . . . . . . 35 Installation Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Using Language Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Removing Language Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Deploying Languages to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Configure and Run Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Creating Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Creating Sites on UNIX Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Specifying Site Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Using Site Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Troubleshooting the Web Interface Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Using the Repair Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Uninstalling the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Uninstalling the Web Interface on Microsoft IIS. . . . . . . . . . . . . . . . . . . . . . . . 42 Uninstalling the Web Interface on UNIX Platforms . . . . . . . . . . . . . . . . . . . . . 42
Chapter 3
Go to Document Center
Contents
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Getting Started with the Access Suite Console . . . . . . . . . . . . . . . . . . . . . . . . . 47 Running Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Creating Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Performing Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Managing Server Farms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Configuring Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Configuring Settings for All Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Specifying Advanced Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Methods of Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Authentication Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Enabling Smart Card Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Enabling Pass-through Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Enabling Explicit or Prompt Authentication . . . . . . . . . . . . . . . . . . . . . . 60 Two-factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Enabling Secure Computing SafeWord on IIS . . . . . . . . . . . . . . . . . . . . . . . . . 62 SafeWord Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 SafeWord Agent for the Web Interface Requirements. . . . . . . . . . . . . . . 63 Enabling SafeWord Authentication Using the Console . . . . . . . . . . . . . . 63 Enabling RSA SecurID 6.0 Authentication on IIS. . . . . . . . . . . . . . . . . . . . . . . 63 SecurID Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Adding the Server Running the Web Interface as an Agent Host . . . . . . 63 Copying the sdconf.rec File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Enabling RSA SecurID Authentication Using the Console . . . . . . . . . . . 64 Node Secret Registry Key Considerations . . . . . . . . . . . . . . . . . . . . . . . . 64 RSA SecurID Multiple Domain Support . . . . . . . . . . . . . . . . . . . . . . . . . 65 Enabling RSA SecurID 6.0 Windows Password Integration . . . . . . . . . . 65 Enabling Two-factor Authentication on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . 65 Enabling RADIUS With SafeWord . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Enabling RADIUS With RSA SecurID . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Adding the Web Interface and RADIUS Servers as Agent Hosts . . . . . . 66 Creating a Shared Secret for RADIUS. . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Enabling RADIUS Two-factor Authentication Using the Console . . . . . 67 Using RADIUS Challenge Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Go to Document Center
Using Customized Challenge Messages. . . . . . . . . . . . . . . . . . . . . . . . . . 67 Changing Session Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Managing Application Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Managing Server Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Customizing the Appearance for Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Managing Secure Client Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Editing DMZ Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Editing Secure Gateway Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Editing Address Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Displaying Secure Client Access Settings . . . . . . . . . . . . . . . . . . . . . . . . 74 Managing Client Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Remote Desktop Connection Requirements. . . . . . . . . . . . . . . . . . . . . . . 76 Configuring Installation Captions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Compatibility with Asian Language Web Servers . . . . . . . . . . . . . . . . . . 79 Customizing the Client for Java Deployment . . . . . . . . . . . . . . . . . . . . . 79 Editing Client-side Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Managing Client Connection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Managing Client Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Using Application Refresh Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Configuring Workspace Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Feature Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Configuring Workspace Control with Integrated Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Enabling Workspace Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Controlling Diagnostic Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Load Balancing Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Using Local Site Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Managing Configuration Sources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Repairing and Unstalling Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Importing and Exporting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Configuring the Web Interface Using the Configuration File. . . . . . . . . . . . . . . . . 92 Program Neighborhood Agent Considerations . . . . . . . . . . . . . . . . . . . . . . . . 106 Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Configuring Communication with MetaFrame Presentation Server . . . 107 Configuring Citrix SSL Relay Communication . . . . . . . . . . . . . . . . . . . 108 Configuring Secure Gateway Support . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Disabling Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Go to Document Center
Contents
Making the Web Interface Available to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Making the Log In Page the Default on IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 4
Chapter 5
Go to Document Center
Enabling the Server Running the Web Interface on the MetaFrame Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Using the HTTPS Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Client Session/MetaFrame Presentation Server Communication . . . . . . . . . . . . . 128 Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Recommendations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Use SSL/TLS or ICA Encryption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Use Secure Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 General Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Chapter 6
Go to Document Center
CHAPTER 1
Introduction
Overview
Welcome to the Web Interface for MetaFrame Presentation Server. This chapter introduces you to the documentation and to the Web Interface. Topics include: How to Use this Guide Introducing the Web Interface Whats New
10
Go to Document Center
Go to Document Center
Chapter 1 Introduction
11
Accessing Documentation
This administrators guide is part of the MetaFrame Presentation Server documentation set. The documentation set includes online guides that correspond to different features of MetaFrame Presentation Server. Online documentation is provided as Adobe Portable Document Format (PDF) files. Use the Document Center to access the complete set of online guides. The Document Center provides a single point of access to the documentation that enables you to go straight to the section of documentation that you need. The Document Center includes: A list of common tasks and a link to each item of documentation. A search function that covers all the PDF guides. This is useful when you need to consult a number of different guides. Cross-references between documents. You can move between documents as often as you need using the links to other guides and the links to the Document Center.
Important To view, search, and print the PDF documentation, you need to have the Adobe Acrobat Reader 5.0.5 with Search or a later version with Search. You can download Adobe Acrobat Reader for free from Adobe Systems Web site at http://www.adobe.com/. If you prefer to access the guides without using the Document Center, you can navigate to the component PDF files using Windows Explorer. If you prefer to use printed documentation, you can also print each guide from Acrobat Reader. More information about Citrix documentation, and details about how to obtain further information and support, is included in Getting Started with MetaFrame Presentation Server.
12
Go to Document Center
The Web Interface employs Java and .NET technology executed on a Web server to dynamically create an HTML depiction of server farms for MetaFrame Presentation Server sites. Users are presented with all the applications published in the server farm(s) you have made available. You can create standalone Web sites for application access or Web sites that can be integrated into your corporate portal. Additionally, the Web Interface allows you to configure settings for users accessing applications through the Program Neighborhood Agent and create sites for guest users logging in to MetaFrame Conferencing Manager. The Web Interface can be configured using the Access Suite Console on Windows platforms. For more information about using this tool, see Configuring Sites Using the Console on page 46. You can also edit the configuration file (WebInterface.conf) to create and manage MetaFrame Presentation Server sites. For more information, see Configuring the Web Interface Using the Configuration File on page 92. In addition, you can customize and extend MetaFrame Presentation Server sites. The Customizing the Web Interface guide explains how to configure sites using these methods.
Go to Document Center
Chapter 1 Introduction
13
For more information about MetaFrame Conferencing Manager, see the MetaFrame Conferencing Manager Administrators Guide.
Management Features
Multiple server farm support. You can configure multiple server farms and provide users with a display of the applications available to them from all farms. You can configure each server farm individually using the Manage server farms task. For more information, see Configuring Communication with MetaFrame Presentation Server on page 107. Complete administrative control over application deployment. Web server-side scripting lets you configure all MetaFrame Presentation Server client options in server-side scripts and ICA files. Integration with popular Web technologies. The Web Interfaces API can be accessed from Microsofts ASP.NET and Sun Microsystems JavaServer Pages. Novell Directory Services (NDS) support. The Web Interface Log In page for NDS contains a context field, allowing users to search for their user name in the tree to determine which context they are in. Active Directory and user principal name (UPN) support. All Web Interface components are compatible with Microsoft Active Directory. Users visiting MetaFrame Presentation Server sites can log on to server farms that are part of an Active Directory deployment and seamlessly access published applications. The logon pages are compatible with Active Directorys use of User Principal Names.
14
Go to Document Center
Backup servers. You can configure backup servers to ensure that users still have access to their applications in the event of a server failure. Anonymous users. This feature allows users to log on to MetaFrame Presentation Server sites using an anonymous account. Launching of published content. The Web Interface supports the content publishing features of MetaFrame Presentation Server.
Security Features
Secure Sockets Layer (SSL)/TLS support. The Web Interface supports SSL to secure communication between the server running the Web Interface and server farms. Implementing SSL on your Web server together with Web browsers that support SSL ensures the security of data as it travels through your network. The Web Interface uses Microsoft's Schannel security protocol on Windows platforms for MetaFrame Presentation Server sites. This protocol uses FIPS 140 validated cryptography, a standard required by some organizations. For more information about FIPS 140 validation, see the National Institute of Standards and Technology (NIST) Web site (http://csrc.nist.gov/cryptval/). Secure Gateway for MetaFrame Presentation Server support. The Secure Gateway, together with the Web Interface, provides a single, secure, encrypted point of access through the Internet to servers on your internal corporate networks. The Secure Gateway simplifies certificate management, because a server certificate is required only on the Secure Gateway server, rather than on every server in the server farm. Ticketing. This feature provides enhanced authentication security. The Web Interface obtains tickets that authenticate users to published applications. Tickets have a configurable expiration period and are valid for a single logon. After use, or after expiration, a ticket is invalid and cannot be used to access applications. Use of ticketing eliminates the explicit inclusion of credentials in the ICA files the Web Interface uses to launch applications.
Go to Document Center
Chapter 1 Introduction
15
Program Neighborhood Agent support. The Program Neighborhood Agent allows users to access MetaFrame Presentation Server applications directly from the Windows desktop without using a Web browser. You can remotely configure the placement of links to remote applications from the Start menu, on the Windows desktop, or in the Windows notification area. The Program Neighborhood Agent user interface can also be locked down to prevent user misconfiguration.
Whats New
The Web Interface offers the following new enhancements and features:
Installation Features
Multiple Web Site Support Previously, the Web Interface provided installation of a single Web Interface site and a single Program Neighborhood Agent Services site on each Windows server. Now, you can install multiple sites using the Access Suite Console, without having to create extra sites manually. Installer Command Line Options For automated installation, maintenance, and local site tasks, Windows and UNIX installation can be performed from the command line.
16
Go to Document Center
Go to Document Center
Chapter 1 Introduction
17
Windows Key Combinations The Web Interface and Program Neighborhood Agent now support the pass-through of a set of Windows key combinations to remote desktops running in ICA sessions. USB Synchronization for PocketPC MetaFrame Presentation Server supports PDA synchronization using tethered USB connections. This feature can be enabled and disabled by Web Interface and Program Neighborhood Agent administrators. Automatically Launch the Client for Java If the local or native embedded client is not available on the client device, you can automatically deploy the Client for Java on Client for Win32 platforms.
18
Go to Document Center
Local Site Tasks Local site tasks are used to manage configuration sources, specify how sites are hosted by IIS, and to repair and uninstall sites. You can specify if the site is using centralized configuration or a local configuration file, and specify servers from which to obtain the configuration files. Group Sites for Load Balancing You can group sites using centralized configuration so that they share one configuration, and can be used with third-party load balancers to load balance sites.
Server Farms
A server farm is a group of servers managed as a single entity. A server farm is composed of a number of servers operating together to serve applications to MetaFrame Presentation Server client users. Important among a server farms standard capabilities is application publishing. This is an administrative task that lets administrators make available to users specific applications hosted by the server farm. When an administrator publishes an application for a group of users, that application becomes available as an object to which clients can connect and initiate client sessions. The Program Neighborhood Client interface automates the client-side configuration process by eliminating the need for administrators or client users to browse the network for published applications. Using Program Neighborhood, users can log on to the server farm and receive a customized list of applications published for their individual user name. This list of applications is called an application set. The server running the Web Interface functions as a Program Neighborhood interface for connecting to one or more server farms. The server running the Web Interface queries server farms for application set information and then formats the results into HTML pages that users can view in a Web browser.
Go to Document Center
Chapter 1 Introduction
19
To communicate with server farms, the server running the Web Interface communicates with the Citrix XML Service running on one or more servers. The Citrix XML Service is a MetaFrame component that provides published application information to clients and servers running the Web Interface using TCP/IP and HTTP. This service functions as the contact point between the server farm and the server running the Web Interface. The Citrix XML Service is installed with MetaFrame Presentation Server for Windows, and MetaFrame Presentation Server for UNIX Operating Systems.
Web Server
The Web server hosts the Web Interface classes and Web server-side scripts. The Web Interfaces classes provide the following services: Authenticate users to a server farm or farms Retrieve application information, including a list of applications a user can access
The Web Interfaces classes are added to your Web server during installation. This installation program also adds Web pages and configuration files.
Client Device
In the context of the Web Interface, a client device is any computing appliance capable of executing a MetaFrame Presentation Server client and a Web browser. Client devices include desktop PCs and network computers, among others. In a client device, the browser and client work together as a viewer and engine. The browser lets users view application sets (created by server-side scripting on the server running the Web Interface) while the client acts as the engine that launches published applications. The Web Interface provides Web-based Client installation. Web-based Client installation is a method of deploying clients from a Web site. When a user visits a site created with the Web Interface, the Web-based Client installation code detects the device and the Web browser prompts the user to install an appropriate client. In the case of Windows devices, Web-based Client installation can also detect the presence or absence of an installed client and prompt the user only if necessary. See Automatically Deploying Clients on page 76 for more information. The Web Interface supports many browser/client combinations. For a complete list of supported browser/client combinations, see MetaFrame Presentation Server Client Device Requirements on page 29.
20
Go to Document Center
This diagram shows an example of a typical Web Interface interaction. The browser on the client device sends information to the Web server, which communicates with the server farm to allow users to access their applications.
1. Client device users utilize a Web browser to view the Log in page and enter their user credentials. 2. The Web server reads users information and uses the Web Interfaces classes to forward the information to the Citrix XML Service on servers in the server farms. The designated server acts as a broker between the Web server and servers. 3. The Citrix XML Service on the designated server then retrieves a list of applications from the servers that users can access. These applications comprise the users application set. The Citrix XML Service retrieves the application set from the Independent Management Architecture (IMA) system and Program Neighborhood Service, respectively. In a MetaFrame Presentation Server for UNIX farm, the Citrix XML Service on the designated server uses information gathered from the ICA browser and the local Web Interface configuration file to determine which applications the user can access. The Citrix XML Service then returns the users application set information to the Web Interfaces classes running on the server. 4. The user initiates the next step by clicking one of the hyperlinks in the HTML page. 5. The Citrix XML Service is contacted to locate the server in the farm that is the least busy. The XML Service requests a ticket from the least busy server corresponding to the users credentials. The XML Service returns the least-busy servers address and ticket to Web Interface
Go to Document Center
Chapter 1 Introduction
21
6. The classes finish parsing the template file and send a customized file to the Web browser. 7. The Web browser receives the file and passes it to the client device. 8. The client receives the file and initiates a client session with a server according to the files connection information.
What to Do Next
For information about system requirements, instructions for installing the Web Interface, and configuring the server running the Web Interface, see Deploying the Web Interface on page 23.
22
Go to Document Center
Go to Document Center
CHAPTER 2
Overview
This chapter explains how to install the Web Interface on your server and configure the server to run the Web Interface. Topics include: System Requirements Installing the Web Interface What to Do Next Installing the Web Interface on UNIX Platforms Troubleshooting the Web Interface Installation Uninstalling the Web Interface
24
Go to Document Center
System Requirements
The following section describes server, Web server, and client device requirements for the Web Interface.
Server Requirements
To run the Web Interface, your servers must meet the following requirements.
The Web Interface operates with these MetaFrame Presentation Server versions on all of their supported platforms. For a list of supported platforms, see the appropriate MetaFrame Presentation Server documentation. Citrix recommends that you have the latest version of the service pack installed on your system.
Go to Document Center
25
NDS authentication
6.20 or later
DNS addressing
6.20 or later
6.30 or later
6.20 or later
26
Go to Document Center
MetaFrame Presentation Server Requirements MetaFrame Presentation Server 3.0 or later MetaFrame 1.8 Feature Release 1 MetaFrame XP 1.0 MetaFrame for UNIX 1.1 N/A MetaFrame Presentation Server 3.0 or later MetaFrame 1.8 Feature Release 1 MetaFrame XP 1.0 MetaFrame for UNIX 1.1 MetaFrame Presentation Server 3.0 or later MetaFrame XP Feature Release 2 N/A MetaFrame Presentation Server 3.0 or later MetaFrame XP Feature Release 2 N/A MetaFrame Presentation Server 3.0 or later MetaFrame 1.8 Feature Release 1 MetaFrame XP 1.0 MetaFrame for UNIX 1.1 Feature Release 1
6.0 or later for SOCKS 6.30 or later for Secure Proxy N/A
N/A
Provided by the Web Interface Full Program Neighborhood Client for Win32/Program Neighborhood Agent 6.20 or later Provided by the Web Interface 6.20.986 or later
Go to Document Center
27
On Windows Platforms
You can use the Web Interface on the following Windows platforms and servers: Internet Information Services 6.0 on Windows Server 2003 Internet Information Services 5.0 on Windows 2000 with Service Pack 4 .NET Framework 1.1 with Service Pack 1 (Windows 2000 systems only) Visual J# .NET 1.1 ASP.NET
The following software must be installed prior to installing the Web Interface:
On Windows 2000 systems, ASP.NET is installed with the .NET Framework if IIS has previously been installed. If IIS is not installed, you must install IIS and reinstall the Framework, or install IIS and run the aspnet_regiis -i command in the WINNT\Microsoft.NET\Framework\v1.1.4322 directory.
28
Go to Document Center
Note If you receive an internal error message when using the Web Interface on Windows 2000 systems, there may have been a problem with the configuration of the .NET accounts. In this case, uninstall the Web Interface, Visual J# .NET, and all versions of the .NET Framework from the server and reinstall the software again. On Windows Server 2003 systems, ASP.NET is installed if you enabled IIS during the installation of Windows Server 2003. Otherwise, you must install IIS and select ASP.NET (which is a sub-component of IIS). The .NET Framework and J# redistributable files are included on the MetaFrame Presentation Server CD-ROM in the Support folder. If your server has a statically configured IP address, you must define the Primary DNS suffix or a fully qualified DNS domain name for the server. This can be done on Windows 2000 in My Network places/Local Area Connection Properties/ Internet Protocol properties. CAUTION Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. To verify correct configuration, check to see if a valid DNS suffix is present in the following registry key value data: Key: HKLM\System\currentControlset\services\tcpip\parameters Value: Domain
On UNIX Platforms
You can use the Web Interface with the following UNIX configurations:
Operating System Red Hat Enterprise Edition Red Hat Enterprise Edition Solaris 9 Solaris 9 Server Apache 2.x WebSphere Application Server 5.1 Sun ONE 8 WebLogic Server 8.x JDK Sun 1.4.x WebSphere Sun 1.4.x WebLogic Servlet Engine Tomcat 5.x WebSphere Sun ONE WebLogic
Go to Document Center
29
User Requirements
The following browser and operating system combinations are supported for users to log on to the Web Interface:
Browser Internet Explorer 6.0 or later Internet Explorer 6.0 or later Safari 1.0 or later Mozilla 1.0 or later Pocket IE 2003 Operating System Windows XP, Windows 2000 with Service Pack 4 Windows 2000 with Service Pack 4 Mac OS X Red Hat Enterprise Edition Pocket PC 2003
30
Go to Document Center
Installation Overview
You install the Web Interface using the MetaFrame Presentation Server CD-ROM. Before installing the Web Interface, you must install the Access Suite Console, and for Windows platforms, Microsoft Internet Information Services (IIS), and ASP.NET. If you install the Web Interface on Windows platforms running in Japanese, simplified Chinese, traditional Chinese, or Korean, do not log on to Windows with a user name containing multibyte characters. For information about installing the Access Suite Console, see the MetaFrame Presentation Server Administrators Guide.
For more information about how to install the Web Interface, see Performance Considerations on page 31 and Installing the Web Interface on UNIX Platforms on page 33.
Go to Document Center
31
Security Considerations
Citrix recommends that, as with any Windows-based server, you follow Microsoft standard guidelines for configuring your Windows server.
Note If necessary, you can change the port used on the server. For more information, see the appropriate MetaFrame Presentation Server Administrators Guide.
Performance Considerations
If you are deploying the Web Interface to a high number of users, it may be necessary to adjust system and server parameters to increase user scalability.
32
Go to Document Center
CAUTION Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. On Windows systems, for example, you can increase the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parame ters\MaxUserPort This key determines the highest port number TCP can assign when an application requests and available user port from the system. You can increase the default value of 5000 if you have large numbers of concurrent users. Additionally, you can increase the value of maxWorkerThreads and maxIoThreads on the .NET Framework. On Apache or Tomcat, you can adjust the parameters available in httpd.conf (Apache) or server.xml (Tomcat). Citrix recommends that you ensure that the Java heap size on Tomcat is sufficient to support high numbers of users if necessary. The heap size can be increased by passing the Xmx<size> parameter to Java at start up. To do this, set or amend the JAVA_OPTS variable in the catalina.sh script on Tomcat.
Go to Document Center
33
2. If you are installing the Web Interface from the MetaFrame Presentation Server CD-ROM, insert the CD-ROM in your Web servers CD drive. If you downloaded the Web Interface from a download site, copy the file WebInterface.exe to your Web server. Double-click the file. 3. Select your language from the list. The language of your operating system is detected and is displayed as the default selection. Click Next. 4. In the Welcome page, click Next. 5. In the License Agreement page, select I accept the license agreement and click Next. 6. In the Common Components page, browse to a location for the common Web Interface components (the default is C:\Program Files\Citrix\Web Interface). Click Next. 7. In the Clients page, select Install the clients from the Components CD-ROM. Click Browse to search the Components CD-ROM or CD image for the client setup files. Setup copies the contents of the CDs ICAWEB directory to the directory C:\Program Files\Citrix\Web Interface\4.0\ICAWEB that it creates off the Web servers document root. All Web sites created by the installation process assume that the Web server contains the client files in this directory structure. If you do not want to copy the clients to the Web server during Web Interface installation, select Dont install the clients from the Components CD-ROM and you can copy the clients to the server later. 8. Click Next to continue the installation. 9. When the installation is complete, click Finish. 10. Open the Access Suite Console to begin creating and configuring your sites. After installing the Web Interface, you can begin to manage your sites by configuring and running discovery. For more information, see Configure and Run Discovery on page 38.
34
Go to Document Center
Note If you are installing the Web Interface on WebSphere, an Application Security Warnings message is displayed, indicating a problem with the contents of the was.policy file. This is a policy file created by WebSphere if you select Enforce Java 2 Security under Security>Global Security. Ensure that you edit the was.policy in accordance with the WebSphere Java 2 Security policy, otherwise, the Web Interface may not function properly. This policy file is located in WEBSPHERE_HOME/AppServer/installedApps/<node-name>/ <war-file-name>.ear/META-INF. The Web Interface requires a servlet engine to work on UNIX platforms. The Apache Web server requires an additional servlet engine to support the Web Interface such as Tomcat (note that Tomcat can be used as a standalone Web server or as a servlet engine). To install the Web Interface on Red Hat (Enterprise or Fedora) ensure that the sharutils package is also installed. This is required for the uudecode utility. To install the Web Interface on Tomcat 1. Copy the WebInterface.sh.gz file from the Components CD-ROM Web Interface directory to a temporary location. 2. In a UNIX shell, navigate to the directory where the installation file was downloaded. Unzip the file by typing gunzip WebInterface.sh.gz 3. Run the installer by typing sh WebInterface.sh 4. Press Enter to read the EULA. 5. Type Yes to accept the license agreement. 6. Select a site type from the list provided. 7. Specify if you want to use a local configuration (for example, WebInterface.conf) or use the centralized configuration (the Configuration Service). If you select local file, enter the name of the server containing application information. The XML service must be installed and running on this server. Select an XML service protocol from the list provided. Specify the port on which the XML service is listening. If you select Configuration Service, enter the server (name or IP address) on which the Configuration Service is running. Enter the XML port number for the Configuration Service. You can enter multiple Configuration Services and port combinations.
Go to Document Center
35
8. If you are creating a MetaFrame Conferencing Manager Guest Attendee site, enter the External Conference Server (ECS) location and the port number. Specify if the server is secured with SSL by selecting Yes or No. 9. If you are creating a MetaFrame Presentation Server or MetaFrame Conferencing Manager site, the installer offers to copy the client files from the CD-ROM in to the .war file. 10. Enter the path and name of the .war file to create. 11. A summary is displayed. Select Yes if the information displayed is correct. 12. The .war file is created and the clients are copied from the CD-ROM, if required. 13. Follow the instructions onscreen to complete the installation of the .war file.
36
Go to Document Center
After installation, language packs can be added into the Common Files directory on Windows by copying the tree or unpacking the .zip file in that location. To customize a language for a specific site, you can copy the language pack into the sites location and modify it. The site will then use the modified language pack and other sites will continue to use the default. On UNIX, extra language packs can be installed by moving them into the appropriate directory within the site, and by extracting them if they are supplied in formats such as .zip. The installer defaults to the language of the operating system on which it is running, regardless of the language of the CD-ROM used for installation. For example, if you are installing on a French operating system using a German installation CDROM, the installer appears in French. The language default can be changed during installation, and this language will be used as the default language for sites you create. The English language pack is used as the default language and must always be present on your server.
Go to Document Center
37
38
Go to Document Center
What to Do Next
After you install the Web Interface, you need to make the Web Interface available to your users. To do this, you create and configure sites using the Access Suite Console or edit the WebInterface.conf configuration file directly. Additionally, you may need to configure the Web Interface depending upon what other components are in your MetaFrame installation, or you may want to customize or extend the Web Interfaces capabilities. For information about how to configure the Web Interface for the Secure Gateway using the Access Suite Console, see Configuring Secure Gateway Support on page 108. For information about how to configure the Web Interface using the Console or WebInterface.conf file, see Configuring Sites Using the Console on page 46 or Configuring the Web Interface Using the Configuration File on page 92. For information about security considerations, see Configuring Web Interface Security on page 117. To extend and customize Web Interface functionality, see the Customizing the Web Interface guide.
Go to Document Center
39
5. A summary containing the configuration information appears. If this is correct, click Next. Otherwise, click Back to change this information or add another server. 6. From the Discovery Progress page, the number of items discovered appears. Click Finish to close this page and begin using the Access Suite Console. After running discovery to connect to a server farm, you can use the Access Suite Console to create sites.
Creating Sites
To create new sites, click on Web Interface in the console tree, and click the Create site task. You can add one of the following sites: MetaFrame Presentation ServerFor users accessing published applications using the Web Interface. Program Neighborhood Agent ServicesFor users accessing published applications using the Program Neighborhood Agent. Conferencing Manager Guest AttendeeFor users logging in to Guest Attendee conferences.
You use this task to specify the IIS site, the URL to apply changes, and the configuration source for the site. These options can later be updated using the Local site tasks. If you want to create local sites, you must be a local administrator on the system running the Access Suite Console. Note If you use centralized configuration, you cannot specify servers from multiple farms. Site configuration can only be obtained from servers on the same farm. When sites are created or edited, a bootstrap configuration file is updated to include the configuration source, default language, and installer-generated site identifier (used by the configuration service). The site identifier is in the form <host name>:<IIS site number>:<site path>:<numeric ID> where: <host name> is the host name of the server <IIS site number> is the number of the IIS site <site path> is the path (in the IIS metabase, under the site) of the site <numeric ID> is a random 128-bit ID
40
Go to Document Center
For UNIX Web servers, <host name> and <site path> are dynamically generated, thus the SiteIDRoot field only contains the <numeric ID>. The <site path> is the recommended identification of the site obtained from the servlet engine running it, and may vary depending on the servlet engine.
Go to Document Center
41
On Windows, if centralized configuration is selected when installing a site, the site is automatically registered with the configuration service after installation. On UNIX, the site is registered on first page load after it has been deployed into a servlet engine.
42
Go to Document Center
Note If the Repair option does not fix the problem, or this option is unavailable (for example, on UNIX platforms), try uninstalling and then reinstalling the Web Interface. For information, see Uninstalling the Web Interface on page 42. You must reapply any changes you made in the WebInterface.conf file after reinstalling the Web Interface.
Go to Document Center
CHAPTER 3
Overview
This chapter explains how to configure and customize the Web Interface using the Access Suite Console and the Web Interface configuration file. Topics include: Deciding Which Configuration Method to Use Configuring Sites Using the Console Configuring the Web Interface Using the Configuration File Making the Web Interface Available to Users
44
Go to Document Center
For information about how to configure the Web Interface using the console, see Configuring Sites Using the Console on page 46 and the Access Suite Console online help. The Web Interface configuration file. The WebInterface.conf file allows you to change many of the Web Interfaces properties; it is available on both Windows and UNIX platforms. You can use this file to perform day-to-day administration tasks and customize many more settings. You edit the values in the WebInterface.conf file and then stop and restart your Web server to apply the changes. For information about configuring the Web Interface using the WebInterface.conf file, see Configuring the Web Interface Using the Configuration File on page 92. The Program Neighborhood Agent configuration file. You can configure the Program Neighborhood Agent using the Config.xml file located on the server running the Web Interface. The Config.xml file contains a number of parameters divided into the following categories: FolderDisplaySpecifies where to display application icons: in the Start menu, on the Windows desktop, or in the notification area. There are also additional parameters to specify a particular folder in the Start menu and the icon to use on the Windows desktop. This corresponds to the options on the Application Display tab of the PN Agent Properties dialog box. DesktopIntegrationDo not edit.
Go to Document Center
45
Configuration FileAllows you to specify a different URL for Config.xml for the client to use in the future. This facilitates moving users to a different server running the Web Interface. RequestSpecifies where the client should request published application data from, and how often to refresh the information. LogonSpecifies the logon method to use. UserInterfaceSpecifies whether to hide or display certain groups of options presented to the user as part of the Program Neighborhood Agent interface. FileCleanupDo not edit. ICA_OptionsSpecifies the audio and video options for client connections. This corresponds to the options on the ICA Options tab of the Program Neighborhood Agent Properties dialog box.
Web server scripts and Java servlets. You can use the Web Interfaces application programming interface (API) to extensively customize your Web Interface site. You can use ASP.NET or JavaServer Pages to write Web server scripts for MetaFrame Presentation Server sites. For more information, see the Customizing the Web Interface guide.
46
Go to Document Center
When using the Console, some Web Interface settings may be disabled if their value is not relevant to the current configuration and the corresponding WebInterface.conf settings are reset to their default values. Citrix recommends that you create regular backups of the WebInterface.conf file.
Getting Help
You can display online help for the Web Interface by pressing F1 or by rightclicking on any node in the context tree and selecting Help.
Go to Document Center
47
Running Discovery
Before you can start using the Console to manage the items in your deployment, you must run discovery, which establishes connections to your server farms. The first time you open the Console, you are automatically prompted to start the discovery process: you are guided through selecting the components you want, configuring the discovery process, and finding the items to manage. Using the Configure and run discovery wizard, you specify in which components you want discovery to search for new items, indicate whether or not to retrieve remote configuration for sites installed on your computer, edit configuration servers, and specify farms running MetaFrame Presentation Server. Subsequently, you run the discovery process if you want to discover a component or if items were added to or removed from your deployment. Click Run discovery in the task pane.
48
Go to Document Center
When discovery is complete, existing sites are displayed under the Web Interface in the console tree and you are ready to create new sites and administer existing sites. For example:
This diagram shows an example of the Access Suite Console containing existing sites.
Creating Sites
Using the Create site task, you can create the following site types: MetaFrame Presentation Serverfor users to access applications through a Web browser (the Web Interface) Program Neighborhood Agent Servicesfor users to access applications using Program Neighborhood Agent Conferencing Manager Guest Attendeefor guest users to log in to Conferencing Manager conferences
The Create Site wizard guides you through the process of creating one of these sites, allows you to specify the IIS location in which the site is hosted, specify if the site is the default within the IIS site. and the URL to apply changes, add a location in which the site obtains its configuration, and add server farms. The new site is displayed in the console tree after this task is complete.
Go to Document Center
49
To administer the site, click on it in the console tree. Site tasks, information, and alerts are displayed in the task pane and details pane. If the configuration server is not available and cannot be contacted, site tasks are not displayed in the Console.
Performing Tasks
Tasks that are available for each site type are displayed in the task pane. Tasks are either performed using wizards or by setting options in dialog boxes. To execute a task, either click on a task name in the task pane, or right-click on the site you want to configure and select a task from the menu displayed. Some tasks are only available for certain site types. This information is specified at the beginning of each of the following sections.
50
Go to Document Center
Citrix recommends that you disable user password changing in these situations. If necessary, it is possible to enable password changing in a mixed server farm deployment. The Web Interface contacts server farms in the order in which they are defined until a server farm reports that the password is successfully changed, at which point the process stops. This allows you to specify the server farm to which the change password request will be issued. However, use suitable password replication mechanisms between server farms to ensure that user passwords remain consistent. If the password change request fails, the next server farm in sequence is issued the change password request.
Go to Document Center
51
52
Go to Document Center
4. Select the Use the server list for load balancing option. 5. To change the length of time a failed server is bypassed in the Bypass any failed server for field.
Go to Document Center
53
5. If you are using SSL Relay, specify the TCP port of the Citrix SSL Relay in the SSL server port field (the default port is 443). The Web Interface uses root certificates when authenticating a Citrix SSL Relay server. Ensure all the servers running Citrix SSL Relay are configured to listen on the same port number. Note If you are using SSL Relay or HTTPS, ensure the server names you specify match the names on the certificate for the server running MetaFrame. 6. To enable ticketing, select the Enable ICA authentication tickets option. 7. To change the expiration time of tickets, enter a value in the MetaFrame ticket time to live fields. 8. Click OK to confirm your changes.
54
Go to Document Center
Configuring Authentication
Note The following section is applicable to MetaFrame Presentation Server and Program Neighborhood Agent Services sites. You can use the Configure authentication methods task to configure the ways in which users can authenticate to MetaFrame Presentation Server and the Program Neighborhood Agent.
Methods of Authentication
Authentication takes place when a user accesses applications. If authentication is successful, the users application set is displayed. You can configure the following authentication methods: Explicit (MetaFrame Presentation Server sites) or Prompt (Program Neighborhood Agent Services sites)Users are required to log on by supplying a user name and password on IIS. User Principal Names (UPN), Microsoft domain-based authentication, and Novell Directory Service (NDS) are available. For MetaFrame Presentation Server sites, RSA SecurID, and SafeWord authentication are also available. Pass-throughUsers can authenticate using the credentials they provided when they logged on to their Windows desktop on IIS. Users do not need to reenter their credentials and their application set is displayed automatically. Additionally, you can use Kerberos authentication to connect to servers. If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication will also fail and users will not be able to log in. For more information about Kerberos, see the MetaFrame Presentation Server Administrators Guide. Pass-through with smart cardUsers can authenticate by inserting a smart card into a smart card reader attached to the client device on IIS. Pass-through authentication is enabled; thus, the user is not prompted for a PIN. If you are configuring a Program Neighborhood Agent Services site, you can use Kerberos authentication to connect to servers. If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication will also fail and users will not be able to log in. For more information about Kerberos, see the MetaFrame Personation Server Administrators Guide. Smart cardUsers can authenticate using a smart card on IIS. The user is prompted for a PIN.
Go to Document Center
55
AnonymousAnonymous users can log in without supplying a user name and password, and launch applications published for anonymous users on the server. Note Citrix recommends that you do not enable anonymous user access if you are using MetaFrame 1.8 with Feature Release 1. When anonymous user access is enabled with this version of MetaFrame, users can view explicitly published applications.
CAUTION Web Interface anonymous users can obtain Secure Gateway tickets, despite not being authenticated by the Web Interface. Because the Secure Gateway relies on the Web Interface issuing tickets only to authenticated users, this compromises one of the security benefits of using the Secure Gateway in your installation.
Authentication Recommendations
Ensure users log on to their workstations and the Web Interface consistently, either explicitly (with a user name and password) or using smart cards, not a mixture of both methods. For example, if a user logs on to the Windows desktop using a smart card, and then logs on to the Web Interface explicitly, the credentials supplied by the client may be incorrect. In this case, the client may supply the PIN rather than the user name and password. If you change the methods for authenticating to the Web Interface, error messages may be displayed to existing users. Users must close and restart any browsers used to access the Web Interface.
56
Go to Document Center
Note Enabling pass-through authentication poses a security risk. See the Caution in Pass-through Requirements on page 59 for more information.
Go to Document Center
57
58
Go to Document Center
3. Ensure that the Windows Directory Service Mapper is enabled. For more information, see Step 3Enabling the Windows Directory Service Mapper on page 57. 4. Use the Configure authentication methods task in the Access Suite Console to enable smart card authentication. When Gary selects Smart Card on the Log In page, he enters his PIN to log on (assuming he logged on to his Windows desktop using his smart card). Note If you do not want Gary to have to reenter his PIN when he logs in to the Web Interface, select Pass-through with smart card.
Go to Document Center
59
The following section provides information about pass-through authentication requirements and explains the steps you must perform to enable pass-through support.
Pass-through Requirements
To use the pass-through authentication feature, your servers must be running MetaFrame Presentation Server with Feature Release 2 or later, the Web Interface must be running on IIS on Windows 2000 with Service Pack 4 or Windows Server 2003, and users must be running Internet Explorer Version 5.5 or later. CAUTION If the servers are running versions prior to MetaFrame Presentation Server with Feature Release 2, users may be able to view all applications when using pass-through. If users are using clients earlier than Version 6.30 and ICA encryption (SecureICA) is enabled, pass-through will not work. To use pass-through with ICA encryption, you must have the latest clients and the server must be running MetaFrame Presentation Server with Feature Release 2 or later. CAUTION When a user selects an application, a file is sent to the browser. The file can contain a setting that instructs the client to send the users workstation credentials to the server. By default, the client does not honor this setting; however, there is a risk that if the pass-through feature is enabled on the MetaFrame Presentation Server Client for Win32, an attacker could send the user a file that causes the users credentials to be misrouted to an unauthorized or counterfeit server. Therefore, use pass-through authentication only in secure, trusted environments.
60
Go to Document Center
Note If you do not enable pass-through during installation of the Client for Win32, you can enable it after installation. For more information about enabling this, see the Client for 32-bit Windows Administrator's Guide.
Go to Document Center
61
3. If you are configuring a MetaFrame Presentation Server site, you can select either RSA SecurID or SafeWord from the Enforce 2-factor authentication list. For more information about configuring SafeWord authentication, see Two-factor Authentication on page 62. For more information about configuring RSA SecurID authentication, see Enabling RSA SecurID 6.0 Authentication on IIS on page 63. 4. If you are configuring a MetaFrame Presentation Server site, you can specify that users can change their logon passwords within a Web Interface session using the Allow user to change password options: Select Never if you do not want to allow users to change their passwords. To let users change their logon password only when the password expires, select Only when it expires. When you enable this option, if a user fails to log on to the Web Interface due to an expired password, the user is redirected to the change password dialog box. After changing their password, users are automatically logged on to the Web Interface using the new password. To let users change their password as often as they want in the Web Interface, select At any time. When you enable this option, the change password icon appears on users pages. When users click this icon, a dialog is displayed in which users can enter a new password.
If you are configuring a Program Neighborhood Agent Services site, you can specify if users can save their passwords using the Allow user to save password option. 5. Select the type of authentication that explicit users must use: Select Windows or NIS (UNIX) to specify Microsoft domain-based authentication. You can specify whether you allow any domains to be entered in the users Domain field, or specify which domains are permitted. Additionally, you can specify which User Principal Names (UPN) suffixes are accepted. By default, all UPN suffixes are permitted.
Note If users receive a wrong credentials error message during log in, this may be due to an empty domain field. To resolve this issue, select Hide Domain field during log in, or if you are using a mixed farm environment, add UNIX as the domain name and ensure it is the first item in the Domains list. Select Use NDS authentication to specify Novell Directory Service (NDS) authentication and enter a name in the Default tree name field. You can then configure context restriction or contextless authentication.
62
Go to Document Center
Two-factor Authentication
You can configure the following two-factor authentication methods for MetaFrame Presentation Server sites: Secure Computing SafeWord for CitrixA two-factor authentication technology, using alpha-numeric codes generated by SafeWord tokens and (optionally) PIN numbers to create a passcode. Users enter their domain credentials and SafeWord passcodes in the Log In page before they can access applications on the server. RSA SecurIDA two-factor authentication method that uses numbers generated by RSA SecurID tokens (tokencodes) and PIN numbers to create a PASSCODE. Users enter their user names, domains, and RSA SecurID PASSCODES on the Log In page before they can access applications on the server. When creating users on the ACE/Server, user logon names must be the same as their domain user names.
Note When using RSA SecurID authentication, the system can generate and display a new PIN to the user. This PIN is displayed for 10 seconds or until the user clicks OK or Cancel, to ensure that the PIN cannot be viewed by others. This feature is not available on PDAs. For security reasons, users cannot log in using the Program Neighborhood Agent if the Web Interface is using RSA SecurID or Secure Computing SafeWord authentication.
SafeWord Requirements
To use SafeWord authentication with the Web Interface for IIS: The SafeWord Agent for the Web Interface must be installed on the server running the Web Interface The Web Interface must be installed prior to installing the SafeWord Agent for the Web Interface
Go to Document Center
63
SecurID Requirements
To use SecurID authentication with the Web Interface for IIS: The RSA ACE/Agent for Windows 6.0 must be installed on the server running the Web Interface The Web Interface must be installed after the installation of the ACE/Agent
64
Go to Document Center
If the node secret on the server running the Web Interface and the RSA ACE/Server does not match, RSA SecurID fails.You must reset the node secret on the server running the Web Interface and the RSA ACE/Server. Important Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. To reset the node secret on the server running the Web Interface 1. In the system registry, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT 2. Delete the NodeSecret key. Note Reinstalling the Web Interface will not delete the node secret key. If the Agent Host entry remains unchanged on the RSA server, the node secret can be reused.
Go to Document Center
65
66
Go to Document Center
Go to Document Center
67
If the user does not submit a response (for example, if they click Cancel), they are directed back to the Log In page. Citrix recommends that this mode is only used if software components or products other than the Web Interface also use the RADIUS server for authentication.
68
Go to Document Center
You can change challenge messages by launching the RSA RADIUS Configuration Utility. For more information about using this tool, see the RSA documentation provided with the SecurID software. To display the same messages to users accessing sites on IIS and UNIX servers, the following challenges must be updated:
Message For Does User Want a System PIN Is User Ready To Get System PIN Is User Satisfied With System PIN New Numeric PIN of Fixed Length New Alphanumeric PIN of Fixed Length New Numeric PIN of Variable Length New Alphanumeric PIN of Variable Length New PIN Accepted Enter Yes or No Next Token Code Required Packet Challenge Challenge Challenge Challenge Challenge Challenge Challenge Challenge Challenge Challenge Updated Value CHANGE_PIN_EITHER SYSTEM_PIN_READY CHANGE_PIN_SYSTEM_[%s] CHANGE_PIN_USER CHANGE_PIN_USER CHANGE_PIN_USER CHANGE_PIN_USER SUCCESS FAILURE NEXT_TOKENCODE
Go to Document Center
69
Full screen onlykey combinations apply to the remote desktop in the ICA session only when it is in full screen mode.
AudioOptions enabled in this section will be available for users to select. Workspace control optionsUse these options to configure workspace control settings. For more information about workspace control, see Configuring Workspace Control on page 87.
You can use the Manage application shortcuts task to specify how the Program Neighborhood Agent displays shortcuts for published applications. You can create the following types of shortcuts: Start menuYou can use the settings specified in the Manage application shortcuts page, settings defined during application publishing in MetaFrame Presentation Server, or use both settings. You can also define how and if shortcuts are displayed in the Start menu, and allow users to specify this setting. Additionally, you can create shortcuts in the Programs menu, create an additional submenu, and/or allow users to specify a submenu name. DesktopYou can use the settings specified in the Manage application shortcuts page, settings defined during application publishing in MetaFrame Presentation Server, or use both settings. You can also define how and if shortcuts are displayed in the desktop, and allow users to specify this setting. Additionally, you can use a custom folder name, allow users to select a name, and/or use a custom URL for icons. Notification areaYou can display applications in the notification area and/or allow users to specify how applications are displayed.
Using the Manage application shortcuts task, you can also remove shortcuts. You can specify when shortcuts are removed (either when the Program Neighborhood Agent closes or when users log off from the Program Neighborhood Agent), and which shortcuts are removed (Program Neighborhood shortcuts or Program Neighborhood and user-created shortcuts). If you select both Program Neighborhood and user-created shortcuts, you can also specify the search folder depth to improve performance.
70
Go to Document Center
Go to Document Center
71
Applications windowSpecify the window title bar color and image, title bar text color, number of application icon columns that are displayed, and allow users to customize these settings. Welcome AreaSpecify the title bar background color, title bar text color, welcome message text language, welcome message text, and any additional languages.
The graphics in these option pages update as you make your changes, and are reflected in the main Customize appearance for user page.
72
Go to Document Center
AlternateThe alternate address is given to the client. The server must be configured with an alternate address and the firewall configured for network address translation. TranslatedThe address given to the client is determined by the address translation mappings set in the Web Interface. Secure Gateway Direct Secure Gateway Alternate Secure Gateway Translated
The Secure Gateway works with the Web Interface to provide a single, secure, encrypted point of access through the Internet to servers on internal corporate networks. This means office workers can access corporate information remotely, without compromising network security, from anywhere in the world, from any device, and at any time. Secure Gateway ticketing (STA) is the mechanism used to notify the Secure Gateway that a user is authenticated and can be granted access to the server farm. Tickets are generated and verified by the Secure Ticket Authority server. When a user selects an application, the Web Interface sends the address of the server on which the application resides to the Secure Ticket Authority in return for a ticket. This ticket is later exchanged by the Secure Gateway for the address of the server.
Go to Document Center
73
The use of tickets enhances security, because the internal network addresses of servers are hidden. See Editing Address Translations on page 74 for an example of how to configure Secure Gateway support. For more information about the Secure Gateway, see the Secure Gateway for MetaFrame Administrators Guide. To edit Secure Gateway settings 1. From the Edit Secure Gateway settings dialog box, specify the Fully Qualified Domain Name (FQDN) of the Secure Gateway server that clients must use in the Secure Gateway address (FQDN) field. This must match what is on the certificate installed on the Secure Gateway server. 2. Specify the port number on the Secure Gateway server that clients must use in the Secure Gateway port field. The default port number is 443. 3. To use session reliability, select the Enable session reliability through Secure Gateway 3.0 option. 4. In the Secure Ticket Authorities area, click Add to specify the URL of a Secure Ticket Authority that the Web Interface can use. The Secure Ticket Authority is displayed in the Secure Ticket Authority URLs list. Secure Ticket Authorities are included with the XML service, for example, in http:// mfsrv01/Scripts/CtxSta.dll. Secure Ticket Authorities are generally used for fault tolerance; however, Citrix recommends that you do not use an external load balancer for this purpose. You can specify up to 256 Secure Ticket Authorities in this list. 5. To place the Secure Ticket Authorities in order of priority, highlight a Secure Ticket Authority URL and click Move Up or Move Down. To remove a Secure Ticket Authority URL, highlight it in the list and click Remove. 6. Choose whether or not to enable load balancing between Secure Ticket Authorities using the Use for load balancing option. Enabling load balancing allows you to evenly distribute connections among servers so that no one server becomes overloaded. If an error occurs while communicating with a server, all further communication is load balanced among the remaining servers in the list. 7. The Web Interface provides fault tolerance among servers in the Secure Ticket Authority list. If an error occurs while communicating with a server, the failed server is bypassed for the time specified in the Bypass any failed server for field. 8. Click OK to finish making changes.
74
Go to Document Center
Go to Document Center
75
Client Settings
The following clients are available for application launching: Local ClientThe full client is automatically deployed to users, including seamless window support. Applications are launched in desktop windows that can be resized. If users are accessing applications through a PDA device, you must enable the local client. Native embedded Client (ActiveX or Netscape plugin)Users download and install this client when applications are launched. Seamless windows are not supported; applications are launched in a fixed-size window. Client for JavaThe Client for Java is automatically deployed to users. This client supports seamless windows; applications are launched in desktop windows that can be resized. Embedded Remote Desktop Connection softwareRemote Desktop Connection Software is automatically deployed to users. Seamless windows are not supported; applications are launched in a fixed-size window.
76
Go to Document Center
You must specify a default client. To do this, select a client and use the Set as default button in the Manage client deployment wizard. Note The native embedded Client and embedded Remote Desktop Connection software are not supported on Personal Digital Assistants (PDAs) running Pocket PC.
Go to Document Center
77
2. Select Client for Java and click Next. 3. In the Specify launch client settings page, select the Automatic fallback to the Client for Java option. 4. Continue through the rest of the wizard and click Finish to accept the changes. Note The Client for Java must be deployed for users connecting with a Safari Web browser. Additionally, you can automatically deploy the Web Client to users running Internet Explorer. If you enable this feature, when users access the Web Interface, their client devices and Web browser are detected. If they are on a Windows platform and they do not have a client, or their current client is not up-to-date, the Web Interface attempts to automatically install the specified client on their client devices. Users install the client by selecting Yes in the dialog box that appears. You can deploy the minimal Web Client installation file (wficac.cab). This client does not install all components (such as Program Neighborhood); therefore, this client is smaller and easier to download and may be suitable for users on low bandwidth connections. The following features are not available using the minimal Web Client: SecureICA (RC5) encryption Universal Printer Driver SpeedScreen latency reduction Client audio mapping Wheel mouse support Multiple monitor support User-to-user shadowing Content redirection Novell Directory Services support Extended parameter passing Client COM port mapping
78
Go to Document Center
Panning and scaling Per-user time zone support Support for protocols other than TCP/IP Single sign-on
For more information about the features available in the Web Clients, see the Client for 32-bit Windows Administrator's Guide. To enable the Web Client download option, select the Automatically update the Web Client at log on option in the Manage client deployment task. Note Automatic installation of the Web Client on Windows workstations requires the user to have administrative rights on the client device, or that the ActiveX control be registered in Active Directory. See the Microsoft support Web site for more details.
This screen capture shows an example of an installation caption that may appear in the users Log In page.
Note To use Web-based client installation, ensure your Web server contains the client installation files. For more information about Web-based client installation, see MetaFrame Presentation Server Clients and the Web Interface on page 111.
Go to Document Center
79
You can use one of the following settings: Auto. If the user does not have an appropriate client installed, the installation caption is displayed. This is the default setting and is valid for the Client for Win32 only. Yes. The installation caption is always displayed on all platforms. No. The installation caption is never displayed.
To configure the clients offered to users by installation captions, you must edit the WebInterface.conf file. For more information, see Configuring Web-Based Client Installation on page 113 and Configuring the Web Interface Using the Configuration File on page 92.
80
Go to Document Center
Using Private Root Certificates with the Client for Java version 9.x
If you configured a Secure Gateway or the Citrix SSL Relay service with a server certificate obtained from a private certification authority (for example, if you issue your own certificates using Microsoft Certificate Services), you must import the root certificate in to the Java keystore on each client machine. For more information, see the Client for Java Administrators Guide.
Using Private Root Certificates with the Client for Java version 8.x
To use private root certificates with version 8.0 of the client, select the Use a private root certificate option. Enter the file name of the certificate in the Certificate file name field. The certificate must be located in the same directory on the Web server as the Java Client packages (such as ICAWEB\icajava in the common files directory on IIS).
Go to Document Center
81
Important This option does not verify that the root certificate is delivered over a secure connection. Because the root certificate could be transmitted over an unencrypted HTTP link, it is potentially vulnerable to attack. Citrix recommends that you configure the Web server to use HTTPS connections.
Deploying the Client for Java Using the Web Interface with Custom SSL/TLS Certificates
Use the following procedure to configure the Web Interface to use a single custom SSL root certificate if you are using the Client for Java version 8.x. The certificate is made available to the Java Client as an individual file in the Client for Javas codebase directory on the Web server. This can cause problems for .cer files because IIS sends these using MIME text and the file can become corrupted during transport (for example, line endings change). Also, some Java Virtual Machines (JVM), such as the IBM JVM on OS/2, will not retrieve certificates when specified as individual files. Citrix recommends that you package custom root certificates into a single archive file to supply multiple certificates. This procedure is documented in the Client for Java Administrators Guide. The following describes how to configure custom certificates using the Web Interface and the Client for Java. To configure custom certificates 1. Contact your Certificate Authority and obtain the root certificates that correspond to the server certificates being used on the servers. 2. In a text editor, locate and open the appembed.inc file. By default, this is located in C:\Inetpub\Wwwroot\Citrix\MetaFrame\site\include. 3. Locate the section between the <applet> and </applet> HTML tags. 4. Before the </applet> tag, specify which SSL/TLS certificates the Client for Java should use. Use the following parameters: SSLNoCACertsthe number of specified certificates in the client archive.
82
Go to Document Center
SSLCACert0, SSLCert1...SSLCert<n>The names of the root certificates to use when validating the name of the server certificate. The number of root certificates that you specify must match the number specified in the SSLNoCACerts parameter.
For example, if you have three custom root certificates with filenames A.crt, B.crt, and C.cer, insert the following lines: <param name="SSLNoCACerts" value="3"> <param name="SSLCACert0" value="A.crt"> <param name="SSLCACert1" value="B.crt"> <param name="SSLCACert2" value="C.cer"> 5. Search for the codebase parameter and make a note of the path listed on this line. <%=langCode%> is the folder name of the language with which you are working. Do not edit this line. 6. If the Client will be deployed in Microsoft Internet Explorer with the Microsoft JVM, package the certificates in a .cab file. For more information, see the Client for Java Administrators Guide. 7. Search for the cabinets parameter. Add the name of the archive you created in Step 6. For example, if you named your archive MyCerts.cab, change the following: <param name=cabinets value="<%=jicaCabFiles%>"> to <param name=cabinets value="<%=jicaCabFiles%>MyCerts.cab"> 8. Copy your archive file to the directory specified in the codebase attribute that you noted in Step 5. The default path is C:\Inetpub\Wwwroot\Citrix\ICAWEB\en\icajava. 9. Save the appembed.inc file. 10. On the client device, launch the Web browser and connect to the server running the Web Interface. All embedded Java client sessions to secured servers work transparently using SSL.
Go to Document Center
83
Using the Access Suite Console, you can set default proxy rules for clients. However, you can also configure exceptions to this behavior for individual clients. To configure exceptions, you associate the proxy servers external IP address with the proxy servers internal address and port. You can also specify that proxy behavior is controlled by the client. For example, to use the Secure Proxy feature in MetaFrame Presentation Server, configure the Web Interface to use the proxy settings specified on the client and configure the client for Secure Proxy. For more information about using clients to control proxy behavior, see the relevant MetaFrame Presentation Server Client Administrators Guide. To configure default proxy settings 1. Click the Edit client-side proxy task. 2. Click Add to create a new mapping or Edit to edit an existing mapping. 3. Enter the external address of the proxy in the IP Address field. 4. Enter the subnet mask in the Subnet Mask field. 5. In the Proxy drop-down list, select one of the following: Auto detectThe client auto-detects the Web proxy based on the clients browser configuration. Client definedThe settings configured by the user for the client. NoneNo proxy is used. SOCKSIf this option is selected, you must enter the address of the proxy server in the Proxy Address field and the port number in the Proxy Port field. The proxy address can be an IP address or a DNS name.
84
Go to Document Center
Secure (HTTPS)If this option is selected, you must enter the address of the proxy server in the Proxy Address field and the port number in the Proxy Port field. The proxy address can be an IP address or a DNS name.
6. Click OK. The mapping is added to the Mapping list. 7. You can control the order in which multiple mappings are applied. Select a mapping and click Move Up or Move Down to place the mappings in order of priority. To remove a mapping, select the mapping and click Remove.
Go to Document Center
85
Bandwidth control allows users to select session settings based on their connection bandwidth. These options are displayed in the Log In page under Advanced Options in the Connection Speed drop-down list. Bandwidth control provides control for color depth, audio, and printer mapping. To enable this feature, you must also select Allow user to customize printer mapping in the Manage client connection settings task. Additionally, you can use ICA override files to control other ICA settings for bandwidth control:
File Name bandwidth_ high.ica bandwidth_ medium_high.ica bandwidth_ medium.ica bandwidth_low.ica default.ica Description Contains the override ICA settings for high bandwidth connections. Contains the override ICA settings for medium high bandwidth connections. Contains the override ICA settings for medium bandwidth connections. Contains the override ICA settings for low bandwidth connections. Contains the override ICA settings used when no bandwidth is selected.
If the Client for Java is used, bandwidth control determines whether or not audio and printer mapping packages are downloaded. If Remote Desktop Connection is used, audio quality is either mapped to On or Off and further quality control is not provided. Low bandwidth is recommended for wireless WAN connections. Note If Remote Desktop Connection is used in conjunction with bandwidth control, the Web Interface specifies parameters appropriate to the selected bandwidth. However, the actual behavior depends on the version of the Remote Desktop Software, Terminal Servers, and the server configuration. By default, users can adjust the window size of client sessions. For MetaFrame Conferencing Manager Guest Attendee sites, you can configure: Windows key combinations Kiosk mode
Kiosk mode is ideal for situations in which client devices are public terminals and used by a variety of users. When kiosk mode is enabled, users settings are not stored and are only retained for the duration of their session. If you prevent users from adjusting a setting, the setting is not displayed in the user interface and the settings specified for the published application in the Management Console for MetaFrame Presentation Server are used.
86
Go to Document Center
Go to Document Center
87
Feature Requirements
The following requirements and recommendations apply to the workspace control feature: If the Web Interface detects that it is being accessed from within a client session, the workspace control feature is disabled. To use single sign-on, smart card, or smart card with single sign-on, you must set up a trust relationship between the server running the Web Interface and the Citrix XML service. For more information, see Configuring Workspace Control with Integrated Authentication Methods on page 88.
88
Go to Document Center
Applications published for anonymous use are terminated when both anonymous and authenticated users disconnect, provided that the Citrix XML service is set to trust Web Interface credentials. Thus, users cannot reconnect to anonymous applications after they disconnect. If client credential pass-through is not enabled, smart card users are prompted for their PINs for each session being reconnected. This is not an issue with single sign-on or smart cards with single sign-on because client credential passthrough is enabled with these options. Each session times out after a period of inactivity (typically 20 minutes). When the HTTP session times out, the Login screen appears; however, any applications launched or reconnected in that session are not disconnected. Users must manually disconnect, or log off or log back on to the Web Interface and use the Log off buttons or disconnect.
Go to Document Center
89
Enable the trust relationship only on servers directly contacted by the Web Interface. These servers are listed in the Manage server farms page. Configure IPSec, firewalls, or other technology that you use to secure the environment to restrict access to the Citrix XML service to only the Web Interface servers. For example, if the Citrix XML service is sharing a port with Microsoft Internet Information Services (IIS), you can use the IP address restriction capability in IIS to restrict access to the Citrix XML service.
To enable automatic reconnection when users log on 1. Select the Automatically reconnect to sessions when user logs in option. To automatically reconnect both disconnected and active sessions, select All sessions. To automatically reconnect disconnected sessions only, select Disconnected sessions only.
2. Use the Allow user to customize option to allow users to select these options in the user interface. To enable the Reconnect option 1. Select the Automaticity reconnect to sessions after user logs in option. To configure the Reconnect command to automatically reconnect both disconnected and active sessions, select All sessions. To configure the Reconnect command to automatically reconnect disconnected sessions only, select Disconnected sessions only.
2. Use the Allow user to customize option to allow users to select these options in the user interface.
90
Go to Document Center
To configure log off behavior 1. In the Log off section, to log users off from the Web Interface and all active sessions, select Log off all sessions when user logs off from the Web Interface. 2. Use the Allow user to customize option to allow users to select these options in the user interface.
Go to Document Center
91
Once a site has been added to a group, you cannot perform local site tasks on that site and the sites configuration is removed. To use local site tasks, you must remove the site from the group using the Remove sites from group task; the group configuration will be used for the site. Additionally, you can use the Ungroup task to remove all sites from the group.
92
Go to Document Center
Important If custom scripts and images have been created for the site and you run the Repair site task, these customized files will be removed. Customized files are also removed when using the Manage IIS Hosting task. Citrix recommends that you back up any files you create before you use either of these tasks.
Go to Document Center
93
The following table shows the parameters that WebInterface.conf can contain (in alphabetical order). If a parameter is not specified in WebInterface.conf, its default value is used.
Parameter AdditionalExplicit Authentication Description Defines the explicit two-factor authentication that must be carried out, in addition to SAM, ADS or NDS. This replaces the deprecated setting of EnableSecurIDWithExplicit Authentication. Specifies what type of address to use for the NFuse_AppServerAddress tag in Template.ica. Values None, SecurID, SafeWord, RADIUS Site Types MetaFrame Presentation Server
AddressResolution Type
MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server
AllowBandwidth Selection
Specifies whether users can provide MetaFrame Presentation Server with the type of connection between their Web browser and MetaFrame Presentation Server, to optimize ICA settings. Specifies whether to allow users to specify the number of columns. Specifies whether the user is permitted to adjust the audio quality for ICA sessions. Whether to allow users to enable/ disable client printer mapping. Specifies whether the user is permitted to change which client is used to launch the application. Specifies whether the user is permitted to change the Client for Java packages that are downloaded. Whether to allow users to choose which user interface to use.
Off, On
MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server
Off, On Off, On
AllowCustomizeJava ClientPackages
Off, On
AllowCustomize Layout
Off, On
94
Go to Document Center
Description Specifies whether users can override the behavior displayed by the workspace control feature when the user logs off of MetaFrame Presentation Server. Specifies whether the MetaFrame Presentation Server user is able to override the behavior of workspace control at log in. Specifies whether the MetaFrame Presentation Server user is able to override the behavior of workspace control when Reconnect is clicked. Specifies whether the user can access the Settings screen and make changes. Whether to allow users to select the key combination pass-through behavior. Whether to allow users to enable/ disable PDA synchronization. Specifies whether the user is permitted to change the color depth for ICA sessions. Specifies whether the user is allowed to change the window size for ICA sessions. Defines under what conditions a user may change their password. Specifies whether to return the alternate MetaFrame Presentation Server address in the ICA file.
AllowCustomize ReconnectAtLogin
On, Off
AllowCustomize ReconnectButton
On, Off
AllowCustomize Settings AllowCustomize TransparentKey Passthrough AllowCustomizeVirtua lCOMPortEmulation AllowCustomizeWin Color AllowCustomizeWin Size AllowUserPassword Change AlternateAddress
On, Off
MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server
Off, On
On, Off
AppColumns
Go to Document Center
95
Description Defines the permitted log in methods. This is a comma separated list and may contain any of the specified values in any order. Specifies whether the ICA ActiveX client should be downloaded to users with no client, or one that is out of date. Whether to use the Client for Java to launch applications if no native client is detected on Win32 platforms. Specifies the color for the lines and bars in the header and footer areas.
Site Types MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Presentation Server
AutoDeployWebClient
AutoFallbackToJava Client
Off, On
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
BrandingColor
Time before a failed RADIUS server will be considered for reuse. Time before a failed STA server will be considered for reuse.
ClientAddressMap
Part of the server side firewall configuration. A list of client address, address type pairings. The first may be a partial address, or a subnet address and mask, while the latter may takes the values: Normal, Alternate, Translated, SG, SGAlternate, and SGTranslated. Using a * in place of a client address or subnet indicates the default for all otherwise unspecified clients.
96
Go to Document Center
Parameter ClientProxy
Description Client side firewall option. Specifies a list of client subnet addresses and masks, or address prefixes, and associated proxy settings. The client address in the returned ICA file will be determined by these settings. Using a * in place of a client address or subnet indicates the default for all otherwise unspecified clients. The value of the third field (proxy address) in each set of three is ignored unless the second field (proxy type) is an explicit proxy type (SOCKS or Secure), but it must always be present; the default value for this field is the minus sign (-). A URL to be used as the hyperlink for the company logo if CompanyLogo is specified. A URL to the company logo image.
Values <ClientAddress>|<S ubnet Address>/ <Subnet Mask>|*, Auto|Client|None|SO CKS|Secure, |<ProxyAddress>|<P roxyAddress>:<Prox yPort>,
Site Types MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
CompanyHomePage
A valid URL.
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
CompanyLogo
A valid URL.
Configuration Location
Path to the configuration file within the web app | comma separated list of serveraddress:port, where server-address is either a DNS name or an IP address File | ConfigurationService
ConfigurationSource Type
MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
Go to Document Center
97
Parameter CSG_Server
Site Types MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager
CSG_ServerPort
CSG_STA_URL<n>
DefaultClient
Whether to show all clients available for download when platform cannot be auto detected. Only relevant if install captions are to be shown. The default language to be used if a browser requests a non-supported language.
On, Off
DefaultLocale
DefaultWelcome MessageLocale
Locale of the default Welcome message text to be displayed in the Welcome area of the Log In screen and Application screen. This should match up to the <lang-code> part of one of the defined WelcomeMessage_<lang-code> settings, for example, en. Whether to display the footer defined in footer.inc.
DisplayFooter
On, Off
98
Go to Document Center
Parameter DisplayHeader
Site Types MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server
DisplayMainBoxTitle BarBgImage
Whether to use background image or simple background color for the main box title bar. Specifies the time period that DuplicateLogLimit log entries will be monitored over.
On, Off
DuplicateLogInterval
DuplicateLogLimit
Specifies the number of duplicate log entries allowed in the time period DuplicateLogInterval.
Whether to enable Kerberos authentication. Specifies whether older MetaFrame Presentation Server Clients that cannot read UTF-8 ICA files are supported. If this is Off, MetaFrame Presentation Server will produce ICA files in UTF-8 encoding. Specifies whether the workspace control feature should logoff Active applications when the user logs out of MetaFrame Presentation Server. Turn this on to permit sessions on multiple RADIUS servers to be load balanced in a random-access manner. Failover between the servers still occurs regardless of whether this is On or Off.
EnableLogoff Applications
On, Off
EnableRadiusServer LoadBalancing
On, Off
Go to Document Center
99
Description Turn this on to permit requests to multiple Secure Gateway STA servers to be load balanced.
Site Types MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Presentation Server
Whether to enable PDA synchronization through tethered USB connection. Specifies whether the workspace control feature is available to MetaFrame Presentation Server users. Specifies a URL for Web Interface to redirect to when an error occurs. It takes four query string parameters: NFuse_MessageType NFuse_MessageKey NFuse_MessageArgs NFuse_LogEventID Specifies all the information for a farm.
On, Off
On, Off
ErrorCallbackURL
A valid URL.
Farm<n>
XML service address [,XML service address,...] [,Name:<name>] [,XMLPort:<port>] [,Transport:<HTTP| HTTPS|SSL>] [,SSLRelayPort: <port>] [,BypassDuration: <duration>] [,LoadBalance: <on|off>] [,ECSUrlURL>] [,AuthenticationTicke ts:<on|off>] [TicketTimeToLive: <seconds (200)>] A valid URL.
MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
HeadingImage
100
Go to Document Center
Description Controls whether the domain field is displayed on the Log in screen. Specifies download caption and links for the associated platform.
Site Types MetaFrame Presentation Server MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager
IbmAixClient
ICAWebClient
File name of the Client for Win32 that is native embedded launches and auto-deploying Web client. Class ID of the ActiveX client.
wficat.cab
IcaWebClientClassID
238f6f83-b8b4-11cf8771-00a024541ee3
ICAWebClientVersion
Version number of client (from the Client CD-ROM). Used with autoWebClientDownload. Ignore the client-provided client address when set .
IgnoreClientProvided ClientAddress
Off, On
InternalServer AddressMap
A list of normal, translated address pairings. The normal address identifies the Secure Gateway server address and the translated address is that which should be returned to the MetaFrame Presentation Server client. Specifies download caption and links for the associated platform.
NormalAddress = TranslatedAddress,
JavaClient
Go to Document Center
101
Parameter JavaClientPackages
Description The default set of Client for Java packages to download. Consists of a comma separated list in arbitrary order.
Values ConfigUI, PrinterMapping, SecureICA, Audio, ClientDriveMapping, ClipBoard, SSL, Thinwire1, ZeroLatency None. A valid filename.
JavaClientRoot Certificate
The file name of a private root certificate for the Client for Java. The certificate must be located in the same directory as the Client for Java packages. Controls whether user settings should be persistent or last only for the lifetime of the session. When kiosk mode is enabled, user settings will not persist from one session to another. Defines which clients the user is allowed to select from. Used in conjunction with AllowCustomizeClients. Preferred client to use for launches.
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager
KioskMode
Off, On
LaunchClients
Ica-Local, Ica-Java, Ica-Embedded, RdpEmbedded Ica-Local, Ica-Java, Ica-Embedded, RdpEmbedded "Default". Caption and links
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Presentation Server MetaFrame Conferencing Manager
LaunchMethod
LinuxClient
LoginDomains
Domain names to use for display and/or restriction purpose for explicit authentication. Specifies which Log in screen is displayed. May be either domainbased, or NDS. Specifies download caption and links for the associated platform.
LoginType
Default, NDS
MacClient
102
Go to Document Center
Description Specifies the background color for the main box title bar.
Site Types MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
MainBoxTitleBarBg Image
Specifies a URL to the background image for the main box title bar.
A valid URL.
MainBoxTitleFont Color
MessageHeadingBg Color
Background color for the headings of the welcome area and the message center. Font color for the headings of the welcome area and the message center. When using NDS authentication, this specifies the NDS tree to use.
MessageHeadingFont Color
NDSTreeName
OtherClient
Specifies download caption and links for unrecognized client platforms. Specifies a custom message to be displayed along with the download links for the clients. Specifies whether to use socket pooling or not.
OverrideClientInstall Caption
PooledSockets
Off, On
Go to Document Center
103
Description Specifies the timeout value to use when waiting for a response from the session's RADIUS server. A comma-separated list of RADIUS servers and optionally the ports on which they listen. Servers can be specified using IPs or names, and the server and port for each element are separated using a colon. If the port is omitted, then MetaFrame Presentation Server will assume the RADIUS default of 1812. A maximum of 512 RADIUS servers can be configured. Filename of the Remote Desktop Connection software used for embedded launches and autodeployment of this client. Class ID of the Remote Desktop Connection ActiveX client shipped with Windows Server 2003. Version number of the Remote Desktop Connection software shipped with Windows Server 2003. Specifies whether workspace control should reconnect to applications at log in, and if so, whether to reconnect all applications, or disconnected applications only. Specifies whether workspace control should reconnect to applications when the MetaFrame Presentation Server users click Reconnect, and if so, whether to reconnect to all applications, or disconnected applications only.
RdpWebClient
msrdp.cab
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services
RdpWebClientClassID
7584c670-22744efb-b00bd6aaba6d3850 5,2,3790,0
RDPWebClient Version
ReconnectAtLogin
ReconnectButton
104
Go to Document Center
Site Types MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager
RestrictDomains
Controls whether LoginDomains is to be treated as a restriction or display list for explicit authentication. The number of times a failed request to the XML service will be retried before the service is deemed to have failed.
Off, On
RetryCount
ScoUnixClient
SearchContextList
An optional comma separated list of context names for use with NDS authentication. Part of server side firewall support. A list of normal, translated address pairings. The normal address identifies the server address and the translated address should be returned to the client. Specifies download caption and links for the associated platform.
ServerAddressMap
SgiUnixClient
Go to Document Center
105
Description Controls the display of download captions. Auto specifies that the download caption is shown if the user does not have a client installed and automatic Web installation is disabled. On other platforms, the caption will always be shown. Supersedes ForceClientInstallCaption. A string which provides the basis of a unique site identifier. For windows the SiteIDRoot is used directly as the site identifier when communicating with the configuration service. For UNIX, runtime information is added to the SiteIDRoot to form the site identifier for the configuration service. Specifies download caption and links for the associated platform.
SiteIDRoot
MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager
SolarisUnixClient
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server Program Neighborhood Agent Services
Timeout
Specifies the timeout value to use when communicating with the XML service.
TransparentKey Passthrough
Tru64Client
UPNSuffixes
106
Go to Document Center
Parameter UserInterfaceLayout
Site Types MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager
WelcomeMessage_ <lang-code>
Localized welcome message text to be displayed in the welcome area of the Log in screen and Application List screen. <lang-code> is en, fr, de, es, ja or any other standard language code. Specifies download caption and links for the associated platform.
Win16Client
MetaFrame Presentation Server MetaFrame Conferencing Manager MetaFrame Presentation Server MetaFrame Conferencing Manager
Win32Client
Go to Document Center
107
NDSTreeName
The following table explains these parameters (in alphabetical order), the values that affect the Program Neighborhood Agent settings, and their recommended settings:
Parameter AuthenticationMethods Value N/A Recommended Setting Use the same authentication method configured in the Web Interface. Authentication will fail if this method differs in Config.xml. This field stops the Program Neighborhood Agent users from successfully authenticating with any other domain. NDS must be enabled in Config.xml. DefaultTree in the Logon section of Config.xml must contain the same setting.
3. Restart the server running the Web Interface to apply the changes.
Examples
This section provides typical examples of how to configure the Web Interface using the WebInterface.conf file.
108
Go to Document Center
Note The server name specified must match the name on the servers certificate. 2. Restart the Web server to apply the changes.
Go to Document Center
109
What to Do Next
For more information about deploying MetaFrame Presentation Server clients to Web Interface users or about configuring the Client for Macintosh, see MetaFrame Presentation Server Clients and the Web Interface on page 111. For information about security considerations, see Chapter 5, Configuring Web Interface Security on page 117.
110
Go to Document Center
Go to Document Center
CHAPTER 4
Overview
This chapter provides information about deploying and using MetaFrame Presentation Server clients with the Web Interface. It explains how to deploy clients using the Web-based client installation feature, and provides additional information about the Client for Java. Topics include: Using Web-Based Client Installation Client for Java Overview The Program Neighborhood Agent Overview
112
Go to Document Center
This screen capture shows an example installation caption that may appear in the users Login page.
Go to Document Center
113
2. Insert the Components CD-ROM in the Web servers CD-ROM drive or browse the network for a shared Components CD image. 3. Change directories to the CDs \ICAWEB directory. Copy the contents from the \ICAWEB directory to the CD into the \ICAWEB directory on the server running the Web Interface. Make sure you copy the contents of the directory and not the \ICAWEB directory itself.
To configure the Web Interface to offer a different Client for Win32 1. Open the WebInterface.conf file. 2. Edit the Win32Client parameter. For example:
Win32Client=Click here for the Client&/Citrix/ICAWEB/ en/ica32/ica32.exe
114
Go to Document Center
The OverrideClientInstallCaption parameter specifies a custom message that can be displayed along with the download links for the clients. By default, this parameter is commented out by a number sign (#) at the beginning of the line and the default messages are used. The default message is specific to the identified client platform, and is similar to the following: You do not have the Client (ActiveX) for 32-bit Windows installed on your system. You must install the Client to launch the applications. Select the icon below to install the Client. To display a custom message with the download links 1. Open the WebInterface.conf file. 2. Edit the OverrideClientInstallCaption parameter. For example:
OverrideClientInstallCaption=Please install a client. Here are the clients we offer:
Go to Document Center
115
116
Go to Document Center
The Console provides a tool to view and change current settings. Parameters and values from the Config.xml file are displayed in the interface, allowing you to make changes by selecting options and entering values in fields. For more information about Program Neighborhood Agent configuration using the Console, see Configuring Sites Using the Console on page 46. For specific information about installing and configuring the Program Neighborhood Agent, see the Client for 32-bit Windows Administrator's Guide.
What to Do Next
For information about security considerations, see Chapter 5, Configuring Web Interface Security on page 117.
Go to Document Center
CHAPTER 5
Overview
This chapter provides information about how to secure your data in a Web Interface environment. Topics include: Introduction to Web Interface Security Securing Web Interface Communication Securing the Program Neighborhood Agent with SSL Server Running the Web Interface/MetaFrame Presentation Server Communication Client Session/MetaFrame Presentation Server Communication General Security Considerations
118
Go to Document Center
This diagram shows how the client device interacts with the server running MetaFrame Presentation Server and the server running the Web Interface.
Go to Document Center
119
SSL
The Secure Sockets Layer (SSL) protocol provides the ability to secure data communications across networks. SSL provides server authentication, encryption of the data stream, and message integrity checks. SSL uses cryptography to encode messages, authenticate their identity, and ensure the integrity of their contents. This guards against risks such as eavesdropping, misrouting, and data manipulation. SSL relies on public key certificates, issued by certificate authorities, to ensure proof of identity. For more information about SSL, cryptography, and certificates, see the MetaFrame Presentation Server Administrators Guide, the Citrix SSL Relay for UNIX Administrators Guide, and the Secure Gateway Administrators Guide.
TLS
Transport Layer Security (TLS) is the latest, standardized version of the SSL protocol. The Internet Engineering Taskforce (IETF) renamed it TLS when they took over responsibility for the development of SSL as an open standard. Like SSL, TLS provides server authentication, encryption of the data stream, and message integrity checks. Support for TLS Version 1.0 is included in MetaFrame Presentation Server, Feature Release 2. Because there are only minor technical differences between SSL Version 3.0 and TLS Version 1.0, the server certificates you use for SSL in your installation also work for TLS. Some organizations, including US government organizations, require the use of TLS to secure data communications. These organizations may also require the use of validated cryptography, such as FIPS 140. FIPS (Federal Information Processing Standard) is a standard for cryptography. Note On UNIX platforms, the maximum SSL/TLS certificate key size supported by the Web Interface is 2048 bits.
120
Go to Document Center
Go to Document Center
121
Secure Gateway
You can use the Secure Gateway with the Web Interface to provide a single, secure, encrypted point of access through the Internet to servers on the internal corporate networks. The Secure Gateway acts as a secure Internet gateway between SSL/TLS-enabled clients and servers. The Internet portion of traffic between client devices and the Secure Gateway server is encrypted using SSL/TLS. This means that users can access information remotely without compromising security. The Secure Gateway also simplifies certificate management, because you require a certificate only on the Secure Gateway server, rather than on every server in the farm.
This diagram shows how the Secure Gateway secures communication between SSL/ TLS-enabled clients and servers.
For more information about the Secure Gateway, see the Secure Gateway Administrators Guide. For information about how to configure the Web Interface for Secure Gateway support using the Access Suite Console, see Editing Secure Gateway Settings on page 72.
Tip To ensure that only ICA connections using SSL (typically port 443) are allowed through a firewall, ensure port 1494 is blocked and open port 2598.
122
Go to Document Center
To secure the connection between the Program Neighborhood Agent and the server using SSL, follow the instructions in Managing Secure Client Access on page 71 to configure the Web Interface to use SSL. Check the Enable SSL box in the ICA Client Options tab of the application properties dialog box in the Management Console.
Example
If the line specifying Request/Resource/Location is <Location>http:// server3.eng.citrix.com/Citrix/PNAgent/launch.aspx</Location>, change it to <Location>https://server3.eng.citrix.com/Citrix/PNAgent/launch.aspx </Location>.
Go to Document Center
123
ICA files. When the user selects an application, the Web server sends an ICA file for that application to the browser. The ICA file contains a ticket that can be used to log on to the server (except in the case of smart card authentication). ICA files do not include a ticket for pass-through authentication.
Risks
Attackers can exploit Web Interface data as it crosses the network between the Web server and browser and as it is written on the client device itself: An attacker can intercept logon data, the session cookie, and HTML pages in transit between the Web server and Web browser. Although the session cookie used by the Web Interface is transient and disappears when the user closes the Web browser, an attacker with access to the client devices Web browser can retrieve the cookie and possibly use credential information. Although the ICA file does not contain any user credentials, it contains a one-time use ticket that expires in 200 seconds, by default. An attacker may be able to use the intercepted ICA file to connect to the server before the authorized user can use the ticket and make the connection. If single sign-on is enabled, an attacker could send the user an ICA file that causes the users credentials to be misrouted to an unauthorized or counterfeit server.
Recommendations
The following recommendations combine industry-standard security practices with Citrix-provided safeguards to protect data traveling between client devices and the Web server and data written to client devices.
124
Go to Document Center
In a Web Interface deployment, SSL/TLS authentication and encryption create a secure connection over which the user can pass credentials posted in the Log In page. Data sent from the Web server, including the credentials cookie, ICA files, and HTML application list pages, is equally secure. To implement SSL/TLS technology on your network, you must have an SSL/TLS-capable Web server and SSL/TLS-capable Web browsers. The use of these products is transparent to the Web Interface. You do not need to configure Web servers or browsers for the Web Interface. For information about configuring the Web server to support SSL/TLS, see the Web servers documentation. Important Many SSL/TLS-capable Web servers use TCP/IP port 443 for HTTP communications. By default, the Citrix SSL Relay uses this port as well. If your Web server is also a server running the Citrix SSL Relay, make sure you configure either the Web server or Citrix SSL Relay to use a different port.
Risks
The Web Interface XML protocol uses clear text to exchange all data with the exception of passwords, which it passes using obfuscation. The XML communication is vulnerable to the following attacks: An attacker can intercept the XML traffic and steal application set information and tickets. An attacker with the ability to crack the obfuscation can obtain user credentials as well.
Go to Document Center
125
Recommendations
Citrix recommends implementing one of the following security measures for securing the XML traffic between the Web server and server farm: Use Citrix SSL Relay as a security intermediary between the Web server and server farm. Citrix SSL Relay performs host authentication and data encryption. In deployments that do not support running the Citrix SSL Relay, run the server running the Web Interface on the server running MetaFrame Presentation Server. Use the HTTPS protocol to send Web Interface data over a secure HTTP connection using SSL if IIS is installed on the server for another purpose.
126
Go to Document Center
To configure the Web Interface to use Citrix SSL Relay using WebInterface.conf 1. Open the WebInterface.conf file. 2. Change the SSLRelayPort setting in the Farm<n> parameter to the port number of the Citrix SSL Relay on the server. 3. Change the value of the Transport setting in the Farm<n> parameter to SSL. 4. Restart the Web server to apply the changes. Tip For an example of how to configure the Web Interface to use Citrix SSL Relay using WebInterface.conf, see Configuring Citrix SSL Relay Communication on page 108. Adding Certificates to the Server Running the Web Interface On UNIX, the Web Interface includes native support for the following certificate authorities: VeriSign, Inc., http://www.versign.com Baltimore Technologies, http://www.baltimore.com
If you want to add support for other certificate authorities, you must add the certificate authoritys root certificate to the server running the Web Interface. To add a new root certificate to the server running the Web Interface 1. Copy the root certificate to your Web server. On Windows, the certificate is copied using the Certificate Microsoft Management Console (MMC) Snap-In. On UNIX, copy the certificate to the ./cacerts directory.
For information about certificates, see the installation chapter of the MetaFrame Presentation Server Administrators Guide. For MetaFrame Presentation Server for UNIX servers, see the Citrix SSL Relay for UNIX Administrators Guide.
Enabling the Server Running the Web Interface on the MetaFrame Server
For those deployments that do not support the Citrix SSL Relay, you can eliminate the possibility of network attack by running a Web server on the server supplying the Web Interface data. Hosting your Web Interface sites on such a Web server routes all Web Interface requests to the Citrix XML service on the local host, thereby eliminating transmission of the Web Interface data across the network.
Go to Document Center
127
However, the benefit of eliminating network transmission must be weighed against the risk of exploitation of the Web server. Note On MetaFrame Presentation Server systems, Setup lets you force the Citrix XML service to share Internet Information Servicess TCP/IP port instead of using a dedicated port. If you enable port sharing, the Citrix XML service and the Web server use the same port by default. At minimum, you can place both the Web server and MetaFrame server behind a firewall so that the communication between the two is not exposed to open Internet conditions. In this scenario, client devices must be able to communicate through the firewall to both the Web server and MetaFrame server. The firewall must permit HTTP traffic (often over the standard HTTP port 80 or 443 if a secure Web server is in use) for client device to Web server communication. For client to server communication, the firewall must permit inbound ICA traffic on port 1494 and port 2598. See the server documentation for information about using ICA with network firewalls. For information about using the Web Interface with network address translation, see the Customizing the Web Interface guide.
128
Go to Document Center
Risks
To capture and interpret client to server network communications, an attacker must be able to crack the binary client protocol. An attacker with binary client protocol knowledge can: Intercept initialization request information sent from the client, including user credentials. Intercept client session information including text and mouse clicks entered by users and screen updates sent from the server.
Recommendations
Use SSL/TLS or ICA Encryption
Citrix recommends implementing SSL/TLS or ICA encryption to secure the traffic between your clients and servers. Both methods support 128-bit encryption of the data stream between the client and server, but SSL/TLS also supports verification of the identity of the server. Support for SSL is included in Feature Release 1 for MetaFrame XP and higher, and Feature Release 1 for MetaFrame for UNIX and higher. Support for SSL/TLS is included in Feature Release 2 for MetaFrame XP and higher. Support for ICA encryption is included in Feature Release 1 for MetaFrame 1.8 and MetaFrame Presentation Server and higher. See the client documentation or the Citrix download site for a list of clients that support each method. See the MetaFrame Presentation Server Administrators Guide for more information about ICA encryption.
Go to Document Center
129
130
Go to Document Center
Go to Document Center
CHAPTER 6
Overview
This chapter introduces the Program Neighborhood Agent, and explains how to configure this feature using the Config.xml file. Topics include: Using the Program Neighborhood Agent Using the Access Suite Console for Configuration Using the Config.xml File Configuring the Web Interface with Program Neighborhood Agent Securing the Program Neighborhood Agent with SSL
132
Go to Document Center
Go to Document Center
133
Configuration FileAllows you to specify a different URL for Config.xml for the client to use in the future. This facilitates moving users to a different server running the Web Interface. RequestSpecifies where the client should request published application data from, and how often to refresh the information. LogonSpecifies the logon method to use. UserInterfaceSpecifies whether to hide or display certain groups of options presented to the user as part of the Program Neighborhood Agent interface. FileCleanupDo not edit. ICA_OptionsSpecifies the audio and video options for client connections. This corresponds to the options on the ICA Options tab of the Program Neighborhood Agent Properties dialog box.
For more information about using the Config.xml file, see the Client for 32-bit Windows Administrator's Guide.
134
Go to Document Center
NDSTreeName
The following table explains these parameters (in alphabetical order), the values that affect the Program Neighborhood Agent settings, and their recommended settings:
Parameter AuthenticationMethods Value N/A Recommended Setting Use the same authentication method configured in the Web Interface. Authentication will fail if this method differs in Config.xml. This field stops the Program Neighborhood Agent users from successfully authenticating with any other domain. NDS must be enabled in Config.xml. DefaultTree in the Logon section of Config.xml must contain the same setting.
3. Restart the server running the Web Interface to apply the changes. For more information about Config.xml settings, see the Client for 32-bit Windows Administrator's Guide. For more information about WebInterface.conf file settings, see Configuring the Web Interface Using the Configuration File on page 92.
To secure the connection between the Program Neighborhood Agent and the server using SSL, follow the instructions in Managing Secure Client Access on page 71 to configure the Web Interface to use SSL. Check the Enable SSL box in the ICA Client Options tab of the application properties dialog box in the Management Console.
Go to Document Center
135
Example
If the line specifying Request/Resource/Location is <Location>http:// server3.eng.citrix.com/Citrix/PNAgent/launch.aspx</Location>, change it to <Location>https://server3.eng.citrix.com/Citrix/PNAgent/launch.aspx </Location>.
136
Go to Document Center
Go to Document Center
137
Index
A
Access Suite Console 44 about 44 getting started 47 using 46 Acrobat Reader requirements 11 address translation configuring 71 mapping 74 address translations editing 74 advanced server settings 53 anonymous authentication 55 security considerations 55 application publishing 18 application refresh options 87 application sets 18 application shortcuts managing 69 appsrv.ini file editing for pass-through 60 editing for smart card support 56 authentication anonymous 55 configuring 54 explicit 54, 60 methods 54 pass-through 54, 58 pass-through with smart card 54 prompt 54, 60 recommendations 55 smart card 54 two-factor 62 Citrix SSL Relay configuring the Web Interface for 52, 108 overview 120 see also SSL Citrix XML service configuring communication with 107 configuring fault tolerance 51 role in the Web Interface 19 TCP/IP port configuration 52 viewing the port assignment 31 classes 19 client configuration files managing 86 client connection settings managing 84 client deployment managing 75 client devices requirements 29 role in the Web Interface 19 security 122, 128 client files copying to the server 112 Client for Java deployment of components 79 overview 115 using private root certificates with 80 Client for Win32 configuring for pass-through 59 configuring for smart card support 56 deploying automatically 77 installation files 113 Program Neighborhood Agent 115 client installation 78 clients deploying with custom certificates 81 download settings 78 installation 78 user customization 84 client-side proxy settings editing 83 command line 36 Components CD-ROM 29
B
bandwidth control 85
C
certificate key size 119
138
Go to Document Center
configuration files exporting 92 importing 92 configure and run discovery 38, 47 configuring using the Access Suite Console 44 Config.xml 44, 115 about 132 content publishing 14 context-sensitive help 46 cookies 122 creating sites 39, 48
D
Dell Axim requirements 29 diagnostic logging controlling 90 discovery 47 DMZ settings editing 71 documentation other sources 10
J
JavaServer Pages 45
L
language packs 36 legacy support 79 load balancing between Secure Ticket Authorities 73 XML requests 51 load balancing sites 90 local site tasks 91 Log in page making the default 109
E
error messages disabling 109 expiry time of tickets 52 explicit authentication 54
M
MetaFrame Conferencing Manager configuring on UNIX 35 MetaFrame Conferencing Manager Guest Attendee sites 13 MetaFrame Presentation Server UNIX configuration requirements 27 MetaFrame Presentation Server for UNIX determining Citrix XML service ports 31 MetaFrame Presentation Server sites 12 Microsoft domain-based authentication 61
F
fault tolerance configuring 51, 73 firewall configuring address translation 71
H
help displaying 46 HTTP 52 HTTPS 52 HTTPS protocol 127
N
NDS authentication 25, 61 support 13 network address translation 71 Novell Directory Services see NDS
I
ICA Encryption 120, 128
Go to Document Center
Index
139
O
online help 46
P
pass-through configuring 58 pass-through authentication 54 pass-through with smart card 54 password enabling users to change 61 performance considerations 31 Personal Digital Assistants requirements 29 supported configurations 29 private root certificates 80 Program Neighborhood Agent 115 about 115 configuration 44 configuration settings 106 configuring 132 Config.xml 132 securing 122, 134 Program Neighborhood Agent Services sites 12 prompt authentication 54 publishing applications 18 publishing content 14
R
readme file 10 Remote Desktop Connection and the Trusted Sites zone 76 requirements 76 Repair option 41 repairing sites 91 RSA SecurID authentication 61 PASSCODES 62 tokencodes 62 running discovery 38, 47
S
Safari requirements 29 SafeWord authentication 61 secure client access 71
secure client access settings displaying 74 Secure Gateway about 121 between clients and MetaFrame Presentation Server 129 configuring the Web Interface for 72 example of how to configure 108 ticketing 72 Secure Sockets Layer see SSL Secure Ticket Authority 72 SecureICA see ICA Encryption securing the Web Interface 121 security 117 and anonymous authentication 55 Citrix SSL Relay client-to-server communication 121 configuring the Citrix SSL Relay 125 general considerations 129 ICA Encryption 120 network communication 122, 124 client and server 128 protocols and Citrix solutions 119 Secure Gateway 121 between clients and MetaFrame Presentation Server 129 configuring the Web Interface for 72 SSL adding certificates 126 between clients and MetaFrame Presentation Server 128 between Web server and Web browser 123 TLS between clients and MetaFrame Presentation Server 128 between Web server and Web browser 123 overview 119 when installing the Web Interface 31 server farms creating 50 managing 49 password change considerations 50 removing 50 role in the Web Interface 18 specifying settings for all servers 52 server settings managing 70 specifying advanced 53
140
Go to Document Center
ticketing 14, 123 and Secure Gateway 72 configuring ticket expiry time 52 TLS and Secure Gateway 72 between clients and MetaFrame Presentation Server 128 certificate key size 119 overview 119 secure Web servers 123 troubleshooting installation 41 two-factor authentication 62
servers configuring communication with 107 role in the Web Interface 19 scripts 45 security 123 security considerations 128 session options changing 68 sessions see client sessions site configuration 40 site tasks using 41 using local 91 site types 48 sites configuring using the Access Suite Console 46 creating 39, 48 creating on UNIX 40 load balancing 90 repairing 91 specifying configuration 40 uninstalling 91 smart card about 54 enabling 55 example of how to configure 58 requirements 56 socket pooling enabling 53 SSL adding certificates 126 and Secure Gateway 72 between clients and MetaFrame Presentation Server 128 certificate key size 119 configuring the Citrix SSL Relay 125 overview 119 secure Web servers 123 see Citrix SSL Relay support system requirements 2429 client device 29 Web server 27
U
Unicode ICA files 79 uninstalling 42 uninstalling sites 91 UNIX platforms installing on 33 upgrading 30 UPN authentication 61 restricting suffixes 61 support user apperance customizing 70 user principal name see UPN user requirements 29
W
Web Client deploying 77 Web Interface configuring 44, 108 configuring with Program Neighborhood Agent 133 features 12 how it works 20 introduction 11 making available to users 109 overview 20 running on a server 126 Web server requirements 27 Web-based client installation 19 copying clients to the server 112
T
tasks performing 49
Go to Document Center
WebInterface.conf about 44 configuring the Web Interface with 92 parameters 93 Windows authentication 61 Windows Directory Service Mapper 57 Windows platforms installing on 32 Windows-based Terminals 29 workspace control about 87 automatic reconnection 89 enabling 89 log off behavior 90 reconnect option 89 requirements 87 with integrated authentication 88
Index
141