Administrator’s Guide
Citrix MetaFrame Application Server for Windows
Version
Citrix Systems, Inc.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

© 1994-1999 Citrix Systems, Inc. All rights reserved.
© 1985-1997 Microsoft Corporation. All rights reserved.
Contents

Welcome to Citrix MetaFrame
What is Server-Based Computing?
How Does Server-Based Computing Work?
Delivering Multiuser Computing to Windows NT Server 4.0 Environments
How Does Citrix MetaFrame Extend the Reach of Terminal Server?

Chapter 2 Installing MetaFrame
Overview
Before You Begin
Drive Mapping and Server Drive Reassignment
Upgrading to MetaFrame 1.8

ICA Client Update Configuration
Load Balancing Administration
Published Application Manager
Shadow Taskbar
Managing ICA Connections

Modules Tab
Cache Tab
ICA Gateways Tab
Streams Tab
Settings Tab

Scopes of Management
Server Farms Scope
Windows NT Domains Scope
Configuring Server Farms
Joining a Server Farm

Using ICA with Network Firewalls
ICA Browsing With Network Address Translation
Returning External Addresses to ICA Clients
General Tips and Troubleshooting
Applications Accessed On Network Drives

Troubleshooting
General Guidelines
Installation Problems
BIOS Setup
Welcome to Citrix MetaFrame

MetaFrame Application Server for Windows is Citrix’s server-based computing solution for Microsoft’s Windows Terminal Server. MetaFrame incorporates Citrix’s Independent Computing Architecture (ICA) protocol and provides a high-performance, cost-effective, and secure way to deploy, manage, and access business-critical applications throughout an enterprise — regardless of client device or network connection.
How Does Server-Based Computing Work?

Server-based computing relies on three critical components:
• A multiuser operating system that allows multiple concurrent users to log on and run applications in separate, protected sessions on a single server.
• A remote presentation services architecture capable of separating the application’s logic from its user interface, so that only keystrokes, mouse clicks, and screen updates travel the network.
MetaFrame provides:
• Support for heterogeneous computing environments. While Terminal Server supports Windows-based devices and IP-based connections, MetaFrame goes further, providing universal access to Windows-based applications regardless of client hardware, operating platform, network connection, or LAN protocol.
• Any client device. Citrix MetaFrame extends the reach of Terminal Server to virtually any client device: 286, 386, 486, and Pentium computers; Windows-based terminals; Network Computers (NCs); wireless devices; ICA-based information appliances; RISC; PowerPC; and X-based devices (available through Citrix and OEM partners). All of this is done without rewriting a single line of code, changing client hardware, or adjusting client system configurations.
• Systems management. MetaFrame provides enterprises with greater manageability and scalability to help lower computing costs and reduce the resources needed to support users and devices. With the optional Citrix Load Balancing Services, you can group multiple MetaFrame servers into a unified server farm.
• Universal information access. From 16- and 32-bit applications to the latest real-time audio and video data, MetaFrame ensures you can connect to the data you need, quickly and easily. It doesn’t matter if the desired information is on a local desktop, replicated database, the primary server, or a replicated server in the farm.
Conventions

The following conventional terms, text formats, and symbols are used throughout the printed documentation:

Convention    Meaning
Bold          Indicates boxes and buttons, column headings, command-line commands and options, icons, dialog box titles, lists, menu names, tabs, menu commands, and user input.
Italic        Indicates a placeholder for information or parameters that you must provide.
Finding More Information About MetaFrame

Your MetaFrame package includes the following printed documentation:
• The CD liner notes include an overview of the product, Citrix support information, and instructions for activating your Citrix software licenses.
• The MetaFrame Administrator’s Guide tells administrators how to install, configure, and maintain MetaFrame servers.
Finding Information About Windows NT Server, Terminal Server Edition

Most Terminal Server compatibility guidelines can be applied to Citrix MetaFrame because MetaFrame is designed to run with Terminal Server. For example, MetaFrame supports the deployment of Win32, Win16, DOS, OS/2 1.x (text only), and POSIX applications.
CHAPTER 1
Introduction

Overview

This chapter introduces Citrix MetaFrame Application Server for Windows.
Citrix MetaFrame Features

• Enterprise scalability. Terminal Server can accommodate up to 60 concurrent users on a single four-processor SMP Pentium server, depending on the application mix. Multiple MetaFrame servers can be combined into a server farm that utilizes load balancing to increase capacity as needed.
• Extensive connectivity.
• Load balancing support. With load balancing, MetaFrame servers can be logically pooled in a server farm. When a user launches a published application that is configured for load balancing, the load balancing support routes the application to the most lightly loaded server in the farm for execution. You can create a farm of servers that run predefined applications. The load determination criteria for any server in the farm can be fine-tuned from any server in the farm.
New in This Release

• Program Neighborhood. Program Neighborhood introduces a new metaphor for user application access that replaces Remote Application Manager for the Citrix ICA Win32 Client and delivers access to centrally deployed applications. With the introduction of Program Neighborhood, server-based applications can now be pushed to the Program Neighborhood client, integrated into the local 32-bit Windows desktop, or pushed directly to the client’s Start menu.
• ICA Browser Management. With ICA Browser management, part of the enhancements to Citrix Server Administration, administrators now have the ability to control browser parameters such as backup ICA Browsers, ICA Gateways, and update and refresh intervals. Administrators can also configure which servers always attempt to become the master ICA Browser.
• The Citrix ICA Client for Macintosh. Use this client for 68030/040 and PowerPC-based Apple Macintosh computers.
• The Citrix ICA Client for UNIX is available in the following versions:
    • Linux RedHat 5.0 and above
    • SCO UnixWare 7 (UnixWare 2.1 and OpenServer 5 with the Binary Compatibility Module from SCO)
    • Hewlett Packard HP-UX 10.20 and above
    • Sun Solaris 2.5.1 and above
    • Sun SunOS 4.1.4
    • Silicon Graphics IRIX 6.3 and above
    • Digital UNIX 3.
• Low bandwidth requirements. The highly efficient Citrix ICA protocol typically uses a maximum of 20K of bandwidth for each session.
• Local/Remote transparency. Easy to use, all-purpose remote connectivity over a single remote connection eliminates the user dilemma of having to choose between remote node or remote control for running various applications.
• Client printer and disk drive mapping.
• Seamless Windows support. The Citrix ICA Win32 Client now supports the seamless integration of local and remote applications on the local Windows 95 or Windows NT 4.0 desktop. By simply selecting the Seamless Windows option when configuring a connection to a MetaFrame server, a user no longer needs to access an entire remote desktop to run remote Windows applications.
System Sizing

MetaFrame supports multiple users on a Windows Terminal Server. A multiuser system requires more system resources than a single-user system. This section contains some system sizing guidelines that can help you decide on a hardware configuration that will support your users with optimal performance. Most companies find that their users can be placed in one of two categories: typical users and power users.
Some sample configurations and supported user counts (for typical and power users) follow:

Processor                          Memory (MB)  Typical users  Power users
Pentium Pro 200MHz                 128          32             16
Pentium Pro 200MHz                 256          64             32
Dual-Processor Pentium Pro 200MHz  512          120            60

Other Peripherals

Besides the system processor and memory, the hard disk is an important factor in system throughput.
Using Performance Monitoring Tools

Use the performance monitoring tools supplied with Windows Terminal Server to monitor system performance and the effects of configuration changes on system throughput. The most important measurements for performance monitoring are the percentage of total processor time, memory pages per second, percentage of network utilization, and hard disk I/O rates.
Client drive mapping allows drive letters on the Citrix server to be redirected to drive letters that exist on the client computer. Client printer mapping allows a printer device on the Citrix server to be redirected to a printer on the client computer. Client COM port mapping allows a COM port on the client computer to be treated as a COM port on the Citrix server. Audio support allows application sounds and .wav files to be played on the client computer.
CHAPTER 2
Installing MetaFrame

Overview

This chapter describes how to install Citrix MetaFrame on a Windows Terminal Server computer. Terminal Server must already be installed and configured before MetaFrame is installed. See “System Sizing” in Chapter 1 for hardware and software requirements for Citrix MetaFrame. The topics in the chapter include:
• Before You Begin
• Upgrading to MetaFrame 1.
Before
Drive letter      Is accessed from the ICA session as:
Client Drives:
A                 A
B                 B
C                 V
D                 U
Server Drives:
C                 C
D                 D
E                 E

If you do not want the MetaFrame server drive letters to conflict with the client drive letters, the server drive letters can be reassigned to higher drive letters.
    HKEY_LOCAL_MACHINE\SYSTEM\*
    HKEY_CLASSES_ROOT\*
    HKEY_USERS\*

The pagefile entry and the following shortcut files are also updated:

    %SystemRoot%\Profiles\Default User\*.lnk
    %SystemRoot%\Profiles\Administrator\*.lnk
    %SystemRoot%\Profiles\All Users\*.lnk

The first time a user logs in to the MetaFrame server after you remap drives, references to the old drive letters in the user’s profile are updated.
Installation

To install Citrix MetaFrame
1. Log on to the Windows Terminal Server console as an administrator.
2. Insert the MetaFrame CD in the server’s CD-ROM drive. If your CD-ROM drive supports Autorun, the MetaFrame CD-ROM installation splash screen automatically appears. If the splash screen does not automatically appear, from the Start menu, click Run and type d:\i386\autorun.exe where d is the letter of your CD-ROM drive.
3.
10. The Network ICA Connections dialog box appears. Select all the network protocols this server will use for ICA connections (TCP/IP, IPX, and NetBIOS). Click Next to continue. By default, ICA connections are created for all protocols already configured in Terminal Server. If you need to configure additional ICA connections after MetaFrame installation, see Chapter 4, “Configuring MetaFrame,” for more information.
11. The TAPI Modem Setup dialog box appears.
12. If TAPI devices are installed, the Async ICA Connections dialog box appears. Select the devices to configure for dial-in ICA connections. Click Next to continue.
13. If the server drives are not already reassigned (that is, the C drive letter is assigned to a hard drive), the Drive Mapping dialog box appears.
higher drive letters.

Note: Please read the “Drive Mapping and Server Drive Reassignment” section of this chapter and the information displayed in this dialog box carefully before clicking Next. This process is not reversible and should be well understood before continuing.

14. The Server Drive Reassignment dialog box appears.
2. If you have a multiport async adapter, select a port on which to run autodetection. MetaFrame Setup auto-detects the modem connected to the specified port. You can configure multiple ports with the same modem type in Step 5 below.
3. Windows NT searches for your modem. The detected modem is displayed. If this is the correct modem type, click Next and proceed to Step 5.
   — Or —
   If you want to select another modem type, click Change.
8. The Modems Properties dialog box appears. To change the configuration of an existing modem, select the modem and click Properties. To add another modem, click Add and repeat Steps 1 through 5. When you are finished, click Close and then click Next in the TAPI Modem Setup dialog box.

Running Setup in Unattended Mode

Use unattended setup to install or upgrade MetaFrame without operator intervention.
To perform an unattended installation or upgrade
1. Insert the MetaFrame CD-ROM in the CD-ROM drive of the Terminal Server computer, or insert the MetaFrame CD-ROM in a CD-ROM drive accessible over the network. If your CD-ROM drive supports Autorun, the MetaFrame CD-ROM start window automatically appears. Close the start window.
2.
A Sample Answer File

Here is a sample answer file that performs the following actions during MetaFrame Setup:
• Installs two licenses (a base license and a server extension license)
• Configures ICA connections for the TCP/IP, IPX, and NetBIOS protocols
• Reassigns the server drive C to drive M

    [License Serial Numbers]
    CTX
    CTX

    [ICA Network Protocols]
    TCP=yes
    IPX=yes
    NETBIOS=yes

    [Drive Reassignment]
    ReassignDriveLetter
CHAPTER 3
Citrix Licensing

Overview

This chapter explains Citrix licensing. Topics in this chapter include:
• What is Citrix Licensing?
• The Citrix Licensing Program
• Getting an Activation Code

What is Citrix Licensing?

Citrix licensing is separate from Microsoft licensing. There are two types of Citrix licenses:
• Base licenses. The base license enables the multiuser features of your Citrix server and can include a user count.
To activate a Citrix license you use three numbers:

serial number      The number on your CD case that you enter during setup.
license number     The serial number appended with a code that makes it unique to this server.
activation code    A number that validates and enables a Citrix license.

Understanding User Counts

Base licenses and user licenses come with a user count.
In addition, if you are using the ICA Win16 or Win32 clients from MetaFrame 1.0 or earlier, all sessions must use the same network protocol (TCP/IP, IPX, NetBIOS).

Important: Citrix servers exhaust all local (un-pooled) user counts before giving out pooled user counts. A user assigned a local user count uses a second user count when starting a second session on a different Citrix server.

The Citrix Licensing Program

Use Citrix Licensing to maintain Citrix licenses.
Starting Citrix Licensing

To start Citrix Licensing
• Click the Start button. Point to Programs. Point to MetaFrame Tools. Click Citrix Licensing.

The Citrix Licensing utility appears, displaying all licenses currently installed on your MetaFrame server. Each license has an icon to its left that describes the license. The icons are:

Icon    Description
        The license is a base license.
        The license is a server extension license.
        The license is of an unknown type.
To add a license serial number
1. On the License menu, click Add. The Enter License Serial Number dialog box appears.
2. Type the serial number exactly as it appears on the serial number sticker on the CD case. Click OK. If you enter the serial number incorrectly, an error message appears.
3. A message box containing important information about your license appears, including the grace period before activation is required.
Important: Once a disk-based license is applied, it cannot be removed and installed again.

5. A message box appears containing important information about the license. Read the information in this box carefully and click OK when done.
6. The new license number, with an 8-character code appended, now appears in the license list.

Getting an Activation Code

Citrix uses an activation code-based licensing system.
3. On the License menu, select Activate License. The Activate License dialog box appears:
4. Enter your activation code and click OK.

Printing Unactivated Licenses

You can print the license number of unactivated licenses. This is useful for archival purposes or to help with license activation.

To print unactivated licenses
• From the License menu, select Print non-activated Licenses.

Adjusting the Pooled User Count

By default, all user licenses are pooled.
To change the number of user counts pooled across Citrix servers
1. Select the license to adjust.
2. From the License menu, click Change Pool Count. The License dialog box appears:
3. Adjust the pooled user license count for this license.

Removing a License

To remove a Citrix license
1. Select the license to be removed. Be sure to write down the complete license number before proceeding.
2. From the License menu, click Remove.
CHAPTER 4
Configuring MetaFrame

Overview

This chapter describes the Citrix MetaFrame extensions to Windows Terminal Server that allow for configuration and administration of the enhanced ICA features.
MetaFrame Administrative Tools

This section explains the MetaFrame tools used for administration and the extensions to Terminal Server utilities added by MetaFrame Setup.

To start MetaFrame tools from the Start menu
1. Click Start, point to Programs, point to MetaFrame Tools.
2. Click the name of the tool.

You can also use the ICA Administrator Toolbar to quickly access common MetaFrame tools. You can configure the toolbar by right-clicking the toolbar.
Citrix Licensing

Use Citrix Licensing to:
• Add and remove Citrix base and server extension licenses
• Activate installed licenses
• Pool user licenses across servers
• Restrict user licenses to a single server

For more information on using the Citrix Licensing utility, see Chapter 3, “Citrix Licensing.”

Citrix Server Administration

Citrix Server Administration is an enhanced version of the Terminal Server Administration tool.
ICA Client Printer Configuration

Your end-users can use ICA Client Printer Configuration to:
• Create and connect to ICA Client printers.
• Create print queues for ICA Clients that do not support native print queues, such as the ICA DOS Client.

For more information on using ICA Client Printer Configuration, see the ICA Client Administrator’s Guides for the clients you plan to deploy.
Published Application Manager

Use Published Application Manager to configure and manage server farms and published applications. You can:
• Publish applications, videos, and server desktops
• Create template HTML and ICA files for ICA Web Clients
• Create a farm of Citrix servers
• Add a server to a farm
• Change the farm to which a server belongs

For more information on using Published Application Manager see Chapter 5, “Publishing Applications.
For more information on configuring per-user settings, see the User Manager for Domains online help. For more information on configuring per-client settings, see the Citrix ICA Client Administrator’s Guides for the clients you plan to deploy.

Important: The per-connection settings specified in Citrix Connection Configuration take precedence over per-user or per-client settings.
Adding ICA Network Connections

Use the following procedure to add Network ICA connections; for example, if you install an additional protocol such as IPX.

To create a network ICA connection
1. Run Citrix Connection Configuration.
2. On the Connection menu, click New. The New Connection dialog box appears:
3. Enter a name for this connection in the Name box.
4. In the Type list, click Citrix ICA 3.0.
5. In the Transport list, click the transport protocol.
6.
Note: You cannot configure a modem or serial port as both a RAS service port and a connection port. You cannot configure a serial null modem cable connection using the Dial-Up Networking Serial Cable between 2 PCs option. You must configure the connection directly from Citrix Connection Configuration.

To create an asynchronous ICA connection
1. Run Citrix Connection Configuration.
2. On the Connection menu, click New. The New Connection dialog box appears.
3.
Configuring Basic ICA Connection Options

This section provides information on configuration options specific to ICA connections. For information on other connection options, see the Citrix Connection Configuration online help. ICA network, asynchronous modem, and asynchronous serial null modem cable connections each have different configuration options available.
Configuring Async Serial Connections

The Device Connect On, Baud, Set Defaults, Advanced, and Test options are only present for direct (null modem cable) serial connections. The options for Async Transport Configuration include:

Option               Description
Device               The serial port associated with the connection.
Device Connect on    Specifies the signal used to determine when the connection is established and ready for user logon.
Configuring Advanced Async Options

Click Advanced in Async Transport Configuration to access the Advanced Async Configuration dialog box. Use this dialog box to configure the following options:

Option                   Description
Flow Control             Specifies the type of flow control to use for the connection.
Hardware Flow Control    Specifies the hardware signals that indicate the receive buffer is full.
Configuring Advanced ICA Connection Options

The options on the Advanced Connection Settings dialog box in Citrix Connection Configuration provide additional control over security and performance on ICA connections. The Advanced Connection Settings options for Terminal Server connections apply to Citrix ICA connections. For more information about advanced options, see the Citrix Connection Configuration online help.
Configuring ICA Encryption

You can specify the minimum level of encryption for the ICA connection. The default level is Basic. Strong encryption using the RC5 algorithm is available with Citrix SecureICA Services. SecureICA Services enables RSA RC5 encryption with 40-, 56-, or 128-bit minimum session keys. If the Citrix server is configured to allow RC5 56-bit connections, the Citrix ICA Client can connect with RC5 56- or 128-bit encryption.
The Client Audio Quality options are:
• High. This setting is only recommended for connections where bandwidth is plentiful and sound quality is important. This setting allows clients to play a sound file at its native data rate. Sounds at the highest quality level require about 1.3Mbps of bandwidth to play clearly. Transmitting this amount of data can result in increased CPU utilization and network congestion.
• Medium.
During a session, users can use ICA Printer Configuration to map client devices not automatically mapped at logon. For more information on using the ICA Printer Configuration utility, see the Citrix ICA Client Administrator’s Guides for the clients you plan to deploy.

Controlling Client Device Mappings

Client device mapping options are specified in the Client Settings dialog box in Citrix Connection Configuration.
How MetaFrame Assigns Drive Letters to Mapped Client Drives

By default, the drives on the client system are automatically mapped to drive letters on the MetaFrame server during logon. The server tries to match the client drives to the client drive letters; for example, the client’s first floppy disk drive to A, the second floppy disk drive to B, the first hard drive partition to C, etc.
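The following Python sketch is an added illustration, not part of the Citrix guide or of MetaFrame itself. It models the mapping shown in the Chapter 2 drive table and lists the client letters that point at a server disk once the user is inside a session; the rule that conflicting client drives receive letters counting down from V is an assumption inferred from that table (client C becomes V, client D becomes U), and the drive sets in the sample are constructed.

```python
import string

# Assumption inferred from the guide's table (client C -> V, client D -> U):
# a client drive whose letter is taken gets the next free letter counting
# down from V.
_UPPER = string.ascii_uppercase
FALLBACK_LETTERS = _UPPER[: _UPPER.index("V") + 1][::-1]  # "VUT...A"


def map_client_drives(client_drives, server_drives):
    """Return {client letter: letter that drive has inside the ICA session}."""
    in_use = {d.upper() for d in server_drives}
    mapping = {}
    for letter in sorted(d.upper() for d in client_drives):
        if letter in in_use:
            # Letter already belongs to a server drive or an earlier mapping.
            in_session = next(
                (c for c in FALLBACK_LETTERS if c not in in_use), None
            )
        else:
            in_session = letter
        mapping[letter] = in_session  # None means no letter was free
        if in_session:
            in_use.add(in_session)
    return mapping


def session_view(client_drives, server_drives):
    """Return {session letter: (owner, original letter)} as the user sees it."""
    view = {d.upper(): ("server", d.upper()) for d in server_drives}
    mapped = map_client_drives(client_drives, server_drives)
    for original, in_session in mapped.items():
        if in_session:
            view[in_session] = ("client", original)
    return dict(sorted(view.items()))


def shadowed_letters(client_drives, server_drives):
    """Client letters that name a server disk once the user is in a session.

    A path such as C:\\ typed or saved to inside the session lands on the
    server for every letter returned here, not on the user's own disk.
    """
    servers = {d.upper() for d in server_drives}
    return sorted(d.upper() for d in client_drives if d.upper() in servers)


if __name__ == "__main__":
    client = "ABCD"  # constructed sample: two floppies, two hard drives
    # "CDE" is the default server layout from the guide's table; "MNO" is a
    # constructed layout after reassigning server drive C to M.
    for label, server in (("default", "CDE"), ("reassigned", "MNO")):
        print(label, session_view(client, server),
              "shadowed:", shadowed_letters(client, server))
```

With the default server layout the user's C and D are shadowed by server disks; after reassignment every client drive keeps its own letter in the session.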
4. Repeat Step 3 for each subsequent partition. Assign drive letters sequentially in the same order they were originally assigned. If a CD-ROM drive is present, it should be sequentially last in the drive letter list.
5. On the Partition menu, click Commit Changes Now. This saves the changes and reboots the system.

When the system reboots, the drive letters are changed to the new drive letters. You can install applications, set up users, and configure connections.
Client COM Port Mapping

Client COM port mapping allows a remote application running on the Citrix server to access devices attached to COM ports on the client computer. Client COM ports are not automatically mapped to server ports at logon, but can be mapped manually using the net use or change client commands. See Appendix A, “MetaFrame Command Reference,” for more information on the change client command.
The Citrix Server Administration Window

The Citrix Server Administration window has two panes. The left pane displays Citrix servers, domains, Terminal Servers, sessions, and published applications. The right pane has several tabs that you can use to display information about the objects selected in the left pane. The tabs displayed in the right pane change depending on the type of selected object; for example, if a session or server is selected.
Click the Published Applications tab to switch the left pane to the published applications view. This view shows the published applications on the network. Click the Video Servers tab to switch the left pane to the video servers view. This view shows Citrix video servers on the network. Click the Servers tab to return to the servers view.
Applications Tab

The Applications tab is available when Published Applications is selected in the published applications pane. The Applications tab displays information about applications published on the network.

Users Tab

The Users tab shows information about currently logged on users. Clicking a server in the left pane shows all users with sessions on that server. Clicking a domain shows users with sessions on all servers.
Session

When a session is selected in the left pane, information on the user, session, and client is displayed.

Published Application

When a published application is selected in the left pane, information on the published application is displayed.

Modules Tab

The Modules tab displays the files in use by the Citrix ICA Client when a session is selected. The Modules tab can be used to diagnose problems with the connection.
Managing Servers, Users, Sessions, and Processes

Use the Citrix Server Administration utility to manage the users, sessions, and processes on a Citrix server or Terminal Server. You can connect and disconnect sessions, shadow ICA sessions, reset sessions in case of error, manage processes, and send messages to users on your server or on other servers on the network.

Disconnecting a Session

To disconnect a session, click Disconnect on the Action menu.
In Title, enter the text for the title of the message dialog box. In Message, enter the text of the message. Click OK to send the message. The message appears on the user’s screen:

Note: Multiple lines can be entered in either box by using CTRL+ENTER to move to a new line in the edit box.

Shadowing a User’s Session

You can monitor the actions of users by shadowing their sessions. The shadowed session is displayed in the shadower’s session.
The shadowing session must be capable of supporting the video resolution used by the shadowed session. If the shadowing session does not support the required video resolution, the operation fails. You cannot shadow the system console from another session. You cannot use Citrix Server Administration to shadow other sessions from the system console. To shadow sessions from the system console, use the Shadow Taskbar.
Logging Users off the Server
You can forcefully end a user’s session by selecting the user in the Users tab and clicking Logoff on the Action menu. If you select multiple users, each user is logged off. Logging off users without giving them a chance to close their applications can result in data loss.

Terminating Processes
You can forcefully end a user or system process by selecting the process from the Process tab and clicking Terminate on the Action menu.
Select the Save Settings on Exit check box to save your current settings when Citrix Server Administration closes. At startup, Citrix Server Administration connects only to the server from which it is running. If you want Citrix Server Administration to reconnect to all the servers you were connected to previously, select the Remember Server Connections check box.
Understanding the ICA Browser Service
The ICA Browser maintains data on Citrix servers and published applications. Separate data is maintained for each network transport (TCP/IP, IPX, and NetBIOS). The ICA Browser consists of a master browser, member browsers, and client systems. The ICA Browser uses directed packets to communicate with other ICA Browser services running on Citrix servers.
Browser Elections
The ICA Browser system elects a master browser under the following conditions:
• The current master browser does not respond to another ICA Browser
• The current master browser does not respond to an ICA client
• A Citrix server is started
• Two master browsers are detected on the same network subnet
A set of election criteria is used to choose a master browser.
How ICA Clients Use the Master ICA Browser
Citrix ICA Clients must locate the master browser to get the address of a server or published application. The Citrix ICA Client can locate the master browser by sending out broadcast packets, or, if the address of a Citrix server is specified in the Citrix ICA Client or in an ICA file, the ICA Client locates the master browser by sending directed packets to the specified address.
For ICA Gateways to function on IPX networks, routers must be configured to route raw IPX packets. For more information on the ICA Browser service, see “Understanding the ICA Browser Service” earlier in this chapter.

Home Directories and Profile Paths
If you have WINFRAME and Terminal Server servers in the same domain, the Terminal Server profile path box references the same data as the WINFRAME profile path box.
CHAPTER 5
Publishing Applications

Overview
This chapter describes application publishing.
User Access
When you publish applications, user access to those applications is greatly simplified in three areas:
• Addressing. Instead of connecting to a Citrix server by its IP address or server name, ICA Client users can connect to a specific application by whatever name you give it. Connecting to applications by name eliminates the need for users to remember which servers contain which applications.
• Navigation of the server desktop.
• Start the ICA Client on the client device; get an IP address or server name of a Citrix server from an administrator or from the server browsing service provided in ICA Clients; start the ICA Client’s connection wizard, specify the address and configure connection options such as encryption, window size, and color, double-click the connection object; log on to the Citrix server desktop; navigate the desktop for the word processing program’s desktop shortcut,
Administrative Control
When you publish applications, you get greater administrative control over application deployment with:
• Selected user access. You publish applications for specific users and user groups. By definition, an application you publish for a specific user group is unavailable to other groups.
• Enabled and disabled application access. You can temporarily restrict all access to an application by disabling it.
To the ICA Client user, a published application is an application that appears very similar to an application running locally on the client device. The way the user starts the application depends upon the ICA Client in use on the client device.

Program Neighborhood users
After starting Program Neighborhood, these users find a list of applications published for their user account or user group.
The master ICA Browser selects one of the servers based on load and returns the address of that server to the ICA Client. You can tune how load balancing support calculates server load for each server in a load balancing server farm using the Load Balancing Administration utility. For instructions on balancing application load, see Chapter 6, “Advanced Topics.”

Videos
In order to publish videos, you must install Citrix VideoFrame on your network.
• Common administrator’s rights. The individuals responsible for administration of a farm should have administrative rights over each server in the farm. When you log into a Citrix server console or ICA session and run Published Application Manager, you administer applications under the context of your current Windows NT user name.
Two domains, named A and B
Domains A and B have a one-way trust relationship in which domain A trusts B. The trust intersection of these two domains is B. You can configure published applications for all user accounts on domain B. Note that a server that is a member of a Windows NT workgroup can never belong to a multiple server farm because there is no trust intersection between a workgroup and a domain.
Server Farm Arrangements
You can configure your server farms in multiple ways depending upon your needs and the existing structure of your network. The following diagrams illustrate some of the ways you can arrange Citrix servers in server farms. The farm depicted above contains either a single server in a Windows NT domain or a single server in a Windows NT workgroup.
A farm containing a single server that is a member of a Windows NT domain can expand to contain additional servers: The farm depicted above contains multiple servers from a single Windows NT domain. The user account base for this farm is simple: when you publish an application in this farm, you can grant access to any desired domain user or user group.

Note: You cannot use each server’s local user or user group accounts when publishing applications.
Server farms can include multiple domains as long as a common base of user accounts exists between the domains. In the example above, the trust relationship between Domain 1 and Domain 2 determines the user account base. Each domain can contain a single or multiple servers.
Tip: You do not have to create separate server farms to deliver different applications to different user groups in the common account base. Although each application you publish is published in the server farm, each user in the common account base sees only the applications he or she is authorized to use. Multiple farms do not have to include multiple domains; you can create multiple farms containing servers that are members of a single domain.
Windows NT Domains Scope
If you do not add your servers to a Citrix server farm, Published Application Manager functions in the Windows NT domains scope of management. In this scope, the applications you publish do not support Program Neighborhood features. The Windows NT domains scope exists for backward compatibility and interoperability with existing WINFRAME 1.7 and MetaFrame 1.0 installations.
Use the Server Farm Application Migration wizard after placing a server with an existing base of published applications into a farm for the first time or after upgrading a pre-MetaFrame 1.8 server containing previously published applications to MetaFrame 1.8.
To change farm membership
1. Make sure you are in the server farm management scope. (From the View menu, click Select Scope. In the dialog box that appears, click the Within a Citrix server farm radio button and then select the farm of which the server is a member in the Select a Citrix server farm pull-down list.)
2. Make sure you are viewing the server whose membership you want to change. (From the View menu, click Select Server.
Selecting a Scope of Management
The Select Scope menu option lets you switch between Published Application Manager’s two scopes of management: Citrix server farms and Windows NT domains.

To select a scope of management
1. From the View menu, click Select Scope. The Select Management Scope dialog box appears.
2. To publish applications in a server farm, click Within a Citrix server farm. The Choose Server Farm panel appears in the bottom half of the dialog box.
The main window’s titlebar displays the currently selected server or servers. In this case, All Servers indicates that the current view displays all applications configured on all servers in the OLDB Farm. If you are using the server farm scope of management to view a selected server in a farm, the application list includes only those applications published on that server: In this case, the applications configured on OLDB Farm’s server Bolivar2 are displayed.
Filtering the Servers in
To filter servers
1. From the View menu, click Select Server.
2. In the Select Citrix Server dialog box, click Filter Servers By. The Filter Servers By dialog box appears.
Select the criterion, or criteria, by which you want to filter your servers. For example, if you select Load Balancing and SecureICA (North American), the applications displayed are those running on servers with SecureICA Services North American version and Load Balancing Services installed.
If an application published on the Citrix server can be accessed by guest-level users, the application can be configured (using Published Application Manager) to allow access by anonymous users. When a user starts an anonymous application, the Citrix server does not require an explicit user name and password to log the user onto the server, but selects a user from a pool of anonymous users who are not currently logged on.
5. In the User menu, click Copy.
6. Enter a unique name in Username and click Add. Though not a requirement, it is best to use names of the form Anonxxx, following the pattern of the existing anonymous users. (You can use any name as long as the user is part of the Anonymous group.)
7. Repeat to add multiple users.
8. After the last anonymous user is added, click Close.
9. Exit User Manager for Domains.
Security Considerations
In addition to using standard Windows NT security features and practices, access to Citrix servers can be restricted in several ways:
• All users on a specific connection type can be restricted to running published applications only. By allowing users to access predefined applications only, you can prevent unauthorized users from obtaining access to the Windows desktop or a command prompt.
To publish an application in a server farm
In order to publish an application in a server farm, the server or servers which are to host the application must be members of a farm. Make sure the server is a member of a farm before attempting to publish the application. See “Joining a Server Farm” earlier in this chapter for more information.
1. Make sure you are in the server farm management scope. (From the View menu, click Select Scope.
Publishing a Video
Before publishing a video, you must encode the video using the Citrix VideoFrame Encoder and then copy the video (.avi) file to a VideoFrame server.

To publish a video
1. Use the standard application publishing wizard to publish a video. (From the Application menu, click New.) If you are viewing more than one server when you start the wizard, you are asked to select a default server for the video. Select any server in the farm or domain.
2.
You can type a UNC name or network drive and full path or click Browse to locate the file server that contains your IMS script and package. In the Choose Application dialog box that appears, select IMS Scripts from the Files of type list box and then locate and select your script.
3. Proceed through the wizard as usual until you reach the Add the Application to Citrix Servers screen. Click Filter Servers By.
Maintaining Published Applications
After you publish an application, you can later change its properties. Common reasons to change a published application’s settings include when you want to:
• Rename the published application. This modification changes the name under which ICA Client users access the application.
• Change the list of users allowed to run the application.
• Change the list of Citrix servers hosting the application.
Deleting Published Applications
Deleting a published application removes all published application configuration information from each server in the published application’s list of configured servers.
CHAPTER 6
Advanced Topics

Overview
This chapter discusses advanced MetaFrame system administration topics.
Understanding MetaFrame Load Balancing
Load balancing allows an application to be published for execution on any of several Citrix servers in a server farm. When a published application or desktop session configured for multiple servers is launched from a Citrix ICA Client, load balancing selects which server will run the application or desktop session based on server load.
To reconnect to disconnected load balanced sessions, the following criteria must be met:
• The user must disconnect gracefully from the server; for example, by clicking Disconnect from the Start menu.
• The user must reconnect from the same Citrix ICA Client computer (using the same client name).
You can use query server /disc to view a list of disconnected sessions.
To adjust basic load balancing settings
• Click a Citrix server in the server list pane. The Basic load balance settings tab for the selected server appears in the right pane:

To balance two or more servers in a Load Balancing farm
1. Determine how many users each server can support.
2. Click on the servername in the left pane and then click the Basic tab.
3. Enter the number of users determined in Step 1 in the Assume User Load is at 100% at x users box.
4.
To adjust advanced load balance parameters
1. Click on the servername in the left panel and then click the Advanced tab.
2. Set the importance factor for each load balancing parameter.
3. Click Save.
4. Repeat for each server in the farm.

Adjusting a Server’s Load Balance Calculation
Use Load Balancing Administration to adjust six factors that influence the calculation of the overall server load.
• Pagefile Usage. The ratio of the current pagefile size to the allowed minimum free space left in the pagefile.
• Swap Activity. The number of times per second the pagefile is accessed.
• Processor Usage. The percent of time the processor is busy.
• Memory Load. The ratio of available memory to total physical memory.
• Sessions. The ratio of total configured ICA connections to free ICA connections.
• Overall Adjustment.
• The maximum number of users the system can support. The maximum number of users the system can support is the smaller of:
  • The number of ICA connections per protocol. By default, the number of ICA connections for each protocol is unlimited on MetaFrame servers and two on WINFRAME servers.
  • A user definable number. By default, the user definable number is simply an arbitrarily large number.
Click the Advanced tab to adjust the importance of advanced factors when calculating overall system load. The Importance factor for each parameter can be adjusted independently of any others.

MetaFrame Security Tools
In addition to the security issues common to Microsoft Windows NT Server, Windows Terminal Server has additional security issues related to remote control; that is, its ability to allow remote users to log on and execute applications remotely.
The Aclcheck utility is used to display file and directory permissions that give excessive access to users and groups. The Aclcheck utility can be used to verify the security of the MetaFrame server. See Appendix A, “MetaFrame Command Reference” for more information on using Aclcheck. See the Windows Terminal Server documentation for information on using the Security Configuration utility.
Using ICA with Network Firewalls
Network firewalls can allow or block packets based on the destination address and port. If you are using ICA through a network firewall, use the information provided in this section to configure the firewall.

ICA TCP/IP Connection Sequence
1. The Citrix ICA Client sends a packet to port 1494 on the Citrix server requesting a response to a randomly selected port above 1023.
2.
ICA Browsing With Network Address Translation
Some firewalls use IP address translation to convert private (Intranet) IP addresses into public (Internet) IP addresses. Public IP addresses are called “external” addresses because they are external to the firewall, whereas private IP addresses are said to be “internal” addresses. Hosts on the internal network have one set of addresses that is translated to another set when passing through the firewall.
In addition to specifying the alternate address on the Citrix server, the ICA Client must be configured to request the alternate address when contacting the master ICA Browser. For information on configuring ICA Clients to request the alternate address, see the Citrix ICA Client Administrator’s Guides for the clients you plan to deploy.

General Tips and Troubleshooting
This section provides some tips and troubleshooting information for Citrix servers.
APPENDIX A
MetaFrame Command Reference

Overview
This appendix describes the MetaFrame command line utilities.
ACLCHECK Security Audit Utility

Description
This command is identical to query acl. Aclcheck performs a file security audit on the specified directory or drive letter. Aclcheck reports file accesses allowed by accounts other than Administrator, Administrators, or SYSTEM. Aclcheck can also generate a report of registry keys that have Delete, Write, Add, Link, Change Permissions, or Take Ownership permissions for non-administrator users.
If no arguments are specified, aclcheck checks all local drives and then checks the HKEY_LOCAL_MACHINE portion of the system registry.
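The two reporting rules described for aclcheck, applied to constructed ACL entries in Python. This is an added example, not Citrix code and not aclcheck's real input or output format; the record layout, the sample entries, the handling of domain prefixes and deny entries, and the mapping of the guide's permission names onto Windows access-mask bits are assumptions.

```python
"""Aclcheck-style reporting rules applied to constructed ACL entries."""
from dataclasses import dataclass

# Accounts the guide names as expected holders of access.
TRUSTED = {"administrator", "administrators", "system"}

# Standard and registry-specific access-mask bits (Windows SDK values).
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000
KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_CREATE_LINK = 0x0002, 0x0004, 0x0020
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
KEY_ALL_ACCESS, KEY_WRITE = 0x000F003F, 0x00020006

# Assumed mapping of the guide's permission names onto mask bits.
RISKY_KEY_RIGHTS = {
    "Delete": DELETE,
    "Write": KEY_SET_VALUE,
    "Add": KEY_CREATE_SUB_KEY,
    "Link": KEY_CREATE_LINK,
    "Change Permissions": WRITE_DAC,
    "Take Ownership": WRITE_OWNER,
}


@dataclass(frozen=True)
class Ace:
    obj: str       # file path or registry key
    kind: str      # "file" or "key"
    trustee: str   # account name, optionally with a domain prefix
    allow: bool    # True for an access-allowed entry
    mask: int      # access mask


def is_trusted(trustee: str) -> bool:
    """Compare only the account part, case-insensitively (assumption)."""
    return trustee.rsplit("\\", 1)[-1].strip().lower() in TRUSTED


def expand_generic(mask: int) -> int:
    """Fold generic bits into the registry rights they imply."""
    if mask & GENERIC_ALL:
        mask |= KEY_ALL_ACCESS
    if mask & GENERIC_WRITE:
        mask |= KEY_WRITE
    return mask


def audit(aces):
    """Return (object, trustee, detail) findings in input order."""
    findings = []
    for ace in aces:
        # Deny entries, empty masks and expected accounts are not reported.
        if not ace.allow or ace.mask == 0 or is_trusted(ace.trustee):
            continue
        if ace.kind == "file":
            # File rule: any access allowed to another account is reported.
            findings.append((ace.obj, ace.trustee, f"access 0x{ace.mask:08X}"))
        elif ace.kind == "key":
            # Registry rule: only the six modifying rights are reported.
            mask = expand_generic(ace.mask)
            names = [n for n, bit in RISKY_KEY_RIGHTS.items() if mask & bit]
            if names:
                findings.append((ace.obj, ace.trustee, ", ".join(names)))
    return findings


SAMPLE = [  # constructed entries, not output from a real server
    Ace(r"C:\Wtsrv\System32", "file", r"BUILTIN\Administrators", True, 0x001F01FF),
    Ace(r"C:\Wtsrv\System32", "file", "Everyone", True, 0x001301BF),
    Ace(r"C:\Apps\Ledger", "file", r"NT AUTHORITY\SYSTEM", True, 0x001F01FF),
    Ace(r"C:\Apps\Ledger", "file", r"EXAMPLE\Guests", False, 0x001F01FF),
    Ace(r"HKLM\SOFTWARE\ExampleApp", "key", r"EXAMPLE\Domain Users", True, 0x00020019),
    Ace(r"HKLM\SOFTWARE\ExampleApp\Run", "key", "Everyone", True, 0x0002001F),
    Ace(r"HKLM\SOFTWARE\ExampleApp\Cfg", "key", "Anon000", True, GENERIC_WRITE),
]

if __name__ == "__main__":
    for obj, trustee, detail in audit(SAMPLE):
        print(f"{obj}: {trustee} -> {detail}")
```

Read-only registry access (the Domain Users entry) is not reported, while a generic write grant is expanded first so that it is.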
ACLSET Set Default Security ACLs

Description
Aclset automatically secures all files and directories on all hard drives. Aclset secures all files, directories, and drives. After the file systems are secured, use the Security Configuration utility and other tools to selectively enable user access to files and directories. This method makes sure that there are no file system security leaks.
ALTADDR Specify Alternate Server IP Address

Description
Altaddr is used to query and set the alternate (external) IP address that a MetaFrame server returns to clients who request it. The alternate address is an external address used by Citrix ICA Clients outside a firewall.
APP Application Execution Shell

Description
App is a script interpreter for secure application execution. App lets you write execution scripts that copy standardized .ini files containing default settings to user directories before starting the application and that perform application-related cleanup after the application terminates. The script commands are described below.
execute
Executes the program specified by the path command using the working directory specified by the workdir command.
path executablepath
Sets the program to be executed by executablepath.
workdir directory
Sets the default working directory to the path specified by directory.

Examples
The following script file runs the Solitaire card game, Sol.exe:
PATH C:\Wtsrv\System32\Sol.exe
WORK
AUDITLOG Generate Logon/Logoff Reports

Description
The auditlog utility generates reports of logon/logoff activity for a MetaFrame server based on the Windows NT Server security Event Log. To use auditlog, logon/logoff accounting must be enabled. Report output can be redirected to a file.
/write:filename
Specifies the name of an output file. Creates a comma-delimited file that can be imported into an application such as a spreadsheet to produce custom reports or statistics. It generates a report of logon/logoff activity for each user, displaying logon/logoff times and total time logged on. If filename exists, the data is appended to the file.
CHANGE CLIENT Change ICA Client Device Mapping Settings

Description
Change client changes the current ICA Client device mapping settings.

Syntax
change client [/view | /flush | /current]
change client [{/default | [/default_drives] | [/default_printers]} [/ascending]] [/noremap] [/persistent] [/force_prt_todef] [/delete host_device] [host_device client_device] [/?]

Parameters
host_device
Specifies the name to be given to a mapped client device.
/noremap
If /noremap is specified, client drives that conflict with MetaFrame drives are not mapped.
/persistent
Saves the current client drive mappings in the user’s profile.
/force_prt_todef
Sets the default printer for the MetaFrame client session to the default printer on the client’s Windows desktop.
/delete host_device
Deletes the client device mapping to host_device.
The /default option maps the drives and printers on the client PC to mapped drives and printers on the MetaFrame server. The A and B drives are always mapped to A and B on the MetaFrame server. Hard drives are mapped to their corresponding drive letters if those drive letters are available on the MetaFrame server. If the corresponding drive letter is in use on the MetaFrame server, the default action is to map the drive to the highest unused drive letter.
CLTPRINT Set the Number of Client Printer Pipes

Description
Sets the number of printer pipes to the client print spooler.

Syntax
cltprint [/q] [/pipes:nn] [/?]

Options
/q
Displays the current number of printer pipes.
/pipes:nn
Sets the specified number of printer pipes. This number must be between 10 and 63.
/? (help)
Displays the syntax for the utility and information about the utility’s options.
ICAPORT Configure TCP/IP Port Number

Description
Configures the TCP/IP port number used by the ICA protocol on the MetaFrame server.

Syntax
icaport {/query | /port:nnn | /reset} [/?]

Options
/query
Queries the current setting.
/port:nnn
Changes the TCP/IP port number.
/reset
Resets the TCP/IP port number to 1494, which is the default.
/? (help)
Displays the syntax for the utility and information about the utility’s options.
Example
To set the TCP/IP port number to 5000:
icaport /port:5000
To reset the port number to 1494:
icaport /reset

Security Restrictions
Only administrators can run icaport.
NDSPSVR Enable or Disable a Preferred Server for NDS Logons

Description
Use ndspsvr to enable or disable a preferred server for NDS logons.

Syntax
ndspsvr {/query | /enable:fileservername | /disable} [/?]

Options
/query
Queries the current setting.
/enable:fileservername
Enables the preferred server.
/disable
Disables the preferred server.
/? (help)
Displays the syntax for the utility and information about the utility’s options.
QUERY ACL Security Audit Utility

Description
This command is identical to aclcheck. It performs a file security audit on the specified directory or drive letter. Query acl reports file accesses allowed by accounts other than Administrator, Administrators, or SYSTEM. Query acl can also generate a report of registry keys that have Delete, Write, Add, Link, Change Permissions, or Take Ownership permissions for non-administrator users.
If no arguments are specified, query acl checks all local drives and then checks the HKEY_LOCAL_MACHINE portion of the system registry.
QUERY LICENSE View Citrix Licenses

Description
Query license displays information about Citrix licenses.

Syntax
query license [/server:servername | /all] [/?]

Options
/server:servername
The Citrix server to be queried. The default is the current Citrix server.
/all
Displays information about all licenses on the network.
/? (help)
Displays the syntax for the utility and information about the utility’s options.
QUERY SERVER View Citrix Servers

Description
Query server displays information about the available Citrix servers on the network.
/gateway
Displays configured gateway addresses.
/serial
Displays license serial numbers.
/disc
Displays disconnected session data.
/serverfarm
Displays server farm names and server load.
/video
Displays VideoFrame servers.
/ping
Pings selected server.
/count:n
Number of times to ping (default: 5).
/size:n
Size of ping buffers (default: 256 bytes).
/stats
Displays browser statistics on the selected server.
Remarks
Query server uses the ICA Browser to display data about the Citrix servers present on a network. Query server with no parameters is the same as query server /tcp /ipx /netbios. On a server with two network cards, the query server command only enumerates servers on one card’s subnet at a time. To enumerate the servers on the other card’s subnet, specify the address of any server on the subnet with the /tcpserver:x, /ipxserver:x, or /netbiosserver:x parameter.
APPENDIX B
Citrix DirectICA for MetaFrame

Overview
Citrix DirectICA for MetaFrame adds support for multi-VGA adapters to Citrix MetaFrame Application Server for Windows. A multi-VGA adapter (also called a multiconsole adapter) is a hardware device that contains several VGA video adapters with additional support hardware.
System Requirements
See the “System Sizing” section in Chapter 1 for general MetaFrame hardware requirements.
Hardware Installation
This section contains separate installation procedures for the Maxspeed and Stone Microsystems adapters. You can install as many multi-VGA adapters as your system can contain, but they must all be from the same manufacturer.

To install the Maxspeed MaxStation adapter
Before installing, decide which base address to use with your multi-VGA adapter. The base address chosen must not conflict with other devices in your server.
Software Installation

To install DirectICA
1. Log on to the MetaFrame server as an administrator.
2. Insert the MetaFrame CD-ROM.
3. Click the Start button and then click Run. Type d:\drctica\setup.exe where d: is the letter of the CD-ROM drive.
4. The installation wizard guides you through the setup process.
5. A dialog appears asking you to read the Readme file.
To uninstall DirectICA
1. Make sure all users are logged off from DirectICA stations.
2. Log on using the local “Administrator” account.
3. Click the Start button, point to Settings, and then click Control Panel.
4. Double-click Add/Remove Programs to display the Add/Remove Programs dialog box.
5. Select Citrix DirectICA for MetaFrame and click Add/Remove.
6. Click Yes when the confirmation dialog box appears.
7.
3. On the Connection menu, click New. The New Connection dialog box appears.
4. Enter a name for this connection in the Name box.
5. In the Type list, click Citrix DirectICA.
6. If desired, enter a comment in the Comment box.
7. Select the DirectICA station for which to create the session. Only the stations that do not yet have connections configured are listed.
8.
• The DTR (Data Terminal Ready) and DSR (Data Set Ready) modem signals are not supported
• The RI (Ring Indicator) modem signal is not supported; most applications use CD (Carrier Detect) instead
Some applications can only access COM1 or COM2. In this case, you can reassign this port using the change port command; for example change port com1: = dcomx, where x is the DirectICA station number for which to reassign the port.
Troubleshooting
This section contains information to help you diagnose and solve common problems encountered with DirectICA.

Note: Contact your hardware manufacturer for help with hardware problems.

General Guidelines
Check the messages that appear during the “blue screen” phase of system startup for error messages relating to the multi-VGA adapter. Check the Event Viewer for error messages.
Base Address Conflicts with Maxspeed Adapters
If the DirectICA stations display a logon screen but the mice and keyboards do not work, a base address conflict is the likely cause. Compare the base address used by the multi-VGA adapter with the address ranges used by other devices on the server to see if there is a conflict.
APPENDIX C
ICA Browser Registry Keys

You do not normally need to override the default values for ICA Browser registry entries. However, for some systems you can adjust individual parameters to suit your particular needs.

To edit the registry
1. Click the Start button and then click Run.
2. Type regedt32 and click OK to load the Registry Editor.
For detailed information on how to add a parameter to a key in the registry, see the online Help for the Registry Editor.
AckTimeout REG_DWORD 0 - 0xffffffff seconds (5 = default)
Specifies the interval a browser waits for an ACK after sending a master browser update. If no ACK is received, the browser resends the update. The browser retries AckRetries times before forcing a browser election.

AgeDatabaseTime REG_DWORD 0 - 0xffffffff seconds (300 = default)
Indicates how frequently the master browser checks the “time to live” value associated with browser data.
GatewayIpx REG_MULTI_SZ Citrix server addresses
To set up an IPX gateway the remote IPX address (network:node) of a Citrix server must be specified in this list. When a master browser receives an update from a browser, it forwards the data to all configured gateways on the same network protocol. It does not matter which Citrix server the gateway address is configured on. The same address can be configured on multiple Citrix servers.
LogMask
REG_DWORD 0 - 0xffffffff (0 = default)
Specifies a bit mask for logging debug information. After changing this value, stop and start the ICA Browser to start logging to the file %systemRoot%\Ibrowser.log.
RefreshDelay
REG_DWORD 0 - 0xffffffff seconds (30 = default)
Specifies the delay after a client connects or disconnects from the Citrix server before a master browser update is sent. This delay should be large enough to let the system “settle” before sending the master browser update.

SendRetries
REG_DWORD 0 - 0xffffffff (3 = default)
Specifies the number of times the browser sends a gateway add or delete command.
Weighting Factor        Limit                        Description
BalanceICAConnections   Configured ICA connections   Number of free ICA connections
BalanceUserLicenses     BalanceMaxUserLicenses       Number of free user licenses
BalancePageFile         BalanceMinPageFile           Size of remaining page file
BalancePageFaults       BalanceMaxPageFaults         Number of page faults
BalanceMemoryLoad       -                            Memory load level
BalanceProcessorBusy    -                            Processor load

BalanceBias
REG_DWORD 0 - 0xffffffff (0 = default)
After all load ba
BalancePageFaults
REG_DWORD 0 - 1000 (100 = default)
Specifies the page fault weighting factor. Each of the weighting factors is divided by the sum of the weighting factors to arrive at ratios that are used to compute the system load level. The page fault load is calculated by dividing the number of page faults by BalanceMaxPageFaults and multiplying by the page file ratio.
BalanceICAConnections
REG_DWORD 0 - 1000 (10 = default)
Specifies the ICA connection weighting factor. Each of the weighting factors is divided by the sum of the weighting factors to arrive at ratios that are used to compute the system load level. The ICA connection load is calculated by dividing the number of free ICA connections by the number of configured ICA connections and multiplying by the ICA connection ratio.