MetaFrame Presentation Server Administrator's Guide
Citrix MetaFrame Presentation Server 4.0 for Windows
Citrix MetaFrame Access Suite
Copyright and Trademark Notice

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Copyright © 2001-2005 Citrix Systems, Inc. All rights reserved.

Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, and Program Neighborhood are registered trademarks, and SpeedScreen is a trademark of Citrix Systems, Inc. in the United States and other countries.

RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.

This product includes software developed by The Apache Software Foundation (http://www.apache.org/).

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc.

DB2, Tivoli, and NetView are registered trademarks, and PowerPC is a trademark of International Business Machines Corp. in the U.S. and other countries.

HP OpenView is a trademark of the Hewlett-Packard Company.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product.

Portions of this software are based in part on the work of the Independent JPEG Group.

Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved.

Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries.

Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.

Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc.

RealOne is a trademark of RealNetworks, Inc.

SpeechMike is a trademark of Koninklijke Philips Electronics N.V.

Unicenter is a registered trademark of Computer Associates International, Inc.

UNIX is a registered trademark of The Open Group.

All other trademarks and registered trademarks are the property of their owners.

Document Code: 2/21/05 (MM)
Contents

Chapter 1 Welcome

Chapter 2 Designing Server Farms
Overview of Server Farms
Independent Management Architecture (IMA)
Independent Computing Architecture (ICA)
Centralizing or Distributing Servers
Deciding How Many Farms to Deploy
Configuring Zones and Data Collectors
Zone Data Collectors
Server Farm Deployment Scenarios
Small Farm Central Location
Large Farm Central Location
Small Farm Distributed Sites
Small Farm Remote Sites
Large Farm Multiple Data Centers
Large Farm Regional Sites

Chapter 3

Chapter 4

Chapter 5

Migrating to MetaFrame Presentation Server
Upgrading from Versions Prior to MetaFrame XP Feature Release 3
Migrating from MetaFrame Versions 1.0 and 1.8
Migrating from MetaFrame XP, Feature Release 3, and MetaFrame Presentation Server 3.0
Installing or Upgrading Individual Servers
Creating a Log File
Using Autorun
Using the Windows Installer Package
Choosing Options during Setup
Installing MetaFrame Presentation Server
Installing the Access Suite Console
Installing the Presentation Server Console
Installing the Web Interface
Installing the Document Center
Installing Client Software on the Server
Unattended Setup of MetaFrame Presentation Server
Applying Transforms
Creating an Answer File
Performing an Unattended Installation
Cloning Servers
Uninstalling MetaFrame Presentation Server

Chapter 6

Management Console for the MetaFrame Access Suite
Users and Accounts
The Access Suite Console User Interface
Viewing Applications, Servers, and Zones in Multiple Farms
Customizing Your Displays Using My Views
Managing Sessions across Multiple Farms
Monitoring the Performance of Server Farms
Troubleshooting Alerts
Creating Reports
Configuring Application Access
Viewing Citrix Hotfix Information
Starting the Access Suite Console
Finding Items in Your Deployment Using Discovery
Management Console for MetaFrame Presentation Server

Chapter 7

Chapter 8

Configuring ICA Connection Options
Configuring Modem Callback
Configuring Direct Cable Connections
Configuring Advanced ICA Connection Options
Restricting Connections to Published Applications
Configuring ICA Encryption
Using Shadowing to Monitor ICA Sessions
Enabling Shadowing on a Server
Configuring ICA Connections for Shadowing
Configuring Audio
Step 1 - Configuring Audio for Published Applications
Step 2 - Configuring Audio Related Policy Rules
Optimizing Session Responsiveness for Users
Optimizing Keyboard and Mouse Click Responsiveness
Optimizing Web Pages and Email
Optimizing Audio and Video Playback
Optimizing Macromedia Flash Animations
Optimizing Throughput of Image Files
Configuring Client Device Mapping
Options for Client Device Mapping
Client Drive Mapping
Client Printer Mapping
Client Serial Port Mapping
Client Audio Mapping
Granting Users Execute Permission on Mapped Client Drives

Chapter 9

Deploying Client Software
Using the Components CD
Using the Client Packager for Client Deployment
Deploying Client Software over the Web
Client Deployment Practices
Manufacturing Enterprise
Application Service Provider
Insurance Company

Chapter 10

Removing Published Applications
Configuring Content Redirection
Redirecting Content from Client to Server
Redirecting Content from Server to Client
Publishing Content
Publishing Content to be Opened with Applications Published on Servers
Publishing Content to be Opened with Applications on Local Client Devices
Publishing Content on Servers
Setting CPU Priority Levels for Applications
Assigning CPU Priority Levels to Applications

Chapter 11

Controlling Use of TWAIN Devices
Managing CPU Usage
About CPU Utilization Management
Controlling CPU Utilization Management
Managing Virtual Memory Usage
About Memory Utilization Management
Controlling Memory Utilization Management
Scheduling Virtual Memory Optimization
Excluding Applications from Memory Optimization
Shadowing Sessions
Configuring User-to-User Shadowing
Monitoring Performance of Sessions and Servers

Chapter 12 Managing Printers
Overview of Printing
Printing in ICA Sessions
Printing Configuration Scenarios
Printer Management Features
Using the Printer Management Node
Using the Servers Node
Setting Up Network Printers for Client Users
Installing and Replicating Printer Drivers
Setting Up Automatic Replication of Printer Drivers
Assigning Network Printers to Users through Policies
Mapping Printer Drivers
Managing Drivers for Autocreated Printers
Configuring Autocreation of Client Printers
Autocreation for DOS and Windows CE Clients
Autocreation and Citrix Connection Configuration
Overriding Default Settings for Client Printers
Using MetaFrame Presentation Server Universal Printing
Specifying Printer Drivers for Client Printing
Limiting Printing Bandwidth in Client Sessions
Limiting Printing Bandwidth through Policies
Limiting Printing Bandwidth through Server Settings

Appendix A MetaFrame Presentation Server Commands

Appendix B Customizing Setup
Creating Transforms
Creating Administrative Installations
Setup Property Names and Values

Appendix C Performance Counters
IMA Networking Counters
MetaFrame Presentation Server Counters
ICA Session Counters
Secure Ticket Authority (STA) Performance Counters

Appendix D

CHAPTER 1
Welcome
The MetaFrame Presentation Server suite of products provides integrated management capabilities for system administrators, along with ease of use and productivity enhancements for users who access applications using MetaFrame Presentation Server Clients.

Important: Before you install MetaFrame Presentation Server, read the Readme file, located in the Documentation directory of the product CD.

For information about new and important features, see Getting Started with MetaFrame Presentation Server.

Citrix provides a variety of information resources online, including a complete product documentation library, documentation updates, and technical articles on the Citrix Web site at http://www.citrix.com.

This Administrator's Guide is part of the MetaFrame Presentation Server documentation set. The documentation set includes online guides that correspond to different features of MetaFrame Presentation Server. Online documentation is provided as Adobe Portable Document Format (PDF) files.

Use the Document Center to access the complete set of online guides. The Document Center provides a single point of access to the documentation that enables you to go straight to the section you need. The Document Center includes:
• A list of common tasks and a link to each item of documentation.
• A search function that covers all the PDF guides. This is useful when you need to consult a number of different guides.
• Cross-references among documents. You can move among documents as often as you need using the links to other guides and the links to the Document Center.
Important: To view, search, and print the PDF documentation, you need Adobe Acrobat Reader 5.0.5 or later with Search. You can download Adobe Reader for free from the Adobe Systems Web site at http://www.adobe.com/.

If you prefer to access the guides without using the Document Center, you can navigate to the component PDF files using Windows Explorer. If you prefer to use printed documentation, you can also print each guide from Adobe Reader.

More information about Citrix documentation, and details about how to obtain further information and support, is included in Getting Started with MetaFrame Presentation Server.
CHAPTER 2
Designing Server Farms
Read this chapter to understand how server farms are structured and how you should design farms to provide users with easy access to applications and resources. This chapter discusses the following topics you should consider when designing a farm:
• Overview of server farms. Farms are the central unit through which to organize and manage MetaFrame Presentation Server.
• Centralizing or distributing servers. How you organize server location is largely driven by the location of your users, the location of users' applications and data, and your network environment. There are advantages to either centralizing servers at one site or distributing them among multiple sites.
• Deciding how many farms to deploy. Although most deployments use a single farm, you can consider deploying separate farms for remote sites or environments with tight firewall security between sites.
• Planning zones in farms. You can use zones to group servers by subnet or location, control communication, enhance performance, or discourage bottlenecks between groups of servers within the farm. Servers in a zone can communicate directly with one another.
• Server farm deployment scenarios. You can review and draw from these six common farm configurations when designing your deployment. The scenarios range from a small single-zone farm centralized in one location to a large multizone farm with regional sites.
For information about configuring the most appropriate licensing deployment for your farm, see the MetaFrame Access Suite Licensing Guide.
The ICA protocol transports an application's screens from the server it is running on to the user's client device, and returns the user's input to the application on the server. As an application runs on a server, MetaFrame Presentation Server intercepts the application's display data and uses the ICA protocol to send this data (on standard network protocols) to the client software running on the user's client device. When the user types on the keyboard or moves and clicks the mouse, the client software sends this data to the application on the server. ICA requires minimal client workstation capabilities and includes error detection and recovery, encryption, and data compression. For more information about client software, see Deploying Client Software to Users on page 219.

A server farm is a grouping of servers running MetaFrame Presentation Server that you can manage as a unit, similar in principle to a network domain. When designing server farms, keep in mind the goal of providing users with the fastest possible application access while achieving the degree of centralized administration and network security that you need.
For enterprises with geographically dispersed sites, there are trade-offs to consider between centralizing servers or scattering them with the applications or data centers. The following table outlines some of these trade-offs.
Servers centralized at one site
  Advantages:
  • Centralized server administration and support.
  • Centralized application management.
  Disadvantages:
  • Single point of failure; if the site loses connection, users have no alternative access.
  • Access to data might be slow if an application must traverse a WAN link to the data.

Servers distributed across multiple sites
  Advantages:
  • Enhanced business continuity and redundancy; if one site loses connection, it does not affect all application access.
  • When data is maintained at different sites, placing servers at those sites provides users with local access to the data.
  • Sites can own and control their own servers.
  Disadvantages:
  • If users need access to multiple sites, you may need to coordinate and replicate domains, trusts, user profiles, and data.
  • Sites may need added local administration and support.
  • Server-to-server communication crosses the WAN.

In MetaFrame Presentation Server you use farms and zones to organize the application environment and administer servers. The next two sections discuss planning for farms and zones.
There is no exact formula that determines what number of farms is ideal, but there are some general guidelines that can help you make this decision.

Deploying a Single Farm. In general, a single farm meets the needs of most deployments. For very large deployments with, for example, thousands of servers, breaking the environment into multiple farms can increase performance. A significant benefit to deploying a single farm is needing only one data store database. For more information about data stores, see Choosing a Database for the Data Store on page 40.

Deploying Multiple Farms. You typically consider using multiple farms when you have geographically dispersed data centers that can support their own data store database or you do not want communication between servers within the farm to cross a firewall or WAN.
The following table compares how single and multiple farm deployments relate to a few of the important factors you must consider when planning the server environment:
Farm Element: Data Store
  Single Farm: The farm has one data store.
  Multiple Farms: Each farm must have a data store.

Farm Element: Data Store Replication
  Single Farm: Citrix recommends that you replicate the data store to remote sites when using one farm in a WAN environment.
  Multiple Farms: If each remote site is a farm with its own data store, there is no need for data store replication.

Farm Element: Load Balancing
  Single Farm: You can load balance an application across the farm.
  Multiple Farms: You cannot load balance an application across servers in different farms.

Farm Element: Firewall Traversal
  Single Farm: If the farm spans multiple sites, firewall ports must be open for server-to-server communication.
  Multiple Farms: Site-based farms eliminate the need to open firewall ports for server-to-server communication.

Farm Element: Server-to-server Communication
  Single Farm: Data store information is synchronized with member servers through notifications and queries. When a farm has multiple zones, data collectors are used to communicate dynamic information such as logons and application use across the farm.
  Multiple Farms: Multiple farms may improve performance over a single farm when server-to-server traffic crosses a WAN link or when the farm is very large.

  Single Farm: Centralizing administration and support may be easier for a single farm. You can monitor and configure the farm from a single Management Console and need to log on to only one farm to do so.
  Multiple Farms: You can decentralize administration and support if you want sites to have control and ownership. You can monitor and configure multiple farms from the Access Suite Console. Communicating with multiple farms from the console requires logging on to multiple servers.

You can use zones to organize servers within a farm. The next section provides information about setting up zones.
This diagram shows a server farm with two zones connected by a WAN link. Only the zone data collector in each zone communicates over the WAN link. Individual servers communicate over LANs primarily with their zone data collector.
When resolving a user's application request to the least-loaded server in the farm, a zone data collector queries the other zone data collectors for the information it needs to identify the server with the lightest load. Only zone data collectors send messages between zones, reducing communication traffic in the farm because every server does not need to communicate with every other server.

If you have a large or geographically diverse farm, you may be able to enhance performance by organizing servers into zones.

Note: Beginning with MetaFrame Presentation Server 3.0, zone data collectors no longer automatically send updates about server loads in their zone to other zone data collectors. This change in communication is designed to reduce network traffic between zones. Zone data collectors no longer maintain load information for all servers in the farm as they did in earlier releases. The zone data collector now maintains load information only for the servers in its own zone. This behavior is especially beneficial in large farms.

To ensure users are efficiently routed to the least loaded server in the server farm, you can set farm properties to share load information across zones. Exchanging server load information should be limited to the following conditions:
• The bandwidth capacity between zones is not limited
• The Zone preference and failover policy rule is not a consideration
To configure the sharing of load information across zones
1. In the left pane of farm Properties, choose Zones.
2. In the right pane, select Share load information across zones.

Selecting to share load information across zones can result in increased network traffic because every change in server load is communicated to all data collectors across all zones.

Connection requests are routed to the least loaded server in the server farm, even a server located across a WAN, unless a preferred order is established using the Zone preference and failover policy rule. When you establish a preferred connection order, the zone data collectors query the preferred zones in the order you set.

To keep data exchanges between zones to a minimum when zones are located across WANs, thus reducing network traffic:
• Do not enable sharing load information across zones
• Set up a preferred zone connection order using the Zone preference and failover policy rule
• Configure a Primary Group zone in this policy rule so that incoming connection requests from users in a particular geographic location are always routed first to the zone that includes that geographic location
Tip: To reduce network traffic in large farms with multiple zones, Citrix recommends that you use the Zone Preference and Failover policy rule to direct users' requests for applications to preferred zones within the farm. For more information about Zone Preference and Failover, see Directing User Connections to Preferred Zones on page 27.

Citrix recommends that you maintain all servers in a farm at the most recent release level of MetaFrame Presentation Server. If you find that you need to run different release levels of MetaFrame Presentation Server in your server farm on a temporary basis, configure a server running the latest release as the zone's data collector.
Sizing Zones
Design zones to enhance farm performance when enumerating or opening applications for users. The number of servers you can place in one zone depends largely on the hardware of the zone data collector and the amount of farm activity. Factors that can influence zone size include:
• How many users connect to the farm
• How many users log on simultaneously
• How long the average user stays logged on to a session (a single daily session or repeated short sessions)
• How many published applications are load-balanced among servers
Routinely monitor the CPU and memory usage on the zone data collector to ensure that it is not being overloaded with requests, especially after adding new applications or additional users to the farm. For most deployments, limit a zone to a group of servers that are located in a single data center and connected by low latency links. Tip Citrix recommends that you maintain as few zones as possible while still being able to complete application enumeration requests and resolutions in a timely manner. Creating too many zones can decrease performance in a farm, resulting in high network bandwidth consumption and decreased performance of the zone data collectors. Zones can typically support more than 500 servers. When sizing zones, start with 500 servers per zone and then monitor the IMA Work Item Queue Ready Count counter on the zone data collector to determine how much activity it can support. Tip To find out if a zone data collector is overloaded, you can monitor the server for the number of work items that are ready for execution. As a zone data collector becomes overloaded, work items on the server begin to pile up and stand in queue for execution. You can check the Work Item Queue Ready Count counter from the Citrix MetaFrame performance object in Windows Performance Monitor. If this counter rises above zero for a steady length of time, you should be concerned about the load on the data collector. For more information about monitoring performance, see Monitoring Performance of Sessions and Servers on page 308. If users experience delays when their available applications are being enumerated or when they open an application, or if reports are being generated slowly, the zone data collector may be overloaded. 
Consider taking the following actions to reduce the load on the zone data collector:
- Increase the CPU power of the zone data collector
- Dedicate the zone data collector to handling zone information and users' requests for applications, but not running published applications
- As a last resort, divide the current zone into two zones
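The counter check described above can be run over a saved Performance Monitor log. The following Python code is an added example, not part of the Citrix guide: it reads a counter log in the CSV layout written by typeperf or relog and reports the periods in which Work Item Queue Ready Count stayed above zero. The host name, counter path, sample values, function names, and the five-minute reading of "a steady length of time" are assumptions made for the illustration.

```python
"""Find sustained backlog in a zone data collector's work item queue."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the PDH-CSV layout written by typeperf/relog.
# Host name, counter path and values are made up for this example.
SAMPLE_LOG = r'''
"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\ZDC01\Citrix MetaFrame\Work Item Queue Ready Count"
"03/14/2005 09:00:00.000","0"
"03/14/2005 09:01:00.000","3"
"03/14/2005 09:02:00.000","0"
"03/14/2005 09:03:00.000","0"
"03/14/2005 09:04:00.000","2"
"03/14/2005 09:05:00.000","5"
"03/14/2005 09:06:00.000"," "
"03/14/2005 09:07:00.000","9"
"03/14/2005 09:08:00.000","14"
"03/14/2005 09:09:00.000","11"
"03/14/2005 09:10:00.000","0"
"03/14/2005 09:11:00.000","0"
'''.strip()


def read_counter(csv_text, counter_name="Work Item Queue Ready Count"):
    """Return [(timestamp, value)] for the first column whose path ends in counter_name."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    wanted = "\\" + counter_name.lower()
    columns = [i for i, col in enumerate(header)
               if i > 0 and col.lower().endswith(wanted)]
    if not columns:
        raise ValueError("counter %r is not in this log" % counter_name)
    idx = columns[0]
    samples = []
    for row in rows:
        # A missed sample is logged as a blank field; skip it rather than
        # treating it as zero, which would hide an ongoing backlog.
        if len(row) <= idx or not row[idx].strip():
            continue
        stamp = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        samples.append((stamp, float(row[idx])))
    return samples


def sustained_backlog(samples, min_duration=timedelta(minutes=5)):
    """Return (start, end, peak) for each run of non-zero samples lasting min_duration or more."""
    episodes = []
    start = end = None
    peak = 0.0
    # The trailing zero sentinel closes a run that is still open at end of log.
    for stamp, value in list(samples) + [(None, 0.0)]:
        if value > 0:
            if start is None:
                start, peak = stamp, value
            end = stamp
            peak = max(peak, value)
        elif start is not None:
            if end - start >= min_duration:
                episodes.append((start, end, peak))
            start = None
    return episodes


if __name__ == "__main__":
    for begin, finish, high in sustained_backlog(read_counter(SAMPLE_LOG)):
        print("backlog from %s to %s, peak %d ready work items" % (begin, finish, high))
```

The single non-zero sample at 09:01 is ignored as a momentary spike, while the run from 09:04 to 09:09 is reported even though one sample inside it is missing.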
If you are installing MetaFrame Presentation Server on servers that reside on multiple subnets in the same zone, do not use the default zone name presented to you during MetaFrame Presentation Server Setup, because the default zone name is based on the subnet of the server joining the farm. If you do not change the zone name when you install MetaFrame, you can change it in the farm's Properties dialog box using the Presentation Server Console.
To configure a zone for more than 512 servers
CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before making changes to it.
1. Add the following entry to the registry: \\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\MaxHostAddressCacheEntries (DWORD)
2. Set the value of MaxHostAddressCacheEntries to a number greater than the number of servers you are planning to put in the zone but no higher than necessary, because MetaFrame Presentation Server uses this number for memory management.
Note Increasing the value of MaxHostAddressCacheEntries higher than necessary can negatively impact performance. Increasing this value does not improve data collector performance.
3. Restart the IMA Service on the server.
You can set connection order preferences only in the Zone Preference and Failover rule of a policy.
To use Zone Preference and Failover in an environment with servers running earlier releases of MetaFrame Presentation Server:
- Make sure that the zone data collector is a server running MetaFrame Presentation Server 4.0 or later
- Run the Citrix XML Service on servers with MetaFrame Presentation Server 4.0 or later
- Make sure that the Web Interface is configured to communicate with the servers in the farm that are running MetaFrame Presentation Server 4.0
- Use only the most recent version of the Presentation Server Console to create, rename, or remove zones
This diagram shows a small farm in a central location. The farm contains a data store, a single zone, one data collector for the zone, and multiple farm member servers.
Citrix recommends the following for small farms in a central location:
- Dedicate a data collector for zones with more than 50 servers
- If using Access or MSDE for the farm's data store, you can consider using the same server to act as the data collector and also host the data store
This diagram shows a large farm in a central location. The farm contains a data store and four zones. Each zone consists of a data collector and multiple farm member servers.
Citrix recommends the following for large farms in a central location:
- Dedicate a data collector for zones with more than 50 servers.
- With extremely large farms, using replicated Microsoft SQL Server databases, replicated Oracle databases, or Oracle RAC can improve performance and prevent a bottleneck at the data store. If replication is used with IBM DB2 databases, you must configure it for read-only and all changes must be made on the master database.
- Do not exceed 25 zones in a single farm.
- Scale zones to maximum capacity before introducing more zones.
This diagram shows a small farm with distributed server locations. The farm consists of a single zone distributed across four locations. Location 1 includes the data store, data collector, and multiple farm member servers. Each of the other locations contains farm member servers.
Use a single zone if all distributed sites have a connection to a central site, the frequency of users connecting is limited, and the remote sites are in a single zone and each have fewer than twenty-five servers. If you are using multiple zones, provide all sites hosting a zone with a direct link to all other zone sites. Otherwise, all locations need connectivity to a central site where the zone data collector is located. Restart servers only when WAN links are at low utilization. If the majority of the servers in the farm reside at one location and the remote sites have very few servers, use a single zone.
This diagram shows a single zone with remote sites and a central office. The data store and data collector are located at the central office.
Citrix recommends the following for small farms with remote sites:
- Provide a central site with a dedicated connection to each remote site
- Consider centralizing servers at one site and have users connect from clients at remote sites so that communication between servers does not cross a WAN link, allowing the ICA protocol to enhance performance for users across the WAN
- Consider using Virtual Private Network (VPN) technology for remote sites
- Restart servers only when WAN links are at low utilization
This diagram shows a farm with two data centers, each with its own zone. Zone 1 contains the data store master, a data collector, and multiple farm member servers. Zone 2 contains a data store replica, a data collector, and multiple farm member servers.
Citrix recommends the following for large farms with multiple data centers:
- Tune database replication intervals to reduce WAN utilization. Be aware that changes made at the central site can take a few minutes to disseminate to replicas.
- The IBM DB2 database does not support updateable replicas and should, therefore, not be used in this scenario.
This diagram shows four regional sites with remote access. Each site is a zone and includes a data collector for the zone, multiple local farm member servers, and multiple remote farm member servers. The data store master is located in Zone 1 and a data store replica is located in each of the other zones.
Citrix recommends the following for large farms with regional sites:
- Consider using Virtual Private Network (VPN) technology for remote sites.
- Consider centralizing servers at one site and have users connect from clients at remote sites so that communication between servers does not cross a WAN link, allowing the ICA protocol to enhance performance for users across the WAN.
- Tune database replication intervals to reduce WAN utilization. Be aware that changes made at the central site can take a few minutes to disseminate to replicas.
- The IBM DB2 database does not support updateable replicas and should, therefore, not be used in replicated scenarios.
CHAPTER 3
The data store provides a repository of persistent information about the farm that each server can reference, including the following:
- Farm configuration information
- Published application configurations
- Server configurations
- MetaFrame administrator accounts
- Printer configurations
- Trust relationships
CAUTION Ensure that the data store is properly backed up on a regular basis. If the data store database is lost, you must recreate the farm. You cannot recreate the data store from an existing farm.
When servers in a farm come online, they query the data store for configuration information.
CAUTION Do not directly edit any data in the data store database with utilities or tools provided by any product other than the MetaFrame Access Suite. For example, do not use IBM DB2, Microsoft SQL Server, or Oracle utilities to edit the data store. Doing so corrupts the data store database and destabilizes the farm.
When using Microsoft Access, the data store database is created when you install MetaFrame Presentation Server. When using MSDE, you first install MSDE and then create an MSDE instance. Then you run MetaFrame Presentation Server Setup. The database is stored on the first server in the farm. When using Microsoft SQL Server, Oracle, or IBM DB2, the database is on a server dedicated to running the database product. This dedicated server must be set up prior to creating the farm because you need to configure an ODBC connection to it. Servers running MetaFrame Presentation Server must also have the appropriate database client software installed on them.
CAUTION Do not install MetaFrame Presentation Server on the Microsoft SQL, Oracle, or IBM DB2 database server.
See your database product's documentation for specific hardware requirements for the database server. You should consider many factors before deciding which database product to use for the data store, including but not limited to:
- The number of servers you currently plan to have in the farm and whether you plan to expand that number
- Whether or not you have a database administrator on staff with the expertise to configure and manage a data store running on SQL Server, Oracle, or DB2
- Whether or not you foresee the enterprise expanding, therefore expanding the number and type of published applications
- Whether or not the database can sustain an increase in the number of users and connections
- Whether a server has the appropriate hardware configuration to also run an Access or MSDE database or whether you require that the database be located on a server that is not also running MetaFrame Presentation Server
- Any database maintenance requirements you may have, such as backup, redundancy, and replication
Important Microsoft SQL, Oracle, and IBM DB2 servers require significant expertise to install and maintain. If you do not have expertise with these products, attempting to use them in a production environment is not recommended. See the documentation included with your database product for important details such as performance tuning and database backup procedures. For information about supported database and ODBC driver versions, see Data Store Database Requirements on page 47.
The following are general recommendations for the farm's data store database:
- Microsoft Access and MSDE are suitable for all small and many medium-sized environments that are located in one physical location.
- Microsoft SQL, Oracle, and IBM DB2 are suitable for any size environment and are especially recommended for all large and enterprise environments.
- When deploying large farms across a WAN, you can obtain considerable performance advantage by replicating the data store and distributing the load over multiple database servers. Microsoft SQL, Oracle, and IBM DB2 are suitable for large farms and support replication. For more information about replicating data stores, see Using Replicated Data Store Databases on page 46.
The response time of other events occurring in the farm, such as starting the IMA Service on a single server, recreating the local host cache, or replicating printer drivers to all servers in the farm, is affected more by the size of the farm than by the response time of the data store. Citrix testing shows that adding processors to the server hosting the data store can dramatically improve response time when multiple simultaneous queries are being executed. If the environment includes large numbers of servers coming online simultaneously and at frequent intervals, the additional processors can service requests faster. The actual performance of a farm's data store can vary depending upon which database engine is used and the level of performance tuning that can be achieved. Depending on the characteristics of a server farm, the CPU speed and CPU quantity can vary widely.
In the chart below, five sample farm configurations are displayed and referred to as scenarios A through E. Each scenario lists measurements of various metrics in the farm. The second chart shows, for each corresponding scenario, which hardware configurations are suggested for the server hosting the data store.
Scenario | A | B | C | D | E
Number of servers in farm | 80 | 160 | 250 | 350 | 500
Number of applications published to all servers | 50 | 50 | 50 | 50 | 50
Number of user policies | 25 | 25 | 25 | 25 | 25
Printers per server | 5 | 5 | 5 | 5 | 5
Printer drivers installed per server | 25 | 25 | 25 | 25 | 25
Network print servers with printers | 5 | 5 | 5 | 5 | 5
Number of Load Manager load evaluators | 10 | 10 | 10 | 10 | 10
Number of Resource Manager applications | 10 | 10 | 10 | 10 | 10
Number of Installation Manager groups | 5 | 5 | 5 | 5 | 5
Number of Installation Manager packages | 5 | 5 | 5 | 5 | 5
Number of application folders in Presentation Server Console | 10 | 10 | 10 | 10 | 10
Number of server folders in Presentation Server Console | 8 | 16 | 25 | 35 | 50
Number of Resource Manager metrics per server | 25 | 25 | 25 | 25 | 25
Number of MetaFrame administrators | 10 | 10 | 10 | 10 | 10
Size of data store database in megabytes | 32 | 51 | 76 | 101 | 125

Scenario | Dual Pentium 3/700MHz with 1GB RAM | Dual Pentium 4/1.6GHz with 4GB RAM | Quad Pentium 4/1.6GHz with 4GB RAM | 8-way Pentium 3/700MHz with 8GB RAM
A | X | X | X | X
B | X | X | X | X
C
D
E
X X X X X X X
RAID 1
RAID 5
RAID 10
Microsoft SQL Server, Oracle, and IBM DB2 databases require an ODBC database client driver installed on each server that connects directly to them. Servers that connect to the data store database indirectly (that is, through another server running MetaFrame Presentation Server) do not require an ODBC client driver.
The following table lists the drivers required for supported ODBC database clients:
Database | ODBC Client Driver Version
SQL 7.0 Enterprise for NT MDAC 2.5 | 3.70.0820
SQL 7.0 Enterprise for NT MDAC 2.5 Service Pack 1 | 3.70.0821
SQL 2000 Enterprise for NT MDAC 2.5 Service Pack 2 | 3.70.0961
SQL 2000 Enterprise for NT MDAC 2.6 Service Pack 1 | 2000.80.380.0
SQL 2000 Enterprise for NT MDAC 2.7 | 2000.81.7713.00
SQL 2000 Enterprise for NT MDAC 2.7 Service Pack 1 | 2000.81.9031.38
SQL 2000 Enterprise for NT MDAC 2.8 | 2000.85.1022.00
Oracle 7.3.4 for NT | 2.50.0301
Oracle 8.1.5 for NT | 8.01.55.00
Oracle 8.1.6 for NT | 8.1.6.00
Oracle 8.1.6 for Solaris | 8.1.6.00
Oracle 8.1.7 for NT | 8.1.7.00
Oracle 9.0.1 for NT | 9.00.11.00
Oracle 9i R2 for Solaris | 9.2.0.1.0
Oracle 9i R2 for NT | 9.2.0.1.0
IBM DB2 FixPak 5 for NT | 7.01.00.55
IBM DB2 FixPak 7 for NT | 7.01.00.65
IBM DB2 Version 8.1 | 8.01.04.341
CAUTION The Oracle Client Version 8.1.5 is not supported. If you are using this version, upgrade to 8.1.55.
Tip Before installing an update of Microsoft Data Access Components (MDAC), stop the Microsoft Terminal Services Licensing service. Restart the Terminal Services Licensing service before beginning MetaFrame Presentation Server Setup.
Microsoft Access
Choosing Use a local database on this server and selecting the Access Database entry from the list of possible databases during MetaFrame Presentation Server Setup creates a Microsoft Access database on the first server in the new farm. This database acts as the farm's data store. The Microsoft Access database engine and ODBC drivers are default components of Windows servers. The ODBC connection to Access uses the Microsoft Jet Engine. To use the database engine, you do not have to install any drivers or perform any database configuration prior to installation of MetaFrame Presentation Server.
Minimum Requirements
The server that hosts the Access database should meet the following minimum requirements:
- Approximately 50MB of disk space for every 100 servers. Increase disk space if there are a large number of published applications in the farm.
- 32MB of additional RAM if the server also hosts connections.
Some backups occur automatically: each time the Citrix IMA Service is stopped or a server is restarted, the existing Mf20.mdb file is backed up, compacted, and copied as Mf20.unk. Each time the IMA Service starts, it deletes Mf20.bak if it exists and renames the Mf20.unk file to Mf20.bak. This process helps ensure that the Mf20.bak file is a valid farm database.
CAUTION If the server runs out of disk space on the drive where the Mf20.mdb file is stored, automatic backups stop. Ensure that the amount of free disk space is at least three times the size of the Mf20.mdb file.
The Mf20.mdb file and all automatic backup files are located by default in the %ProgramFiles%\Citrix\Independent Management Architecture folder.
CAUTION Do not try to recover the data store with the dsmaint recover command without first verifying that the Mf20.bak file exists because this command removes the existing Mf20.mdb file from the server. If the Mf20.bak file does not exist, run dsmaint backup.
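Both cautions above can be checked before anyone runs dsmaint recover. The following Python code is an added example and is not part of the Citrix guide: it assumes the file names and default folder given above, and its function names are hypothetical. It reports whether the free-space rule is met and refuses to start a recovery when Mf20.bak is absent.

```python
"""Pre-flight checks for an Access-based farm data store."""
import os
import shutil
import subprocess

MDB, BAK, UNK = "Mf20.mdb", "Mf20.bak", "Mf20.unk"
# Default location named in the guide; expanded only on Windows.
DEFAULT_IMA_DIR = os.path.expandvars(
    r"%ProgramFiles%\Citrix\Independent Management Architecture")


def inspect_data_store(ima_dir, free_bytes=None):
    """Report the state of the data store files in ima_dir.

    free_bytes overrides the measured free space, which makes the check
    testable; leave it as None to measure the drive holding ima_dir.
    """
    def size_of(name):
        path = os.path.join(ima_dir, name)
        return os.path.getsize(path) if os.path.isfile(path) else None

    mdb_size = size_of(MDB)
    if free_bytes is None:
        free_bytes = shutil.disk_usage(ima_dir).free
    return {
        "mdb_size": mdb_size,
        "free_bytes": free_bytes,
        # Automatic backups stop when the drive fills up, so the guide asks
        # for free space of at least three times the size of Mf20.mdb.
        "space_ok": None if mdb_size is None else free_bytes >= 3 * mdb_size,
        # dsmaint recover removes Mf20.mdb, so Mf20.bak must exist first.
        "bak_present": size_of(BAK) is not None,
        # Mf20.unk is the copy made when the IMA Service stopped; it is
        # renamed to Mf20.bak the next time the service starts.
        "unk_pending": size_of(UNK) is not None,
    }


def recover_data_store(ima_dir, run=subprocess.run, free_bytes=None):
    """Run 'dsmaint recover' only if Mf20.bak exists; otherwise refuse."""
    state = inspect_data_store(ima_dir, free_bytes)
    if not state["bak_present"]:
        raise RuntimeError(
            "Mf20.bak is missing: 'dsmaint recover' would remove Mf20.mdb "
            "with nothing to restore from. Run dsmaint backup first.")
    return run(["dsmaint", "recover"], check=True)


if __name__ == "__main__":
    if os.path.isdir(DEFAULT_IMA_DIR):
        for key, value in inspect_data_store(DEFAULT_IMA_DIR).items():
            print("%-12s %s" % (key, value))
    else:
        print("IMA folder not found:", DEFAULT_IMA_DIR)
```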
Important If you install MSDE and specify an instance name different from the default CITRIX_METAFRAME, you must install MetaFrame Presentation Server using a manual installation method so that you can set the MetaFrame Presentation Server Setup property CTX_MF_MSDE_INSTANCE_NAME to the new instance name. See Customizing Setup on page 389 for more information about Setup properties.
To install MSDE 2000, Release A, using default options
If you do not have an instance of MSDE already installed on the server and you are not using SQL authentication, you can run SetupMsdeForMetaFrame.cmd, located on the MetaFrame Presentation Server CD in the directory Support\MSDE. Running the SetupMsdeForMetaFrame.cmd batch file installs MSDE 2000, Release A, using the default instance name CITRIX_METAFRAME and sets the MSDE administrator (SA) password to CITRIX.
Note The MSDE administrator SA password is required to be set; however, SQL authentication is not enabled by default when you install MSDE using SetupMsdeForMetaFrame.cmd. Because SQL authentication is not enabled, the SA password is not used. Setting the SA password to CITRIX is not a security risk unless you are using SQL authentication.
SetupMsdeForMetaFrame.cmd creates the required files and directories for MSDE support in the directory \Program Files\Microsoft SQL Server and a named instance directory, MSSQL$CITRIX_METAFRAME. If you need to specify an instance name and SA password, follow the procedure below to install MSDE at a command prompt using custom options.
To install MSDE 2000, Release A, using custom options
1. At a command prompt, change to the Support\MSDE\MSDE directory on the MetaFrame Presentation Server CD. For example, if your CD drive is E, type:
    E:
    cd \Support\MSDE\MSDE
2. Change to installation mode by typing:
    change user /INSTALL
3. Launch the MSDE installer, specifying the instance name and SA password. For example, type:
    setup.exe INSTANCENAME=<name> SAPWD=<password>
Important Citrix strongly recommends that you use the version of MSDE (MSDE 2000, Release A) included on the server installation CD for MetaFrame Presentation Server. After you install MSDE, choose Use a local database on this server and select the SQL Server Desktop (MSDE) Database entry from the list of possible databases during MetaFrame Presentation Server Setup.
Minimum Requirements
The server hosting the MSDE database should meet the following minimum requirements:
- Approximately 50MB of disk space for every 100 servers and 25 applications in the farm
- 32MB of additional RAM if the server also hosts connections
- 70MB of disk space for the MSDE database
Important If you intend to use MSDE to host your farm's data store, do not use double-byte characters in the name of the server on which the MSDE database will be stored.
Migrating to MSDE
You can migrate only a data store using Microsoft Access to MSDE. To migrate from Access to MSDE, run the MigrateToMsde utility located in the Support\MSDE directory on the MetaFrame Presentation Server CD. For more information about the MigrateToMsde utility, see MetaFrame Presentation Server Commands on page 333.
A single server running MetaFrame Presentation Server can use multiple connections to the MSDE instance. If more than one server attempts to connect directly to the MSDE database at the same time, the connections may be denied, resulting in intermittent failures. Citrix recommends that you configure the first server to connect to the MSDE database using direct access and all subsequent servers to connect indirectly.
Important MDAC 2.6 without SP1 is not supported because of an issue with the driver.
Minimum Requirements
The practices outlined in this section are suggested practices for using Microsoft SQL Server as the data store. Be sure to read the Microsoft SQL Server documentation before you install and configure Microsoft SQL Server.
The server hosting the SQL Server database should meet the following minimum requirements:
- There should be approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. The required disk space increases if a large number of published applications are in the farm.
- Set the temp database to automatically grow on a partition with at least 1GB of free disk space. Citrix recommends 4GB if the farm is large and includes multiple print drivers.
Note Make sure that enough disk space exists on the server to support growth of both the temporary database (temp) and the data store database.
When you finish installing the database with database owner rights, set the user permissions to read/write only. Doing this increases the security of the database.
Important If you change the rights from database owner to read/write, be sure to change the rights back to database owner before you attempt to install service packs or feature releases. Installation of service packs or feature releases can fail if the user account you use to authenticate to the data store during Setup does not have database owner rights.
When using Microsoft SQL Server in a replicated environment, be sure to use the same user account for the data store on each Microsoft SQL Server.
The following procedures explain how to configure the connection to use TCP/IP sockets.
To create a SQL Server data source connection during MetaFrame Presentation Server Setup
1. Enter the data source description and select the SQL Server to which to connect. Click Next.
2. Select NT Authentication or SQL Server Authentication.
3. Click Client Configuration.
4. Select TCP/IP from the available network libraries. Click OK.
5. After installing MetaFrame, modify the Data Source Name (DSN) you created during installation and change its client configuration to use TCP/IP.
To modify a Data Source Name (DSN), use the Windows ODBC Data Source Administrator utility to open the File DSN (located by default in the %ProgramFiles%\Citrix\Independent Management Architecture folder) and select TCP/IP as the connection protocol for the client configuration.
Failover
For fault tolerance with Microsoft SQL Server, use Microsoft clustering, which provides failover and failback for clustered systems. If failover of the SQL Server database occurs in a clustered environment, the failover of the database is transparent to MetaFrame Presentation Server.
A Microsoft Cluster Services (MSCS) cluster group is a collection of resources, such as disk drives, that are owned by one of the failover cluster nodes. You can transfer the ownership of the group from one node to another, but each group can be owned by only one node at a time. The database files for an instance of Microsoft SQL Server 2000 are placed in a single MSCS cluster group owned by the node on which the instance is installed. If a node running an instance of Microsoft SQL Server fails, MSCS switches the cluster group containing the data files for that instance to another node. Because the new node already has the executable files and registry information for that instance of Microsoft SQL Server on its local disk drive, it can start up an instance of Microsoft SQL Server and start accepting connection requests for that instance.
Note MSCS clustering does not support load balancing among clustered servers because it functions in active/passive mode only.
Distributed Databases
MetaFrame Presentation Server supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. Microsoft SQL Server uses replication to create the distributed database environment. MetaFrame Presentation Server requires data to be coherent across multiple databases. Coherent data is the same across the databases and synchronized for updating. A two-phase commit algorithm is required to maintain data coherency when there are writes to the database. When configuring Microsoft SQL Server for a two-phase commit, you must use the Immediate Updating Subscriber model. See your Microsoft SQL Server documentation for information about setting up replication with the Immediate Updating Subscriber model.
CAUTION Do not use merged replication. Using merged replication corrupts the data store.
The following procedure explains how to set up a distributed database environment for an existing farm.
To set up a distributed environment for an existing farm
1. Configure a Publisher (the Microsoft SQL Server currently hosting the data store) and Subscribers (remote sites) using Microsoft SQL Server Enterprise Manager.
2. Execute the dsmaint publishsqlds command on a server in the farm. This step executes the necessary SQL statements to create the published articles on the current Microsoft SQL Server (Publisher). For more information about the dsmaint command, see DSMAINT on page 368.
3. Configure the remote sites (Subscribers) to subscribe to the published articles you created in Step 2.
Oracle
MetaFrame Presentation Server supports the following Oracle databases for the farm's data store:
- Oracle 7, Version 7.3.4
- Oracle 8, Version 8.0.6
- Oracle8i, Version 8.1.6 and 8.1.7
- Oracle9i, Enterprise Edition Database Release 1
If you are using Oracle 8, install the Oracle Net8 client Version 8.1.5.5 and ODBC drivers provided by Oracle on each server that will directly access the database server. The farm's data store is stored as an object (schema) assigned to a user. You do not need a separate database for each data store. During install, you can either run the Net8 Easy Config, or cancel the installation at that point and copy the Tnsnames.ora and Sqlnet.ora files from the Oracle server to %Oracle home directory%\Network\Admin on each server in the farm.
Important Restart the system after you install the Oracle client and before you install MetaFrame Presentation Server. In some cases, you need to configure the DNS entry within the Oracle Net8 Assistant. To do this, click Profile and then select the Oracle Names tab. Enter the DNS suffix that the network is using. You can use the command IPCONFIG /ALL to gather the DNS suffix that must be used.
If you do not restart the server after you install the Oracle client, or if the client requires the DNS suffix to be specified, Setup reports the following error:
The procedure entry point OCIUnicodeToCharSet could not be located in the dynamic link library OCI.dll.
If you are using Oracle9i, install the Oracle9i Administrator client to obtain the Oracle ODBC driver Version 9.0.1.0.1. The Oracle9i Run-time client does not have ODBC driver support, which is required on each server directly accessing the database server.
Minimum Requirements
The practices outlined below are suggested practices for using an Oracle database for the farm's data store. Be sure to read the Oracle documentation before you install and configure Oracle databases.
The server hosting the Oracle database should meet the following minimum requirements. Guidelines given here apply to supported versions of Oracle7, 8, 8i, and 9i except as noted otherwise.
- There should be approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. The required disk space increases if a large number of published applications are in the farm.
- The Oracle Client (Version 8.1.55 or later) must be installed on the server before you install MetaFrame Presentation Server. The 8.1.5 client is not supported with MetaFrame Presentation Server.
The Oracle user account must be the same for every server in the farm because all servers running MetaFrame Presentation Server share a common schema. If you are using one database to hold information for multiple farms, each farm represented in the database must have a different user account because the data store information is stored in the Oracle user account's schema.
The account used to connect to the data store database must have the following Oracle permissions:
- Connect
- Resource
- Unlimited Tablespace (optional)
Where Number of servers is the total number of servers running MetaFrame Presentation Server. Citrix recommends online backups using Archivelog mode. Archivelog mode reduces the recovery time of an unresponsive database.
Note If you are using the same Oracle database for multiple server farms, Citrix recommends that you create a unique tablespace with its own user name and password for added security for each farm. Do not use the default system account within Oracle.
Migrating to Oracle
Migration of a farm data store to an Oracle database is supported for the database versions listed in the following table. For information about data store migration, see the Dsmaint command on page 368.
Original platform | Target platform
Microsoft Access | Oracle 7
Microsoft Access | Oracle 8
Microsoft Access | Oracle 8.1.6
Microsoft Access | Oracle 8.1.7
Microsoft Access | Oracle9i
MSDE | All Supported Versions of Oracle
Microsoft SQL Server (SQL 7 with SP2 or SP3 or SQL 2000 with SP1) | Oracle 7
Microsoft SQL Server (SQL 7 with SP2 or SP3 or SQL 2000 with SP1) | Oracle 8
Microsoft SQL Server (SQL 7 with SP2 or SP3 or SQL 2000 with SP1) | Oracle 8.1.6
Microsoft SQL Server (SQL 7 with SP2 or SP3 or SQL 2000 with SP1) | Oracle 8.1.7
Microsoft SQL Server (SQL 7 with SP2 or SP3 or SQL 2000 with SP1) | Oracle9i
IBM DB2 with FixPak 5 | Oracle 7
IBM DB2 with FixPak 5 | Oracle 8
IBM DB2 with FixPak 5 | Oracle 8.1.6
IBM DB2 with FixPak 5 | Oracle 8.1.7
IBM DB2 with FixPak 5 | Oracle9i
Note If you migrate from an Access database to an Oracle 8.1.7 database, the Citrix IMA Service fails to start because the Oracle 8.1.7.0 driver alters the logon authentication method. To avoid this problem, disable the Oracle NT Security feature in the Oracle Advanced Security settings before migrating an Access database to Oracle 8.1.7.
Client Configuration
If you use the Oracle 8.1.7 client to access the data store, you must disable the Oracle NT Security feature for the client to work with MetaFrame Presentation Server. The Oracle 8.1.7.0 driver installs a security feature, called NT Security, that uses Windows NT credentials to authenticate to the Oracle server. Because the Citrix IMA Service is configured to use the system account to access the data store, the service fails to connect to the Oracle server when the NT Security feature is enabled. You can disable the use of NT Security on the Authentication tab of the Oracle Advanced Security settings. Consult your Oracle documentation for more information.
Failover
With Oracle, you can maintain a standby database for quick disaster recovery. A standby database maintains a copy of the production database in a permanent state of recovery. Citrix recommends the use of standby databases. With Oracle8i and 9i, the management of standby databases is fully automatic. See the Oracle documentation for instructions about setting up a standby database.
Distributed Databases
MetaFrame Presentation Server supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. Oracle uses replication to create the distributed database environment. Important items concerning distributed databases are listed below.
- To reduce the load on a single database server, install read/write replicas and distribute the farm servers evenly across the master and replicas.
- MetaFrame Presentation Server requires data coherency across multiple databases. Therefore, a two-phase commit algorithm is required for writes to the database.
- All participating databases must be running Oracle
- All participating databases must be running in Multi-Threaded Server/Shared mode (rather than Dedicated mode)
- All clients (servers running MetaFrame Presentation Server that connect directly to the Oracle database) must be SQL*Net Version 2 or Net8
- Install the farm data store database first on the master site, and then configure replication at the sites being used for database replication snapshots
- Replicate all objects contained in the data store user's schema (tables, indexes, and stored procedures)
Tip If the performance at the replicated database site is significantly slower, verify that all the indexes for the user's schema are successfully replicated.
When configuring Oracle for a two-phase commit, Citrix recommends the following:
- Use updateable, synchronous snapshots with a single master site. MetaFrame Presentation Server does not work with read-only snapshots. Some functions need write access to the data store.
- Use the Oracle Fast Refresh feature where possible (this requires snapshot logs).
- Do not configure conflict resolution when setting up the replication environment.
- Set the replication link interval to be as frequent as the network environment allows (Citrix recommends one minute). With Oracle replication, if no changes are made, data is not sent over the link.
- If Oracle is configured in Multi-Threaded Server mode and remote reads or writes are initiated from the remote site, these can block local reads or writes. This is because all connections share a set of worker threads called Multi-Threaded Servers. To remedy this, increase the value of the Max_Mts_Servers parameter in the Init.ora file.
Note Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix test labs. Oracle Parallel Server is designed to allow multiple database servers to access the same back-end database. In theory, this provides good scalability in centrally located farms with hundreds of servers.
IBM DB2
MetaFrame Presentation Server supports IBM DB2 Universal Database Enterprise Edition Version 7.2 for Windows 2000 with FixPak 5 or later for the farm's data store. Install the IBM DB2 Run-Time Client and apply FixPak 5 on each server accessing the database server. If you have multiple farms, create a separate database/tablespace for each farm data store.
Important Restart the system after you install the IBM DB2 Run-Time Client and FixPak 5 and before you install MetaFrame Presentation Server. You may also need to restart after you install the Run-Time Client and before you install FixPak 5. See the DB2 documentation for more information.
Minimum Requirements
The practices outlined below are suggested practices for using an IBM DB2 database for the farm's data store. Be sure to read the DB2 documentation before you install and configure DB2 databases. The server hosting the DB2 database should meet the following minimum requirements:
- There should be approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. The required disk space increases if a large number of published applications are in the farm.
- Citrix labs tested the IBM DB2 environment with the following permissions assigned to the user: connect database, create tables, register functions to execute to database manager's process, and create schemas implicitly.
- If you create a data source name (DSN) for use with an unattended installation of IBM DB2, Citrix recommends that you create the DSN using the Microsoft ODBC Data Source Administration screen. Doing so ensures that the DSN is populated according to server requirements for proper connectivity to the DB2 database or tablespace.
Give the DB2 user account that is used for the farm the following permissions:
- Connect database
- Create tables
- Register functions to execute to database manager's process
- Create schemas implicitly
System administrator (DB2Admin) account permissions are not needed for data store access. Consult DB2 documentation for tuning database performance. The following settings can help optimize performance in large farms:
Parameter | Recommendations
appl_ctl_heap_sz | Increase the default of 128 4KB pages (.5 MB) to 512 (2 MB). This parameter represents the maximum amount of shared memory available to each application instance running on the node.
buffpage | Increase from the default of 250 4KB pages (1MB) to 75-100% of the size of the database for best performance. This parameter represents the buffer memory the database uses for processing requests.
applheapsz | Increase from the default of 128 4KB pages (.5MB) to at least 256. This parameter represents the amount of memory available to the database manager for each agent.
avg_appls | Should be equal to the number of servers in the server farm
maxappls | Ensure that this value is greater than the number of servers in the farm or servers may fail to connect.
Distributed Databases
MetaFrame Presentation Server supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. You can use a distributed database to distribute the load of read requests. IBM DB2 uses replication to create the distributed database environment.
Important MetaFrame Presentation Server uses the data type of binary large object (BLOB) to store information in an IBM DB2 database. IBM DB2 does not support the use of BLOB data types in an updateable replication scenario. Therefore, if your farm needs to have updateable replicas, use Microsoft SQL Server or Oracle for the farm's data store instead of IBM DB2.
The migration of an existing farm data store to IBM DB2 is completed as a single transaction for roll-back purposes. Before migrating the database to DB2, verify that enough log space exists on the target DB2 server to support the migration. If the DB2 server runs out of log space, the migration fails and rolls back.
To test the query interval, set the interval to 60 minutes and then restart all the servers in the farm. If the data store is still experiencing constant high CPU usage, increase the query interval further. If the CPU usage returns to normal, you can try a smaller value. Continue these adjustments until data store CPU usage is normal.
Important Do not set the data store query interval higher than necessary. This interval serves as an important safeguard against lost updates. Setting the interval higher than necessary can cause delays in updating the local host cache of the farm's member servers. The next section tells you how to force the local host cache to refresh.
You must restart the IMA Service after running dsmaint recreatelhc. When the IMA Service starts, the local host cache is populated with fresh data from the data store. The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the Citrix IMA Service fails to start.
CHAPTER 4
This chapter includes background information about decisions you need to make before you deploy MetaFrame Presentation Server. Be sure to read this chapter before you install MetaFrame Presentation Server.
System Requirements
This section describes minimum configurations and recommendations for installing MetaFrame Presentation Server. For information about system requirements for client devices, see the Client Administrator's Guide for each client platform.
CAUTION On Microsoft Windows 2000 Server and Microsoft Windows Server 2003 operating systems, Citrix does not recommend using the /3GB switch in the Boot.ini file on servers running MetaFrame Presentation Server. Windows 2000 Server and Windows Server 2003 operating systems can address up to 4GB of memory, usually 2GB for kernel and 2GB for processes. Using the /3GB switch in the Boot.ini file changes memory allocation to 1GB for kernel and 3GB for processes. Due to the large number of applications and processes running on a MetaFrame Presentation Server and Terminal Services, kernel memory space is heavily used, so using the /3GB switch causes a decrease in scalability. The /3GB switch is useful for systems with a few processes that consume a large amount of memory such as with Microsoft SQL Server and Microsoft Exchange Server. However, if the applications hosted on MetaFrame Presentation Server are not written to utilize the /3GB switch, you cannot take advantage of the extra memory and may instead encounter instability.
Users must be members of the Remote Desktop Users group to connect through Terminal Services. By default, there are no users in the Remote Desktop Users group, so users are blocked from connecting remotely. MetaFrame Presentation Server Setup allows you to add the members of the local Users group to the Remote Desktop Users group. If you skip the step of adding users to the Remote Desktop Users group, you must add users to this group after Setup completes.
All servers running MetaFrame Presentation Server must have graphics capabilities of a minimum of VGA 640 x 480 pixels. Set the displays for computers running the Presentation Server Console to at least 800 x 600 pixels.
Typical user. A typical user generally uses one or two applications but normally only one at a time. Little actual program data is transferred between the client and server, and the users rarely use Object Linking and Embedding (OLE).
Power user. A more sophisticated user who uses three or more applications, often with several active at the same time. Data is often cut and pasted between local and remote applications, and OLE is used heavily. Power users consume more resources than typical users. A good rule of thumb is that one power user is equivalent to two typical users in processor utilization and RAM requirements.
Tip The configuration examples in this section are based on numbers of typical users. Adjust the numbers for power users.
Hard Drives
The hard drive subsystem in a server is an important factor in system throughput. Small Computer System Interface (SCSI) disk drives and adapters, especially Fast Narrow SCSI (SCSI-2), Fast Wide SCSI, Wide Ultra SCSI, and Wide Ultra2 SCSI devices, have significantly better throughput than ST-506, Integrated Device Electronics (IDE), or Enhanced Small Device Interface (ESDI) disk drives and adapters. For the highest performance, consider using a SCSI-based Redundant Array of Independent Disks (RAID) controller. RAID controllers automatically place data on multiple disk drives and can increase performance and improve data reliability. Use NTFS for all disk partitions on your servers. NTFS allows security configuration, better performance, and more fault tolerance.
Network Interfaces
The ICA protocol is highly compressed and causes negligible loading on a network, but because the server handles all network requests, Citrix recommends a high-performance network interface card (NIC). If a multiport asynchronous communications adapter is installed for supporting serial ICA connections, be sure to use an intelligent (microprocessor-based) adapter to reduce interrupt overhead and increase throughput.
These recommendations are not a requirement. However, multiple domains or trust relationships with non-Active Directory domains can affect all aspects of user authentication, which include:
- Authentication for MetaFrame administrators
- Access by users to published applications
- Assignment of users to network printers
After you select users, changing the list of host servers can change the trust intersection, which can make the application unavailable to users who are no longer in the servers' trust intersection. If the trust intersection changes, the console informs you and removes users who are no longer eligible to use the resource from the authorized users list.
A published application is available only to users who can access every server that hosts the application. When multiple servers host the same application, you cannot predict to which servers users will connect when they launch the application. Therefore, if a user is authorized to access only some servers, you cannot ensure that the user will always be able to use the application. To prevent unpredictable access, MetaFrame Presentation Server removes users from the authorized users of a published application or printer if the accounts are not in the trust intersection for all the host servers.
Trust-Based Routing
Trust-based routing allows servers to be members of a server farm even if the servers belong to domains that do not trust each other. In trust-based routing, a request to enumerate users or authenticate a user is routed to a server that has the required domain trust relationship if the originating server does not.
During a trust query cycle, a server registers its trusted domains with the farm's data store. This operation occurs during every service startup and approximately every six hours while the service is executing. Therefore, the data store is a central repository of all trust data for the servers in the server farm. When a server needs to perform an operation (as defined below) on a domain that it does not trust, the server determines from the data store which servers can perform the operation and then routes the request to the most accessible server.
Trust-based routing applies to the following operations:
- Authenticating a MetaFrame administrator to the Presentation Server Console
- Refreshing the display or launching an application in Program Neighborhood
- Enumerating users and groups in the console
- Resolving users and groups into distinguished account names when you add users or groups to a published application, add users to a printer autocreation list, or define new MetaFrame administrators
This section describes the Active Directory security groups and gives recommendations for using Active Directory security groups in a server farm.
- Domain local groups. In the Active Directory model, domain local groups can contain groups from other domains, but the domain local group can be assigned to resources only in the domain in which it exists.
- Universal groups. Universal groups can contain groups from other domains. Universal groups are stored in the Active Directory global catalog. Universal groups can be used for assigning permissions to resources in any domain.
- Domain global groups. Global groups contain groups within the same domain and can be assigned to resources in any domain. Citrix recommends that you use domain global groups for user access to published applications and network printers.
Note Domain global groups are equivalent to non-Active Directory global groups. Domain local groups and universal groups are available only in Active Directory domains that are operating in native mode.
If you plan to use universal groups or domain local groups, Citrix recommends that you follow the deployment guidelines in this section regarding domain configuration and use of groups to reduce administrative complexity. For in-depth technical information about user access issues and configuration issues, see User Permission Scenarios with Active Directory on page 78.
If you change the servers that host a published application, the trust intersection with individual user accounts and with domain local groups can change. For example, if all servers hosting an application or a printer reside in a common domain, D1, you can select domain local groups from D1 to grant access to the resource. If you then configure additional servers to host the resource and these servers do not reside in D1, the Presentation Server Console detects the change and removes the D1 domain local group from the configured accounts for the resource.
For more information about domains, establishing trust relationships among domains, and configuring user accounts in domains or Active Directory, see your Windows documentation.
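The trust-intersection rule, the D1 domain local group example, and the candidate lookup behind trust-based routing can be modelled as follows. This is an added illustration, not Citrix code: the Server and Account classes, the kind labels, and the sample servers, domains and accounts are assumptions constructed for the example. It lets an administrator see which authorized accounts would be removed before a host server is added.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    domain: str                      # domain the server is a member of
    trusts: frozenset = frozenset()  # other domains this server trusts
    active_directory: bool = True    # False for a non-Active Directory domain


@dataclass(frozen=True)
class Account:
    name: str
    domain: str
    kind: str  # assumed labels: "user", "global", "domain_local", "universal"


def trust_intersection(hosts):
    """Domains whose accounts every host server can validate."""
    if not hosts:
        return set()
    return set.intersection(*({s.domain, *s.trusts} for s in hosts))


def is_eligible(account, hosts):
    """Apply the rules the guide states for each account kind."""
    if not hosts:
        return False
    if account.kind == "domain_local":
        # Usable only when every host is in the group's own domain.
        return all(s.domain == account.domain for s in hosts)
    if account.kind == "universal" and not all(s.active_directory for s in hosts):
        # Non-Active Directory domains know nothing about universal groups.
        return False
    return account.domain in trust_intersection(hosts)


def prune_authorized(authorized, hosts):
    """Split the authorized list into (kept, removed) for this host set."""
    kept = [a for a in authorized if is_eligible(a, hosts)]
    removed = [a for a in authorized if a not in kept]
    return kept, removed


def impact_of_adding_host(authorized, hosts, new_host):
    """Names of currently eligible accounts that adding new_host would remove."""
    kept_now, _ = prune_authorized(authorized, hosts)
    _, removed = prune_authorized(kept_now, hosts + [new_host])
    return [a.name for a in removed]


def servers_able_to_handle(domain, farm):
    """Trust-based routing candidates: servers that trust the given domain."""
    return [s.name for s in farm if domain == s.domain or domain in s.trusts]


# Constructed sample farm: two hosts in D1 that also trust D3, one host in D2
# that trusts D1 only.
SRV1 = Server("SRV1", "D1", frozenset({"D3"}))
SRV2 = Server("SRV2", "D1", frozenset({"D3"}))
SRV3 = Server("SRV3", "D2", frozenset({"D1"}))
ACCOUNTS = [
    Account("AppUsers", "D1", "global"),
    Account("LocalOps", "D1", "domain_local"),
    Account("contractor", "D3", "user"),
]

if __name__ == "__main__":
    print("removed if SRV3 is added:",
          impact_of_adding_host(ACCOUNTS, [SRV1, SRV2], SRV3))
    print("servers that can resolve D3 accounts:",
          servers_able_to_handle("D3", [SRV1, SRV2, SRV3]))
```

Only the D1 global group survives the change, which matches the guide's recommendation to use domain global groups for access to published applications.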
- If you use universal groups to give users permission to run published applications, all the servers that run an application (if you use Load Manager for load balancing) must reside in an Active Directory domain.
- If you use a domain local group to give users permission to run published applications, all servers that load balance an application must belong to the same domain. Also, the domain local group you assign to an application must be in the common primary domain of all the load balancing servers.
- If a user is a member of a domain local group, the group is in the user's security token only when the user logs on to a computer in the same domain as the domain local group. Trust-based routing does not guarantee that a user's logon request is sent to a server in the same domain as the domain local group.
The following table describes how network configurations affect user permissions with Active Directory.
Domain Global Groups
Program Neighborhood filtering: No adverse effects.
Authenticating to published applications: No adverse effects.
Authenticating to the Presentation Server Console: No adverse effects.

Domain Local Groups
Program Neighborhood filtering
Recommendation: All servers in the farm must be in the same domain for Program Neighborhood filtering to work properly.
Rationale: If a user is a member of a domain local group, the group is present in the user's security token only when logging on to a computer in the same domain as the domain local group. Trust-based routing (see page 77) does not guarantee that a logon request is sent to a server in the same domain as the domain local group. It guarantees only that the request is handled by a server in a domain that trusts the user's domain.
Authenticating to published applications
Recommendation: All servers that load balance an application must be in the same domain if a domain local group is authorized to use the application.
Rationale: Domain local groups assigned to an application must be from the common primary domain of all the load balancing servers. When you publish applications, domain local groups appear in the accounts list if the first condition above is met and accounts from the common primary domain are displayed (a green domain icon denotes the servers' common primary domain). If a published application has users from any domain local groups and you add a server from a different domain, domain local groups are removed from the configured users list, because all servers must be able to validate any user with permission to run the application.
Authenticating to the Presentation Server Console
Recommendation: If a user is a MetaFrame administrator only by membership in a domain local group, the user must connect the console to a server in the same domain as the domain local group.
Rationale: If the user connects the console to a server in a different domain than the domain local group, the user is denied access to the console because the domain local group is not in the user's security token.
Universal Groups
Program Neighborhood filtering
Recommendation: No Active Directory domains in the forest to which the servers belong have explicit trust relationships with non-Active Directory domains.
Rationale: Non-Active Directory domains have no knowledge of universal groups and the domain controllers exclude a universal group from a user's security token. As a result, applications might not appear in Program Neighborhood.
Authenticating to published applications
Recommendation: If universal groups are assigned permission to the application, all servers that manage the application must be in an Active Directory domain.
Rationale: A server in a non-Active Directory domain could authenticate the user to run the application. In this case, universal groups are not in the user's security token, so the user is denied access to the application. It is possible for a server in a non-Active Directory domain to load balance an application with servers in an Active Directory domain if the domains have an explicit trust relationship.
Authenticating to the Presentation Server Console
Recommendation: If a user is authenticating to the console and is a MetaFrame administrator only by membership in a universal group, the console must connect to a server that belongs to an Active Directory domain in the universal group's forest.
Rationale: Non-Active Directory domain controllers and domains outside a universal group's forest have no information about the universal group.
The following table lists NDS terms and their meanings used in this section:
Term | Meaning
Tree | A set of objects set up hierarchically in a tree structure. The root object of the NDS tree is at the top of the tree.
Container object | The tree may or may not branch to these NDS Container objects: Country (a country location for this part of the organization); Organization (a company, university, or departmental unit); Organizational Unit (a business unit, division, or project team).
Common Name | The name for a leaf object on the tree. Examples of leaf objects are: users, groups, servers, and printers.
Context | An object's position in the tree. One way to represent context is by a string of the Common Names of the objects in the path from the leaf or container object to the root.
Distinguished Name | A combination of an object's common name and its context that makes up a complete NDS path for an object. A full Distinguished Name (DN) starts with a period, for the root, and has a period between each object name.
If you are setting up a server that does not yet have MetaFrame Presentation Server installed, install the Novell Client before you install MetaFrame Presentation Server. If MetaFrame Presentation Server is already installed, follow the procedure below for information about specifying the correct logon.
Important If you install the Novell Client on a server before installing MetaFrame Presentation Server, set the following value in the [386Enh] section of the System.ini file before you install MetaFrame Presentation Server:
FileSysChange=off
Make this change in the System.ini file for all users. If this parameter is not set correctly, MetaFrame Presentation Server Setup reports that the FileSysChange parameter is not valid. Novell technical document 10058117 refers to this issue. See the Novell knowledgebase on the Web at http://support.novell.com/search/kb_index.jsp for more information.

To change the registry on a server when installing the Novell Client

If MetaFrame Presentation Server is installed before you install or upgrade the Novell Client, you must change registry settings on the server before and after you install the Novell Client.

CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

1. Before installing the Novell Client, run regedt32.
2. Edit the registry under:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   From the right pane, select GinaDLL and choose String from the Edit menu. In the String Editor dialog box, type Msgina.dll, a new value for the GinaDLL entry.
3. Install the Novell Client without restarting when prompted.
4. Edit the registry entry for GinaDLL as in Step 2. This time type Ctxgina.dll as the value.
5. With the key path for Winlogon still selected, click Edit on the top menu bar.
6. Click Add Value.
7. Type ctxGinaDLL in the Add Value dialog box. Data Type is REG_SZ.
8. Type nwgina.dll in the String Editor dialog box. This is the new value for the new ctxGinaDLL entry.
9. Restart the server.
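Because the GINA DLL named under Winlogon handles every interactive logon, it is worth confirming the end state of the procedure above before step 9. The following check is an added example, not part of the Citrix guide: it parses a text export of the Winlogon key, assumed to be in .reg syntax, and reports any GinaDLL or ctxGinaDLL value that differs from what steps 2, 4 and 8 specify. The function names and both sample exports are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# String values the procedure specifies at its two checkpoints.
EXPECTED = {
    "before_novell_install": {"GinaDLL": "Msgina.dll"},       # after step 2
    "after_procedure": {"GinaDLL": "Ctxgina.dll",             # after step 4
                        "ctxGinaDLL": "nwgina.dll"},          # after step 8
}

_KEY = re.compile(r"^\[(.+)\]$")
_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_strings(reg_text):
    """Return {key path: {value name: data}} for string values, names lowercased."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        value = _STR.match(line)
        if value and current is not None:
            current[_unescape(value.group(1)).lower()] = _unescape(value.group(2))
    return keys


def check_gina_chain(reg_text, stage="after_procedure"):
    """List deviations from the expected Winlogon values; empty list means OK."""
    values = parse_reg_strings(reg_text).get(WINLOGON.lower(), {})
    findings = []
    for name, want in EXPECTED[stage].items():
        got = values.get(name.lower())
        if got is None:
            findings.append(f"{name}: missing, expected {want}")
        elif got.lower() != want.lower():  # file names are case-insensitive
            findings.append(f"{name}: found {got}, expected {want}")
    return findings


# Constructed export showing the state the procedure should leave behind.
SAMPLE_OK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"GinaDLL"="Ctxgina.dll"
"ctxGinaDLL"="nwgina.dll"
"""

# Constructed export in which steps 4 to 8 were not carried out.
SAMPLE_DRIFT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="nwgina.dll"
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(label, check_gina_chain(sample) or "matches the procedure")
```

Any GinaDLL value other than the ones named in the procedure should be investigated rather than overwritten.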
To enable or disable NDS support for a server farm

NDS support is disabled for a server farm by default. MetaFrame Presentation Server supports one NDS tree per farm.

1. Connect to a server that has MetaFrame XP Feature Release 1 or later and the Novell Client installed.
2. Select the farm node at the top of the tree and choose Actions > Properties.
3. Click MetaFrame Settings in the left pane of the Properties page.
4. Enter the NDS tree name in the Novell Directory Services Preferred Tree field.
5. Click OK.

To assign MetaFrame administrator privileges to NDS objects

A MetaFrame administrator can assign MetaFrame administrator privileges to objects in an NDS tree, such as a country, organization, organization unit, group, user, or an alias.

1. In the console, from the Actions menu, select New > MetaFrame Administrator. The first page of the Add MetaFrame Administrator wizard appears.
2. On the first page of the Add MetaFrame Administrator wizard, open the NDS tree in the Look in box. Objects in the NDS tree represent container objects and leaf objects.
3. Select the Show Users box to see the user and alias objects in this hierarchy.
4. Open container objects until the object that you want to add to the MetaFrame Administrator list is displayed in the Look in box. Select this object.
5. Click Add. Click Next.
6. Assign the tasks you want the MetaFrame administrator to be able to perform.
7. Click Finish. This object and those below it have the selected MetaFrame administrator privileges.

To log on to the Presentation Server Console as an NDS user

You need a Distinguished Name, password, and NDS tree name to perform the following steps. If you do not have this information, consult the Novell or MetaFrame administrator who set up the NDS object to have MetaFrame administrator privileges.
1. Type a Distinguished Name in the User Name field. A full Distinguished Name starts with a period and has a period between each object name. For example, user JoeX, within two container objects (the Admin organization unit within the PNQ organization) would type the following Distinguished Name in the User Name box:
   .JoeX.Admin.PNQ
2. Type the password in the Password box.
3. Type the NDS tree name in the Domain box.

To publish an application for NDS users

1. Log on to the Presentation Server Console as an NDS user.
2. Verify that the intended host server has the Novell Client installed.
3. From the Actions menu, choose New > Published Application.
4. Follow the instructions in the Publish Application wizard. Click Help to obtain detailed help for each step.
5. In the Specify Users dialog box of the Publish Application wizard, double-click to open the NDS tree.
6. Open container or leaf objects until the object to be granted access is in the window.
7. Select the object and click Add. Click Finish. The object and those under it can access the application.
The user management subsystem updates its domain trust information every six hours (and during service startup). Therefore, it might take as long as six hours for all servers in the server farm to recognize a new trust relationship. You can avoid a delay in detection of network trust changes by restarting the IMA Service on all servers affected by the change. For example, if you change a trust relationship to allow DomainX to trust DomainY, restart all servers that belong to DomainX. With Active Directory, if you add a new domain to an Active Directory forest, for example, restart the IMA Service on all servers that belong to a domain in the forest that is affected by the change. If you are unsure which servers are affected by a trust relationship change, you can restart the IMA Service on all servers in the farm to ensure that the change is recognized. Citrix recommends that you restart the IMA Service only during off-peak hours when the load on the servers is very low.
In order to create effective MetaFrame administrator accounts, ensure that all users you are going to add as MetaFrame Administrators are Domain Users for the domain in which your farm resides. Users who are MetaFrame Administrators who take server snapshots must also be authorized WMI users on each server on which they are taking snapshots. When you install MetaFrame Presentation Server on the first server in a new farm, you specify an initial farm administrator. This user account is automatically configured as a MetaFrame administrator with full administration rights in the Presentation Server Console.
To give other user accounts access to the console, a MetaFrame administrator with full administration rights logs on to the console and creates other MetaFrame administrator accounts. The level of permission for various areas of farm management depends on the specific business function of the administrator. For example, your system or network administrators may need complete access to all areas of farm and server management, while help desk personnel may need only view access to most areas.
To give administrators of your server farm access to the Presentation Server Console, you add their network user accounts to the MetaFrame administrators group. The console uses standard Windows network logon and user account authentication mechanisms. Click the MetaFrame Administrator node in the left pane of the console to view all MetaFrame administrators.
When you create a MetaFrame administrator account for a user, you can grant or deny access to specific farm management tasks, such as disconnecting users, or to an entire area of server farm management, such as managing sessions. You can create specialized MetaFrame administrators with the permission level to carry out specific tasks without granting these administrators full access to all areas of farm management. For more information about delegating administration rights to MetaFrame administrators, see Creating MetaFrame Administrator Accounts on page 159.
Note One MetaFrame administrator account with full administration rights must always exist in the server farm. MetaFrame Presentation Server prevents you from deleting the last MetaFrame administrator account with full administration rights. However, if no administrator accounts exist in the farm data store database, a local administrator account can log on to the Presentation Server Console to set up MetaFrame administrator accounts.
If the data store database contains at least one MetaFrame administrator account, a local administrator account cannot log on to the Presentation Server Console.
- Configuring network firewalls to allow communication among clients, MetaFrame Presentation Server, and the Web Interface
- Configuring a server farm for interoperability with servers running MetaFrame 1.8
Note Features described in this section, including ICA browsing and published applications, are not available to all MetaFrame Presentation Server Clients. This section focuses on the features available with Clients for Win32, Version 6.0 or later.
This diagram shows a client performing ICA browsing when requesting an application from a server. To run an application, a client initiates an ICA session with the server.
ICA Browsing
ICA browsing is a process in which a client transmits data to locate servers on the network and get information about the server farm's published applications. For ICA browsing, clients communicate with the Citrix XML Service or the ICA browser, depending on the browsing protocol selected in the client. These options are described under Configuring ICA Browsing on page 90. ICA browsing occurs when:
- Users launch published applications. The client sends a request to locate the application on a server. If you are using Load Manager, a component of MetaFrame Presentation Server for Windows, Advanced Edition and Enterprise Edition, the client gets the address of the server with the lightest load.
- Program Neighborhood users display the Application Set list in the Find New Application Set wizard.
- Program Neighborhood users display the Server or Published Application list in the Add New ICA Connection wizard to create a custom ICA connection.
This screenshot shows how ICA browsing produces the Server and Published Application lists for a custom ICA connection in the Client for 32-bit Windows.
ICA Sessions
An ICA session is the communications link between clients and servers that users establish to run applications. In an ICA session, a server transmits an application's screen display to the client and the client sends the user's keystrokes, mouse actions, and local data to the application running on the server. The default port on servers for ICA sessions is 1494. This port must be open on firewalls for inbound communication if clients are outside the firewall. The outbound port used on the client for the ICA session is configured dynamically when the session is established. In addition to computers running MetaFrame Presentation Server, other components, such as computers running the Web Interface, proxy servers, and Web browsers can be involved in establishing ICA sessions. In all cases, the basic communications link for an ICA session is between the client and the server.
Important MetaFrame Presentation Server does not support multiple farms on the same subnet configured to respond to master browser requests.
Note Some MetaFrame Presentation Server Clients do not use ICA browsing and connect only to specified servers. The options described in this section apply to MetaFrame Presentation Server Clients for Win32. For information about other server location options, see the Administrator's Guide for each client you plan to deploy.
To locate the Citrix XML Service, the MetaFrame Presentation Server Client makes an HTTP connection to port 80 on the server. If the user is launching a published application, for example, the XML Service then sends to the client the address of a server that has the application published. When you configure the client to use TCP/IP+HTTP, communication between the client and XML Service consists of XML-formatted data in HTTP packets. Citrix recommends using TCP/IP+HTTP protocol for ICA browsing because it provides several advantages for most server farms:
- TCP/IP+HTTP uses XML data encapsulated in HTTP packets that the client sends to port 80 by default. Most firewalls are configured so port 80 is open for HTTP communication.
- TCP/IP+HTTP does not use UDP (User Datagram Protocol) or broadcasts to locate servers in the server farm.
- Routers pass TCP/IP packets between subnets, which allows clients to locate servers that are not on the same subnet.
You can set the server farm, or individual servers, to respond to client broadcasts for compatibility with deployed clients. Because UDP broadcast packets do not traverse subnets, using broadcasts for ICA browsing works only if a server that responds to broadcasts is in the same subnet as the clients. After the client locates a server, it communicates using directed (not broadcast) UDP to port 1604. Because of broadcast limitations, you might prefer to enter one or more IP addresses or DNS names of servers in the Address List box. You must do this if the client is not on the same subnet as a data collector. In summary, using the TCP/IP setting and auto-location for ICA browsing is less efficient than using TCP/IP+HTTP because it relies on UDP and UDP broadcasts.
TCP/IP    Default (Auto-Locate)    UDP broadcast
TCP/IP    Specified server(s)      Directed UDP
For example, when a user launches a published application in Program Neighborhood, the client sends a request for the application. The XML Service responds with the address of a server on which the application is published. With the Web Interface, for example, a user connects to a Web page using a Web browser. The XML Service provides a list of available applications to the server running the Web Interface. The Web server displays the available applications on the user's personalized application Web page.
Important If you change the port used by the Citrix XML Service, you must set the correct port in the client. You can specify a port number when you add a server to the Address List under Server Location in the client. If you also use the Web Interface, be sure it uses the correct port for XML Service communication. For more information, see the Web Interface documentation. See the client's Administrator's Guide or online help for instructions about configuring the clients.
To enable or disable DNS address resolution in a server farm
1. Open the Presentation Server Console.
2. Select the farm node at the top of the tree and choose Actions > Properties.
3. Select MetaFrame Settings in the left pane of the farm's Properties page.
4. In the right pane, select or clear Enable XML Service DNS address resolution.
5. Click OK.
This diagram shows basic client-to-server communication. With a firewall between clients and servers, port 80 is open for inbound HTTP to the XML Service, and port 1494 is open for inbound ICA packets.
The process of running the application begins with ICA browsing for server location. TCP/IP+HTTP protocol and server addresses are specified for server location in the MetaFrame Presentation Server Client.
1. The client sends a request to the Citrix XML Service on port 80 on a specified server using HTTP.
2. The Citrix XML Service sends the address of a server that has the requested application.
3. The client establishes an ICA session with the server specified by the XML Service. ICA packets travel from the client to port 1494 on the server. ICA packets travel from the server to a dynamically assigned port number on the client.
Organizations often place their Web servers in a demilitarized zone (DMZ) between firewalls. In the following configuration, servers running the Web Interface are located between firewalls to isolate them from the server farm and clients.
This diagram shows communication with servers running the Web Interface. In a network configuration with Web servers in a demilitarized zone between firewalls, users' Web browsers send application requests to servers running the Web Interface. Web servers send secure (HTTPS) requests to the SSL Relay and XML Service in the server farm. Clients establish ICA sessions with servers on port 1494. The port used on the clients is configured dynamically.
As with the basic configuration, Citrix recommends that clients use the TCP/IP+HTTP protocol to communicate through a firewall. When the user launches an application from a Web page, the client establishes an ICA session through the firewall to port 1494 on the server. The diagram below illustrates communication between clients and servers when SSL encryption is used.
This diagram shows client-to-server communication with SSL. For SSL communication, port 443 is open for inbound communication to the Citrix SSL Relay. The client communicates with the SSL Relay for server location and ICA session communication.
The process of running the application begins with ICA browsing for server location. In this scenario, SSL+HTTPS protocol and server IP addresses are specified for server location in the client.
1. The client sends an encrypted request to the Citrix SSL Relay on port 443 on a specified server using HTTPS.
2. The SSL Relay decrypts the request and sends it to the Citrix XML Service on port 80.
3. The Citrix XML Service sends the address of a server that has the requested application to the SSL Relay.
4. The SSL Relay encrypts and sends the address of the server to the client.
5. The client establishes an SSL-encrypted ICA session with the server specified by the Citrix XML Service. ICA packets travel from the client to port 443 on the server and are then decrypted and passed to port 1494. SSL-encrypted ICA packets travel from the server to the client.
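The client-to-server scenarios above reduce to a small set of inbound openings per browsing protocol. The following added example (not part of the Citrix guide) audits a firewall rule list against them. The Rule model and the sample rule sets are constructed for illustration, and reporting Citrix ports that a mode does not use as "unneeded" is a least-privilege assumption, not a statement from the guide.

```python
"""Added example: audit inbound firewall rules against the client-to-farm
ports that each ICA browsing mode described in this guide relies on."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, destination port on the server side)

# Default ports as stated in this guide.
XML_HTTP: Port = ("tcp", 80)       # Citrix XML Service (TCP/IP+HTTP browsing)
ICA: Port = ("tcp", 1494)          # ICA session
SSL_RELAY: Port = ("tcp", 443)     # Citrix SSL Relay (browsing and ICA over SSL)
ICA_BROWSER: Port = ("udp", 1604)  # ICA browser, directed UDP (TCP/IP browsing)
CITRIX_DEFAULTS: Set[Port] = {XML_HTTP, ICA, SSL_RELAY, ICA_BROWSER}


def required_ports(mode: str, xml_port: int = 80) -> Set[Port]:
    """Inbound openings a client outside the firewall needs for one mode.

    xml_port covers the case where the XML Service port has been changed.
    """
    table = {
        "TCP/IP+HTTP": {("tcp", xml_port), ICA},
        "TCP/IP": {ICA_BROWSER, ICA},
        # With the SSL Relay, the client only ever talks to port 443; the
        # relay forwards to ports 80 and 1494 behind the firewall.
        "SSL+HTTPS": {SSL_RELAY},
    }
    if mode not in table:
        raise ValueError(f"unknown browsing mode: {mode!r}")
    return table[mode]


@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified inbound rule (first matching rule wins)."""
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port in the range
    hi: int      # last destination port in the range

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in (proto, "any") and self.lo <= port <= self.hi


def is_allowed(rules: List[Rule], proto: str, port: int) -> bool:
    """Evaluate rules top-down; traffic matching no rule is denied."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action == "allow"
    return False


def audit(rules: List[Rule], mode: str, xml_port: int = 80) -> Dict[str, List[Port]]:
    """Report required ports that are blocked and Citrix ports left open
    although the selected browsing mode does not use them."""
    required = required_ports(mode, xml_port)
    known = CITRIX_DEFAULTS | required
    return {
        "missing": sorted(p for p in required if not is_allowed(rules, *p)),
        "unneeded": sorted(p for p in known - required if is_allowed(rules, *p)),
    }


# Constructed sample rule sets (not taken from any real firewall).
LEGACY_RULES = [
    Rule("allow", "tcp", 80, 80),
    Rule("allow", "tcp", 443, 443),
    Rule("deny", "udp", 1604, 1604),
    Rule("allow", "any", 1024, 2000),  # broad range that happens to cover 1494
]
SSL_ONLY_RULES = [Rule("allow", "tcp", 443, 443)]

if __name__ == "__main__":
    for mode in ("TCP/IP+HTTP", "TCP/IP", "SSL+HTTPS"):
        print(mode, audit(LEGACY_RULES, mode))
    print("SSL+HTTPS (tight)", audit(SSL_ONLY_RULES, "SSL+HTTPS"))
```

Run against the legacy rule set, the audit shows that switching clients to SSL+HTTPS leaves ports 80 and 1494 reachable until the older rules are removed.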
2598 80
443 2512
Server to Microsoft SQL or Oracle server Server to license server Presentation Server Console to server Clients to ICA browser service (UDP)
In the console, open the farm or server properties page, License Server. See MetaFrame Presentation Server Commands on page 333 for information about the IMAPORT command. Servers always respond to directed UDP requests. Use the settings of a farms Properties page for configuring the way that servers respond to broadcasts from clients. Not configurable. This port is used only when the farm is interoperating with servers running MetaFrame 1.8.
1604
1604
Default drive mappings for sessions are shown in the following table. Client drives C and D are renamed V and U, because the server drives use the letters C and D.
Logical drive letter      Drive letter in ICA sessions
Client drives
  A (floppy drive)        A
  B (floppy drive)        B
  C                       V
  D                       U
Server drives
  C                       C
  D                       D
  E                       E
To make drive access more familiar for users, you can change the server drives to use letters that are not likely to be used by client devices. Doing so ensures that client drives retain their original drive letters. The following table shows an example of drive letters used if you change the drive letters of a server.
Logical drive letter      Drive letter in ICA sessions
Client drives
  A (floppy drive)        A
  B (floppy drive)        B
  C                       C
  D                       D
Server drives
  C                       M
  D                       N
  E                       O
If you intend to change a server's drive letters, do so before you install MetaFrame Presentation Server. If you change server drive letters after you install MetaFrame Presentation Server, you must do it before installing any applications. If you change the server's drive letters, MetaFrame Presentation Server searches the following registry keys and changes all drive references to reflect the new drive letters:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*
HKEY_LOCAL_MACHINE\SOFTWARE\Equinox\eqn\CurrentVersion\NetRules
HKEY_LOCAL_MACHINE\SYSTEM\*
HKEY_CLASSES_ROOT\*
HKEY_USERS\*
MetaFrame Presentation Server also updates the pagefile entry and the following shortcut files:
%SystemRoot%\Profiles\Default User\*.lnk
%SystemRoot%\Profiles\Administrator\*.lnk
%SystemRoot%\Profiles\All Users\*.lnk
The first time a user logs on to a server after you change the drive letters, references to the old drive letters in the user's profile are updated. Run Driveremap.exe to change the server's drive letters. For more information about this utility, see DRIVEREMAP on page 362.
If you are using smart cards for secure network authentication, your users can authenticate to applications and content published on servers. In addition, smart card functionality within these published applications is also supported. For example, a published Microsoft Outlook application can be configured to require that users insert a smart card into a smart card reader attached to the client device to log on to the server. After users are authenticated to the application, they can digitally sign email using certificates stored on their smart cards.
Citrix has tested smart cards that meet Standard 7816 of the International Organization for Standardization (ISO) for cards with electrical contacts (known as a contact card) that interface with a computer system through a device called a smart card reader. The reader can be connected to the host computer by the serial, USB, or PCMCIA port.
Citrix supports the use of PC/SC-based cryptographic smart cards. These cards include support for cryptographic operations such as digital signatures and encryption. Cryptographic cards are designed to allow secure storage of private keys such as those used in Public Key Infrastructure (PKI) security systems. These cards perform the actual cryptographic functions on the smart card itself, meaning the private key and digital certificates never leave the card.
In addition, you can use two-factor authentication for increased security. Instead of merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN (a second factor), known only to the user, is employed to prove that the cardholder is the rightful owner of the smart card.
Note MetaFrame Presentation Server does not support RSA Security Inc.'s PKCS (Public-Key Cryptography Standard) #11 functional specification for personal cryptographic tokens.
You can also use smart cards with the Web Interface for MetaFrame Presentation Server. For details about configuring the Web Interface for smart card support, see the Web Interface Administrator's Guide, available from the Document Center.
Software Requirements
The following section presents the basic guidelines for using smart cards with MetaFrame Presentation Server. Consult your smart card vendor or integrator to determine detailed configuration requirements for your specific smart card implementation. The following components are required on the server:
- PC/SC software
- Cryptographic Service Provider (CSP) software
These components are required on the device running the supported MetaFrame Presentation Server Client:
- PC/SC software
- Smart card reader software drivers
- Smart card reader
Your Windows server and client operating systems may come with PC/SC, CSP, or smart card reader drivers already present. See your smart card vendor for information about whether these software components are supported or must be replaced with vendor-specific software. If you are using pass-through authentication to pass credentials from your Windows 2000 or Windows XP client device to the smart card server session, CSP software must be present on the client device. You do not need to attach the smart card reader to your server during CSP software installation if you can install the smart card reader driver portion separately from the CSP portion.
To enable support for smart card usage within an application, run the Scconfig.exe command-line utility on each server that hosts the application. This utility is used to specify the applications (for example, Outlook.exe) that you want to configure to have smart card transactions redirected from the server on which they execute to the client device that hosts the smart card reader. This utility may be executed remotely by specifying a target server according to the syntax below.
SCCONFIG /?
SCCONFIG ([/SERVER:servername] | [/FARM]) ([/QUERY] | [/Q])
SCCONFIG ([/SERVER:servername] | [/FARM]) [/LOGON:on|off] [/ENABLE_PROCESS:processname] [/DISABLE_PROCESS:processname]
SCCONFIG [/SERVER:servername] [/INHERIT:on|off]
The parameters used in this utility are explained below.
- The /? option returns on-screen help for this utility.
- The /SERVER:servername option specifies the target server to configure.
- The /FARM option is used to set a farm-wide setting but does not configure any servers. When the farm-wide setting is set, servers are configured according to the state of the /INHERIT option. When MetaFrame Presentation Server is installed on the server, on is the default state for /INHERIT.
- If neither the /SERVER nor the /FARM option is specified, the local server is assumed.
- The /QUERY or /Q option can be used with the /SERVER or /FARM option to display currently configured settings.
- The /LOGON option is used to turn on or off support for smart card authentication during logon to MetaFrame Presentation Server. Upon MetaFrame Presentation Server installation, on is the default state for /LOGON.
- The /ENABLE_PROCESS and /DISABLE_PROCESS options are used to enable or disable support for applications that can take advantage of smart card functionality when run as published applications. For example, to enable support for Microsoft Outlook, the processname would be OUTLOOK.EXE.
Smart-card removal policy. This is a computer policy that has three possible settings to determine the client device behavior when the user removes the smart card from the smart card reader:
- None (no effect)
- Lock Workstation (disconnects all user sessions)
- Force Logoff (logs off all user sessions)
To configure smart card support for users of these clients, see the Administrator's Guide for the clients in your environment.
CHAPTER 5
This chapter gives you guidelines and step-by-step instructions for the following tasks:
- Creating a new server farm
- Migrating to MetaFrame Presentation Server
- Overview of upgrading an existing server farm
- Installing or upgrading individual servers
- Choosing options during Setup
- Installing client software on the server
- Unattended Setup of MetaFrame Presentation Server
- Cloning servers
- Uninstalling MetaFrame Presentation Server
If you are deploying MetaFrame Presentation Server for the first time, before you install this product, read Planning for Deployment on page 69.
3. Remap server drives.
4. Install database software and create the farm data store. The data store contains persistent configuration information about all servers in the farm. All servers must be able to reference this configuration information. Before installing MetaFrame Presentation Server, you choose and install a database product to serve as your farm data store. For information about using various database products for the farm data store, see Choosing a Database for the Data Store on page 40.
5. Install the MetaFrame Access Suite license server. For information about installing the license server, see the MetaFrame Access Suite Licensing Guide.
6. Create your farm by installing your first data collector and server. For information about installing individual servers, see Installing or Upgrading Individual Servers on page 116.
7. Install the Access Suite Console, the Presentation Server Console, and the Document Center. For information about installing individual servers, see Installing or Upgrading Individual Servers on page 116.
8. Install the Web Interface. For information about installing individual servers, see Installing or Upgrading Individual Servers on page 116.
9. After installation, restart servers. The installation of MetaFrame Presentation Server performs the following:
- Updates the computer with a new Gina DLL
- Registers modules to be loaded as part of Windows Terminal Services
For any newly installed server running MetaFrame Presentation Server, for the new Gina DLL to take effect and allow users to log on and to enable Windows Terminal Services, you must restart the computer.
By changing the server to use drive letters that are higher, such as M, N, or O, the original lower drive letters become available for assignment to the drives on client devices. This can make the use of drives on client devices less confusing for users, because they see their drives identified by typical drive letters. To access the drive remap utility, select Product installations on the initial Autorun screen, and then select Remap drives. For more information about the DriveRemap utility, see DRIVEREMAP on page 362.
5. In the Authentication section of the General tab, select SQL Server authentication and enter a password. Remember the password; you must enter it when you install MetaFrame Presentation Server.
6. In the Defaults area of the General tab, in the Database menu, select the database name you specified in Step 4.
7. Click the Database Access tab. In the Database list, select the database name you specified in Step 4.
8. In the Database Roles list, select DB_Owner. Leave other selected roles selected.
9. Click OK. You are prompted to confirm your password, which completes the creation of the database.
To create a data store database with Oracle
1. If you do not already have Oracle installed, install it using the default database.
2. On the Oracle server, run SQL Plus. At the connection prompt, type internal.
3. Use the following commands as guidelines for creating a tablespace and user:
    create tablespace MFIMA datafile 'D:\ORADATA\MFIMA.DBF' size 5000k autoextend on next 5000k maxsize unlimited;
    alter tablespace MFIMA default storage (pctincrease 0 maxextents unlimited);
    create user MFADMIN identified by PASSWORD default tablespace MFIMA temporary tablespace TEMP;
    grant connect, resource to MFADMIN;
The tablespace is named MFIMA and saved in D:\ORADATA\MFIMA.DBF. The user is named MFADMIN and has the password PASSWORD. Temp is the default temporary tablespace for Oracle 8i and Oracle 9i. If you are using Oracle 7, use TEMPORARY_DATA instead of TEMP.
To create a data store database with IBM DB2
1. If you do not already have an IBM DB2 database installed, install one using the default database.
2. Create a tablespace for MetaFrame Presentation Server using the following DB2 SQL script:
    CREATE REGULAR TABLESPACE CTXSDB PAGESIZE 4 K MANAGED BY SYSTEM USING ('C:\CTXSDB\MPS4') EXTENTSIZE 32 OVERHEAD 8.3 PREFETCHSIZE 32 TRANSFERRATE 0.18 BUFFERPOOL IBMDEFAULTBP;
    COMMENT ON TABLESPACE CTXSDB IS
3. Create a local user account called MPSADMIN and then use the following DB2 SQL script to grant this account use of the tablespace:
    GRANT USE OF TABLESPACE CTXSDB TO USER MPSADMIN WITH GRANT OPTION;
    GRANT USE OF TABLESPACE CTXSDB TO PUBLIC WITH GRANT OPTION;
In the example above, the tablespace is named CTXSDB and saved in C:\CTXSDB\MPS4\sqltag.nam. The user is named MPSADMIN.
After upgrading your farm to MetaFrame XP, Feature Release 3, or MetaFrame Presentation Server 3.0, you can then use Autorun to upgrade servers to the most current release.
For instructions about how to migrate a farm with servers running MetaFrame 1.0, MetaFrame 1.8, and versions of MetaFrame XP prior to Feature Release 3, see the MetaFrame Presentation Server Migration and Upgrade Guide, which is available for download from the Support area of the Citrix Web site: http://support.citrix.com/
7. Deploy the new package to client desktops using Active Directory group policy, Microsoft Systems Management Server (SMS), or other third party deployment product. This deployment method requires no user input.
8. Decommission the farm running MetaFrame 1.0 or 1.8.
You can use the Web Interface for MetaFrame Presentation Server 4.0 to aggregate the published applications from the MetaFrame 1.8 farm alongside the MetaFrame Presentation Server 4.0. This is useful if the transition from MetaFrame 1.8 to MetaFrame Presentation Server 4.0 takes place over a period of weeks or months. When using Web Interface with MetaFrame 1.8, you must ensure that ICA authentication tickets are disabled for the MetaFrame 1.8 farm configuration. If ICA authentication tickets are not disabled, the following message is displayed in the browser of the Web Interface client:
Error: An error has occurred while connecting to the requested resource.
You also see the following event in the application log of the Web Interface server:
Event Type: Error
Event Source: Web Interface at <Site_Path>
Event Category: None
Event ID: 0
Description: The farm <Farm_Name> has been configured to use MetaFrame Presentation Server ticketing, but no ticket tag was received. Check that the farm supports ticketing. [Log ID: a561610e]
Migrating from MetaFrame XP, Feature Release 3, and MetaFrame Presentation Server 3.0
To upgrade servers running MetaFrame XP, Feature Release 3 or MetaFrame Presentation Server 3.0, you can use Autorun from the server installation CD. See the following table for information about supported migration paths from earlier versions of this product:
MetaFrame XP, Feature Release 3 for Windows 2000 Server -> MetaFrame Presentation Server 4.0 for Windows 2000 Server with Service Pack 4
MetaFrame XP, Feature Release 3 for Windows Server 2003 -> MetaFrame Presentation Server 4.0 for Windows Server 2003
MetaFrame Presentation Server 3.0 for Windows 2000 Server -> MetaFrame Presentation Server 4.0 for Windows 2000 Server with Service Pack 4
Citrix recommends that you maintain all servers in a farm at the most recent release level of MetaFrame Presentation Server. If you find that you need to run different release levels of MetaFrame Presentation Server in your server farm on a temporary basis, configure a server running the latest release as the zone's data collector. See Configuring Zones and Data Collectors on page 21 for more information.
To migrate a server farm to MetaFrame Presentation Server
1. Verify installation prerequisites. To verify that your computer satisfies installation prerequisites for each component you are installing, review the installation checklist. To access the installation checklist, select View installation checklist from the initial Autorun screen.
2. Install the license server. Citrix licensing has changed from MetaFrame XP, Feature Release 3. If you are upgrading from MetaFrame XP, Feature Release 3, before you upgrade the first server in a farm, install a license server. Before upgrading, ensure you download current licenses. For information about installing the license server, see the MetaFrame Access Suite Licensing Guide.
3. Upgrade MetaFrame Conferencing Manager from Version 2.0 to Version 3.0 or 4.0. MetaFrame Conferencing Manager, Version 2.0 is not compatible with this version of MetaFrame Presentation Server.
4. Turn off interoperability mode in the farm you are migrating.
5. Upgrade farm metric servers. If you are upgrading from an earlier release of MetaFrame Presentation Server, Enterprise Edition, upgrade the farm metric servers (primary and backup) before upgrading other servers in the farm. Resource Manager, a component of Enterprise Edition, uses the farm metric servers to interpret information collected from other servers. Farm metric servers running earlier versions of Resource Manager than other servers in the farm may cause inconsistencies.
6. Upgrade Presentation Server Console, Access Suite Console, and Web Interface. To automatically upgrade the consoles and the Web Interface and preserve custom configuration settings, accept the default settings of the Install MetaFrame Presentation Server and its components option in Autorun. Accepting the default settings automatically upgrades the consoles and the Web Interface before upgrading the server and preserves custom configuration settings.
Note When you upgrade the Access Suite Console, or if you are sharing My Views between systems running different versions of the Access Suite Console, there are certain restrictions on how the upgraded console recognizes previously saved My Views. Specifically, this restriction applies if you are using the consoles included with MetaFrame Presentation Server 3.0 and MetaFrame Presentation Server 4.0. If, after upgrading, you are asked whether or not you want to upgrade your .msc configuration file, choose one of the following options:
- If you choose to Upgrade your file, you cannot use an older version of the console to access the My Views stored in the file, but you can save My Views in your new version of the console.
- If you choose Don't Upgrade, the file is not upgraded. You can continue to use either version of the console to access the My Views stored in the file, but you can save only My Views to this file using the older version of the console.
7. Upgrade zone data collectors.
8. Upgrade farm servers.
9. If you are using MetaFrame Conferencing Manager, install and configure the Guest Attendee Web Interface.
For additional information about upgrading individual servers, continue with the next section.
Important Several aspects of the way MetaFrame Presentation Server is installed have changed. If you are upgrading from an earlier release of this product and want to preserve your configuration settings, make sure you read the section Migrating to MetaFrame Presentation Server on page 112.
CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before making changes to it.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
Type: REG_SZ
Name: Logging
Value data: iwearucmopv
A log file is created in the %Tmp% directory for each operation. Use Active Directory's Group Policy Editor to configure logging properties for an Active Directory group.
To edit the Logging policy, open Group Policy Editor and select Computer Configuration > Administrative Templates > Windows Components > Windows Installer.
Using Autorun
Autorun consists of multiple screens from which you select tasks you want to perform, such as installing MetaFrame Presentation Server or viewing the installation checklist. If you select an installation task, a Setup wizard opens and guides you through the installation process. For information about choosing options during Setup, see Choosing Options during Setup on page 120.
Important If you are upgrading to MetaFrame Presentation Server, make sure to read the section, To migrate a server farm to MetaFrame Presentation Server on page 115 for important information about preserving custom configuration settings.
- Apply Service Pack 2005.04 to MetaFrame Presentation Server 3.0. Select this option to apply all service packs for MetaFrame Presentation Server 3.0. This option does not update your server to the feature set for MetaFrame Presentation Server 4.0. This option fixes only problems solved since the last full release of MetaFrame Presentation Server 3.0.
- Install management consoles. Select this option to install the Access Suite Console and the Management Console for MetaFrame Presentation Server only. You can install both consoles on computers other than those running MetaFrame Presentation Server, such as workstations and laptops.
Install a transform (use with Install or Uninstall option) Set the user interface level (use with Install or Uninstall option)
The following section describes the various options you configure during Setup. The options are presented in the order they appear if you select the Install MetaFrame Presentation Server and its components option on the Product installations screen of Autorun. Depending on the components you choose to install, you may not encounter all configuration options described in this section, or you may encounter them in different order. To install MetaFrame Presentation Server and its components, your computer must satisfy specific installation prerequisites for each component. To verify that your computer satisfies installation prerequisites for each component you are installing, review the installation checklist. To access the installation checklist, select View installation checklist from the initial Autorun screen. If you launch Setup from the Autorun screen, Setup automatically installs any software prerequisites on the server except Windows components. Setup does not install Windows components. If Setup detects a missing Windows component that is required to run MetaFrame Presentation Server, you must install the Windows component manually and then resume Setup. You may choose to install software prerequisites yourself. To do so, run the Setup files located in the Support folder of the MetaFrame Presentation Server CD-ROM and then resume Setup. Consult your software vendor for installation guidelines and available updates.
If you have questions about which edition to choose, contact your reseller or go to the Product Information area of the Citrix Web site at http://www.citrix.com/products. Based on the edition you select, Setup presents you with the components that are available for installation.
For more information about deployment recommendations, see Planning for Deployment on page 69.
Important To use SQL Server Desktop (MSDE) for your farm data store, you must install MSDE on the server before you install MetaFrame Presentation Server. For more information about installing MSDE, see Microsoft SQL Server 2000 Desktop Engine (MSDE) on page 50.
The default zone name is the mask for the subnet in which the server resides. If you want to change the server farm zone name, clear the option Use Default Zone Name and enter the new name.
3. Click Next and continue with Setup.
To add a server to an existing server farm
1. On the Create or Join a Server Farm Setup screen, select Join an existing farm and click Next.
2. Select Connect to a database on this server and then enter the name of the server hosting the Access or MSDE database. The default communication port is 2512.
3. Accept the default zone name or enter a different zone name.
4. Click Next and continue with Setup.
Important If your driver does not appear in the list, cancel Setup, install the driver, and then restart Setup.
The default zone name is the mask for the subnet in which the server resides. If you want to change the server farm zone name, clear the option Use Default Zone Name and enter the new name.
3. Click Next and continue with Setup.
4. Follow the procedure To configure an ODBC driver for Microsoft SQL Server on page 127, To configure the ODBC driver for Oracle on page 130, or To configure the ODBC driver for IBM DB2 on page 131.
5. Follow the remaining instructions in Setup.
This completes data store configuration of the first server in a new farm.
To add a server to an existing server farm
1. On the Create or Join a Server Farm Setup screen, select Join an existing farm and click Next.
2. Select Connect directly to the database using ODBC. Select your database from the list and click Next.
3. Follow the instructions in the procedure To create a server farm with a SQL, Oracle, or DB2 data store beginning with Step 3.
1. For the Name text box, accept the default value. From the Server list, select the SQL server you want to use.
2. When prompted to select how to verify the authenticity of the login ID:
    Select With SQL Server authentication.
    In the Login ID text box, specify the login ID created by the database administrator.
In the Password text box, specify the password associated with the login ID.
Click Next. If the ODBC manager is unable to verify the login ID and password, the ODBC manager prompts you to reenter them.
This screen capture shows where to select SQL server authentication and specify the login ID and password.
3. When prompted:
    Select Change the default database to.
    From the list, select the database you created for MetaFrame Presentation Server.
    Click Next.
Note SQL Server login IDs can be configured to log on to a database by default. If in your SQL Server administrative program the logon ID is set to log on to the data store database by default, you do not have to specify a default database in this dialog box.
This screen capture shows where to change the default database and where to select a database from the list.
4. Click Finish.
This screen capture shows the Finish button is located on the same pane where you can change the language of SQL Server system messages.
5. Test the new data source name. Click Test Data Source. If the test completes successfully, click OK twice to complete the data source name configuration.
After creating your new data source, follow the steps in the procedure, To create a server farm with a SQL, Oracle, or DB2 data store on page 126, beginning with Step 6.
To configure the ODBC driver for Oracle
Selecting an Oracle driver from the database list in Setup brings up the Oracle8 ODBC Driver Connect dialog box.
This screen capture shows the Oracle8 ODBC Driver Connect dialog box with fields for Service Name, User Name, and Password.
1. In the Service Name text box, type the service name used when you installed the Oracle client. In the User Name and Password text boxes, type the user name and password created on the Oracle server for the data store.
2. Click OK.
This completes the Oracle data store setup. You are now ready to proceed with MetaFrame Presentation Server Setup. Follow the steps in the procedure To create a server farm with a SQL, Oracle, or DB2 data store on page 126, beginning with Step 6.
To configure the ODBC driver for IBM DB2
Selecting IBM DB2 ODBC DRIVER from the database list in Setup brings up the Connect To DB2 Database dialog box.
This screen capture shows the Connect To DB2 Database dialog box with a drop-down menu for selecting a Database alias, a button to add a Database alias, fields for entering User ID and Password, Change password features, and Connection mode selection of Share or Exclusive.
1. Set the connection mode to Share.
2. Click Add to launch the IBM DB2 Client Configuration Assistant. This wizard walks you through configuring the ODBC connection to the DB2 database.
3. Follow the instructions in the Client Configuration Assistant. On the Protocol page, be sure you select TCP/IP. Citrix recommends that you use this protocol to connect to the data store.
4. Click Finish when you are done configuring the connection.
5. On a Windows 2003 Server, click Test Connection to make sure that the connection to the database works.
6. Click Close.
7. Ensure that the connection mode is still set to Share.
8. Enter the User ID and Password.
9. Click OK.
This completes the DB2 data store setup. You are now ready to continue with Setup. Follow the steps in the procedure To create a server farm with a SQL, Oracle, or DB2 data store on page 126, beginning with Step 6.
For more information about delegating administration rights to MetaFrame administrators, see Creating MetaFrame Administrator Accounts on page 159. Note One full authority administrator account must always exist in the server farm. Therefore, MetaFrame Presentation Server prevents you from deleting the last full authority administrator account. However, if the account no longer exists in the network account authority, the console allows a local administrator to log on to the console to set up administrator accounts.
Important Shadowing restrictions are permanent. If you disable shadowing or enable shadowing but disable certain shadowing features during Setup, you cannot change the restrictions later. Any user policies you create to enable user-to-user shadowing are subject to the restrictions you place on shadowing during Setup. Do not disable shadowing as a substitute for user- and group-specific connection policies.
Prohibit shadowing of user sessions on this server. Select this option to permanently disable shadowing of user sessions on the server. If you disable shadowing during Setup, you cannot enable it using other MetaFrame Presentation Server configuration utilities or by creating connection policies.
Allow shadowing of user sessions on this server. Select this option to enable shadowing of user sessions by the server. When you enable shadowing, you can apply the following restrictions:
    Prohibit remote control. By default, authorized users can view a session they are shadowing, and also use their keyboard and mouse to interact with it. Select this option to allow authorized users to view sessions but not to have keyboard and mouse input. Shadowing without keyboard and mouse input may conceal from the user the fact that a session is being shadowed.
    Force a shadow acceptance popup. By default, users are notified by an acceptance prompt when other users are attempting to shadow their sessions. Select this option to deny users the ability to shadow sessions without sending this acceptance prompt.
    Log all shadow connections. You can log events such as shadowing attempts, successes, and failures in the Windows event log and examine them using Event Viewer. Select this option to enable logging.
If you do not want the Citrix XML Service to share the TCP port with IIS, you can use a separate port for the Citrix XML Service. On the Configure Citrix XML Service Port Setup page, select Use a separate port and enter the new port number.
If you plan to change the port used by the Citrix XML Service on MetaFrame Presentation Server, make sure the port you plan to use is not used by any other application. For a list of ports in use, type netstat -a at a command prompt. Make a note of the port number you specify. If you use a port other than the default port 80, you must configure servers running the Web Interface and any clients using TCP/IP + HTTP server location to use the port you choose. See the Web Interface Administrator's Guide for instructions about configuring the Web Interface to use a different port. See the Client Administrator's Guides for instructions about configuring the clients to use a different port.
Important All servers in the farm must use the same TCP port for the Citrix XML Service. If farms are running in interoperability mode, this requirement includes all servers running either MetaFrame 1.8, MetaFrame XP, or MetaFrame Presentation Server.
To change the Citrix XML Service port after installation
Important Use this procedure only if you do not want to share the port used by IIS. If you entered a port number other than the default Share with IIS during Setup, you can change the port to another port number using the Presentation Server Console. However, if you want to change the setting to share the port with IIS after running Setup, you must follow the instructions for manually setting the Citrix XML Service to share the TCP port with IIS.
1. Use the Services Control Panel to stop the Citrix XML Service.
2. At a command prompt, type ctxxmlss /u to unload the Citrix XML Service from memory.
3. Type ctxxmlss /rnn, where nn is the number of the port you want to use. For example, ctxxmlss /r88 forces the Citrix XML Service to use TCP/IP port 88.
4. Restart the Citrix XML Service in the Control Panel.
To manually configure Citrix XML Service to share the TCP port with IIS
1. Use the Services Control Panel to stop the Citrix XML Service.
2. At a command prompt, type ctxxmlss /u to unload the Citrix XML Service.
3. Copy Wpnbr.dll and Ctxxmlss.txt to the IIS scripts directory on your Web server. These files are installed in \Program Files\Citrix\System32 during MetaFrame Presentation Server installation. The default scripts directory is \Inetpub\Scripts.
4. Use Internet Service Manager to give the files read and write access.
5. Stop and restart the Web server.
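The two port requirements stated for the Citrix XML Service (the chosen port must not be in use, and every server in the farm must use the same port) can be checked from netstat output. The following is an added example, not part of the Citrix guide: the netstat samples are constructed, the function names are hypothetical, and it assumes the numeric form netstat -an, because plain netstat -a prints well-known ports as service names such as http.

```python
import re

# Constructed sample of Windows `netstat -an` output for one farm server.
SAMPLE_NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2512           0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    10.0.0.5:3012          10.0.0.9:8080          TIME_WAIT
  UDP    0.0.0.0:1604           *:*
"""

# Constructed sample of plain `netstat -a`, which shows service names.
SAMPLE_NETSTAT_A = """\
  Proto  Local Address          Foreign Address        State
  TCP    MPS01:http             MPS01:0                LISTENING
  TCP    MPS01:2512             MPS01:0                LISTENING
"""

# Proto, local address, foreign address, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def tcp_listeners(netstat_text):
    """Return (numeric_ports, service_names) for TCP rows in LISTENING state."""
    ports, names = set(), set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        # rpartition also handles IPv6 local addresses such as [::]:445
        port = m.group(2).rpartition(":")[2]
        if port.isdigit():
            ports.add(int(port))
        else:
            names.add(port)
    return ports, names


def candidate_port_status(netstat_text, port):
    """Classify a port before passing it to ctxxmlss /r<port>.

    "in-use"       a TCP listener already owns the port
    "inconclusive" some listeners are shown by service name, so the
                   port cannot be ruled out; rerun with netstat -an
    "free"         no TCP listener on the port
    """
    if not 1 <= port <= 65535:
        raise ValueError("TCP port must be in the range 1-65535")
    ports, names = tcp_listeners(netstat_text)
    if port in ports:
        return "in-use"
    if names:
        return "inconclusive"
    return "free"


def servers_missing_xml_port(netstat_by_server, xml_port):
    """Return farm servers with no TCP listener on the farm-wide XML port."""
    return sorted(
        server for server, text in netstat_by_server.items()
        if xml_port not in tcp_listeners(text)[0]
    )


if __name__ == "__main__":
    print(candidate_port_status(SAMPLE_NETSTAT_AN, 80))
    print(candidate_port_status(SAMPLE_NETSTAT_AN, 88))
    # Constructed farm: MPS01 was switched to port 88, MPS02 was not.
    farm = {
        "MPS01": SAMPLE_NETSTAT_AN
        + "  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING\n",
        "MPS02": SAMPLE_NETSTAT_AN,
    }
    print(servers_missing_xml_port(farm, 88))
```

A listener on the port only shows that some process is bound to it; confirming that the process is the Citrix XML Service still requires checking the service on that server.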
To add or remove extension snap-ins to the console (MMC user mode)
1. Open Add/Remove Programs in Control Panel.
2. Select MetaFrame Presentation Server - Administration Snap-in and click Change.
3. Follow the on-screen instructions to select or clear the desired components.
Although both methods of application delivery, through a Web browser or through the Program Neighborhood Agent, offer a different user experience, both methods rely on Java object technology provided by the Web Interface and executed on a Web server.
Accessing applications through a Web browser. Users can access published applications through the Web Interface. The Web Interface presents users with custom Web pages with links to the published applications users are authorized to launch. The links are dynamically generated based on users' profiles, so different users see different links depending on the applications the users have permissions to use.
Accessing applications through the Program Neighborhood Agent. You do not need to publish a Web page if you want users to access published applications through the Program Neighborhood Agent. However, because this client leverages the technology provided by the Web Interface, you must install the Web Interface to use the Program Neighborhood Agent.
The Web Interface requires a server running both Microsoft Internet Information Services (IIS) Version 5.0 or later and the Microsoft Java Virtual Machine (JVM). For large-scale deployments, Citrix recommends that you run the Web Interface on dedicated Web servers. For smaller deployments, you can run MetaFrame Presentation Server and the Web Interface on the same server. For more information about configuring the Web Interface, see the Web Interface Administrator's Guide.
You can install a standalone copy of the Document Center on any 32-bit Windows computer without installing MetaFrame Presentation Server. To ensure you have access to all relevant information when you need it, Citrix recommends that you install the Document Center before you install or upgrade to MetaFrame Presentation Server. To view, search, and print the contents of the Document Center, install Adobe Reader 5.0.5 or later with Search on the computer. You can download Adobe Reader for free from Adobe Systems' Web site at http://www.adobe.com/. To install the Document Center, select Install Document Center from the initial Autorun screen and then follow the instructions in the Setup wizard.
Install or upgrade the pass-through client on the server. The pass-through client is an instance of Program Neighborhood or Program Neighborhood Agent that runs as a published application on the server. It gives users of non-Win32 clients, including the Client for DOS, the Client for Java, and RDP clients, access to their application sets from within the feature-rich interface of Program Neighborhood even if Program Neighborhood is not installed on their client devices.
Install Program Neighborhood if you plan to deploy clients other than Program Neighborhood to users.
The wizard includes typical and custom installation paths. A typical installation does the following:
Installs the Client Auto Update Database and copies client software into the database
Installs the ICA Client Creator database and copies each client into the database
Installs the MetaFrame Presentation Server Clients on the server
When performing a custom installation, a dialog box gives you options for installing clients. If you select Create/Update Citrix ICA Client Images or Create/Update Citrix ICA Client Update Database, dialog boxes let you select clients to install. For example, if you choose to Create/Update Citrix ICA Client Images, a dialog box lets you select clients to add to the ICA Client Creator's database. Clear the check boxes for clients you do not want to add to the database.
The following sections describe creating and applying transforms and creating answer files.
Applying Transforms
You can manipulate the installation process by applying Windows Installer transforms (files with the .mst extension) to the installation database contained in a Windows Installer package. A transform makes changes to elements of the database. A transform file modifies the installation package when it is being installed and dynamically affects the installation behavior.
When you create a transform to apply to the MetaFrame Presentation Server Windows Installer package, you set your desired values for properties in the package. When you then apply the transform to the installation package, the questions you are asked during Setup are answered. Creating a transform allows you to roll out MetaFrame Presentation Server in unattended mode.
Transforms that you create to customize a Windows Installer setup package remain cached on your system. These files are applied to the base Windows Installer package whenever the Installer needs to modify it. You can apply transforms only when you initially install Windows Installer packages; you cannot apply transforms to software that is already installed.
Citrix provides four sample transforms on the MetaFrame Presentation Server CD. You can open these transforms and edit the properties in them using commercially available Windows Installer editing tools. The sample transforms include sample values for select properties, allowing you to determine which properties to edit to achieve a certain configuration. For more information about each sample transform and the properties you can set for each configuration, see Customizing Setup on page 389.
To create a customized transform using one of the sample transform files
1. Using your preferred tool for editing Windows Installer packages, open the MetaFrame Presentation Server Setup Windows Installer package, Mps.msi, located on the MetaFrame Presentation Server CD in the \MetaFrame directory.
2. Apply the transform that includes the properties and values you want to modify.
3. Enter new values for the properties you want to change.
4. Generate the transform file.
5. Save the file with a new name.
Cloning Servers
If your organization uses system imaging utilities to clone standard server configurations, with a few adjustments you can also clone servers running MetaFrame Presentation Server. For detailed information about cloning servers, see Advanced Concepts for MetaFrame Presentation Server, available from the Support area of the Citrix Web site at http://www.citrix.com.
Important If you rename a server on your network, the new server name is added to the list of servers in the farm. However, you must remove the old server name because it is still listed as a member of the farm. Before you remove the server name, be sure to update all references to the new server name, including data collector ranking, published application references, and license assignments. If you are planning to uninstall MetaFrame Presentation Server from the Resource Manager metric farm server or database connection server for a summary database, be sure to reassign the server before removing it from the farm. If you are using a summary database, Citrix recommends that you update the database before removing any servers from the farm. Be sure to also create any necessary billing reports from the server before you remove it.
CHAPTER 6
This chapter includes basic information about tools that you use to manage servers, server farms, and published applications. More detailed information is available in the online help for the tools. Some tools are installed when you run MetaFrame Presentation Server Setup. For more information, see Deploying MetaFrame Presentation Server on page 107.
Management Console for the MetaFrame Access Suite. Use the Access Suite Console to manage multiple farms in your deployment. The console snaps into the Microsoft Management Console (MMC) and enables you to manage items administered through the MetaFrame Presentation Server, MetaFrame Secure Access Manager, and MetaFrame Password Manager products. For MetaFrame Presentation Server, you can use the Access Suite Console to administer servers, server farms, published applications, and sessions. You can create a variety of reports, configure application access (both through the Web Interface and Program Neighborhood Agent), and support MetaFrame Conference Manager guest attendee logons. In addition, you can use the console to troubleshoot alerts and diagnose problems in your farms, and view hotfix information for your Citrix products. For more information about using this tool, see Management Console for the MetaFrame Access Suite on page 149.
Management Console for MetaFrame Presentation Server. Use the Presentation Server Console to connect to any server farm in your deployment and manage servers in the farm. Use the console to manage your deployment with Resource Manager, Installation Manager, Load Manager, and Network Manager. For more information about using this tool, see Management Console for MetaFrame Presentation Server on page 157.
License Management Console. Use this console to manage and track MetaFrame Access Suite software licenses. For more information about licensing, see the online help in the console and the MetaFrame Access Suite Licensing Guide.
Citrix Connection Configuration. Use this tool to configure the user connections that link to servers. For information, refer to the online help in Citrix Connection Configuration.
Citrix SSL Relay Configuration. Use this tool to secure communication between a server running the Web Interface and your farm. For information, see Setting up Citrix SSL Relay on page 175.
ICA Client Creator. Use this utility to create diskettes or disk images for installing client software.
Note ICA Client Creator is not supported on servers running Windows Server 2003.
ICA Client Update Configuration. Use this tool to manage the Client Update Database on a computer running MetaFrame Presentation Server. The database contains current client software for each supported client platform and can be used to install clients when users log on to the server. For more information about deploying client software to users, see Deploying Client Software to Users on page 219.
Shadow Taskbar. Shadowing allows users to view and control other users' sessions remotely. You can use the Shadow taskbar to shadow sessions and to switch among multiple shadowed sessions. You can also use the Presentation Server Console to shadow ICA sessions. For more information about shadowing, see Shadowing Sessions on page 304.
SpeedScreen Latency Reduction Manager. Use this tool to configure local text echo and other features that improve the user experience on slow networks.
Access Suite Console
In earlier releases of MetaFrame Presentation Server, application access was configured through the Web Interface and Program Neighborhood Agent Consoles. These tasks are now carried out in the Access Suite Console.
Create traces for servers in multiple farms to assist Citrix Technical Support with problem analysis. | Access Suite Console
View hotfix information for your Citrix products. | Access Suite Console
To do this: | Use this console:
Manage sessions and processes in a specific farm. | Presentation Server Console
Create MetaFrame administrators and modify their privileges. | Presentation Server Console
Define how users connect to published applications and content. | Presentation Server Console
Create and manage published applications and content. | Presentation Server Console
Manage printers. | Presentation Server Console
Administer servers in a farm. | Presentation Server Console
Create environments for isolating published applications in a farm. | Presentation Server Console
Manage your server farm using Resource Manager, Installation Manager, Load Manager, and Network Manager. | Presentation Server Console
Note The top-level node of the console tree provided with MetaFrame Presentation Server 4.0 is called MetaFrame Presentation Server Administration. In MetaFrame Presentation Server 3.0, this node is called Access Suite Console.
This screen capture shows the layout of the console before running discovery (see Finding Items in Your Deployment Using Discovery on page 156). The left pane contains the console tree. The task pane is in the middle. The details pane is on the right.
The following nodes are available under the top-level node in the console tree:
Alerts. Lists the alerts created by all the items in your deployment. Double-click an alert to drill down to the affected item.
Search Results. Displays the results of any search that you perform. Click Search in the task pane to perform a standard or advanced search.
My Views. Allows you to customize the information that you display in the details pane. For instructions about creating My Views, see Customizing Your Displays Using My Views on page 152.
In addition, nodes are also created by some Access Suite Console snap-ins when they are installed. Some snap-ins are not visible as nodes in the console tree but they add features, such as extra tasks, to other snap-ins. Depending on your Access Suite Console installation, the following snap-ins are available:
Presentation Server. Allows the console to establish contact with your deployment and displays the applications, servers, and zones in your farms. Presentation Server is contained in the Suite Components node.
Dashboard. Displays alerts, allows you to monitor server performance data, and helps you to diagnose server problems. This snap-in does not appear as a separate node in the console tree, but adds alerting and monitoring features to the Presentation Server snap-in. For information about displaying performance data, see the Dashboard online help.
My Knowledge. Provides context-sensitive troubleshooting information about alerts using knowledge-based articles from Citrix and any that your organization creates. This snap-in does not appear as a separate node in the console tree, but adds troubleshooting features and some additional alerts to the Presentation Server snap-in. For information about viewing and providing troubleshooting information, see the My Knowledge online help.
Report Center. Allows you to create reports describing various aspects of your deployment. For more information, see the Report Center online help.
Licensing. Launches the License Management Console that allows you to manage licenses for your Citrix products. For information about the License Management Console, see the MetaFrame Access Suite Licensing Guide.
Diagnostic Facility. Creates trace logs and other system information to assist Citrix Technical Support in diagnosing problems.
Web Interface. Allows you to manage how users access applications through Web Interface and Program Neighborhood Agent sites, and to administer MetaFrame Conferencing Manager guest attendee logons. In earlier releases of MetaFrame Presentation Server, application access was configured through the Web Interface and Program Neighborhood Agent Consoles. These tasks are now carried out in the Access Suite Console. Web Interface is located in the console tree under Suite Components > Configuration Tools. For more information, see the Web Interface Administrator's Guide.
Hotfix Management. Manages hotfixes for your Citrix products. Hotfix Management is located in the console tree under Suite Components > Configuration Tools.
To create a My View
1. In the console tree, select My Views.
2. In the task pane, click Create new My View.
3. Select the new My View in the console tree and click Add items to My View in the task pane.
4. Add the items that you want to manage and click OK.
5. In the task pane, click Edit My View and give the My View a meaningful name and description.
To add items to a My View
1. Select the My View in the console tree and click Add items to My View in the task pane.
2. Add or remove items as required and click OK.
Tip Create a new My View quickly by basing it on an existing one. Select the existing My View in the console tree and click Duplicate My View in the task pane. Then add or remove items from the duplicate My View as required.
To remove items from a My View
1. Select the My View in the console tree.
2. Select the item you want to remove.
3. From the Actions menu, select Delete.
Troubleshooting Alerts
You can get context-sensitive information about alerts in the Access Suite Console using My Knowledge. Two types of information are available:
Articles provided by Citrix
Articles provided by your company
The Citrix articles are provided as a standard component. To provide users with local knowledge, you set up a company knowledge database. After you do this, administrators with the necessary permissions can add, edit, and delete articles. When you set up a new company knowledge database, My Knowledge automatically creates the required tables and stored procedures in the database. To create these tables and stored procedures yourself, the necessary SQL files are provided in the My Knowledge folder in the Component CD folder. To see all the alerts that can be generated for a server farm, select the farm, then select the Available Alerts display. For configurable alerts, you can also quickly see the current configuration, which may give you a better understanding of why the alert was raised. If necessary, you can then move directly to reconfigure the alert, disable it, or delete it from your console or all consoles.
Creating Reports
Administrators often need to create reports that describe how various aspects of the server farms are functioning. For example, quarterly data for server uptime, CPU utilization, or application availability are commonly compared with agreed figures in a service level agreement.
Report Center in the Access Suite Console extends the reporting capabilities in Resource Manager for MetaFrame Presentation Server, and allows you to easily generate reports from a variety of real-time and historical data sources. Wizards help you select the type of report, the data to be displayed, and the schedule for running the report. You can view the status of your scheduled reports and adjust the report parameters.
Report Center contains several report types that describe:
Application usage and availability
Server usage and availability, including CPU and memory utilization reports and a server snapshot report (that can also be created from a real-time metric graph)
The distribution of client types that connect to your servers
Administration policies in place for the farm
Session statistics over time, including active and disconnected sessions
For information about creating reports in the Access Suite Console, including assistance with troubleshooting, see the Report Center online help.
The first time you open the console, the Configure and Run Discovery wizard runs automatically. At any stage afterwards, run the wizard to locate newly installed products or components and to update the console if items were added to or removed from your deployment. When using discovery to connect to your MetaFrame Presentation Server deployment, you must specify the name of at least one server in each farm that you want to manage. When discovery is complete, the console tree is updated with the components and items that you specified.
To run the discovery process for more than one product or component
1. Select Suite Components in the console tree.
2. If you need to configure discovery for at least one product or component, click Configure and run discovery. To just run discovery for the items used by the components, click Run discovery.
For example, if a new server farm is created in your deployment, click Configure and Run discovery to add that farm and its servers to the console tree. If a new server is added to a farm that is already present in the console tree, click Run discovery to add that server to the console tree.
To run the discovery process for a single product or component
1. Select the product or component in the console tree.
2. To configure discovery, click Configure and run discovery. To just run discovery for the items used, click Run discovery.
You should consider running discovery on a regular basis to ensure that you have the most up-to-date view of your deployment. Run discovery if:
You install or remove a MetaFrame product or component. The console does not recognize any recently installed products or components until you run discovery.
Items are added to or removed from an existing deployment. The console tree is refreshed only after discovery is completed. Similarly, report contents will not necessarily contain up-to-date information unless discovery is run after any changes to reported items take effect.
Your administrative privileges change or you change a custom administrator's privileges. Modifications to privileges do not take effect in the console until you rerun discovery.
- Monitor, reset, disconnect, and reconnect sessions
- Send messages to users and shadow their sessions

For a comparison of the tasks that you can perform with the Presentation Server Console and the Access Suite Console, see Choosing Which Console to Use on page 147.

The features and capabilities of the console depend on the MetaFrame Presentation Server edition you are running. The commands, controls, and features that you see in the console can vary from the descriptions and illustrations in this manual, depending on the components you install.

Load Manager is an optional component that is installed with MetaFrame Presentation Server for Windows, Advanced Edition. Resource Manager, Installation Manager, and Network Manager are optional components that are installed with MetaFrame Presentation Server for Windows, Enterprise Edition. When these components are installed, additional features and functions are added to the Presentation Server Console.

MetaFrame Presentation Server Setup installs the Presentation Server Console on each server in the farm by default. You can also use the MetaFrame Presentation Server CD to install the Presentation Server Console on other workstations you want to use to manage server farms.

Important Earlier versions of the Presentation Server Console do not recognize settings you configure using the latest version of the Presentation Server Console. If you run the console from devices that do not have MetaFrame Presentation Server installed, such as workstations or laptops, make sure to upgrade those devices to the latest version of the Presentation Server Console.

To use the Presentation Server Console, you must be a MetaFrame administrator. Administrators can have varying levels of access to areas of server farm management. If you try to access an area of the console you are not authorized to use, the right pane of the console may be blank.
CHAPTER 7
This chapter describes how to use MetaFrame administrator accounts to secure and delegate administrative tasks and describes ways in which you can secure farm communications.
Note To create, delete, and configure MetaFrame administrator accounts, you must log on to the Presentation Server Console as a full authority administrator.

The authority level you grant an administrator depends on the specific business function of the administrator. For example, your system or network administrators may need complete access to all areas of farm management, while help desk personnel may need view-only access to most areas.

Your need to have custom administrator accounts with varying levels of authority is likely to increase along with the size of your organization. For a smaller scale organization whose scope is limited to a single zone and a single geographic area, having a single group of administrators, all of whom share the same, full level of authority, may suffice to manage the entire farm. However, for larger scale organizations that span multiple departments and perhaps multiple administrative, geographic, and time zones, you may want to delegate limited sets of tasks to individuals in particular departments or zones without giving them access to other areas of farm management.

For example, if your finance department uses mission-critical applications and routinely deals with sensitive data, you can let a qualified member of that department manage those applications. To do this, you place the applications in a custom Applications folder and then give the individual permissions to manage just those applications. In this scenario, delegating a commensurate amount of authority ensures that:
- A qualified individual oversees a familiar set of applications
- The individual does not have access to areas of farm management you do not want to delegate
- The integrity of confidential data and applications is preserved
- You can focus on other areas of farm management that require your attention
If you set up multiple zones in a farm, you can delegate tasks based on zones. To do this, create a folder for each zone under the Servers node, place your servers in the appropriate folders, and then assign the tasks of managing the servers to select administrators.
Important Citrix recommends that you do not mix different release versions of MetaFrame Presentation Server in the same server farm. Upgrade MetaFrame Presentation Server to the current version to ensure that custom administrator settings apply properly. Restricting access to areas of farm management may not prevent administrators from running some command-line utilities available with MetaFrame Presentation Server.

When you create a new administrator account, you must associate it with one of three authority levels: full, view-only, or custom access to farm management. You can modify an administrator's authority level at any time. For an overview of authority levels, see Types of MetaFrame Administrator Accounts on page 159. For information about modifying authority levels of existing administrator accounts, see Delegating Tasks to Custom Administrators on page 162.

To create administrator accounts with full or view-only authority, you select individual or group accounts and associate them with full or view-only privileges. Both full and view-only privileges apply farm wide.

To create administrator accounts with custom authority, you select individual or group accounts, assign them custom privileges, and then permissions to perform select tasks.

Note One full authority administrator account must always exist in the server farm. Therefore, MetaFrame Presentation Server prevents you from deleting the last full authority administrator account.

Citrix recommends that you add your standard network administrators group to your MetaFrame administrators group so that network administrators have access to manage network resources including print servers.

To create, delete, and configure MetaFrame administrator accounts, you must log on to the Presentation Server Console as a full authority administrator.

To create MetaFrame administrator accounts
1. In the console, from the Actions menu, select New > MetaFrame Administrator. The first page of the Add MetaFrame Administrator wizard appears.
2. In the Look in list, select the user or user group accounts you want to add to the MetaFrame administrators group and then click Add. Select Show Users to display all user names in the selected domain.
Tip Instead of selecting names from the list, you can type them in a text box. To do this, click Add List of Names and use semicolons (;) to separate names.
3. Click Next.
4. On the Privileges page, select the authority level you want to grant the selected administrator accounts. Select among the following options:
- Select View Only to give the selected administrators view-only access to all areas of farm management. Click Finish when you are done and proceed to Step 5.
- Select Full Administration to give the selected administrators full access to all areas of farm management. Click Finish when you are done and proceed to Step 5.
- Select Custom to delegate specific, limited tasks to the selected administrators. Click Next when you are done and proceed to Step 5.
5. On the Permissions page, in the Folders pane, select the folder or node for which you want to delegate tasks to the selected administrators. The tasks you can delegate for the selected node or folder appear in the Tasks pane.
6. In the Tasks pane, select the tasks you want to delegate. Click Finish when you are done.
Description
Allows administrators to configure zones, move servers to zones, and set election preferences.
Allows view-only access to the farm properties.

APPLICATION-RELATED TASKS
If you select a folder of applications, the assigned permissions affect only the applications in the specified folder.

Published Applications: Toggles on/off all subtasks. Allows full access to view and modify all areas of publishing applications in the specified folder. To publish applications in isolation environments, administrators also must have the View Isolation Environments permission. To disable subtasks, clear the check boxes.

Allows administrators to manage applications, including publishing and editing properties. To publish applications in isolation environments, administrators also must have the View Isolation Environments permission. Automatically selects and requires the View permission.

Allows view-only access to published applications and content.

Toggles on/off all subtasks. Allows full access to view and modify all areas of resource management in the specified folder. To disable subtasks, clear the check boxes.

Allows administrators to add, remove, snooze, sleep, awaken, and edit the properties of metrics associated with Resource Manager applications and published applications. When creating or editing Resource Manager applications, the servers to which the administrator can assign the application are controlled by the Assign RM Applications to Servers permission for the server folder. Automatically selects and requires the View permission.

If an application metric is configured to send out SMS or email notifications, this permission allows administrators to receive SMS or email notifications related to applications, using the contact information specified in the Alert Contact Details section of their profile. Automatically selects and requires the View permission. Note: Administrators can be given permission to receive other types of SMS and email notifications in the Resource-Related tasks or Server-Based tasks.
Description
Allows administrators to view any Resource Manager applications, as well as any metrics associated with the application. Administrators can also select the metric and generate a real-time graph that displays the current metric count and the metric error and warning thresholds. If administrators also have the View Published Applications and Content or View Session Management permissions for the same folder, they can view metrics associated with published applications in the specified folder and generate real-time graphs for these metrics. The RM watcher is available to display application-related Resource Manager alerts. Note: Administrators can be given permission to view resource-related Resource Manager alerts using View Resource Management Configuration and Alerts and server-related Resource Manager alerts using View RM Information and Alerts.

Sessions: Toggles on/off all subtasks. Allows full access to view and modify all areas of session management for the specified folder. To disable subtasks, clear the check boxes.
Connect Sessions: Allows administrators to connect to a session. Automatically selects and requires the View permission.
Disconnect Users: Allows administrators to disconnect one or more sessions. Automatically selects and requires the View permission.
Log Off Users: Allows administrators to log off one or more sessions. Automatically selects and requires the View permission.
Reset Sessions: Allows administrators to reset client and disconnected sessions. Automatically selects and requires the View permission.
Send Messages: Allows administrators to send desktop messages to one or more sessions. Automatically selects and requires the View permission.
View Session Management: Allows view-only access to sessions management.

ADMINISTRATOR-RELATED TASKS
MetaFrame Administrators: Toggles on/off all subtasks. Allows administrators to open the MetaFrame Presentation Server Console and Web Interface Console and to view the properties of other administrators. To disable subtasks, clear the check boxes.
Log on to Presentation Server Console: Allows administrators to open the MetaFrame Presentation Server Console.
Log on to Web Interface Console: Allows administrators to open the Web Interface Console.
View MetaFrame Administrators: Allows administrators to view the properties of other administrators.

INSTALLATION-RELATED TASKS
Description
Toggles on/off all subtasks. Allows full access to view and modify all areas of installation management. To disable subtasks, clear the check boxes.

Allows administrators to edit and/or install/uninstall packages, package groups, server groups, and Installation Manager properties. Automatically selects and requires the View permission.

Allows view-only access to the Installation Manager node in the Presentation Server Console, the Installation Manager properties, all of the available packages and package groups, package and package group properties, and installation information. Administrators can view a server group only if they have the Install and Uninstall Packages server folder permission for at least one server in the group, and they can view only the individual servers in the group for which they have this permission.

ISOLATION ENVIRONMENT TASKS
Isolation Environments: Toggles on/off all subtasks. Allows full access to view and modify all areas of isolation environments. To disable subtasks, clear the check boxes.
Manage Isolation Environments: Allows administrators to create and modify isolation environments, as well as publish applications in an isolation environment. To publish applications in an isolation environment, administrators also need the Publish Applications and Edit Properties permission. Automatically selects and requires the View permission.
View Isolation Environments: Allows view-only access to isolation environments and the applications published in them.

LOAD MANAGER TASKS
Load Manager: Toggles on/off all subtasks. Allows full access to view and modify all areas of load management. To disable subtasks, clear the check boxes.
Assign Load Evaluators: Allows administrators to assign load evaluators to servers and published applications.
Edit Load Evaluators: Allows administrators to edit load evaluation settings. Automatically selects and requires the View permission.
View Load Evaluators: Allows view-only access to load evaluator settings.

MONITORING AND ALERTING TASKS
The following tasks are related to the My Knowledge extension - Configuration and Alerts.
Monitoring and Alerting: Toggles on/off all subtasks. Allows full access to view and modify all areas of monitoring and alerting. To disable subtasks, clear the check boxes.
Description Allows administrators to modify the current configuration of alerts generated by the My Knowledge extension (SMA alerts). This information includes thresholds, polling intervals, and whether the alert is enabled or disabled. Automatically selects and requires the View Alerts Configuration permission. To apply the configuration of all the My Knowledge extension alerts of the currently selected farm (the source farm) to other discovered farms that have SMA enabled (the target farms), administrators must have the View Alerts Configuration permission for the source farm and Edit Alerts Configuration permission for the target farms.
Edit My Knowledge Configuration: Allows administrators to create a new configuration and edit or delete the current company knowledge configuration for the farm. Automatically selects and requires the View My Knowledge Configuration permission. To copy the company knowledge database configuration from another discovered farm that has its company knowledge database configured (the source farm) to the currently selected farm, the administrator must also have the View My Knowledge Configuration permission in the source farm.
View Alerts Configuration: Allows view-only access to the current configuration of alerts generated by the My Knowledge extension. This information includes thresholds, polling intervals, and whether the alert is enabled or disabled.
View My Knowledge Configuration: Allows view-only access to the current company knowledge configuration of alerts generated by the My Knowledge extension.

POLICY-RELATED TASKS
User Policies: Toggles on/off all subtasks. Allows full access to view and modify all areas of user policies. To disable subtasks, clear the check boxes.
Edit User Policies: Allows administrators to create and modify policies. Automatically selects and requires the View permission.
View User Policies: Allows view-only access to policies.

PRINTER-RELATED TASKS
Printers: Toggles on/off all subtasks. Allows full access to view and modify all areas of printer management. To disable subtasks, clear the check boxes.
Edit All Other Printer Settings: Allows administrators to import network print servers, map drivers, and edit all other printer settings, with the exception of editing printer drivers, editing printers, and replicating printer drivers. Automatically selects and requires the View permission.

Allows administrators to edit driver-related features. Automatically selects and requires the View permission.

Allows administrators to add, edit, delete, or reset client printers. Automatically selects and requires the View permission.
Description
Allows administrators to replicate printer drivers from one server to another and to manage the auto-replication list. Automatically selects and requires the View permission.

Allows view-only access to printers and printer drivers.

Toggles on/off all subtasks. Allows full access to view and modify all areas of managing resources for the farm. To disable subtasks, clear the check boxes.

Configure Resource Management: Allows administrators to edit the configuration of all the areas described in the View Resource Management Configuration permission. Automatically selects and requires the View permission.
Generate Billing Reports: Allows administrators to generate billing reports, manage cost centers, manage fee profiles, and view saved reports. Saved reports can also be viewed using any Web browser. Automatically selects and requires the View permission.
Generate Current and Summary Reports: Allows administrators to generate current and summary reports and view any saved reports. Saved reports can also be viewed using any Web browser. Automatically selects and requires the View permission.
Receive SMS and Email Notifications: If the Summary Database is configured to send out SMS or email notifications, this permission allows administrators to receive the SMS or email notification related to resource management tasks (those not related to applications or servers), using the contact information specified in the Alert Contact Details section of their profile. Automatically selects and requires the View permission. Note: Administrators can be given permission to receive other types of SMS and email notifications in the Application-Related tasks or Server-Based tasks.

Allows administrators to view the Resource Manager node in the MetaFrame Presentation Server Console, including the current configuration of the following areas of Resource Manager:
- Summary Database configuration
- SMS servers, gateways, and the receivers of SMS alerts
- Community string used for sending SNMP alerts
- Configuration of the currently selected method for sending email alerts (SMTP or MAPI), and the receivers of email alerts
- Primary and backup farm metric servers
The RM watcher is available to display any current Resource Manager alerts, other than alerts related to applications or servers. Note: Administrators can be given permission to view application-related Resource Manager alerts using View RM Applications and Content and server-related Resource Manager alerts using View RM Information and Alerts.
SERVER-BASED TASKS If you select a folder of servers, the assigned permissions affect only the servers in the specified folder.
Description
Toggles on/off all subtasks. Allows full access to install and uninstall packages on servers in the specified folder. To disable subtasks, clear the check boxes.

Allows administrators to install and uninstall packages on all the servers in the specified folder. This permission also controls which servers and server groups administrators can view in the Server Groups section of the Installation Manager node for the farm. Administrators can view a server group only if they have the Install and Uninstall Packages server folder permission for at least one server in the group, and they can view only the individual servers for which they have this permission.

Allows full permissions for administering published applications on servers in the specified folder. To disable subtasks, clear the check boxes.

Allows administrators to publish applications from servers. To publish applications from a server, administrators must also have the Publish Applications and Edit Properties permission.

Toggles on/off all subtasks. Allows full access to Resource Manager for servers in the specified folder. To disable subtasks, clear the check boxes.

Allows administrators to assign the servers on which a Resource Manager application can be monitored. Servers for which administrators do not have this permission will not be visible when the administrators assign servers to a Resource Manager application. Note: This permission does not have any effect on the servers that can be assigned to published applications.

Allows administrators to add, remove, snooze, sleep, awaken, and edit the properties of metrics associated with servers. Administrators can also modify the configuration of the following sections in the server properties:
- Ignored processes
- Metric summary schedule
- Restart schedule
- Resource Manager alert recipients
Automatically selects and requires the View permission.

If a server metric is configured to send out SMS or email notifications, this permission allows administrators to receive SMS or email notifications related to servers, using the contact information specified in the Alert Contact Details section of their profile. Automatically selects and requires the View permission. Note: Administrators can be given permission to receive other types of SMS and email notifications in the Resource-Related tasks or Application-Related tasks.

Edit RM Information
Description
Allows the administrators to view any metrics that have been added to the servers in the specified folder. Administrators can also select a metric and generate a real-time graph that displays the current metric count and the metric error and warning thresholds. If administrators also have the Generate Current and Summary Reports permission, they can generate reports directly from the graph. Administrators can view the Resource Manager server log and view the current configuration of the following sections in the server properties dialog:
- Ignored processes
- Metric summary schedule
- Restart schedule
- Resource Manager alert recipients
The RM watcher is available to display server-related Resource Manager alerts. Note: Administrators can be given permission to view application-related Resource Manager alerts using View RM Applications and Content and resource-related Resource Manager alerts using View Resource Management Configuration and Alerts.

Servers: Toggles on/off all subtasks. Allows full access to view and modify all areas of server administration in the specified folder. To disable subtasks, clear the check boxes.

Allows administrators to edit settings for the license server.

Allows administrators to edit all server settings, with the exception of SNMP settings, moving and removing servers, terminating processes, and license server settings.

Edit SNMP Settings: Allows administrators to set up notifications of events by the SNMP agent.
Move and Remove Servers: Allows administrators to move servers between server folders and remove servers from the farm.
Terminate Processes: Allows administrators to terminate processes.
View Server Information: Allows view-only access to server information.

Sessions: Toggles on/off all subtasks. Allows full access to view and modify all areas of session administration. To disable subtasks, clear the check boxes.
Connect Sessions: Allows administrators to connect to user sessions. Automatically selects and requires the View permission.
Disconnect Users: Allows administrators to disconnect user sessions. Automatically selects and requires the View permission.
Logoff Users: Allows administrators to log off users. Automatically selects and requires the View permission.
Description
Allows administrators to reset user sessions. Automatically selects and requires the View permission.

Allows administrators to send messages to users, such as broadcasting information about an upgrade or a warning about a system shutdown. Automatically selects and requires the View permission.

Allows view-only access to session management.

You cannot grant permissions to applications and servers directly. To grant permissions to applications and servers, you must first place the applications or servers in folders and then grant permissions at the folder level. Therefore, before you delegate tasks for applications and servers, make sure you group the applications and servers in folders that allow you to delegate the tasks in a meaningful way.

Note To apply the same permissions to a new folder as to its parent folder, select the Copy permissions from the parent folder option when you create the new folder.

To create, delete, and configure MetaFrame administrator accounts, you must log on to the Presentation Server Console as a full authority administrator.

To associate an administrator account with select tasks
1. In the left pane of the console, select MetaFrame Administrators. The list of configured MetaFrame administrator accounts appears in the Contents tab.
2. In the Contents tab, select the administrator account to which you want to delegate a task or tasks and choose Properties from the Actions menu. The Properties page for the selected administrator account appears.
3. If the administrator is not a custom administrator, on the Properties page, select Privilege Type, then select the Custom option.
4. On the Properties page, select Permissions. The Permissions page appears, featuring the Folders and Tasks panes.
5. In the Folders pane, select the folder or node for which you want to delegate tasks to the selected administrator. The tasks associated with the selected folder or node appear in the Tasks pane.
6. In the Tasks pane, select the tasks you want to delegate.
7. Click OK when you are done.
ICA encryption (SecureICA). Use ICA encryption (Citrix SecureICA) to encrypt the information sent between a server running MetaFrame Presentation Server and a client. ICA encryption makes it virtually impossible for unauthorized users to open an encrypted transmission and, in the unlikely event that such an attack succeeds, ICA encryption ensures that the attacker sees only meaningless screen commands and not sensitive information. ICA encryption provides confidentiality to guard against the threat of eavesdropping.
Note ICA encryption is not recommended for use across public networks.
In general, you use ICA encryption when:
- You want to secure internal communication within a LAN or a WAN, or you want to secure internal access to an Intranet
- You need to secure communications from devices that use Microsoft DOS or run on Win16 systems
- You have older devices running client software that cannot be upgraded
- There is little risk of man-in-the-middle attacks

Citrix SSL Relay. Use Citrix SSL Relay to provide end-to-end Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption between specific servers and clients. In general, you use SSL Relay when:
- You have a small number of servers to support (five or fewer)
- You do not need to secure access at a DMZ
- You do not need to hide server IP addresses or you are using Network Address Translation (NAT)
- You do need end-to-end encryption of data between clients and servers

The Secure Gateway. Use the Secure Gateway to provide SSL/TLS encryption between a secure Internet gateway server and an SSL-enabled client, combined with encryption of the HTTP communication between the Web browser and the Web server. Using the Secure Gateway makes firewall traversal easier and provides heightened security by providing a single point of entry and secure access to your server farms. In general, you use the Secure Gateway when:
- You have a large number of servers to support
- You want to hide internal IP addresses
- You want to secure access from the DMZ
- You need two-factor authentication (in conjunction with the Web Interface)

A Virtual Private Network Solution. Use a Virtual Private Network (VPN) solution when you need to create secure tunnels between geographic locations. In general, you use a VPN solution when:
- You need two-factor authentication
- You need to create a secure pipeline for full (beyond ICA) network access
- You want to secure the network from within the DMZ
- Users normally access the network from the same workstations
- You want to use IP Security (IPSEC)

Both the Secure Gateway and SSL Relay support SSL/TLS encryption. Selection is largely a matter of deciding which deployment best meets the needs of the organization's security policies. Each approach has its own advantages. Overviews of the SSL Relay, the Secure Gateway, and ICA encryption are included in this chapter.
Use the Secure Gateway to create a gateway that is separate from the computers running MetaFrame Presentation Server. Establishing the gateway simplifies firewall traversal because ICA traffic is routed through a widely accepted port for passage in and out of firewalls. The Secure Gateway provides increased scalability. However, because ICA communication is encrypted only between the client and the gateway, you may want to use ICA encryption to secure the traffic between the gateway and the servers running MetaFrame Presentation Server. For more information about implementing and configuring the Secure Gateway, see the Secure Gateway Administrator's Guide available from the Document Center.
If you are using Microsoft Certificate Authority (CA) to assist in setting up SSL Relay, you can use the SSLAutoConfig tool, which is located in the Support folder on the server installation CD. For more information about how to use SSLAutoConfig, see Advanced Concepts for MetaFrame Presentation Server 4.0.
In the SSL Relay, select the server certificate and allowed ciphersuites, according to your security policy. Change the target address or port, or add additional addresses for redundancy. For instructions, see Step 4 - Configuring SSL Relay on page 180 or the application online Help for the SSL Relay configuration tool.
From your chosen Certificate Authority, you need to obtain a separate server certificate for each server on which you use the Citrix SSL Relay. The server certificate identifies a specific machine, so you need to know the fully qualified domain name (FQDN) of each server. You also need to install a root certificate on each client device. Root certificates are available from the same CAs that issue server certificates. The Web Interface and the MetaFrame Presentation Server Clients include native support for the following certificate authorities:
- VeriSign, Inc., http://www.verisign.com
- Baltimore Technologies, http://www.baltimore.com
This means that if you use server certificates from these certificate authorities, you do not need to install a root certificate on your client devices. If you use a different certificate authority, you need to install root certificates and server certificates. See the documentation for the clients you are using for instructions about installing a root certificate.
Requesting a Certificate
After you decide on your Certificate Authority, you generate a request for a certificate using your Web server software. This generates information known as a certificate signing request (CSR) that you send to the Certificate Authority for signing.
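A check you can run on the saved request file before sending it to the Certificate Authority, added here as an example and not part of the Citrix guide: it reads the common name and RSA key length from a PEM certificate request using only the Python standard library, and flags a common name that is not the SSL Relay server's FQDN or a key shorter than the 1024 bits this guide recommends. The host name relay01.example.test, the function names, and the sample request (constructed in-line with a placeholder key and a zeroed signature) are assumptions; the request's signature is not verified.

```python
import base64

OID_CN = bytes.fromhex("550403")                    # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")       # rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # sha1WithRSAEncryption


def _tlv(tag, body):
    """Encode one DER element (used only to construct the sample request)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _read(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        size = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        size = first
    if pos + size > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + size], pos + size


def _children(body):
    """Split the contents of a SEQUENCE or SET into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read(body, pos)
        items.append((tag, value))
    return items


def build_sample_csr(common_name, bits):
    """Constructed PKCS#10 request for the demo: placeholder key, zeroed signature."""
    modulus = (1 << (bits - 1)) | 1
    mod = modulus.to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    rsa_key = _tlv(0x30, _tlv(0x02, mod) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + rsa_key))
    subject = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN)
                                         + _tlv(0x0C, common_name.encode()))))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _tlv(0x06, OID_SHA1_RSA) + _tlv(0x05, b""))
    der = _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" + bytes(bits // 8)))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
            + base64.encodebytes(der).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")


def parse_csr(pem):
    """Return (common_name, rsa_bits); either is None if absent or not RSA."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, csr_body, _ = _read(base64.b64decode(b64), 0)
    info = _children(_children(csr_body)[0][1])  # version, subject, key, attrs
    subject, spki = info[1][1], info[2][1]
    common_name = None
    for _, rdn in _children(subject):
        for _, atv in _children(rdn):
            (_, oid), (vtag, value) = _children(atv)[:2]
            if oid == OID_CN:  # BMPString (0x1E) is UTF-16; other types decode as UTF-8
                codec = "utf-16-be" if vtag == 0x1E else "utf-8"
                common_name = value.decode(codec, "replace")
    alg, key_bits = _children(spki)
    rsa_bits = None
    if _children(alg[1])[0][1] == OID_RSA:
        _, rsa_body, _ = _read(key_bits[1][1:], 0)  # skip the unused-bits octet
        rsa_bits = int.from_bytes(_children(rsa_body)[0][1], "big").bit_length()
    return common_name, rsa_bits


def lint_csr(pem, server_fqdn, min_bits=1024):
    """List the ways the request departs from the guide's requirements."""
    common_name, rsa_bits = parse_csr(pem)
    problems = []
    if common_name is None:
        problems.append("request has no common name")
    else:
        if "." not in common_name.strip("."):
            problems.append(f"common name '{common_name}' is not fully qualified")
        if common_name.lower().rstrip(".") != server_fqdn.lower().rstrip("."):
            problems.append(f"common name does not match {server_fqdn}")
    if rsa_bits is None:
        problems.append("public key is not RSA")
    elif rsa_bits < min_bits:
        problems.append(f"key length {rsa_bits} is below {min_bits} bits")
    return problems


if __name__ == "__main__":
    weak = build_sample_csr("RELAY01", 512)  # constructed sample input
    for problem in lint_csr(weak, "relay01.example.test"):
        print("FAIL:", problem)
```

To check a real request, pass the contents of the file saved by the wizard to lint_csr together with the FQDN that clients will use to reach the SSL Relay.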
You submit the CSR to the Certificate Authority and receive your signed SSL certificate and password in return. If your organization is a Certificate Authority, you should have your own procedures for supplying signed certificates.
Important The common name for the certificate must be the fully qualified domain name of the server.
You can use the Microsoft Web Server Certificate wizard in the IIS snap-in to request and import a certificate. You can use the wizard to request a certificate if you are using an external CA, or to request and also install the certificate if you are using an online CA (for example, if you have Microsoft Enterprise Certificate Services set up).
To request a certificate using IIS
1. Click Start > Programs > Administrative Tools > Internet Services Manager.
2. In the Internet Information Services Console tree, select Default Web Site and choose Properties from the Action menu.
3. Navigate to the Directory Security tab and select Server Certificate. The IIS Web Server Certificate wizard appears. Click Next.
4. Select Create a New Certificate and then click Next.
5. Select Prepare the request now, but send it later and then click Next.
6. In the Name field, type the name for the server certificate. The Name field does not require that you enter the FQDN of the server; you can enter a server name.
7. In Bit Length, enter the bit length to be used for the certificate's encryption strength. The greater the bit length, the higher the security. Citrix recommends that you select 1024 or higher. If you are specifying a bit length higher than 1024, verify that the clients you use can support it. Click Next.
8. Enter details about your organization. Click Next.
9. In Common Name, type the FQDN of the server on which the SSL Relay is running. Click Next.
10. Fill in the relevant geographical information. Click Next.
11. Save the certificate request and click Next. Verify the information in the Request File Summary.
12. Click Next and then click Finish.
The information in the request can be sent to any CA for signing.
3. In the left pane of the console, click the plus sign (+) for Certificates (Local Computer) to expand the folder.
4. Click the plus sign (+) to expand the Personal folder and then click Certificates.
5. In the right pane, select the certificate to import.
6. From the Action menu select All Tasks and then click Import. The Certificate Import wizard appears.
7. Click Next and then click Browse to search for the certificate file to be imported.
8. Select the certificate file and click Next.
9. Enter the private key password in the Password box and click Next.
10. Click Next to accept the default values in the next window and then click Finish to import the certificate.
2. On the Connection tab, type the new port number in the Relay Listening Port box.
3. Click OK.
See the Web Interface Administrator's Guide for the procedure to reconfigure servers running the Web Interface with the new port number.
To run SSL Relay on port 443 without using HTTPS
1. Stop the Microsoft Internet Information Service.
2. Configure and start the SSL Relay service.
3. Restart the Microsoft Internet Information Service.
SSL Relay will use port 443 before IIS, including when the server is restarted.
Note When you install MetaFrame Presentation Server, members of the User group are allowed to edit registry entries in the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Secure\Citrix\Citrix SSL Relay. You can use the Microsoft Security Configuration and Analysis tool to prevent members of the User group from editing these registry entries.
Important If you change the default Citrix SSL Relay port, you must set SSLProxyHost to the new port number in the MetaFrame Presentation Server Client for Win32 Appsrv.ini file. For more information about client settings, see the Client for 32-bit Windows Administrator's Guide.
Connections you route through Secure Gateway
If the server running MetaFrame Presentation Server requires smart card logon
If the authenticated user account requires a smart card for interactive logon
SSPI requires XML Service DNS address resolution to be enabled for the server farm, or reverse DNS resolution to be enabled for the Active Directory domain.
To enable XML Service DNS address resolution
1. In the Presentation Server Console, select the farm for which you want to enable DNS address resolution.
2. From the Actions menu, select Properties. The farm Properties page appears.
3. Select MetaFrame Settings.
4. Check Enable XML Service DNS address resolution and then click OK.
To disable Kerberos logon to a particular server
CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
To disable Kerberos logon to a particular server, set the following registry key on the server:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Logon\DisableSSPI = 1
You can configure the Client for 32-bit Windows to use Kerberos with or without pass-through authentication. For more information about client configuration, see the Client for 32-bit Windows Administrator's Guide.
5. Select the performance counters you want to monitor and click Add.
6. Click Close.
7. Use the Windows Performance Console controls that appear at the top of the right pane to switch views, add counters, and so on.
where yyyy is the year, mm is the month, and dd is the day of the log file creation. The first time the STA is loaded, it creates a log file. To view entries in the STA log, use a plain-text editor to open the log file. If the STA does not create a log file, it may be due to lack of write privileges to the \inetpub\scripts directory. The sections that follow identify error messages you may find in the STA log.
CSG1003: Unable to access XML translation file CtxXmlss.txt.
CSG1004: Insufficient memory to initialize system.
CSG1005: Missing entry in config file for configuration parameter.
Warning Messages
These messages are logged as a result of events caused by corrupted data requests or data packets received, ticket time-outs, and so on. In general, these errors are likely to occur when the data request originates from an unknown source:
Error Number: CSG1201
Error Message: Request Data - Parsing failed, bad XML.
Description: Data request packet contains corrupt XML data and cannot be parsed.

Error Number: CSG1202
Error Message: Request Data - No ticket or wrong ticket version in XML.
Description: The request is not in the right format for the STA to resolve the ticket to its associated data. The request is rejected.

Error Message: Request Data - Ticket not found.
Description: The ticket requested is not found. This can occur if the ticket times out.

Error Message: Request Ticket - Parsing failed, bad XML.
Description: The ticket request failed because the STA encountered unknown XML data. The ticket cannot be parsed.

Error Message: Request Ticket - No data or wrong type in XML.
Description: Data request packet received contains no data or incorrect XML data. Ticketing failed.

Error Message: Request Ticket - No memory to save data.
Description: The system is low on memory and cannot save the ticket request.

Error Message: Request Ticket - Maximum reached, data NOT saved.
Description: The maximum active ticket limit is reached. Ticketing failed. Increase the maximum ticket limit or reduce the ticket lifetime.
Error Number: CSG1208
Error Message: Request Ticket - Failed, data NOT saved.
Description: A system error occurred when trying to save this ticket.

Error Number: CSG1209
Error Message: Unused tickets still in IMDB at unload.
Description: The STA terminated abruptly. Unused tickets are still present in the In-Memory Database (IMDB).
Status Messages
These status messages are logged as a result of normal STA operations.
Error Number: CSG1301
Error Message: CtxSTA.dll Loaded.
Description: The STA is started.

Error Number: CSG1302
Error Message: CtxSTA.dll Unloaded.
Description: The STA is unloaded (stopped).

Error Number: CSG1303
Error Message: Ticket Timed Out.
Description: This ticket reached the maximum ticket lifetime and has now expired.

Error Number: CSG1304
Error Message: Request Data - Successful.
Description: This ticket data request is successful.

Error Number: CSG1305
Error Message: Request Ticket - Successful.
Description: This ticket request is successful.

Error Number: CSG1306
Error Message: Log file index reset to 000 (from 999).
Description: 1000 log files were generated in a 24-hour period. The STA now reuses the oldest log file, STAyyyymmdd000.log.
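The following script is an added example, not part of the Citrix guide or product. It triages STA log lines by the CSG message numbers listed above, flagging bursts of warning messages (which the guide associates with requests from unknown sources), abrupt unloads, and log index resets. The log line layout in the sample, the class ranges, the threshold, and all function names are assumptions; only the CSG numbers and the STAyyyymmdd000.log naming come from the guide.

```python
import re
from collections import Counter
from datetime import date

# File name layout from the guide: STAyyyymmddNNN.log. Accepting an optional
# "-" before the three-digit index is an assumption, not stated in the guide.
NAME_RE = re.compile(r"^STA(\d{4})(\d{2})(\d{2})-?(\d{3})\.log$", re.IGNORECASE)
# Only the CSGnnnn token is relied on, so the rest of a line may have any layout.
CODE_RE = re.compile(r"\bCSG(\d{4})\b")

ABRUPT_UNLOAD = 1209  # "Unused tickets still in IMDB at unload."
INDEX_RESET = 1306    # "Log file index reset to 000 (from 999)."

# Constructed sample lines; the timestamp and column layout are assumptions.
SAMPLE_LOG = """\
2005/03/14 09:00:01 CSG1301 CtxSTA.dll Loaded.
2005/03/14 09:02:10 CSG1305 Request Ticket - Successful.
2005/03/14 09:02:11 CSG1304 Request Data - Successful.
2005/03/14 09:15:40 CSG1201 Request Data - Parsing failed, bad XML.
2005/03/14 09:15:41 CSG1201 Request Data - Parsing failed, bad XML.
2005/03/14 09:15:43 CSG1202 Request Data - No ticket or wrong ticket version in XML.
2005/03/14 09:20:00 CSG1303 Ticket Timed Out.
2005/03/14 09:31:12 CSG1209 Unused tickets still in IMDB at unload.
""".splitlines()


def parse_log_name(name):
    """Return (creation date, file index) for an STA log name, or None."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    year, month, day, index = (int(g) for g in m.groups())
    try:
        return date(year, month, day), index
    except ValueError:  # digits that do not form a real calendar date
        return None


def classify(code):
    """Map a CSG number to a class. The ranges are inferred from the codes
    the guide lists (10xx errors, 12xx warnings, 13xx status messages)."""
    if 1000 <= code <= 1099:
        return "error"
    if 1200 <= code <= 1299:
        return "warning"
    if 1300 <= code <= 1399:
        return "status"
    return "unknown"


def summarize(lines):
    """Count messages per class and per CSG number; lines without a code are skipped."""
    by_class, by_code = Counter(), Counter()
    for line in lines:
        m = CODE_RE.search(line)
        if m is None:
            continue
        code = int(m.group(1))
        by_code[code] += 1
        by_class[classify(code)] += 1
    return by_class, by_code


def triage(lines, warn_threshold=3):
    """Return (key, detail) findings for one log file, most severe first."""
    by_class, by_code = summarize(lines)
    findings = []
    if by_class["error"]:
        findings.append(("sta_error", f"{by_class['error']} error message(s)"))
    if by_class["warning"] >= warn_threshold:
        findings.append(("warning_burst",
                         f"{by_class['warning']} warnings; check the request source"))
    if by_code[ABRUPT_UNLOAD]:
        findings.append(("abrupt_unload", "STA terminated with unused tickets in IMDB"))
    if by_code[INDEX_RESET]:
        findings.append(("index_reset", "1000 log files in 24 hours; oldest file reused"))
    return findings


if __name__ == "__main__":
    print(parse_log_name("STA20050314000.log"))
    for key, detail in triage(SAMPLE_LOG):
        print(f"{key}: {detail}")
```

An index reset means older log files are being overwritten, so collect the logs before relying on them to reconstruct a sequence of events.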
CHAPTER 8
MetaFrame Presentation Server lets users run applications published on servers by enabling connections from varied computer platforms through MetaFrame Presentation Server Client software. Managing the connections to your server farm involves management of network access and configuring connections to the farm. You manage user access through standard Windows permissions and account configuration tools. MetaFrame Presentation Server provides the tools you use to configure ICA connections.
To start the Citrix Connection Configuration utility
Select Citrix Connection Configuration from the Citrix program group in the Start menu.
From the Citrix Connection Configuration window, you can view the existing ICA and RDP connections. You can use the Connections menu to add, edit, or delete ICA connections. For more information about procedures for adding and modifying connections, choose Contents from the Help menu in the Citrix Connection Configuration utility.
This screen capture shows the New Connection dialog box with network transport configuration options.
3. Type a name for the connection in the Name box. You can enter an optional description in the Comment box.
4. From the Type list, select Citrix ICA 3.0.
5. From the Transport list, select the transport protocol.
6. Click OK to add the ICA connection. If a connection with these settings exists, a message tells you that a connection cannot be created with the same settings.
This screen capture shows the New Connection dialog box with asynchronous transport configuration options.
3. Type a name for the new connection.
4. From the Type list, select Citrix ICA 3.0.
5. From the Transport list, select async. Options for asynchronous connections appear in the dialog box.
6. From the Device list, select the COM port for the connection. Standard COM ports appear in the list. If a TAPI modem is installed on a COM port, the modem type follows the COM port name in the list. If a modem is installed on a particular COM port, you cannot select that COM port for a direct cable (null modem). To install a modem, click Install Modem. Then, follow the instructions in the Install New Modem wizard to install and configure the modem. To configure an existing modem, click Modem Properties.
7. Click OK to add the connection. If a connection with these settings exists, a message tells you that a connection cannot be created with the same settings.
You can click Advanced, ICA Settings, and Client Settings in the New Connection or Edit Connection dialog box to configure per-connection settings. For example, for a particular ICA connection, you can set a time-out value in the Advanced Connection Settings dialog box. This time-out setting affects the sessions of all users who link to the server through that ICA connection. Procedures for configuring per-connection settings appear later in this chapter.
Per-user settings. User and group settings that you configure in Windows apply to any ICA connection. These settings, which are based on individual user accounts, include user names and group memberships, permissions, and dial-in settings. For more information about per-user settings, refer to your Windows documentation. See the Windows online help for Local Users and Groups, or Active Directory Users and Computers.
Per-client settings. You can configure a MetaFrame Presentation Server Client to enable additional security and compression. These settings apply to any ICA session established by that client, independent of the person using the client device or the ICA connection used for the session. For information about configuring per-client settings, see the Client Administrator's Guide for each client that you deploy.
Precedence of Settings
A setting you specify in the Citrix Connection Configuration utility takes precedence over per-user and per-client settings. However, for some ICA connection settings, you can select an option to apply settings from user accounts or clients to the ICA connection. You can specify that an ICA connection use some settings from user accounts by selecting Inherit User Config. You can specify that an ICA connection use some settings from MetaFrame Presentation Server Clients by selecting Inherit Client Config.
If you select one of these check boxes, the associated ICA connection settings are dimmed and cannot be edited. The setting specified by the Windows user account or client takes precedence over the ICA connection setting. If you clear the check box for these options, the original ICA connection settings take effect.
Important You can create policies to enable some connection settings for specific users, clients, or servers. Policies override similar connection settings configured in the Citrix Connection Configuration utility. However, if you disable functionality in the Citrix Connection Configuration utility, you cannot enable the functionality by creating policies. For more information about policies, see Creating and Applying Policies on page 289.
This screen capture shows modem callback options from the Edit Connection dialog box.
Select the Inherit User Config check box to enable modem callback only for users who have modem callback enabled in their Windows user accounts. When this option is selected, the drop-down list is not available. From the drop-down list, choose To a fixed phone number or To a roving phone number to enable modem callback for all users. Choose Disabled from the drop-down list to disable modem callback for all users.
When you enable modem callback, you can specify one callback phone number for all users. You might do this if all users dial in from one phone number at a branch office, or you can use callback numbers from each user's Windows account. Another option is to let users enter callback numbers when they make connections.
This screen capture shows asynchronous transport configuration options from the New Connection and Edit Connection dialog boxes.
With these options you can configure the following device and transmission properties for the ICA connection:
Device. Specifies the serial port (COM port) to use for the connection. The available COM ports on the server appear in the drop-down list.
Device Connect On. Specifies the signal type (CTS, DSR, RI, DCD, or First Character) for the server to use to determine when a connection is established and ready for user logon. You can select Always Connected to bypass connection detection.
Baud. Sets the communication rate for the connection. You can select standard baud rates from the drop-down list.
Set Defaults. Resets to default values the Device Connect On and Baud settings and the settings in the Advanced Async Configuration dialog box.
Advanced. Opens the Advanced Async Configuration dialog box for configuring additional serial port settings. These settings are described in the next section.
This screen capture shows the Async Test dialog box displaying received data.
The dialog box displays the name of the serial port and baud rate. A row of indicator lights shows the status of the DTR, RTS, CTS, DSR, DCD, and RI signals. You can type text in the scrolling area to send ASCII data to a device that is connected to the specified serial port. The text you type does not appear in the dialog box unless a connected device echoes text that it receives. If you transmit text from a terminal emulation program (such as HyperTerminal in Windows) that is running on a connected client device, the text appears in the Async Test dialog box if the connection is configured correctly.
From the first drop-down menu, select the hardware signal action that indicates the receive buffer is full. From the second menu, select the hardware signal action that indicates data transmission can proceed. The default settings are Turn off RTS when receive buffer is full and Transmit data when CTS is on.
This screen capture shows the Advanced Async Configuration dialog box with the flow control option Hardware (RTS/CTS) selected. Options available are hardware flow control, DTR state, parity, and stop.
Software Flow Control. If you select Software in the Flow Control area, the options in the Software Flow Control area are available to specify the start and stop characters for data transmission. Select Decimal or Hex to define character values, and then type decimal or hex values in the text boxes to set the Xon and Xoff characters for software flow control.
This screen capture shows the Advanced Async Configuration dialog box with the flow control option Software (Xon/Xoff) selected. Options available are software flow control, DTR state, RTS state, parity, and stop.
DTR State. The DTR State options are available with any flow control option unless you select Turn Off DTR for Hardware Flow Control. Select On to specify that the Data Terminal Ready (DTR) signal is always on. Select Off to specify that the signal is always off.
RTS State. These options are available with any flow control option unless you select Turn Off RTS for Hardware Flow Control. Select On to specify that the Request To Send (RTS) signal is always on. Select Off to specify that the signal is always off.
Parity. Click an option to specify the parity type or click None to specify no parity setting.
Stop. Select 1 or 2 to specify the number of stop bits per character.
Byte. This setting for the configuration of transmitted data cannot be changed because ICA protocol requires 8 bits per byte.
This screen capture shows the Advanced Connection Settings dialog box with options for logon, time out, security, auto-logon, initialization, user profile overrides, and other connection settings.
MetaFrame Presentation Server provides additional options for controlling connections from clients, limiting ICA sessions, and restricting application usage. For more information, see Controlling User Logons on page 271 and Controlling User Connections on page 275.
Notify
For example, one option in the Shadowing menu states: is enabled, input off, notify on. This setting does the following: allows shadowing, prohibits remote control with the keyboard and mouse during shadowing, and requires the notification (and permission) of client users before anyone can shadow their sessions.
Note If you disable input for remote control or user notification when you install MetaFrame Presentation Server, options for these features are not available in the Shadowing menu in the Citrix Connection Configuration utility. However, the options still appear in Microsoft's user properties dialog box, but choosing them does not override the settings you select during MetaFrame Presentation Server installation. In general, you can use individual client properties to disable shadowing features on a per-user basis, but not to enable shadowing features that you disable on a server.
Configuring Audio
MetaFrame Presentation Server offers you a variety of tools to manage and control the availability of sound in client sessions, both in terms of quality and cost in resources, including:
Audio properties you configure for individual published applications
Audio related policies and settings you configure for specific connection types
Audio settings the user configures on the client device
For example, you can use audio related connection policies to control bandwidth usage and server CPU utilization. You can configure a policy rule to enable audio for connections where audio is essential, and configure another rule to disable audio for connections where it is not essential. From the Presentation Server Console, you control the availability of speakers and microphones in client sessions with separate policy rules. On the client device, a single setting controls both. To enable audio on the client device, the user selects an audio quality level from the Settings dialog box (for Program Neighborhood) or from the Properties dialog box (for Program Neighborhood Agent). The connection policies you configure on the server determine what audio quality levels are available to the user. Connection policies permitting, enabling audio on the client device turns on speakers, microphones, or both.
Important This section covers aspects of enabling audio support on servers. To use audio in client sessions, users must also enable audio on the client device. For more information about enabling audio for clients, see the Administrator's Guides for the clients you want to configure.
You control the availability and quality of audio in client sessions by performing the following two steps:
Note The availability and quality of audio in client sessions is determined both by Terminal Services Configuration settings and by policies you configure through the Presentation Server Console. By default, Terminal Services settings are configured, whereas Presentation Server policies are not. This means that Terminal Services settings apply by default, making medium quality audio available in client sessions until you configure Presentation Server policies that override the Terminal Services settings. If configured, Presentation Server policies override Terminal Services settings.
To configure audio compression and output quality
1. In the Presentation Server Console, select the policy for which you want to configure the rule.
2. From the Actions menu, select Properties.
3. Select Client Devices > Resources > Audio > Sound quality and configure the rule. Choose from the following levels of sound quality:
Low sound quality; best performance. This setting is recommended for low-bandwidth connections. This setting causes any sounds sent to the client to be compressed to a maximum of 16Kbps. This compression results in a significant decrease in the quality of the sound. The CPU requirements and benefits of this setting are similar to those of the Medium setting; however, the lower data rate allows reasonable performance for a low-bandwidth connection.
Medium sound quality; good performance. This setting is recommended for most LAN-based connections. This setting causes any sounds sent to the client to be compressed to a maximum of 64Kbps. This compression results in a moderate decrease in the quality of the sound played on the client device.
High sound quality; lowest performance. This setting is recommended for connections only where bandwidth is plentiful and sound quality is important. This setting allows clients to play a sound file at its native data rate. Sounds at the highest quality level require about 1.3Mbps of bandwidth to play clearly. Transmitting this amount of data can result in increased CPU utilization and network congestion.
Note High sound quality increases bandwidth requirements by sending more audio data to clients and increases server CPU utilization.
By default, when you enable this rule, the medium sound quality level is selected.
4. Select Enabled and Use client microphones for audio input.
5. Click OK when you are done.
Note Microphone input is supported on MetaFrame Presentation Server Clients for Win32, Windows CE, and Linux. The Clients for Linux and Windows CE do not support Philips SpeechMike products.
By default, when you configure this rule, audio input is enabled on client devices. Users can override the policy and disable their microphones by selecting No in the Client Audio Security dialog box. Users of Program Neighborhood and Program Neighborhood Agent access this dialog box from the Program Neighborhood Connection Center (for seamless connections), or from either the Program Neighborhood Connection Center or the client's system menu (for non-seamless connections). Users of other MetaFrame Presentation Server Clients are automatically presented with the same dialog box at the beginning of their sessions.
To enable audio output for client sessions
1. Select the policy for which you want to enable audio output.
2. From the Actions menu, select Properties.
3. Select Client Devices > Resources > Audio > Turn off speakers.
4. Select Disabled.
5. Click OK when you are done.
By default, when you configure this rule, client speakers are disabled.
By default, Mouse Click Feedback is enabled and Local Text Echo is not enabled. You can enable and disable Mouse Click Feedback at the server level and Local Text Echo both at the server and application level. You can also configure Local Text Echo settings for individual input fields within an application. See the application help for SpeedScreen Latency Reduction Manager for more information. Note Applications that use non-standard Windows APIs for displaying text may not support Local Text Echo. To launch SpeedScreen Latency Reduction Manager, click its button on the ICA Administrator Toolbar or select SpeedScreen Latency Reduction Manager from the Citrix program group in the Start menu. Important Test all aspects of an application with Local Text Echo in a nonproduction environment before enabling text echo for your users.
To further accelerate the accessibility of Web pages and email, you can enable JPEG compression with SpeedScreen Browser Acceleration. JPEG compression offers you a trade-off between the quality of JPEG files as they appear on client devices and the amount of bandwidth the files consume on their way from server to client. JPEG compression results in slightly lower image resolution and slightly higher resource consumption on both server and client. It does not affect JPEG files rendered by applications other than those mentioned above. For information about improving the throughput of image files rendered by other applications, see Optimizing Throughput of Image Files on page 212. SpeedScreen Browser Acceleration requires Version 7.0 or later of the MetaFrame Presentation Server Clients for Win32, Internet Explorer 5.5 or later, and High Color (16 bit) or greater connection color depth. By default, SpeedScreen Browser Acceleration is enabled at the server farm level. You can customize the settings for this feature at the farm level and for individual servers. To do this, select the corresponding farm or server Properties page in the Presentation Server Console and modify the SpeedScreen Browser Acceleration settings as appropriate.
Without SpeedScreen Multimedia Acceleration, the cumulative cost of several users playing multimedia content in ICA sessions at the same time is high, both in terms of server CPU utilization and network bandwidth consumption. When you play multimedia content in an ICA session, the server decompresses and renders the multimedia file, which increases the server's CPU utilization. The server sends the file over the network in uncompressed form, which consumes more bandwidth than the same file requires in compressed form. With SpeedScreen Multimedia Acceleration, the server streams multimedia to the client in the original, compressed form. This reduces bandwidth consumption and leaves the media for the client device to decompress and render, thereby reducing server CPU utilization.
SpeedScreen Multimedia Acceleration optimizes multimedia files that are encoded with codecs (compression algorithms) that adhere to Microsoft's DirectShow standards. DirectShow is an application programming interface (API) that allows, among other things, multimedia playback. To play back a given multimedia file, a codec compatible with the encoding format of the multimedia file must be present on the client device. As a rule of thumb, if you can play back a given multimedia file locally on a given client device, you can play back the same file on the same client device within an ICA session. Users can download a wide range of codecs, such as those supported by Windows Media Player or RealOne Player, from vendor Web sites. By default, SpeedScreen Multimedia Acceleration is enabled at the server farm level. You can customize the settings for this feature at the farm level and for individual servers. To do this, select the corresponding farm or server Properties page in the Presentation Server Console and modify the SpeedScreen Multimedia Acceleration settings as appropriate.
Note With SpeedScreen Multimedia Acceleration enabled, RealOne Player's built-in volume and balance controls do not work within client sessions. Instead, users can adjust volume and balance from the volume controls available from the client notification area.
Note There is a slight delay between the time a user logs on to a session and the time policy rules, if configured, take effect. For the time immediately following a user's logon and before policy rules take effect, SpeedScreen Image Acceleration defaults to low image compression. This behavior improves session performance by slightly accelerating image throughput while decreasing image quality only marginally. Then, if a policy rule is configured for the user's connection type, the policy rule takes effect, overriding the default setting. If no policy rule is configured, SpeedScreen Image Acceleration applies image compression as follows: Medium compression for WAN and lower bandwidth connections, no compression for LAN connections. Medium compression amounts to slightly better session performance due to slightly lower image quality. Use policy rules to override the default behavior as appropriate.
During logon, the client informs the server of the available client drives, COM ports, and LPT ports. By default, client drives are mapped to server drive letters and server print queues are created for client printers so they appear to be directly connected to the server. These mappings are available only for the current user during the current session. They are deleted when the user logs off and recreated the next time the user logs on. MetaFrame Presentation Server lists all client disk and printer devices in the Microsoft window that displays objects in the Client Network. During a client session, users can use ICA Printer Configuration to map client devices not automatically mapped at logon. For more information about using the ICA Printer Configuration utility, see the Administrator's Guides for the clients you plan to deploy.
However, the same drive letters are often in use by the drives on the server. In this case, client drives are mapped to different drive letters. The server starts at V and searches in ascending order for unassigned drive letters.
CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
You can avoid this problem by adding two registry values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\InitialNetwareDrive.
REG_SZ: InitialClientDrive. Defines the first drive letter to use for client drive mapping. The system searches backward through the alphabet to assign drive letters to client drives that could not be mapped to their native drive letters.
REG_SZ: InitialNetWareDrive. Defines the drive letter to use for the NetWare SYS:LOGIN directory that is mapped to the preferred server during the initial NetWare attachment. This setting is the equivalent of the DOS VLM Net.cfg setting First Network Drive. If this value is not set, the first available drive letter starting with C and ending with Z is used for this mapping.
For more information about client COM port mapping, see the Administrator's Guides for the clients you plan to deploy.
You can turn off client drive mapping through policies you configure in MetaFrame Presentation Server. MetaFrame Presentation Server now fully applies client drive access restrictions that you specify in policy rules that turn off mapping to client drives. Releases earlier than MetaFrame Presentation Server 3.0 allowed applications to access a restricted client drive through a UNC path even when a policy rule turned off mapping to the client drive. Now, applications cannot access client drives restricted through policy rules that turn off mapping to the client drive.
CHAPTER 9
This chapter addresses issues to help you plan and implement your deployment of MetaFrame Presentation Server Client software to users.
Tip If you are updating the MetaFrame Presentation Server Clients, use the Client Update Database to deploy the latest versions of the client software.
If you are a system administrator for a small company with users in one physical location, installing the client software from floppy disks or from a network file server presents few problems. You can eliminate user involvement in the installation process by installing the client software on each user's machine using a set of floppy disks or the MetaFrame Presentation Server Components CD. This method is useful if your users have limited computer experience.
If your users have a moderate level of computer expertise, you can direct them to a network share point containing the client software. You can send users an email message that contains both a link to the installation files and instructions for installing the software. Installation by users can eliminate the need for you to manually install client software. In a large enterprise or an application service provider (ASP) environment with hundreds or thousands of users in multiple locations, manual installation methods are not efficient. In these situations, Web delivery of client software or deploying with Active Directory or Microsoft Systems Management Server are the best choices. The table below lists common computing environments and the appropriate deployment methods to use in each scenario.
Organization Enterprise, ASP supplying personalized content and published applications Deployment method The Web Interface Requirements Users click links on their desktops or run a supported Web browser (see the Web Interface Administrators Guide for a full list). Users download client software from a centralized location. See your Windows or SMS documentation for more information. Users run a Web browser to access a client download Web site and install software. Users connect to a network share point and install software. Client devices have floppy disk drives.
Web-based installation
Enterprise, small business Small business (single site); organization with remote users who require client installation diskettes
Providing Application Access with the Web Interface for MetaFrame Presentation Server
If you implemented or plan to implement a corporate Web-based access point, use the Web Interface for MetaFrame Presentation Server to integrate personalized application sets and information into your company's Web site. With the Web Interface, users can access published applications through program icons on their desktops, in their Start menus (with Program Neighborhood Agent), or through Web browsers. A Web-integrated MetaFrame Presentation Server system consists of three components: a server farm, a Web server, and client devices. When a user logs on to the Web Interface, the Web-based client installation feature checks the user's computer for the presence of ICA or Remote Desktop Connection software. If the necessary client software is not detected, the client installation feature presents the appropriate client software for download and setup.
Important When you choose to install the Web Interface, a Web site is installed in a Citrix folder under the Web document root of the server; for example, c:\Inetpub\wwwroot\Citrix\MetaFrame. This Web site contains logic that at runtime references the server's document root directory for the presence of client software. To use the client installation feature of the Web Interface, copy the Icaweb folder on the MetaFrame Presentation Server Components CD into the Citrix folder in the Web document folder; for example, c:\Inetpub\wwwroot\Citrix\Icaweb. You must copy the entire Icaweb folder to the Citrix folder to enable Web-based Client installation from the Web Interface.
If you plan to use the Web Interface, see the Web Interface Administrator's Guide for more information. If you do not plan to use the Web Interface but want to deploy client software over the Web, see Deploying Client Software over the Web on page 229.
For detailed instructions about running the ICA Client Distribution wizard, see Installing Client Software on the Server on page 139.
The infrastructure to support Remote Desktop sessions on MetaFrame Presentation Server, including the Remote Desktop Web Connection ActiveX control, is installed with MetaFrame Presentation Server and the Web Interface. Users connecting to MetaFrame Presentation Server with the Remote Desktop Web Connection ActiveX control draw licenses from your license entitlement the same way users connecting with Client software do. Use the administrative controls of the Web Interface Console to configure the availability of the Remote Desktop Web Connection ActiveX control to users. Use the standard MetaFrame Presentation Server management tools to monitor and manage Remote Desktop sessions. For information about configuring the Web Interface, see the Web Interface Administrator's Guide.
Client System Requirements
Internet Explorer 5.5 or later
Supported client operating systems: Windows 2000, Windows NT 4.0, Windows Server 2003, Windows XP, Windows XP Media Center Edition, Windows 98, Windows Me
Note You cannot route remote desktop sessions through Secure Gateway.
See the following table for an overview of MetaFrame Presentation Server features and their availability through remote desktop sessions.
MetaFrame Presentation Server Feature Availability for Users of the Remote Desktop Connection ActiveX Control:
MetaFrame Presentation Server Feature | Supported with Remote Desktop Connection Software
Content redirection from client to server | no
Content redirection from server to client | no
Digital Dictation Support | no
Dynamic Session Reconfiguration | yes
MetaFrame Presentation Server Client options (audio, encryption, printing settings) | no
ICA Keep-Alive | no
Improved User Logon | partially*
Printer bandwidth | no
Published application shortcuts on client desktop and Start menu | no
Session Reliability | no
SpeedScreen Browser Acceleration | no
SpeedScreen Flash Acceleration | no
SpeedScreen Image Acceleration | no
SpeedScreen Multimedia Acceleration | no
SpeedScreen Latency Reduction Manager | no
Workspace Control | no
Zone Preference and Failover | yes
* Improved user logon, a new feature in this release of MetaFrame Presentation Server, allows users to see all connection and logon status information in a sequence of windows, from the time they click a link to a published application on the Web Interface, through the authentication process, to the moment the published application launches in the session. Some of the windows are generated by MetaFrame Presentation Server, others by functionality provided by the client software. The Remote Desktop Web Connection ActiveX control does not provide this functionality. As a result, when you connect to MetaFrame Presentation Server using the Remote Desktop Web Connection ActiveX control, you see only the windows generated by MetaFrame Presentation Server; the client-side portion of the feature is not available.
Explicit
Smart card Note: Support for smart card in combination with Remote Desktop Connection software is available only on servers running Windows Server 2003.
Integrate ICA functionality into third-party applications
Use the ICA Client Object APIs within custom scripts (Visual Basic and HTML) to programmatically integrate and manipulate the appearance and behavior of the client
For more information about the ICA Client Object, see the Citrix ICA Client Object Programmer's Guide, available from the Citrix Knowledge Center at http://support.citrix.com.
Organization | Deployment Method
Enterprise, ASP supplying personalized content and published applications | Web Interface
Enterprise, ASP, small business | Active Directory or Systems Management Server; MetaFrame Presentation Server Client download Web site
Enterprise, small business | Network share point
Small business (single site); organization with remote users who require MetaFrame Presentation Server Client installation floppy disks | MetaFrame Presentation Server Components CD; floppy disks
For examples of client deployment practices, see Client Deployment Practices on page 230.
Copying the client software to a server running MetaFrame Presentation Server and to the Client Update Database allows you to manage and update the client software from a single, central location. To copy the client software to a server and to the Client Update Database, use the ICA Client Distribution wizard. The wizard is available during MetaFrame Presentation Server Setup and thereafter by selecting ICA Client Distribution Wizard from the Citrix program group in the Start menu. For detailed instructions about running the ICA Client Distribution wizard, see Installing Client Software on the Server on page 139.
Separate, self-extracting executable (.exe) files for each MetaFrame Presentation Server Client for 32-bit Windows are also located in the Icaweb\language\ folder. Note The Windows Installer service is present by default on computers running Windows 2000, Windows XP, Windows Me, or Windows Server 2003. On computers running older operating systems, you must install the Windows Installer service.
Manufacturing Enterprise
The Best Paper Company employs approximately 30,000 people, located in shopfloor sites and remote offices in several countries. The enterprise has many pockets of MetaFrame Presentation Server installations, each owned and managed by a different team. Published applications include PeopleSoft and Oracle Manufacturing and Financials. The networking environment includes the following:
Ethernet LANs
Frame Relay WAN
Internet connections for remote users
TCP/IP network protocol
Thousands of 486 PCs running Windows 95
Thousands of Pentium PCs running Windows 2000
The Best Paper Company is using the Web Interface for MetaFrame Presentation Server to give users access to critical applications. The company's existing farms function as an application serving back-end. The server farm supplies application set information and hosts published applications. Application sets are delivered to groups or individual users, based on their role in the company. A user launches a Web browser to connect to the logon page for the Web Interface. When the user is authenticated to the server farm, the application set assigned to the user is displayed within the browser. To start an application, the user clicks a hyperlink on the Web Interface page. The company uses the Web Interface's built-in Web-based ICA Client Installation feature to deploy the client software. When a user launches an application, the user's computer is checked for the presence of the client software. If the client is not detected, the user's platform is identified and the appropriate client software is presented for download and setup. The Web browser and the client software work together as viewer and engine. The browser displays the user's application sets and the client software launches applications. For more information about the Web Interface, see the Web Interface Administrator's Guide.
LinkToUs customers can choose from a variety of published application set packages that can include applications from Microsoft, Onyx, Sales Logic, and Pivotal. With the implementation of the Web Interface, LinkToUs is now also designing and hosting highly customized corporate entry portals providing application integration, personalized Web content, external Web content integration, and search and categorization features. LinkToUs works closely with its customers to develop user groups that meet their needs, and then builds application sets based on these groups. The ASP can display published applications from several server farms, including servers running MetaFrame Presentation Server for Windows or MetaFrame Presentation Server for UNIX, on a single Web page. The Web developers at LinkToUs created a simple script that allows automatic download and installation of the Web Client. When users access the corporate portal hosted by LinkToUs for the first time, the Web Client is automatically downloaded and installed on the user's computer. For more information about the Web Interface, see the Web Interface Administrator's Guide. For more information about automatic download and installation of Web Clients, see the Knowledge Center, accessible from the Support area of the Citrix Web site at http://support.citrix.com.
Insurance Company
Protection Insurance is a mid-sized company with 800 employees. Published applications include PeopleSoft and customized applications for the insurance industry from JDE and Prelude. The networking environment includes:
Ethernet LAN, Internet, and dial-up connections
TCP/IP network protocol
This diagram shows the following: 1. A user attempts to connect to an application published on a server. 2. The central Client Update Database detects an older version of the client software on the client device and prompts the user to update to the new version. 3. The user accepts the update. The Client Update Database pushes the new client software to the client device.
The purchasing department preconfigures users' systems to include the latest version of the MetaFrame Presentation Server Clients for 32-bit Windows. When applications are published, a shortcut to each application is placed on the user's Start menu. Users can also launch Program Neighborhood to access other application sets they have permission to use. When Citrix releases a new version of the client software, Protection Insurance's IT staff adds the client to the Client Update Database. When users initiate their connections to a server, the new client software is pushed to their client devices. A MetaFrame administrator sets the update options to force users to disconnect from their ICA sessions and accept the updates. This ensures that all staff members are using the most current version of the client software.
CHAPTER 10
With MetaFrame Presentation Server, you can expand users' access to information. You make information available to users by publishing applications and files on servers. You then decide whether users should open certain file types with these published applications or with applications running locally on client devices. You can publish the following types of resources:
Applications installed on servers running MetaFrame Presentation Server. When users access them, the published applications appear to be running locally on client devices. You can publish any application that can run on the Windows console (32-bit Windows applications, 16-bit Windows applications, DOS applications, POSIX applications, and OS/2 applications).
The server's desktop, so users can access all of the resources available on the server.
Data files such as Web pages, documents, sound files, spreadsheets, and URLs. In MetaFrame Presentation Server, the combined total of data types you can publish is referred to as content.
You can adjust server load calculations for individual servers with Load Manager. For instructions about configuring load evaluators, see the Load Manager Administrator's Guide, available from the Document Center or the Documentation folder on the product CD.
To use MetaFrame Presentation Server to solve many of these types of problems, review the following questions: Which types of applications should users run on MetaFrame Presentation Servers? For example, if users introduce viruses and other destructive elements into the network, publishing email applications, or perhaps all applications, for users to access on servers can add a layer of protection. If you prefer to have users run applications such as email programs locally, you can use content redirection in conjunction with the Win32 Program Neighborhood Agent to redirect application launching from the client device to the server. When users double-click email attachments encountered in an application running locally, the attachment opens in an application that is published on the server, associated with the corresponding file type, and assigned to the user. Which types of applications should users run locally on client devices? When running published instances of Web browsers, email clients, or office productivity software, users may frequently access files that call on other applications for rendering. For example, a multimedia file embedded in a Web page may be associated with Windows Media Player. Leveraging client-side resources to render multimedia files locally can reduce the toll on server processing power, memory, and network bandwidth. For users of MetaFrame Presentation Server Client software for 32-bit Windows, you can take advantage of SpeedScreen Multimedia Acceleration. SpeedScreen Multimedia Acceleration defrays the memory and processing power requirements that result from rendering multimedia files from servers to clients. It also sends multimedia files over the network in compressed form, thereby reducing bandwidth consumption. For users of older or non-Win32 Client software that does not support SpeedScreen Multimedia Acceleration, you can redirect URLs to multimedia files so that the files are rendered by applications present on client devices. 
Redirecting files to be rendered by client-side applications alleviates server load and frees server processing power for other users and applications. For information about SpeedScreen Multimedia Acceleration, see Optimizing Audio and Video Playback on page 210.
Which users should access applications locally and which should access applications published on servers? To provide a smoother user experience, review your user base, client hardware, and client operating systems to determine which users should open which types of applications. For example, you may publish a financial spreadsheet on a server for users in your accounting department to access. For security reasons, you want these users to open the published file with the associated application published on the server. However, you also published an audio file of a keynote speech given by the company president. To prevent the servers from becoming overloaded, you want users to open this file with player applications on their local client devices.
Use content redirection to redirect application launching from server to client or client to server. If a user receives an email attachment in a locally running email program, you can use content redirection to allow the attachment to be opened in a remote application published on a server. You can also allow users to open any Web and multimedia content they encounter while running a published application with local players, freeing server resources.
You can determine which applications, remote or local, users launch in which situations. For more information about content redirection, see Configuring Content Redirection on page 260.
Use the Presentation Server Console to publish applications. With the Presentation Server Console, you can publish applications on any server in the farm, including servers that are temporarily out of operation.
User authentication. Instead of logging on to and logging off from multiple servers to access applications, Program Neighborhood users can be authenticated once to all servers in a server farm and get immediate access to all applications configured for their user group or specific user names. Publishing applications for the special Citrix Anonymous user group lets you completely eliminate the need for user authentication for those applications you want to provide to all users on your network. For more information, see Anonymous Users on page 242.
Published applications are presented to users running the Win32 Program Neighborhood Client as application sets. An application set is a user's view of the resources that the user is authorized to run.
Note Users running the Win32 Program Neighborhood Client open the Program Neighborhood interface to connect to applications and content published in server farms. The Program Neighborhood Client runs on Windows XP, Windows 2000, Windows NT 4.0 Workstation, Windows 95, Windows 98, and Windows Me platforms.
Publishing applications in your server farm benefits users of most clients. Although the Clients for UNIX, Macintosh, DOS, and the Web Client do not support the complete (server- and client-side) administrative configuration of the ICA connection provided by Program Neighborhood, these clients do support connections to published applications. With the Clients for UNIX, Macintosh, and DOS, users benefit from application publishing's simplified addressing and desktop navigation when they configure connections to published applications using their connection configuration managers. With the clients that work with Web browsers (which are available as an Internet Explorer Active-X control, Netscape plug-in, or Java applet), you can create Web access that lets users click a link in a Web page to start a published application. You can use the Web Interface to achieve this.
Web access. Users who have the Win32 Web Client or the Client for Java can access applications using their Web browsers. You can use the Web Interface to present hyperlinks to published applications. When users click these links, the published application or content is launched on the server. The Client for Win32 Program Neighborhood Agent integrates hyperlinks to published applications into the Windows desktop. You must use the Web Interface to allow users to connect using the Program Neighborhood Agent. For more information about using the Program Neighborhood Agent, the Client for Win32 Web Client, or the Program Neighborhood, see the Client for 32-bit Windows Administrator's Guide, available from the Document Center or the Documentation folder on the product CD. For information about configuring Web access with the Web Interface, see the Web Interface Administrator's Guide.
For more information and instructions about configuring a server so it can provide virtual IP addresses, see Providing Virtual IP Address Ranges to Sessions on page 250.
An application requires a virtual loopback address if it:
Uses the Windows socket loopback (localhost) address 127.0.0.1
Uses a specified TCP port number
For more information and instructions about configuring a server so it can provide a virtual loopback address, see Providing Virtual Loopback Addresses on page 251.
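Why those two conditions matter on a multi-user server: every session shares one TCP/IP stack, so two instances of an application that listen on 127.0.0.1 at a fixed port collide, while instances bound to distinct loopback addresses do not. The sketch below is an added example, not Citrix code; the addresses 127.0.0.2 and 127.0.0.3 are constructed stand-ins for per-session loopback addresses, and it assumes an operating system that treats all of 127.0.0.0/8 as loopback (Linux and Windows do).

```python
import errno
import socket


def listen_on(addr, port):
    """Bind and listen on (addr, port); port 0 lets the OS pick a free one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        sock.listen(1)
    except OSError:
        sock.close()
        raise
    return sock


def run_sessions(session_addrs):
    """Start one instance of a fixed-port application per session.

    session_addrs holds the loopback address each session's instance binds to.
    The first instance picks the port; every later instance reuses it, as an
    application with a hard-coded port would.
    Returns (port, [(address, outcome), ...]).
    """
    port, outcomes, listeners = 0, [], []
    try:
        for addr in session_addrs:
            try:
                sock = listen_on(addr, port)
            except OSError as exc:
                name = errno.errorcode.get(exc.errno, "error %s" % exc.errno)
                outcomes.append((addr, "failed: " + name))
                continue
            listeners.append(sock)
            port = sock.getsockname()[1]
            outcomes.append((addr, "listening"))
    finally:
        for sock in listeners:
            sock.close()
    return port, outcomes


if __name__ == "__main__":
    # Two sessions sharing 127.0.0.1: the second instance cannot start.
    print(run_sessions(["127.0.0.1", "127.0.0.1"]))
    # Two sessions with their own loopback addresses: both instances start.
    print(run_sessions(["127.0.0.2", "127.0.0.3"]))
```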
Publishing applications in server farms lets you set up two types of application access: explicit user account access and anonymous access. Note The total number of users, whether anonymous or explicit, who are logged on to a server farm at the same time cannot exceed the total count of all the connection licenses available from the license server.
Anonymous Users
During MetaFrame Presentation Server installation, Setup creates a special user group named Anonymous. By default, this user group contains 15 user accounts with account names in the form Anonx, where x is a three-digit number from 000 to 014. By default, anonymous users have guest permissions.
Note MetaFrame Presentation Server cannot create anonymous user accounts on Windows primary or backup domain controllers. Therefore, you cannot publish applications for anonymous access on a server if it is a domain controller. Citrix does not recommend installing MetaFrame Presentation Server on Windows domain controllers.
If an application you publish on a server can be accessed by users with guest permissions, you can configure the application using the Presentation Server Console to allow access by anonymous users. When a user starts an application that is configured for anonymous users, the server does not require an explicit user name and password to log the user on to the server and run the application. Anonymous users are granted minimal ICA session permissions that include the following properties that differ from standard ICA session permissions for the default user:
Ten-minute idle (no user activity) time-out
Log off from broken or timed out connections
No password is required
The user cannot change the password
When an anonymous user session ends, no user information is retained. The server does not maintain desktop settings, user-specific files, or other resources created or configured for the client. For more information about configuration of client connections on servers, see Configuring ICA Connections on page 187.
Explicit Users
An explicit user is any user who is not a member of the Anonymous group. Explicit users have user accounts that you create, configure, and maintain with standard user account management tools. Explicit users who log on to a server farm to run applications have a persistent existence: their desktop settings, security settings, and other information are retained between client sessions in a specific user profile.
Important Do not assign any explicit users to the Anonymous group.
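One way to check a server against the two rules above (the Anonymous group holds the default Anon000 to Anon014 accounts, and no explicit user belongs to it) is to audit the output of `net localgroup Anonymous`. This is an added example, not part of the guide or of any Citrix tool; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample: text captured from `net localgroup Anonymous` on a server.
SAMPLE_OUTPUT = """\
Alias name     Anonymous
Comment        Constructed sample for this example

Members

-------------------------------------------------------------------------------
Anon000
Anon001
Anon002
Anon004
Anon015
CORP\\jsmith
svc_backup
The command completed successfully.
"""

ANON_NAME = re.compile(r"^Anon(\d{3})$", re.IGNORECASE)
DEFAULT_ACCOUNTS = {"Anon%03d" % n for n in range(15)}  # Anon000..Anon014


def parse_members(net_output):
    """Return the member names listed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if set(line) == {"-"}:  # the dashed rule precedes the member list
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def audit_anonymous_group(net_output):
    """Classify the members of the Anonymous group.

    explicit_members    - accounts not named AnonNNN; the guide says never to
                          place explicit users in this group
    missing_defaults    - default accounts (Anon000..Anon014) that are absent
    extra_anon_accounts - AnonNNN accounts outside the default range
    """
    explicit, extra, present = [], [], set()
    for name in parse_members(net_output):
        match = ANON_NAME.match(name)
        if not match:
            explicit.append(name)
        elif int(match.group(1)) < 15:
            present.add("Anon" + match.group(1))
        else:
            extra.append(name)
    return {
        "explicit_members": sorted(explicit),
        "missing_defaults": sorted(DEFAULT_ACCOUNTS - present),
        "extra_anon_accounts": sorted(extra),
    }


if __name__ == "__main__":
    for finding, names in audit_anonymous_group(SAMPLE_OUTPUT).items():
        print(finding, names)
```

Any name reported under explicit_members keeps its guest-level, passwordless group membership until it is removed from the group, so that list is the one to act on first.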
Tip If you want to publish an application on additional servers, you can drag the application in the console tree and drop it on servers to publish the application on the servers. The application must already be installed on the servers, and it inherits its settings from the first server where you published the application. Some published applications may require a unique IP address or a loopback address in sessions. For more information about determining whether a unique IP address or a loopback address is needed for your published applications, see Determining Whether to Provide Virtual IP Addresses or a Virtual Loopback Address on page 240.
Important If you install and then publish applications after installing MetaFrame Presentation Server, you must update the file type associations in the server's Windows registry. For instructions for doing this, see Updating File Type Associations in the Server Farm on page 247.
When you associate published applications with file types and then assign the applications to users, you automatically implement the following: 1. Users running the Program Neighborhood Agent open all files of the associated type encountered in locally running applications with applications published on the server. For example, when users double-click email attachments encountered in an application running locally, the attachment opens in an application that is published on the server, associated with the corresponding file type, and assigned to the user. This feature is named Content Redirection from client to server. If you do not want this to occur for any Program Neighborhood Agent users, do not associate the published application with any file types. If you do not want this to occur for specific Program Neighborhood Agent users, do not assign those users to the published application associated with the file type. For more information about Content Redirection, see Configuring Content Redirection on page 260. 2. Users connecting through the Web Interface or using the Program Neighborhood Agent open published content of the associated file type with the application published on the server. For example, you publish a document of the Microsoft Word for Windows type. This feature is named content publishing. When you also publish the Microsoft Word application, associate it with a list of file types (files with the .doc extension, for example), and assign it to a group of users, the published content is opened in the Microsoft Word application published on the server. This occurs for users when they connect to the logon page for the Web Interface and click the link to the published content (the document, in this case). If you do not want this to occur for any users, do not associate the published application with any file types. 
If you do not associate the published application with any file types, users open the published content with local player or viewer applications if they are installed on the client devices. For more information about Content Publishing, see Publishing Content on page 263. You associate published applications with file types on the last page of the Publishing wizard or on a published application's Properties page.
Depending on how or if you want to redirect application launching, you may need to publish the same application more than once. Follow the procedures below to associate published applications with file types:
To associate a published application with file types when running the Publishing wizard
1. Open the Presentation Server Console.
2. If you have not yet published the application, select New > Published Application from the Actions menu.
3. Follow the instructions on the pages of the Publishing wizard. For detailed online help, click Help on each page.
4. On the last page of the wizard, select the file types you want to associate with the published application.
Note When you associate a file type with a published application, several file extensions can be affected. For example, when you associate the Word document file type, file extensions in addition to the .doc extension are associated with the published application.
5. Click Finish when you are done.
To associate a published application with file types for an application you already published
1. Open the Presentation Server Console.
2. Expand the Applications node in the left pane to display your published applications.
3. Select the application you want to associate with file types. From the Actions menu, select Properties.
4. On the Content Redirection tab, select the file types you want to associate with the published application.
Note When you associate a file type with a published application, several file extensions can be affected. For example, when you associate the Word document file type, file extensions in addition to the .doc extension are associated with the published application.
5. Click OK when you are done.
To add a parameter placeholder to a published application
1. In the Presentation Server Console, expand the Applications node. Select the application to use and choose Properties.
2. In the Properties dialog box, select the Application Location tab.
3. In the Command Line box, add a space and "%*" (percent and star symbols enclosed in quotation marks) to the end of the command line. For example, for the following command line:
%SystemRoot%\System32\Notepad.exe
Add "%*" to the end, as follows:
%SystemRoot%\System32\Notepad.exe "%*"
4. Choose OK to save the changes.
3. Close regedit and restart your server.
4. After making the prescribed registry modifications, in the Presentation Server Console, use the farm properties page, Virtual IP Processes, to add the application process. For instructions, see Enabling Applications for Use with Virtual IP Addresses or Virtual Loopback Address on page 252.
Do not configure the use of client IP addresses if:
- Clients connect using network protocols other than TCP/IP
- Clients reconnect to disconnected sessions from different client devices
- Sessions use a pass-through client
To make virtual IP addresses available to applications running in sessions 1. At the farm level, configure virtual IP address ranges and assign them to servers. 2. Enable applications for use with virtual IP addresses. In addition to configuring virtual IP address ranges and enabling applications for use with virtual IP addresses, you can also control and monitor virtual IP addresses available from each server. The sections that follow describe how to perform each of these tasks. To configure virtual IP address ranges 1. In the left pane of the console, select the farm. 2. On the Actions menu, click Properties. 3. Select Virtual IP Address Configuration. 4. Use the Virtual IP Address Configuration dialog box to configure the virtual IP address ranges and assign them to servers. 5. Click OK and restart all affected servers. After configuring virtual IP address ranges, continue by specifying the application processes that are enabled to use virtual IP addresses. For more information, see Enabling Applications for Use with Virtual IP Addresses or Virtual Loopback Address on page 252.
3. In the left pane of farm Properties, select Virtual Loopback Configuration. 4. Use the Virtual Loopback Configuration dialog box to select the servers from which you want to make virtual loopback available. This automatically enables virtual loopback on the selected servers. After configuring virtual IP loopback, continue by specifying the application processes on each server for which you want virtual loopback available. The next section describes how to select applications for virtual loopback use.
Enabling Applications for Use with Virtual IP Addresses or Virtual Loopback Address
After you configure virtual IP addresses or configure virtual loopback on the Properties page of a farm, continue by specifying the processes that can use the virtual IP addresses or virtual loopback. To specify the process names 1. In the left pane of the console, select the farm. 2. On the Actions menu, click Properties. 3. In the left pane of the farm Properties page, select Virtual IP Processes. 4. In the Virtual IP Processes dialog box, use the Add Process, Edit Process, and Delete Process buttons to control lists of processes to which the server provides virtual IP addresses and loopback addresses. When adding files to the lists, select the executable files associated with the applications you want to enable to use virtual IP and virtual loopback. Depending on the list to which you add a process, the next time the process starts in a session, it uses a virtual IP address or virtual loopback.
Controlling and Monitoring Virtual IP Addresses and Virtual Loopback on Individual Servers
After you configure virtual IP address ranges or virtual loopback at the farm level, you can use Virtual IP Configuration settings at the server level to:
- Enable and disable virtual IP address and virtual loopback on a server
- View the IP address ranges available on a server
- Control logging of the assignment and release of virtual IP addresses
To configure virtual IP address and virtual loopback on an individual server
1. In the left pane of the console, expand the Servers node and select a server.
2. From the Actions menu, click Properties.
3. In the left pane of the server Properties page, select Virtual IP Configuration.
4. Use the Virtual IP Configuration dialog box to:
- Disable and enable use of virtual IP address on the server. (Virtual IP addresses are enabled by default when you assign an address range to a server.)
- Enable and disable virtual loopback availability from the server. (By default, virtual loopback is enabled on each server when you enable virtual loopback for the farm.)
- Control logging of assignment and release of virtual IP addresses.
6. Check Enable application isolation, then click OK. 7. Restart the server. Note You set isolation settings only at the farm level. To change isolation settings when isolation environments are enabled on individual servers, but not for the farm, temporarily enable isolation environments at the farm level.
Roots. Specifies the virtual directories and registry locations in which files modified by users (user profile root) and applications (installation root) reside. You can set root locations for the following:
- Farm level. You can configure root locations only at the farm level.
- Server level. Root locations set at the farm level apply only to enabled servers.
Rules. Specifies whether or not isolation, redirection, or ignore rules need to be applied to system resources, such as files, registry, and named objects. Security. Specifies the type of security policy, such as enhanced or relaxed, to apply to this isolation environment. Selecting enhanced security prevents execution of files located in the user profile root. To configure the properties of an isolation environment 1. In the left pane of the console, select Isolation Environments. 2. In the Contents tab, select the isolation environment to configure. 3. On the Actions menu, click Properties. 4. Use the Properties page to add applications and configure roots, rules, and security settings for the isolation environment. For specific information about each Properties page, click Help. 5. To save your settings, click OK.
When you delete an isolation environment, applications associated with or installed into that isolation environment are no longer available for use.
Associate an application with the isolation environment after you publish the application on a server in the farm. To associate a published application with an isolation environment 1. In the left pane of the console, select the Isolation Environments node. 2. In the Contents tab, select the isolation environment with which you want to associate an application. 3. On the Actions menu, click Properties. 4. On the Applications page, click Add. 5. Select a published application to add to the isolation environment, then click OK.
2. Use the command aiesetup to install the application in an isolation environment of your farm. Install the application only after you determine that it is incompatible with Terminal Services. For more information about how to use the aiesetup command, see AIESETUP on page 339.
3. On the server, follow the normal steps to publish the application on the farm so that users can access the application. On the Specify What to Publish page, complete the following settings:
- Check the Isolate Application check box (disabled by default), and click Settings.
- In the Isolation Settings dialog box, from the list of available isolation environments, select the isolation environment into which you installed the application.
- Click the Application was installed into environment check box (disabled by default).
- Select the application from the Choose installed application list.
- If applicable, enter application parameters in the Command line arguments field.
4. Click OK, and continue with the steps in the wizard to publish the application. For more information about how to publish an application, see Procedures for Publishing Applications on page 243.
Because applications installed into isolation environments may not function correctly after you delete the isolation environment, Citrix recommends that you also uninstall the applications installed into the isolation environment. The next section describes how to uninstall applications installed into an isolation environment and delete the contents of the isolation environment folder.
CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it. 2. Use regedit to delete the registry entries under installation root (typically HKLM\Software\Citrix\AIE\<aiename>). 3. Because the server does not automatically update published application links, after you remove applications from a deleted isolation environment, use the console to delete the published links for the uninstalled applications.
Because an application file system and registry are isolated, this procedure provides a clean uninstall of the applications from the server.
If you have users who run applications such as email programs locally, you can use the content redirection capability in conjunction with the Win32 Program Neighborhood Agent to redirect application launching from the client device to the server. When users double-click attachments encountered in an email application running locally, the attachment opens in an application that is published on the server, associated with the corresponding file type, and assigned to the user. Important You must enable client drive mapping to use this feature. You can enable client drive mapping for the entire server farm, for specific servers, or for specific users with user policies. For more information about user policies, see Creating and Applying Policies on page 289. If you do not want this to occur for any Program Neighborhood Agent users, do not associate the published application with any file types. If you do not want this to occur for specific Program Neighborhood Agent users, do not assign those users to the published application associated with the file type. Follow the procedure below to configure Content Redirection from client to server. To configure Content Redirection from client to server 1. Determine which of your users connect to published applications using the Program Neighborhood Agent. Content Redirection from client to server applies only to those users connecting with the Program Neighborhood Agent. 2. Verify that client drive mapping is enabled. You can enable client drive mapping for a specific connection using Citrix Connection Configuration or for specific users by creating user policies. 3. Publish the applications you want Program Neighborhood Agent users to open on the server. 4. When you publish the application, associate it with file types on the last page of the Application Publishing wizard.
To free servers from processing these types of requests, you can redirect application launching for supported URLs from the server to the local client device.
Note If the client device fails to connect to a URL, the URL is redirected back to the server.
The following URL types are opened locally on the Clients for Win32 and Linux when this type of content redirection is enabled:
- HTTP (Hypertext Transfer Protocol)
- HTTPS (Secure Hypertext Transfer Protocol)
- RTSP (Real Player and QuickTime)
- RTSPU (Real Player and QuickTime)
- PNM (Legacy Real Player)
- MMS (Microsoft's Media Format)
Note If Content Redirection from server to client is not working for some of the HTTPS links, verify that the client device has an appropriate certificate installed. If the appropriate certificate is not installed, the HTTP ping from the client device to the URL fails and the URL is redirected back to the server.
Content Redirection from server to client requires Internet Explorer Version 5.5 with Service Pack 2 on systems running Windows 98.
Follow the procedures below to enable Content Redirection from server to client.
To enable Content Redirection from server to client
Determine if you want Content Redirection from server to client to apply for the entire server farm, for specific servers, or for specific users only.
- To apply the behavior to the entire server farm, select the farm in the console and choose Properties from the Actions menu. Select MetaFrame Settings in the left pane of the farm's Properties page. Select the option Enable Content Redirection from server to client.
- To apply the behavior to a specific server, select the server and choose Properties from the Actions menu. Select MetaFrame Settings in the left pane of the server's Properties page. Select the option Enable Content Redirection from server to client.
- To apply the behavior to specific connections, in a policy, enable the rule User Workspace > Content Redirection > Content Redirection from Server to Client. Assign the policy to only those connections for which you want to open supported URL file types on client devices. For more information about policies, see Creating and Applying Policies on page 289.
Publishing Content
You can give users access to information, such as documents, Web sites, and video presentations, by publishing content for users in the same way that you publish applications in a server farm. With content publishing, you can publish and manage various types of content and present it to users with the applications they need. Published content and published applications appear together through the Web Interface, Program Neighborhood, and Program Neighborhood Agent interfaces. You can configure MetaFrame Presentation Server to allow users to open published content in local player or viewer applications running on client devices or in applications published on servers.
2. Determine which users you want to open the published content with a published application. 3. Publish the application that corresponds to the content file type. For example, if you published a Microsoft Word for Windows document file named Quarterly_Sales.doc, publish Microsoft Word on a server running MetaFrame Presentation Server. For more information about publishing applications, see the online Help for the Application Publishing wizard. 4. When you publish Word, associate the file type Word document with the application. Note When you associate a file type with a published application, several file extensions can be affected. For example, when you associate the Word document file type, file extensions in addition to the .doc extension are associated with the published application. 5. Assign the published Word to the users you want to open the published document with the published application.
Follow these basic steps for publishing content for users to access with applications running locally on client devices. 1. Publish the data file you want users to access. For more detailed instructions for publishing content, see Publishing Content on Servers on page 265. 2. If you publish the application that corresponds to the content file type, do not associate it with any file types if you want all users to open the published content with locally installed applications. However, if you want some users to open the published content with the published application, you can associate the published application with the content file type, but only assign the application to those users. For more information about publishing applications, see the online Help for the Application Publishing wizard.
If you want users to open published content with local applications, the applications must be associated with published content through Web browser MIME types or Windows file associations on the client device. No other client-side configuration is necessary after viewer applications are installed and associations are configured.
To publish content
1. In the Presentation Server Console, choose Actions > New > Published Application to open the Publishing wizard.
2. Type a name for the content you are publishing in the Display Name box. This text appears as the name of the icon that represents the published content.
3. For Application Type, select Content.
4. In the Content Address box, specify the location of the content by entering a URL or UNC address. See Specifying Locations for Publishing Content below for more information.
5. After specifying the content address, continue using the wizard to specify other settings and publish the content.
To modify the CPU priority of a published application 1. In the left pane of the Presentation Server Console, expand the Applications node. Select the application you want to modify and choose Properties from the Actions menu. 2. On the Properties page, click Application Limits in the left pane. 3. Select an option from the CPU priority level menu. The default setting is Normal. 4. Click OK to apply the setting and close the dialog box.
CHAPTER 11
This chapter describes how to manage users and their sessions in a server farm. It includes information about using the Presentation Server Console to monitor users' connections. This chapter also includes information about creating and applying policies to control select settings for users or user groups. You can use the Presentation Server Console to perform session-management activities, including logging off, shadowing, disconnecting, and sending messages to users.
Note You may not see some or all of the data described below if you have not been granted permission to perform these tasks. See your primary MetaFrame administrator for more information.
Note For servers running MetaFrame Presentation Server 3.0 or later, clearing the Enable logons to this server check box is a persistent setting that remains in effect after restarting the server. In earlier releases, the Enable logons to this server setting defaults to being selected each time the server is started.
However, group policies you configure in Active Directory take precedence over equivalent local group policies you configure for individual servers. Therefore, when you install MetaFrame Presentation Server on servers that belong to an Active Directory domain and configure the group policies above in Active Directory, those policies may prevent MetaFrame Presentation Server from suppressing the status windows generated by the Windows operating systems of the individual servers. In that case, users see the status windows generated by the Windows operating system when connecting to that server. For optimal performance, do not configure the above group policies in Active Directory.
Workspace Control is enabled in the server farm by default and is available only for users accessing applications through the Web Interface or the Program Neighborhood Agent.
User policies and client drive mappings change appropriately when a user moves to a new client device. Policies and mappings are applied according to the client device where the user is currently logged on to the session. For example, if a health care worker logs off from a client device in the emergency room of a hospital and then logs on to a workstation in the hospital's X-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the X-ray laboratory go into effect for the session as soon as the user logs on to the client device in the X-ray laboratory. You can configure Workspace Control behavior in the Web Interface Console or the Program Neighborhood Agent Console. For more information about enabling and configuring Workspace Control for users, see the Web Interface Administrator's Guide.
Configure IP Security (IPSec), firewalls, or other technology that you use to secure the environment so that they restrict access to the Citrix XML Service to only the Web Interface servers. For example, if the Citrix XML Service is sharing a port with Microsoft Internet Information Services (IIS), you can use the IP address restriction capability in IIS to restrict access to the Citrix XML Service.
Connection control provides two types of limits, as shown in the following table.
Limit type | Description
Concurrent connections in the server farm | Restricts the number of concurrent connections (sessions) that each user in the server farm can establish. See Limiting Total Connections in a Server Farm on page 276.
Published application instances | Restricts the total number of instances of a published application that can run in the server farm at one time, and prevents users from launching more than one instance of a published application. See Limiting Application Instances on page 276.
For example, you can publish Autodesk AutoCAD and set a limit of 30 concurrent instances in the server farm. When 30 users are running AutoCAD at the same time, no more users can launch the application because of the limit of 30 concurrent instances. You can use the concurrent instances limit to enforce an application's licensing requirement. Another connection control option lets you prevent any user from running multiple instances of a particular published application. With some applications, running more than one instance in a single user context can cause errors on the server. You can apply application limits independently to each published application. For example, you can apply the limitations on total concurrent instances and multiple instances by a single user to one published application. You can limit only the total concurrent instances of another application. You can configure a third application to limit launching of multiple instances by individual users.
To limit concurrent connections in a server farm
Use this procedure to set the number of concurrent connections that each user can establish in the server farm.
1. In the Presentation Server Console, select the farm node and choose Properties from the Actions menu.
2. On the Properties page, select Connection Limits.
3. Select Maximum connections per user to limit each user's concurrent connections. Enter the number of concurrent connections to allow for each user.
4. If you want the connection limitation to apply to everyone, including local administrators, select Enforce limit on administrators.
5. Click OK to apply the settings and close the page.
To publish an application or desktop with application limits
1. In the Presentation Server Console, choose Actions > New > Published Application to run the Application Publishing wizard.
2. Proceed through the wizard pages, entering information and selecting options for the application you are publishing.
3. Under Concurrent Instances, select one or both of the following options:
- Limit instances allowed to run in server farm. Select this option and enter the maximum number of instances that can run at one time in the server farm (without regard to who launches the application).
- Allow only one instance of application for each user. Select this option to prevent any user from running more than one instance of this application at the same time.
4. After you enter all required information and select the options to use, click Finish to publish the application. To set application limits on a published application or desktop 1. In the Presentation Server Console, select the published application or desktop and choose Properties from the Actions menu. 2. On the Properties page, select Application Limits.
3. Configure the following options: Limit instances allowed to run in server farm. Select this option and enter the maximum number of instances of this application that can run in the server farm at one time. Allow only one instance of application for each user. Select this option to prevent each user from running more than one instance of this application at the same time.
To enable logging of connection control events 1. Select the farm node in the Presentation Server Console and choose Properties from the Actions menu. 2. On the Properties page, select Connection Limits. 3. Select Enable logging of over-the-limit denials. 4. Click OK to apply the setting and close the page.
For example, if you select a published application, the Users tab in the right pane displays the sessions in which the selected application is running. The information appears in columns that display the user name, client device name, session ID number, server name, session, the state of the session, and the date and time the user logged on.
In Presentation Server Console, use the Actions menu and the toolbar buttons to choose session management commands. You can right-click a session in the console and choose commands from the menu that appears.
Disconnecting Sessions
To disconnect a session, choose Disconnect. When you disconnect a session, you close the connection between the client and the server. However, this does not log off the user, and programs that were running in the session are still running on the server. If the client user then connects to the server (by selecting a published application or custom connection to the server), the disconnected session is reconnected to the client.
Shadowing Sessions
If you enabled shadowing on the server when you installed MetaFrame Presentation Server, you can shadow a user's session. Shadowing allows you to view the user's actions and take remote control of the user's keyboard and mouse. See Using Shadowing to Monitor ICA Sessions on page 201 for more information about shadowing.
When you finish typing the message, click OK to send the message to the selected sessions.
Resetting Sessions
Resetting a session with the Reset command terminates all processes that are running in that session. You can use the Reset command to remove remaining processes in the case of a session error. However, resetting a session can cause applications to close without saving data. If you reset a disconnected session, the word Down appears in the State column for the session. When you refresh the console display or when the next automatic refresh occurs, the session no longer appears in the list of sessions.
Session Reliability is available with the Enterprise and Advanced Editions of MetaFrame Presentation Server. This feature is supported with Version 8.x or later of the MetaFrame Presentation Server Client for 32-bit Windows. Users of the Program Neighborhood Client can override the Session Reliability setting you configure on the server by selecting or clearing the Enable session reliability option in their application or connection settings. Users of Program Neighborhood Agent and the Web Client cannot override the server setting.
By default, Session Reliability is enabled at the server farm level. You can customize the settings for this feature by selecting the server farm's Properties page in the Presentation Server Console and modifying the Session Reliability settings as appropriate. You can edit the port on which MetaFrame Presentation Server listens for session reliability traffic and edit the amount of time Session Reliability keeps an interrupted session connected. The Seconds to keep sessions active option has a default of 180 seconds, or three minutes. Though you can extend the amount of time Session Reliability keeps an ICA session open, keep in mind that this feature is designed to be convenient to the user and that it does not, therefore, prompt the user for reauthentication. If you extend the amount of time a session is kept open indiscriminately, chances increase that a user may get distracted and walk away from the client device, potentially leaving the session accessible to unauthorized users.
Note You can use Session Reliability in conjunction with SSL, but not in sessions routed through the Secure Gateway.
If you do not want users to be able to reconnect to interrupted sessions without having to reauthenticate, use the Auto Client Reconnect feature. You can configure Auto Client Reconnect to prompt users to reauthenticate when reconnecting to interrupted sessions.
If you use both Session Reliability and Auto Client Reconnect, the two features work in sequence. Session Reliability closes, or disconnects, the user session after the amount of time you specify in Seconds to keep sessions active. After that, the settings you configure for Auto Client Reconnect take effect, attempting to reconnect the user to the disconnected session.
Auto Client Reconnect is supported with the Clients for 32-bit Windows, Java, and Windows CE. This feature does not work with sessions embedded in applications using the ICA Client Object. By default, Auto Client Reconnect is enabled at the server farm level, and user reauthentication is not required. You can customize the settings for this feature at the farm level and for individual servers. To do this, select ICA Settings on the corresponding farm or server Properties page in the Presentation Server Console and modify the Auto Client Reconnect settings as appropriate.
The following types of disconnections do not result in automatic reconnection attempts:
- Users disconnect ICA sessions by exiting applications without logging off. Clients do not make automatic reconnection attempts in this case.
- Anonymous users' sessions are disconnected.
When cookies expire, users must reauthenticate to reconnect to sessions. Cookies are not used if you select Require user authentication. Selecting this option displays a dialog box to users requesting credentials when the client is attempting to reconnect automatically. Use the Presentation Server Console to enable Require user authentication.
Tip For maximum protection of users' credentials and ICA sessions, use SSL encryption for all communication between clients and the server farm.
You can use the Presentation Server Console or the Acrcfg command to require user authentication for automatic reconnection and reconnection event logging. Reconnection event logging is disabled by default. For more information about the Acrcfg command, see MetaFrame Presentation Server Commands on page 333. You can disable Auto Client Reconnect on Presentation Server Client for 32-bit Windows by setting TransportReconnectEnabled=Off in the [WFClient] section of the client's Appsrv.ini file. For more information about client configuration using Appsrv.ini, see the Client for 32-bit Windows Administrator's Guide. Settings for ICA connections also affect Auto Client Reconnect.
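Where Auto Client Reconnect is meant to be turned off on the client, the Appsrv.ini setting named above can be checked across collected copies of the file. The following is an added example, not part of the guide or of any Citrix tool; the file contents, client names and function names are constructed, and only the [WFClient] section and the TransportReconnectEnabled=Off setting come from the text.

```python
import configparser

# Constructed sample files. Only the [WFClient] section name and the
# TransportReconnectEnabled=Off setting come from the guide; every other
# section, key and value below is a placeholder.
SAMPLE_FILES = {
    "kiosk-01": "[WFClient]\nPlaceholderKey=1\nTransportReconnectEnabled=Off\n",
    # Byte-order mark, comment line, different letter case and spacing.
    "kiosk-02": "\ufeff; comment line\n[wfclient]\ntransportreconnectenabled = OFF\n",
    "desk-17": "[WFClient]\nPlaceholderKey=1\n",             # key absent
    "desk-18": "[WFClient]\nTransportReconnectEnabled=On\n",  # constructed non-Off value
    "desk-19": "[Placeholder Connection]\nPlaceholderKey=1\n",  # section absent
    "desk-20": "TransportReconnectEnabled=Off\n",             # key outside any section
}


def acr_client_state(ini_text):
    """Classify one Appsrv.ini text by its TransportReconnectEnabled setting.

    Returns "disabled" only when the key is present in [WFClient] with the
    value Off (case-insensitive). Anything else is reported as what was
    found, without guessing the client's behaviour when the key is missing.
    """
    parser = configparser.ConfigParser(
        interpolation=None,   # values may contain '%', do not interpolate
        strict=False,         # tolerate duplicate sections and keys
        allow_no_value=True,  # tolerate bare keys
    )
    try:
        parser.read_string(ini_text.lstrip("\ufeff"))
    except configparser.Error:
        return "unparseable"

    # configparser section names are case-sensitive, so match them manually.
    section = next(
        (name for name in parser.sections() if name.lower() == "wfclient"), None
    )
    if section is None:
        return "no-wfclient-section"

    value = parser.get(section, "transportreconnectenabled", fallback=None)
    if value is None:
        return "not-set"
    return "disabled" if value.strip().lower() == "off" else "not-disabled"


def clients_needing_attention(files):
    """Names of clients whose file does not show the setting as Off."""
    return sorted(
        name for name, text in files.items()
        if acr_client_state(text) != "disabled"
    )


if __name__ == "__main__":
    for name, text in sorted(SAMPLE_FILES.items()):
        print(f"{name:10s} {acr_client_state(text)}")
    print("review:", ", ".join(clients_needing_attention(SAMPLE_FILES)))
```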
By default, the ICA TCP connection on a MetaFrame Presentation Server is set to disconnect sessions with broken or timed out connections. Disconnected sessions remain intact in system memory and are available for reconnection by the MetaFrame Presentation Server Client. The ICA connection can be configured to reset, or log off, sessions with broken or timed out connections. When a session is reset, attempting to reconnect initiates a new ICA session; rather than restoring a user to the same place in the application in use, the application is restarted. If MetaFrame Presentation Server is configured to reset sessions, Auto Client Reconnect creates a new ICA session. This process requires users to enter their credentials to log on to the server.
To configure the ICA TCP connection for Auto Client Reconnect
1. Run Citrix Connection Configuration by selecting Citrix Connection Configuration in the Citrix program group on the Start menu.
2. In the Citrix Connection Configuration window, select the ica-tcp connection and choose Edit from the Connection menu.
3. In the Edit Connection dialog box, click Advanced.
4. In the Advanced Connection Settings dialog box near the bottom, the first pop-up menu sets the behavior for a broken or timed out connection. If Inherit User Config is selected, you cannot change the setting because the connection inherits the setting from each user's profile. When Inherit User Config is not selected, you can select one of the following options to configure the ICA TCP connection:
- Disconnect. The server places broken connections in the disconnected state. The client can reconnect automatically without any action by users.
- Reset. The server resets broken connections. Automatic reconnection creates a new ICA session and requires users to reenter credentials.
Be sure to select Disconnect to set up the ICA TCP connection to work with the auto client reconnect feature.
5. Click OK to close the dialog box and the previous dialog box. Choose Connection > Exit to close Citrix Connection Configuration.
To configure automatic reconnection for individual users
In the Advanced Connection Settings dialog box, if Inherit User Config is selected for the setting labeled On a broken or timed-out connection, the connection inherits the setting from each user's profile. To view or change the setting for broken or timed out connections, do the following to display the properties for each user. On servers running Windows 2000, use Computer Management to configure user profiles.
1. Select the user and choose Properties from the Action menu to open the user's Properties dialog box.
2. On the Sessions tab, under When a session limit is reached or a connection is broken, select Disconnect from session to allow automatic reconnection.
Policies contain rules that define the policy's settings. A single policy can apply multiple rules. You can create policies that:
- Direct users to connect to servers in a local zone and fail over to a specific remote zone
- Set a required encryption level for a group of specific clients
- Control audio sound quality used by client devices
- Route print jobs from specific workstations directly from the server to the printer rather than through the client device
- Control bandwidth limits for sessions
Policies are applied when users log on to the server farm and remain in effect for the length of the user's session. In general, policies override similar settings configured for the entire server farm, for specific servers, or on the client. However, the highest encryption setting and the most restrictive shadowing setting always override other settings.
With policies, you can tailor MetaFrame Presentation Server to meet users' needs based on their job functions, geographic locations, or connection types (LAN, WAN, or dial-up). For example, for security reasons you may need to place restrictions on user groups who regularly work with highly sensitive data. You can create a policy that requires a high level of encryption for client sessions and prevents users from saving the sensitive files on their local client drives. However, if some of the people in the user group do need access to their local drives, you can create another policy for only those users. You then rank or prioritize the two policies to control which one should take precedence.
Policy rules have three states: enabled, disabled, or not configured. By default, all rules are not configured. All unconfigured rules are ignored when users log on to the server, so the rules come into play only when the state is enabled or disabled.
Creating Policies
The basic steps for effectively creating and using policies are as follows. These steps are explained in more detail below.
1. Decide the criteria on which to base your policies. You may want to create policies based on user job function, connection type, client device, or geographic location, or you may want to use the same criteria that you use for your Windows Active Directory group policies.
2. Create the policy. Creating a policy involves the following steps:
- Naming the policy
- Assigning the policy to user accounts, client devices, or servers
3. Prioritize or rank policies. Ranking policies allows you to set the order in which policies take priority over one another when they contain conflicting rules. Higher ranked policies take precedence over lower ranked policies.
When you create policies for groups of users, clients, or servers, you may find that some members of the group require exceptions to some policy rules. To more effectively manage exceptions, you can create new policies for only those group members needing the exceptions, and then rank that policy higher than the policy for the entire group.
To create a policy
1. In the Presentation Server Console, select the Policies node in the left pane and choose Actions > New > Policy or click the Create Policy button on the console toolbar.
2. In the New Policy dialog box, enter the name and description of the policy, then click OK. Examples of policy names are Accounting Department or Lender Laptops. The policy name is displayed in the right pane of the console.
After creating a policy, you must configure at least one filter that determines sessions to which the policy applies.
The following tables present rules you can configure within a policy.
Bandwidth
To limit bandwidth used for the following | Use this policy rule
Desktop wallpaper | Visual Effects > Turn off desktop wallpaper
Menu and window animations | Visual Effects > Turn off menu animations
Window contents while a window is dragged | Visual Effects > Turn off window contents while dragging
Compression level for image acceleration | Speed Screen > Image acceleration using lossy compression
Client audio mapping | Session Limits > Audio
Devices connected to a local COM port | Session Limits > COM ports
Cut-and-paste using local clipboard | Session Limits > Clipboard
Access in a session to local, client drives | Session Limits > Drives
Printers connected to the client LPT port | Session Limits > LPT Ports
Custom devices connected to the client through OEM virtual channels | Session Limits > OEM Virtual Channels
Client session | Session Limits > Overall Session
Printing | Session Limits > Printer
TWAIN device (such as a camera or scanner) | Session Limits > TWAIN Redirection
Client Devices
Control whether or not to allow audio input from client microphones | Resources > Audio > Microphones
Control client audio quality | Resources > Audio > Sound quality
Control audio mapping to client speakers | Resources > Audio > Turn off speakers
Control whether or not client drives are connected when users log on to the server | Resources > Drives > Connections
Control how drives map from the client device | Resources > Drives > Mappings
Improve the speed of writing and copying files to a client disk over a WAN | Resources > Drives > Optimize > Asynchronous writes
Prevent client devices attached to local COM ports from being available in a session | Resources > Ports > Turn off COM ports
Prevent client printers attached to local LPT ports from being made available in a session | Resources > Ports > Turn off LPT ports
Allow use of USB-tethered, Windows CE-based, PDA devices | Resources > PDA Devices > Turn on automatic virtual COM port mapping
Configure resources for the use of TWAIN devices, such as scanners and cameras | Resources > Other > Configure TWAIN redirection
Prevent cut-and-paste data transfer between the server and the local clipboard | Resources > Other > Turn off clipboard mapping
Prevent use of custom devices, such as an electronic pen (stylus) | Resources > Other > Turn off OEM virtual channels
Disable auto client update for a group of users, clients, or servers | Maintenance > Turn off auto client update
Printing
Control creation of client printers on the client device | Client Printers > Auto-creation
Allow use of legacy printer names and preserve backwards compatibility with prior versions of the server | Client Printers > Legacy client printers
Control the location where printer properties are stored | Client Printers > Printer properties retention
Control whether print requests are processed by the client or the server | Client Printers > Print job routing
Prevent users from using printers connected to their client devices | Client Printers > Turn off client printer mapping
Control installation of native Windows drivers when automatically creating client and network printers | Drivers > Native printer driver auto-install
Control when to use the universal print driver
Choose a printer based on a roaming user's session information
User Workspace
Limit the number of sessions that a user can run at the same time | Connections > Limit total concurrent sessions
Direct connections to preferred zones and failover to backup zones | Connections > Zone preferences and failover
Control whether or not to use content redirection from the server to the client device | Content Redirection > Server to client
Control whether or not shadowing is allowed | Shadowing > Configuration
Allow or deny permission for users to shadow connections | Shadowing > Permissions
Use the server's time zone instead of the client's estimated local time zone | Time Zones > Do not estimate local time for legacy clients
Use the server's time zone instead of the client's time zone | Time Zones > Do not use Clients local time
Identify which credential repository to use when using MetaFrame Password Manager | MetaFrame Password Manager > Central Credential Store
Prevent use of MetaFrame Password Manager | MetaFrame Password Manager > Do not use MetaFrame Password Manager
Security
Require that connections use a specified encryption level | Encryption > SecureICA encryption
Migrating Policies
If you upgrade from a previous release of MetaFrame, your existing policies and their rules are maintained and all new rules are not configured. After migrating, you can open the settings for an existing policy and enable new rules and filters that you want to add to the policy. In a server farm that has servers running a previous release of MetaFrame, new filters and rules are ignored by the servers running earlier releases.
Overriding Policies
Policies are applied when users log on and remain in effect for the length of the session. In general, connection policies override similar MetaFrame settings configured for the entire server farm, for specific servers, or on the client. However, the highest encryption setting and the most restrictive shadowing setting always override other settings.
Important: Microsoft Group Policy settings can override MetaFrame Presentation Server policy rules if the Microsoft Group Policy settings are more restrictive. If connection behavior does not match expected results, check your Microsoft Group Policy settings for conflicting configurations.
Prioritizing Policies
You can prioritize policies by ranking the priority number. By default, new policies are given the lowest priority. In cases of conflicting policy settings, a policy with a higher priority will override a policy with a lower priority. A policy with the priority number of 1 has the highest ranking priority. If you have five policies ranked 1 through 5, the policy ranked with priority number 5 has the lowest priority. In the following procedure, the interwoven example assumes that you created a policy for your Accounting user group. One of the rules enabled in this policy prevents the user group from saving data to their local drives. However, two users who are members of the Accounting group travel to remote offices to perform audits and need to save data to their local drives. The steps below describe creating a new policy for Accounting group members Carol and Martin that will allow them access to their local drives while allowing the other policy rules to work the same way for them as for all other members of the Accounting group.
To create exceptions and prioritize policies
1. Determine which users need additional policies to create exceptions. The policy named Accounting Profile that is assigned to the Accounting group includes a rule that prevents access to local drives. Carol and Martin, members of the Accounting group, need access to their local drives.
2. Determine which rule or rules you do not want to apply to these users. You want most of the rules in this policy to apply at all times to all users, with the exception of the rule that prevents access to local drives.
3. Create a new policy. See To create a policy on page 291 for more information. You may want to name this policy Accounting Profile - local drive access.
4. Edit the description of the policy by selecting the policy and choosing Actions > Policy > Edit Description. You can use policy descriptions to help you keep track of your policies.
5. Open the policy's property sheet and locate the rule you do not want to apply to Carol and Martin. Set the rule's state to Disabled.
6. To assign users Carol and Martin to the policy, select it and choose Actions > Policy > Apply this policy to. In the Policy Filters dialog box, select Users and make sure the Filter based on users check box is selected. Open domains or user groups in the Look in box until the user accounts for Carol and Martin are displayed and add them to the Configured Accounts box. Select the Show Users option to display individual user accounts.
7. Click OK when you are finished adding users.
8. Rank the Accounting Profile - local drive access policy higher than the Accounting Profile policy. By default, new policies are given the lowest rank (which corresponds to the highest priority number). Right-click the Accounting Profile - local drive access policy and select Priority > Increase Priority until this policy's priority number is lower than the Accounting Profile policy. A policy with a priority number of 1 has the highest priority.
When a user logs on, all policies that match the filters for the connection are identified. MetaFrame Presentation Server sorts the identified policies into priority order and compares multiple instances of any rule, applying the rule according to the priority ranking. If the rule appears in a policy ranked highest, those rule settings will override the settings for the same rule in a policy ranked lower. Any rule configured as disabled wins over a lower-ranked rule that is enabled. Policy rules that are not configured are ignored and will not override the settings of lower-ranked rules.
Applying a Policy
By default, newly created policies are not applied to any sessions. Before a policy has an effect, you must create a filter for it so the server can apply it to matching sessions. You can filter sessions and apply a policy to them based on a combination of the following criteria:
- Access control through which a client is connecting to a session
- IP address of a client device connecting to a session
- Name of a client device connecting to a session
- Users or user groups associated with a session
- Server hosting a session
By applying both user group and client device filters, you can create one policy for employees of a New York office when they connect from their office workstations, and create another policy for the same New York employees that sets a higher encryption level for sessions connecting from laptops they use in the field.
To apply a policy
1. In the left pane of the console, choose the Policies node.
2. In the Contents tab, choose the policy you want to apply.
3. From the Actions menu, choose Policy > Apply this policy to.
4. Use the Policy Filters dialog box to configure filters to apply the policy to a session based on access control, client IP address, client name, server the session connects to, or the user who is making the connection.
To apply the policy according to the type of access control through which the user is connecting, click Access Control in the left pane. Using the Access Control filter, you can match any connection a client makes through MetaFrame Secure Access Manager.
To apply the policy to client IP addresses, click Client IP Address in the left pane and select Filter based on client IP address. Click Add to configure an individual address or range of addresses and then specify whether to allow or deny the addresses for the policy.
To apply the policy to client names, click Client Name in the left pane and select Filter based on client name. Click Add to specify a client name to which the policy applies.
To apply the policy to servers, click Servers in the left pane and select Filter based on servers. Select servers or folders of servers in the right pane and choose to apply or not apply the policy to them.
To apply the policy to users, click Users in the left pane and select Filter based on users. Select the user group and/or users to whom you want to assign the policy and then click Add. By default, the policy is allowed for any users or user groups you add to the configured accounts list. If there are members of the user group you do not want assigned to this policy, you can add the individual members of the group and then select Deny to prevent the policy from being applied to them.
5. If a filter has an Allow/Deny setting, you must select Allow to enforce the policy.
6. Click OK when you are finished applying the policy filters.
Note: To assign policies to all users accessing applications through the Web Interface, you can use the wildcard expression WI_* when specifying the client name filter. Users accessing applications through the Web Interface receive a random client name of WI_number, where number is random ASCII characters. Because the assigned client name is random, you cannot anticipate the client name to be assigned to individual client users.
To use search for policies
1. Make sure that Policies is the selected entry in the Search for list. Search finds all policies that apply to the combination of access control, IP address, client name, user, and server criteria you set in the Search dialog box.
2. Use the View Resultant Policy function after a policy search to calculate the results of multiple policies that can affect a connection.
MetaFrame Presentation Server merges all policies that can affect a connection when enforcing policies. When there are multiple policies that can apply to a connection, it is the resultant policy that MetaFrame Presentation Server enforces.
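The filter matching, priority ranking, and resultant policy behavior described in the sections above can be checked with a small model. The following Python sketch is an added example, not Citrix code; it uses the guide's Accounting Profile scenario, and the rule label DRIVE_RULE, the users Dave and Pat, the sample client names, and the choices that a Deny entry beats an Allow entry and that every configured filter type must match are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ENABLED, DISABLED = "enabled", "disabled"  # a rule missing from a policy is "not configured"
DRIVE_RULE = "Block client drive access"   # hypothetical label; the guide does not name the rule
ENCRYPTION = "Encryption > SecureICA encryption"
CLIPBOARD = "Resources > Other > Turn off clipboard mapping"


@dataclass
class Session:
    user: str
    groups: frozenset
    client_name: str


@dataclass
class Policy:
    name: str
    priority: int                                      # 1 is the highest priority
    rules: dict                                        # rule name -> ENABLED or DISABLED
    allow_accounts: set = field(default_factory=set)   # users/groups marked Allow
    deny_accounts: set = field(default_factory=set)    # users/groups marked Deny
    client_names: list = field(default_factory=list)   # wildcard patterns, e.g. "WI_*"

    def matches(self, session):
        user_filter = bool(self.allow_accounts or self.deny_accounts)
        name_filter = bool(self.client_names)
        if not (user_filter or name_filter):
            return False  # a policy with no filter is applied to no session
        if user_filter:
            accounts = {session.user} | set(session.groups)
            if accounts & self.deny_accounts:
                return False  # assumption: a Deny entry beats an Allow entry
            if not accounts & self.allow_accounts:
                return False
        if name_filter:
            name = session.client_name.upper()
            if not any(fnmatchcase(name, p.upper()) for p in self.client_names):
                return False
        return True  # assumption: every configured filter type must match


def resultant_policy(policies, session):
    """Return {rule: (state, deciding policy name)} for one session."""
    result = {}
    matching = [p for p in policies if p.matches(session)]
    for policy in sorted(matching, key=lambda p: p.priority):
        for rule, state in policy.rules.items():
            if state in (ENABLED, DISABLED):
                # The first (highest-ranked) configured state wins, so a
                # higher-ranked Disabled overrides a lower-ranked Enabled.
                result.setdefault(rule, (state, policy.name))
    return result


# Constructed farm based on the guide's Accounting example.
FARM = [
    Policy("Accounting Profile - local drive access", 1,
           {DRIVE_RULE: DISABLED}, allow_accounts={"Carol", "Martin"}),
    Policy("Accounting Profile", 2,
           {DRIVE_RULE: ENABLED, ENCRYPTION: ENABLED},
           allow_accounts={"Accounting"}, deny_accounts={"Pat"}),
    Policy("Web Interface clients", 3,
           {CLIPBOARD: ENABLED}, client_names=["WI_*"]),
    Policy("Unfiltered draft", 4, {ENCRYPTION: DISABLED}),  # no filter: never applies
]

ACCOUNTING = frozenset({"Accounting"})
CAROL = Session("Carol", ACCOUNTING, "CAROL-LT")   # constructed client names
DAVE = Session("Dave", ACCOUNTING, "WI_a8Xk2")
PAT = Session("Pat", ACCOUNTING, "PAT-PC")

if __name__ == "__main__":
    for s in (CAROL, DAVE, PAT):
        print(s.user, resultant_policy(FARM, s))
```

Carol keeps the encryption rule from Accounting Profile while the exception policy decides the drive rule, and the unfiltered draft never contributes a setting because it has no filter.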
In addition to enabling and disabling this feature for a farm, you can enable this feature for individual servers within a farm. Memory utilization management is not enabled by default. You do not want to enable memory utilization management on farms or servers that exclusively host signed or certified applications. MetaFrame Presentation Server can detect only some published applications that are signed or certified.
CAUTION: If, after enabling memory utilization management and running scheduled memory optimization, published applications fail, exclude those applications from memory optimization.
Before deploying memory utilization management
1. Using a test server hosting your published applications, enable memory utilization management.
2. Schedule memory optimization.
3. After memory optimization completes, run all published applications.
4. Add to the exclusion list those applications that fail.
To enable memory optimization for an individual server (disabled at the farm level)
1. In the left pane of the console, open the Servers node and choose the server for which you want to enable memory optimization.
2. From the Actions menu, choose Properties.
3. In the left pane of the server Properties dialog box, click Memory/CPU Utilization Management.
4. On the Memory/CPU Utilization Management page, clear the check box Use farm settings for memory optimization.
5. Check Enable memory optimization, then click OK.
When you enable virtual memory optimization at the server level, virtual memory optimization occurs at a time set by the farm-wide schedule. For instructions about how to create a farm-wide virtual memory optimization schedule, continue with the next section.
Schedule virtual memory optimization at a time when your servers have their lightest loads.
To create a memory optimization schedule
1. In the left pane of the console, select the farm for which you want to create a virtual memory optimization schedule.
2. From the Actions menu, choose Properties.
3. In the left pane of the farm Properties dialog box, choose Memory Optimization.
4. Use the Virtual Memory Optimization Schedule page to set:
The optimization interval. The frequency at which the server rebases DLLs. You can set the frequency to be every time you restart your server, every day, once a week, or once a month.
The optimization time. The time at which the server begins rebasing DLLs. The value of optimization time is based on a twenty-four hour clock.
5. If you store application files on a file server or remote server that requires special access permissions, such as a domain administrator, clear the checkbox Use local system account and provide the account and password that has permissions to access the remotely stored application files.
Shadowing Sessions
You can monitor the actions of users by shadowing their sessions. A shadowed session is displayed in the session of the shadower, the user who establishes shadowing. Shadowing a session provides a powerful tool for you to assist and monitor users. Shadowing is a useful option for your Help desk staff who can use it to aid users who have trouble using an application. Help desk personnel can view a user's actions to troubleshoot problems and can demonstrate correct procedures. You can also use shadowing for remote diagnosis and as a teaching tool.
You can create a user policy to enable user-to-user shadowing. When you create a policy allowing user-to-user shadowing, users can shadow other users without requiring administrator rights. Multiple users from different locations can view presentations and training sessions, allowing one-to-many, many-to-one, and many-to-many online collaboration. See Configuring User-to-User Shadowing on page 306 for more information about user-to-user shadowing.
A shadower can remotely control a shadowed session through the shadower's mouse and keyboard, if this action was not prohibited by options selected when MetaFrame Presentation Server was installed on the server.
Important: If shadowing restrictions are selected during MetaFrame Presentation Server installation, the restrictions cannot be changed later. For more information, see Configuring Session Shadowing on page 133.
By default, the user who will be shadowed is asked to accept or deny the request to shadow the session. You can shadow multiple sessions using the Presentation Server Console or the Shadow Taskbar.
When the Shadow Taskbar is running and no sessions are being shadowed, the Shadow button appears alone on the taskbar. Click the Shadow button and the Shadow Session dialog box appears. Use the Shadow Session dialog box to select the sessions you want to shadow. You can select sessions based on the server, the application, or the users who are associated with the sessions. You can select multiple sessions in the dialog box to begin shadowing several sessions at once. Click OK to begin shadowing the selected sessions. For more information about shadowing with the Shadow Taskbar, press F1 to view online Help when the Shadow Taskbar is running.
Note: Instruct your users to refrain from launching the Shadow Taskbar in seamless mode. The Shadow Taskbar cannot function in seamless mode.
9. The users and user groups you added to the Configured Accounts list are listed in the right pane of the policy's property sheet. By default, the shadowing permission for each user or user group is set to Allow. You can deny shadowing permissions by clicking Deny.
10. Click OK at the bottom of the policy's property page when you are done configuring the shadowing rules.
After you create the policy and configure the rules, you must assign the policy to the users who you want to be shadowed.
To assign the shadowing policy to users
1. Select the Sales Group Shadowing policy and choose Actions > Policy > Apply this policy to.
2. Select Users in the left pane and select Filter based on users.
3. Select the users you want to be shadowed. To allow the Sales Manager, AnthonyR, to be shadowed, select the domain of which he is a member. Click Show Users to display the individual user accounts in the selected domain.
4. Select the user AnthonyR and then click Add. AnthonyR's user account is displayed in the Configured Accounts list.
5. Click OK when you are done adding users.
Important: The list of users permitted to shadow is exclusive for each user to whom a policy is assigned. For example, if you create a policy that permits user MichelleF to shadow user LorenaB, this policy allows only MichelleF to shadow LorenaB, unless you add more users to the list of users who can shadow in the same policy's property sheet.
To allow users to shadow other users' sessions, you can publish the Shadow Taskbar utility to the users you want to be able to shadow. When users open this published application, the Shadow Taskbar appears at the top of users' screens. For more information about using the Shadow Taskbar to shadow sessions, see Using the Shadow Taskbar on page 305 and the Taskbar's online Help.
By using Performance Monitor, you can monitor the following ICA-specific counters:
- Bandwidth and compression counters for ICA sessions and MetaFrame Presentation Servers
- Bandwidth counters for individual virtual channels within an ICA session
- Latency counters for ICA sessions
Note: The entire ICA counter list is exposed only on a server running the Enterprise Edition of MetaFrame Presentation Server. On a server running the Advanced or Standard Edition, only latency-related counters are available.
For more information about specific counters available with MetaFrame Presentation Server, see Performance Counters on page 413.
To access ICA performance counters
1. Select Start > Programs > Administrative Tools > Performance.
2. Select System Monitor in the Tree view.
This screen capture shows the Performance dialog box with System Monitor selected.
3. Click Add.
4. In the Add Counters dialog box, click the Performance object drop-down list and select ICA Session. The ICA performance counters are listed under Select counters from list.
This screen capture shows the Add Counters dialog box with computer-selection drop-down list, Performance object drop-down list, and counters list.
5. Select All Counters to enable all available ICA counters or select Select counters from list and then highlight the individual counters you need.
6. Select All Instances to enable all instances of the selected ICA counters or select Select instances from list and highlight only the instances you need. In Performance Monitor, the instance list contains all active ICA sessions, which includes any session (shadower) that is shadowing an active ICA session (shadowee). An active session is one that is logged on to successfully and is in use; a shadowing session is one that initiated shadowing of another ICA session.
Note: In a shadowing session, although you are able to select ICA counters to monitor, you will see no performance data for that session until shadowing is terminated.
7. Click Add and then click Close.
You can now use Performance Monitor to view and analyze performance data for the ICA counters you added. For more information about using Performance Monitor, see your Windows documentation.
CHAPTER 12
Managing Printers
Users can print documents easily when they run applications on servers running MetaFrame Presentation Server. For most users, printing when they use applications in a client session is no different from printing from applications that run on their own computers. This chapter describes features for making printers available to users and managing printers in server farms. To find step-by-step instructions for using the features that are described in this chapter, use the online Help in the Presentation Server Console. For more information about printing configuration and options for MetaFrame Presentation Server Clients, see the Administrator's Guide for the clients you plan to deploy.
Overview of Printing
When users run applications that are published on servers, they can print to the following types of printers:
- Printers that are connected to ports on users' Win16 and Win32 client devices, Windows CE, DOS, and Macintosh OS platforms
- Virtual printers created for tasks such as printing from a PostScript driver to a file on a Windows client device
- Shared printers that are connected to print servers on a Windows network
- Printers that are connected directly to servers running MetaFrame Presentation Server
- Printers that change according to attributes of a session (session printers)
The printers that MetaFrame Presentation Server Clients use can be categorized by connection types. You can set up three general types of printer connections in a server farm: client connections, network connections, and local connections. Therefore, this chapter refers to printers in a server farm as client printers, network printers, and local printers, depending on the type of connection they have in the farm.
Client printers. The definition of a client printer depends on the client platform.
- Simple ports: On DOS-based and Windows CE client devices, a client printer is physically connected by a cable to a port on the client device. A PC or PostScript printer connected to a serial port on a Macintosh OS system is also considered a client printer.
- Print queues that manage printers: On 32-bit Windows platforms (Windows XP, Windows 2000, Windows NT, or Windows 9x), any printer that is set up in Windows (these printers appear in the Printers folder on the client device) is a client printer. Locally connected printers, printers that are connected on a network, and virtual printers are all client printers.
Note: Some virtual printers, such as a fax/modem device that is set up in the Printers folder, might not be available as a client printer in ICA sessions.
When a user shares a client printer through Windows printer sharing, the printer appears as a network printer to other users.
Network printers. Printers that are connected to print servers and shared on a Windows network are referred to as network printers. In Windows network environments, users can set up a network printer on their computers if they have permission to connect to the print server. When a network printer is set up for use on an individual Windows computer, the printer is a client printer on the client device.
Local printers. Printers that are connected directly to servers are local printers within a particular server farm. This definition includes a printer that is connected to the server that hosts a user's session, as well as printers that are connected to other servers running MetaFrame Presentation Server in the same server farm. If a printer is connected to a server outside of a server farm (either the server is not a member of a server farm or is a member of a different server farm), the server farm considers the printer a network printer, not a local printer.
It is important to note that printer availability can vary with the client device. For specific information about printing capabilities, see the Administrator's Guide for each client you plan to deploy.
In this type of environment, you can set up printers in the server farm by simply installing printer drivers on a server and using the replication feature in the Presentation Server Console to distribute the drivers to all the servers in the farm. The printers that users normally print to are available automatically when they connect to a server, because MetaFrame Presentation Server creates each user's client printers for use during ICA sessions. Mapping is necessary when the printer drivers you install for Windows 9x client computers and Windows servers have different names, or when you want to use one driver instead of another.
Unless an applied policy enforces the legacy printers rule, when users print from applications running on a server, the installed client printers appear in Windows in the following form:
printer_name on server_name (from client_name) in session_ID
Here is an example:
HP LaserJet 4000 on printsrv03 (from garybW2K) in session 3
If a policy applies the legacy printers rule, the installed client printers appear in Windows in the following form:
Client\user_name#name_on_remote
where name_on_remote is the actual printer name on the remote device. Here is an example:
Client\garyb#HP LaserJet 1012
When some users have Windows 9x client devices, you map client printer drivers to the drivers you install on servers. This is necessary when driver names for the same printer are different on client devices running Windows 9x than they are on the Windows 2000 or Windows 2003 servers. Driver mapping is not necessary for client devices running Windows 2000 or higher, because they use the same printer drivers as the Windows 2000 or higher servers.
You import network print servers into the server farm to make the shared printers available to all users when they connect to servers in the farm. If some client printer drivers are not compatible with the server platforms in the farm, use the Driver Compatibility feature to prevent incompatible printer drivers from causing server errors.
Unless an applied policy enforces the legacy printers rule, when users print from applications running on a server, the installed client printers appear in Windows in the following form:
printer_name on server_name (from client_name) in session_ID
Here is an example:
HP LaserJet 4000 on printsrv03 (from garybW2K) in session 3
If a policy applies the legacy printers rule, the installed client printers appear in Windows in the following form:
Client\user_name#name_on_remote
where name_on_remote is the actual printer name on the remote device. Here is an example:
Client\garyb#HP LaserJet 1012
When users print to the network printers in the server farm, they see the original assigned network printer names in Windows dialog boxes.
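The two naming forms can be told apart mechanically, which helps when attributing the printers listed on a server to a client device and session. The following parser is an added example, not Citrix code; it assumes session_ID renders as a decimal number (as in the guide's example), that server names contain no spaces, and that client names contain no parentheses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Standard form: printer_name on server_name (from client_name) in session_ID
# The leading group is greedy, so a printer name that itself contains " on "
# is split at the last " on " before "(from ...)".
_SESSION_FORM = re.compile(
    r"^(?P<printer>.+) on (?P<server>\S+) \(from (?P<client>[^()]+)\)"
    r" in session (?P<session>\d+)$"
)
# Legacy printers rule form: Client\user_name#name_on_remote
_LEGACY_FORM = re.compile(r"^Client\\(?P<user>[^#\\]+)#(?P<printer>.+)$")


@dataclass(frozen=True)
class ClientPrinter:
    style: str                      # "session" or "legacy"
    printer: str                    # printer name as known on the client
    server: Optional[str] = None    # session form only
    client: Optional[str] = None    # session form only
    session: Optional[int] = None   # session form only
    user: Optional[str] = None      # legacy form only


def parse_client_printer(name: str) -> Optional[ClientPrinter]:
    """Return the parsed name, or None if it matches neither client form."""
    name = name.strip()
    m = _SESSION_FORM.match(name)
    if m:
        return ClientPrinter("session", m["printer"], server=m["server"],
                             client=m["client"], session=int(m["session"]))
    m = _LEGACY_FORM.match(name)
    if m:
        return ClientPrinter("legacy", m["printer"], user=m["user"])
    return None


def inventory(names):
    """Sort printer names into session-form client printers, legacy-form
    client printers, and everything else (network or local printers)."""
    report = {"session": [], "legacy": [], "other": []}
    for name in names:
        parsed = parse_client_printer(name)
        if parsed is None:
            report["other"].append(name)
        else:
            report[parsed.style].append(parsed)
    return report


# The first and third names are the guide's examples; the others are constructed.
SAMPLE_NAMES = [
    "HP LaserJet 4000 on printsrv03 (from garybW2K) in session 3",
    "Label on Demand on printsrv03 (from kiosk7) in session 12",
    r"Client\garyb#HP LaserJet 1012",
    r"\\printsrv03\HP LaserJet 4000",
]

if __name__ == "__main__":
    for style, items in inventory(SAMPLE_NAMES).items():
        print(style, items)
```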
After you launch the console and log on to a server in the farm, the left pane in the console displays the tree view of the server farm management nodes. When you select an item in the tree, the right pane displays one or more tabs. Expand the Printer Management node or the Servers node or the objects under these nodes to use the primary printer management features in the console.
This screen capture shows Printer Management and Servers nodes. The expanded Printer Management node makes available Drivers and Printers objects.
Contents Tab
When you select Printer Management, the Contents tab displays objects labeled Drivers and Printers. The same objects appear in the tree under Printer Management when you expand the node. Double-clicking an object on the Contents tab is the same as selecting the object in the tree. Either action changes the right pane to display information about the object you select and puts commands related to the object in the Actions > Printer Management submenu and on the console toolbar.
Importing print servers. Use the Network Print Servers tab when you want to import a network print server to make its printers available to the users of the server farm. When you select the tab, you can choose Import Network Print Server from the toolbar or the Actions menu. The command and toolbar button are not available when other tabs are selected.
Tip: Importing a network print server lets users in the server farm use a printer that is not connected to their client device. Client printers are automatically made available to users in their ICA sessions.
Updating server information. If you add printers to or remove them from a network print server, update the print server information to be sure that the console displays the available printers on the Printers tab. To do this, select a print server and use the Update Network Print Server command from the toolbar or the Actions menu. You must take this action because updating print server information does not take place automatically.
Removing print servers. Removing a print server removes all of its printers from the farm. This is the opposite of importing a network print server. If you remove printers, users cannot print to them. To remove a print server, select it and then choose Discard Network Print Server from the console toolbar or the Actions menu. After you confirm the command, the print server no longer appears on the Network Print Servers tab and its printers do not appear on the Printers tab.
Bandwidth Tab
When you select Printer Management in the console tree, the Bandwidth tab displays the print stream bandwidth setting for each server in the farm.
Note: While you can limit print stream bandwidth through server settings, the best practice is to do so through policies. For more information about configuring a policy to include a print stream bandwidth limit, see Limiting Printing Bandwidth through Policies on page 330.
You can use this tab to set or remove print stream bandwidth limits on servers and copy settings from one server to others. Limiting printing bandwidth can improve application performance for clients when printing and application data must compete for limited bandwidth. When you select a server in the list on the Bandwidth tab, you use the Edit command to change its bandwidth setting, or use the Copy command to copy its bandwidth setting to one or more servers in the farm. You can use these commands from the console toolbar or the Actions menu.
When you select the Servers node in the tree, the Printer Bandwidth tab provides the same display and features as the Bandwidth tab when you select Printer Management. You can use ICA Printer Bandwidth in the left pane of a server's Properties page to edit the server's print stream bandwidth setting. For more information about limiting the bandwidth of print data streams, see Limiting Printing Bandwidth in Client Sessions on page 330.
Drivers Tab
When you select Drivers in the tree, the Drivers tab in the right pane displays information about printer drivers installed on servers running MetaFrame Presentation Server. The driver information includes each driver's name and operating system platform. You select a specific server from the Server drop-down menu to display the drivers installed on one server, or select (Any) to display all drivers on all servers in the farm.
If not prevented through the Native printer driver auto-install rule, MetaFrame Presentation Server installs the drivers needed for the autocreation of client or network printers. MetaFrame Presentation Server installs these drivers from the primary set of native printer drivers provided with the Windows operating system. If a driver for a printer used by client users is not in this primary set, that printer can be autocreated only after you obtain and install a driver on the server(s) to which these users connect. After installing the driver on one or more servers, you can use the Drivers tab to replicate the installed driver to other servers in the farm.
Use the Drivers tab to copy printer drivers to other servers in a server farm. If printer drivers are not already installed, copy the drivers to each server where users log on and need access to the driver for printing to client printers or network printers. To copy a driver, select the driver and then use the Replicate Drivers command from the console toolbar or the Actions menu.
Note: Two tabs in Presentation Server Console show printer driver information. To display the drivers installed on a server, you can select the server from the Server menu on the Drivers tab, or select the server in the console tree and look at the Printer Drivers tab. You can use either tab to copy printer drivers to other servers in a farm.
Printers Tab
When you select Printers in the Presentation Server Console tree, the Printers tab in the right pane lists all printers you can configure in the server farm. The list includes the following printers:
Local shared printers that you install and connect directly to servers in the farm
Network printers that are installed and connected to network print servers when you import the print servers into the farm
Printers discovered and attached through the Session printers policy rule
The printer list shows the printer name, print server name, driver name, and server operating system platform for each local printer. For network printers, the list shows only the printer name and print server name. You can select a local printer on the Printers tab and use the console to copy the drivers to other servers. You cannot copy a driver of a network printer from this tab. (Use the Drivers tab to copy drivers from a server to other servers.)
To assign users to a printer, you configure session printer policies. Session printer policies make a printer available to the user of a session to which you applied the policy.
Note: To connect to a session printer, the end user must have the necessary Windows user or group permissions.
Printers Tab
When you select a server in the console tree under the Servers node or on the Contents tab, the Printers tab displays information about a server's local printers. The tab displays information about the printers that are connected directly to the server if you select the Shared option when you install the printers. Printers that you do not share do not appear on the tab.
This tab is similar to the Printers tab that appears when you select Printers in the console tree. However, when you select one server, the Printers tab displays only the server's local printer information, not information about network printers in the farm. You can select a local printer on the Printers tab and use the console to replicate the drivers and settings for the printer to other servers. You can also assign users to the printer to make it available as an autocreated printer in the users' ICA sessions. If you want to assign the same users to another printer, select the printer and copy its autocreation settings from this tab.
Importing network print servers into the server farm makes all printers that are connected to the print server available to the users that you specify through printer policy rules. After you install required printer drivers, users can print to these printers in their ICA sessions.
To make network printers available to users
The following steps outline the procedure for setting up network printers for users. For detailed instructions, use the Help in the Presentation Server Console.
1. Import network printers from a network print server into the farm. Select Printer Management in the Presentation Server Console, select the Network Print Servers tab, and choose Import Network Print Server. Specify the network print server to import. When the operation finishes, the print server appears on the Network Print Servers tab in the console.
2. If the necessary drivers are not included in the Windows native set and native printer driver auto-install is disabled, install the printer drivers for your network printers on a server in the farm. Use the Replicate Drivers command to distribute the drivers to all the servers in the farm.
3. Allocate network printers to users. With this release of MetaFrame Presentation Server, you allocate network printers to users through session printers policies. When a specified user logs on to a server in the farm, session printer policies determine which printers are available to the user. For more information about configuring a policy to use session printers, see Assigning Network Printers to Users through Policies on page 323.
When you use the wizard to install drivers on a server, the actual printer is not attached to the server. Select the Local option and select any local printer port that does not have an actual printing device connected; you can add multiple printers to one port.
Tip: In server farms where it is practical to do so, install all driver files on one server.
After you install drivers, to copy the driver files and registry settings to other servers in the server farm, you can use the driver replication feature in the Presentation Server Console. Use the replication feature to save time when you install printer drivers and to ensure that all drivers are available on all servers where clients need them, so that users can print to the client and network printers in the farm.
Important: Because printer drivers are platform-specific, do not replicate drivers from a server to other servers on a different platform. When the Drivers tab in the console lists drivers from both platforms and you choose Replicate Drivers, the console warns you about this because you can select drivers on either platform to replicate.
If driver replication fails because of communication errors, the console displays an error message and records the error in the server System log for each server where the operation failed.
When multiple policies are applied to a user session, printer rules are merged. For information about policies, see Creating and Applying Policies on page 289.
Note: When you designate a printer driver as incompatible for printers in the farm (see Managing Drivers for Autocreated Printers on page 324), you cannot create a printer driver mapping with the same driver.
If the Connect Client Printers at Logon option is selected in the connection properties or user profile, client printers are automatically created when users log on to ICA sessions. MetaFrame Presentation Server deletes the printers when users log off if the printers do not contain unfinished print jobs. Changes made by users to their Windows printer settings are not maintained. If print jobs are present, MetaFrame Presentation Server retains the printer and its associated jobs.
You can preserve printers to maintain custom print settings. If you do not want autocreated printers deleted when users log off, configure the client printer using the Properties dialog box in the server's Printers folder within an ICA session. The Properties dialog box displays a Comment field that contains the text Auto Created Client Printer for automatically created client printers. If you modify or delete this description, MetaFrame Presentation Server does not delete the printer when a user logs off from the server. Subsequent logons by the same user employ the printer already defined and do not modify it.
If a user's connection profiles do not specify Connect Client Printers at Logon, the user can connect to a client printer through Windows printer setup. MetaFrame Presentation Server does not automatically delete printers that are set up this way when users log off.
Under Client Printers, you can then configure the following rules:
Auto-creation. To control automatic creation of client printers, enable this rule. After enabling this rule, choose how you want to create client printers:
To create all printers automatically on a client device, choose Auto-create all client printers.
To create only printers directly connected to the client device through an LPT, COM, USB, or other local port, choose Auto-create local (non-network) client printers only.
To create only the printer defined as the default printer for the device, choose Auto-create the client's default printer only.
To turn off creation of client printers, choose Do not auto-create client printers.
Legacy client printers. To choose the style of client printers that should be autocreated, enable this rule. After enabling this rule, choose the style of client printers to create:
To create printers that are private to each user session and use standard Windows Terminal Services naming conventions, choose Create dynamic session-private client printers.
To create printers that can be shared between sessions and use printer names that are compatible with prior versions of MetaFrame, choose Create old-style client printers.
Printer properties retention. To control where the server stores modified client printer properties, enable this rule. After enabling this rule, choose where you want to store printer properties:
To store printer properties on the client or the user profile, choose Held in profile only if not saved on client. If the server cannot store printer properties on the client, it stores them in the user profile. The necessary system checking may delay logon and use additional bandwidth. Choose this option if your server farm requires backward compatibility with prior versions of MetaFrame and its clients and is not constrained by bandwidth or logon performance.
If your server uses an unsaved mandatory or roaming profile, choose Saved on client device only. Only choose this option if all the servers in your farm are running this version of MetaFrame Presentation Server and your users are using the most recent clients.
If your server farm includes servers running prior versions of MetaFrame or is constrained by bandwidth and logon speed, or your users use legacy clients, choose Retain in user profile only.
Print job routing. To allow direct connections from the server to the print server of a client printer (a shared network printer), enable this rule, then configure it as follows:
If the network print server is not across a WAN from the server, choose Connect directly to network print server if possible.
If the network print server is across a WAN from both the client device and the server, choose Always connect the printer indirectly as a client printer.
Turn off client printer mapping. To have users employ only network printers or printers connected directly to the server, enable this rule.
Use universal driver only if requested driver is unavailable. Select this option to use native drivers for client printers, if they are available. If the driver is not available on the server, the client printer is automatically created with the appropriate universal driver.
Use only printer model specific drivers. Select this option if you do not want to use the universal print driver.
Use universal driver only. Select this option if you do not want to use native drivers.
5. Use the Printer rule to enable and disable the printing bandwidth session limit. When enabling the printing bandwidth session limit, provide a bandwidth limit in kilobits per second.
6. Click OK.
After you configure a printing bandwidth limit in a policy, subsequent sessions to which it is applied adhere to the limit. You must apply a policy through a filter for the policy to affect sessions.
APPENDIX A
This appendix describes MetaFrame Presentation Server commands. These commands must be run from a command prompt on a server running MetaFrame Presentation Server. They provide additional methods for maintaining and configuring servers and farms.
Command         Description
acrcfg          Configure autoreconnect settings
aierun          Run isolation environment. Primarily for use in scripting environments.
aiesetup        Install or uninstall an application from an isolation environment
altaddr         Specify server alternate IP address
app             Run application execution shell
apputil         Add servers to Configured Servers list for published applications
auditlog        Generate server logon/logoff reports
change client   Change client device mapping
chfarm          Change the server farm membership of the server
cltprint        Set the number of client printer pipes
ctxxmlss        Change the XML Service port number
driveremap      Remap the server's drive letters
dscheck         Validate the integrity of the server farm data store
dsmaint         Configure the server farm's data store
icaport         Configure TCP/IP port number used by the ICA protocol on the server
imaport         Change IMA ports
Description
Migrate the server farm's data store from a Microsoft Access database to an MSDE database
View information about server farms, processes, servers, ICA sessions, and users
Configure ICA display settings
ACRCFG
Use acrcfg to configure automatic client reconnection settings for a server or a server farm.
Syntax
acrcfg [/server:servername | /farm] [/query | /q]
acrcfg [/server:servername | /farm] [/require:on | off] [/logging:on | off]
acrcfg [/server:servername] [/inherit:on | off] [/require:on | off] [/logging:on | off]
acrcfg [/?]
Parameters
servername The name of a server running MetaFrame Presentation Server.
Options
/query, /q
    Query current settings.
/server
    The server to be viewed or modified by the other command line options. The server specified by servername must be in the same server farm as the server on which the command is run. This option and the /farm option are mutually exclusive. The local server is the default if neither /server nor /farm is indicated.
/farm
    The options on the command line after /farm are applied to the entire server farm.
/inherit:on | off
    To use the auto client reconnect settings from the server farm, set /inherit to on for a server. To disregard the server farm auto client reconnect settings, set /inherit to off. By default, /inherit is set to on for a server.
/require:on | off
    If you want users to be prompted for credentials during automatic reconnection, set /require to on. Servers inherit the server farm setting unless /inherit is off. To allow users to automatically reconnect to disconnected sessions without providing credentials, set /require to off. By default, /require is set to off for both a server and a server farm.
/logging:on | off
    You can enable logging of client reconnections in the Application Event Log on a server. Logging can be set only when /require is set to off. Logging is set to off for both servers and server farms by default.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
Enabling automatic client reconnection allows users to resume working where they were interrupted when an ICA connection was broken. Automatic reconnection detects broken connections and then reconnects the users to their sessions. However, automatic reconnection can result in a new ICA session being launched (instead of reconnecting to an existing session) if a client's cookie, containing the key to the session ID and credentials, is not used. The cookie is not used if it has expired, for example, because of a delay in reconnection, or if credentials must be reentered because /require is set to on. Auto client reconnection is not triggered if users intentionally disconnect.
The auto client reconnect feature is enabled by default and can be disabled using Appsrv.ini or an ICA file only on the Client for Win32 or with the Web Interface for MetaFrame Presentation Server.
The /require and /logging options are valid with either /server or /farm, but /inherit is not used with /farm. If neither /server nor /farm is selected and the /inherit, /require, or /logging options are used, they are applied to the local server.
You can set /require only when /inherit is set to off. You can set logging only when /require and /inherit are set to off. When logging is not valid, it disappears from later queries. A query shows the /require setting whether or not it is on.
Settings and values are not case sensitive.
Examples
The following four commands result in the following configurations:
Require users to enter credentials when they automatically reconnect to servers configured to inherit farm-wide settings
Show the results
Allow users to be reauthenticated automatically to the local server and set the server to log client reconnections
Show the results
C:\>acrcfg /farm /require:on
Update successful
C:\>acrcfg /farm /q
Auto Client Reconnect Info for: Farm-wide Settings
REQUIRE: on
C:\>acrcfg /inherit:off /require:off /logging:on
Update successful
C:\>acrcfg /q
Auto Client Reconnect Info for: Local Server
INHERIT: off
REQUIRE: off
LOGGING: on
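The query output is enough to work out which reconnection policy actually applies to a server once inheritance is taken into account. The following audit helper is an added example, not part of the product; it accepts the query text with or without line breaks, treats a missing INHERIT line as the documented default of on, and assumes a missing REQUIRE or LOGGING line means off.

```python
import re

# Settings printed by `acrcfg /q`; names and values are not case sensitive.
_SETTING = re.compile(r"\b(INHERIT|REQUIRE|LOGGING):\s*(on|off)\b", re.IGNORECASE)
_SCOPE = re.compile(
    r"Auto Client Reconnect Info for:\s*(.*?)\s*"
    r"(?=\b(?:INHERIT|REQUIRE|LOGGING):|\Z)",
    re.IGNORECASE | re.DOTALL,
)

NO_CREDENTIALS = "users reconnect to disconnected sessions without providing credentials"
NOT_LOGGED = "client reconnections are not logged in the Application Event Log"


def parse_query(text):
    """Parse `acrcfg /q` output. Settings the query did not print stay None."""
    scope = _SCOPE.search(text)
    if scope is None:
        raise ValueError("not acrcfg query output")
    result = {"scope": scope.group(1), "inherit": None, "require": None, "logging": None}
    for key, value in _SETTING.findall(text):
        result[key.lower()] = value.lower()
    return result


def effective_settings(farm, server):
    """Resolve what applies on a server: the farm-wide settings when the
    server inherits (the default), otherwise the server's own settings."""
    inherits = (server["inherit"] or "on") == "on"
    source = farm if inherits else server
    return {
        "source": "farm" if inherits else "server",
        "require": source["require"] or "off",   # assumption: absent means off
        "logging": source["logging"] or "off",   # absent from a query when not valid
    }


def findings(effective):
    """List the review points for one server's effective settings."""
    notes = []
    if effective["require"] == "off":
        notes.append(NO_CREDENTIALS)
        if effective["logging"] == "off":
            notes.append(NOT_LOGGED)
    return notes


# Query output taken from the guide's examples.
FARM_QUERY = """Auto Client Reconnect Info for: Farm-wide Settings
REQUIRE: on
"""
SERVER_QUERY = """Auto Client Reconnect Info for: Local Server
INHERIT: off
REQUIRE: off
LOGGING: on
"""

if __name__ == "__main__":
    eff = effective_settings(parse_query(FARM_QUERY), parse_query(SERVER_QUERY))
    print(eff, findings(eff))
```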
Security Restrictions
You must be a MetaFrame administrator to make changes.
AIERUN
Use aierun to launch an application into an isolation environment.
Syntax
aierun [/w] AIE_Name Application [application parameters]
aierun [/?]
Parameters
AIE_Name
    The name of an isolation environment.
Application
    The name of the application to launch in the named isolation environment. You can also append application parameters, if any.
Options
/w
    Waits for the application launched by aierun to exit before continuing. This option is useful when aierun is used in a script or batch file.
/?
    Displays the syntax for the command and information about the command options.
Remarks
aierun is an internal launcher used by MetaFrame Presentation Server during application launching. Use of aierun from a desktop session is not supported.
Security Restrictions
None.
AIESETUP
Use aiesetup to install an application into an isolation environment.
Syntax
aiesetup [/d] [/n] [/q] [/w] AIE_Name Setup_application [application parameters]
aiesetup [/?]
Parameters
AIE_Name
    The name of an isolation environment.
Setup_application
    The name of an application installer, such as an .msi or .exe, to run. You can also append any parameters that the installer is required to process at runtime. When using aiesetup with an .msi file, use msiexec.exe with the /i option.
Options
/d
    Disables the automatic application discovery process for the isolation environment.
/n
    Disables automatically setting the Windows server to install mode (through the change user install command).
/q
    Installs the application in quiet mode and does not require user intervention, such as pressing Enter at the prompt to begin discovery. This is useful in automated application deployments, such as when using Installation Manager.
/w
    Waits for the application launched by aiesetup to exit before continuing. This option is useful when aiesetup is used in a script or batch file.
/?
    Displays the syntax for the command and information about the command options.
Usage
aiesetup launches the specified application installer and forces the application to install within the specified isolation environment. At runtime, if you did not use the /d option, aiesetup displays the following message at a command prompt:
Press <Enter> to start the application discovery process when application installation completes.
When installation is complete, the silent application discovery process is invoked. The application discovery process locates application shortcuts added by the installer and adds the information to the data store. Data collected by the application discovery process facilitates publishing of applications installed in an isolation environment. Press Q to omit the application discovery process if it is not already running and return to a command prompt. Alternatively, you can use the /d option with aiesetup to omit the application discovery process.
Remarks
Application isolation functionality includes the ability to install applications into an isolation environment as well as uninstall applications installed into an isolation environment. This is useful in cases when different versions of an application cannot be installed on a single server.
To install an application into an isolation environment, follow the procedure outlined below.
1. Create an isolation environment with isolation rules as appropriate. For information about creating isolation environments, see Creating an Isolation Environment on page 255. For information about configuring isolation environment rules, see online help for the Presentation Server Console.
2. Ready a copy of the MSI or EXE file for the application to be installed into the isolation environment.
Security Restrictions
To execute aiesetup, you must be a MetaFrame administrator with the permissions to perform all of the following tasks:
Manage isolation environments for the farm
Publish applications and edit properties for the farm
Run the aiesetup command on the server where you are installing the application. Citrix does not support installing an application into an isolation environment through a connection made with Remote Desktop Connection.
ALTADDR
Use altaddr to query and set the alternate (external) IP address for a server running MetaFrame Presentation Server. The alternate address is returned to clients that request it and is used to access a server that is behind a firewall.
Syntax
altaddr [/server:servername] [/set alternateaddress] [/v]
altaddr [/server:servername] [/set adapteraddress alternateaddress] [/v]
altaddr [/server:servername] [/delete] [/v]
altaddr [/server:servername] [/delete adapteraddress] [/v]
altaddr [/?]
Parameters
servername
    The name of a server.
alternateaddress
    The alternate IP address for a server.
adapteraddress
    The local IP address to which an alternate address is assigned.
Options
/server:servername
    Specifies the server on which to set an alternate address. Defaults to the current server.
/set
    Sets alternate TCP/IP addresses. If an adapteraddress is specified, alternateaddress is assigned only to the network adapter with that IP address.
/delete
    Deletes the default alternate address on the specified server. If an adapter address is specified, the alternate address for that adapter is deleted.
/v (verbose)
    Displays information about the actions being performed.
/?
    Displays the syntax for the utility and information about the utility's options.
Remarks
The server subsystem reads the altaddr settings for server external IP addresses at startup only. If you use altaddr to change the IP address setting, you must restart the IMA Service for the new setting to take effect. If altaddr is run without any parameters, it displays the information for alternate addresses configured on the current server.
Examples
Set the server's alternate address to 1.1.1.1:
altaddr /set 1.1.1.1
Set the server's alternate address to 2.2.2.2 on the network interface card whose adapter address is 1.1.1.1:
altaddr /set 2.2.2.2 1.1.1.1
Security Restrictions
None.
APP
App is a script interpreter for secure application execution. Use App to read execution scripts that copy standardized .ini type files to user directories before starting an application, or to perform application-related cleanup after an application terminates. The script commands are described below.
Syntax
app scriptfilename
Parameter
scriptfilename The name of a script file containing app commands (see script commands below).
Remarks
If no scriptfilename is specified, app displays an error message. The Application Execution Shell reads commands from the script file and processes them in sequential order. The script file must reside in the %SystemRoot%\Scripts directory.
Script Commands
The script commands are:
copy sourcedirectory\filespec targetdirectory
    Copies files from sourcedirectory to targetdirectory. Filespec specifies the files to copy and can include wildcards (*,?).
delete directory\filespec
    Deletes files owned by a user in the directory specified. Filespec specifies the files to delete and can include wildcards (*,?). See the Examples section for more information.
deleteall directory\filespec
    Deletes all files in the directory specified.
execute
    Executes the program specified by the path command using the working directory specified by the workdir command.
path executablepath
    Executablepath is the full path of the executable to be run.
workdir directory
    Sets the default working directory to the path specified by directory.
Script Parameters
directory
    A directory or directory path.
executablepath
    The full path of the executable to be run.
filespec
    Specifies the files to copy and can include wildcards (*,?).
sourcedirectory
    The directory and path from which files are to be copied.
targetdirectory
    The directory and path to which files are to be copied.
Examples
The following script file runs the program Sol.exe:
PATH C:\Wtsrv\System32\Sol.exe
WORKDIR C:\Temp
EXECUTE
The following script file runs the program Notepad.exe. When the program terminates, the script deletes files in the Myapps\Data directory created for the user who launched the application:
PATH C:\Myapps\notepad.exe
WORKDIR C:\Myapps\Data
EXECUTE
DELETE C:\Myapps\Data\*.*
The following script file copies all the .wri files from the directory C:\Write\Files, executes Write.exe in directory C:\Temp.wri, and then removes all files from that directory when the program terminates:
PATH C:\Wtsrv\System32\Write.exe
WORKDIR C:\Temp.wri
COPY C:\Write\Files\*.wri C:\Temp.wri
EXECUTE
DELETEALL C:\Temp.wri\*.*
The following example demonstrates using the script file to implement a front-end registration utility before executing the application Coolapp.exe. You can use this method to run several applications in succession:
PATH C:\Regutil\Reg.exe
WORKDIR C:\Regutil
EXECUTE
PATH C:\Coolstuff\Coolapp.exe
WORKDIR C:\Temp
EXECUTE
DELETEALL C:\Temp
Security Restrictions
None.
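Because app places no security restriction on who runs it, a script is worth reviewing before it is put in %SystemRoot%\Scripts. The following checker is an added example, not part of the Citrix guide or of app itself. It assumes one command per line, case-insensitive keywords, and that only COPY takes two whitespace-separated arguments; the names lint_app_script, PAGE_EXAMPLE and CONSTRUCTED_BAD are hypothetical, and the second sample script is constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

# Command names and argument counts from the Script Commands list above.
ARG_COUNT = {"copy": 2, "delete": 1, "deleteall": 1,
             "execute": 0, "path": 1, "workdir": 1}


@dataclass
class Finding:
    line: int
    severity: str  # "error" or "warning"
    message: str


def norm(path):
    # Case-fold and normalise a Windows path so two spellings compare equal.
    return ntpath.normcase(ntpath.normpath(path))


def is_full_path(path):
    # Drive-qualified absolute path such as C:\Temp (not "notepad.exe").
    drive, _ = ntpath.splitdrive(path)
    return bool(drive) and ntpath.isabs(path)


def target_dir(arg):
    # Directory part of a directory\filespec argument; the last component
    # counts as a filespec only when it contains a wildcard.
    head, tail = ntpath.split(arg)
    return head if ("*" in tail or "?" in tail) else arg


def lint_app_script(text):
    findings = []

    def add(line, severity, message):
        findings.append(Finding(line, severity, message))

    pending_path = None  # line number of a PATH not yet run by EXECUTE
    have_path = False
    script_dirs = set()  # WORKDIR and COPY targets set by this script

    for n, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split(None, 1)
        if not parts:
            continue
        cmd = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if cmd not in ARG_COUNT:
            add(n, "error", f"unknown command {parts[0]!r}")
            continue
        # Assumption: only COPY takes two whitespace-separated arguments.
        if cmd in ("copy", "execute"):
            args = rest.split()
        else:
            args = [rest] if rest else []
        if len(args) != ARG_COUNT[cmd]:
            add(n, "error", f"{cmd} expects {ARG_COUNT[cmd]} argument(s)")
            continue
        for a in args:
            checked = a if cmd == "path" else target_dir(a)
            if not is_full_path(checked):
                add(n, "error", f"{cmd}: {a!r} is not a full path")

        if cmd == "path":
            if pending_path is not None:
                add(pending_path, "warning", "PATH is replaced before EXECUTE runs it")
            pending_path, have_path = n, True
        elif cmd == "execute":
            if not have_path:
                add(n, "error", "EXECUTE with no preceding PATH")
            pending_path = None
        elif cmd == "workdir":
            script_dirs.add(norm(args[0]))
        elif cmd == "copy":
            script_dirs.add(norm(args[1]))
        elif cmd == "deleteall":
            d = norm(target_dir(args[0]))
            if ntpath.splitdrive(d)[1] in ("", "\\"):
                add(n, "error", "DELETEALL targets a drive root")
            elif d not in script_dirs:
                add(n, "warning", "DELETEALL removes every file, whoever owns it, "
                    "in a directory this script did not set with WORKDIR or COPY")
    if pending_path is not None:
        add(pending_path, "warning", "PATH is never followed by EXECUTE")
    return findings


# The front-end registration example from the Examples section above.
PAGE_EXAMPLE = r"""PATH C:\Regutil\Reg.exe
WORKDIR C:\Regutil
EXECUTE
PATH C:\Coolstuff\Coolapp.exe
WORKDIR C:\Temp
EXECUTE
DELETEALL C:\Temp
"""

# Constructed script with deliberate mistakes, for illustration only.
CONSTRUCTED_BAD = r"""WORKDIR C:\Temp
EXECUTE
PATH notepad.exe
DELETEALL C:\Users\*.*
RUN C:\Tools\x.exe
"""

if __name__ == "__main__":
    for f in lint_app_script(CONSTRUCTED_BAD):
        print(f"line {f.line}: {f.severity}: {f.message}")
```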
APPUTIL
Use apputil to add servers to the Configured Servers list for a published application, and to install or uninstall Installation Manager packages or package groups on specified servers.
Syntax
apputil [ /? ]
apputil [ /q ]
apputil [ /i applicationID servername ]
apputil [ /u applicationID servername ]
apputil [ /qj jobID]
apputil [ /qp ]
apputil [ /ip packageID servername [reboot] ]
apputil [ /up packageID servername [reboot] ]
Parameters
applicationID The ID of a published application, as displayed by the /q option.
servername For the /i and /u options, this is the name of the server to add to the Configured Servers list for the published application. For the /ip and /up options, this is the name of the server that the Installation Manager package or package group will be installed on or uninstalled from.
jobID The ID of the job that installs or uninstalls an Installation Manager package or package group.
packageID The ID of an Installation Manager package or package group, as displayed by the /qp option.
Options
/? Display the syntax for the utility and information about the utility's options.
/q Queries a list of all available published applications, published desktops, and published applications bundled into Installation Manager packages.
/i Add a server to the Configured Servers list for a specified published application. You can use the /i option with the following types of published resources:
• Standard published applications. Note that any server-specific overrides you configure when you publish the application (such as overrides to the command line and working directory entries) are not applied to the specified server when it is added to the Configured Servers list. To use the /i option with the published application, be sure that the target application is located in the default location you specified when you published the application.
• Published server desktops.
• Installation Manager packages. When you run apputil for published applications associated with Installation Manager packages, the packaged application is scheduled for immediate installation on the target host, and the server is added to the Configured Servers list for the published application.
/u Remove a server from the Configured Servers list for a specified Published Application. Note that if the application published an Installation Manager package, that package is not uninstalled from the target host.
/qj Query the status of a specified job. Typically, a job's status progresses from Pending to Started to Success.
/qp Query a list of all available Installation Manager packages and package groups.
/ip Schedule the installation of an Installation Manager package or package group on a specified server. Use reboot to force the server to restart after the job completes.
/up Schedule the uninstall of an Installation Manager package or package group on a specified server. Use reboot to force the server to restart after the job completes.
Remarks
You must run this utility from a server running MetaFrame Presentation Server Enterprise Edition and Installation Manager.
When you use the /i option with an Installation Manager package, an unnamed Installation Manager job is created. When the job completes successfully, connections to the published application are enabled on the server.
When you use the Presentation Server Console to manually add servers to the Configured Servers list for Installation Manager packages, or install and uninstall packages or package groups, you can schedule when this should occur. However, when you use the apputil utility, these tasks are scheduled immediately.
If an error occurs during execution of the utility, the process exit code 1 is returned. Apputil returns 0 on success.
Examples
The following examples display the correct syntax and usage for the apputil utility.
C:\>apputil /q
Available published applications: 3.
Application ID        Type          Description
2e0e-0009-000010a9    Application   Word
2e0e-0009-000010ac    Desktop       Desktop
2e0e-0009-000010af    Package       Acrobat Reader
C:\>apputil /i 2e0e-0009-000010a9 SERVERA
Success. The published application is now configured for the specified server.
C:\>apputil /i 2e0e-0009-000010ac SERVERA
Success. The published desktop is now configured for the specified server.
C:\>apputil /i 2e0e-0009-000010af SERVERA
Success. The packaged application has been scheduled for immediate installation.
C:\>apputil /qp
There are 2 packages and package groups available.
Package ID            Type            Description
05d1-007a-00000301    Package Group   Accounts Package Group
05d1-0037-00000300    Package         Acrobat Reader
C:\>apputil /ip 05d1-007a-00000301 SERVERA
Successfully scheduled install job. Job ID: 05d1-0038-000003b8
C:\>apputil /qj 05d1-0038-000003b8
Job status: SUCCESS
Running the following script adds a server (specified as a command line parameter) to the Configured Servers list for a published application.
Script name: Rollout.cmd
AppUtil.exe /i 397e-0009-00000430 %1
@IF ERRORLEVEL 1 goto Error
AppUtil.exe /i 397e-0009-00000491 %1
@IF ERRORLEVEL 1 goto Error
AppUtil.exe /i 397e-0009-00000494 %1
@IF ERRORLEVEL 1 goto Error
AppUtil.exe /i 397e-0009-0000049a %1
@IF ERRORLEVEL 1 goto Error
@ECHO Success!
@GOTO End
:Error
@ECHO Failure!
:End
Usage: Rollout.cmd <server>
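The /ip and /qj options only schedule and report a job, so an unattended rollout has to wait for the job to finish before treating the server as ready. The following wrapper is an added example, not part of the Citrix guide. It assumes that /qj prints "Job status: PENDING" and "Job status: STARTED" in the same form as the documented "Job status: SUCCESS" line and treats any other state as a failure; install_package and run_apputil are hypothetical names.

```python
import re
import subprocess
import time

JOB_ID = re.compile(r"Job ID:\s*([0-9a-fA-F-]+)")
JOB_STATUS = re.compile(r"Job status:\s*(\w+)")
IN_PROGRESS = {"PENDING", "STARTED"}  # states named in the /qj description


def run_apputil(args):
    # Real runner: needs a farm server with apputil on the PATH.
    proc = subprocess.run(["apputil", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def install_package(package_id, server, run=run_apputil,
                    poll_seconds=30, max_polls=60, sleep=time.sleep):
    """Schedule a package install and wait until the job reports SUCCESS.

    Returns (job_id, list of distinct states seen in order).
    """
    code, out = run(["/ip", package_id, server])
    if code != 0:  # apputil returns 1 on error and 0 on success
        raise RuntimeError(f"apputil /ip exited with {code}: {out.strip()}")
    match = JOB_ID.search(out)
    if match is None:
        raise RuntimeError("no Job ID in apputil /ip output")
    job_id = match.group(1)

    seen = []
    for _ in range(max_polls):
        code, out = run(["/qj", job_id])
        if code != 0:
            raise RuntimeError(f"apputil /qj exited with {code}: {out.strip()}")
        match = JOB_STATUS.search(out)
        status = match.group(1).upper() if match else "UNPARSED"
        if not seen or seen[-1] != status:
            seen.append(status)
        if status == "SUCCESS":
            return job_id, seen
        if status not in IN_PROGRESS:
            # Assumption: anything other than the three documented states
            # means the job will not complete.
            raise RuntimeError(f"job {job_id} ended in state {status}")
        sleep(poll_seconds)
    last = seen[-1] if seen else "unqueried"
    raise TimeoutError(f"job {job_id} still {last} after {max_polls} polls")
```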
Security Restrictions
To run this utility, you must be a MetaFrame administrator with the permissions to perform the following tasks:
• To use the /q option, you must at least have permission to view published applications and content.
• To use the /i or /u options for published applications and published desktops, you must have permission to view published applications, to publish applications, and to edit a published application's properties.
• To use the /i option for Installation Manager packaged applications, you must have permission to edit Installation Manager, in addition to the permissions described above.
• To use the /qp and /qj options, you must have View Installation Manager permission.
• To use the /ip and /up options for Installation Manager packages or package groups, you must have Install and Uninstall Packages permission.
AUDITLOG
Auditlog generates reports of logon/logoff activity for a server based on the Windows NT Server security event log. To use auditlog, you must first enable logon/logoff accounting. You can direct the auditlog output to a file.
Syntax
auditlog [username | session] [/eventlog:filename] [/before:mm/dd/yy] [/after:mm/dd/yy] [[/write:filename] | [/detail | /time] [/all]]
auditlog [username | session] [/eventlog:filename] [/before:mm/dd/yy] [/after:mm/dd/yy] [[/write:filename] | [/detail] | [/fail ] | [ /all]]
auditlog [/clear:filename]
auditlog [/?]
Parameters
filename The name of the eventlog output file.
session Specifies the session ID for which to produce a logon/logoff report. Use this parameter to examine the logon/logoff record for a particular session.
mm/dd/yy The month, day, and year (in two-digit format) to limit logging.
username Specifies a user name for which to produce a logon/logoff report. Use this parameter to examine the logon/logoff record for a particular user.
Options
/eventlog:filename Specifies the name of a backup event log to use as input to auditlog. You can back up the current log from the Event Log Viewer by using auditlog /clear:filename.
/before:mm/dd/yy Reports on logon/logoff activity only before mm/dd/yy.
/after:mm/dd/yy Reports on logon/logoff activity only after mm/dd/yy.
/write:filename Specifies the name of an output file. Creates a comma-delimited file that can be imported into an application, such as a spreadsheet, to produce custom reports or statistics. It generates a report of logon/logoff activity for each user, displaying logon/logoff times and total time logged on. If filename exists, the data is appended to the file.
/time Generates a report of logon/logoff activity for each user, displaying logon/logoff times and total time logged on. Useful for gathering usage statistics by user.
/fail Generates a report of all failed logon attempts.
/all Generates a report of all logon/logoff activity.
/detail Generates a detailed report of logon/logoff activity.
/clear:filename Saves the current event log in filename and clears the event log. This command does not work if filename already exists.
/? Displays the syntax for the utility and information about the utility's options.
Remarks
Auditlog provides logs you can use to verify system security and correct usage. The information can be extracted as reports or as comma-delimited files that can be used as input to other programs. You must enable logon/logoff accounting on the local server to collect the information used by auditlog. To enable logon/logoff accounting, log on as a local administrator and enable logon/logoff accounting with the Audit Policy in Microsoft Windows.
Security Restrictions
None.
CHANGE CLIENT
Change client changes the current disk drive, COM port and LPT port mapping settings for a client device.
Syntax
change client [/view | /flush | /current]
change client [{/default | [/default_drives] | [/default_printers]} [/ascending]] [/noremap] [/persistent] [/force_prt_todef]
change client [/delete host_device] [host_device client_device] [/?]
Parameters
host_device The name of a device on the host server to be mapped to a client device.
client_device The name of a device on the client to be mapped to host_device.
Options
/view Displays a list of all available client devices.
/flush Flushes the client drive mapping cache. This action forces the server and the client to resynchronize all disk data. See Remarks for more information.
/current Displays the current client device mappings.
/default Resets host drive and printer mappings to defaults.
/default_drives Resets host drive mappings to defaults.
/default_printers Resets host printer mappings to defaults.
/ascending Uses ascending, instead of descending, search order for available drives and printers to map. This option can be used only with /default, /default_drives, or /default_printers.
/noremap If /noremap is specified, client drives that conflict with server drives are not mapped.
/persistent Saves the current client drive mappings in the client device user's profile.
/force_prt_todef Sets the default printer for the client session to the default printer on the client's Windows desktop.
/delete host_device Deletes the client device mapping to host_device.
/? (help) Displays the syntax for the utility and information about the utility's options.
Remarks
Typing change client with no parameters displays the current client device mappings; it is equivalent to typing change client /current. Use change client host_device client_device to create a client drive mapping. This maps the client_device drive letter to the letter specified by host_device; for example, change client v: c: maps client drive C to drive V on the server. The /view option displays the share name, the share type, and a comment describing the mapped device. Sample output for change client /view follows:
C:>change client /view
Available Shares on client connection ICA-tcp#7
Sharename         Type      Comment
\\Client\A$       Disk      Floppy
\\Client\C$       Disk      FixedDrive
\\Client\D$       Disk      CdRom
\\Client\LPT1:    Printer   Parallel Printer
\\Client\COM1:    Printer   Serial Printer
The /flush option flushes the client drive cache. This cache is used to speed access to client disk drives by retaining a local copy of the data on the server running MetaFrame Presentation Server. The time-out for hard drive cache entries is ten minutes and the time-out for diskette data is five seconds. If the client device is using a multitasking operating system and files are created or modified, the server does not know about the changes. Flushing the cache forces the data on the server to be synchronized with the client data. The cache time-out for diskettes is set to five seconds because diskette data is usually more volatile; that is, the diskette can be removed and another diskette inserted.
The /default option maps the drives and printers on the client device to mapped drives and printers on the server running MetaFrame Presentation Server. Drives A and B are always mapped to drives A and B on the server. Hard drives are mapped to their corresponding drive letters if those drive letters are available on the server. If the corresponding drive letter is in use on the server, the default action is to map the drive to the highest unused drive letter. For example, if both machines have drives C and D, the client drives C and D are mapped to V and U respectively. These default mappings can be modified by the /ascending and /noremap options.
The /default_printers option resets printer mappings to defaults. /default_printers attempts a one-to-one mapping of all client printers; for example, the client's LPT1 and LPT2 ports are mapped to the server's LPT1 and LPT2 ports. If the /ascending option is specified, the mapping is done in ascending order.
The /default_drives option resets host drive mappings to defaults. /default_drives attempts a one-to-one mapping of all client drives; for example, client drives A and B are mapped to server drives A and B. Hard drives are mapped to their corresponding drive letters if those drive letters are available on the server. If the corresponding drive letter is in use on the server, the default action is to map the drive to the highest unused drive letter. For example, if both machines have drives C and D, the client drives C and D are mapped to V and U respectively. If the /ascending option is specified, the mapping is done in ascending order.
The /ascending option causes the mapping to occur in ascending drive letter order. For example, if the first two available drive letters on the server are I and J, drives C and D in the preceding example are mapped to I and J respectively.
The /noremap option causes the mapping to skip drive letters occupied on the server. For example, if the server has a drive C but no drive D, the client's drive C is mapped to D on the server, but the client's drive D is not mapped.
The /persistent option causes the current device mappings to be saved in the user's profile. Drive conflicts can occur if the /persistent option is in use and the user logs on from a client device that has a different disk drive configuration, or logs on to a server that has a different disk drive configuration.
The /force_prt_todef option sets the default printer for the ICA session to the default printer on the client's Windows desktop.
Security Restrictions
None.
CHFARM
Change farm is used to change the farm membership of a server.
Syntax
chfarm
Remarks
You can use chfarm when you want to move a server from its current server farm. You can move the server to an existing IMA-based server farm or create a new server farm at the same time that you move the server. Citrix recommends that you back up your data store before running chfarm.
Important If the server you want to move provides information for a Resource Manager summary database, update the summary database before using chfarm. If you do not update the summary database, you will lose approximately 24 hours' worth of summary data stored on the server. To update the summary database, click the Resource Manager node in the Presentation Server Console, select the Summary Database tab, and click Update Now.
The chfarm utility is installed in %ProgramFiles%\citrix\system32\citrix\IMA. To run this utility, choose Run from the Start menu. Enter chfarm.
CAUTION Be sure that the Presentation Server Console is closed before you run the chfarm command. Running chfarm while the console is open can result in loss of data and functionality.
Chfarm stops the IMA service on the server. The data store configuration part of the MetaFrame Presentation Server Setup wizard appears. On the first page, you can select to join an existing server farm or create a new server farm. The wizard continues and you specify an existing data store (to join an existing server farm) or set up a new data store (if you create a new server farm). While running chfarm, you are prompted for the user name and password of the user you want to designate as the initial MetaFrame administrator for the farm. For information about data store setup and server farm configuration, see "The Farm Data Store" on page 39.
If chfarm reports any error, continuing the process can corrupt the data store. If you cancel the data store configuration part of the MetaFrame Presentation Server Setup wizard, the server you are switching rejoins the original farm.
After the farm membership is changed or a new farm is created, restart the server.
Do not remove a server that hosts a server farm's data store from the server farm, unless all other servers are removed first. Doing so renders the farm unstable.
Note If you name an instance of MSDE CITRIX_METAFRAME, you do not need to use the /instancename option.
CLTPRINT
Use cltprint to set the number of printer pipes for the client print spooler.
Syntax
cltprint [/q] [/pipes:nn] [/?]
Options
/q Displays the current number of printer pipes.
/pipes:nn Sets the specified number of printer pipes. The number represented by nn must be from 10 to 63.
/? Displays the syntax for the utility and information about the utility's options.
Remarks
Printer pipes are used to send data from applications to client print spoolers. The number of pipes specifies the number of print jobs that can be sent to the spooler simultaneously. The default number of printer pipes is ten. The Spooler service must be stopped and restarted after changing the number of pipes. Print jobs already spooled continue printing. Print jobs sent to the spooler trigger an error message while the service is stopped. Make sure no users start printing during the time the Spooler service is stopped.
Security Restrictions
None.
CTXXMLSS
Use ctxxmlss to change the Citrix XML Service port number.
Syntax
ctxxmlss [/rnnn] [/u] [/knnn] [/?]
Options
/rnnn Changes the port number for the Citrix XML Service to nnn.
/u Unloads Citrix XML Service from memory.
/knnn Keeps the connection alive for nnn seconds. The default is nine seconds.
/? Displays the syntax for the utility and information about the utility's options.
Remarks
For more information, see Configuring the Citrix XML Service Port on page 134.
Security Restrictions
None.
DRIVEREMAP
Use the driveremap utility to change the server's drive letters. MetaFrame Presentation Server Setup installs the driveremap utility in C:\Program Files\Citrix\System32.
Note In previous releases of MetaFrame Presentation Server, the utility to change the server's drive letters was named Drvremap.exe.
Important If you are installing MetaFrame Presentation Server on a server that is not running a previous version of MetaFrame, run the driveremap utility before you install MetaFrame Presentation Server. Citrix recommends that you do not change server drive letters after you install MetaFrame Presentation Server or applications you want to publish for users to access.
Syntax
driveremap /?
driveremap /dbscript:filename
driveremap /drive:M
driveremap /u
driveremap /noreboot
driveremap /IME
Options
The following parameters can be used with driveremap at a command line.
/? Displays the syntax for the utility and information about the utility's options.
/dbscript:filename Sets the path to Fixsecuritydatabase.cmd to filename. For Windows Server 2003, the Fixsecuritydatabase utility is run to update drive information in the Windows security database after you remap the system drive. Fixsecuritydatabase is not needed for Windows 2000 Server. If you run driveremap from a location other than the MetaFrame Presentation Server CD, use the /dbscript switch to specify the path to Fixsecuritydatabase.cmd. If you copy Fixsecuritydatabase.cmd to a folder with the same relative location to Driveremap.exe as on the MetaFrame Presentation Server CD (\Support\Install\Fixsecuritydatabase.cmd), you do not need to specify a new path with the /dbscript switch. After remapping drives on Windows Server 2003, ensure that you restart the server and log on with an administrator account that has read access to the Fixsecuritydatabase.cmd file specified by /dbscript.
/drive:M Specifies the drive letter to use for the first remapped drive.
/u Permits unattended or silent installation where no dialog boxes are displayed and no user input is required. You must use this option in conjunction with the /drive: option.
/noreboot Suppresses the Restart Computer message and does not restart the system. Citrix strongly recommends that you restart the system after running this utility.
/ime[filename] Changes the drive letter specified in Software\Microsoft\Windows\CurrentVersion\Ime\Japan\IMEJP\Dictionaries for all of the loaded hives under HKEY_USERS.
Remarks
The Drive Remapping utility allows you to select the drive letters you want to map. Before installation, you can run the Drive Remapping utility from the Autorun screens of the MetaFrame Presentation Server CD. After installing MetaFrame Presentation Server, you can open the utility by running Driveremap.exe with no parameters.
CAUTION Do not run Driveremap within an ICA session or RDP session, for example from a command prompt of a server desktop published as an application. Running Driveremap in an ICA session or RDP session can cause the server to become unstable.
Examples
The following command remaps the server's drive letters. The first available drive is changed to M. The command uses the noreboot option, which suppresses the appearance of any dialog boxes.
driveremap /u /drive:M /noreboot
The following command returns the server's drive letters to the drive letters that start at C and then prompts you to restart the server.
driveremap /u /drive:M /drive:C
Known Issues
The following items are known issues you may encounter when running the driveremap utility.
• When running driveremap with no parameters, the drive letter choices in the drop-down list may be greyed out. This can occur if the server has noncontiguous drive letters, for example, C, D, X. The mapped drive letters are spread over the interval [a..z] and no reasonable interval shifting can be performed. Network drives are also taken into account. To work around this issue, change the drive letters to C, D, and E and then run the driveremap utility.
• At a command prompt, if you remap to a letter that is in use, nothing happens and you are returned to the prompt. Locate the server's drive letters in Windows Explorer to verify that the drive letters are changed.
• MetaFrame Presentation Server drive remapping is not supported on Windows 2000 Dynamic Disks.
• Installation of the Web Interface on a server running MetaFrame Presentation Server may fail if you are upgrading a server with remapped drives. See article CTX240747 in the online Citrix Knowledge Base at http://support.citrix.com for more information.
• If you upgrade from MetaFrame 1.8 to MetaFrame Presentation Server on a server with changed server drive letters, the Win32 Pass-Through Client is not updated. To avoid this issue, be sure the server is operating in install mode before running Setup.
Security Restrictions
Only MetaFrame administrators can execute this command.
DSCHECK
Use dscheck to validate the consistency of the database used to host the server farm's data store. You can then repair any inconsistencies found.
Syntax
dscheck [/clean] [/?]
Options
/clean Attempts to fix any consistency error that is found.
/? Displays the syntax for the utility and information about the utility's options.
Remarks
Dscheck performs a variety of tests to validate the integrity of a server farm's data store. When run without parameters, only these tests are run. Run dscheck on a server in the farm that has a direct connection to the data store.
When you run dscheck with the /clean option, the utility runs tests and removes inconsistent data (typically servers and applications) from the data store. Because removing this data can affect the farm's operation, be sure to back up the data store before using the /clean option. Contact Citrix Technical Support for assistance in restoring a backed up data store. When you run the utility with the /clean option, you may need to run the dsmaint command with the recreatelhc parameter on each server in the farm to update the local host caches. Running this command sets the PSRequired registry value to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime.
Dscheck reports the results of the tests in several ways. First, dscheck sends any errors found as well as a summary to the event log and to the command window. You can also write the output produced by dscheck to a file. Second, several performance monitor values are updated under the performance object for Citrix MetaFrame Presentation Server. These values include a count of server errors, a count of application errors, a count of group errors, and an overall flag indicating that errors were detected. The performance monitor values can be used with Resource Manager to detect when problems are present. Third, dscheck returns an error code of 0 for a successful scan (no errors are found) and an error code of 1 if any problems are encountered.
Dscheck looks primarily at three data store objects: servers, applications, and groups. For each of these object types, dscheck performs a series of tests on each object instance. For example, for each server object in the data store, dscheck verifies that there is a corresponding common server object and then further verifies that both objects have matching host IDs and host names.
Examples
To run consistency checks only:
dscheck
To check consistency and fix errors:
dscheck /clean
Security Restrictions
To run this utility, you must have direct access to the data store.
DSMAINT
Use dsmaint to configure the IMA data store for a server farm. When using this command, user names and passwords may be case-sensitive, depending on the database product you are using and the operating system on which it runs.
Syntax
dsmaint config [/user:username] [/pwd:password] [/dsn:filename]
dsmaint backup destination_path
dsmaint failover direct_server
dsmaint compactdb [/ds] [/lhc]
dsmaint migrate [{ /srcdsn:dsn1 /srcuser:user1 /srcpwd:pwd1}] [{/dstdsn:dsn2 /dstuser:user2 /dstpwd:pwd2}]
dsmaint publishsqlds {/user:username /pwd:password}
dsmaint recover
dsmaint recreatelhc
dsmaint verifylhc [/autorepair]
dsmaint [/?]
Parameters
destination_path Path to the backup data store.
dsn1 The name of the source data store.
dsn2 The name of the destination data store.
filename The name of the data store.
direct_server The name of the new direct server for IMA data store operations.
password The password to connect to the data store.
pwd1 The source data store password.
pwd2 The destination data store password.
user1 The source data store user logon.
user2 The destination data store user logon.
username The name of the user to use when connecting to the data store.
Options
config Changes configuration parameters used by IMA to connect to the data store.
/user:username The username to connect to a data store.
/pwd:password The password to connect to a data store.
/dsn:filename The filename of an IMA data store.
backup Creates a backup copy of the Access database that is the farm's data store. Run this command on the server that hosts the data store. Requires a path or share point to which the database file will be copied. The backup command cannot be used to create backups for Oracle or SQL data stores.
failover Switches the server to use a new direct server for IMA data store operations.
compactdb Compacts the Access database file.
/ds Specifies the database is to be compacted immediately. If the IMA service is running, this can be executed from the direct server or an indirect server. If the IMA service is not running, this can be executed only on the direct server.
/lhc Specifies the local host cache is to be compacted immediately.
migrate Migrates data from one data store database to another. Use this command to move a data store to another server, rename a data store in the event of a server name change, or migrate the data store to an Oracle, SQL Server, or DB2 database.
/srcdsn:dsn1 The name of the data store from which to migrate data.
/srcuser:user1 The user name to use to connect to the data store from which the data is migrating.
/srcpwd:pwd1 The password to use to connect to the data store from which the data is migrating.
/dstdsn:dsn2 The name of the data store to which to migrate the data.
/dstuser:user2 The user name that allows you to connect to the data store to which you are migrating the source data store.
/dstpwd:pwd2 The password that allows you to connect to the data store to which you are migrating the source data store.
publishsqlds Publishes a data store to allow replication.
recover Restores an Access data store to its last known good state. This must be executed on the direct server while the IMA service is not running.
recreatelhc Recreates the local host cache database.
verifylhc Verifies the integrity of a Microsoft Access local host cache. If the local host cache is corrupt, you are prompted with the option to recreate it. With the verifylhc /autorepair option, the local host cache is automatically recreated if it is found to be corrupted.
/? Displays the syntax for the utility and information about the utility's options.
Remarks
compactdb During database compaction, the database is temporarily unavailable for both reading and writing. The compaction time can vary from a few seconds to a few minutes, depending on the size of the database and the usage.
config For Access databases, this command resets the password used to protect the database, setting the matched security context to allow IMA access to this database. You must stop the IMA service before using config with the /pwd option.
CAUTION You must specify a /dsn for dsmaint config or you will change the security context for access to the SQL or Oracle database.
migrate Existing data store databases can be migrated to a different database software. For example, you can create a farm with an Access database and later migrate the farm data store to a SQL Server database. For more information about migrating the data store to a different database software and which migrations are supported, see "The Farm Data Store" on page 39.
Important By default, the Access database does not have a user name or password. When migrating a database from Access, leave the /srcuser: and /srcpwd: parameters blank. The connection to a local Access database is based on the host server's name. If the name of the server changes, use migrate to change the name of the database.
publishsqlds Execute publishsqlds only from the server that created the farm. The publication will be named MFXPDS.
Security Restrictions
The dsmaint config and dsmaint migrate commands can be executed only by a user with the correct user name and password for the database.
ICAPORT
Use icaport to query or change the TCP/IP port number used by the ICA protocol on the server.
Syntax
icaport {/query | /port:nnn | /reset} [/?]
Options
/query    Queries the current setting.
/port:nnn    Changes the TCP/IP port number to nnn.
/reset    Resets the TCP/IP port number to 1494, which is the default.
/?    Displays the syntax for the utility and information about the utility's options.
Remarks
The default port number is 1494. The port number must be in the range of 0 to 65535 and must not conflict with other well-known port numbers. If you change the port number, restart the server for the new value to take effect. If you change the port number on the server, you must also change it on every client that will connect to that server. For instructions for changing the port number on clients, see the Administrator's Guide for the clients that you plan to deploy.
Examples
To set the TCP/IP port number to 5000:
    icaport /port:5000
To reset the port number to 1494:
    icaport /reset
Security Restrictions
Only MetaFrame administrators can run icaport.
IMAPORT
Use imaport to query or change the IMA port.
Important When you run MetaFrame Presentation Server Setup, Setup references port 2513 for communication with the Presentation Server Console. If you change this port number on the first server in the farm on which you install MetaFrame Presentation Server, you cannot join additional servers to the server farm.
Syntax
imaport {/query | /set {IMA:nnn | ds:nnn | cmc:nnn}* | /reset {IMA | DS | CMC | ALL} } [/?]
Options
/query    Queries the current setting.
/set    Sets the designated TCP/IP port(s) to a specified port number.
    ima:nnn    Sets the IMA communication port to a specified port number.
    cmc:nnn    Sets the Presentation Server Console connection port to a specified port number.
    ds:nnn    Sets the data store server port to a specified port number (indirect servers only).
/reset    Resets the specified TCP/IP port to the default.
    ima    Resets the IMA communication port to 2512.
    cmc    Resets the Presentation Server Console connection port to 2513.
    ds    Resets the data store server port to 2512 (indirect servers only).
    all    Resets all of the applicable ports to the defaults.
/?    Displays the syntax for the utility and information about the utility's options.
MIGRATETOMSDE
Use migratetomsde to migrate a server farm's data store from Microsoft Access to Microsoft SQL Server 2000 Database Engine (MSDE). Migratetomsde offers fail-safe operation and automatically rolls back any changes that it makes to the system in the event of any failures. The utility is located on the MetaFrame Presentation Server CD in the Support\MSDE directory.
Syntax
migratetomsde [/instancename:instancename | /dbname:dbname | /accessuser:user | /accesspwd:pwd | /revert] [/?]
Options
/instancename:instancename    Specify a named instance of MSDE other than the default value of CITRIX_METAFRAME.
/dbname:dbname    Specify a database other than the default value of MF20.
/accessuser:user /accesspwd:pwd    Specify the user and pwd values for your Access database if you changed them using the Dsmaint Config utility.
/revert    Reverts to the Access database originally used as the server farm's data store. Running this command restores backups that were made when the migration was initially done. Any changes made to the farm since the migration from Access to MSDE are lost.
/?    Displays the syntax for the utility and information about the utility's options.
QUERY
Use query to display information about server farms, processes, servers, sessions, terminal servers, and users within the network.
Query Farm
Syntax
query farm [server [/addr | /app | /app appname | /load]]
query farm [/tcp ] [ /ipx ] [ /netbios ] [ /continue ]
query farm [ /app | /app appname | /disc | /load | /process]
query farm [/online | /online zonename]
query farm [/offline | /offline zonename]
query farm [/zone | /zone zonename]
query farm [/?]
Parameters
appname    The name of a published application.
server    The name of a server within the farm.
zonename    The name of a zone within the farm.
Options
farm    Displays information about servers within an IMA-based server farm. You can use qfarm as a shortened form of query farm.
server /addr    Displays address data for the specified server.
/app    Displays application names and server load information for all servers within the farm or for a specific server.
/app appname    Displays information for the specified application and server load information for all servers within the farm or for a specific server.
/continue    Do not pause after each page of output.
/disc    Displays disconnected session data for the farm.
/ipx    Displays IPX data for the farm.
/load    Displays server load information for all servers within the farm or for a specific server.
/netbios    Displays NetBIOS data for the farm.
/process    Displays active processes for the farm.
/tcp    Displays TCP/IP data for the farm.
/online    Displays servers online within the farm and all zones. The data collectors are represented by the notation D.
/online zonename    Displays servers online within a specified zone. The data collectors are represented by the notation D.
/offline    Displays servers offline within the farm and all zones. The data collectors are represented by the notation D.
/offline zonename    Displays servers offline within a specified zone. The data collectors are represented by the notation D.
/zone    Displays all data collectors in all zones.
/zone zonename    Displays the data collector within a specified zone.
/?    Displays the syntax for the utility and information about the utility's options.
Remarks
Query farm returns information for IMA-based servers within a server farm.
Security Restrictions
Only MetaFrame administrators can run query farm.
Query Process
Syntax
query process [ * | processid | username | sessionname | /id:nn | programname ] [ /server:servername ] [ /system ]
query process [/?]
Parameters
*    Displays all visible processes.
processid    The three- or four-digit ID number of a process running within the farm.
programname    The name of a program within a farm.
servername    The name of a server within the farm.
sessionname    The name of a session, such as ica-tcp#7.
username    The name of a user connected to the farm.
Options
process    Displays information about processes running on the current server.
process *    Displays all visible processes on the current server.
process processid    Displays processes for the specified processid.
process username    Displays processes belonging to the specified user.
process sessionname    Displays processes running under the specified session name.
process /id:nn    Displays information about processes running on the current server by the specified ID number.
process programname    Displays process information associated with the specified program name.
process /server:servername    Displays information about processes running on the specified server. If no server is specified, the information returned is for the current server.
process /system    Displays information about system processes running on the current server.
/?    Displays the syntax for the utility and information about the utility's options.
Security Restrictions
None.
Query Server
Syntax
query server [ server [/ping [/count:n] [/size:n] | /stats | /reset | /load | /addr]]
query server [/tcp] [/ipx] [/netbios] [/tcpserver:x] [/ipxserver:x]
query server [/netbiosserver:x]
query server [/license | /app | /gateway | /serial | /disc | /serverfarm | /video]
query server [/continue] [/ignore] [/?]
Parameters
n    The number of times to ping a server (the default is five times) or the size of ping buffers (the default is 256 bytes).
server    The name of a server within the farm.
x    The default TCP, IPX, or NetBIOS server address.
Options
server server    Displays transport information for the specified server.
/addr    Displays address information for the specified server.
/app    Displays application names and server load for the specified server.
/continue    Do not pause after each page of output.
/count:n    Number of times to ping the specified server.
/disc    Displays disconnected session data on the current server.
/gateway    Displays configured gateway addresses for the current server.
/ignore    Ignore warning message about interoperability mode.
/ipx    Displays IPX data for the current server.
/ipxserver:x    Defines the IPX default server address.
/license    Displays user licenses for the current server.
/load    Displays local data on the specified server.
/netbios    Displays NetBIOS data for the current server.
/netbiosserver:x    Defines the NetBIOS default server address.
/ping    Pings selected server. The default is five times.
/reset    Resets the browser statistics on the specified server.
/serial    Displays license serial numbers for the current server.
/serverfarm    Displays server farm names and server load.
/size:n    Size of ping buffers. The default is 256 bytes.
/stats    Displays the browser statistics on the specified server.
/tcp    Displays the TCP/IP data for the current server.
/tcpserver:x    Defines the TCP/IP default server address.
/?    Displays the syntax for the utility and information about the utility's options.
Remarks
Query server displays data about only the servers present on a network within a server farm running in interoperability mode. It shows every server within the farm, even if the server is not currently connected to the farm. Query farm is the recommended command for displaying this information in a farm that is not running in interoperability mode.
Security Restrictions
None.
Query Session
Syntax
query session [sessionname | username | sessionid]
query session [/server:servername] [/mode] [/flow] [/connect] [/counter]
query session [/?]
Parameters
servername    The name of a server within the farm.
sessionname    The name of a session, such as ica-tcp#7.
sessionid    The two-digit ID number of a session.
username    The name of a user connected to the farm.
Options
session sessionname    Identifies the specified session.
session username    Identifies the session associated with the user name.
session sessionid    Identifies the session associated with the session ID number.
session /server:servername    Identifies the sessions on the specified server.
session /mode    Displays the current line settings.
session /flow    Displays the current flow control settings.
session /connect    Displays the current connection settings.
session /counter    Displays the current Terminal Services counter information.
/?    Displays the syntax for the utility and information about the utility's options.
Security Restrictions
None.
Query Termserver
Syntax
query termserver [servername] [/domain:domain] [/address] [/continue]
query termserver [/?]
Parameters
servername    The name of a server within the farm.
domain    The name of a domain to query.
Options
termserver servername    Identifies a Terminal Server.
/address    Displays network and node addresses.
/continue    Do not pause after each page of output.
/domain:domain    Displays information for the specified domain. Defaults to the current domain if no domain is specified.
/?    Displays the syntax for the utility and information about the utility's options.
Remarks
If no parameters are specified, query termserver lists all Terminal Servers within the current domain.
Security Restrictions
None.
Query User
Syntax
query user [ username | sessionname | sessionid ] [ /server:servername ]
query user [/?]
Parameters
servername    The name of a server within the farm.
sessionname    The name of a session, such as ica-tcp#7.
sessionid    The ID number of a session.
username    The name of a user connected to the farm.
Options
user username    Displays connection information for the specified user name.
user sessionname    Displays connection information for the specified session name.
user sessionid    Displays connection information for the specified session ID.
user /server:servername    Defines the server to be queried. The current server is queried by default.
/?    Displays the syntax for the utility and information about the utility's options.
Remarks
If no parameters are specified, query user displays all user sessions on the current server. You can use quser as a shortened form of the query user command.
Security Restrictions
None.
TWCONFIG
Use twconfig to configure ICA display settings that affect graphics performance for clients.
Syntax
twconfig [/query | /q]
twconfig [/inherit:on | off]
twconfig [/discard:on | off]
twconfig [/supercache:on | off]
twconfig [/maxmem:nnn]
twconfig [/degrade:res | color]
twconfig [/notify:on | off]
twconfig [/?]
Options
/query, /q    Query current settings.
/inherit:on | off    Set to on to use the ICA display properties defined for the farm. Set to off to use the settings specified for this server. By default, this is set to on.
/discard:on | off    Discard redundant graphics operations.
/supercache:on | off    Use alternate bitmap caching method.
/maxmem:nnn    Maximum memory (in kilobytes) to use for each session's graphics (150KB minimum, 8192KB maximum).
/degrade:res | color    When the maxmem limit is reached, degrade resolution first or degrade color depth first.
/notify:on | off    If on, users are alerted when maxmem limit is reached.
/?    Displays the syntax for the utility and information about the utility's options.
Remarks
A server can be set to inherit its ICA display settings from the server farm ICA display settings. Use /query to display the current inherit settings. If /inherit is on, the settings displayed with /query are the server farm settings. When /inherit is off, the settings shown are for the current server only.
Twconfig can be used only to change the settings on this server, for this server. To change the settings for another server or for the server farm, use the Presentation Server Console.
Within the maxmem limit, various combinations of session size and color depth are available. The session size and color depth values are determined using the following formula: height x width x depth ≤ maxmem, where the height and width are measured in pixels and depth is the color depth in bytes according to the following table:
Color depth            Bytes
True Color (24-bit)    3
High Color (16-bit)    2
256 Colors (8-bit)     1
16 Colors (4-bit)      .5
The following is a list of the maximum session sizes with a 4:3 aspect ratio for each color depth at the default maxmem value (height by width by color depth):
    1600 by 1200 by 24-bit color
    1920 by 1440 by 16-bit color
    2752 by 2064 by 256 colors
    3904 by 2928 by 16 colors
Security Restrictions
None.
APPENDIX B
Customizing Setup
This chapter includes information about customizing MetaFrame Presentation Server Setup. Use the information in this chapter to accomplish the following:
    Configure the properties in the MetaFrame Presentation Server Windows Installer installation package with the information needed to create your server farm
    Work with the four sample Windows Installer transform files included on the MetaFrame Presentation Server CD
    Create administrative installation packages on network share points so you can install MetaFrame Presentation Server from any location in your network
This chapter describes how to create an administrative installation on a network share point. In the examples in this chapter, the installation package is customized with transforms and placed on a network share point.
Important Be sure to read the chapters in this book "Planning for Deployment" on page 69 and "Deploying MetaFrame Presentation Server" on page 107 before you attempt the procedures in this chapter.
The basic procedure for effectively customizing the Windows Installer package is outlined below. Each of these steps is explained in more detail in this chapter. For more information about Windows Installer, including more details about the commands briefly described in this chapter, see the Windows online Help or the Microsoft Web site at http://www.microsoft.com.
To create customized administrative installation packages
1. Review the sample transform files included on the MetaFrame Presentation Server CD and gather the information you must enter to transform the installation package.
   Note If you are creating a MetaFrame Presentation Server farm with multiple servers, you must modify two transforms: one transform to run on the first server in the farm, and a second transform to run on the servers joining the newly created server farm.
2. Open the installation package in your preferred Windows Installer editing tool and apply a transform. Save the transform with a new name. Repeat this step for each of the transforms you need to modify. If you are modifying the installation package for two scenarios (creating a farm and joining a farm), you will have two modified transform packages when you are done.
3. Create the network share points for the installation packages. Create two shares: one for the package transformed to run on the server on which you are creating the server farm, and one for the package transformed to run on the servers joining the server farm.
4. Create the administrative installation packages on the network shares you created in Step 3.
Creating Transforms
You can manipulate the installation process by applying Windows Installer transforms (files with the .mst extension) to the installation database contained in a Windows Installer package. A transform makes changes to elements of the database. A transform file modifies the installation package when it is being installed and dynamically affects the installation behavior. Transforms that you create to customize a Windows Installer setup package remain cached on your system. These files are applied to the base Windows Installer package whenever the Installer needs to modify it. You can apply transforms only when you initially install Windows Installer packages; you cannot apply transforms to software that is already installed. When you create a transform to apply to the MetaFrame Presentation Server Windows Installer package, you set your desired values for properties in the package. When you then apply the transform to the installation package, the questions you would be asked during Setup are answered. Creating a transform allows you to install MetaFrame Presentation Server in unattended mode.
There are several commercially available tools you can use to create or edit transforms. Citrix provides four sample transforms on the MetaFrame Presentation Server CD, located in the Support\Install directory. The transforms include sample values for select properties, allowing you to determine which properties you can edit to achieve a certain configuration. For definitions and possible values of the properties in the sample transforms, see "Setup Property Names and Values" on page 397. The transforms in the following examples are used to create a server farm using Microsoft Access for the farm's data store and a server farm using Microsoft SQL Server as the farm's data store.
Important Do not apply the sample transforms to MetaFrame Presentation Server Setup without editing them to include your required values.
Some of the commercially available Windows Installer packaging tools allow you to edit existing transforms. Use the sample transforms as a guideline to achieve the desired configuration.
To create a customized transform using one of the sample transform files
1. Using your preferred tool for editing Windows Installer packages, open the MetaFrame Presentation Server Setup Windows Installer installation package, MPS.msi, located on the MetaFrame Presentation Server CD in the \MetaFrame Presentation Server directory.
2. Apply the transform that includes the properties and values you want to modify.
3. Enter new values for the properties you want to change.
4. Generate the transform file and save it with a new name.
To apply a transform
Type the following at a command prompt, where package is the name of the Windows Installer installation package and TransformList is the list of the transforms that you want to apply:
    msiexec /i package TRANSFORMS=TransformList
If you are applying multiple transforms, separate each transform with a semicolon.
For further information about the parameters and switches you can use with these options, go to the Microsoft Web site at http://www.microsoft.com and search on msiexec. The properties to set to achieve the results of each sample transform are listed in the following sections.
Create a New Server Farm Using a Locally Hosted Data Store (Microsoft Access or MSDE)
This sample transform shows possible values for creating a server farm that uses an MSDE database for the farm data store. The database is stored locally on the first server in the farm on which you installed MetaFrame Presentation Server. The name of the sample transform file on the MetaFrame Presentation Server CD is Localdb_access_create.mst.
Join an Existing Server Farm that Uses a Locally Hosted Data Store (Microsoft Access or MSDE)
In this sample transform, the existing server farm uses an MSDE database stored on one of the MetaFrame Presentation Servers. The name of the sample transform file on the MetaFrame Presentation Server CD is Join_Indirect.mst.
Create a New Server Farm Using a Data Store on a Separate Database Server (Microsoft SQL, Oracle, or IBM DB2)
This sample transform creates a farm that uses a Microsoft SQL Server, Oracle, or IBM DB2 database for the farm data store. The database is stored on a dedicated database server and is configured for direct access by the servers in the farm. The name of the sample transform file on the MetaFrame Presentation Server CD is thirdpartydb_create_direct.mst.
Join an Existing Server Farm that Uses a Data Store on a Separate Database Server (Microsoft SQL, Oracle, or IBM DB2)
In this sample transform, the existing server farm uses a SQL, Oracle, or IBM DB2 database stored on a dedicated database server. The new server joining the farm accesses the data store directly. The name of the sample transform file on the MetaFrame Presentation Server CD is thirdpartydb_join_direct.mst.
Follow the steps below to create an administrative installation on a network share point.
To create an administrative installation
1. Copy the MetaFrame Presentation Server CD image to a network location so that you can refer to it if necessary.
2. Create the appropriate transform files to create a new server farm and to join a server farm.
3. Run the msiexec /a command to create two network images from which MetaFrame Presentation Server can be installed:
       The image to use when creating a server farm
       The image to use when joining a server farm
   The following is an example of the command line to use to accomplish this:
       msiexec /a <full path to the base mps.msi package> /L*v <full path to a log file> /qb TARGETDIR=<full path to the network location> TRANSFORMS=<semi-colon delimited list of the appropriate transform file(s) created from Step 2 (example: sql_join.mst)>
4. Run MetaFrame Presentation Server Setup from the network share points you created. Start with the share point that contains the image used to create the first server in the farm. The following is an example of a command line to accomplish this:
       msiexec /i <full path to my new share point mps.msi> /L <full path to a log file location> /qb-
CTX_MF_USER_NAME
    Definition: User name for the initial MetaFrame administrator credentials; applies only when creating a farm.
    Possible values: User defined
    Default value: UserName
CTX_MF_DOMAIN_NAME
    Definition: Domain name for the farm administrator credentials; applies only when creating a farm.
    Possible values: User defined
    Default value: DomainName
CTX_MF_CREATE_FARM_DB_CHOICE
    Definition: When creating a new server farm, specify whether the database is a local database (Access or MSDE) stored on the first server in the new farm, or a third-party database stored on a separate database server (SQL, Oracle, or IBM DB2).
    Possible values: ThirdParty or Local
    Default value: Local
CTX_MF_LOCAL_DATABASE
    Definition: Type of locally stored database that stores the farm data store.
    Possible values: Access or SQL (SQL for MSDE)
    Default value: Access
CTX_MF_MSDE_INSTANCE_NAME
    Definition: If you are using MSDE for a local database, you can specify an installed instance of MSDE instead of using the default. If you specify an instance of MSDE other than the default (for example, if you install MSDE using a command prompt and specify custom options), you must enter the name of the custom instance you install.
    Possible values: User defined.
    Default value: CITRIX_METAFRAME
CTX_MF_ODBC_PASSWORD
    Definition: Password for a third-party database that stores the farm data store.
    Possible values: User defined
    Default value: Password
CTX_MF_ODBC_USER_NAME
    Definition: User name for a third-party database that stores the farm data store.
    Possible values: User defined.
    Default value: UserName
CTX_MF_SILENT_DSNFILE
    Definition: Path to the DSN file to be used for the data store - use for silent installation.
    Possible values: Complete path to the DSN file
    Default value: (null)
CTX_MF_JOIN_FARM_DB_CHOICE
    Definition: Use when joining this server to an existing server farm.
    Possible values: Direct, Indirect
        Set this property's value to indirect if you are using a Microsoft Access or MSDE database, stored locally on the first server in the farm on which you installed MetaFrame Presentation Server, for the data store.
        Set this property's value to direct if you are using a Microsoft SQL, Oracle, or IBM DB2 database, stored on a separate dedicated database server, for the data store.
    Default value: Direct
CTX_MF_INDIRECT_JOIN_DOMAIN_NAME
    Definition: Domain name of a user account that has full administrative rights in MetaFrame Presentation Server. Define if you are joining a farm that uses a Microsoft Access or MSDE database, stored locally on the first server in the farm, for the data store (indirect access).
    Possible values: Can be any user's domain (the user account must have full administrative rights in MetaFrame Presentation Server).
    Default value: DomainName
CTX_MF_INDIRECT_JOIN_USER_NAME
    Definition: User name of a user account that has full administrative rights in MetaFrame Presentation Server. Define if you are joining a farm that uses a Microsoft Access or MSDE database, stored locally on the first server in the farm, for the data store (indirect access).
    Possible values: Can be any user who has full administrative privileges in MetaFrame Presentation Server.
    Default value: Administrator
CTX_MF_INDIRECT_JOIN_PASSWORD
    Definition: The password for a user account that has full administrative rights in MetaFrame Presentation Server. Define if you are joining a farm that uses a Microsoft Access or MSDE database, stored locally on the first server in the farm, for the data store (indirect access).
    Possible values: The password for the user name entered in CTX_MF_INDIRECT_JOIN_USER_NAME.
    Default value: (null)
CTX_MF_JOIN_FARM_SERVER_NAME
    Definition: Name of a server in the server farm you want to join.
    Possible values: Name of a server hosting the Access or MSDE data store.
    Default value: ServerName
CTX_MF_JOIN_FARM_SERVER_PORT
    Definition: Port number for the IMA communication port used to communicate with the locally stored server farm data store (for example, if you are using a Microsoft Access or MSDE database, stored locally on the first server in the farm on which you installed MetaFrame Presentation Server, for the data store).
    Possible values: User defined
    Default value: 2512
CTX_MF_ZONE_NAME
    Definition: Name of the zone to which the server belongs.
    Possible values: Not applicable
    Default value: None. The default value for the zone name is generated programmatically, based on the subnet address of the server.
CTX_MF_ADD_ANON_USERS
    Definition: Determines whether anonymous users added to the Users group are included in the Remote Desktop Users group on Windows Server 2003. This property is ignored during upgrades. If set to Yes and if CTX_MF_CREATE_REMOTE_DESKTOP_USERS is set to CopyUsers or DoNothing during a clean install, the anonymous users are added to the Remote Desktop Users group. If CTX_MF_CREATE_REMOTE_DESKTOP_USERS is set to AddEveryone, this property is ignored because the Remote Desktop Users group is configured so that every user in the Users group is also a Remote Desktop user. Set this property to No during a clean install to prohibit anonymous connections to MetaFrame Presentation Server running on Windows Server 2003.
    Possible values: Yes, No
    Default value: Yes
    Note CTX_MF_CREATE_REMOTE_DESKTOP_USERS takes precedence over CTX_MF_ADD_ANON_USERS. If CTX_MF_CREATE_REMOTE_DESKTOP_USERS is set to AddEveryone and CTX_MF_ADD_ANON_USERS is set to No, anonymous connections to MetaFrame Presentation Server are enabled on this server.
CTX_MF_CREATE_REMOTE_DESKTOP_USERS
    Definition: Determines whether or not to add users to the Remote Desktop Users group on a Windows Server 2003 system. Users must be members of the Remote Desktop Users group to log on remotely to a Windows Server 2003 system. Setting this property has no effect if the server is running Windows 2000 or if the Remote Desktop Users group already has members.
    Possible values:
        AddEveryone    Adds the Authenticated Users group to the Remote Desktop Users group. This option allows all current and future authenticated users to log on remotely to the server.
        CopyUsers    Copies all current users from the Users group to the Remote Desktop Users group. Any user accounts you add must be added to the Remote Desktop Users group manually.
        DoNothing    Does not add any users to the Remote Desktop Users group. Choosing this option means that no users will be allowed to log on remotely to the server until you add users to the Remote Desktop Users group in Windows Server 2003.
    Default value: CopyUsers
CTX_MF_SHADOWING_CHOICE
    Definition: Turns ICA session shadowing on or off.
    Important If you turn session shadowing off when you install MetaFrame Presentation Server, you cannot enable shadowing at a later time through user policies or connection configuration.
    Possible values: Yes - turn it on or No - turn it off
    Default value: Yes
CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA
    Definition: Prohibits or allows remote control of mouse and keyboard in ICA sessions.
    Possible values: Yes - Prohibit or No - Allow
    Default value: No
CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION
    Definition: Prohibits or allows shadowing connections without user notification.
    Possible values: Yes - Prohibit or No - Allow
    Default value: No
CTX_MF_SHADOW_PROHIBIT_NO_LOGGING
    Definition: Prohibits or allows shadow connections without logging.
    Possible values: Yes - Prohibit or No - Allow
    Default value: No
CTX_MF_XML_CHOICE
    Definition: Determines whether Microsoft Internet Information Services (IIS) and the Citrix XML Service share the same port on this server or use separate ports. If you do not want IIS and the XML Service to share the same port, you must set the XML Service port number in CTX_MF_XML_PORT_NUMBER.
    Possible values: Share - share with IIS or Separate - use separate port, set in CTX_MF_XML_PORT_NUMBER.
    Default value: Share
CTX_MF_XML_PORT_NUMBER
    Definition: Port number you want the Citrix XML Service to use when you do not want the XML Service and IIS to share ports.
    Possible values: User defined
    Default value: 80
CTX_MF_LAUNCH_CLIENT_CD_WIZARD
    Definition: Specifies whether or not to launch the ICA Client Distribution wizard (to update the clients images on the server).
    Possible values: Yes - Launch wizard or No - Do not launch wizard; that is, do not update client images.
    Default value: No
CTX_MF_CLIENT_CD_PATH
    Definition: Path to the MetaFrame Presentation Server Components CD; to be passed to the ICA Client Distribution wizard.
    Possible values: Complete path to the Components CD.
    Default value: (null)
CTX_MF_SERVER_TYPE
Definition: The edition of MetaFrame Presentation Server to be installed. If you are performing a silent installation and using a command line, the command line arguments for this property must be set to the correct value.
Possible values: E for Enterprise Edition, A for Advanced Edition, or S for Standard Edition.
Default value: E

CTX_MF_ENABLE_VIRTUAL_SCRIPTS
Definition: Directs MetaFrame Presentation Server Setup to create the virtual scripts directory. If the value is set to Yes or 1, Setup does not display the dialog box asking for permission to create the virtual scripts directory, even if you are running Setup in full UI mode. If you are running a silent installation where this property is not set to Yes or 1 and the XML port on the server is shared with IIS (if you are installing the Web Interface, for example), Setup aborts and the following error message is added to the installation log file:
ERROR: SetIISScriptsDir - Could not get the scripts path because the Virtual Scripts directory in not enabled in IIS or the property CTX_MF_ENABLE_VIRTUAL_SCRIPTS is not set to Yes.
If the property is defined, the silent installation continues with no error.
Possible values:
Yes or 1 - Create the virtual scripts directory if it does not already exist.
Not defined, 0 or No - Do not create the virtual scripts directory if it does not already exist. You are prompted during Setup to create the virtual scripts directory.
Default value: Not defined

CTX_MF_ADD_LOCAL_ADMIN
Definition: If enabled, creates MetaFrame administrator accounts for all user accounts in the local Administrators group.
Possible values: Yes, No
Default value: No
CTX_ADDLOCAL
Definition: This property is similar to the Windows Installer ADDLOCAL property.
Possible values: Blank (default), All, CTX_MF_MetaFrame_Core, CTX_MF_IM, CTX_MF_IM_Packager, CTX_MF_IM_Service, CTX_MF_LM, CTX_MF_NM, CTX_MF_RM, PN_ENGINE, PN, PN_AGENT, WMI, MetaFrame_XP, CTX_MF_CMC, CTX_MF_ICA_Shell_Editor, CTX_MF_IMA_Core, CTX_MF_IM_Plugin, CTX_MF_RM_Plugin, CTX_SMA, CTX_MF_CTXCPU, CTX_MF_CTXSFO, CTX_MF_ASCII. Separate entries by commas.
Valid configurations are:
All
  Install every feature (XPE configuration).
MetaFrame_XP,CTX_MF_MetaFrame_Core,CTX_MF_IMA_Core,CTX_MF_ICA_Shell_Editor,CTX_SMA,CTX_MF_CTXCPU,CTX_MF_CTXSFO
  Core MetaFrame, required for any configuration (referred to below as @Core).
PN, PN_ENGINE
  Install the full Program Neighborhood client as the Pass-Through Client (referred to below as @PN).
PN_AGENT, PN_ENGINE
  Install the Program Neighborhood Agent as the Pass-Through Client.
CTX_MF_CMC,CTX_MF_IM_Plugin,CTX_MF_RM_Plugin
  Install the Presentation Server Console (referred to below as @CMC).
CTX_MF_IM_Service
  Install the Installation Manager installer service.
CTX_MF_IM_Packager
  Install the Installation Manager Packager.
CTX_MF_IM,CTX_MF_IM_Service,CTX_MF_IM_Packager
  Install all Installation Manager components (referred to below as @IM).
CTX_MF_RM
  Install Resource Manager.
@Core,CTX_MF_LM,WMI,@CMC,PN,@IM,CTX_MF_RM,CTX_MF_ASCII
  Install all default MetaFrame Presentation Server Enterprise Edition components.
@Core,CTX_MF_LM,@CMC,PN
  Install all default MetaFrame Presentation Server Advanced Edition components.
@Core,@CMC,PN
  Install all default MetaFrame Presentation Server Standard Edition components.
Default value: Blank
CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD
Definition: Setting this property to Yes changes the security setting on the server so that passwords from users of Microsoft Remote Desktop Web Connection software are not required. Users must still enter credentials when logging on to the Web Interface, but can launch applications without further prompts for credentials by the server.
Possible values: Yes, No
Default value: No

CTX_MF_LIC_CHOICE_FOR_CREATE
Definition: Configures the server to point to an existing license server. If set to Point, ensure that CTX_MF_LICENSE_SERVER_NAME points to a valid license server. If you install the license server after installing MetaFrame Presentation Server, set CTX_MF_LIC_CHOICE_FOR_CREATE to DontKnow.
Possible values: Point, DontKnow
Default value: Point
Note: You can also use the Presentation Server Console to configure the server to point to the license server.

CTX_MF_LICENSE_SERVER_NAME
Definition: Defines the license server to which the server points. Only applies:
  When performing a new installation while joining an existing server farm or performing an upgrade and CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE is set to Point
  When performing a new installation while creating a new server farm and CTX_MF_LIC_CHOICE_FOR_CREATE is set to Point
Possible values: User defined
Default value: localhost

CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE
Definition: Configures the server to point to an existing license server. If set to Point, ensure that CTX_MF_LICENSE_SERVER_NAME points to a valid license server. If set to UseFarmSettings, ensure that the existing server farm is configured to use a license server. If you install the license server after installing MetaFrame Presentation Server, set CTX_MF_LIC_CHOICE_FOR_JOIN_OR_UPGRADE to DontKnow.
Note: You can also use the Presentation Server Console to configure the server to point to the license server.
Possible values: Point, UseFarmSettings, DontKnow
Default value: UseFarmSettings

CTX_MF_LICENSE_SERVER_PORT
Definition: If the value of CTX_MF_LICENSE_SERVER_PORT_DEFAULT is set to (null), CTX_MF_LICENSE_SERVER_PORT specifies the number of the port to use when communicating with the license server.
Possible values: an integer representing the number of the port through which the license server has been configured to listen for requests
Default value: 27000

CTX_MF_LICENSE_SERVER_PORT_DEFAULT
Definition: When set to (null), specifies to use the value of CTX_MF_LICENSE_SERVER_PORT as the number of the port to use when communicating with the license server.
Possible value: (null)
Default value: 1

CTX_IGNORE_MCM
Definition: MetaFrame Presentation Server is not compatible with MetaFrame Conferencing Manager 2.0. If you upgrade to MetaFrame Presentation Server before upgrading to MetaFrame Conferencing Manager 3.0 or 4.0, MetaFrame Conferencing Manager fails on this server. Therefore, Citrix recommends that you upgrade to MetaFrame Conferencing Manager 4.0 before upgrading to MetaFrame Presentation Server. MetaFrame Conferencing Manager 4.0 is available from the MetaFrame Presentation Server components installation CD. If the installer detects MetaFrame Conferencing Manager 2.0 on the server, an error message appears. For the installer to ignore the error message and continue the installation, set this property to Yes.
Possible values: Yes, No
Default value: No
CTX_REMOVE_WI_TURNKEY
Definition: When upgrading from earlier versions of MetaFrame that include the Web Interface, you must upgrade the Web Interface before upgrading to MetaFrame Presentation Server. Otherwise, the Web Interface may be removed from the server as a result of the upgrade. Set this property to Yes if you do not object to the removal of the Web Interface from the server.
Possible values: Yes, No
Default value: No

CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS
Definition: MetaFrame Presentation Server features a security enhancement that prohibits non-administrative users from launching desktop sessions (but not published applications). If set to Yes, the security enhancement is enabled.
Possible values: Null, Yes, No
Default value: Null
Note: If set to a value other than Yes or No, the security enhancement is enabled when performing a clean install but disabled when performing an upgrade.

INSTALLDIR
Definition: The target location for the installation.
Possible values: User defined.
Default value: %Program Files%\Citrix

REBOOT
Definition: Standard Windows Installer property that controls whether you restart a server or prompt for the server to be restarted.
Possible values:
Force - Forces restart to occur; no further prompts are displayed.
Suppress - Forces restart to not occur by default; a prompt occurs if action is necessary.
ReallySuppress - Force restart to not occur; no prompts appear.
Default value: Force
REINSTALLMODE
Definition: Specifies the type of reinstall to perform. Options are case-insensitive and order-independent.
Possible values:
p - install missing files
o - replace older versioned or missing files
c - replace corrupt files (checksum validation)
e - replace same versioned or missing files
d - replace files of differing versions
a - replace all files regardless of version
u - replace user registry settings
m - replace machine registry settings
s - replace shortcuts
v - replace the cached .msi package with the package being installed from
Default value: oums
Important: Citrix recommends that you do not modify this property.
CLIENT_INSTALLDIR
Definition: The target location for the Pass-Through Client installation.
Possible values: User defined
Default value: %Program Files%\Citrix\ICA Client

ENABLE_DYNAMIC_CLIENT_NAME
Definition: When using the Pass-Through Client, turn on or off the capability to use the computer name as the client device name and recognize changes to the client name.
Possible values: Yes, No
Default value: Yes

PROGRAM_FOLDER_NAME
Definition: Start Menu Program Folder Name, where Start Menu Program Folder Name is the name of the Programs folder on the Start menu containing the shortcut to the Program Neighborhood or Program Neighborhood Agent software.
Possible values: User defined
Default value: Citrix\MetaFrame Access Clients

SERVER_LOCATION
Definition: The URL of the server running the Web Interface. This server hosts the configuration file for the Program Neighborhood Agent. You must enter the server address if you want to use the Program Neighborhood Agent as the Pass-Through Client. The server address can use HTTP or HTTPS.
Possible values: User defined
Default value: localhost

DEFAULT_NDSCONTEXT
Definition: Include this parameter if you want to set a default context for NDS. If you are including more than one context, place the entire value in quotation marks, and separate the contexts by a comma. Examples of correct parameters:
DEFAULT_NDSCONTEXT=Context1
DEFAULT_NDSCONTEXT="Context1,Context2"
ENABLE_SSON
Definition: Set to Yes to enable Single Sign-On (Pass-Through Authentication) for the Pass-Through Client. Set to No to disable Single Sign-On for the Pass-Through Client.
Possible values: Yes, No
Default value: Yes
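Several of the properties defined in this appendix (Remote Desktop Users membership, the three CTX_MF_SHADOW_PROHIBIT_* switches, CTX_MF_ADD_LOCAL_ADMIN, CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD and CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS) take effect through their defaults when a silent-install command line omits them. The following script is an added example, not part of the Citrix guide: it resolves the value Setup will act on for each of these properties and reports the documented consequence. The package name, the sample command line, exact-case value matching and the choice of which settings to report are assumptions of the example.

```python
import re

# Documented values and defaults, transcribed from the property reference above.
# A default of None stands for "Null" (property not defined).
DOCUMENTED = {
    "CTX_MF_CREATE_REMOTE_DESKTOP_USERS":
        (("AddEveryone", "CopyUsers", "DoNothing"), "CopyUsers"),
    "CTX_MF_SHADOWING_CHOICE": (("Yes", "No"), "Yes"),
    "CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA": (("Yes", "No"), "No"),
    "CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION": (("Yes", "No"), "No"),
    "CTX_MF_SHADOW_PROHIBIT_NO_LOGGING": (("Yes", "No"), "No"),
    "CTX_MF_ADD_LOCAL_ADMIN": (("Yes", "No"), "No"),
    "CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD": (("Yes", "No"), "No"),
    "CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS": (("Yes", "No"), None),
}

# Consequences worded from the definitions above. Which settings are reported
# is this example's review policy (an assumption), not Citrix guidance.
VALUE_RULES = (
    ("CTX_MF_CREATE_REMOTE_DESKTOP_USERS", "AddEveryone",
     "all current and future authenticated users can log on remotely"),
    ("CTX_MF_ADD_LOCAL_ADMIN", "Yes",
     "every account in the local Administrators group becomes a MetaFrame administrator"),
    ("CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD", "Yes",
     "passwords from Remote Desktop Web Connection users are not required"),
    ("CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS", "No",
     "non-administrative users are not prohibited from launching desktop sessions"),
)
SHADOW_RULES = (
    ("CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA",
     "remote control of mouse and keyboard in ICA sessions is allowed"),
    ("CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION",
     "shadowing connections without user notification are allowed"),
    ("CTX_MF_SHADOW_PROHIBIT_NO_LOGGING",
     "shadow connections without logging are allowed"),
)

# PROPERTY=value or PROPERTY="value with spaces"; switches such as /qn are skipped.
_PROP = re.compile(r'(?<!\S)([A-Z][A-Z0-9_]*)=(?:"([^"]*)"|(\S*))')


def parse_properties(cmdline):
    """Return {PROPERTY: value} for every PROPERTY=value token on the command line."""
    props = {}
    for m in _PROP.finditer(cmdline):
        props[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return props


def effective_settings(props, upgrade=False):
    """Resolve each audited property to (value, "explicit" or "default").

    Also returns a list of values that are not among the documented ones.
    """
    settings, problems = {}, []
    for name, (allowed, default) in DOCUMENTED.items():
        raw = props.get(name)
        if name == "CTX_MF_ONLY_LAUNCH_PUBLISHED_APPS" and raw not in allowed:
            # Any value other than Yes/No: enabled on clean install, disabled on upgrade.
            settings[name] = ("No" if upgrade else "Yes", "default")
        elif raw is None:
            settings[name] = (default, "default")
        elif raw in allowed:
            settings[name] = (raw, "explicit")
        else:
            problems.append(f"{name}={raw!r} is not one of {allowed}")
    return settings, problems


def audit(cmdline, upgrade=False):
    """Return (findings, problems); a finding is (property, value, origin, consequence)."""
    settings, problems = effective_settings(parse_properties(cmdline), upgrade)
    findings = []

    def check(name, reported_value, consequence):
        value, origin = settings.get(name, (None, None))
        if value == reported_value:
            findings.append((name, value, origin, consequence))

    for name, reported_value, consequence in VALUE_RULES:
        check(name, reported_value, consequence)
    # Assumption: the prohibit switches only matter while shadowing itself is on.
    if settings.get("CTX_MF_SHADOWING_CHOICE", (None,))[0] == "Yes":
        for name, consequence in SHADOW_RULES:
            check(name, "No", consequence)
    return findings, problems


# Constructed silent-install command line; package.msi is a placeholder name.
SAMPLE = (r'msiexec /i package.msi /qn CTX_MF_SERVER_TYPE=E '
          r'CTX_MF_CREATE_REMOTE_DESKTOP_USERS=AddEveryone '
          r'CTX_MF_SHADOW_PROHIBIT_NO_LOGGING=Yes '
          r'INSTALLDIR="C:\Program Files\Citrix"')

if __name__ == "__main__":
    found, invalid = audit(SAMPLE)
    for name, value, origin, consequence in found:
        print(f"{name}={value} ({origin}): {consequence}")
    for problem in invalid:
        print("invalid:", problem)
```

Run against the sample, the two shadowing findings carry the origin "default": they come from properties the command line never mentions.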
APPENDIX C
Performance Counters
Performance monitoring counters that are directly related to the performance of ICA sessions and networking and security are installed with MetaFrame Presentation Server. You can access these counters from the Performance Monitor, which ships with the Windows operating system. Citrix recommends that you use performance monitoring to get accurate accounts of system performance and the effects of configuration changes on system throughput. You can add and then view the following three categories of MetaFrame Presentation Server counters, called performance objects in Performance Monitor:
Citrix IMA Networking
Citrix MetaFrame Presentation Server
ICA Session
You must choose one of the above performance objects in the Add Counters dialog box of Performance Monitor to select individual counters for monitoring. For more information about adding counters to Performance Monitor, see Monitoring Performance of Sessions and Servers on page 308.
Counter: Description
DynamicStore Gateway Update Count: The number of dynamic store update packets sent to remote data collectors.
DynamicStore Gateway Update, Bytes Sent: The number of bytes of data sent across gateways to remote data collectors.
DynamicStore Query Count: The number of dynamic store queries that were performed.
DynamicStore Query Request, Bytes Received: The number of bytes of data received in dynamic store query request packets.
DynamicStore Query Response, Bytes Sent: The number of bytes of data sent in response to dynamic store queries.
DynamicStore reads/sec: The number of times data was read from the dynamic store per second.
DynamicStore Update Bytes Received: The number of bytes of data received in dynamic store update packets.
DynamicStore Update Packets Received: The number of update packets received by the dynamic store.
DynamicStore Update Response Bytes Sent: The number of bytes of data sent in response to dynamic store update packets.
DynamicStore Writes/sec: The number of times data was written to the dynamic store per second.
Filtered Application Enumerations/sec: The number of filtered application enumerations per second.
Last Recorded License CheckIn Response Time (ms): The last recorded license check-in response time in milliseconds.
Last Recorded License CheckOut Response Time (ms): The last recorded license check-out response time in milliseconds.
License Server Connection Failure: The number of minutes that the server has been disconnected from the license server.
LocalHostCache bytes read/sec: The number of bytes of IMA local host cache data read per second.
LocalHostCache bytes written/sec: The number of bytes of IMA local host cache data written per second.
LocalHostCache reads/sec: The number of times data was read from the IMA local host cache per second.
LocalHostCache writes/sec: The number of times data was written to the IMA local host cache per second.
Maximum License Check-In Response Time (ms): The maximum license check-in response time in milliseconds.
Counter: Description
Maximum License Check-Out Response Time (ms): The maximum license check-out response time in milliseconds.
WorkItem Queue Executing Count: The number of work items that are currently being executed.
WorkItem Queue Pending Count: The number of work items that are not yet ready to be executed.
WorkItem Queue Ready Count: The number of work items that are ready to be executed.
Zone Elections: The number of zone elections that occurred. This value starts at zero each time the IMA service starts and is incremented each time a zone election takes place.
The number of times the server won a zone election.
Input COM Bandwidth
Input Control Channel Bandwidth
Input Drive Bandwidth
Counter: Description
The bandwidth, measured in bps, used when updating clients through the auto client update feature.
The bandwidth, measured in bps, used by Program Neighborhood to obtain application set details.
The bandwidth, measured in bps, used when printing to a client printer through a client that has print spooler support enabled.
Input Seamless Bandwidth: The bandwidth, measured in bps, used for published applications that are not embedded in a session window.
Input Session Bandwidth: The bandwidth, measured in bps, used from client to server for a session.
Input Session Compression: The compression ratio used from client to server for a session.
Input Session Line Speed: The line speed, measured in bps, used from client to server for a session.
Input SpeedScreen Data Channel Bandwidth: The bandwidth, measured in bps, used from client to server for data channel traffic.
Input Text Echo Bandwidth: The bandwidth, measured in bps, used for text echoing.
Input ThinWire Bandwidth: The bandwidth, measured in bps, used from client to server for ThinWire traffic.
Latency - Last Recorded*: The last recorded latency measurement for the session.
Latency - Session Average*: The average client latency over the lifetime of a session.
Latency - Session Deviation*: The difference between the minimum and maximum measured latency values for a session.
Output Audio Bandwidth: The bandwidth, measured in bps, used for playing sound in an ICA session.
Output Clipboard Bandwidth: The bandwidth, measured in bps, used for clipboard operations such as cut-and-paste between the ICA session and the local window.
The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client COM 1 port.
The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client COM 2 port.
The bandwidth, measured in bps, used when receiving data from the client COM port.
Counter: Description
The bandwidth, measured in bps, used when executing LongCommandLine parameters of a published application.
The bandwidth, measured in bps, used when performing file operations between the client and server drives during an ICA session.
The bandwidth, measured in bps, used when initiating font changes within a SpeedScreen-enabled ICA session.
The bandwidth, measured in bps, used to negotiate licensing during the session establishment phase. There is normally no data for this counter because this negotiation takes place before logon.
The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client LPT 1 port.
The bandwidth, measured in bps, used when routing a print job through an ICA session that does not support a spooler to a client printer attached to the client LPT 2 port.
The bandwidth, measured in bps, used when updating clients through the auto client update feature.
The bandwidth, measured in bps, used by Program Neighborhood to obtain application set details.
The bandwidth, measured in bps, used when printing to a client printer through a client that has print spooler support enabled.
Output Seamless Bandwidth: The bandwidth, measured in bps, used for published applications that are not embedded in a session window.
Output Session Bandwidth: The bandwidth, measured in bps, used from server to client for a session.
Output Session Compression: The compression ratio used from server to client for a session.
Output Session Line Speed: The line speed, measured in bps, used from server to client for a session.
Output SpeedScreen Data Channel Bandwidth: The bandwidth, measured in bps, used from server to client for data channel traffic.
Output Text Echo Bandwidth: The bandwidth, measured in bps, used for text echoing.
Output ThinWire Bandwidth: The bandwidth, measured in bps, used from server to client for ThinWire traffic.
APPENDIX D
Glossary
account authority
The platform-specific source of information about user accounts used by a server running MetaFrame Presentation Server; for example, a Windows NT domain, Active Directory domain, or Novell Directory Services (NDS).

anonymous application
An application published exclusively for the use of anonymous users.

anonymous session
A client session started by an anonymous user.

anonymous user
An unidentified user granted minimal access to a server or farm and its published applications.

anonymous user account
A user account defined on a server running MetaFrame Presentation Server for access by anonymous users.

application name
A text string used to uniquely identify a published application within a farm. The application name is used by the farm and clients to recognize individual applications that may have the same display name. The text string is automatically generated based on the display name entered when the application is published.

application set
A user's view of the applications published on a server farm that the user is authorized to access.

automatic client reconnect
The feature that prompts supported MetaFrame Presentation Server Clients to automatically reconnect to a session when dropped connections are detected (when network issues outside of MetaFrame Presentation Server occur).

automatic client update
The server feature that enables you to install the latest versions of MetaFrame Presentation Server Clients on your servers and then schedule the download and installation of that software to your users' client devices.

certificate store
The location on the server running the Citrix SSL Relay that contains the server certificate. The certificate for the SSL Relay should be in Local computer/Personal so that you can manage it with the Certificate snap-in for Microsoft Management Console.
ciphersuite
An encryption/decryption algorithm. When establishing an SSL connection, the client and server determine a common set of supported ciphersuites and then use the most secure one to encrypt the communications. Ciphersuites have different advantages in terms of speed, encryption strength, exportability, and so on.

Citrix SSL Relay
A Windows service that runs on a server to support an SSL-secured connection between a server running the Web Interface for MetaFrame Presentation Server and a server running MetaFrame Presentation Server. See also Secure Sockets Layer (SSL)/Transport Layer Security (TLS) on page 427 and ICA Encryption on page 424.

Citrix XML Service
A Windows service that provides an HTTP interface to the ICA browser. It uses TCP packets instead of UDP, which allows connections to work across most firewalls. The default port for the Citrix XML Service is 80.

client COM port mapping
The feature that enables applications running on a server to access peripherals attached to COM ports on the client device.

client device
Any hardware device capable of running the MetaFrame Presentation Server Client software.

client device mapping
The feature that enables published applications running on the server to access storage and peripherals attached to the local client device. Client device mapping consists of several distinct features: client drive mapping, client printer mapping, and client COM port mapping.

client drive mapping
The feature that enables applications running on the server to access physical and logical drives configured on the client device.

client printer mapping
The feature that enables applications running on the server to send output to printers configured on the client device.

client update database
The database that servers use to automatically update MetaFrame Presentation Server Clients. It contains copies of the client software and configuration information about how to perform the updates.
connection control
The feature that allows you to set a limit on the number of connections that each user can have simultaneously in the farm. You can also limit the number of concurrent connections to specified published applications, and you can prevent users from launching more than one instance of the same published application.

content publishing
This feature allows you to publish document files, media files, Web URLs, and any other type of file from any network location. Icons for published content appear in Program Neighborhood, on the desktop, and on the user's logon page for the Web Interface. Users can double-click published content icons to access content in the same way they access published applications.

content redirection
This feature allows you to specify whether clients open published content, applications, browsers, and media players locally or remotely. There are two types of content redirection: from server to client and from client to server.
CPU prioritization
The feature that allows you to assign each published application in the server farm a priority level for CPU access. This feature can be used to ensure that CPU-intensive applications in the server farm do not degrade the performance of other applications.

custom ICA connection
A user-created shortcut to a published application or computer running MetaFrame Presentation Server.

data store
An ODBC-compliant database that stores persistent data for a farm. Examples of persistent data include configuration information about published applications, users, printers, and servers. Each server farm has a single data store. See also local host cache, zone data collector.

delegated administration
The feature that allows you to delegate areas of MetaFrame Presentation Server administration and farm management. Administrators can assign certain staff members to perform specific tasks such as managing printers, published applications, or user policies. Specialized staff members can carry out their assigned tasks without being granted full access to all areas of server farm management.

disconnected session
A client session in which the client is no longer connected to the server but the user's applications are still running. A user can reconnect to a disconnected session. If the user does not do so within a specified time-out period, the server automatically terminates the session.

display name
A name you specify when you publish an application. The display name appears in the newer Program Neighborhood Client and in Application folders in the Presentation Server Console. You can also choose to use the display name in the Web Interface.

dynamic store
A data store that contains frequently updated configuration data such as application load information. A server farm replicates dynamic store information across multiple servers.
file type association
You configure content redirection from client to server by associating published applications with file types and then assigning them to the users you want to be affected.

full duplex audio
The ability of sound to travel in both directions at the same time. A telephone, for example, works in full duplex mode, allowing both parties to speak and be heard at the same time, whereas a walkie-talkie works in half duplex mode, allowing only one party to speak and be heard at a time.

ICA
Independent Computing Architecture. The architecture that MetaFrame Presentation Server uses to separate an application's logic from its user interface. With ICA, only the keystrokes, mouse clicks, and screen updates pass between the client and server on the network, while 100% of the application's logic executes on the server.

ICA asynchronous connections
Asynchronous connection types allow direct dial-in to a computer running MetaFrame Presentation Server without the overhead of RAS and TCP/IP.

ICA browser
See master ICA browser or master browser.
ICA Client Creator
The server utility you use to create disks from which you can install MetaFrame Presentation Server Clients and the ICA File Editor on a wide range of client devices.

ICA Client Printer Configuration
The utility you use to create and connect to client printers for the Clients for DOS and Windows CE. You must run this utility in an ICA session from the client whose printer you want to configure.

ICA Client Update Configuration
The utility you use to configure the client update database.

ICA connection
1. The logical port used by a client to connect to, and start a session on, a computer running MetaFrame Presentation Server. An ICA connection is associated with a network connection (such as TCP/IP, IPX, SPX, or NetBIOS) or a serial connection (modems or direct cables).
2. The active link established between a client and a computer running MetaFrame Presentation Server.

ICA Encryption
This feature enables use of the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols to secure communication between the clients that support SSL and computers running MetaFrame Presentation Server. SSL provides server authentication, encryption of the data stream, and message integrity checks. After configuring the Citrix SSL Relay, you can specify the use of SSL when you publish applications. See also Citrix SSL Relay.

ICA file
A text file (with the extension ica) containing information about a published application. ICA files are written in Windows ini file format and organize published application information in a standard way that MetaFrame Presentation Server Clients can interpret. When a client receives an ICA file, it initializes a session running the application on the server specified in the file.

ICA protocol
The protocol that MetaFrame Presentation Server Clients use to format user input (keystrokes, mouse clicks, and so forth) and address it to servers for processing. Servers use the ICA protocol to format application output (display, audio, and so forth) and return it to the client device.

ICA session
A lasting connection between a client and a computer running MetaFrame Presentation Server, identified by a specific user ID and ICA connection. It consists of the status of the connection, the server resources allocated to the user for the duration of the session, and any applications executing during the session. An ICA session normally terminates when the user logs off from the server.

Independent Management Architecture (IMA)
Citrix's server-to-server infrastructure that provides robust, secure, and scalable tools for managing any size server farm. Among other features, IMA enables centralized platform-independent management, an ODBC-compliant data store, and a suite of management products that plug in to Presentation Server Console.

interoperability
The ability of MetaFrame Presentation Server to work with servers running MetaFrame 1.8 in the same server farm. Not all MetaFrame Presentation Server features are available in such a farm.
isolation environment
A feature of MetaFrame Presentation Server to isolate a published application on a server farm. The isolation environment protects the operating system from conflicts and other compatibility issues that frequently occur between incompatible or legacy applications.

key store
The directory on the server running the SSL Relay containing the server certificate. The default directory is %SystemRoot%\SSLRelay\keystore\certs.

load management
A feature of the Advanced and Enterprise Editions of MetaFrame Presentation Server that enables management of application loads. When a user launches a published application that is configured for load management, that user's session is established on the most lightly loaded server in the server farm, based on criteria you can configure.

local application
An application installed on a local client device.

local host cache
A local subset of the server farm data store information. This file is present on all computers running MetaFrame Presentation Server. See also data store.

local text echo
A feature that accelerates the display of text input on a client device to effectively shield users from experiencing latency on the network.

Management Console for MetaFrame Presentation Server
The extensible, platform-independent tool for administering computers running MetaFrame Presentation Server and management products. This console is also referred to as the Presentation Server Console.

master ICA browser or master browser
The ICA browser on one server in a network that gathers information about licenses, published applications, performance, and server load from the other member browsers within the network and maintains that information.

member ICA browser or member browser
The ICA browsers on the servers in a network that forward information about licenses, published applications, performance, and server load to the master browser.
MetaFrame administrators
System administrators responsible for installing, configuring, and maintaining computers running MetaFrame Presentation Server. In a UNIX environment, it is the user group assigned to these administrators, which has the default name ctxadm.

MetaFrame Presentation Server Client
Citrix software that enables users to connect to computers running MetaFrame Presentation Server from a variety of client devices.

mouse-click feedback
A feature that enables visual feedback for mouse clicks. When a user clicks the mouse, the client software immediately changes the mouse pointer to an hourglass to show that the user's input is being processed.

NDS support
Support for Novell Directory Services (NDS) allows users in Novell network environments to log on using their NDS credentials to access applications and content published on computers running MetaFrame Presentation Server.
neighborhood folder: A group of logically related applications within a user's application set. You can assign an application to a specific neighborhood folder when you publish it.
network printer: A printer that is connected to a network print server.
panning and scaling: Features of MetaFrame Presentation Server Clients that allow users to view a remote session that is larger than the client desktop. For example, if the client desktop is 1024 x 768 and the session is 1600 x 1200 pixels, the session image does not fit in the session view window. Panning provides scroll bars. Scaling provides controls in the System menu to shrink the session window.
pass-through authentication: When you enable pass-through authentication for the Presentation Server Console, the console uses your local user credentials from the server on which the console is running. You can log on without reentering credentials. Users can also enable pass-through authentication in clients that support this feature.
pass-through client: A client installed on a server so that users of every MetaFrame Presentation Server Client platform can access published applications by connecting to them through Program Neighborhood as a published application.
policies: Policies are used to apply MetaFrame Presentation Server settings for client device mapping, for example, to specific users, clients, and servers. Policies override similar settings configured farm-wide at the server level or on the client.
Program Neighborhood: The user interface for the Program Neighborhood Client that lets users view the published applications they are authorized to use in the server farm. Program Neighborhood allows access to application sets and custom ICA connections.
Program Neighborhood Agent: The Program Neighborhood Agent allows you to deliver published applications directly to users' desktops so users can access links to published applications with or without a Web browser. With the Program Neighborhood Agent, links to published applications appear in the Start menu, on the Windows desktop, or in the Windows notification area. Remote applications are integrated into the desktop and appear to the user as local applications. You must use the Web Interface for MetaFrame Presentation Server to use the Program Neighborhood Agent.
published application: An application installed on a server or server farm that is configured for multiuser access from MetaFrame Presentation Server Clients. With Load Manager, you can manage the load for published applications among servers in the farm. With Program Neighborhood and the Web Interface, you can push a published application to your users' client desktops.
published content: A document, media clip, graphic, or other type of file or URL that you publish for access by users. Published content is executed by local applications on client devices.
relay listening port: The TCP port on a computer running MetaFrame Presentation Server that the Citrix SSL Relay monitors for data from a Web server.
seamless window: One of the settings you can specify for the window size property of a published application. If a published application runs in a seamless window, the user can take advantage of all the client platform's window management features, such as resizing, minimizing, and so forth.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS): A standards-based architecture for encryption, authentication, and message integrity. It is used to secure the communications between two computers across a public network, authenticate the two computers to each other based on a separate trusted authority, and ensure that the communications are not tampered with. SSL/TLS supports a wide range of ciphersuites.
server: A server on which MetaFrame Presentation Server software is running. You can publish applications, content, and desktops for remote access by clients on these servers.
server farm: A group of computers running MetaFrame Presentation Server and managed as a single entity, with some form of physical connection between servers and a database used for the farm's data store.
session ID: A unique identifier for a specific client session on a specific computer running MetaFrame Presentation Server.
Shadow Taskbar: The taskbar on a server desktop that you can use to shadow multiple users and to quickly switch between shadowed sessions.
shadowing: A feature that enables an authorized user to remotely join or take control of another user's client session for diagnosis, training, or technical support. See also user-to-user shadowing.
SpeedScreen Browser Acceleration: The feature that provides substantial performance enhancements for users running HTML-capable applications, such as Internet Explorer, published on computers running MetaFrame Presentation Server. SpeedScreen Browser Acceleration requires less bandwidth and allows users running ported applications to interact with the browser while graphically-rich pages or large images are being downloaded.
SpeedScreen Latency Reduction: A combination of technologies implemented in ICA that decreases bandwidth consumption and total packets transmitted, resulting in reduced latency and consistent performance regardless of network connection.
universal printing: When you use universal printing you do not need to install and duplicate a potentially large set of native printer drivers in your server farm. The universal printer drivers can replace multiple native printer drivers that would otherwise be needed in diverse printing environments. MetaFrame Presentation Server Clients can work with universal drivers depending on the client device's version and platform.
user-to-user shadowing: The feature that allows users to shadow other users without requiring administrator rights. Multiple users from different locations can view presentations and training sessions, allowing one-to-many, many-to-one, and many-to-many online collaboration. See also shadowing.
Web-based client installation: A Web-based method for deploying client software to users. You construct a download Web site that users access to download the MetaFrame Presentation Server Client for their client devices.
Windows-Based Terminal (WBT): A fixed-function thin-client device that can run applications only by connecting to a server. WBTs cannot run applications locally.
zone: A logical grouping of computers running MetaFrame Presentation Server, typically related to the underlying network subnets. All servers in a zone communicate with the server designated as the data collector for the zone.
zone data collector: A computer that stores dynamic data for one zone in a farm. Examples of dynamic data include current server load, the number of current user sessions, and the applications currently running in user sessions on a specified server.
Index
A
Access Suite Console 146, 149, 152 choosing when to use 147 installing 136 snap-ins 151 starting 156 user interface 150 users and accounts 149 Acrcfg command 335 Acrobat Reader requirements 14 Active Directory Services 75, 119, 219, 228 Address List for client browsing 93 administration tools see management tools administrator accounts see MetaFrame administrators alerts troubleshooting 154 Altaddr command 342 anonymous applications and users 242 App command 344 applications configuring access to 155 installing into an isolation environment 257 isolating through association 256 see publishing applications and content uninstalling from isolation environment 259 viewing in multiple farms 152 Apputil command 347 Async Test dialog box 196 asynchronous connection options 195–197 asynchronous ICA connections 72, 190 audio mapping 217 Auditlog command 351 authentication, user 77, 79–80, 85, 87, 110, 127, 226, 230, 238, 286, 289 Citrix SSL Relay 172, 175, 179 changing the port 179 Citrix SSL Relay Configuration 146 Citrix XML Service 93, 134, 361 client device mapping 214 client IP address 249 client printers 312 client software utility for installing 146 Client Update Database 232 managing 147 cloning servers 142 Cltprint command 360 COM port mapping 216 commands 333–387 company knowledge database 154 Components CD 223, 227 configuring anonymous user accounts 243 Citrix SSL Relay 175 client device mapping 213 client reconnection settings 287 Connection Control settings 277 direct cable connections 195 distributed databases 57 ICA audio settings 203 ICA browsing 90 ICA Client connections 187 ICA encryption 201 ICA network connections 136 MetaFrame administrators 86, 159 network firewalls 96 ODBC drivers 127 Oracle servers 62 ports 100 printer autocreation in NDS 84 servers and server farms ??208 shadowing 133 user access to applications 241 Connection Control feature 275 connections controlling 275 logging control events 279 tool for configuring 146
C
Change Client command 353 Chfarm command 357 Citrix Connection Configuration 146, 188, 190–193, 195–197
deployment scenarios large farm, central location 31 large farm, multiple data centers 35 large farm, regional sites 36 small farm, central location 30 small farm, distributed sites 33 small farm, remote sites 34 Diagnostic Facility snap-in 151 direct cable connections 195 discovery running and configuring 156 distributed databases using with IBM DB2 65 using with Oracle 62 using with SQL Server 57 DLL optimization 301 DNS address resolution 95 DNS and server names 71 documents and files, publishing 263 DOS-based printers 312 drive mapping 101, 214 Driveremap command 362 Drivers tab 318 Dscheck command 366 Dsmaint command 368
content publishing 236–237, 263 publishing to be opened on client 264 publishing to be opened on server 263 see also publishing applications and content content redirection 236–237, 245 configuring 260 from client to server 245, 260 from server to client 261 counters ICA session 417 MetaFrame Presentation Server 414 STA 420 counters, performance 413 CPU 300 CPU priority for applications 267 Ctxxmlss command 361 customizing displays 152 customizing displays in Access Suite Console 152
D
Dashboard snap-in 151 data source connection, creating for SQL Server 56 data store choosing a database 40 configuring during Setup 125 configuring ODBC drivers 127 connecting to 44 creating 110 database requirements 47 Dsmaint command 368 local host cache 67 migrating to IBM DB2 66 migrating to MSDE 52 migrating to Oracle 61 overview 39 suggested hardware configurations 42 system sizing 42 using a RAID environment 45 using IBM DB2 64 using Microsoft Access 49 using Microsoft MSDE 50 using Oracle 58 using SQL Server 53
E
Edit Connection dialog box 193, 195 email, optimizing performance 209 encryption, configuring 201 error message, STA 183 explicit users 243 extended characters in server names 71 external IP addresses 342
F
failover on Oracle 62 on SQL Server 56 farm data store see data store file type association 244 firewalls see network firewalls Flash animations, optimizing performance 208
G
global groups 78
graphics requirements 72
H
hardware requirements 71 hotfix information managing 156 Hotfix Management snap-in 152, 156 HTML files 249
I
IBM DB2 migrating to 66 requirements 64 using DB2 for the data store 126 with distributed databases 65 ICA browsing 88, 90–91, 93, 95–99 ICA Client Creator 146 ICA Client Distribution wizard 139, 223, 228 ICA Client Object 226 ICA Client Update Configuration 147 ICA Clients client printers 312 Components CD 223, 227 deploying 219 deploying with the Web Interface 231 deployment methods 219–220, 227 deployment scope 222 logging activity 351 logons to servers, controlling 271, 275 NDS logons 80 printer mapping 216 Program Neighborhood Agent 221 server location methods 91 shadowing 147 updating 232 ICA connections 187–188 adding 189 asynchronous 72, 190, 195 audio mapping 217 client device mapping 214 COM port mapping 216 drive mapping 214 Edit Connection dialog box 193 encryption 201 modem callback options 193 network connections 136 null modem cables 193 printer mapping 216 restricting connections 200
ICA encryption 172 ICA files 248 ICA sessions 89, 187, 233, 280 browsing configuration 90 controlling logons 271 disconnecting sessions 282 encrypting 201 monitoring 280, 308 performance monitoring 308 published application data 280 resetting 283 sending messages to users 282 Session ID 281 session reliability 284 shadowing 147, 201, 304 states of 281 terminating processes 284 Icaport command 372 IMA 100, 357 changing the IMA port 373 IMA service 85, 343 IMA data store see data store image download, optimizing performance 208 imaging servers 142 Imaport command 373 Independent Management Architecture (IMA) see IMA installation Autorun 117 common Windows Installer commands 120 configuring ODBC drivers 127 configuring the data store 125 creating a log file 117 creating administrative installations 396 creating an answer file for unattended installation 141 creating Windows Installer transforms 141 imaging servers 142 sample setup transforms 390 setup properties explained 389 shadowing restrictions 133 unattended installation 140 uninstalling MetaFrame Presentation Server 143 using Microsoft Access for the data store 125 using MSDE for the data store 125 using SQL, Oracle, or IBM DB2 for the data store 126 Web Interface 138 installing MetaFrame Presentation Server 107 interoperability mode 115
146, 149 choosing when to use 147 customizing displays 152 snap-ins 151 starting 156 user interface 150 users and accounts 149 management consoles choosing which one to use 147 management tools 145 memory allocation 70 messages, sending to users 282 MetaFrame administrators 86 creating customized administrators 160 delegating tasks to 159, 162 MetaFrame Conferencing Manager 115 MetaFrame Conferencing Manager compatibility 106 MetaFrame Presentation Server Administration 150 MetaFrame XP 112 MetaFrame 1.8 112 Microsoft Access 49 Microsoft Management Console 146 Microsoft SQL Server 53 MigratetoMSDE command 375 migrating a server farm 112 migrating to MetaFrame Presentation Server 142 see also upgrading to MetaFrame Presentation Server MMC 146 modems 72 callback options 193 ICA connections with 193 monitoring ICA sessions 280, 308 mouse and keyboard, optimizing performance 208 moving a server to a different farm 357 Msiexec command 120 multimedia, optimizing performance 208 My Knowledge snap-in 151, 154 My Views 152
IP addresses of client made available to sessions 249 ranges for server sessions 250 IP addresses and loopback monitoring at server level 252 IP addressing 95, 99, 342 IP connectivity 91–92, 96 IP ports 94, 100 isolation environments associating with applications 256 configuring 255 creating 255 deleting 258 enabling and disabling 254 installing applications into 257 uninstalling applications installed into 259
J
Jet database see Microsoft Access
K
Kerberos logon 181 kernel memory space 70 keyboard and mouse, optimizing performance 208
L
latency tool for reducing 147 License Management Console 146 Licensing snap-in 151 Load Manager 233 local host cache 67 local printers 312 logons controlling 271 controlling look and feel 272 reporting 351 log, STA 183 loopback addresses 251
N
naming servers and server farms 71 NDS see Novell Directory Service NetWare drive mapping assignments 215 network firewalls 44, 88–89, 92, 96–98, 100 latency reduction 208 printers 312, 321 protocols 91–92, 96
M
Management Console for MetaFrame Presentation Server 146, 157 choosing when to use 147 Management Console for the MetaFrame Access Suite
New Connection dialog box 193 NFuse Classic see Web Interface Novell Directory Service BUILTIN group 85 printer autocreation 84 supporting 80 ZENworks Dynamic Local Users 85 null modem cables, ICA connections with 193
O
ODBC drivers, configuring 127 Oracle authentication and security 62 client configuration 62 distributed databases 62 failover 62 migrating to 61 requirements 58 server configuration 62 using Oracle for the data store 126 Oracle Parallel Server 63
P
pass-through client 238 installing 123 PDA synchronization 299 performance counters 309, 413 performance monitoring 308, 413 permissions Access Suite Console 149 policies configuring user-to-user shadowing with 306 creating 291 prioritizing 295 searching for 298 ports used by MetaFrame Presentation Server 100 Presentation Server Console 146, 157 choosing when to use 147 controlling access to 160
printing bandwidth consumption 317 client 312–313 client printer mapping 216 Drivers tab 318 importing print servers 317 installed printers 319 local 312 managing printers 311 network printers 312, 314 printer autocreation in NDS 84 printer drivers 318, 321 Printers tab 319 replicating printer drivers 322 setting up network printers 321 shared printers 311 user permissions 78 processes virtual IP and virtual loopback availability lists 252 processes, terminating 284 Program Neighborhood Agent 221 protocols, networking 91–92, 96 proxy servers 89 publishing applications and content 237–260 associating with file types 244 CPU prioritization 267 data on running applications 280 limiting application instances 276 passing parameters to published applications 247 pass-through client 238 procedures 243 publishing content 245, 263 redirecting launching 260 standard applications 233 user authentication 238 user permissions 78 Win16 applications 73
Q
Query command 376
R
remote control see shadowing ICA sessions Remote Desktop Connection software 223 client system requirements 224 supported features 224 user authentication 226 Remote Desktop Users group 71
servers viewing in multiple farms 152 Session ID 281 sessions 187 managing in multiple farms 153 see ICA sessions setup see installation Shadow Taskbar 147, 305 shadowing 133, 147, 201, 304 user-to-user shadowing 306 shared printers 311 sizing systems 72 smart cards software requirements 104 using SSCONFIG 104 using with MetaFrame 103 SpeedScreen Browser Acceleration 208 Flash Acceleration 208 Image Acceleration 208 Latency Reduction Manager 208 Multimedia Acceleration 208 SpeedScreen Latency Reduction Manager 147 SQL Server creating data source connection during setup 56 distributed databases 57 failover 56 requirements 53 server configuration 55 using SQL for the data store 126 SSCONFIG 104 SSL see Citrix SSL Relay SSL Relay tool for configuring 146 system requirements see requirements
removing servers from server farms 143 Report Center snap-in 151, 155 reports creating 155 requirements data store database 47 hardware 71 IBM DB2 64 Microsoft Access 49 Oracle 58 SQL Server 53 system sizing 72 system software 69 Reset command 283 resetting ICA sessions 283
S
scalability 70 Secure Gateway for MetaFrame 172 Secure Ticket Authority fatal error messages 183 warning messages 184 Secure Ticket Authority (STA) 182 Secure Ticket Authority: informational messages 185 securing deployments with Citrix SSL Relay 172 with ICA Encryption 172 with the Secure Gateway 172 with Virtual Private Networks 173 security ICA encryption 172 Kerberos logon 181 Secure Sockets Layer (SSL) 175 Transport Layer Security (TLS) 175 sending messages to users 282 serial port mapping 216 server farms creating 108, 124 deployment scenarios 30 designing 18 joining 124 monitoring performance 154 naming 71 overview 16 single or multiple 16 upgrading 108 server location 90–99 server names, extended characters in 71
T
TCP ports 100 Citrix XML Service (80) 134 SSL Relay (443) 175 TCP/IP network protocol 92 TCP/IP+HTTP Network Protocol 91 terminating processes 284 TLS 175 tools and utilities 145 transforms 390
Transport Layer Security (TLS) 175 TWAIN redirection 300 Twconfig command 386
Z
zones configuring failover 26 data collectors 16 preferred 26 sizing 23 viewing in multiple farms 152 Specifying Locations for Publishing Content 266
U
UDP broadcasts 92 unattended installation 140 creating an answer file 141 creating Windows Installer transforms 141 uninstalling MetaFrame Presentation Server 143 universal groups 78 updating ICA Clients 232 upgrading a server farm 112 user authentication 76–77, 79–80, 85, 87, 110, 127, 133, 230, 238, 286, 289 user permissions 78 user policies creating 291 prioritizing 295 user-to-user shadowing 306 utilities 333–387
V
virtual IP addresses 250 virtual loopback 251 virtual memory 301 virtual printers 311 Virtual Private Networks 173
W
Web browsers, optimizing performance 208 Web Interface 87, 93–95, 98, 138, 221, 230–231 Citrix XML Service 134 Web Interface snap-in 152, 155 WinCE 312 Windows Installer common commands 120 creating a log file 117 creating transforms 141, 389 Msiexec command 120, 142 Windows Installer transforms 389 sample setup transforms 390 Win16 applications 73
X
XML Service see Citrix XML Service