Billing Reports

Billing reports can be constructed to show resources used, session start time, session elapsed time, process load time, CPU time, memory utilized, and process active time. Figure C-1 shows a screen print of an RM billing report for domain users.

Application Install and Execute Modes

During installation, an application writes user-specific keys to the Administrator's HKEY_CURRENT_USER registry hive. Information such as Document Path and Autosave Path is missing from other users' HKEY_CURRENT_USER keys because they did not install the application. These keys are crucial to using the application successfully. Terminal Services provides a global Install mode to address this situation. During installation, the system is placed in Install mode by entering the command Change...
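The practical hazard with Install mode is a server left in it after a setup program fails, so that every later per-user registry write is captured as if it were part of an installation. The following added example (not code from the book) wraps the Windows change user /install, /execute and /query commands in a small Python helper that always restores Execute mode. The command runner is injectable so the sequencing can be exercised off a Terminal Server; the exact wording of the /query output ("Application INSTALL mode is enabled." / "Application EXECUTE mode is enabled.") is assumed and should be checked on the target build.

```python
"""Switch a Terminal Server into Install mode around an application setup
and always return it to Execute mode, even when the setup fails.

Added example, not from the original text. Wraps the Windows commands
``change user /install``, ``change user /execute`` and ``change user /query``.
"""
import subprocess
from contextlib import contextmanager
from typing import Callable, List

Runner = Callable[[List[str]], str]


def _default_run(cmd: List[str]) -> str:
    """Real runner: execute the command on this host and return its stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def query_mode(run: Runner = _default_run) -> str:
    """Return 'install' or 'execute' by parsing ``change user /query``.

    Assumption: the command prints 'Application INSTALL mode is enabled.'
    or 'Application EXECUTE mode is enabled.' on Windows 2000/2003.
    """
    out = run(["change", "user", "/query"]).upper()
    if "INSTALL MODE" in out:
        return "install"
    if "EXECUTE MODE" in out:
        return "execute"
    raise RuntimeError("unrecognised change user /query output: %r" % out)


@contextmanager
def install_mode(run: Runner = _default_run):
    """Enter Install mode, yield to the caller, then restore Execute mode.

    The reset sits in a ``finally`` so that a crashing setup program cannot
    leave the server capturing every user's registry writes.
    """
    run(["change", "user", "/install"])
    try:
        yield
    finally:
        run(["change", "user", "/execute"])


def install_application(setup_cmd: List[str], run: Runner = _default_run) -> str:
    """Run ``setup_cmd`` under Install mode and return the mode afterwards."""
    with install_mode(run):
        run(setup_cmd)
    return query_mode(run)


if __name__ == "__main__":
    # Hypothetical installer path; on a real server this runs for all users.
    print(install_application(["C:\\Install\\setup.exe", "/quiet"]))
```

The returned mode lets a deployment script assert that the server is back in Execute mode before the next step, which is the check an administrator would otherwise forget.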

SpeedScreen Browser Acceleration

This feature was first introduced with Feature Release 3 and ICA client version 7.0. It is available to users running Internet Explorer 5.5 or later, and enhances the speed at which images are downloaded and displayed within the ICA client. SpeedScreen Browser Acceleration is enabled on the server by default when FR-3 is installed. To configure, enable, or disable SpeedScreen Browser Acceleration on the server, from the Citrix Management Console, right-click the top-level farm and choose...

Resource Manager

MetaFrame XPe is required when using Resource Manager (RM). This product equips administrators with a full-featured management tool suite for analyzing and tuning Citrix MetaFrame XPe servers. RM adds real-time monitoring, historical reports, and a central repository of usage information and statistics to the MetaFrame product suite. Resource Manager keeps data for 96 hours in an internal database (15-second server snapshots) and integrates with Microsoft SQL Server and Oracle databases to store...

Upgrading from Windows NT TSE

The TSE-to-Windows 2000 Server (Terminal Server) or TSE-to-Windows Server 2003 (Terminal Server) upgrade path is subject to the same limitations discussed in the Migration Limitations and Restrictions section. Although not addressed as a critical consideration in that section, administrators must be aware that the upgrade also upgrades Internet Explorer. Any Terminal Services applications dependent upon IE functionality must be compatible with IE 5.01 or later. Additionally, licensing based on...

Independent Management Architecture

MetaFrame XP introduced the Independent Management Architecture (IMA) to replace the ICA Browser service. IMA is a tremendous improvement over the ICA Browser with respect to speed, scalability, and reliability of enterprise server farms. IMA contains two components. The IMA data store is responsible for keeping information about licenses, published applications, load-balancing parameters, printer options, and security. The IMA protocol is responsible for communications between MetaFrame XP...

Application Licensing

One of the most common questions we hear when discussing server-based computing is this: How will it change the licensing requirements of an organization's applications? The answer is simple: It won't, but it will make it easier to manage, track, and add or delete licenses. Most application manufacturers license their applications on a concurrent-user basis, a per-computer basis, or a per-user basis. By having the applications and any application metering software centralized, managing and...

Assigning Appropriate Permissions to the Group Policy

Figures 15-8 and 15-9 show the application and denial of Group Policies by group. The steps to apply or remove a Group Policy are shown in the figures. Figure 15-8: Applying the Group Policy to the Citrix users group...

Deciding on the Best Third-Party Printing Utility

The only way to select the most suitable solution for a target environment is to perform a similar performance analysis on the solutions being considered. However, based on the results of our tests, the following guidelines can be used: Allocate sufficient bandwidth for printing, as this helps reduce the sporadic and poor response times caused by print traffic. Use the equation in the Printer Bandwidth Management section, earlier in this chapter. Use PostScript Level 2 or PCL 6 printers whenever...

The Citrix Universal Print Driver

The Citrix Universal Print Driver (UPD) was first introduced in MetaFrame XP Feature Release 1. The new UPD version 2, included with MetaFrame XP Feature Release 3, supports monochrome or color printing as well as 600-dpi resolution. The driver uses PCL4 or PCL5 for Windows 32-bit and Macintosh clients; Linux clients and PostScript-compatible printers use PostScript. Note: The extended features (color, 600 dpi) are achievable only with the 7.0 version of the Win32 and Linux ICA Clients....

Change Control

Many organizations really struggle with how to keep up with change control. It is important for the success of the pilot that focus is placed on maintaining a stable environment, on consolidating and scheduling updates, on obtaining sign-off authority for changes, on proper regression testing, and on maintaining a detailed rollback plan in the event that new applications disrupt the pilot. Implementation support is extremely difficult when too many people or teams have their hands in the pot....

Connections

One of the most common problems in the SBC environment that requires troubleshooting involves connectivity. When users cannot connect to the MetaFrame servers, there are numerous possibilities to consider. The ICA Client is not configured properly: This is often the problem if only one user cannot connect to the farm. If the user is using Program Neighborhood, check the server location address by selecting the connection, right-clicking, and selecting the Properties option. The proper server...

Managing the Tasks

Projects are broken down by tasks, each of which can be defined as a unit of work that is important to project completion. Tasks can also include related subtasks. Assign managers to each task and set performance SLAs. For instance, one task may be to order an ATM link to the data center by a certain date. The SLA may be to order all data lines and equipment on or before the due date.

Developing a Work Breakdown Structure

Tasks need to be organized into logical milestones, sequenced, assigned,...

Anonymous User Accounts

During MetaFrame installation, the Setup program creates a special local user group called Anonymous. By default, this group on a Windows Server 2003 system contains 15 user accounts with usernames in the format Anon000 through Anon014. Anonymous users are afforded guest permissions by default. Note: Anonymous user accounts are local user accounts (non-domain), and although 15 of them are created by default, additional ones will be created on the fly by the server to ensure that each Anon...

Directory Services

Directory Services are integrated into most modern network operating systems. The two major offerings relevant to server-based computing are Novell's eDirectory (an updated, portable version of Novell Directory Services (NDS)) and Microsoft's Active Directory (also updated in Windows Server 2003). Both offerings are loosely based on the original X.500 directory services standard, both offer Lightweight Directory Access Protocol (LDAP) support at varying levels, and both are capable of some...


Third-Party Software for Desktop Lockdown

In the last three years, several software providers have built tools to automate the lockdown of PCs and the PC user environment. Providers of software for restricting user activities present a friendlier interface than Policy Editor and Regedt32, can track and roll back changes, and provide myriad management and performance optimization features. We have utilized tools from four software vendors that provide lockdown for both the server user environment and the desktop environment....

IT Staff Salaries

Since the majority of organizational processing under SBC takes place at central data centers, the network administrators must be quite skilled. They may require higher salaries than their peers in many distributed processing environments, perhaps even higher than their managers. The feasibility committee must assess whether these types of administrators are already on staff and, if not, whether the organization's salary structure will allow for hiring them. Tip: Access infrastructure is...

The OSI Model

The Open Systems Interconnection (OSI) model was originally developed by the International Organization for Standardization (www.iso.org) in 1974 to establish a standardized model for interconnecting networks and computers using multivendor networks and applications. Although originally envisioned as a formal standard, it has become less of an implementation standard and more of a benchmark model. The principles applied when creating the OSI model were: A layer should be created where a different level of...

MSAM vs. MetaFrame ICA

Utilizing Citrix's years of experience in providing scalable, enterprise solutions for end-user applications, it is no surprise that the MSAM deployment environment mimics key concepts developed in the MetaFrame ICA realm. Table 16-1 shows some of the similarities between the environments. Table 16-1: Similarities of ICA and MSAM Environments. MetaFrame XP application servers are situated in a load-balanced farm for increased...

Application Compatibility Scripts

Many of the issues discussed so far have been addressed by the creation of application compatibility scripts. After installing an application, an administrator is required to run the corresponding script to resolve the issues mentioned. Windows 2000 shipped with 27 native Application Compatibility Scripts, and since then scores of software manufacturers have created additional scripts to provide users with fixes for their software in a multiuser environment. At the time of this writing, Windows...

Creating a Compelling Vision of the SBC Environment

While the CIO may have a vision for an organization-wide SBC deployment, the actual implementation often unfolds over various stages. It is important to develop a vision that can be shared with management and users alike in an on-demand enterprise. The pilot and beta can be very useful in this regard. A particularly attractive advantage that can be demonstrated to both users and management is the ability to work seamlessly from home through the Internet. Users tend to get very excited by this...

ThinPrint

ThinPrint provides core printing functionality along with print job compression, session-based bandwidth control, and driver-free printing via its ThinPrint Output Gateway (TPOG) printer module. The TPOG printer on the server is mapped to remote client printers automatically by ThinPrint AutoConnect, by defining a template definition or class definition, or manually by renaming the TPOG printer to point explicitly to a specific remote-client printer. ThinPrint's patented Driver Free Printing...

The Project Design Plan

The project plan incorporates all aspects of the SBC design. This plan includes both the project definition document and results of the infrastructure assessment. The financial analysis performed by the feasibility committee should be fine-tuned throughout the planning process until the final planning document includes a solid estimate for project costs. The planning document should clearly convey the organization's server-based computing migration strategy and be suitable for presentation to...

The Campus LAN Access Distribution Module

The access and distribution layer topology for the CME Corp campus was redesigned (based on the topology in Figure 10-2) to form a virtual ring (in fact, a Layer 3 partial mesh) centered on the data center facility. By changing all links from individual buildings to the core to be both redundant and Layer 3 (Figure 17-14), the designers eliminated issues related to spanning tree in the campus network: spanning tree instances on each switch are only locally significant because of the Layer 3 (routed)...

SpeedScreen

SpeedScreen is a technology for improving the performance of application delivery across ICA links. It improves performance by reducing the amount of data that must traverse an ICA connection as an end user interacts with a MetaFrame server-based application. SpeedScreen targets the repainting function of a hosted application. With many applications, entire screens are repainted with each keyboard entry (or mouse click) made by the end user. SpeedScreen uses an intelligent agent technology to...

FutureLink UniPrint XP Server

The UniPrint XP Server provides universal printing capability by generating PDF files and sending them to the local client for printing. The UniPrint XP Server component is installed on the Terminal Server, and the UniPrint client, Adobe Acrobat 4.0 or later, and the ICA Client are installed on the client machine. The server component installs a Universal Print Driver that has a user-selectable virtual printer. Once a print job is submitted to the UniPrint UPD, the server component converts...

The Addressing Scheme

CME's internal IP addressing scheme uses the ranges specified by RFC 1918, Address Allocation for Private Internets, and was designed to ensure adequate capacity for growth in terms of additional main corporate campus infrastructure and users, expansion of existing primary sites, and addition of more sales offices on demand. More importantly, the design was intended to be generally hierarchical to allow summarization of routing information at key points such as the DMZ distribution switch and...
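The hierarchy the paragraph describes can be checked mechanically. The following is an added example (not code from the book and not CME's actual plan): it carves region, site and VLAN blocks out of RFC 1918 space with Python's ipaddress module and shows which routes an aggregation point can advertise upward. The region names, block sizes (region /12, site /16, VLAN /24) and counts are constructed assumptions. The point it makes beyond the text: an aggregation switch should advertise each site's whole allocated block, because the VLANs actually in use at a site generally do not collapse into a single prefix.

```python
"""Hierarchical RFC 1918 address plan with route summarization checks.

Added example, not from the book. Region/site/VLAN sizes are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Plan = Dict[str, Dict[ipaddress.IPv4Network, List[ipaddress.IPv4Network]]]


def net(text: str) -> ipaddress.IPv4Network:
    """Shorthand for an IPv4 network literal."""
    return ipaddress.ip_network(text)


def check_no_overlap(regions: Dict[str, str]) -> bool:
    """True when no two region blocks overlap (a prerequisite for summarization)."""
    nets = [net(b) for b in regions.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def build_plan(regions: Dict[str, str], sites_per_region: int, vlans_per_site: int) -> Plan:
    """Carve each region block into /16 sites and each site into /24 VLANs.

    Raises ValueError if a region block is outside RFC 1918 space.
    """
    plan: Plan = {}
    for name, block in regions.items():
        region_net = net(block)
        if not any(region_net.subnet_of(p) for p in RFC1918):
            raise ValueError(f"{block} is not RFC 1918 private space")
        sites = list(region_net.subnets(new_prefix=16))[:sites_per_region]
        plan[name] = {s: list(s.subnets(new_prefix=24))[:vlans_per_site] for s in sites}
    return plan


def summarize(routes: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Minimal set of prefixes covering exactly the given routes."""
    return list(ipaddress.collapse_addresses(routes))


def summary_routes(plan: Plan, region: str) -> List[ipaddress.IPv4Network]:
    """Routes a region's distribution switch advertises to the core: the whole
    allocated site blocks (not the in-use VLANs), collapsed where contiguous."""
    return summarize(list(plan[region].keys()))


def locate(plan: Plan, address: str) -> Optional[Tuple[str, ipaddress.IPv4Network, Optional[ipaddress.IPv4Network]]]:
    """Find (region, site block, VLAN) for an address; VLAN is None if the
    address falls in allocated but unused space."""
    ip = ipaddress.ip_address(address)
    for region, sites in plan.items():
        for site_net, vlans in sites.items():
            if ip in site_net:
                return region, site_net, next((v for v in vlans if ip in v), None)
    return None


if __name__ == "__main__":
    # Constructed regions: campus and one WAN region, four sites each, three VLANs per site.
    regions = {"campus": "10.0.0.0/12", "east": "10.16.0.0/12"}
    plan = build_plan(regions, sites_per_region=4, vlans_per_site=3)
    print("campus summary to core:", summary_routes(plan, "campus"))
    print("in-use VLANs of first site collapse to:", summarize(plan["campus"][net("10.0.0.0/16")]))
    print("10.1.2.7 lives in:", locate(plan, "10.1.2.7"))
```

Run as written it shows the campus advertising a single 10.0.0.0/14 for its four sites, while the three VLANs of one site only collapse to a /23 plus a /24; that is why the allocated block, not the in-use subnets, is what gets summarized.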

Everything Is Becoming Web Based

Software manufacturers are increasingly writing Web-based interfaces to their applications. The reality, though, is that it is difficult to create a rich user interface in a web application. Even Microsoft's Outlook Web Access, for example, lacks the much richer interface of Microsoft Outlook. Most users prefer the dynamic and robust Windows interface to the static web-server HTML interface. Additionally, a browser requires a deceptively fat client in order to accommodate complex Java scripts...

Troubleshooting the SQL Datastore

If you are utilizing a SQL Datastore, there are several troubleshooting tips that can assist the administrator in discovering and fixing connectivity problems. The following list consolidates the most common problems encountered with the SQL Datastore and how to correct them. The wrong credentials are supplied for SQL authentication: During the configuration of a SQL Datastore, a username and password are entered, which are used for accessing the Datastore database. If this username on...

What's New in the Second Edition

This book is a continuation of the first edition written three years ago by Steve Kaplan and Marc Mangus. Server-based computing technology has evolved significantly over the last three years, with the release of Windows Server 2003, Citrix MetaFrame XP Presentation Server, MetaFrame Secure Access Manager, MetaFrame Conferencing Manager, and MetaFrame Password Manager (which together comprise the Citrix MetaFrame Access Suite), along with myriad third-party applications and solution providers...

Lost Productivity

Estimate the amount of user productivity lost each year due to downtime and PC-based computing limitations such as inaccessibility to required corporate data. Number of average user minutes of downtime per rollout: The expected length of downtime suffered by users for both major and minor rollouts. PC upgrades: The expected downtime users undergo when they receive a new PC. Help desk delays: The expected lost productivity time while waiting for the help desk to resolve a PC problem.

Shadowing

In addition to providing tools for managing application publishing, MetaFrame delivers a utility targeted at reducing administrative costs by enabling remote support of users of published applications. Session Shadowing enables the administrator (or help-desk personnel) to remotely join, or take control of, another user's ICA session. When activated, Session Shadowing displays the user's screen on the administrator's console. Optionally, the administrator can assume control of the remote...

Server Hard Drives

The hard drive system plays a different role with terminal servers than it does for standard file servers. In general, no user data is stored or written on a terminal server, and a server image will be available for rebuild, so the main goal when designing and building the hard drive system for a terminal server is read speed and uptime. We have found hardware RAID 5 to be a cost-effective approach to gaining both read speed and uptime (if any one of the drives fails, the server will remain...

Application Access and Security

Following the installation of applications, security should be configured to allow only specific groups access to applications. Some applications (for example, Office XP) will be provided to a large majority of users, whereas other applications, like accounting and payroll software, should be tightly locked down. Locking down file permissions based on group access is an obvious way to lock down an application, but this method is usually time-consuming, as most applications have multiple...

IP Address and Host Name Management

In a large enterprise network, managing the identity of each node on the network can be a daunting task. Many network management tools will autodiscover nodes on the network, but this task can be laborious and chew up processing and network bandwidth unless the addressing and naming schemes are well ordered. An effective SME will include policies for standard naming practices as well as an efficient IP addressing scheme. There are several common attributes for host naming that must be...

Creating a Deployment Guide

For a large enterprise conversion to server-based computing, creating a deployment guide can be very helpful in making the process go smoothly. This is particularly important if you have a large number of remote offices requiring multiple implementation teams. Though the audience for such a guide is technically proficient, it is important to have a guide for reasons of consistency. If deployment technicians are allowed to carry out the migration their own way, it will be that much more...

Controlling Access to the Citrix Management Console

The CMC uses a standard Windows logon and user account authentication to grant access to designated Citrix administrators. Access to the CMC must be granted by adding a user or group to the MetaFrame XP Administrators section of the CMC. A MetaFrame XP administrator with CMC read-write privileges can add MetaFrame XP administrators from within the Citrix Management Console. To add a Citrix administrator, right-click the MetaFrame XP Administrators node in the console tree in the left-hand...

Encryption

Using the Internet as part of the corporate WAN infrastructure has obvious security implications. The Internet is a public network and, as such, by its very nature exposes an enterprise's private information to unauthorized individuals. The Internet is often an integral part of delivering applications to remote users in a server-based computing network, however. Internet delivery provides virtually universal access to clients, built-in resiliency, and dramatic cost reductions as compared to...

Planning Network Bandwidth

Planning network bandwidth may seem like an obvious need, but it is often skipped because it is difficult. However, by using modeling based on nominal predicted values, bandwidth requirements can be estimated with the following guidelines in mind: Point-to-point WAN links are saturated when they reach 70-80 percent of rated capacity (a T1, for example). Frame relay and ATM connections are saturated when they reach 90 percent of the rated capacity guaranteed per virtual circuit. Allow 25 percent additional bandwidth for...
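The guidelines above reduce to a short calculation, shown here as an added example that is not from the book. It takes the conservative end of the point-to-point figure (70 percent usable), 90 percent per virtual circuit for frame relay and ATM, and the 25 percent additional allowance, and returns the rated link capacity a site needs and the smallest standard link that meets it. The per-session kilobits per second, the session counts and the print-traffic figure are constructed inputs; the T1/E1/T3 rates are the usual nominal values.

```python
"""Size a WAN link for an SBC site from the saturation guidelines in the text.

Added example, not from the book. Session counts and per-session rates are
constructed inputs; thresholds follow the text (70% point-to-point usable,
90% per frame relay/ATM virtual circuit, plus 25% additional allowance).
"""
from typing import Optional, Tuple

USABLE_FRACTION = {"point-to-point": 0.70, "frame-relay": 0.90, "atm": 0.90}
ADDITIONAL_ALLOWANCE = 0.25
# Nominal rates, in kbps, of the standard links a carrier would quote.
STANDARD_LINKS_KBPS = {"56k": 56.0, "128k": 128.0, "T1": 1544.0, "E1": 2048.0, "T3": 44736.0}


def planned_load_kbps(sessions: int, kbps_per_session: float, other_kbps: float = 0.0) -> float:
    """Nominal predicted load (ICA sessions plus other traffic) with the 25% allowance."""
    return (sessions * kbps_per_session + other_kbps) * (1.0 + ADDITIONAL_ALLOWANCE)


def required_capacity_kbps(sessions: int, kbps_per_session: float, link_type: str,
                           other_kbps: float = 0.0) -> float:
    """Rated capacity needed so the planned load stays under the saturation point."""
    return planned_load_kbps(sessions, kbps_per_session, other_kbps) / USABLE_FRACTION[link_type]


def is_saturated(offered_kbps: float, rated_kbps: float, link_type: str) -> bool:
    """True when offered traffic exceeds the usable fraction of a link's rated capacity."""
    return offered_kbps > rated_kbps * USABLE_FRACTION[link_type]


def smallest_standard_link(required_kbps: float) -> Optional[str]:
    """Name of the smallest standard link that meets the requirement, or None."""
    for name, rate in sorted(STANDARD_LINKS_KBPS.items(), key=lambda kv: kv[1]):
        if rate >= required_kbps:
            return name
    return None


def size_site(sessions: int, kbps_per_session: float, link_type: str,
              other_kbps: float = 0.0) -> Tuple[float, Optional[str]]:
    """One-call sizing: (required rated kbps, standard link to order)."""
    need = required_capacity_kbps(sessions, kbps_per_session, link_type, other_kbps)
    return need, smallest_standard_link(need)


if __name__ == "__main__":
    # Constructed sales office: 40 ICA sessions at an assumed 20 kbps each,
    # plus 100 kbps of print traffic, on a point-to-point circuit.
    need, link = size_site(40, 20.0, "point-to-point", other_kbps=100.0)
    print(f"required {need:.0f} kbps rated capacity -> order a {link}")
```

The example also shows the failure mode the guideline guards against: the same 40 sessions fit a T1 on session traffic alone, but adding the print traffic pushes the requirement past a T1's usable capacity, so printing bandwidth has to be in the model before the circuit is ordered.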

MetaFrame XP Presentation Server Farm

Application execution occurs on the servers running Microsoft Windows Server 2003 Terminal Services and Citrix MetaFrame XP Presentation Server. Because of the high resource demands made on these servers, as well as the challenges involved in configuring them to run multiple applications without DLL conflicts or other problems, it is prudent to utilize at least two load-balanced servers at all times. The MetaFrame XP Presentation Server load manager component is recommended over other solutions because of...

Publishing a MetaFrame for UNIX Application

Once MetaFrame and any desired UNIX applications are installed on the UNIX server, the next step is to publish the application. Once the application is published, it will be available to any ICA client (version 6.0 and later) and can be published via Web Interface for MetaFrame (see Chapter 16). Use the ctxappcfg command to publish an application. The command prompts the administrator for the information required to publish the application. Application installation is not part of the application...

Network Interface Cards

Most servers today come with Gigabit networking built in, and in most cases dual Gigabit networking. If a network card needs to be added to a server, we recommend using only the server type, that is, NICs that have their own processor and can offload the job of handling network traffic from the CPU. We also recommend using two NICs in a teaming configuration to provide additional bandwidth to the server as well as redundancy (if one network card fails, the server remains live since it can...

Viewing the Citrix XML Service Port Assignment

The Citrix XML Service is the communication link between the MetaFrame server farm and the server running Web Interface. Since IIS uses port 80 by default, and that port is a well-known target for attackers, an alternative port such as 8081 is recommended for the Citrix XML Service. This should have been selected during the install of MetaFrame on the first server in the farm. Moving the port is not a security control in itself: the XML Service should additionally be reachable only from the Web Interface server, so restrict the port at the firewall or on the server. See Figure 16-3 for a screen shot of the configuration page for the XML port.

MetaFrame XP

MetaFrame XP is the latest version from Citrix. With the release of Feature Release 3 (FR-3), XP is compatible with Microsoft's latest operating system, Windows Server 2003. In addition to the feature updates and changes, another very significant change that Citrix made with MetaFrame XP is in licensing. With MetaFrame 1.0 and 1.8, Citrix required a server license for every server with Citrix installed as well as bump packs for additional users, while MetaFrame XP only requires one base license...

Installation Overview

Perform the following steps to install MetaFrame:
1. For first-time installations of MetaFrame, create the Citrix server administrator user and group accounts.
2. Install MetaFrame from the CD-ROM.
3. For first-time installations of MetaFrame, add the MetaFrame path(s) to all users' paths so that the MetaFrame commands can be executed.
4. Start the MetaFrame processes on the server.

Creating the Citrix Server Administrator User and Group

For first-time installations of MetaFrame for UNIX,...

Logon Scripts

As the name implies, these scripts are designed to correct problems with the user logon environment, either with the HKEY_CURRENT_USER key, the user's home directory, or user-specific application settings. The USRLOGN2.CMD batch file calls the application logon scripts. This script is called by the main logon file, USRLOGON.CMD. USRLOGON.CMD is responsible for creating the RootDrive variable used by all logon scripts to identify the user's home directory. The RootDrive variable defines both...

MetaFrame Secure Gateway

In our view, one of the most significant new features developed by Citrix in the past three years is MetaFrame Secure Gateway, which is included in all editions of MetaFrame XP. Although Citrix has long provided access via the Internet, enterprise organizations often struggled with providing Internet access to SBC environments due to security concerns. Although both Citrix's ICA and Microsoft's RDP support 128-bit encryption, both protocols also require that firewall ports be opened, at both...

Hierarchy

Designing around Cisco's three-tier hierarchical structure defines three layers: the core layer, the distribution layer, and the access layer. Access layers typically provide the OSI Layer 2 and Layer 3 connectivity for local LAN segments (clients), remote LAN/WAN segments, and the data center server farm. The access layer enforces locally significant policies such as security, Quality of Service (QoS), and addressing. Access layer modules usually share common addressing (subnets...


Benefits of a Secure Gateway Deployment

As discussed in Chapters 3 and 12, MetaFrame Secure Gateway is one of the most significant new features developed by Citrix in the past three years. Although Citrix has long provided access via the Internet, prior to Secure Gateway organizations often struggled with providing Internet access to SBC environments due to security concerns. Although both Citrix's ICA and Microsoft's RDP protocols support 128-bit encryption, both protocols also require that firewall ports be opened at both the client...

Third-Party GINAs

No, third-party GINAs does not refer to Geena Davis, but instead to other third-party vendors such as Novell (Nwgina.dll) or pcAnywhere (AWgina.dll) whose GINA may block the Citrix GINA (Ctxgina.dll) from accomplishing its task of auto-creating printers. The primary operating system GINA is specified in the following registry key. By default, initial installations of Microsoft operating systems do not show this value, and Msgina.dll is considered the default GINA. Third-party vendors such as Citrix...

Intrusion Detection Systems

Intrusion detection systems (IDS) are now built in to many firewall products. A fully evolved IDS should encompass both Network IDS (NIDS), implemented on firewalls, routers, or appliances, and Host IDS (HIDS), implemented via software services on vulnerable servers. Enterprise NIDS services go well beyond the built-in capabilities of most firewalls. For example, Cisco's PIX firewall natively recognizes fewer than 100 attack profiles, has only limited autonomous response capability, and...

Meeting FIPS Security Requirements

To meet FIPS 140 security requirements, the parameters listed in the following subsections must be included in the Template.ica file on the Web Interface server, or in the user-level Appsrv.ini file of the local client device.

Configuring the Appsrv.ini File to Meet FIPS 140 Security Requirements

To configure the Appsrv.ini file to meet FIPS 140 security requirements: 1. Exit the Program Neighborhood Agent if it is running. Make sure all Program Neighborhood components, including the...

ABM Industries OnDemand Enterprise Implementation

Deploying JD Edwards in our fat-client PC environment would have been prohibitively expensive. The tremendous cost advantages of Citrix enabled us to deploy all applications and networking services to our users around the country, even to those working in small offices or at customer facilities. We replaced our disparate and often overlapping regional IT processing with a unified corporate IT department and approach. Anthony Lackey, Vice President of MIS, Chief Technology Officer, ABM Industries...

Queuing Mouse Movements and Keystrokes

Selecting the Queue Mouse Movements and Keystrokes check box in the client settings causes the Program Neighborhood client to send mouse and keyboard updates less frequently to the MetaFrame server. Check this option to reduce the number of network packets sent from Program Neighborhood to the MetaFrame server. Intermediate mouse packets are discarded, and keystroke packets are coalesced into a single larger packet. To set the mouse movement and keystroke queuing settings on the...

Upgrading from Windows and MetaFrame

Migration from MetaFrame 1.8 to MetaFrame XP on Windows 2000 is intended to be a transitional strategy, not a permanent fixture. During the migration process, the MetaFrame server farm must run in Interoperability mode, which limits the use of some MetaFrame XP advanced features. The following general limitations apply: Upgrade Citrix MetaFrame from 1.8 to XP first. Migration licenses are required. Avoid leaving the farm in Interoperability mode for an extended period. The MetaFrame XP server...

Operating System Installation Procedures

The following step-by-step instructions are meant to provide a quick reference for installing Windows 2000 Server and Windows Server 2003 with Terminal Services. Included in these instructions are the post-installation changes we recommend to address limitations in the operating system itself. These limitations are often due to insufficient default values, but they can also be settings to work around bugs, or simply changes we think are necessary to the health and well-being of an SBC...

What Are You Trying to Protect?

The generic answer, more often than not, is corporate data. Corporate data must be protected with respect to the following. Data access: Access must be limited only to appropriate users, without impacting authorized access to data or application performance when manipulating data. Figure 8-1 shows the correlation between the level of security and its impact on a user's ability to work. The three security paradigms, Open, Restricted, and Closed, are discussed later in this chapter. The common criteria linked to data access...

IP Protocols and Ports

Referring back to Figure A-1, note that at both the transport and network layers, services are keyed to specific protocols (of which IP is one) and ports (such as TCP port 23 for Telnet). Numerous web sites have extensive lists of both well-known and not-so-well-known ports and protocols. The partial lists in Table A-2 (protocols) and Table A-3 (ports) cover the majority of values common in modern networking. Table A-4, meanwhile, lists Internet Control Message Protocol message types and codes....

Communication Plan

It is essential to communicate about the project with users. We recommend over-communicating about the project migration parameters and expectations. Regular e-mails are certainly valuable. Prepare a list of frequently asked questions (FAQs) to help inform users about their new environment.

Issue Regular Project Updates

Relay the key achievements since the last update. Talk about the project status and where the project is going in the next period. Discuss what is required to ensure success....

Web Interface for MetaFrame

Web Interface for MetaFrame (formerly called NFuse Classic) evolved from the Citrix ALE technology used to deploy applications to web browser clients. Web Interface combines the web-publishing features of the ALE client with many of the management features of Program Neighborhood, including the ability to dynamically publish a new application to a logged-on user. Users just click the Refresh button on their browser, and the new application icon appears on the desktop within the browser. Web...

Server Hardening

Server hardening measures are specific to the server OS and applications. In the Windows NT Terminal Server/Citrix MetaFrame XP environment, extensive modifications to the registry, directory and file permissions, and registry permissions were required to secure the server. Beginning with Windows 2000 and continuing in Windows Server 2003, the vast majority of these changes are made dynamically when Terminal Services mode is invoked. Server hardening in general can be risky, although standard...

Configuring and Enabling ICA Clients for SSL and TLS

SSL and TLS are configured in the same way, use the same certificates, and are enabled simultaneously. When both are enabled, each time a connection is initiated the client attempts TLS first, then falls back to SSL. If it cannot connect with SSL either, the connection fails and an error message appears. Because this fallback is silent on the client, only a server-side setting can guarantee that TLS is actually used.

Forcing TLS Connections for All ICA Win32 Clients

To force the ICA Win32 clients (including the ICA Win32 Web Client) to connect with TLS, the Secure Gateway server or SSL Relay service needs...

MetaFrame Program Neighborhood Agent Client

With MetaFrame Feature Release 1, Citrix introduced a new Win32 client choice called Program Neighborhood Agent. PN Agent is a Windows 32-bit desktop client that uses a Web Interface server for its configuration. For local PC of-both-worlds solution, including a robust set of desktop-integrated features, yet requires little to no client-s PN Agent supports Client-to-Server Content Redirection, which utilizes the MetaFrame Web Interface Serve automatically update a user's MIME type associations to call ICA...

Starting and Stopping MetaFrame for UNIX

When installation is complete, start the MetaFrame process on each server using the ctxsrv command.

1. Log on at the MetaFrame server as a Citrix server administrator (for example, log in with the default user ctxsrvr).
2. At the command prompt, type ctxsrv start.

Note: If during installation you chose to add the startup/shutdown script, MetaFrame will automatically start when the machine is booted. To stop the MetaFrame process on a server, use the ctxshutdown command. With ctxshutdown, the time...

The Core Module

The dual Catalyst 6513 core (Figure 17-17) is linked by a 10 Gigabit Ethernet fiber link using single-mode fiber transceivers originally intended for far greater distances (optical attenuation is therefore required). This allows the server and core switches to be physically separated in different areas of the data center without loss of throughput. Individual Layer 3 fiber links to every campus distribution switch, the DMZ switch, and the Private WAN distribution module ensure that no single failure, or even the failure...

About ICA Client Keyboard Support

This section describes how to use ICA Client devices with non-English keyboards with MetaFrame for UNIX servers. MetaFrame for UNIX supports ICA Client devices that use the following keyboards

Configuring Non-English Keyboard Support

To configure non-English keyboard support:

1. Ensure you start the server in the country locale of the ICA Client keyboard that your users are using. For example, if your users have German keyboards, start the server in a German locale. This ensures that the session...

Driver Compatibility

Driver compatibility is a configurable option within MetaFrame that allows administrators to specify eith drivers for printer auto-creation or a list of incompatible drivers that are not to be mapped when presented t client (Never Create). Incompatible drivers would typically be ones such as fax drivers, Adobe Distiller, ant and managing these lists is accessed by

2. Opening the Printer Management section.
3. Right-clicking Drivers and selecting Compatibility.

The Driver Compatibility...

Configuring MetaFrame for UNIX Event Logging

Following an initial install of MetaFrame for UNIX, events are not configured to be sent to the system log (syslog). MetaFrame uses the following event log levels To record MetaFrame events, add a line to the /etc/syslog.conf file and specify the event log levels to be recorded. You must be logged in as root to edit syslog.conf. Note: The event log level names that MetaFrame uses may also be used by other programs, so you may see messages from other software in the event log. For example, adding the...

Configuring Web Interface Through the Web Administration Tool

Citrix introduced a new, easy-to-use GUI administration tool to configure the MetaFrame servers, authentication settings, server-side firewall settings, client-side firewall settings, ICA Client deployment settings, and ICA customization. The Web Interface Web Administration tool is a GUI for making changes to the nfuse.conf file located in the C:\Program Files\Citrix\NFuse\conf folder. After making changes using the Web Administration tool, simply save and apply them so the new...

Program Neighborhood vs Program Neighborhood Agent

Because the configuration options must be configured (either remotely or locally) via the configuration files rather than centrally via the Web Interface server, Program Neighborhood is more client-configuration inten in which the full Program Neighborhood client should be used rather than PN Agent:

When there is no Web Interface server in the environment
When the users require detailed configuration of the client
In disparate user environments, where each user has very different client settings...

Enabling Smart Card Logon

This section assumes that smart card support is enabled on the MetaFrame server, and that the client device is properly set up and configured with third-party smart card hardware and software. Refer to the documentation that came with your smart card equipment for instructions about deploying smart cards within your network. The smart card removal policy set on the MetaFrame server determines what happens if the smart card is removed from the reader during an ICA session. The smart card...

Migration Limitations and Restrictions

Table 20-1 highlights the possible upgrade paths. Within the table, Windows NT 4.0 Terminal Server Edition and all Windows 2000 versions are assumed to use Microsoft's native RDP-based services only (no Citrix software).

Table 20-1: The Operating System and MetaFrame Upgrade Matrix (columns: Windows NT Server Enterprise Edition; Windows NT 4.0 Terminal Server Edition (TSE))

Hot Site Data and Database Resumption

The most critical part of the business continuity plan is the ability to recover the file and database data (the disaster recovery section of business continuity). Even if the full business continuity plan is not enacted, the recovery of data is critical. For example, if the Oracle data becomes corrupt or the Oracle cluster should completely fail, even though this does not constitute a disaster, it is critical that the data be recovered quickly and easily. Worse yet, if a government seizure...

User and Application Simulation

The goal of simulation is to determine, with relative accuracy, the number of servers required to support a given number of users at a given acceptable performance level. Note: The number of terminal servers is not the only concern when considering the capacity and scalability of an environment. As an environment grows, other services such as network bandwidth, file servers, license servers, web servers, security servers, and others will also require additional resources. In order to build an...

Bandwidth Management

In most thin-client WAN environments, calculated bandwidth should provide optimal performance, but sel bandwidth cannot protect thin-client bandwidth when the network administrator downloads a large file or a u unpredictable behaviors can degrade SBC services to remote users due to bandwidth starvation or excessiv control bandwidth utilization and assure responsive service environments: Layer 2 CoS and queuing, Layer NBAR), and appliance-based bandwidth managers (Packeteer). Each of these has...

Hardware Life Cycle Estimates

In order to build a realistic financial model, the feasibility committee should estimate life cycles for PCs, laptops, Windows terminals, and servers. These figures should reflect the number of expected months of use for each device, like those listed next.

Personal computers: The average realistic PC life cycle in most organizations seems to range between two and four years, though some organizations keep them even longer.
Laptops: The average laptop's life expectancy is generally around two...

Soft Cost Figures

Soft costs are those costs that are harder to quantify, but that still clearly impact the organization.

Application Rollouts

The estimated number of application upgrades or rollouts is used to calculate their costs, assuming that excess personnel or contractors are required to accomplish them. If your organization simply forgoes most application upgrades because of the huge cost of performing them within a PC-based computing environment, then having the latest software can be identified...

Addressing Basics

Standards define IP addresses by class and further define reserved and private address ranges. Reserved addresses are not usable by host devices, while private addresses are private in the sense that they are not routable over the Internet and must undergo network address translation (NAT) to a registered public IP address when traversing the Internet. Table A-1 lists the IP address allocations.
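The class, reserved and private distinctions Table A-1 draws, worked through in code as an added example (this is not code from the book): the class and default mask come from the leading bits of the first octet, the private ranges are the RFC 1918 blocks, and "host usable" excludes the reserved, loopback, link-local, multicast and experimental ranges as well as the classful network and broadcast addresses. Only the Python standard library is used; the sample addresses are constructed.

```python
"""Added example: classify an IPv4 address by class, reserved/private status and NAT need.
Standard library only; the sample addresses used in the test are constructed."""
import ipaddress

# RFC 1918 private ranges: never routed on the Internet, so a host here needs NAT
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_prefix(addr: ipaddress.IPv4Address):
    """Return (class letter, default prefix length) from the leading bits of the first octet.
    Classes D and E have no host addressing, so their prefix is None."""
    first = int(addr) >> 24
    if first & 0x80 == 0x00:
        return "A", 8          # 0xxxxxxx
    if first & 0xC0 == 0x80:
        return "B", 16         # 10xxxxxx
    if first & 0xE0 == 0xC0:
        return "C", 24         # 110xxxxx
    if first & 0xF0 == 0xE0:
        return "D", None       # 1110xxxx multicast
    return "E", None           # 1111xxxx experimental/reserved


def describe(ip_text: str) -> dict:
    """Everything a network designer wants to know before assigning this address to a host."""
    addr = ipaddress.IPv4Address(ip_text)
    cls, prefix = classful_prefix(addr)
    net = None
    if prefix is not None:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        net = ipaddress.IPv4Network((int(addr) & mask, prefix))
    private = any(addr in rng for rng in PRIVATE_RANGES)
    # Ranges that are not assignable to hosts at all
    reserved = (addr.is_reserved or addr.is_loopback or addr.is_unspecified
                or addr.is_link_local or addr.is_multicast)
    # The classful block's network and broadcast addresses are not host addresses either
    network_or_broadcast = net is not None and addr in (net.network_address, net.broadcast_address)
    host_usable = not reserved and not network_or_broadcast
    return {
        "address": ip_text,
        "class": cls,
        "default_mask": str(net.netmask) if net else None,
        "classful_network": str(net) if net else None,
        "private": private,
        "reserved": reserved,
        "host_usable": host_usable,
        "needs_nat_for_internet": host_usable and private,
    }


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.32.0.1", "192.168.1.255", "224.0.0.5", "127.0.0.1"):
        print(describe(sample))
```

Note that `ipaddress`'s own `is_private` flag covers more than RFC 1918 (documentation and carrier-grade NAT blocks, for instance), which is why the example keeps an explicit list for the NAT decision.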

RDP Client Software Architecture

The RDP client software is installed on the server under the directory The client disk creator program under Start | Programs | Administrative Tools | Terminal Server Client Creator will make the necessary disk set for distribution to client PCs. When the Terminal Server client starts, the user interface calls the core API to set up a session with a server name or IP address. The default TCP/IP port is 3389. The security layer...

Enabling Loopback Processing Within the Group Policy Object

Figures 15-10 and 15-11 show the Group Policy enabling process and how to change the loopback mode setting to Replace. The steps are as follows:

1. Select the Group Policy Object and click Edit.
2. Choose Computer Configuration | Administrative Templates | System | Group Policy and double-click User Group Policy loopback processing mode.
3. Check the radio button next to Enabled.
4. Set the mode to Replace or Merge based on the user environment. With Replace, only the user settings in the GPOs that apply to the terminal server's computer object are processed; with Merge, the user's own GPOs are processed first and the computer's GPOs are applied on top, winning any conflict.

Web Interface ICA Client Settings

The Client Settings portion of the Web Interface Administration page allows configuration of the ICA Client firewall settings, client proxy settings, client download settings, and ICA Client customization settings.

Configuring Client-Side Firewall Settings on the Web Interface Server

If a proxy server firewall is in place between the ICA client and the Web Interface server, you can specify whether clients must communicate with the MetaFrame server via the proxy server. From the Client-Side...

DOS and 16-Bit Applications

In order for a DOS or 16-bit application to run under Windows NT 4.0, a separate resource pool must be created for that program. This is because such applications cannot share memory in the same way as 32-bit programs that were created specifically to run on Windows NT. This resource pooling program is called ntvdm, for NT Virtual DOS Machine. It uses the partitioning capability of the Intel architecture to create a virtual 8086 environment in which each DOS program can run. When...

MetaFrame XP Auto-Created Client Printing

Client printer auto-creation can be configured at the following levels:

Per MetaFrame XP farm: This is configured in the CMC by selecting Printers in the left pane of the Prin
Per server: This is configured by clicking Client Settings in the Properties of the ica-tcp connection in C
Per user: This is configured by Citrix user policies within the Policies section of the CMC.

Per MetaFrame XP Farm

The farm settings are configured from the Citrix Management Console by right-cli clicking Properties. In...

TSE Internals

In order to achieve the multiuser capabilities required in TSE, the Citrix MultiWin technology needed to be integrated into the Windows NT 4.0 Server kernel. This integration meant that several components, services, and drivers were added to or modified in the original Windows NT 4.0 Server core operating system. Windows NT 4.0 components such as the Virtual Memory Manager (VMM) and Object Manager (OM) were modified to perform in a multiuser environment.

Virtual Memory Manager

The VMM in TSE mapped...

Daily Maintenance Activities

Daily maintenance activities are centered on the essential tasks needed to ensure the Citrix farm is highly available and is servicing end users' needs. These tasks should include, but not be limited to, the following:

Back up the datastore: A Microsoft Access-based datastore (DS) can be backed up either using the dsmaint backup command utility or by copying the backup datastore file (mf20.bak), which is created every time the IMA service is stopped, to a network share. This task is most...

Upgrading from Windows NT Server

The upgrade path from Windows NT 4.0 to Windows 2000 Server or Windows Server 2003 is more linear. The fundamental Microsoft restrictions must be met in terms of hardware capability and application and driver compatibility. In addition, the primary domain controller (containing the read/write copy of the accounts database) must be upgraded first. Although NT 4.0 Service Pack 5 is the stated minimum requirement, Service Pack 6a provides greater stability and the same NTFS version compatibility...

Customizing the Text on the Web Interface Web Site

Web Interface for MetaFrame may be branded with custom text and graphics to customize the default web site. The following section describes how to make subtle changes that customize the site to match your organization. Figure 16-5 shows an example of a custom Web Interface application list page.

Figure 16-5: A custom Web Interface page showing the contents of a Microsoft folder

Customizing the Text on the Web...

Example Installation Instructions: Installing Microsoft Office XP on Windows Server for Use in a Terminal Services Environment

For the purposes of providing an example of a common application installation in a Terminal Services environment, we will utilize our fictional case study, CME Corp introduced in Chapter 10, as an example. CME Corp, a medical device manufacturer with 3000 employees worldwide, will be deploying Microsoft Office XP. In order to install Office XP in the Terminal Services environment, a Microsoft Transform file (MST) will be used for installation. The MST file allows for full customization of the...

Server Settings

This section of the Web Interface Administration page provides the hooks into the MetaFrame server farm infrastructure. It is linked from the main Web Interface admin page.

Configuring MetaFrame Farms

You can configure one or more MetaFrame farms within the same administrative domain to communicate with Web Interface. Applications from multiple MetaFrame farms are displayed in the same way as for a single farm: folders are displayed first, followed by application icons. Consequently, applications...

Citrix MetaFrame for UNIX Version Licensing

Citrix MetaFrame for UNIX licensing is different from Citrix MetaFrame XP licensing in four significant ways:

1. MetaFrame for UNIX is licensed per server and per concurrent user. For instance, a 15-user license can only be put on one server; if additional server power is required, a second 15-user license is required even though the first server is only supporting five users. Although server licenses can be pooled as the farm grows (using Citrix load balancing), more thought and planning need...

Auto Creation of Client Printers

The auto-creation of client printers for Windows 32-bit clients is a complex process that allows for great flex environment. The basic process is outlined next.

1. ICA session initiation/login: When a user logs in, a series of programs are run, including the followi login scripts (if available), client drive mapping (if enabled), printer auto-creation (if enabled), and application compatibility scripts (if present).
2. User rights are evaluated and permissions checked: The MetaFrame server determines...

How the Load Manager Works

Administrators use the CMC to set load-management parameters. Load management makes decisions based on administrator-defined rules that set lower and upper limits on a number of variables tracked on each server; a set of such rules is a load evaluator. The load an evaluator reports is a number between 0 (free) and 10,000 (fully utilized). The zone data collectors are responsible for keeping track of each server's reported load and directing users to the least-busy servers. When more than one rule is applied...
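A model of the decision just described, as an added example (this is illustrative code, not Citrix's Load Manager): each rule turns an observed metric into a load between 0 and 10,000 from its lower and upper thresholds, a server reports a single load figure, and the data collector sends the next user to the least-loaded server that is not already full. Two details are assumptions, because the text above breaks off before stating them: load is taken to rise linearly between a rule's two thresholds, and a server's load is taken to be the highest load any of its rules reports. The rule thresholds and server metrics are constructed sample values.

```python
"""Added example: rule-based load evaluation and least-busy server selection.
Model only, not Citrix code. Assumed: linear load between thresholds, and a server's
load is the highest of its rules' loads. Sample rules and metrics are constructed."""

FULL_LOAD = 10_000


def rule_load(value: float, low: float, high: float) -> int:
    """Load contributed by one rule for the observed value of its metric."""
    if high <= low:
        raise ValueError("upper threshold must exceed lower threshold")
    if value <= low:
        return 0
    if value >= high:
        return FULL_LOAD
    return round((value - low) * FULL_LOAD / (high - low))   # assumption: linear ramp


def server_load(metrics: dict, rules: dict) -> int:
    """A server's reported load: the highest load any one of its rules reports (assumption)."""
    return max(rule_load(metrics[name], low, high) for name, (low, high) in rules.items())


def choose_server(servers: dict, rules: dict):
    """The data collector's decision: least-loaded server that is not at full load.
    Returns (chosen server name or None, load of every server)."""
    loads = {name: server_load(metrics, rules) for name, metrics in servers.items()}
    candidates = [(load, name) for name, load in loads.items() if load < FULL_LOAD]
    if not candidates:
        return None, loads          # every server is full: refuse rather than overload one
    _, chosen = min(candidates)     # ties broken by server name, so the choice is deterministic
    return chosen, loads


# Constructed sample: one evaluator with three rules (lower, upper thresholds)
RULES = {"cpu_pct": (10, 90), "memory_pct": (10, 90), "users": (0, 40)}
SERVERS = {
    "ts1": {"cpu_pct": 50, "memory_pct": 30, "users": 10},
    "ts2": {"cpu_pct": 20, "memory_pct": 95, "users": 5},   # memory rule at its ceiling: full
    "ts3": {"cpu_pct": 30, "memory_pct": 40, "users": 12},
}

if __name__ == "__main__":
    chosen, loads = choose_server(SERVERS, RULES)
    print(loads, "->", chosen)
```

The point worth noticing is that a single rule at its ceiling takes a server out of rotation even when its other metrics are idle, which is exactly what you want for a memory-exhausted terminal server and exactly why thresholds need to be set from measured data rather than guessed.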

Configuring STA

When installation of the software is complete, the STA Configuration tool is launched. The following information needs to be entered to configure STA:

1. Select Typical or Advanced Configuration. Our recommendation is to select the Advanced Install option to specify all the configuration values required for STA operation. Click Next.
2. Specify configuration values for STA. STA ID: This is a unique identification string for the STA server. Enter a maximum of 16 alphanumeric characters, uppercase...
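Why the STA ID has to be unique is easier to see from what the Secure Ticket Authority does with it, so here is a minimal model as an added example (illustrative code, not Citrix's implementation and not its ticket format): the STA mints a random ticket bound to one MetaFrame server, prefixes it with its STA ID so a gateway that trusts several STAs knows which one to ask, and lets the gateway redeem the ticket exactly once before a time-to-live runs out. The ID rule (1 to 16 uppercase alphanumeric characters) is taken from the truncated step above; the server names, port and TTL are constructed.

```python
"""Added example: a model of a Secure Ticket Authority keyed by its STA ID.
Illustrative only; not Citrix code or Citrix's ticket format. The clock is injectable
so that expiry can be exercised without sleeping."""
import secrets
import time

STA_ID_MAX_LEN = 16


def valid_sta_id(sta_id: str) -> bool:
    """The configuration tool's rule as read here: 1-16 uppercase ASCII alphanumerics."""
    return (0 < len(sta_id) <= STA_ID_MAX_LEN and sta_id.isascii()
            and sta_id.isalnum() and sta_id == sta_id.upper())


class TicketAuthority:
    def __init__(self, sta_id: str, ttl_seconds: float = 100.0, clock=time.monotonic):
        if not valid_sta_id(sta_id):
            raise ValueError("STA ID must be 1-16 uppercase alphanumeric characters")
        self.sta_id = sta_id
        self.ttl = ttl_seconds
        self.clock = clock
        self._tickets = {}          # token -> (expires_at, (server, port))

    def request_ticket(self, server: str, port: int) -> str:
        """Minted on a user's behalf before launch: bound to one server, unguessable."""
        token = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
        self._tickets[token] = (self.clock() + self.ttl, (server, port))
        return "%s;%s" % (self.sta_id, token)  # assumed format: STA ID, ';', token

    def validate(self, ticket: str):
        """Redeemed by the gateway exactly once, before expiry. Returns (server, port)
        or None; the caller is told nothing about why a ticket was rejected."""
        sta_id, sep, token = ticket.partition(";")
        if not sep or sta_id != self.sta_id:
            return None                         # not ours: another STA must be asked
        entry = self._tickets.pop(token, None)  # pop, not get: a ticket is single-use
        if entry is None:
            return None
        expires_at, target = entry
        if self.clock() > expires_at:
            return None
        return target

    def purge_expired(self) -> int:
        """Housekeeping so unredeemed tickets do not accumulate; returns how many were dropped."""
        now = self.clock()
        stale = [t for t, (expires_at, _) in self._tickets.items() if expires_at < now]
        for t in stale:
            del self._tickets[t]
        return len(stale)


if __name__ == "__main__":
    sta = TicketAuthority("STA01")
    ticket = sta.request_ticket("ts1.cme.local", 1494)   # constructed server name and ICA port
    print(ticket, "->", sta.validate(ticket), "then", sta.validate(ticket))
```

In this model two STAs configured with the same ID would both accept the prefix and neither could tell whose ticket it was being asked about, which is the practical reason the configuration tool insists the ID be unique across the deployment.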

Requesting the Server Certificate

In order to complete the certificate request, you must provide the following documentation to the CA tr

Proof of Organization: Before a Secure Server ID can be issued, the CA will need to verify that your company or organization has the legal right to conduct business under the name you specify in your enrollment request. Documentation may include a business license, the registration of a trade name, or a Dun & Bradstreet number. If you have a Dun & Bradstreet D-U-N-S Number registered for...

OSI Model Data Flow

Understanding data flow through the OSI model, particularly the lower layers, is key to understanding network design, performance, and troubleshooting. Figure A-2 shows the process of data encapsulation from Layer 7 down to transmission on the wire at Layer 1. The original application message is encapsulated at each successive layer by prepending (and in some cases also appending) the lower layer's protocol information to the payload. This layered functionality is what allows a single workstation to...
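The encapsulation Figure A-2 describes, and the protocol, port and ICMP values that Tables A-2 through A-4 catalogue, worked through in Python as an added example (not code from the book): an application payload is wrapped in a TCP or ICMP header, then an IPv4 header, then an Ethernet frame, and the parser walks the layers back up, checking the IPv4 header checksum before it trusts the protocol field and the port numbers. The MAC addresses, IP addresses, ports and payload bytes are constructed; the few protocol, port and ICMP names included are the well-known values the tables list.

```python
"""Added example: Layer 7 payload -> L4 -> L3 -> L2 encapsulation and the reverse parse.
Sample addresses, MACs, ports and payloads are constructed, not taken from the book."""
import socket
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}                       # IPv4 header protocol field
TCP_PORTS = {23: "Telnet", 80: "HTTP", 443: "HTTPS", 1494: "ICA", 3389: "RDP"}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 checksum: 16-bit ones-complement sum of the data, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port, dst_port, payload, seq=1, ack=0, flags=0x18):
    """Layer 4: 20-byte TCP header, no options. The TCP checksum is left 0 to keep the
    example short; a real stack computes it over an IP pseudo-header."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def build_icmp(icmp_type, code, ident, seq, payload=b""):
    """Layer 4 (ICMP rides directly on IP): type, code, checksum, identifier, sequence."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = ones_complement_checksum(hdr + payload)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + payload


def build_ipv4(src_ip, dst_ip, proto, transport, ttl=64):
    """Layer 3: prepend a 20-byte IPv4 header carrying a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + transport


def build_ethernet(dst_mac, src_mac, packet):
    """Layer 2: destination MAC, source MAC, EtherType 0x0800 (IPv4)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + packet


def parse_frame(frame: bytes) -> dict:
    """Decapsulate L2 -> L3 -> L4 and report what each layer is keyed on.
    Malformed input raises ValueError rather than being guessed at."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("EtherType is not IPv4")
    packet = frame[14:]
    if packet[0] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    header = packet[:ihl]
    if ones_complement_checksum(header) != 0:      # a valid header re-checksums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", header[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    proto = header[9]
    transport = packet[ihl:total_len]
    info = {"src_ip": socket.inet_ntoa(header[12:16]), "dst_ip": socket.inet_ntoa(header[16:20]),
            "protocol": IP_PROTOCOLS.get(proto, "unknown(%d)" % proto)}
    if proto == 6 and len(transport) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", transport[:14])
        data_offset = (off_flags >> 12) * 4
        info.update(src_port=sport, dst_port=dport, service=TCP_PORTS.get(dport, "unknown"),
                    flags=off_flags & 0x1FF, payload=transport[data_offset:])
    elif proto == 1 and len(transport) >= 8:
        if ones_complement_checksum(transport) != 0:
            raise ValueError("ICMP checksum mismatch")
        info.update(icmp_type=transport[0], icmp_code=transport[1],
                    icmp_name=ICMP_TYPES.get(transport[0], "unknown"))
    return info


# Constructed samples: a workstation opening an RDP session, and a ping, to a terminal server
RDP_FRAME = build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           build_ipv4("10.1.1.5", "192.168.1.10", 6, build_tcp(40000, 3389, b"\x03\x00\x00\x0b")))
PING_FRAME = build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                            build_ipv4("10.1.1.5", "192.168.1.10", 1, build_icmp(8, 0, 1, 1, b"abcd")))

if __name__ == "__main__":
    print(parse_frame(RDP_FRAME))
    print(parse_frame(PING_FRAME))
```

Two things the figure alone does not show: every layer's parser bounds-checks against the length field of the layer below it before indexing, and the checksum verification is done on the header as received (including its checksum field), which must sum to zero; flipping a single bit of the TTL is enough to make the parser reject the packet.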

Mandatory Roaming Profiles

A mandatory roaming profile is a specific type of roaming profile that is preconfigured by an administrator and cannot be changed by the user. This type of profile has the advantage of enforcing a common interface and a standard configuration. A user can still make modifications to the desktop, Start menu, or other elements, but the changes are lost when the user logs out, as the locally stored profile is not saved back to the network share. Mandatory roaming profiles are created by renaming the...

Central Configuration of the Program Neighborhood Agent Client

The advantage of PN Agent over the other ICA clients (other than the web client) is that it is configured centrally through the Program Neighborhood Agent Admin tool (which changes an XML file on the Web Interface server) rather than via configuration files on the client devices. To access the Program Neighborhood Agent Admin tool, connect to http://servername/Citrix/PNAgentAdmin on the server running MetaFrame Web Interface. The custom options for all users running the Program Neighborhood Agent on a network are defined in a ci server running the...

TriCerat ScrewDrivers v

Simplify Printing v2 is based on the well-known ScrewDrivers architecture. It is a universal printer driver that hooks into the Windows Print Spooler service to provide the full functionality of local printers. It sends print jobs in the EMF format, which is the native Windows spooling format. Once the job is compressed and sent to the client-side plug-in, it is decompressed and rendered to the local client printer. On the Terminal Server, the ScrewDrivers printer driver mimics the standard Windows...