Study Guide Microsoft

8/9/2019 Study Guide Microsoft

1/46

Citrixxperience.com

1Y0-259 Citrix Presentation Server 4.5:Administration

Study Guide

Version 1.0(September 4, 2008)


2/46


3/46

For more Citrix certification preparation products, visit Citrixxperience.com. iii

Table of Contents

Subject Page

Installing and Managing Citrix Presentation Server 1

Configuring Farm Settings 3

Configuring ICA Sessions 10

Configuring Policies 14

Publishing Applications and Content 20

Deploying Applications 25

Creating and Assigning Load Evaluators 28

Configuring Printing 31

Enabling Web Access to Published Applications and Content 36

Securing Access to Published Applications and Content 41

The most trusted web site for Citrix certification preparation products, Citrixxperience.com


4/46

VisitCitrixxperience.comformoreCitrixcertificationpreparationproducts.

ThemosttrustedwebsiteforCitrixcertificationpreparation,Citrixxperience.com

1

1Y0259CitrixXenApp:AdministrationStudyGuide

InstallingandManagingCitrixPresentationServer

InstallPresentationServer4.5License

OpentheLicenseManagementConsole.

ClickConfigureLicenseServer>Step1:DownloadlicensefilefromMyCitrix.com.

LogintoMyCitrixandfromtheCurrentTooldropdownlistselectActivate/Allocate.

Downloadthelicensefile.

CopythelicensefiletoyourlicenseserverwiththeLicenseServerManagementConsole.

MakesurethedirectoryappearsintheUploadlicensepage,orbrowsetoitandclick

Upload.

OntheLicenseFilespage,clickUpdatelicensedata.

Thefilewillappearinthetableonthepage.

InstallingProgramNeighborhoodAgent

WhenusingtheProgramNeighborhoodAgent,ifyouwanttheuserstobepromptedfor

authenticationtoaCitrixPresentationServereverytime,selectNowhenconfiguringpass

throughauthentication

during

Program

Neighborhood

Agent

installation.

WhenconfiguringProgramNeighborhoodAgent:

TypethenameoftheserverhostingtheProgramNeighborhoodAgentServicessite.

Intheformatofhttp://servernameorhttps://servernameandthenclickNext.

ReplaceservernamewiththenameoftheWebInterfaceserver.

UpdatePresentation

Server

ToupdateaPresentationServer3.0or4.0serverfarmrunningonWindows2003youcantake

advantageoftheautomaticupgradepath.

OntheinitialAutorunscreenofSetup,selectInstallCitrixPresentationServer4.5andits

components.


5/46


6/46



3

SinglezonesworkbestwhenallPresentationServersarelocatedinthesamegeographical

locationwhilemultiplezonesworkbestwhenPresentationServersareseparated

geographically.

ConfiguringShadowingDuringInstallation

ShadowingrestrictionssetduringtheinstallationofPresentationServerarepermanent.

Ifshadowingwasdisabledorcapabilitiesrestrictedduringtheinstallation,neithershadowing

northerestrictedcapabilitiescanbeenabledaftertheinstallationiscompletewithout

reinstallingPresentationServer.

IMAEncryption

PresentationServercanbeconfiguredtoencrypttheIMAcommunicationsusedtosend

informationto

the

data

store

and

configuration

logging

databases.

Thisencryptioncanaddalayerofsecuritytothesensitivedatastoredinthedatabases.

UsersandGroupsConsiderationsatInstallation

DuringtheinstallationofPresentationServer,theexistingusersandgroupsandtheanonymous

useraccountscreatedbyPresentationServercanbeaddedtothelocalRemoteDesktopUsers

groupontheserver.

Only

users

and

groups

that

are

members

of

the

local

Remote

Desktop

Users

group

can

access

resourcesontheserverusingtheICAorRDPprotocol.

Iftheusersandgroupsdonotexistatthetimeoftheinstallationortheadministratorwantsto

manuallyaddtheusersandgroups,theadministratorcanusetheComputerManagement

utilityontheservertoperformthistaskaftertheinstallationcompletes.

ConfiguringFarmSettings

HealthMonitoring

and

Recovery

CitrixprovidesastandardsetofHealthMonitoringandRecoverytests.

CitrixIMAServicetest

CitrixXMLServicetest


7/46


8/46



5

Toconfigureaserverasthedatacollector,theadministratorshouldsettheserverselection

preferencetoMostPreferred.

Toconfigureaservertoneverbecomethedatacollector,theadministratorshouldsetthe

serverselectionpreferencetoNotPreferred.

Otherelectionpreferencesare:Preferred,whichisthebackupdatacollector,andDefault

Preference,whichallowstheservertobethedatacollectorifthemostpreferreddatacollector

andbackupdatacollectorarenotavailable.

Afterconfiguringtheelectionpreference,restarttheIMAServiceorreboottheserver.

ConfigurationLogging

Theconfigurationloggingfeatureallowsyoutokeeptrackofadministrativechangesmadeto

yourserverfarmandgeneratesreportsthatshowwhatchangesweremade,whentheywere

madeand

who

made

them.

Ahighlevelexplanationofconfiguringconfigurationlogging:

Createtheconfigurationloggingdatabase.

VerifytheconfigurationloggingdatabaseisspecifiedintheDatabasetypefield.

Configuretheconfigurationsettingsfortheserverfarm.

Whenneeded,theadministratorcanclearthedatastoredintheconfigurationloggingdatabase.

Tosetuploggingofadministrativetasks:

OpentheAccessManagementConsole.

RightclicktheserverfarmnodeandclickProperties.

ExpandtheFarmwidenodeandclickConfigurationLogging.

VerifythataconfigurationloggingdatabaseisspecifiedintheDatabasetypefield.

SelectLogadministrativetaskstotheloggingdatabase.

ClickOK.

VirtualIPAddressing

SomeapplicationsneedauniqueIPaddressforeachapplicationforlicensing,addressing,

identificationorotherpurposes.


9/46



6

WithvirtualIPaddressing,youcanassignastaticrangeofIPaddressestoaserverorservers

andhavetheseaddressesindividuallyallocatedtoeachsessionsothatconfiguredapplications

runningwithinthatsessionappeartohaveauniqueIPaddress.

ToconfigurevirtualIPaddressing:

OpentheAccessManagementConsoleselectafarm.

SelectAction>Modifyfarmproperties>ModifyvirtualIPproperties.

OpenAddressConfigurationfromtheVirtualIPpageinthefarmsPropertieslist.

UsetheAddressConfigurationdialogboxtoconfigurethevirtualIPaddressrangesand

assignthemtoservers.

ClickOKtorestarttheaffectedservers.

ThenumberofvirtualIPaddressesspecifiedforaservershouldbeequaltoorexceedthe

maximumnumberofconcurrentsessionstotheserver.

IfavirtualIPaddressisnotavailableatconnectiontime,anInsufficientvirtualIPaddressesare

notavailableerrormessageisdisplayedontheclient.Thesessionmayopen,butapplications

thatrequireanIPaddressmaynotworkcorrectly.

CitrixPorts

Port

2512

is

used

for

server

to

server

communication

using

the

IMA

Service.

TheAccessManagementConsoleusesport135.

CitrixSSLRelayusesport443.

ICAsessionsuseport1494.

ClienttoserverUDPsessionsuseport1604.

TheIMAServiceusesport2513forcommunicationbetweenthePresentationServer

ConsoleandPresentationServers.

Sessionreliabilityusesport2598.

TheLicenseManagementConsoleusesport8082.

Servertolicenseservercommunicationtakesplaceoverport27000.


10/46



7

VirtualLoopback

Virtualloopbackprovidespublishedapplicationswithloopbackaddressestouseinsessions.

Whenenabled,thevirtualloopbackfunctiondoesnotrequireanyadditionalconfigurationother

thanspecifyingwhichprocessesusethefeature.

Whenanapplicationusesthelocalhostaddress(127.0.0.1)inaWinsockcall,thevirtual

loopbackfeaturesimplyreplaces127.0.0.1with127.X.X.XwhereX.X.Xisarepresentationofthe

sessionID+1.

Forexample,asessionIDof7is127.0.0.8.

SessionReliability

Sessionreliabilitykeepssessionsactiveontheusersscreenwhennetworkconnectivityis

interrupted.

Userscontinuetoseetheapplicationtheyareusinguntilnetworkconnectivityresumes,butthe

displayfreezesandthecursorchangestoaspinninghourglass.

Theadvantageisthatwhennetworkconnectivityresumes,theydonthavetoreconnecttothe

application.

Toenablesessionreliability,chooseAllowuserstoviewsessionsduringbrokenconnectionin

thesessionreliabilitysettings.

AutoClientReconnect

AutoclientreconnectallowsClientsforWindows,JavaandWindowsCEtodetectbroken

connectionsandautomaticallyreconnectuserstodisconnectedsessions.

Whenaclientdetectsaninvoluntarydisconnectionofasession,itattemptstoreconnectthe

usertothesessionuntilthereisasuccessfulreconnectionortheusercancelsthereconnection

attempts.

Whenconfiguringsessionreliability:

Anadministrator

can

enable

it

by

selecting

Allow

users

to

view

sessions

during

abroken

connection.

DisableitbydeselectingAllowuserstoviewsessionsduringabrokenconnection.

ChangetheportnumberinthePortnumberfield.


11/46



8

ChangetheamountoftimesessionsremainactivewhenconnectivityislostintheSeconds

tokeepsessionsactivefield.

Ifanadministratorwantsuserstoreauthenticatebeforereconnectingtoactivesessions,auto

clientreconnectshouldbeenabled.

Whensessionreliabilityisenabled,KeepAlivesettingsarenotusedevenwhentheyare

configuredintheserverfarm.

VirtualMemoryManagement

Virtualmemorymanagementmonitorsandregulatesthe.DLLandvirtualmemoryutilizationso

memoryisusedmoreefficiently.

Schedulevirtualmemoryoptimizationatatimewhenyourservershavetheirlightestloads.

RebalancerService

TheRebalancerServiceisresponsibleforenhancingresourcemanagementonserverswith

multipleCPUs.

Theserviceissettostartmanuallybydefault.

Ifanenvironmentisrunningmanyshortlivedapplicationsandtheapplicationsappeartobe

runningonthesameCPU,theadministratorshouldsettheservicetostartautomatically.

If

this

service

is

not

started

on

servers

with

multiple

CPUs,

the

benefits

of

CPU

utilization

managementarelost.

CitrixAdministratorAccounts

WhencreatinganewCitrixadministratoraccountyoucanchooseViewOnly,Full

Administration,orCustompermissions.

AdministratorswithViewOnlyprivilegescanviewallareasofserverfarmmanagementbut

cannot modifythem.

Administratorswith

Full

Administration

privileges

can

view

and

modify

all

areas

of

server

farmmanagement.

OnlyadministratorswithFullAdministrationcancreateotheradministratorsandcreate

ordeleteserverandapplicationfolders.

Bydefault,administratorswithcustomaccountsarecreatedwiththeLogonto

ManagementConsolepermission.UsethePermissionsscreentoallowcustom

administratorstoperformadditionaltasks.


12/46



9

TomodifypermissionsforaCitrixadministratoraccount:


Clicktheserverfarmnode.

DoubleclickAdministratorsinthedropdownlistdetailspane.

RightclicktheadministratoraccountorgroupinthedetailspaneandclickModify

administratorproperties.

ClickPermissionsintheleftpaneofthePropertiesscreen.

Clickafolderandthenselectthepermissionsintherightpanethattheselected

administratororgroupwillhaveforthatfolder.

Repeatthe

last

step

until

all

the

appropriate

permissions

are

set.

ClickOK.

ICAConnections

Whenauserstartsapublishedapplication,anICAconnectionismadetoaPresentationServer.

Iftheuserstartsapublishedapplicationonadifferentserver,anotherICAconnectionismade.

If

a

user

starts

a

published

application

on

a

server

that

the

user

already

has

an

ICA

connection

to,thesameICAconnectionwillbeused;anewICAconnectionwillnotbestarted.

ToconfigureICAconnections:


RightclicktheserverfarmnodeandclickProperties.

ExpandtheFarmwidenodeandclickConnectionLimits.

ConfigurethenumberofICAconnectionsallowedperuser.

ConfigurethenumberofICAconnectionsallowedperadministrator.

ConfigureICAconnectionlimitlogging.

ClickOK.


13/46



10

ICAKeepAlive

ICAKeepAliveisasettingusedtomanagethestatesoftheICAsessionstoensurethattheyare

accuratelyreported.

WhenICAKeepAliveisconfigured,packetsaresenttoeachclientdevicetodeterminewhether

aconnectionstillexists.

Iftheclientdevicedoesnotrespond,thestateofthesessionusingtheconnectionischanged

fromactivetodisconnected.

ConfiguringICASessions

SpeedScreen

SpeedScreenLatency

Reduction

Manager

provides

mouse

click

feedback

and

local

text

echo

to

reducetheusersperceptionoflatencywhentypingandclicking.

SpeedScreenBrowserAccelerationoptimizestheresponsivenessofgraphicsrichHTMLpagesin

publishedversionsofMicrosoftOutlook,OutlookExpressandInternetExplorer.

SpeedScreenBrowserAccelerationmustbeenabledateitherthefarmlever(default)orthe

serverlevelandDeterminewhentocompressmustbeselected.

(Authorsnote:TheselectionmayalsobeAdjustcompressionlevelbasedonavailable

bandwidth).

TofurtheracceleratetheaccessibilityofWebpagesandemailusingSpeedScreenBrowser

Acceleration,JPEGcompressioncanbeenabled.

JPEGcompressionoffersatradeoffbetweenthequalityoftheJPEGimagesasthey

appearontheclientdevicesandtheamountofbandwidththefilesconsume

transferringfromservertoclient.

JPEGimageaccelerationresultsinslightlylowerimageresolutionandslightlyhigher

resourceconsumptiononbothserverandclient.

When

JPEG

image

acceleration

is

enabled,

select

the

Image

compression

level

based

on

availablebandwidth:Low,MediumorHigh.

SpeedScreenMultimediaAccelerationallowsyoutocontrolandoptimizethewayCitrix

PresentationServerpassesstreamingaudioandvideotousers.

SpeedScreenFlashAccelerationallowsyoutocontrolandoptimizethewayCitrixPresentation

ServerpassesMacromediaFlashanimationstousers.


14/46



11

SpeedScreenImageAccelerationoffersyouatradeoffbetweenthequalityofphotographic

imagefilesastheyappearonclientdevicesandtheamountofbandwidththefilesconsumeon

theirwayfromtheservertotheclient.

SpeedScreenProgressiveDisplayallowsyoutoimproveinteractivitywhendisplayinghighdetail

imagesbytemporarilyincreasingthelevelofcompression(decreasingthequality)ofsuchan

imagewhenitisfirsttransmittedoveralimitedbandwidthconnection,toprovideafast(but

lowquality)initialdisplay.

Iftheimageisnotimmediatelychangedoroverwrittenbytheapplication,itisthen

improvedinthebackgroundtoproducethenormalqualityimage,asdefinedbythenormal

lossycompressionlevel.

HeavyweightcompressionallowsyoutoincreasethecompressionoftheSpeedScreen

ImageAccelerationandSpeedScreenProgressiveDisplaywithoutimpactingimagequality.

Becauseheavyweight

compression

is

CPU

intensive

and

affects

server

scalability,

it

is

recommendedforuseonlywithlowbandwidthconnections.

ProgramNeighborhoodAgent

TheProgramNeighborhoodAgentallowsyouruserstoaccessalloftheirpublishedresourcesin

afamiliarWindowsdesktopenvironment.

Usersworkwithyourpublishedresourcesthesamewaytheyworkwithlocalapplications

andfiles.

Publishedresourcesarerepresentedthroughouttheclientdesktop,includingtheStart

MenuandWindowsnotificationarea,byiconsthatbehavejustlikelocalicons.

ProgramNeighborhoodAgentisconfiguredatasitecreatedintheAccessManagementConsole

andassociatedwiththesitefortheWebInterfaceserver.

WhenconfiguringProgramNeighborhoodAgent,theURLoftheappropriateWebInterface

servermustbeenteredintheformathttp://servernameorhttps://servername.

ProgramNeighborhoodAgentconnectstotheserveratstartuptogetthelatestconfiguration

informationincludingavailablepublishedresourcesandpermissionstochangelocalsettings.

WebClient

TheWebClientisasmallerclientthatcanbeinstalledfroma.CABfileorfromthemain.MSI

file.

TheWebClientsetupfilesaresignificantlysmallerthantheotherclients.


15/46



12

Thesmallsizeallowsuserstoquicklydownloadandinstalltheclientsoftware.

TheWebClientdoesnotrequireuserconfigurationanddoesnothaveauserinterface.

UsersaccessthepublishedresourcesbyclickingonlinksfromaWebpageorcorporateintranet.

ThefollowingbrowserswillworkwiththeClientforWeb:

InternetExplorer5.0through7.0

NetscapeNavigator4.78,and6.2through7.1

MozillaFirefox1.0through1.5

TousethebuiltinWebInterfaceclientinstallationfeature,youmustmakesuretheweb

servers\Clientsfoldercontainstheappropriateclientfiles.

ProgramNeighborhood

ProgramNeighborhoodsupportsthefullCitrixPresentationServerfeaturesetanditrequires

userconfigurationandmaintenance.

ChooseProgramNeighborhoodforthePresentationServerClientifyoudonotwanttopublish

yourresourcesusingWebInterface.

IfyouchoosetoimplementtheWebInterfaceatalatertime,ProgramNeighborhooduserscan

also

access

resources

published

through

Web

Interface.

ClientDeployment

BeforedeployingaclientpackageviaActiveDirectorytoanyclientsbeforeWindowsXP,

WindowsInstaller2.0mustbeinstalledontheclients.

AdministratorscanuseActiveDirectorytodeployclientsusingthe.MSIfileontheComponents

CDforPresentationServerorusingacustomclientfilepackagecreatedwithClientPackager.

ToassignaclientpackagetoanOrganizationalUnit(OU):

Createanetworkshareandcopythe.MSIfilecontainingtheclienttothenetworkshare

location.

InActiveDirectoryUsersandComputersrightclicktheappropriateOUandclick

Properties.

ClicktheGroupPolicytabandclickNewtocreateanewGroupPolicy.


16/46



13

TypethenamefortheGroupPolicyandpressEnter.

ClickEditandnavigatetoComputerConfiguration>SoftwareSettings>Software

Installation.

RightclicktheblankareaintherightpaneandclickNew>Package.

LocatetheclientpackageonthenetworkshareandclickOpen.

ClickAssignedintheDeploySoftwaredialogandclickOK.

Astheclientrestarts,ActiveDirectoryGroupPolicyautomaticallyinstallstheclientonthe

computer.

AfterdeployingaclientpackageviaActiveDirectoryandrestartingtheclientdevice,the

administratorshouldlogintotheclientdevicetoverifythattheclientisinstalled.

ClientPackager

WhencreatingapackagewiththeClientPackager,thedefaultclientnameoptionisUse

machinenameasclientname.

Bydefault,Citrixclientsgetthesamenameasthemachineatdeployment.

TheotherclientnameoptionisLetusersspecifyaclientname.

By

choosing

No

on

the

pass

through

authentication

screen,

the

administrator

would

make

sure

thattheusersmustentertheirusernameandpasswordtologontosessions.

EnableQuickLaunchBarandEnableCustomICAConnectionsarebothconfigurationchoices

forProgramNeighborhood.

WhilecreatingaProgramNeighborhoodpackage:

Tohelpensureduplicateclientnamesdonotexistonthenetwork,allowtheusertoname

theclientbychoosingLetuserspecifyaclientname.

Toletusersopensessionswithoutenteringtheirusernameandpassword,chooseUse

Kerberosonly

to

enable

pass

through

authentication.

ToallowuserstomakeserverconnectionswithoutusingtheICAConnectionWizard,choose

EnableQuickLaunchBar.

Toensureolderclientversionsareoverwrittenwithnewerclients,leaveAllowupgradeif

packageisnewerthanexistingclientversionchosen;thatisthedefaultclientreplacement

option.


17/46



14

ConfiguringPolicies

LimitConcurrentSessions

Toallowuserstohavemoresessionsrunningthantheserverfarmisconfiguredtoallow:

CreateanewpolicyinthePresentationServerConsole.

AddthepolicyruleLimittotalconcurrentsessions.

Configurethesessionstoasmanyasneededandapplythepolicytothedesiredusersor

groups.

PolicyFilters

Afterapolicyhasbeencreatedandconfigured,andadministratorcanfilterthepolicyusing:

Clientnames

Accesscontrol(connectionsmadethroughAccessGateway)

Usersandusergroups

Servers

ClientIPaddresses

Tofilter

apolicy

to

affect

only

acertain

range

of

IP

addresses:

ClickthePolicynodeinthePresentationServerConsole,rightclicktheappropriatepolicy

intherightpaneandselectApplythispolicyto.

ClickClientIPAddress.

ClickFilterbasedonclientIPaddress.

ClickAdd.

ClickIPRangeandclickOK.

ClickAllowandclickOK.

Shadowing

Tocreateanewshadowingpolicywheretheusersarenotifiedthattheyarebeingshadowed

andtheuserdoingtheshadowingcannotcontrolthekeyboardormouse:


18/46



15

CreateanewpolicyinthePresentationServerConsole.

InthepolicyspropertiesopentheShadowingfolderundertheUserWorkspacefolderin

theleftpane.

SelecttheConfigurationruleandenableit.

SelectAllowshadowing.

SelectProhibitbeingshadowedwithoutnotification.

SelectProhibitremoteinputwhenbeingshadowed.

SelecttherulenamedPermissionsintheleftpaneandenableit.

ClickConfiguretoselecttheuserswhowilldotheshadowing.

ClickOKwhendoneaddingtheusers.

ClickOKatthebottomofthepolicysproperties.

Applythepolicytotheuserswhowillbeshadowed.

ZonePreferenceandFailover

AZonePreferenceandFailoverpolicyisconfiguredintheUserWorkspacefolderinthe

properties

of

a

policy.

Theprimaryandbackupzonesareconfiguredandwhichzoneusersconnecttoisidentified.

ClientforWebandProgramNeighborhoodAgentsupportZonePreferenceandFailover.

InaZonePreferenceandFailoverpolicy,connectionscanbedirectedtoapreferredzoneand

failovertoabackupzone.

PrintJobRoutingPolicy

Printjob

routing

has

two

settings:

Connectdirectlytonetworkprintserverifpossible

Alwaysconnectindirectlyasaclientprinter

IftheconcernisbandwidthusageoveraWANconnection,Alwaysconnectindirectlyasaclient

printershouldbeused.


19/46


20/46



17

SpeedScreen

ImageAccelerationusinglossycompression

SessionLimits,including:

Audio

Clipboard

COMPorts

LPTPorts

Drives

OEMVirtual

Channels

OverallSession

Printing

TWAINRedirection

PDASynchronization

Toconfigure

PDA

synchronization

using

USB

tethering:

EnablethepolicyruleTurnonautomaticvirtualCOMportmapping.

ThisruleallowsUSBtovirtualCOMportemulationinclientsessions.

ThisruleisfoundinapolicyatClientDevices>Resources>PDADevices.

UserWorkspaceFolderinPolicies

Inthe

User

Workspace

folder

of

aPresentation

Server

policy,

an

administrator

can

configure:

Connections,including:

Limittotalconcurrentsessions

Zonepreferenceandfailover


21/46



18

Servertoclientcontentredirection

Shadowing

configurationandpermissions

TimeZones

Donotestimatelocaltimeforlegacyclients

DonotuseClientslocaltime

CitrixPasswordManager

CentralCredentialStore

DonotuseCitrixPasswordManager

StreamedApplication

Configuredeliveryprotocol

Specifiestheapplicationdeliverymethodusedtostreamapplicationstothedesktopsof

clientdevicesorservers.

ApplicationDeliveryMethod

Whenconfiguring

an

application

delivery

method

policy,

the

administrator

can

configure:

Forceserveraccess

Forcesstreamedapplicationstoalwayslaunchfromtheserver.

Forcestreameddelivery

Forcestheapplicationstoalwaysstreamtothedesktopsoftheclientdevices.

SecureICA

AnadministratorcanconfiguretherequiredSecureICAencryptionlevelpersessioninSecurity>

Encryption>SecureICAencryption.ThisistheonlypolicyruleavailableinaPresentationServer

policy.

ApplyPolicytoUsersandGroups


22/46



19

ToapplyaPresentationServerpolicytoauserorgroup:

InthePresentationServerConsole,clickthePolicynodeintheleftpane.

RightclicktheappropriatepolicyintherightpaneandclickApplythispolicyto.

ClickUsers.

ClickFilterbasedonusers.

Configuretheusersandgroupsfilteroptioninoneoffourways:

Applythepolicytoallexplicitusers(nonanonymous)

Applythepolicytoallanonymoususers

Applythe

policy

to

aspecific

user

account

or

user

group

Avoidapplyingthepolicytoaspecificuseraccountorusergroup

ClickOK.

PolicyPriority

Eachpolicyreceivesanumberuponcreation.Bydefault,anewpolicyhasthelowestpriorityof

allpolicies.Thenumberassignedisbasedonthenumberofpoliciesthatexistinaserverfarm.

Toprioritizeapolicy,inthePresentationServerConsole:

ClickthePoliciesnode.

RightclickthepolicyintherightpaneandclickPriority.

Ifyouwanttoassignthepolicythehighestpriority,clickMakeHighestPriority.

Ifyouwanttoassignthepolicythelowestpriority,clickMakeLowestPriority.

If

you

want

to

increase

the

priority

of

the

policy

one

level,

click

Increase

Priority.

Ifyouwanttodecreasethepriorityonelevel,clickDecreasePriority.

PolicySearchEngine


23/46



20

ThepolicysearchengineisafeatureofthePresentationServerConsolethatallowsan

administratortofindallpoliciesthatcanpotentiallyapplytoaspecificconnectionandconfirm

howfinalpolicyrulesaremergedforthatconnection,thusmakingsureitisappliedcorrectly.

Tousethepolicysearchengine:

RightclickonthePolicynodeinthePresentationServerConsoleandclickSearch.

Configurethesearchcriteria(IPAddress,ClientName,User,Server,AccessControl)and

clickSearch.

ClickYestosearchtheentireActiveDirectoryifdesired.

Optionally,doubleclickapolicyinthesearchresultstoviewthepolicypriorities.

ClickViewResultantPolicyandtheResultantPolicyPropertiesscreenlaunches.

Expandeach

node

to

view

individual

resultant

policy

rules.

ClickOKtoclosetheResultantPolicyPropertiesscreen.

ClickOKtoclosetheSearchscreen.

PublishingApplicationsandContent

PublishedApplications

Whenpublished,userscanaccessapplicationsinstalledonthePresentationServers.

Theapplicationsappeartorunlocallyontheclientdevices.

Publishedapplicationsprovidetheadministratorscontroloverwhatresourcesuserscanaccess

onaserver,unlikepublishedserverdesktops.

Publishedapplicationsprovideadministratorscontroloverwhatresourcesuserscanaccessona

server.

PublishedServerDesktops

Publishedserverdesktopsallowusersunlimitedaccesstotheresourcesonaserverwhichcan

resultinuserschangingconfigurationsandsettingsthatcancauseservervulnerabilities.

PublishedContent


24/46



21

Userscanopenpublishedcontentusingclienttoserverorservertoclientcontentredirection.

Whencontentispublished,itprovidesusersaccesstodatafiles,suchas:

Documents

Spreadsheets

MediafilesandotherdatathatareaccessiblebyusersusinganHTMLwebsite

Suchashttp://www.citrixxperience.com

Afileonawebsite

Suchashttp://www.citrixxperience.com/study/archive/exams/218.doc

AdirectoryonanFTPserver

Suchasftp://ftp.citrix.com/edu

AfileonanFTPserver

Suchasftp://ftp.citrix.com/edu/readme.txt

AUNCfilepath

Suchas\\servername\sharename\filename

AUNC

directory

path

Suchas\\servername\sharename

OrganizePublishedResources

Anadministratorcanorganizepublishedresourcesinanapplicationsetbyplacingthepublished

resourcesinfoldersduringtheresourcepublishingprocessorafterwards.

Bydefault,allresourcesarepublishedtotherootfolderoftheapplicationset.

Anadministratorcanorganizethepublishedresourcesintofolderstohelpusersquicklylocate

theapplicationstheyneed.

Forexample,ifmanyMicrosoftOfficeapplicationsarepublished,anadministratormight

decidetoplacetheMicrosoftOfficeapplicationsintoafoldercalledMicrosoftOfficemaking

iteasierforuserstolocatetheseapplications.


25/46



22

ClienttoServerContentRedirection

ClienttoservercontentredirectionallowsusersoftheProgramNeighborhoodAgenttousea

publishedapplicationtoaccessfilesresidingonthelocalclientdevice.

ClienttoservercontentredirectionthroughfiletypeassociationrequiresProgram

NeighborhoodAgentontheclientdevices.

Clientdrivemappingmustbeenabledsothatthelocalcontentcanbeaccessedbythe

applicationontheserver.

Ifdrivemappingisnotenabled,thepublishedapplicationopensanddisplaysanerror

becausetheapplicationisunabletoaccessthelocalcontentthatinitiallytriggeredthe

applicationtostart.

FileType

Association

IfyouinstallandpublishanapplicationafterinstallingPresentationServer,youmustupdatethe

filetypeassociationintheserversWindowsregistry.

Toupdatefiletypeassociations:

IntheAccessManagementConsole,selecttheserverwheretheapplicationispublished.

SelectAction>AllTasks>Updatefiletypesfromregistry.

ServertoClientContentRedirection

UsersmightfrequentlyaccesswebandmultimediaURLstheyencounterwhenrunninganemail

programpublishedonaserver.

Ifyoudonotenableservertoclientcontentredirection,usersopentheseURLswithweb

browsersormultimediaplayersonthePresentationServers.

Tofreeserversfromprocessingthesetypesofrequests,youcanredirectapplicationlaunching

forsupportedURLsfromtheservertothelocalclientdevice.

Thefollowing

URL

types

are

redirected:

HTTP

HTTPS

RTSP(RealPlayerandQuickTime)


26/46



23

RTSPU(RealPlayerandQuickTime)

PNM(LegacyRealPlayer)

MMS(MicrosoftsMediaFormat)

ApplicationIsolationEnvironment

Anapplicationisolationenvironmenthasthefollowingproperties:

Applications

Specifieswhichapplicationsareassociatedwithorinstalledinthisparticularisolation

environment.

Roots

Specifiesthedirectoriesandregistrylocationsinwhichfilesmodifiedbyusers(userprofile

root)andapplications(installationroot)reside.

Rules

Specifiespoliciesthatspecifyhowanisolatedapplicationaccessessystemresources,suchas

files,registryandnamedobjects.

Security

Specifies

the

security

policy

to

apply

to

the

isolation

environment,

which

can

either

be

enhancedorrelaxed.

Anapplicationisolationenvironmentcancontainassociated,installedorpublishedapplications.

Associatedapplicationsareinstalleddirectlyontotheoperatingsystemofoneormore

PresentationServersandareconfiguredtolaunchwithintheconfinesoftheisolation

environmentandcanbeaccessedfromoutsideoftheenvironment.

InstalledapplicationsareinstalledintoanisolationenvironmentusingtheAIESETUP

commandandmustbepublishedonaPresentationServerbeforetheycanbemade

availabletousers.

PublishedapplicationshavebeeninstalledintotheisolationenvironmentusingAIESETUP

andarepublishedforoneormoreuser.

Deletinganisolationenvironmenthasnoeffectonanapplication;however,userspecificfiles

createdwithintheisolationenvironmentaredeleted.


27/46



24

Inanapplicationisolationenvironment,theuserprofileroot(wherefilescreatedorsavedby

thecurrentuserarelocated)is:%APPDATA%\Citrix\AIE\AIE_name

Where%APPDATA%isaWindowsenvironmentvariableandisreplacedbytheapplication

datafolderforthecurrentuser.

TypicallyC:\DocumentsandSettings\%USERNAME%\ApplicationData.

AIE_nameisreplacedbythenameoftheapplicationisolationenvironment.

Installationrootspecifiestheperisolationenvironmentlocationofdirectoryorregistrykey

hierarchyforapplicationsinstalledintoanisolationenvironment.

Installationrootisuniqueforeachisolationenvironment.

Whenanapplicationisinstalledinanisolationenvironment,theinstallationrootislocatedat

C:\ProgramFiles\Citrix\AIE\AIE_name.

AIE_nameisthenameoftheapplicationisolationenvironment.

Thepathtotheactualfileisaddedontotheinstallationrootsoeachapplicationhasitsown

virtualcopyofthefilessotheydontconflictwitheachother.

TheAPPUTILcommandlineutilitycanbeusedtoinstallpackagedapplicationsintoanisolation

environment.

Applicationscanbeassociatedwithisolationenvironmentsduringtheapplicationpublishing

processusingthePublishApplicationWizard.

TheycanbeassociatedaftertheapplicationhasbeenpublishedinthePresentationServer

Console.

AIESETUPisusedtoinstallapplicationsintoisolationenvironments.

Afteranapplicationisinstalledinanisolationenvironment(usingAIESETUP)itcanonlybe

removedfromtheisolationenvironmentbyuninstallingtheapplication.

ConfigurePublishedResoures

Publishedresources

can

be

configured

to

control

the

following

options

for

the

client

device:

Legacyaudio

AllowssupportforapplicationstowhichSpeedScreenMultimediaAccelerationdoesnot

apply.

SSLandTLSprotocols


28/46


29/46



26

InstallationManagerDeploymentProcess

Theuserwhoinstallspackagestothetargetserversmusthavereadaccesstothenetworkshare

pointandadministrativeaccessonthetargetservers.

Beforeyoupublishapackagedapplication,makesurethepackagehasbeenaddedtothe

InstallationManagerdatabase.

ThefollowingprocessesareinvolvedindeployingapackageusingInstallationManager:

ApackageiscreatedusingthePackagerandtheADFfileisplacedonthefileserver.

ThepackageisaddedtotheInstallationManagerdatabaseusingthePresentationServer

Console,PackagerorAPPUTIL.

ThepackageisscheduledfordeploymentusingthePresentationServerConsoleor

APPUTIL.

ThepackageisdeployedtothetargetPresentationServers.

ThePresentationServerConsoleisupdatedtodisplayajobstatusofsuccessfulwhenthe

packagehasbeendeployedsuccessfully.

Packager

AfterusingthePackagertocreateapackagecontainingarecording,thePackagermustbe

returned

to

a

clean

state.

TherollbackfunctioninthePackagerreturnsthePackagertoacleanstatebyremovingallthe

changesmadetotheoperatingsystem,filesandregistryasaresultofpackaginganapplication.

ThePackagerdoesnotneedtoberolledbackaftercreatingapackagethatdoesnotincludea

recordingofanapplicationinstallation.

Todetermineifapackagemustberolledback,clickToolsandselectRollbackinthePackager.

IfmultiplepackagesarecreatedbeforethePackagerisrolledback,thepackagesmustberolled

backinreverseorder.

Forexample,ifPackage1wascreatedandthePackage2wascreatedwithoutrollingback

Package1,thenPackage2mustberolledbackbeforePackage1canberolledback.

Torollbackapackage:

OpenthePackagerandclickTools>Rollback.


30/46


31/46



28

Ifneeded,typethecommandlineparametersfortheinstallationprogramintheCommand

LineParametersfield.

Selectthepackagingoptions.Choosefrom:

Rebootafterprograminstallation

Runprogramfromsourcelocation

Copyprogramplusthefollowingfileslocallyandthenruntheprogram

SelectthefileorfolderoptionsifCopyprogramwaschosen.ClickNext.

ClickBrowse,navigatetothenetworksharepointonthefileserverwherethepackageis

storedandclickOK.ClickNext.

VerifytheinformationontheResultsscreenandclickFinish.

ClickProject>BuildPackage.

ClickFile>SaveProject.

Checkthenetworksharepointtoverifythatthepackageexists.

CreatingandAssigningLoadEvaluators

LoadEvaluators

Aloadevaluatorisasetofrulesthatcanbeusedtodeterminetheloadonaserverbasedon

systemresourcesandsystemresourceconsumption.

Loadevaluatorscanbeassignedtoserversandapplications.

Allserversmusthavealoadevaluatorappliedtothem.

Onlyoneloadevaluatorcanbeassignedtoeachserverandeachpublishedapplication.

Rules

ThedefaultfullloadfortheCPUUtilizationandMemoryUsagerulesis90%.Thedefaultno

loadforbothis10%.

TheContextSwitchesruledefinesthenumberoftimestheoperatingsystemswitchesfromone

processtoanother.


32/46



29

TheLoadThrottlingrulelimitsthenumberofconcurrentconnectionattemptsaserveris

expectedtohandleandcannotbeappliedtoanindividualapplication.

TheLoadThrottlingrulemustbeattachedtoaservertowork.

IftheLoadThrottlingruleisincludedinaloadevaluatorthatisattachedtoapublished

application,theruleisignored.

TheServerUserLoadrulelimitsthenumberofsessionsallowedtoconnecttoaselectedserver.

TheCPUUtilizationruledefinestherangeofprocessorutilizationforaselectedserver.

TheMemoryUsageruledefinestherangeofmemoryusageforaserver.

AdvancedLoadEvaluator

TheAdvancedloadevaluatorincludestherules:

CPUUtilization

LoadThrottling

MemoryUsage

PageSwaprules

DefaultLoadEvaluator

TheDefaultloadevaluatorincludestherules:

LoadThrottling

ServerUserLoadrules

BooleanRules

Booleanrules

are

based

on

conditions

being

true

or

false.

Booleanrulesmustbeusedinconjunctionwithatleastoneotherrulebecausetheydonot

returnactualloadvaluesforaserver.

ThetwoBooleanrulesare:

IPRange


33/46



30

DefinestherangeofallowedordeniedclientIPaddressesforapublishedapplication.

Scheduling

Schedulestheavailabilityofselectedpublishedapplications.

CustomLoadEvaluator

Tocreateacustomloadevaluator:

OpenthePresentationServerConsole.

RightclicktheLoadEvaluatorsnodeandclickNewLoadEvaluator.

TypethenameforthecustomloadevaluatorintheNamefield.

Typeadescriptioninthedescriptionfieldifdesired.

ClickaruleintheAvailableRuleslistandclickAdd.

ConfiguretheparametersfortheselectedruleandclickOK.

MaximumServerLoad

Whencreatingacustomloadevaluator,thefullloadthresholdvalueshouldbesetbelowthe

valuedetermined

as

the

maximum

sever

load.

Todeterminethemaximumserverload,anadministratormustfirstdeterminethebaselineand

peakvaluesforkeymetricsontheserver.

SharingInformationAcrossZones

Bydefault,adatacollectordoesnotcommunicatetheloadinformationtootherdatacollectors

intheserverfarm.

Iftheadministratorwantstoshareloadinformationacrosszones,theShareloadinformation

acrosszonesoptionmustbeselectedintheserverfarmpropertiesofthePresentationServerConsole.


34/46



31

ConfiguringPrinting

TypesofPrinting

Inclientlocalprinting,theprintjobspoolsfromthePresentationServertotheclientdeviceand

then

to

the

client

local

printer.

Inclientnetworkprinting,theprintjobspoolsfromthePresentationServertotheclientdevice

ornetworkprintserver,dependingonthepolicyconfiguration,tothenetworkprintserverand

thentothenetworkprinter.

Inservernetworkprinting,theprintjobspoolsfromthePresentationServertothenetwork

printserverandthentotheprinter.

Inserverlocalprinting,theprintjobspoolsfromthePresentationServertotheserverlocal

printer.

ImportPrintServer

Toimportaprintserver:

InthePresentationServerConsole,rightclickPrinterManagementandclickImport

NetworkPrintServer.

IntheNetworkPrintServerdialogbox:

TypethenameorIPaddressoftheprintserverintheServerfield.

Typeauseraccountnamethathasaccessrightstothespecifiedprinterinthe

ConnectedAsfield.

TypethepasswordfortheuseraccountinthePasswordfield.ClickOK.

PrinterPolicyRules

Autocreateallclientprintersautomaticallyconnectsalltheprintersonaclientdevice.

Always

connect

indirectly

as

a

client

printer

routes

print

jobs

through

the

client

device,

where

it

isredirectedtothenetworkprintserver.

DatasenttotheclientdeviceiscompressedusingtheICAprotocol;therefore,less

bandwidthisconsumedasthedatatravelsacrosstheWAN.

Applyingaprinterbandwidthpolicyallowstheadministratortocontroltheamountofmaximum

bandwidthinkilobytespersecondthatmaybeusedforprinting.


35/46



32

Thiswillfreeupsomebandwidthforotherresources,includingapplications,usingtheWAN

link.

BycreatingapolicywithAutocreateclientsdefaultprinteronly,logontimeswillbespedup

becausetheclientdeviceswillnolongertrytoconnecttoandautocreatenetworkprint

devices.

LegacyclientprintersenablestheuseofoldstyleclientprinternamesasusedbyTerminal

ServicesorPresentationServer3.0orearlier.

Autocreationenablestheuseofautocreationofall,local,defaultornoclientprinters.

Printerpropertiesretentioncontrolswhetherornotprinterpropertiesarestoredontheclient

deviceortheuserprofileontheserver.

PrintjobroutingcontrolswhetherornotnetworkprintjobsflowdirectlyfromPresentation

Serverto

the

print

server

or

take

an

extra

step

and

are

routed

back

through

the

client

device.

WhentheruleisconfiguredtoConnectdirectlytonetworkprintserverifpossible,the

printjobsarerouteddirectlyfromthePresentationServertothenetworkprintserver.

IfAlwaysconnectindirectlyasaclientprinterisconfigured,printjobsareroutedthrough

theclientdeviceviatheICAprotocolandredirectedtothenetworkprintserver.

Turnoffclientprintermappingdisablesthemappingofallclientprinters.

Sessionprintersallowsanadministratortocontroltheassignmentofnetworkprinters.

Administratorscanassignthedefaultprinteraswellasdesignatetheconnectiontonetwork

printersbasedonthedesiredpolicyfilter.

ThepolicycanbeconfiguredbyIPaddress.

Forexample:TheIPrangeofthecomputersoneachfloorofabuildingcanhavea

differentpolicysowhenauserisonthefifthfloortheywillhaveaccesstothefifthfloor

printersandwhentheyhavetomovetofloortwo,theywillhaveaccesstothesecond

floorprinters.

PrintDrivers

Beforeaprintercanbeused,aprintdrivermustbeinstalledonthePresentationServer.

Toadd,removeandreinstallprintdriversonaserver,andadministratorcanusetheDrivers

utilityonaWindowsServerbygoingtoPrintersandFaxes>File>ServerProperties>Drivers

Utility.


36/46



33

PrintDriverReplication

Inordertomaketheprintdriveravailableonotherserversintheserverfarmanadministrator

canleverageprintdriverreplicationtodeploytheprintdivertoallmemberservers.

Printdriverreplicationrequiresthatthedriverbeinstalledandavailableononeserverperbase

operatingsystem.

Thedriverreplicationprocesscantakeaconsiderableamountoftimeandrequiresasubstantial

amountofsystemresources.

Becauseoftheseresourcerequirements,thereplicationshouldbeperformedduringoffpeak

hourswhenhigherprioritytrafficisnotimpacted.

AnautoreplicationlistiscreatedusingthePresentationServerConsole.

Ifaserver

is

added

to

the

server

farm

that

does

not

have

the

print

driver

detected,

the

driver

is

installed.

Tocreateadriverautoreplicationlist:

ExpandthePrinterManagementnodeinthePresentationServerConsole.

RightclickDrivers.

SelectAutoreplication.

In

the

Auto

replication

dialog

box,

select

the

appropriate

operating

system

platform

from

theplatformdropdownlist.

ClickAddtoaddaprintdrivertoreplicatefortheselectedplatform.

SelecttheappropriatesourceserverintheServerdropdownlist.

Ifnospecificsourceisrequired,theAnyoptioncanbeusedtolistallprintdrivers

availableonallserversinthefarm.

SelectOverwriteexistingdriversifdesired.

ClickOK

in

the

confirmation

if

Any

was

chosen

as

the

source

server.

ClickOKintheAutoreplicationdialogbox.

ClickOKinthereplicationqueueconfirmationmessage.

UniversalPrintDriver


37/46



34

Benefitsoftheuniversalprintdriverinclude:

Theenhancedmetafileformatwhich:

Reducesthesizeofsomeprintjobs.

Allowsjobstoprintfaster.

Allowsuserstosetprinterpropertiesandpreviewdocumentsreadyforprinting.

Reducesloadontheserver.

BandwidthandCPUprocessingaresaved.

Reducesdelayswhenspoolingoverslowconnections.

Avoidsmore

problems

in

adiverse

environment.

Limitstheinstallationandduplicationofprintdriversonservers.

Ensuresthatclientprintersautocreateregardlessofprintdriveravailabilityontheserver.

Minimizeshelpdeskcalls.

Enablesuserstoprinttoalmostanyprinter.

Redirectsclientprintersonly.

ByenablingtheUniversaldriverruleUseonlyprintermodelspecificdrivers,theadministrator

makessurethatonlythemanufacturersdriversareused.

ByselectingtheUseuniversaldriveronlyiftherequesteddriverisunavailablerule,an

administratormakessurethatthereisalwaysadriveravailable,whetheritsthemanufacturers

driverortheuniversaldriverbyallowingtheprinterstofirsttrytousethemanufacturers

drivers,butiftheyarenotavailable,theuniversaldriverwillbeafallback.

NativeDrivers

Bynotallowingnativeprintdriverstoautomaticallybeinstalledfromautocreatedprinters,

administratorscanmakesurethatnoroguedriversmakeitintothefarm.

Byusingaprintdrivercompatibilitylist,administratorscancontrolwhichdriversareallowedin

thefarm.


38/46



35

Ifanadministratorknowsthedriversthatareallowed,butdoesntknowwhichdriversmighttry

toinstalllater,theadministratorcanselectAllowonlydriversinthelistandaddtheknown

acceptabledriverstothelist.

ThepolicyNativedriverautoinstallcanbesettotheruleInstallWindowsnativedriversas

needed.

Thatallowsthemanufacturersprintdriverstobeusedinthefarm.

PrinterMappings

PrintermappingscanbemanagedusingthePresentationServerConsoleorinaneditablefile

namedWTSUPRN.INF.

Note:TheWTSPRNT.INFfileliststheprintermappingsmadeusingthePresentationServer

Consoleandshouldnotbeedited.

PrinterCreation

Withsynchronousprintercreation,printerscreatebeforetheusershaveaccesstointeractwith

andusetheirsessions.

Shouldbeusedwhenapplicationsrequireallprinterstobecreatedfirstorwhen

applicationsrequireastableprintingenvironment.

Theusersmustwaitforallprinterstocreateinthebackgroundbeforetheycanperformany

activities.

Withasynchronousprintercreation,printerscreateinthebackgroundwhiletheusershave

controlofandareusingtheirsessions.

Thisminimizestheamountoftimeittakesfortheuserstobeginusingtheapplicationand

doesnotimpacttheusersbecausesomeapplicationactivityusuallyoccursbeforeprinting.

PrinterBandwidth

Printerbandwidthcanbelimitedonaperserverbasisthroughserverpropertiesorwithapolicy

rule.

PrinterAutoCreation

Insomeinstances,itmightbepreferabletonotautocreateclientprinters.Inthiscase,an

administratorcanusetheTurnoffclientprintermappingruletoautocreateonlynetwork

printersorprintersconnecteddirectlytotheserver.


39/46



36

ByusingtheruleAutocreatelocalclientprintersonly,onlytheprintersconnecteddirectlyto

theusersclientdevicethroughanLPTorotherlocalportwillbeautomaticallyconnected.

Enablingthissettingensuresanynetworkprintersdefinedontheclientdevicearenotauto

createdwithintheICAsessionandlogontimeswillbereducedforthosewhohaveseveral

networkprintersconfiguredontheirclientdevice.

SmoothRoaming

SmoothRoamingallowsausertodisconnectfromoneICAsessionandreconnectfromanother

devicetocontinuethatsamesession.

PrintDriverCompatibilityList

Theprint

driver

compatibility

list

allows

an

administrator

to

control

print

drivers

available

to

users.

Duringuserlogon,nativedriversarepermittedandtheautocreatedprintersarechecked

againstthelistofallowedordeniedprintdrivers.

Aprintdrivermappinglistresolvescompatibilityissuesbetweenprintdriversthathavedifferent

namesforthesameprinterondifferentserveroperatingsystems.

EnablingWeb

Access

to

Published

Applications

and

Content

WebInterfaceCommunication

WhenauserlogsintotheWebInterface,theWebInterfaceforwardsthelogoncredentialsto

theCitrixXMLServiceonthePresentationServer.

TheCitrixXMLServiceretrievesalistofapplications(theapplicationset)thattheusercan

accessbasedonthesuppliedcredentials.

WebInterfaceBrowsing

ThefollowingbrowserscanlogontotheWebInterface:InternetExplorer5.x,6.x,and7.0;

Safari2.0;Firefox1.x;Mozilla1.x;Netscape7.0.

ConfigureWebInterface


40/46


41/46



38

Tomakesureusershavetoentertheirusernameandpasswordeverytimetheyconnect,

Explicitmustbeselectedforauthentication.

TouseRSASecurID(orSafeWord),twofactorauthenticationmustbeconfigured.

WorkspaceControl

Inordertouseworkspacecontrol:

ClientdevicesmusthavetheClientforWindows8.xorlater.

PresentationServermustbeinstalledandconfigured.

WebInterfacemustbeinstalledandconfigured.

Thefollowingaresomeofthefunctionalityofworkspacecontrol:

CanonlyreconnecttoexistingsessionsonPresentationServers.

Cannotreconnectanonymoususerstoapplicationsaftertheydisconnect.

PromptssmartcardusersfortheirPINsforeachreconnectedsessionwhenpassthrough

authenticationwithsmartcardsisnotenabled.

RequiresthattheWebInterfacebesettooverridetheclientnamesettingintheManage

sessionpreferencestask.

Workspace

control

functions

are

disabled:

IftheWebInterfacedetectsthatitisbeingaccessedfromwithinaclientsession.

Ifpassthroughorsmartcardauthenticationmethodsareusedandnotrustrelationship

existsbetweentheWebInterfaceserverandthePresentationServers.

Anadministratorcanconfigureworkspacecontrol:

Toprovideautomaticreconnectionduringlogon.

Provideautomaticreconnectionafterlogon,logoffallsessionswhenauserlogsofffrom

theWeb

Interface

site.

AllowuserstocustomizetheWebInterfacesite.

Whenconfiguringworkspacecontrol,anadministratorcanchoose:

Automaticreconnecttosessionwhenuserlogsinprovidesautomaticreconnectionduring

logon.


42/46


43/46



40

IntheAccessManagementConsole,expandtheWebInterfacenode.

ClickthedesiredAccessPlatformSitenode.

ClicktheConfigureauthenticationmethodstask.

ClickProperties.

ClickDomainRestrictionintheleftpaneoftheAccessPlatformauthenticationmethods

properties.

ChooseRestrictdomainstothefollowingdomains.

Addthedomainsthatareallowedaccess.ClickOK.

CitrixPasswordManagerIntegration

TointegrateCitrixPasswordManagerintotheauthenticationoftheAccessPlatformsite:

IntheAccessManagementConsole,expandtheWebInterfacenode.

ClickthedesiredAccessPlatformSitenode.

ClicktheConfigureauthenticationmethodstask.

ClickProperties.

Click

Account

Self

Service

in

the

left

pane

of

the

Access

Platform

authentication

methods

properties.

IntheAccountSelfServicewindow,youcanchoosetoenablepasswordresetorallow

accountunlock.

Toonlyallowuserstochangetheirpasswordwhenitexpires,Allowuserstochange

passwordmustbeconfiguredforOnlywhenitexpiresinthePasswordSettings

window.

ClickOK.

DMZSettings

Directaccessistypicallyconfiguredinsituationswhereinternalusersconnectfromtrusted

environments,suchasacorporateintranet,andthereisnoneedtokeeptheaddressofthe

PresentationServerprivate.


44/46



41

AlternateaccessisconfiguredinsituationswheretheIPaddressofthePresentationServermust

bekeptprivatefromusers.

AnadministratormustconfigurePresentationServertouseanalternateaddressbyusing

theALTADDRcommand.

Ifmultipleserversarebeingusedtoprovideapplicationaccess,translatedaccesswouldbe

used.

TranslatedaccessisconfiguredinsituationswheretheIPaddressofthePresentationServer

mustbekeptprivatefromusersandmultipleserversintheserverfarmareusedtoprovide

applicationaccess.

Whenafirewallisused,WebInterfacemustbeconfiguredwiththeappropriateIPaddressin

theclientfiles.

SecuringAccesstoPublishedApplicationsandContent

SecuringCommunication

ICAencryptionguardsagainstthethreatofeavesdroppingbysecuringtheinformationsent

betweentheclientdeviceandPresentationServer.

AvailableinBasic,RC5(128bit)logononly,RC5(40bit),RC5(56bit)andRC5(128bit).

IsconfiguredinPresentationServerpoliciesorpublishedapplications.

CitrixSSLRelaycansecureendtoendcommunicationbetweenclientdevicesandPresentation

ServersusingencryptionandcommunicationswithserversthathosttheXMLServiceinsmall

environments.

CanbeusedtosecurecommunicationbetweentheWebInterfaceserverandPresentation

Server.

ProvidesendtoendencryptionofICAcommunicationsbetweenclientdevicesand

PresentationServerandXMLcommunicationsbetweenWebInterfaceandPresentation

Server.

WhenSSLRelayisused,anadministratorcanconfigurewhichciphersuiteswillbeused.

Aciphersuiteisanencryption/decryptionalgorithm.

PresentationServer,bydefault,providesCOMandGOVciphersuites.

ToconfigureSSLRelay:


45/46



42

ObtainandinstallauniqueservercertificateoneachPresentationServer.

InstallarootcertificateoneachclientdeviceandWebInterfaceserver.

Configuretherelaycredentials,connectionsandciphersuitesusingtheSSLRelay

Configurationtool.

RestartthePresentationServers.

SecureGatewaycansecurelargeserverenvironmentsandprovideInternetaccesstoserversin

aserverfarmwithasinglepointofencryption,theinternalIPaddressesofservershiddenand

twofactorauthenticationsupportthroughWebInterface.

WebInterfaceandSecureGateway

Toconfigure

aWeb

Interface

site

to

work

with

Secure

Gateway:

IntheAccessManagementConsoleclicktheManagesecureaccesstaskandclickEdit

gatewaysettings.

TypetheFQDNoftheSecureGatewayserverintheAddress(FQDN)field.

Configuresessionreliability.

ConfiguretheSTAsettings.

Click

OK.

DMZSettings

InasinglehopDMZdeploymentofSecureGateway,aservercertificatemustbeinstalledon:

TheSecureGatewayServer

TheWebInterfaceServer

ThePresentationServer

Arootcertificatewillbeinstalledon:

SecureGateway

WebInterfaceServer

Clientdevice


46/46

VisitCitrixxperience.comformoreCitrixcertificationpreparationproducts. 43

GatewaydirectsendstheactualaddressofthePresentationServertotheSecureGateway.

GatewayalternatesendsthealternateaddressofthePresentationServertotheSecure

Gateway.

GatewaytranslatedusestheaddresstranslationmappingsintheWebInterfacetodetermine

whichaddressissenttotheSecureGatewayserver.

GatewaytranslatedusestheaddresstranslationmappingssetintheWebInterfaceto

determinewhichaddressissenttotheSecureGatewayserver.

ThissettingisusefulwhentheaddressandportofthePresentationServeraretranslatedat

theinternalfirewall.

ToconfigureGatewaytranslation:

Inthe

Access

Management

Console

click

the

Manage

secure

client

access

task

and

click

Edit

DMZsettings.

ConfiguretheclientroutebychoosingAddanewclientroute,Editanexistingclientroute

orRemoveanexistingclientroute.

SelectTranslatedastheaccessmethod.

ClickManagesecureclientaccessinthetaskpaneandclickEditaddresstranslations.

ClickAdd.

ConfiguretheinternalandexternalIPaddresstranslationmappingsbyselectingClientroute

translation,GatewayroutetranslationorClientandGatewayroutetranslation.

TypetheinternalIPaddressofaPresentationServerintotheInternalIPaddressfield.

TypetheinternalportnumberofaPresentationServerintotheInternalportfield.

Typethetranslated(external)IPaddressorhostnamethatclientdevicesmustuseto

connecttoaPresentationServerintotheExternaladdressfield.

TypetheexternalportnumberofaPresentationServerintotheExternalportfield.Click

OK.

Study Guide Microsoft

Documents

Transcript of Study Guide Microsoft