Citrix MetaFrame XP for Windows with Feature Release 2 (Includes Service Pack 2)


Advanced Concepts: Citrix MetaFrame XP for Windows with Feature Release 2 (Includes Service Pack 2)

The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. ("CITRIX") SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix. Citrix, ICA, MetaFrame, and Program Neighborhood are registered trademarks, and MetaFrame XP and NFuse are trademarks of Citrix Systems, Inc. in the United States and other countries. Copyright 2002 Citrix Systems, Inc. All rights reserved.

Trademark Acknowledgements

Adobe and Acrobat are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Apple is a registered trademark of Apple Computer Inc. DB2 is a registered trademark and PowerPC is a trademark of International Business Machines Corp. in the U.S. and other countries. Java, Solaris, and Sun are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Sun Microsystems, Inc. has not tested or approved this product. Microsoft, MS-DOS, Windows, Windows NT, Win32, ActiveX, SQL Server, Office and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. Novell Directory Services, NDS, NetWare, Novell Client, and eDirectory are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Packeteer and PacketShaper are trademarks or registered trademarks of Packeteer, Inc. in the United States and other countries. Compaq is a registered trademark of Compaq in the United States and other countries. UNIX is a registered trademark of The Open Group. All other trademarks and registered trademarks are the property of their owners.

Document code: July 12, :11 pm MP

Contents

Chapter 1 Introduction
  Documentation Conventions
  MetaFrame XP, Feature Release 2 Documentation

Chapter 2 Pre-Installation
  Recommended Server Configuration

Chapter 3 Independent Management Architecture
  Understanding Zones
  Function of the Data Store in a Server Farm
  Working with the Local Host Cache

Chapter 4 MetaFrame XP Server Farm Design
  Designing Server Farms for Enterprises
  Planning Zones in Server Farms
  Using MetaFrame XP on Multihomed Servers
  Data Store Guidelines
  Data Store Requirements
  Data Store Network Optimizations
  Implementing the Data Store in a Storage Area Network
  MetaFrame XP Server Farm Deployment Scenarios

Chapter 5 Deploying MetaFrame XP
  Rapid Deployment of MetaFrame XP Feature Release 2/ Service Pack
  Installing Citrix Administrative Tools
  Deploying Citrix ICA Clients
  Deploying NFuse Classic

Chapter 6 Publishing Applications
  Using Installation Manager to Deploy Windows Installer Packages
  Application Deployment Considerations with Installation Manager
  Publishing in Domains with Thousands of Objects
  Working with the Content Redirection feature
  Troubleshooting Tips, Error Messages, and Conditions
  Enhanced Content Publishing and Content Redirection Support in NFuse Classic

Chapter 7 Integrating MetaFrame with Novell Directory Services
  Overview
  Implementing NDS Support in MetaFrame XP
  Tips and Techniques

Chapter 8 Security Issues and Guidelines
  Securing MetaFrame XP Servers
  Security Considerations for the Data Store
  Network Security Considerations
  MetaFrame Server and Client Configurations for Seamless Proxy Integration
  Using Smart Cards with Feature Release
  Deploying the Java Client using NFuse Classic with Custom SSL/TLS Certificates

Chapter 9 Printer Management
  Printer Driver Replication

Chapter 10 Maintaining MetaFrame XP Server Farms
  Cycle Booting MetaFrame XP Servers
  Changing Farm Membership of Servers
  Renaming a MetaFrame Server
  Uninstalling MetaFrame Servers in Indirect Mode

Chapter 11 Managing MetaFrame XP Server Farms
  Citrix Management Console
  Citrix Installation Manager
  Citrix Resource Manager
  Citrix Network Manager
  User Policies Best Practices
  User-to-User Shadowing Best Practices
  Delegated Administration Tips

Chapter 12 Optimizing the Performance of MetaFrame XP
  Client Optimizations
  Disk Optimizations
  Memory Optimizations
  Network Optimizations
  Server Optimizations
  User Settings Optimizations

Chapter 13 Utilities
  DRIVEREMAP
  DSVIEW
  IMAPORT
  MSGHOOK
  QPRINTER
  QUERYDC
  QUERYDS
  QUERYHR
  SCCONFIG

Chapter 14 Troubleshooting
  Troubleshooting IMA
  Troubleshooting Novell Directory Services Integration
  Collecting Citrix Technical Support Information
  Troubleshooting Frequently Encountered Obstacles

Appendix A Configuring Microsoft SQL Server 2000 for Replication
  Setting up the SQL Server Data Store for Distribution

Appendix B Configuring Microsoft SQL Server 7 for Replication
  Introduction
  Replicating a MetaFrame XP Server Farm's Data Store
  Pointing MetaFrame XP Servers to the Replicated Database

Appendix C Distributing Connections Among NFuse Classic 1.7 Servers
  Overview

Appendix D Using Citrix Products in a Wireless LAN Environment
  Wireless LAN Vulnerabilities
  Citrix Architecture Security

Appendix E Tested Hardware
Appendix F IMA Subsystem Tracing
Appendix G IMA Error Codes
Appendix H Citrix Management Console Error Codes
Appendix I Registered Citrix Ports
Index

Chapter 1 Introduction

Advanced Concepts for MetaFrame XP with Feature Release 2 and Service Pack 2 (this book) is a collection of best practices, tips, and suggestions for effectively using Citrix MetaFrame XP with Feature Release 2 and Service Pack 2. The information in this guide is compiled from departments within Citrix, including the worldwide Test and Development Engineering departments, Systems Engineers, and Citrix Consulting Services.

To get the most from this guide, you should be familiar with the concepts and configuration procedures in the MetaFrame XP Administrator's Guide and additional documentation for MetaFrame XP components. Be sure to read the Feature Release 2 readme file, named sp12-fr2_readme.txt, and the ICA Client readme files for known issues and workarounds.

For further information or to get white papers about some of the topics discussed in this document, visit the Citrix Web site at

Note: All terminology, product references, and recommendations are subject to change without notice.

Editing Registry Settings

Many topics throughout this guide refer to settings in the Windows registry. Be sure to take precautions to protect the security and integrity of the registry on MetaFrame XP servers. For information about backing up the registry and other precautions, refer to the documentation included with Windows operating systems.

CAUTION: Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it. If you are running Windows NT, make sure you also update your Emergency Repair Disk.

Documentation Conventions

References to Load Manager and load management apply to MetaFrame XPa and MetaFrame XPe editions only; Load Manager is not available with MetaFrame XPs edition. References to Citrix Resource Manager, Citrix Installation Manager, and Citrix Network Manager apply to MetaFrame XPe only.

Terms and Abbreviations

For a complete glossary of MetaFrame XP terminology, see the glossary at the back of the MetaFrame XP Administrator's Guide. The following terms and abbreviations are used in this document:

CSG            Citrix Secure Gateway
CSP            Cryptographic Service Provider; used with Smart Card implementations
DCS            Database Connection Server
DirXML         A utility that allows multiple trees to be combined to look like one tree
DLU            Dynamic Local User; created and given rights to access a Windows system when an NDS user logs on to a MetaFrame server
DMZ            Demilitarized zone; a neutral zone between a company's private network and the outside public network. Also referred to as a screened subnet.
DSN            Data Source Name
eDirectory     A platform-independent version of NDS
farm server    Any MetaFrame server in a Citrix server farm, including member servers, data collectors, and host servers
FQDN           Fully Qualified Domain Name
FMS            Farm Metric Server
host server    The MetaFrame XP server in a farm that hosts an Access data store

ICA            Independent Computing Architecture; the protocol developed by Citrix for remote display
IMA            Independent Management Architecture; the internal communication architecture of MetaFrame XP, usually refers to the Citrix IMA Service that is installed with MetaFrame XP
LHC            Local host cache; the subset of information from the data store that resides on each MetaFrame XP server
member server  Any server in a farm that is not a data collector or host server
MSCS           Microsoft Clustering Services; used to allow access to a group of server resources from one access point
MTS            Multi-threaded Server mode for Oracle servers
NDS            Novell Directory Services; NDS contains network resources, such as users, applications, and network devices, in a database
NTS            Windows NT Security authentication mode for Oracle Servers
ODBC           Open Database Connectivity
OPS            Oracle Parallel Server
OS             Operating system, usually referring to the Microsoft Windows 2000 Server Family (with Terminal Services installed) or Microsoft Windows NT Server 4.0, Terminal Server Edition
TSE            Microsoft Windows NT Server 4.0, Terminal Server Edition
WEP            Wireless Encryption Privacy; the communication protocol between a wireless networking card and wireless access point
Win32          32-bit Windows platforms such as Windows NT, Windows 2000, Windows 95, Windows 98, Windows Me, and Windows XP
ZWFD           Novell's ZENworks for Desktops 3; used to manage desktops in a Novell environment

MetaFrame XP, Feature Release 2 Documentation

The documentation for MetaFrame XP, Feature Release 2 includes electronic manuals and online application help. The documentation included with MetaFrame XP is available in the Docs directory on the MetaFrame XP CD. Documentation for ICA Client software and additional MetaFrame components is available on the MetaFrame XP Components CD.

Important additional documentation for Citrix products is available from the Product Documentation page in the Support area of the Citrix Web site at

On a MetaFrame XP server, documentation is installed in a Documentation folder. You can display the contents of this folder by choosing Programs > Citrix > Documentation from the Start menu.

The following documentation is included with MetaFrame XP, Feature Release 2:

- The MetaFrame XP Administrator's Guide provides conceptual information and procedures for system administrators who install, configure, and maintain MetaFrame XP for Windows.
- The sp2-fr2_readme.txt file contains last minute updates, corrections to the documentation, and a list of known problems. This file is in the root directory of the MetaFrame XP CD.
- The NFuse Classic Administrator's Guide and Customizing NFuse include information about installing, configuring, and customizing NFuse.
- The Citrix ICA Client Administrator's Guides provide instructions for system administrators who deploy ICA Clients to end-users on various computing platforms.
- The Citrix Secure Gateway Administrator's Guide provides instructions for installing and administering Citrix Secure Gateway.
- The Enterprise Services for NFuse Administrator's Guide provides instructions for setting up and administering enterprise services that complement NFuse.

Using PDF Documentation

To access the Citrix documentation that is provided in PDF files, use Adobe Acrobat Reader 4 or later. Acrobat Reader lets you view, search, and print the documentation. You can download Acrobat Reader for free from the Adobe Systems Web site. The self-extracting file includes installation instructions.

Typographic Conventions

MetaFrame XP documentation uses the following typographic conventions for Windows directories, command syntax, and keyboard keys:

Convention          Definition
Boldface            Menu commands and commands that you type at a command prompt on a MetaFrame server.
Italics             Placeholders for information or parameters provided by the user (such as filename for the name of a specific file), new technical terms, and book titles.
UPPERCASE           Keyboard keys, such as CTRL for the Control key and F2 for the function key labeled F2.
Monospace           Registry keys and text displayed at a command prompt or in a script file.
%SystemRoot%        The Windows system directory, usually WTSRV, WINNT, or WINDOWS.
%ProgramFiles%      The Windows Program Files directory where application files are placed during installation (default is C:\Program Files).
[ ] (brackets)      Optional items in command statements, such as [/ping] to mean you can type /ping (without brackets) in a command statement.
| (vertical bar)    A separator between items in braces or brackets in command statements, such as { /hold | /release | /delete } to mean you type /hold or /release or /delete.

Using Online Help

Online help is available for the Citrix Management Console and the other tools that are included with MetaFrame XP. You can access online help from the Help menu of each program; the program must be running for you to view its online help.

You can use shortcuts to launch MetaFrame XP utilities and the Citrix Management Console. Shortcut icons are located in the MetaFrame XP folder. To open this folder, click the Start menu and choose Programs > Citrix > MetaFrame XP.

Online help for the Citrix Management Console is in JavaHelp format and requires the Java Run-Time Environment (JRE), which MetaFrame XP installs by default on the server. Online help for server utilities and the Windows ICA Clients is in WinHelp format, which is available by default on all Windows systems. Online help for other ICA Clients uses standard help formats for their platforms.

Citrix ICA Client software for all platforms includes online help for using applications and configuration settings. Help is available from Help menus or Help buttons in the ICA Clients.

Providing Feedback About this Guide

We invite your comments and suggestions to help us ensure that the information in Advanced Concepts is accurate and complete. This document may be updated to include new and revised information and corrections as necessary. New versions of the document will be available on the Citrix Web site.

We strive to provide accurate, clear, complete, and usable documentation for our products. If you have any comments, corrections, or suggestions for improving our documentation, we want to hear from you. You can send to the documentation authors at

Please include the product name, product version number, and the title of the document in your message. Include a detailed description of your correction or suggestion, and your return address if you would like a reply.

Chapter 2 Pre-Installation

Recommended Server Configuration

This chapter includes recommendations for server hardware and operating system configurations. Be sure to read and consider these recommendations before deploying MetaFrame XP with Feature Release 2.

Hardware Configuration

In multi-processor configurations, Citrix recommends a RAID (Redundant Array of Independent Disks) setup. If RAID is not an option, a fast SCSI 2, 3, or Ultra 160 drive is recommended.

For quad and eight-way servers, install at least two controllers, one for operating system disk usage and the other to store applications and temporary files. Isolate the operating system as much as possible; applications should not be installed on its controller. Distribute hard drive access load as evenly as possible across the controllers. One way to accomplish this is to separate the applications and temporary files on two separate controllers.

The sizes of the partitions and hard drives are dependent on both the number of users connecting to the MetaFrame server and the applications running on the server. Running applications such as Microsoft Internet Explorer and the Microsoft Office suite can result in user profile directory sizes of hundreds of megabytes. Large numbers of user profiles can use gigabytes of disk space on the server. You must have enough disk space for these profiles on the server.

Operating System Configuration

All partitions, especially the system partition, must be in NT File System (NTFS) format to allow security configuration, better performance, and fault tolerance. NTFS also saves disk space usage because NTFS partitions have much smaller and constant cluster sizes (the minimum size is 4KB).

FAT partitions require much larger cluster sizes as the size of the partition increases (with the minimum being 32KB). More space is wasted on FAT partitions because the file system requires an amount of physical disk space equal to the cluster size of the partition used to store a file, even if the file is smaller than the cluster size. For more information about cluster sizes of FAT and NTFS partitions, see Microsoft Knowledge Base article Q

If possible, install only one network protocol on the server. This practice frees up system resources and reduces network traffic. If multiple protocols are needed, set the bind order so that the most commonly used protocol is first.

When working with Terminal Services, increase the registry size to accommodate the additional user profile and applications settings that are stored in the registry. On a single-processor server, you need to reserve at least 40MB for the registry. Reserve at least 100MB on quad and eight-way servers.

You can also increase performance by properly tuning the pagefile. For more information about the pagefile, see Microsoft Knowledge Base article Q

Service Packs and Updates

MetaFrame XP servers use Microsoft Jet drivers extensively. The Microsoft Jet Database Engine is used by the local host cache on every MetaFrame XP server. It is also used when Citrix Resource Manager is installed.

Citrix recommends installing Microsoft service packs for the Microsoft Jet Database Engine. Older versions contain memory leaks that appear as Citrix IMA Service memory leaks. Apply these service packs and patches before installing MetaFrame on the servers. See TechNet article Q at for more information.

Important: A memory leak in the Microsoft Jet Database Engine is fixed in Windows 2000 Service Pack 2. To use MetaFrame XP on a Windows 2000 system on which Windows 2000 Service Pack 2 is not installed, you must install the hotfix described in TechNet article Q273772, FIX: Memory Leak in Jet ODBC Driver with SQL_NUMERIC or SQL_C_BINARY Data, at support/.

The amount of memory consumed by the Citrix IMA Service can be reduced by changing MaxBufferSize in a registry entry for the Microsoft Jet 4.0 database engine.

To change the maximum buffer size

1. Run regedt
2. Locate the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Jet
3. Double-click MaxBufferSize in the right pane.
4. In the DWORD Editor dialog box, enter 0x200 in the Data box. Accept the default radix, Hex, in the Radix box.
5. Click OK.

CAUTION: Observe precautions when editing the registry. See Microsoft documentation for more information about backing up and editing the registry.


Chapter 3 Independent Management Architecture

This chapter includes information about the internal communication architecture in MetaFrame XP, known as Independent Management Architecture (IMA), that you should consider during your planning and pilot phases. Be sure to read this chapter before deploying MetaFrame XP in a production environment. Topics discussed in this chapter include:

- Zones
- The server farm's data store
- The local host cache

Understanding Zones

Zones in a farm perform two functions. The first is to collect data from member servers in a hierarchical structure. The second is to efficiently distribute changes to all servers in the farm. All member servers must belong to a zone. By default, the zone name is the ID of the subnet on which the member server resides.

Each zone data collector has a connection open to all other data collectors in the farm. A zone's data collector uses this connection to immediately relay any changes reported by the member servers of its zone to the data collectors of all other zones. Thus all data collectors are aware of the server load, licensing, and session information for every server in the farm.

The formula for interzone connections is N * (N-1)/2, where N is the number of zones in the farm.

If no communication is received from a member server in its own zone within the configured time interval, the zone data collector pings (IMA Ping) that server to verify that it is online. The default interval is one minute. You can configure this interval by adding the following value to the registry. The interval, in milliseconds, is expressed in hexadecimal notation.

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\KeepAliveInterval (DWORD)
    Value: 0xEA60 (60,000 milliseconds default)

In normal operation, data collectors are synchronized through frequent updates. Occasionally, an update sent from one data collector to another data collector can fail. Instead of repeatedly trying to contact a zone that is down or unreachable, a data collector waits a specified interval before attempting to communicate again. The default wait interval is five minutes. You can configure this interval by adding the following value to the registry. The interval, in milliseconds, is expressed in hexadecimal notation.

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\GatewayValidationInterval (DWORD)
    Value: 0x493E0 (300,000 milliseconds)

Configuring Data Collectors in Large Zones

The data collector maintains all load and session information for every server in its zone. By default, a single zone supports up to 256 member servers. If a zone has more than 256 member servers, each zone data collector and potential zone data collector must have a new registry setting. This new setting controls how many open connections to member servers a data collector can have at one time. To prevent the data collector from constantly destroying and recreating connections to stay within the limit, set the registry value higher than the number of servers in the zone. You can configure this value by adding the following value, expressed in hexadecimal notation, to the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\MaxHostAddressCacheEntries (DWORD)
    Value: 0x100 (default 256 entries)

Function of the Data Store in a Server Farm

The data store provides a repository of persistent information about the server farm for all servers to reference. The data store retains information that does not change frequently, including the following:

- Published application configurations
- Server configurations
- Citrix administrator accounts
- Trust relationships
- Licenses
- Printer configurations

CAUTION: If the MetaFrame XP data store database is lost, you must recreate the farm. You cannot recreate the data store from an existing farm.

Database Format

With the exception of indexes, all information in the data store is in binary format. Meaningful queries cannot be executed directly against the data store. Neither Citrix administrators nor users should directly query or change information in the data store. Use only IMA-based tools, such as the Citrix Management Console, to access the information in the data store.

CAUTION: Do not directly edit any data in the data store database with IBM DB2, Microsoft SQL Server, or Oracle tools. Doing so corrupts the farm database and causes the farm to become unstable or completely unusable.

Data Store Activity

All servers in the farm query the data store when they are started. The following registry setting determines whether or not IMA requires a connection to the data store in order to start:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired (DWORD)
    Value: 0 or 1

If the value is 0, IMA can start without a connection to the data store. If the value is 1, IMA requires a connection to the data store in order to start. After the first time the IMA service starts successfully, the value is set to 0.

Working with the Local Host Cache

A subset of the information from the data store is stored locally on each MetaFrame XP server. This subset is called the local host cache (LHC).

All of the servers in the MetaFrame XP server farm query the data store periodically to determine if any changes were made since the LHC was last updated. If changes were made, the servers request these changes. The default data store query interval is 10 minutes. You can configure the interval using the following registry key, with the value expressed in hexadecimal notation:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DCNChangePollingInterval (DWORD)
    Value: 0x927C0 (default 600,000 milliseconds)

Important: If a server in the farm is unable to contact the data store for 96 hours, licensing stops functioning on the member server and connections are disabled.

When the Citrix Management Console is opened, it connects to the specified MetaFrame server. The Citrix IMA Service running on this server performs all reads and writes to the data store for the Citrix Management Console. Most changes made through the Citrix Management Console are written to the data store.

Refreshing the Local Host Cache

If the Citrix IMA Service is running, but published applications do not appear correctly when ICA Clients browse for application sets, you can force a manual refresh of the local host cache by executing dsmaint refreshlhc from a command prompt on the affected server. This action forces the local host cache to read all changes immediately from the data store.

A discrepancy in the local host cache occurs only if the IMA Service on a server misses a change event and is not synchronized correctly with the data store.

Recreating the Local Host Cache

The Citrix IMA Service can fail to start because of a corrupt local host cache. For more information about troubleshooting when the IMA Service fails to start, see Troubleshooting IMA on page 201.

To recreate the local host cache, run dsmaint recreatelhc, which performs three actions:

1. Sets the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired to
2. Deletes the existing imalhc.mdb.
3. Recreates an empty imalhc.mdb.

When the IMA service is stopped and restarted, the local host cache is repopulated with the data from the data store.

Important: The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the Citrix IMA Service fails to start.
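The IMA registry values described in this chapter can be reviewed offline from a .reg export taken on each server. The following Python script is an added example, not Citrix code: it parses an export, converts the hexadecimal DWORDs, and compares them with the defaults documented above. The sample export, the function names, and the servers_in_zone parameter are assumptions made for illustration.

```python
import re

IMA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA"
RUNTIME_KEY = IMA_KEY + "\\Runtime"

# (key, value name) -> (documented default, unit), as given in this chapter.
DOCUMENTED_DEFAULTS = {
    (RUNTIME_KEY, "KeepAliveInterval"): (0xEA60, "ms"),
    (RUNTIME_KEY, "GatewayValidationInterval"): (0x493E0, "ms"),
    (RUNTIME_KEY, "MaxHostAddressCacheEntries"): (0x100, "entries"),
    (IMA_KEY, "DCNChangePollingInterval"): (0x927C0, "ms"),
}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg_export(text):
    """Collect every DWORD value from .reg export text.

    Returns {(key_path_lower, value_name_lower): int}. Registry key and
    value names are case-insensitive, so both are lower-cased.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        dword = _DWORD.match(line)
        if dword and key is not None:
            values[(key, dword.group(1).lower())] = int(dword.group(2), 16)
    return values


def _lookup(values, key, name):
    return values.get((key.lower(), name.lower()))


def audit_ima(values, servers_in_zone):
    """Return (settings, warnings) for one server's parsed export.

    settings maps each value name to (effective_value, unit, state), where
    state is "default", "unset" (the documented default applies) or "changed".
    """
    settings, warnings = {}, []
    for (key, name), (default, unit) in DOCUMENTED_DEFAULTS.items():
        current = _lookup(values, key, name)
        if current is None:
            settings[name] = (default, unit, "unset")
        elif current == default:
            settings[name] = (current, unit, "default")
        else:
            settings[name] = (current, unit, "changed")

    # Chapter guidance: in zones that outgrow the limit, set the value
    # higher than the number of servers in the zone.
    limit = settings["MaxHostAddressCacheEntries"][0]
    if servers_in_zone > limit:
        warnings.append(
            f"MaxHostAddressCacheEntries is {limit} but the zone has "
            f"{servers_in_zone} servers; set it higher than the server count"
        )

    # PSRequired: 1 = IMA needs the data store to start, 0 = it does not.
    ps_required = _lookup(values, RUNTIME_KEY, "PSRequired")
    if ps_required == 1:
        warnings.append("PSRequired is 1: IMA will not start until it reaches the data store")
    elif ps_required not in (0, None):
        warnings.append(f"PSRequired has undocumented value {ps_required}")
    return settings, warnings


# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA]
"DCNChangePollingInterval"=dword:000927c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime]
"KeepAliveInterval"=dword:00007530
"MaxHostAddressCacheEntries"=dword:00000100
"PSRequired"=dword:00000001
'''

if __name__ == "__main__":
    settings, warnings = audit_ima(parse_reg_export(SAMPLE_EXPORT), servers_in_zone=300)
    for name, (value, unit, state) in settings.items():
        print(f"{name}: {value} {unit} [{state}]")
    for warning in warnings:
        print("WARNING:", warning)
```

Exports saved by Registry Editor are often UTF-16 encoded, so decode the file accordingly before passing its text to parse_reg_export.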


Chapter 4 MetaFrame XP Server Farm Design

This chapter includes information to consider when planning the design of your MetaFrame XP server farm. Topics discussed in this chapter include:

- Designing server farms
- Planning zones in server farms
- Choosing a data store database
- Working with the data store database

Designing Server Farms for Enterprises

One of the decisions you must make before you deploy MetaFrame XP is whether or not to implement a single MetaFrame XP server farm or multiple server farms. This section discusses the factors you should consider before you make this decision.

Deploying a Single Farm

While you can configure one server farm in an enterprise environment, there are several factors, including hardware capability, database performance, and network congestion, that can decrease the farm's performance. The following points describe the benefits of implementing a single MetaFrame XP server farm.

- Pooled licenses. All MetaFrame XP licenses are pooled together and can be used by all servers in the farm.
- Simple maintenance and administration. Citrix administrators log on to one farm only for all maintenance and administrative tasks. Administrators do not need to open multiple Citrix Management Console windows to view all servers in the enterprise. Opening multiple Citrix Management Console windows on a server uses more resources than opening a single Citrix Management Console window.

Deploying Multiple Farms

The following points describe the benefits of implementing multiple MetaFrame XP server farms.

- Reduced IMA traffic. One server farm with remote zone data collectors must communicate frequently to keep published application and user connection information synchronized across the farm. Previous versions of MetaFrame queued up these communications and sent them across an ICA gateway at configurable intervals. MetaFrame XP sends these communications as they are generated, requiring a dedicated WAN connection between zone data collectors. If the WAN cannot support the network traffic, you can improve performance by implementing a separate farm at each remote site.
- No data store replication. Citrix recommends that you replicate the data store to remote sites when using one server farm in a WAN environment. Implementing multiple farms eliminates the need for data store replication because each remote site maintains its own data store.
- No Internet traffic. When you implement multiple farms, they do not span an Internet WAN connection. As a result, IMA traffic and ODBC connection information cannot be intercepted.
- No firewall changes. By default, IMA uses TCP ports 2512 and 2513 to communicate. If you want to change the default IMA communication ports, you can do so using the imaport utility. Regardless of the port numbers used for IMA communication, they must be open when the server farm spans a firewall. Implementing a separate server farm at each site eliminates the need to open ports 2512 and 2513 on the firewall and any ODBC ports used for data store communication.

Deploying Multiple Farms at a Single Site

The following points describe the benefits of implementing multiple MetaFrame XP server farms in a single-site environment.

- Departmental Licensing. Implementing a separate server farm for each department keeps licensing localized.
- Separate Administration. Application Service Providers can implement a separate farm for each customer, further easing security concerns and controlling Citrix administrators' access to farms.

With Independent Management Architecture, the internal communication architecture of MetaFrame XP, you can remotely manage multiple farms with the Citrix Management Console.

You can manage all farms from a single server or workstation that has the Citrix Management Console installed. When logging on to the console, Citrix administrators enter the name of a server in the farm to which they want to connect. You can also run multiple instances of the Citrix Management Console simultaneously; for example, one for each farm. However, doing so uses more resources on the server running the multiple instances of the console.

Note: You can use Citrix Enterprise Services for NFuse to provide a single point of access to applications from multiple MetaFrame server farms across the enterprise. For more information about Enterprise Services for NFuse, see the Enterprise Services for NFuse Administrator's Guide, located on the MetaFrame XP Components CD.

Planning Zones in Server Farms

The layout and distribution of zones in a MetaFrame XP server farm can greatly affect the end user's perception of performance. The following recommendations are the result of extensive testing in the Citrix eLabs.

A 500MHz Pentium III data collector can support approximately 190 resolutions per second. The number of resolutions per second that a data collector can handle is directly related to the number of servers hosting a published application. Consider the following points when designing zones:

- The number of users connecting to the farm
- The length of time the average user stays logged on to a session (a single daily session or repeated short sessions)
- The number of users logging on simultaneously
- The number of published applications with load evaluators (using Citrix Load Manager) attached

The last two items result in a much higher load on the data collector. Monitor the CPU and memory usage on the data collector to ensure that it is not being overloaded with requests.

Zone Deployment

Each zone's data collector stores information about all of the servers in the farm. Member servers in each zone frequently send updated session and load information to their zone's data collector. When a user logs on or off, connects or disconnects, or a server load changes, the data collector relays the new information to all other data collectors in the farm. The amount of bandwidth used by each operation increases proportionally to the number of zones.

To optimize performance, keep the number of zones in the MetaFrame farm as low as possible while still being able to fulfill all enumeration and resolution requests in a timely manner. Having a large number of zones in a server farm can impact the performance of the network and the MetaFrame XP farm because this configuration can result in high network bandwidth consumption and decreased performance of the data collectors.

If you experience network congestion or performance degradation in the server farm, consider taking one of the following actions to minimize network traffic:

• Reduce the number of zones in the farm
• Configure each zone to reside on its own subnet

Depending on the server hardware and farm activity, a data collector can support more than 100 servers. Therefore, when sizing a zone, start with 100 servers per zone. Monitor the CPU usage on the data collector during normal farm activity to determine what the data collector hardware can support.

If the data collector begins to get overwhelmed with enumeration or resolution requests or regular reporting, consider taking the following actions to reduce the load on the current data collector:

• Divide the current zone into two zones
• Dedicate the data collector to handle only ICA Client requests and to not accept ICA Client connections

Important If you are installing MetaFrame XP on servers that reside on multiple subnets in the same zone, do not use the default zone name presented to you during MetaFrame Setup. The default zone name is based on the subnet of the server joining the farm. If you did not change the zone name when you installed MetaFrame, you can change it on the farm's Properties dialog box using Citrix Management Console.

Using a Dedicated Data Collector

In general, if users experience slow connection times due to high CPU utilization on the data collector, consider dedicating a MetaFrame XP server to act solely as the zone data collector. When deciding whether or not to dedicate a MetaFrame XP server for use solely as a zone data collector, consider the following factors:

• The number of member servers within the zone
• The number of zones within the farm (interzone communication)
• The number of times users log on and request application enumerations
• The number of times you restart the servers in the zone

Using MetaFrame XP on Multihomed Servers

MetaFrame XP (with Service Pack 1 or later) includes support for multihomed servers. This section explains how to implement MetaFrame XP on a server operating with two or more network interface cards (NICs).

You can run MetaFrame XP on multihomed servers to provide access to two network segments with no direct route to each other. Because each separate network uses the same MetaFrame resources, the networks can access the same server farm. Running MetaFrame XP on multihomed servers also allows you to separate server-to-server communication from client-to-server communication. This scenario is illustrated in the figure below and is the subject of the examples referred to in this section.

Figure: Simple representation of a multihomed MetaFrame server farm (ICA Clients "ICA01" and "ICA02", two routers, multihomed MetaFrame servers "MFSRV01" and "MFSRV02", and Web servers with NFuse Classic "WEB01" and "WEB02", spread across four /24 networks).

Citrix recommends that you do not configure multihomed servers running MetaFrame XP to operate as routers (TCP/IP forwarding).

To successfully run MetaFrame XP on multihomed servers, you may need to manually configure the local routing tables. When Windows automatically builds the server's routing tables, the resulting network card binding order and default gateway configuration may not meet your needs. For information about changing the default gateway, see Configuring a Default Gateway on page 30.

When ICA Clients request a server name or published application, the MetaFrame XP server that receives the request returns the TCP/IP address of the appropriate MetaFrame server. The following requests from ICA Clients require address resolution:

• Find the address of the data collector
• Find the TCP/IP address of a given MetaFrame server name
• Find the TCP/IP address of the least loaded server for a published application

When a MetaFrame server receives an address resolution request from an ICA Client, the server compares the TCP/IP address of the ICA Client to its local routing table to determine which network interface to return to the client. If the routing table is not configured correctly, the client's request cannot be filled.

The figure above illustrates two multihomed MetaFrame servers, each with a connection to the /24 and /24 subnets. Neither server is configured to route between the two network interfaces.

The process described below occurs when an ICA Client requests a response from a MetaFrame XP server.

1. The ICA Client with TCP/IP address (ICA01) sends an address resolution request to the MetaFrame XP server named MFSRV01.
2. MFSRV01 has the TCP/IP address This server also has a second NIC with TCP/IP address
3. ICA01 is configured with MFSRV01 for its server location. ICA01 contacts MFSRV01 and requests a load-balanced application.
4. The TCP/IP address of the least loaded server hosting the requested published application must be supplied to ICA01. MFSRV01 determines that MFSRV02 is the least loaded server.
5. MFSRV02 has two TCP/IP addresses, and

6. MFSRV02 determines the source address of ICA01. The MetaFrame XP server uses its local routing table to determine what network interface should be returned to the client. In this case, the NIC configured on the /24 network is returned to the client. If there is no explicit entry for the NIC in the local routing table, the default route, configured automatically by Windows, is used.
7. MFSRV01 uses the local routing table to correctly respond with the address when directing the client to MFSRV02.

Configuring the Routing Table

To set up a routing table on a multihomed server running MetaFrame XP, first configure a single default gateway and then add static routes.

Configuring a Default Gateway

Although Windows servers build multiple default gateways, the network binding order of the NICs in the server determines which default gateway to use. Using the example illustrated in the figure above, we selected the address as our default gateway. However, we must move the network card operating on the /24 network to the first position in the network binding order.

To configure the network binding order

For Windows
1. Open Start > Control Panel > Network Connections.
2. Select Advanced on the Advanced Settings menu.
3. In the Connections area, move the NIC you want to act as your default gateway to the first position in the list.

For Windows NT
1. Open Properties of Network Neighborhood.
2. On the Bindings tab, select show bindings for All protocols.
3. Expand the TCP/IP branch of the tree.
4. Select the network interface you want to operate as the default route.
5. Click Move Up until the selected NIC is in the first position in the list.

There may be certain environments where the configuration of the network binding order will not be sufficient for MetaFrame XP to function properly. For example, if you have a MetaFrame XP server with two connections to the Internet where each connection provides ICA connectivity for a diverse range of IP subnets, the MetaFrame XP server uses only the default gateway of the first NIC in its network binding order (referred to as Network 1). If the MetaFrame XP server receives a request from an ICA Client on its second NIC (Network 2), which is not the default gateway, and there is no entry in the local routing table of the MetaFrame server for Network 2, the response to the client request is sent through Network 1 and causes the client's request to fail.

Alternatively, you can remove the additional default gateway configurations from each NIC on the server. This is done through the server's TCP/IP configuration. Using servers MFSRV01 and MFSRV02 from our example, we select as our default gateway for both servers and remove the default gateway setting from the NICs operating on the /24 network.

Running the command line utility IPCONFIG on MFSRV01 returns the following:

Windows IP Configuration
Ethernet adapter Local Area Connection #1:
   Connection-specific DNS Suffix. :
   IP Address :
   Subnet Mask :
   Default Gateway :
Ethernet adapter Local Area Connection #2:
   Connection-specific DNS Suffix. :
   IP Address :
   Subnet Mask :
   Default Gateway :

Running IPCONFIG on MFSRV02 returns the following:

Windows IP Configuration
Ethernet adapter Local Area Connection #1:
   Connection-specific DNS Suffix. :
   IP Address :
   Subnet Mask :

   Default Gateway :
Ethernet adapter Local Area Connection #2:
   Connection-specific DNS Suffix. :
   IP Address :
   Subnet Mask :
   Default Gateway :

Adding Static Routes

You can define static, persistent routes to avoid potential routing conflicts. Depending on your network configuration, adding static routes may be the only way to provide ICA connectivity to a multihomed MetaFrame XP server.

The data displayed below uses the example illustrated in the preceding figure. Executing the ROUTE PRINT command from a command prompt on MFSRV01 returns the following routing table:

==========================================================================
Interface List
0x1... MS TCP Loopback interface
0x a0 c9 2b f8 dc... Intel 8255x-based Integrated Fast Ethernet
0x c0 0d f5... Intel(R) PRO Adapter
==========================================================================
==========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
Default Gateway:
==========================================================================
Persistent Routes:
None

MFSRV01 is currently configured with a default gateway using the router at Note that the second client, ICA02, is located on the /24 network, which is accessed through the router at For MFSRV01 to have network connectivity and to avoid using the default gateway when responding to requests from ICA02, define a static route for the /24 network:

ROUTE -p ADD MASK

Executing ROUTE PRINT on MFSRV01 now returns:

===========================================================================
Interface List
0x1... MS TCP Loopback interface
0x a0 c9 2b f8 dc... Intel 8255x-based Integrated Fast Ethernet
0x c0 0d f5... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
Default Gateway:
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric

Configure MFSRV02 the same way. When the static routes are set up, both ICA Clients can ping the TCP/IP addresses of both MetaFrame servers, and the servers can ping the clients. Each MetaFrame server can now correctly resolve the network interface to which either ICA Client is connecting.

The TCP/IP addresses that the ICA01 client can receive are and

The TCP/IP addresses that the ICA02 client can receive are and
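The interface selection and static-route fix described in this section, modelled as an added example (not Citrix code). The lookup is assumed to behave like an ordinary longest-prefix route match, and every address and name below is constructed, because the addresses of the original figure are not available here.

```python
"""Which NIC address does a multihomed server hand back to an ICA Client?"""
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    destination: ipaddress.IPv4Network
    gateway: str      # next hop, or "on-link" for a directly attached subnet
    interface: str    # local NIC address the route is bound to
    metric: int


def route(dest: str, gateway: str, interface: str, metric: int = 1) -> Route:
    return Route(ipaddress.ip_network(dest), gateway, interface, metric)


# Constructed topology, same shape as the figure:
# ICA01 - router - NIC1 segment | NIC2 segment - router - ICA02
NIC1, NIC2 = "10.1.2.11", "10.1.3.11"      # the two interfaces of MFSRV01
ICA01, ICA02 = "10.1.1.50", "10.1.4.50"

# Networks each client can reach through its own router. The server does
# not forward between its NICs, so nothing crosses from one side to the other.
REACHABLE = {
    ICA01: ["10.1.1.0/24", "10.1.2.0/24"],
    ICA02: ["10.1.4.0/24", "10.1.3.0/24"],
}

# Single default gateway on NIC1, no static routes yet.
TABLE_BEFORE = [
    route("0.0.0.0/0", "10.1.2.1", NIC1),
    route("10.1.2.0/24", "on-link", NIC1),
    route("10.1.3.0/24", "on-link", NIC2),
]

# Same table after: ROUTE -p ADD 10.1.4.0 MASK 255.255.255.0 10.1.3.1
TABLE_AFTER = TABLE_BEFORE + [route("10.1.4.0/24", "10.1.3.1", NIC2)]


def select_route(table, client_ip: str) -> Route:
    """Longest prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(client_ip)
    matches = [r for r in table if addr in r.destination]
    if not matches:
        raise LookupError(f"no route to {client_ip}")
    return min(matches, key=lambda r: (-r.destination.prefixlen, r.metric))


def address_for_client(table, client_ip: str) -> str:
    """NIC address the server would return for this client's source address."""
    return select_route(table, client_ip).interface


def client_can_connect(client_ip: str, server_address: str) -> bool:
    addr = ipaddress.ip_address(server_address)
    return any(addr in ipaddress.ip_network(n) for n in REACHABLE[client_ip])


def audit(table) -> dict:
    """Map each sample client to (returned address, reachable by that client)."""
    result = {}
    for client in (ICA01, ICA02):
        returned = address_for_client(table, client)
        result[client] = (returned, client_can_connect(client, returned))
    return result


if __name__ == "__main__":
    for label, table in (("before", TABLE_BEFORE), ("after", TABLE_AFTER)):
        for client, (addr, ok) in audit(table).items():
            state = "ok" if ok else "UNREACHABLE"
            print(f"{label}: {client} is given {addr} -> {state}")
```

Without the static route, the second client falls through to the default route and is handed an address on a segment it cannot reach; the persistent route changes only that client's answer.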

Data Store Guidelines

Use the chart below as a guideline to determine which scenario most closely matches your environment. If your environment doesn't fit neatly into the categories listed, choose the category that has the most in common with your environment.

                Small     Medium    Large     Enterprise
Servers                                       or more
Named users     < 150     < 3000    < 5000    > 3000
Applications    < 100     < 100     < 500     < 2000

The following points describe general recommendations for the server farm's data store:

• Microsoft Access is suitable for all small and many medium-sized environments
• Microsoft SQL Server, Oracle, and IBM DB2 are suitable for any size environment and are especially recommended for all large and enterprise environments

Consider the following points when choosing a database product to host the server farm's data store:

• Microsoft Access is best used for farms that are located in one physical location. Microsoft Access supports only indirect mode for all servers other than the host server and, therefore, has decreased performance compared with a data store operating in direct mode in large farms.
• Access does not support database replication. Select a database product that supports replication when deploying large farms across a WAN. You can obtain considerable performance advantage by distributing the load over multiple database servers.
• In the Citrix eLabs, Microsoft SQL Server, Oracle, and IBM DB2 had similar performance results when tested with large farms.
• Oracle Parallel Server includes the added advantage of load balancing incoming requests among the servers.

CAUTION Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix eLabs. Oracle Parallel Server is designed to allow multiple database servers to access the same back end database. In theory, this would provide good scalability in centrally located farms with hundreds of servers.

The Data Store and the Disk Environment

This section describes factors to consider if you are thinking about putting the server farm's data store in a Redundant Array of Independent Disks (RAID) environment. See the points below for information about cost, performance, and fault tolerance related to four different RAID configurations.

RAID 0

RAID 0 has no redundancy. It is striped, which means that data is divided into blocks spanning multiple disks. RAID 0 has multiple actuators (read/write mechanisms) because of the multiple disk use. More actuators improve read and write performance.

Citrix does not recommend the use of RAID 0 for critical data, such as a MetaFrame XP server farm's data store. The savings realized from purchasing fewer disks does not make up for the costs resulting from downtime and support.

RAID 1

RAID 1 is fully redundant disk mirroring. With disk mirroring, a complete copy of one drive is maintained on another drive. RAID 1 provides high fault tolerance and can improve read performance. However, RAID 1 writes the data twice, which can degrade write performance in single disk/controller environments. In addition, this type of redundancy requires twice the disk space.

RAID 5

Like RAID 0, RAID 5 is striped. However, because RAID 5 adds parity to the data striping, it includes fault tolerance. If one disk in a RAID 5 group fails, the logical disk continues to function. The parity information is used to recreate data on a replacement disk. The loss of two disks in a group at one time cannot be sustained.

RAID 5 uses multiple disk actuators that provide improved read and write performance.

RAID 10

RAID 10 combines RAID 1 and RAID 0. It is a striped and fully mirrored set of disks. It is the best configuration for both redundancy and performance. Because of this, it is the most expensive storage option.

Using Replicated Data Store Databases

Having a single data store is recommended where appropriate, but in some situations, a replicated data store can improve farm performance. This section covers the concerns and situations that arise from using replicated database technology.

High Latency WAN Concerns

High latency links without the use of replicated databases can create situations where the data store is locked for extended periods of time when performing maintenance from remote sites. This means that the Citrix IMA Service may start after extended periods of time and some normal operations may fail when performed from the remote site.

Tip Citrix recommends that you do not perform farm maintenance using the Citrix Management Console from a remote site that has high latency.

The following issues can arise in a high-latency situation:

• Data store writes take longer to complete and, for a period of time, block all additional writes from local or remote sites.
• Data store reads do not generally adversely affect local connections, but remote sites experience slower performance.

Replicated Database Issues

Because servers in a server farm perform many more reads from the data store than writes to the data store, you may want to use replicated databases to speed performance. Most reads occur when the server is starting up because this is when each server populates its local host cache.

In a LAN environment, using replicated databases can speed the startup time of the Citrix IMA Service and improve the responsiveness of the servers in large farms.

In a WAN environment, the configuration of the data store is especially important. Because MetaFrame XP is read-intensive, place replicas of the data store at sites where a considerable number of servers reside. This practice minimizes reads across the WAN link.

Limit the use of replicated databases to situations where the remote site has enough MetaFrame XP servers to justify the cost of placing a replicated copy of the database at the site.

Note Database replication consumes bandwidth. Note that the frequency of database updates is controlled by the configuration of the database software and not MetaFrame XP.

Data Store Requirements

This section describes minimum requirements for the four database products (Microsoft Access, Microsoft SQL Server, Oracle, and IBM DB2) you can use to host a MetaFrame XP farm's data store. Although MetaFrame XP uses ODBC for connectivity, other ODBC-compliant databases are not supported with MetaFrame XP.

The supported and tested versions of database products you can use with MetaFrame XP, Feature Release 2 are listed below.

• Microsoft Access Jet Engine 4.x
• Microsoft SQL Server 7.0 with SP2 and SQL Server 2000
• Oracle Server 7 (7.3.4) for NT
• Oracle Server 8 (8.0.6) for NT
• Oracle Server 8i (8.1.5, 8.1.6) for NT and UNIX
• Oracle Server 9i (9.0.1) for NT
• IBM DB2 with FixPak 5 for NT

The following table lists the supported and tested ODBC client database versions:

Database                       Driver version
SQL 7.0 Enterprise for NT      MDAC
SQL 7.0 Enterprise for NT      MDAC 2.5 SP
SQL 2000 Enterprise for NT     MDAC 2.5 SP
SQL 2000 Enterprise for NT     MDAC 2.6 SP
SQL 2000 Enterprise for NT     MDAC

Database                       Driver version
Oracle for NT
Oracle for NT
Oracle for NT
Oracle for Solaris
Oracle for NT
Oracle for NT
IBM DB2 FixPak 5 for NT

CAUTION The Oracle Client Version is not supported. If you are using this version, upgrade to

Important The and native Oracle Clients require a registry modification prior to the installation of MetaFrame XP 1.0. This does not apply to MetaFrame XP Feature Release 2. Refer to Citrix Knowledge Base article CTX for more information about this issue. You can access the Citrix Knowledge Base at

Tip Before installing an update of Microsoft Data Access Components (MDAC), stop the Microsoft Terminal Services Licensing service. Restart the server before beginning MetaFrame XP Setup. For more information, see the MetaFrame XP Administrator's Guide.

Using Microsoft Access

Choosing Use a local database (Microsoft Access) on this server during MetaFrame XP Setup creates a Microsoft Access database on the MetaFrame server. This database acts as the server farm's data store. The ODBC connection to Access uses Microsoft Jet Engine 4.x.

Minimum Requirements

• Approximately 50MB of disk space for every 100 servers in the farm. The disk space used can increase if a large number of published applications are in the farm.
• 32MB of additional RAM if the MetaFrame XP server will also host connections

Authentication

When you select the option to create an Access database, MetaFrame Setup creates a database called mf20.mdb. The default user name and password for this database are citrix and citrix. To change the password on the database, use the dsmaint config /pwd:newpassword command with the IMA service running. Keep the new password in a secure place so you can access it if you decide to migrate to another database.

Tip Back up the Access database using the command dsmaint backup before changing the password.

Automatic Backup

CAUTION Run dsmaint backup prior to executing dsmaint recover. Do not execute dsmaint recover if no Mf20.bak file exists because this command removes the existing Mf20.mdb from the server.

CAUTION If the server runs out of disk space on the drive where the Mf20.mdb file is stored, automatic backups cease. Ensure that the amount of free disk space is at least three times the size of the Mf20.mdb file.

Each time the IMA service is stopped or a server is restarted, the existing Mf20.mdb file is backed up, compacted, and copied as Mf20.unk. Each time the IMA service starts, it deletes Mf20.bak if it exists and renames the Mf20.unk file to Mf20.bak. This process helps ensure that the Mf20.bak file is a valid farm database. This file is used when the dsmaint recover command is executed. The Mf20.mdb file and all automatic backup files are located by default in the %ProgramFiles%\Citrix\Independent Management Architecture folder.

Additional Notes

• All indirect servers connect and maintain connections to the host server.
• By default, the server that hosts the database is also its zone's data collector.
• Tuning the Jet Database Engine with registry settings can improve performance for large farms. Consult the Microsoft documentation about performance tuning for the Jet Database Engine. Back up both the registry and the Mf20.mdb file before changing the tuning parameters.
• Use dsmaint backup to perform an online backup of the data store. This can be scripted easily in a batch file.
• Back up the MetaFrame XP data store before using the Citrix Management Console to change the data store. Scheduling a daily backup is sufficient in most cases.

Using Microsoft SQL Server

This section suggests the best practices for using Microsoft SQL Server as the data store for the server farm. You should be thoroughly familiar with the information in Microsoft SQL Server documentation before you install and configure Microsoft SQL Server. These recommendations apply to both Microsoft SQL Server 7 and SQL Server

Minimum Requirements

• Approximately 100MB of disk space for every 250 servers in the farm. The disk space used can increase if a large number of published applications are in the farm.
• Set the temp database to Auto Grow on a partition with at least 1GB of free space.
• Verify that enough disk space exists on the server to support growth of both the temp database and the farm database.

Server Configuration

• When using Microsoft SQL Server in a replicated environment, be sure to use the same user account for the data store on each Microsoft SQL Server.
• Each MetaFrame XP farm requires a dedicated database. However, multiple databases can be running on a single Microsoft SQL Server. Do not configure the MetaFrame XP farm to use a database that is shared with any other client/server applications.

• Set the Truncate log on Checkpoint option in your database to control log space.
• Follow Microsoft's recommendations for configuring database and transaction logs for recovery.
• Whenever a change is made using the Citrix Management Console, back up the database. Scheduling a daily backup is sufficient in most cases.

If your MetaFrame XP farm has more than 256 servers and uses a Microsoft SQL Server data store, the number of worker threads available for the database must be equal to or greater than the number of servers in the server farm. Follow the procedure below to increase the number of worker threads.

To increase SQL Server worker threads

1. Launch the Microsoft SQL Server Enterprise Manager.
2. Select Server Configuration Properties.
3. On the Processor tab, change the maximum worker thread count from 256 to a number greater than the number of servers in the server farm.

Comparing Fibers and Threads

Using fibers may provide better performance in some configurations of the SQL server used to house the data store.

The operating system code that manages threads is in the kernel. Switching threads requires mode switches between the user mode of the application code and the kernel mode of the thread manager, a moderately expensive operation. Fibers, a subcomponent of threads, are managed by code running in user mode. Switching fibers does not require the user-mode to kernel-mode transition needed to switch threads.

The application manages the scheduling of fibers. The Windows operating system manages the scheduling of threads. Each thread can have multiple fibers.

Using fibers reduces context switches by allowing SQL Server to handle scheduling rather than using the Windows NT or Windows 2000 Scheduler. Use the lightweight pooling option to configure SQL Server to use fibers.

If applications are running on a multiple-processor system and there are a large number of context switches, try setting the lightweight pooling parameter to 1, which enables lightweight pooling.

After setting this parameter, monitor the number of context switches again to verify that they are reduced.

The default value is 0, which disables the use of fibers. This causes SQL Server to schedule one thread per concurrent user command, up to the number of maximum worker threads.

In fiber mode, an instance of SQL Server allocates one thread per CPU, and then allocates a fiber per concurrent user command, up to the maximum number of worker threads. An instance of SQL Server uses the same algorithms to schedule and synchronize tasks when using either threads or fibers.

Fibers work best when the server has multiple CPUs and a relatively low user-to-CPU ratio. For example, on an enterprise installation with 32 CPUs and 250 users, a noticeable performance boost is seen with fibers. When there are eight CPUs and 5000 users, a performance decrease may be seen with fibers.

Note Threads are most beneficial for the majority of MetaFrame XP data store implementations.

At the time of this release, additional information and instructions about configuring fibers can be found at:

• Search using keywords: SQL Server Task Scheduling
• Search using keywords: Configuring, Threading, Priority, and Fibers
• Search using keywords: Microsoft SQL Server 7.0 Performance Tuning, then select sample chapter.

Authentication and Security

Consider the following points related to authentication and security when using SQL Server.

• Microsoft SQL Server supports Windows NT and Microsoft SQL Server authentication. Consult the Microsoft SQL Server documentation for configuring Windows NT authentication support. For high-security environments, Citrix recommends using Windows NT authentication only.
• The account used for the data store connection must have db_owner (database owner) rights for the database that is being used for the data store.
• For better security, after the initial installation of the database as database owner, set the user permissions to read/write only.

Note Changing user rights from database owner can prevent future MetaFrame XP service packs or feature releases from being installed correctly. Be sure to change permissions back to database owner when installing a MetaFrame XP service pack or feature release.

Using Sockets Rather Than Named Pipes

Citrix recommends that you use TCP/IP sockets to connect MetaFrame XP servers to a Microsoft SQL Server. Data transmissions are more streamlined for TCP/IP sockets and have less overhead. Performance enhancement mechanisms, such as windowing and delayed acknowledgements, can provide significant performance improvement in a slow network.

Named pipes is an authenticated protocol. Any time a user attempts to open a connection to the SQL Server using named pipes, the Windows NT authentication process occurs. TCP/IP sockets do not rely on Windows NT authentication to establish a connection, but do provide user/password authentication to the SQL Server after the connection is established. This eliminates the possibility of an error if the SQL Server and the MetaFrame server do not have the correct domain or ADS trust relationship.

The following procedures explain how to configure the connection to use TCP/IP sockets.

To create a SQL Server data source connection during MetaFrame XP Setup

1. Select Microsoft SQL Server as the data store. You are prompted to create a new data source connection to the SQL Server.
2. Enter the Data Source description and SQL Server to which to connect. Click Next.
3. Select NT Authentication or SQL Server Authentication.
4. Click Client Configuration.
5. Select TCP/IP from the available network libraries. Click OK.

To modify a Data Source Name (DSN) after MetaFrame XP installation

1. Open Data Sources (ODBC) from Administrative Tools. This opens the ODBC Data Source Administrator.
2. On the File DSN tab, browse to %ProgramFiles%\Citrix\Independent Management Architecture.
3. Select the MetaFrame DSN you created when you installed MetaFrame XP. Select Configure.

4. Click Next in the Microsoft SQL Server DSN Configuration dialog box. Select Client Configuration.
5. Select TCP/IP from the available network libraries. Click OK.
6. Click Next and then Finish.
7. Restart the MetaFrame XP Server.

Failover

For fault tolerance with Microsoft SQL Server, use Microsoft Cluster Services (MSCS). This provides failover and failback for clustered systems. An MSCS cluster group is a collection of clustered resources, such as disk drives, that are owned by one of the failover cluster nodes. You can transfer the ownership of the group from one node to another, but each group can be owned by only one node at a time.

The database files for an instance of Microsoft SQL Server 2000 are placed in a single MSCS cluster group owned by the node on which the instance is installed. If a node running an instance of Microsoft SQL Server fails, MSCS switches the cluster group containing the data files for that instance to another node. Because the new node already has the executable files and registry information for that instance of Microsoft SQL Server on its local disk drive, it can start up an instance of Microsoft SQL Server and start accepting connection requests for that instance.

Note MSCS clustering does not support load balancing between clustered servers because it functions in standby mode.

Distributed Databases

MetaFrame XP supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. Microsoft SQL Server uses replication to create the distributed database environment.

MetaFrame XP requires data coherency across multiple databases. Therefore, a two-phase commit algorithm is required for writes to the database. When configuring Microsoft SQL Server for a two-phase commit, you must use the Immediate Updating Subscriber model.

See your Microsoft SQL Server documentation for information about setting up replication with the Immediate Updating Subscriber model. The following procedure explains how to set up a distributed database environment for an existing MetaFrame XP server farm.

To set up a distributed environment for an existing MetaFrame XP server farm
1. Configure a Publisher (the Microsoft SQL Server currently hosting the data store), and Subscribers (remote sites) using Microsoft SQL Server Enterprise Manager.
2. Execute the dsmaint publishsqlds command on a MetaFrame XP server in the server farm. This step executes the necessary SQL statements to create the published articles on the current Microsoft SQL Server (Publisher). For more information about the dsmaint command, see the MetaFrame XP Administrator's Guide.
3. Configure the remote sites (Subscribers) to subscribe to the published articles you created in Step 2.

Using Oracle

The practices outlined in this section are suggested implementations for using Oracle as the MetaFrame XP server farm's data store. They are not intended to be a substitute for the Oracle documentation. Read all of the Oracle documentation prior to installing Oracle. The guidelines described here apply to Oracle7, Oracle8, Oracle8i, and Oracle 9i, except as noted otherwise.

Minimum Requirements

• Approximately 100MB of disk space for every 250 servers in the farm. The space used can increase if a large number of published applications are in the farm.
• The Oracle Client (Version or later) must be installed on the terminal server before you install MetaFrame XP. The client is not supported with any version of MetaFrame XP.

Note: If you do not restart the server after installing the Oracle Client, MetaFrame XP fails to connect to the data store during Setup.

Server Configuration

Consider the following guidelines when configuring an Oracle server to host the MetaFrame XP server farm's data store.

• Create a separate tablespace for the data store to simplify backup and restoration operations.
• Use Shared/Multi-Threaded Server (MTS) mode to reduce the number of processes in farms with more than 100 servers. However, performance may be affected because of high data store load. Consult your Oracle documentation for information about configuring the database to run in MTS mode.
• Add one additional process for each MetaFrame server connected directly to the Oracle database when using an Oracle server in dedicated mode. If the Oracle server uses 100 processes before installing MetaFrame XP and the server farm has 50 servers, set the processes value to at least 150 in the Init.ora file on the Oracle server. Consult the Oracle documentation for more information.
• If you are running Oracle in MTS mode, verify that the following parameters in the Init.ora file are greater than or equal to the values shown below. If you are running multiple farms on the same Oracle database, include all MetaFrame XP servers for the calculations listed below. Round up for fractional values.

  MTS_SERVERS = {#MFXP Servers} / 10
  MTS_MAX_SERVERS = {#MFXP Servers} / 5
  SERIALIZABLE = False
  ROW_LOCKING = Always

• Whenever a change is made using the Citrix Management Console, back up the database. Scheduling a daily backup is sufficient in most cases.
• Citrix recommends online backups using archivelog mode. Archivelog mode reduces the recovery time of a crashed database.

Note: If you are using the same Oracle database for multiple MetaFrame XP server farms, Citrix recommends that you create a unique tablespace for each farm with its own user/password for added security. Do not use the default system account within Oracle.
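The Init.ora guidelines above can be checked mechanically. The following Python sketch is an added example, not Citrix or Oracle code: it parses a constructed Init.ora sample and compares it with the minimums stated above, summing the servers of every farm that shares the database. The function names and the sample file are assumptions made for the illustration.

```python
# Constructed sample Init.ora for illustration (not taken from the guide).
SAMPLE_INIT_ORA = """\
# init.ora (constructed sample)
processes = 120
mts_servers = 10          # sized for an earlier, smaller farm
MTS_MAX_SERVERS = 40
serializable = FALSE
row_locking = intent
"""

# Values the guide requires verbatim when Oracle runs in MTS mode.
MTS_FIXED = {"serializable": "false", "row_locking": "always"}


def parse_init_ora(text):
    """Return {parameter: value}; names are lowercased, '#' comments dropped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params


def minimums(farm_sizes, mode, baseline_processes=0):
    """Numeric floors from the guide; farm_sizes lists every farm on this database."""
    servers = sum(farm_sizes)
    if mode == "dedicated":
        # One extra process per MetaFrame server connected directly.
        return {"processes": baseline_processes + servers}
    if mode == "mts":
        # Integer ceiling: the guide says to round up fractional values.
        return {
            "mts_servers": (servers + 9) // 10,
            "mts_max_servers": (servers + 4) // 5,
        }
    raise ValueError("mode must be 'dedicated' or 'mts'")


def audit(text, farm_sizes, mode, baseline_processes=0):
    """Return a list of findings; an empty list means the file meets the guide."""
    params = parse_init_ora(text)
    findings = []
    for name, floor in minimums(farm_sizes, mode, baseline_processes).items():
        raw = params.get(name)
        if raw is None or not raw.isdigit():
            findings.append(f"{name}: missing or not numeric, need >= {floor}")
        elif int(raw) < floor:
            findings.append(f"{name} = {raw}, need >= {floor}")
    if mode == "mts":
        for name, wanted in MTS_FIXED.items():
            actual = params.get(name)
            if actual is None or actual.lower() != wanted:
                findings.append(f"{name} = {actual}, need {wanted}")
    return findings


if __name__ == "__main__":
    # Two farms (130 and 45 servers) sharing one MTS-mode database.
    for finding in audit(SAMPLE_INIT_ORA, [130, 45], "mts"):
        print(finding)
    # The guide's dedicated-mode case: 100 existing processes, 50 servers.
    for finding in audit(SAMPLE_INIT_ORA, [50], "dedicated", baseline_processes=100):
        print(finding)
```

Pass every farm hosted on the database in farm_sizes, because the guide counts all MetaFrame XP servers together.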

Client Configuration

If you use the Oracle client to access the data store, you must take several steps to ensure proper operation with MetaFrame XP. The Oracle driver installs a security feature, called NT Security (NTS), that uses Windows NT credentials to authenticate to the Oracle server. Because the Citrix IMA Service is configured to use the system account to access the data store, the service fails to connect to the Oracle server when the NTS feature is enabled. If this happens, IMA reports the error code

Note: The following steps are not required with the Oracle client because it does not use NTS.

For MetaFrame XP Setup to recognize that the Oracle x client is installed, do the following:
1. Install the Oracle x client and upgrade to x.
2. Run the Net8 Assistant.
3. Navigate to Configuration > Local > Profile.
4. Select Oracle Advanced Security.
5. On the Authentication tab, remove NTS from the Selected Methods list if it is present.
6. Install MetaFrame XP.

If you use the dsmaint command to migrate from an Access database to an Oracle database, the IMA service fails to start because the Oracle driver alters the logon authentication method. To avoid this problem, disable the Oracle NTS feature before migrating an Access database to Oracle 8.1.7, as described below.

To disable the Oracle NTS feature
1. Run the Net8 Assistant.
2. Navigate to Configuration > Local > Profile.
3. Select Oracle Advanced Security.
4. On the Authentication tab, remove NTS from the Selected Methods list if it is present.
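A pre-installation check for the NTS setting described above, as an added Python example that is not part of the Citrix guide. It assumes the Net8 Assistant profile is stored in the Oracle client's sqlnet.ora file and that the Selected Methods list corresponds to the SQLNET.AUTHENTICATION_SERVICES parameter; neither name appears in the guide, and the sample file is constructed.

```python
import re

# Constructed sample sqlnet.ora (assumption: this is where the Net8 Assistant
# profile is saved; the file name and parameter are Oracle client conventions).
SAMPLE_SQLNET_ORA = """\
# sqlnet.ora (constructed sample)
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME)
SQLNET.AUTHENTICATION_SERVICES =
    (BEQ, NTS)   # NTS = Windows NT native authentication
"""

PARAM = "sqlnet.authentication_services"


def logical_lines(text):
    """Drop '#' comments and join continuation lines (those starting with whitespace)."""
    joined = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())
    return joined


def authentication_services(text):
    """Return the selected methods in upper case, or None if the parameter is absent.

    If the parameter appears more than once, the methods of all occurrences
    are combined so that a stray NTS entry is not overlooked.
    """
    methods, found = [], False
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == PARAM:
            found = True
            for method in re.findall(r"[A-Za-z0-9_]+", value):
                if method.upper() not in methods:
                    methods.append(method.upper())
    return methods if found else None


def check_nts(text):
    """Return (status, detail) where status is 'fail', 'ok' or 'unset'."""
    methods = authentication_services(text)
    if methods is None:
        return ("unset", "parameter not present; confirm the Selected Methods "
                         "list in Net8 Assistant before installing")
    if "NTS" in methods:
        return ("fail", "NTS is selected; the IMA Service runs as the system "
                        "account and cannot connect to the data store")
    return ("ok", "NTS is not among the selected methods: " + ", ".join(methods))


if __name__ == "__main__":
    status, detail = check_nts(SAMPLE_SQLNET_ORA)
    print(status, "-", detail)
```

Run the check before MetaFrame XP Setup and again before a dsmaint migration from Access, the two points at which the guide says NTS must already be removed.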

Authentication and Security

Consider the following points related to authentication and security when using Oracle for the server farm's data store.

• Oracle for Solaris supports Oracle authentication only. It does not support Windows NT authentication.
• Oracle for Windows NT supports both Windows NT and Oracle authentication. Consult the Oracle documentation for information about configuring Windows NT authentication.
• The Oracle user account must be the same for every server in the farm because all servers share a common schema.
• Each farm in the database must have a different user account because the data store information is stored in the Oracle user account's schema.
• The account used for the data store connection needs to have the following Oracle permissions:
  • Connect
  • Resource
  You can also assign the following permission:
  • Unlimited Tablespace

Failover

With Oracle, you can maintain a standby database for quick disaster recovery. A standby database maintains a copy of the production database in a permanent state of recovery. If there is a disaster in the production database, you can open the standby database with a minimum amount of recovery.

Important items concerning Oracle failover:

• With Oracle8i, the management of standby databases is fully automatic.
• The standby database must run on the same version of the kernel that is on the production system.
• Standby databases fail only one way. They cannot fail back.
• If a database fails, use the dsmaint config command to reconfigure the MetaFrame XP servers to point to the standby database.

Citrix recommends the use of a standby database for MetaFrame farms. See the Oracle documentation for instructions about setting up a standby database.

Distributed Databases

MetaFrame XP supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. Oracle uses replication to create the distributed database environment. Important items concerning distributed databases are listed below.

• To reduce the load on a single database server, install read/write replicas and distribute the farm servers evenly across the master and replicas.
• MetaFrame XP requires data coherency across multiple databases. Therefore, a two-phase commit algorithm is required for writes to the database.
• Using Oracle as a distributed database solution requires the following:
  • All participating databases must be running Oracle.
  • All participating databases must be running in MTS/Shared mode (rather than Dedicated mode).
  • All clients (MetaFrame XP direct servers) must be SQL*Net Version 2 or Net8.
• Install the farm database first on the master site, and then configure replication at the snapshot sites.
• Replicate all objects contained in the data store user's schema (tables, indexes, and stored procedures).

Tip: If the performance at the replicated database site is significantly slower, verify that all the indexes for the MetaFrame XP user's schema are successfully replicated.

When configuring Oracle for a two-phase commit, Citrix recommends the following:

• Use updateable, synchronous snapshots with a single master site. MetaFrame XP does not work with read-only snapshots. Some functions need write access to the data store.
• Use Fast Refresh where possible (this requires snapshot logs).
• Do not configure conflict resolution when setting up the replication environment.
• Set the replication link interval to be as frequent as the network environment allows (one minute is recommended). With Oracle replication, if no changes are made, data is not sent over the link.

If Oracle is configured in MTS mode and remote reads or writes are initiated from the remote site, these can block local reads or writes. This is because all connections share a set of worker threads called MTS servers in MTS mode. To remedy this, increase the value of the Max_Mts_Servers parameter in the Init.ora file.

Citrix recommends that you consult the Oracle documentation when setting up replication. You can find documentation for Oracle8i on the Web at technet.oracle.com/docs/products/oracle8i/doc_index.htm.

Using Oracle Parallel Server

CAUTION: Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix elabs. Oracle Parallel Server is designed to have multiple database servers accessing the same back end database. In theory, this provides good scalability in centrally located farms with hundreds of servers.

Oracle Parallel Server can provide exceptional performance gains in extremely large farms where having only a single front-end database server creates a performance bottleneck. An Oracle Parallel Server configuration provides a load-balanced environment where multiple front-end Oracle servers share the same disk subsystem and database tables. Oracle Parallel Server distributes load evenly across all participating servers, and, in the event of a server failure, automatically routes connections to the surviving nodes.

Using IBM DB2

With Feature Release 2, MetaFrame XP supports using IBM DB2 (Universal Database Enterprise Edition Version 7.2 for Windows 2000 with FixPak 5) for the server farm's data store. To use IBM DB2, install the DB2 Run-Time Client and apply FixPak 5 on each MetaFrame XP server that will directly access the database server. If you have multiple MetaFrame XP farms, create a separate database/tablespace for each farm's data store.

Restart the system after you install the IBM DB2 Run-Time Client and FixPak 5 and before you install MetaFrame XP Feature Release 2. You may also need to restart the system after you install the Run-Time Client and before you install FixPak 5. See the documentation included with IBM DB2 for more information.

Important: MetaFrame XP uses the data type of binary large object (BLOB) to store information in an IBM DB2 database. IBM DB2 does not support the use of BLOB data types in an updateable replication scenario. Therefore, if your server farm needs to have updateable replicas, use Microsoft SQL Server or Oracle for the farm's data store instead of IBM DB2.

Depending on the size of your server farm, you may need to modify the following options in IBM DB2 Control Center:

• appheapsz, app_ctl_heap_sz, maxlocks. You may need to modify these options if you have a large server farm (50 or more servers) that is relatively active.
• maxappls. This setting must be greater than the number of servers in the farm, or the servers will fail to connect (the default is 40).
• avg_appls. This setting should be equal to the number of servers in the farm.
• logfilsiz, logprimary, logsecond. You may need to adjust these settings upwards if you are migrating the farm from another database.

Citrix recommends using a separate database with a dedicated tablespace for the MetaFrame XP, Feature Release 2 server farm's data store.

Minimum Requirements

The points outlined below are suggested practices for using an IBM DB2 database for the server farm's data store. Be sure to read the documentation included with IBM DB2 before you install and configure DB2 databases. The following minimum requirements can apply to MetaFrame XP implementations that use DB2 as the farm's data store.

• You need approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. The required disk space increases if a large number of published applications are in the farm.
• If you create a data source name (DSN) for use with an unattended installation of IBM DB2, Citrix recommends that you create the DSN using the Microsoft ODBC Data Source Administration screen. Doing so ensures that the DSN is populated according to MetaFrame requirements for proper connectivity to the DB2 database or tablespace.
• Citrix elabs tested the IBM DB2 environment with the following permissions assigned to the user: connect database, create tables, register functions to execute to database manager's process, and create schemas implicitly.

Distributed Databases

MetaFrame XP supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. You can use a distributed database to distribute the load of reads. IBM DB2 uses replication to create the distributed database environment.

Data Store Network Optimizations

You can configure the MetaFrame data store in several different ways to increase the performance and throughput of the database server. In large farms with powerful database servers, the network can become the performance bottleneck when reading information from the data store during startup. In these circumstances, Citrix recommends that you use a teaming NIC solution, such as adaptive load balancing, to improve the available bandwidth of the data store.

To find out if the network is the bottleneck, monitor the CPU usage on the data store. If the CPU utilization is not at 100% while the Citrix IMA Service is starting and it is still in the process of starting, the network can be the bottleneck.

Testing was performed in the Citrix elabs on a 100Mbps switched LAN. Gigabit Ethernet environments provide much better performance.

Teaming Network Interface Card Configurations

The following teaming NIC configurations were tested on MetaFrame servers and on SQL servers hosting the data store. In all cases, Citrix recommends teaming NICs using the MAC address, not the IP address. Because the MAC address is at a lower layer and is not subject to modification unless the burned-in address (BIA) is modified, this is a more basic and stable configuration.

Network Fault Tolerance

This option provides the safety of an additional backup link between the server and the hub or switch. If the primary adapter fails, the secondary adapter takes over with very minor interruption in server operations. There is no performance gain with this setting, but fault tolerance is improved.

Transmit Load Balancing (Formerly Adaptive Load Balancing)

This option creates a team of adapters to increase transmission throughput and ensure that all network users experience similar response times. All adapters must be linked to the same layer 2 network switch.

As adapters are added to the server, they are grouped in teams to provide a single virtual adapter with increased transmission bandwidth. For example, a transmit load balancing team containing four Fast Ethernet adapters configured for full-duplex operation provides an aggregate maximum transmit rate of 400Mbps and a 100Mbps receive rate, resulting in a total bandwidth of 500Mbps. One adapter is configured for transmit and receive, while the others are configured for transmit only. Adapter teams configured for transmit load balancing provide the benefit of network fault tolerance because if the primary adapter that supports both transmit and receive fails, another adapter then supports this functionality.

Switch Assisted Load Balancing (Formerly Fast Ether Channel)

Unlike transmit load balancing, you can configure Fast Ether Channel (FEC) to increase both transmitting and receiving channels between the server and switch. For example, an FEC team containing four Fast Ethernet adapters configured for full-duplex operation provides an aggregate maximum transmit rate of 400Mbps and an aggregate maximum receive rate of 400Mbps, resulting in a total bandwidth of 800Mbps. All adapters are configured for transmit and receive, with the load spread roughly equally.

FEC works only with FEC-enabled switches. The FEC software continuously analyzes load on each adapter and balances network traffic across the adapters as needed. Adapter teams configured for FEC also provide the benefits of Network Fault Tolerance (NFT).

For more information, see Citrix Knowledge Base article CTX or contact your hardware vendor.

Implementing the Data Store in a Storage Area Network

A Storage Area Network (SAN) is a dedicated high-speed network. It is separate and distinct from the Local Area Network (LAN) that provides shared storage through an external disk storage pool. The SAN is a back end network that carries only I/O traffic between servers and a disk storage pool while the front-end network, the LAN, carries , file, print, and Web traffic.

Fibre Channel Technology

Some early SCSI implementations have a distance limitation of six feet and can support only seven devices. These implementations use a parallel bus with multiple lines running in parallel.

Although some SAN configurations utilize this implementation, the most commonly used SCSI technology for SAN implementations is Fibre Channel. Fibre Channel is the standard for bidirectional communications implementing serial SCSI through a single cable connecting servers, storage systems, workstations, hubs, and switches. It features high-performance serial interconnections.

Fibre Channel has the following capabilities:

• Bidirectional data transfer rates up to 200Mbps
• Support for up to 126 devices on a single host adapter
• Communications up to 20km (approximately 12 miles)

Fibre Channel implementations can use either of the following networking technologies:

• Fibre Channel Arbitrated Loop (FC-AL): FC-AL networks use shared media technology similar to Fibre Distributed Data Interface (FDDI) or Token Ring. Each network node has one or more ports that allow external communication; FC-AL creates logical point-to-point connections between ports.
• Fibre Channel Fabric (FC-SW): Fabric networks use switched network technology similar to switched Ethernet. A fabric switch divides messages into packets containing data and a destination address, and then transmits the packets individually to the receiving node, which reassembles the message. Fabric switches can cascade, allowing a SAN to support thousands of nodes.

Hardware Components

Storage Area Networks typically include the following hardware components:

• Host I/O Bus: The current I/O bus standard is Peripheral Component Interface (PCI). Older standards include Industry Standard Architecture (ISA) and Extended Industry Standard Architecture (EISA).
• Host Bus Adapter: The host bus adapter (HBA) is the interface from the server to the host I/O bus. The HBA is similar in function to a Network Interface Card (NIC), but is more complex. HBA functions include the following:
  • Converting signals passed between the LAN and the SAN's serial SCSI
  • Initializing the server onto a FC-AL network or providing a Fabric network logon
  • Scanning the FC-AL or Fabric network, then attempting to initialize all connected devices in the same way that parallel SCSI scans for logical devices at system startup
• Cabling: Fibre channel cables include lines for transmitting and for receiving. Because of the shape, you cannot install them incorrectly.
• SAN networking equipment: There are many similarities between a SAN and other networks such as a LAN. The basic network components are the same: hubs, switches, bridges, and routers.
• Storage devices and subsystems: A storage subsystem is a collection of devices that share a power distribution, packaging, or management system such as tape libraries or RAID disk drives.

SAN Tape Backup Support

SANs provide easy, on-the-fly tape backup strategies. Tape backups are much quicker and consume fewer resources, because all of the disk access occurs on the SAN's fiber network, and not on the LAN. This allows the data store to be backed up easily even while it is in use.

Cluster Failover Support

The data store is an integral part of the MetaFrame XP architecture. In large enterprise environments, it is important to have the database available all the time. For maximum availability, the data store should be in a clustered database environment with a SAN backbone. Hardware redundancy allows the SAN to recover from most component failures. Adding additional software, such as SQL Server 2000 utilizing Microsoft Clustering Services (MSCS) and Compaq's SANWorks products, allows for the failover in a catastrophic software failure.

With Microsoft Clustering Services, available on Windows 2000 Advanced Server and Datacenter products, you can fail over the MetaFrame XP data store to a functioning server in the event of a catastrophic server failure. MSCS monitors the health of standard applications and services and automatically recovers mission-critical data and applications from many common types of failures. A graphical management console allows you to monitor the status of all resources in the cluster and to manage workloads accordingly. In addition, Windows 2000 Advanced Server and Datacenter Server integrate middleware and load balancing services that distribute network traffic evenly across the clustered servers.

You can build redundancy and recovery into each major component of the data store. Deploying the following technologies can eliminate single points-of-failure from the data store:

• Microsoft Cluster Service (MSCS)
• Redundant hardware
• Software monitoring and management tools

The basic SAN configuration in the figure below shows each clustered server with dual HBAs cabled to separate FC-AL switches. A system with this redundancy can continue running when any component in this configuration fails.

[Figure: Redundant SAN configuration, showing the database cluster, FC-AL switches, and data storage]

SAN architecture is very reliable. It provides redundant systems in all aspects of the configuration with multiple paths to the network. Windows 2000 Advanced Server allows two nodes to be clustered. Windows 2000 Datacenter allows four clustered nodes.

If there is a software or hardware failure on the owner of the cluster node, the MetaFrame servers lose their IMA connection to the database. When the connection is dropped, the farm goes into a two-minute waiting period. The servers then attempt to reconnect to the database. If the Citrix IMA Service cannot immediately reconnect to the data store, it continues to try to reconnect every two minutes. The MetaFrame servers automatically reconnect to the database, which has the same IP address, once it fails over to the other node of the cluster.

Clustering does not mean that both databases are active and load balanced. With SQL clustering, the only supported clustering method allows one server to handle all the requests while the other server simply stands by waiting for the other machine to fail.

Note: When installing MetaFrame in a clustered SQL Server environment, Windows NT authentication must be used for connecting to the database.

SAN Tuning

In addition to increased reliability, you can tune the SAN to provide better database performance. In testing at Citrix elabs, the data store was used mainly as a repository for reading configuration information. In this configuration, the number of reads far exceeds the number of writes. For optimal data access to the data store through the SAN, you can tune the array controller on the SAN for 100% reads and 0% writes.

Note: Tuning the SAN for 100% reads and 0% writes still allows servers to write to the data store.

MetaFrame XP Server Farm Deployment Scenarios

The following sections describe sample MetaFrame XP implementations and make recommendations for each one. Many of the recommendations discussed here are based on product design and theoretical concepts. Every effort was made in the Citrix elabs to test the theories discussed in this section. However, you may encounter issues in live production environments that were not factored into these recommendations.

The abbreviations DS for data store and DC for data collector are used in the following tables.

Small Farm Central Location

This scenario describes a simple single farm environment where all servers reside in one location and are configured as follows:

Servers:
Zone(s): 1-2
Physical Sites: 1
Data Store: Microsoft Access, Microsoft SQL Server, IBM DB2 or Oracle
Connectivity: 10Mbps or higher (LAN)

[Figure: Small farm at a single location]

Citrix recommends the following in this scenario:

• Dedicate a data collector for zones with more than 50 member servers
• Consider creating multiple zones to enhance performance
• If using Access for the server farm's data store, configure a single server to act as the data collector and to host the data store

Large Farm Central Location

This scenario describes a larger, but only slightly more complex, single farm environment where all servers reside in one location and are configured as follows:

Servers: 100+
Zone(s): 3+
Physical Sites: 1
Data Store: Microsoft SQL Server or Oracle
Connectivity: 10Mbps or higher (switched 100Mbps is recommended)

[Figure: Large farm in a single location]

Citrix recommends the following in this scenario:

• Dedicate a data collector for zones with more than 50 member servers

CAUTION: Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix elabs. Oracle Parallel Server is designed to have multiple database servers accessing the same back end database. In theory, this provides good scalability in centrally located farms with hundreds of servers.

• With extremely large farms, use replicated Microsoft SQL Server databases, replicated Oracle databases, or Oracle Parallel Server to improve performance and prevent a bottleneck at the data store
• Do not exceed 25 zones in a single farm

Small Farm Distributed Sites

This scenario describes a small single farm environment where servers reside in a few locations as follows:

Servers: (evenly distributed at a few physical locations)
Zone(s): 1-4
Physical Sites: 2-4
Data Store: Microsoft Access, Microsoft SQL Server, IBM DB2, or Oracle
Connectivity: 512Kbps or higher to a central site or between all locations

[Figure: Small farm with distributed sites]

Citrix recommends the following in this scenario:

• Use a single zone if all distributed sites have a connection to a central site and the frequency of logons is limited.
• If you are using multiple zones, provide all sites hosting a zone with direct connectivity to all other zone sites. Otherwise, all locations need connectivity to a central site where the zone data collector is located.
• Restart servers only when WAN links are at low utilization.

Small Farm Remote Sites

This scenario describes a small single farm environment where small groups of 2-5 servers are distributed in multiple locations.

Servers: (2-5 at each site to support local use)
Zone(s): 1
Physical Sites: 2+
Data Store: Microsoft Access, Microsoft SQL Server, IBM DB2, or Oracle
Connectivity: 128Kbps or higher to a central site

[Figure: Remote sites with central office]

Citrix recommends the following in this scenario:

• Make links dedicated connections to a central site
• Restart servers only when WAN links are at low utilization
• Consider using Virtual Private Network (VPN) technology for remote sites
• Although spanning a farm across a slow WAN is possible, consider centralizing the servers and using ICA across the WAN to optimize performance

Large Farm Multiple Data Centers

This scenario describes a large single farm environment where all servers reside in large data centers as specified in the following configuration:

Servers: 200+
Zone(s): 2-4
Physical Sites: 2
Data Store: Microsoft SQL Server or Oracle (replicated to speed server boot time and minimize WAN queries)
Connectivity: High speed (T1 or higher)

[Figure: Multiple data centers]

Citrix recommends the following in this scenario:

• Use registry settings to fine-tune data collector communication. For more information, see Understanding Zones on page 17.
• Tune database replication intervals to reduce WAN utilization. Be aware that changes made at the central site can take a few minutes to disseminate to replicas.
• The IBM DB2 database does not support updateable replicas and should therefore not be used in this scenario.

Large Farm Regional Sites

This scenario describes a large single farm environment where servers reside both in regional sites and small remote sites.

Servers Zone(s) Physical Sites 2+ Data Store Connectivity 200+ (smaller sites connect to closest regional site) 1 per regional site Microsoft SQL Server or Oracle (replicated to each regional site) High speed (T1 or higher) between all regional sites 128Kbps or higher between regional and smaller sites

[Figure: Regional sites with remote access]

Citrix recommends the following in this scenario:

• Use registry settings to fine-tune data collector communication. For more information, see Understanding Zones on page 17.
• Consider using Virtual Private Network (VPN) technology for remote sites
• Although spanning a farm across a slow WAN is possible, consider centralizing the servers and using ICA across the WAN to optimize performance.
• Tune database replication intervals to reduce WAN utilization. Be aware that changes made at the central site can take a few minutes to disseminate to replicas.
• The IBM DB2 database does not support updateable replicas and should therefore not be used in replicated scenarios.


CHAPTER 5

Deploying MetaFrame XP

This chapter contains recommendations for deploying MetaFrame XP with Feature Release 2 and Service Pack 2, including manual installation, rapid deployment, application publishing, client deployment, and NFuse deployment. Citrix recommends that you deploy Feature Release 2 or Service Pack 2 in all server farms.

Important: Feature Release 2/Service Pack 2 is not supported on Windows NT 4.0, Terminal Services Edition (TSE). Any references to Windows NT 4.0, TSE are for backward compatibility only.

Note: The first installation of Feature Release 2 in a farm requires the specified database user to have database owner permissions.

MetaFrame XP with Feature Release 2 and Service Pack 2 Setup is compiled into a Windows Installer installation package. Windows Installer is a component of Windows 2000 that manages the installation and removal of applications. Windows Installer applies a set of centrally defined setup rules during the installation process that define the configuration of the application.

For more information about Windows Installer technology and the Windows Installer Service, see the Windows 2000 online Help or the Microsoft Web site at For more information about working with the MetaFrame XP, Feature Release 2 Windows Installer package, see the MetaFrame XP Administrator's Guide.

CAUTION: Windows 2000 Server includes Version 1.1 of the Windows Installer Service (MSI) by default. Citrix strongly recommends that you install Windows Installer Version 2.0 or later on the server before you install MetaFrame XP. For more information, see the MetaFrame XP Administrator's Guide.

Important: When upgrading a farm that uses Microsoft Access as the data store, be sure to upgrade the host server first or installation will fail.

If you intend to change the server's drive letters to allow users to retain their original drive letters on client devices, you should do so before you install MetaFrame XP or upgrade to Feature Release 2. If you change server drive letters after installing or upgrading, you must do so before you install any applications.

To change the server's drive letters, click Remap Drives on the Install or Update MetaFrame Autorun screen. You can also run the driveremap utility to change the server's drive letters. For more information about this utility, see DRIVEREMAP on page 184.

To install or upgrade to MetaFrame XP, Feature Release 2
1. Start Autorun from the MetaFrame XP CD, a network share point, or a mapped network drive containing all the files from the CD image.
2. Select Install or update MetaFrame. If you want the new features included with Feature Release 2, select MetaFrame XP Feature Release 2. If you want to install the service pack only, select MetaFrame XP Service Pack 2.
3. Accept the License Agreement and click Next.
   Note: Installation automatically detects which version of MetaFrame is currently installed, if any, and automatically upgrades it to Feature Release 2 or Service Pack 2.
4. After installing Feature Release 2, add and activate the appropriate Feature Release 2 licenses.

Issues to Consider when Upgrading to MetaFrame XP Feature Release 2

You should consider the following issues when upgrading to MetaFrame XP Feature Release 2:

- If MetaFrame 1.8 for Windows 2000 was installed with remapped drives, the COM+ Catalog may have been damaged. To determine if the server has been damaged in this way, click Start > Programs > Administrative Tools > Component Services. In the Console Root, click Component Services > Computers > My Computer > COM+ Applications. If the server is damaged, use the drvremap utility located on the MetaFrame 1.8 for Windows 2000, Feature Release 1 or Service Pack 3 CDs. To use the drvremap utility, perform the following steps:
  1. At a command prompt, type: subst C: M:/
  2. At a command prompt, type: drvremap /drive:m /remap /com
  3. At a command prompt, type: subst C: /d
  4. Restart the server.
  For more information about this issue, refer to Citrix Online Knowledge Base article CTX You can access the Citrix Knowledge Base at
- After an upgrade from MetaFrame 1.8 for Windows 2000 to MetaFrame XP Feature Release 2, the system cannot be downgraded.
- You must install and activate Feature Release 2 licenses to use the new features.
- For reasons of security, SSL settings are not migrated. When upgrading to Feature Release 2, you must reconfigure SSL manually. For more information about configuring SSL, see the Citrix SSL Relay utility's online help.
- If you upgrade a server that does not have Installation Manager and Resource Manager installed, these components are not installed during the upgrade. To install these components, verify that a MetaFrame XPe license is installed, and install these components using Add/Remove Programs in Control Panel.
- After remapping the server's drives and upgrading to Feature Release 2, when you install Internet Information Services (IIS), you must manually modify the file and directory locations for IIS. To modify these locations for IIS, click Start > Administrative Tools > Internet Service Manager. Set the directory locations for Web files and scripts to correct the referenced drive letters. After you correct the referenced drive letters, you can install NFuse Classic.

Downgrading from Feature Release 2

Consider the following issues when downgrading from MetaFrame XP Feature Release 2.

- The Client Update Database used in the Auto Client Update feature is removed completely after a downgrade.
- You can run the downgrade in silent mode by using:
  msiexec /x {1E43A449-2D4E-48EA-A C015123} /l*v C:\unismsi.log /q CTX_DOWNGRADE="Yes"
- After you downgrade, the Documents shortcut may be missing. To view the MetaFrame XP documentation, use Windows Explorer to browse to Program Files > Citrix > Documentation.

Rapid Deployment of MetaFrame XP Feature Release 2/Service Pack 2

This section covers practices regarding rapid deployment of MetaFrame XP in the enterprise environment, including server cloning, unattended installations, and simultaneous installations. For information about unattended installation, refer to the MetaFrame XP Administrator's Guide.

Server Cloning

A few manual steps are required for cloning MetaFrame XP servers. These steps vary depending on the type of data store used for the farm, and are described in the following sections.

MetaFrame XP and feature releases are compatible with server cloning, but cloning software can contain issues that cause the operating system or its add-ons to function incorrectly after being cloned. When using server cloning, it is important to clone one server and test its operation before deploying the rest of the farm.

CAUTION: Do not attempt to image a server with an SSL certificate installed because SSL certificates are unique to the hardware.

Issues to Consider Before Cloning a MetaFrame Server

- Zone settings are not retained when cloning a server. When the Citrix IMA Service on the cloned server starts for the first time, the MetaFrame XP server joins the default zone. The name of the default zone is the ID of the subnet on which the cloned server resides. When deploying images to servers on multiple subnets, assign zone information for each server after the imaging process completes.
- Prior to changing the Security ID (SID) on the machine used to access the Citrix Management Console, add one of the following user accounts as a Citrix administrator with full privileges:
  - A domain administrator
  - The local administrators group
  - A local administrator from a machine where the SID is not being changed

CAUTION: Do not attempt to use drive image software to restore an image of a MetaFrame server with remapped drives. Remapped drives will partially revert to the original configuration on the deployed server, rendering the server unusable. Servers with remapped drives can be duplicated using a hardware solution such as Compaq Smart Array controllers with RAID1 drive mirroring.

You must complete the following tasks before re-imaging a server that is already a member of a MetaFrame server farm.

To prepare a server in a MetaFrame server farm for re-imaging
1. From the Citrix Management Console, remove the list of servers configured to host any applications.
2. Remove the server from the server farm by uninstalling MetaFrame XP.
3. If the server entry still exists in the Citrix Management Console server list, right-click and manually remove the server name from the server list.
4. Apply the system image and add the server to the server farm.

Important: If a server is not removed from a MetaFrame server farm before a new system image is applied to it, performance problems can result. The Citrix Management Console can display invalid data if the server is returned to the same server farm because the old server's host record in the data store is applied to the newly imaged server.

If cloning is not an option, such as when configuring with remapped drives, you can create custom unattended installation scripts for both the operating system and applications, including MetaFrame.

Rapid Deployment if you Are Using Microsoft Access

When using Microsoft Access, you must manually install the first server in the new MetaFrame XP farm that will host the data store. You can image the second server in the farm for the deployment of additional servers.

To image a server for rapid deployment with Access
1. Follow all necessary steps from the MetaFrame XP Administrator's Guide to install the first MetaFrame XP server in the farm.
2. Install a second MetaFrame XP server in the farm with an indirect connection to the data store you created on the first server.
3. With the second server successfully installed and restarted, log on to the console of the second server as a local or domain administrator.
4. On the second server, delete the Wfcname.ini file, if it exists, from the root drive of the server.
5. Stop the Citrix IMA Service using the Services Control Panel. Set the start up type to manual.
6. If MetaFrame XPe components are installed, see Cloning MetaFrame XPe Systems on page
7. Take the image of the second server and then restart the second server.
8. Deploy the image obtained in Step 7.

Important: It is important that some type of SID generation utility be executed when deploying Windows 2000 or Windows NT Terminal Services Edition images.

To set up the server and verify that it is added
1. Set the SID of the server with your chosen SID generator.
2. Rename the new server with a unique name.
3. Manually start the Citrix IMA Service and set the service to start automatically.
4. Verify that the server is successfully added to the farm by executing qfarm at a command prompt. If the addition is successful, the newly imaged server will appear in the list of servers.

Rapid Deployment if you Are Using Microsoft SQL Server, Oracle, or IBM DB2

When using Microsoft SQL Server, Oracle, or IBM DB2 for the server farm's data store, you can image the first server in the farm and use it to deploy all other servers.

To image a server for rapid deployment with SQL Server, Oracle, or IBM DB2
1. Follow the steps from the MetaFrame XP Administrator's Guide for installing the first MetaFrame XP server in the farm.
2. When the server is successfully restarted, log on to the console as a local or domain administrator.
3. Delete the Wfcname.ini file, if it exists, from the root drive of the server.
4. Edit the Mf20.dsn file with Notepad or another text editor. By default, the DSN file is located in the %ProgramFiles%\Citrix\Independent Management Architecture folder. For a Microsoft SQL Server installation, the Data Source Name (DSN) file will look similar to this:

   [ODBC]
   DRIVER=SQL Server
   UID=SQL_USERNAME
   DATABASE=NAME_OF_DATABASE
   WSID=NAME_OF_MF_SERVER
   APP=Citrix IMA
   SERVER=NAME_OF_SQL_SERVER

   Remove the following line:

   WSID=NAME_OF_MF_SERVER

   The DSN now looks like this:

   [ODBC]
   DRIVER=SQL Server
   UID=SQL_USERNAME
   DATABASE=NAME_OF_DATABASE
   APP=Citrix IMA
   SERVER=NAME_OF_SQL_SERVER

5. Save the changes to the DSN file.
6. Stop the Citrix IMA Service and set the start up type to manual.

7. If MetaFrame XPe components are installed, see Cloning MetaFrame XPe Systems on page
8. Take the image of the server and then restart the server.
9. Deploy the image obtained in Step 8.

Important: It is important that some type of SID generation utility be executed when deploying Windows

To verify that the server is added
1. Set the Security ID of the server with your chosen SID generator.
2. Rename the new server with a unique name.
3. Manually start the Citrix IMA Service and set the service to start automatically.
4. Verify that the server is successfully added to the farm by executing qfarm at a command prompt on any server in the farm. If the addition is successful, the newly imaged server will appear in the list of servers.

Cloning MetaFrame XPe Systems

If you are running Resource Manager on a MetaFrame XPe server, you must delete the local database used by Resource Manager (named RMLocalDatabase) so that the cloned server does not retain information from the server you are using as the source for the cloning. The RMLocalDatabase is installed in Citrix Resource Manage\LocalDB in the MetaFrame installation directory, %Program Files%\Citrix by default.

On the cloned server, the RMLocalDatabase file is recreated when the Citrix IMA Service starts. There is no need to manually recreate this database.

Simultaneous Installations

Citrix recommends that you do not simultaneously install more than ten servers. During installation, servers must write configurations to the same indexes in the data store. The more servers installed at once, the greater the probability of creating deadlocks on the database server.

Important: Deadlocks occur when one server times out while waiting to write to a piece of data that is locked by another server. In this event, the IMA service simply retries after a short interval.

When you install servers to a new zone, it is best to first install a single server in the new zone. When installation of the first server in the zone is finished and the server restarts, launch the Citrix Management Console and set the server preference for the first server in the zone to Most Preferred. This avoids problems with new servers in the zone becoming the zone data collector during installation.

Important: When creating a new farm, the first server installed in the first zone is automatically configured with a server preference of Most Preferred. Therefore, the process of setting the server preference described above applies only when creating additional zones.

Deploying Feature Release 2 Using Installation Manager to a Feature Release 1 Server Farm

If you have Feature Release 1 installed in your MetaFrame XPe server farm, you can use Installation Manager to deploy the MetaFrame Setup Windows Installer package to upgrade your servers to Feature Release 2. Note that you can only perform the upgrade to Feature Release 2 on those MetaFrame servers on which you have installed the Installation Manager component for Feature Release 1 (Installation Manager Version 2.1).

CAUTION: Citrix strongly recommends that you upgrade Microsoft Windows Installer to Version 2.0 before you install Feature Release 2. For more information about this issue, see the MetaFrame XP Administrator's Guide.

Before you begin deploying Feature Release 2, make sure you meet the following conditions:
- There are no users logged on to the Feature Release 1 servers (the Feature Release 2 installation requires that you restart the server)
- The network account being used for Installation Manager package deployment is a member of the Local Administrators group on each target server

Important: If you are using Installation Manager Version 2.1 to deploy Feature Release 2 from a Windows Installer package, you cannot use Installation Manager to remove Feature Release 2 from any server on which the package is deployed. If you uninstall the package using Installation Manager, MetaFrame XP is completely removed. If you need to downgrade to Feature Release 1, use Add/Remove Programs to manually uninstall Feature Release 2 from each server.

To deploy the Feature Release 2 Windows Installer package to Feature Release 1 servers
1. Install Windows Installer 2.0 on all the Feature Release 1 servers in the farm. The Windows Installer 2.0 install program, Instmsiw.exe, is in the folder support\msi20 on the MetaFrame XP with Feature Release 2 CD. To install Windows Installer 2.0, either:
   - Install Windows Installer 2.0 manually on each target server. Copy the Instmsiw.exe file from the support\msi20 folder to the target servers, then execute the file.
   -or-
   - Create an unattended installation package for the Windows Installer 2.0 install using the Installation Manager Packager and deploy it to the target servers. Use the /q option for unattended installation. Citrix recommends that you set the Force reboot after install option in Installation Manager when scheduling the installation. This ensures that the server will restart after installation.
2. Copy the contents of the Feature Release 2 CD-ROM to a file share on a network share point.
   Note: Copy the Feature Release 2 files from the CD-ROM manually. Do not use the /a option with the msiexec command to copy files. (For some Windows Installer packages, this method is used to create an Administrator Installation Point.)
3. For deployment of Service Pack 2 only, perform the following steps:
   1. Using a transform editor, create a transform file using MFXP001.msi. If you use Microsoft Orca as the editor, use Version or higher.
   2. From within the editor, choose the Property table in MFXP001.msi.
   3. Find the property CTX_MF_TURN_FEATURE_RELEASE_ON.
   4. Change the value from Yes to No.
   5. Generate a transform file that includes this change and save the file in the same directory as the MFXP001.msi package. If you do not do so, installation will fail.

   Important: Do not alter the original MFXP001.msi file. To download a transform file (servicepack.mst) already prepared for deployment of Service Pack 2 only, see Citrix Knowledge Base Article CTX You can access the Citrix Knowledge Base at
4. Verify that no users are logged on to the consoles of the target servers.
5. Use the Citrix Management Console to connect to the Feature Release 1 farm and in the left pane click Installation Manager. The Installation Manager's network account must have administrator's privileges on each target server and must have permission to access the Feature Release 2 files on the network file share. This cannot be a NetWare Account.
6. Add the Feature Release 2 Windows Installer package to the Installation Manager database.
7. Deploy the Feature Release 2 Windows Installer package to the target servers.
8. For deployment of Service Pack 2 only, add the transform file created in Step 3 above.
9. When the deployment is complete and the servers restart, log on to the server farm from the Citrix Management Console. Add the Feature Release 2 licenses to the farm and activate them.
10. If any server is not included in the package deployment (for example, if you are using the Citrix Management Console from a server in the server farm), upgrade that server to Feature Release 2, either from the files on the network share, or by logging on to a different server and deploying the package to the Feature Release 1 server.
11. Check that all the deployed servers are at Feature Release 2 level.

To deploy Feature Release 2 using Installation Manager and Windows Installer 1.1

CAUTION: Citrix strongly recommends using Windows Installer Version 2.0 because of a memory allocation failure that can be encountered if you use Windows Installer 1.1. If this error occurs, the operating system will need to be reinstalled.

If Windows Installer 2.0 cannot be installed on the target server before deploying Feature Release 2, follow these steps:
1. From the MetaFrame XP CD, navigate to the \support\install folder and copy the Microsoft transform file Ignoremsicheck.mst to the folder that contains the Feature Release 2 Windows Installer package (MFXP001.msi).
   Note: This transform file (with an .mst extension) must be located in the same directory as the Feature Release 2 Windows Installer package. If it is not, deployment will fail.
2. To deploy the Windows Installer package to the target servers, follow the steps above in the section To deploy the Feature Release 2 Windows Installer package to Feature Release 1 servers.

Deploying MetaFrame with Active Directory

Before you attempt to deploy MetaFrame XP Feature Release 2 using Active Directory Services, complete the following tasks:
- Place the target and source servers in the same domain. The source server hosting the Feature Release 2 Windows Installer package and any transforms to be applied must be a member of the same domain as the servers to which Feature Release 2 is being deployed.
- Enable Windows Installer logging (as described below), because Active Directory does not notify the user if a deployment fails.

Important: If you enable Windows Installer logging in Windows Installer Version 1.1 (included by default with the Windows 2000 operating system), passwords are saved in the log file in unencrypted plain text. Check the documentation included with later versions of Windows Installer for support of encrypted passwords in log files.
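Added example (not part of the Citrix guide): because a Windows Installer log can hold passwords in plain text and is also the only record of a failed Active Directory deployment, it needs scrubbing before it is copied off the server and triage to find the failing action. The Python sketch below masks password-like property values and returns the line above each "Return value 3" marker. The log lines, the EXAMPLE_* property names and the secret-name pattern are constructed assumptions, not values from MetaFrame XP Setup.

```python
import re

# Name fragments treated as secret. This list is an assumption; extend it to
# cover the properties your own transforms and command lines pass.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|PWD|SECRET", re.IGNORECASE)
MASK = "********"

# "Property(S): NAME = value" lines from the property dump at the end of a log.
PROPERTY_DUMP = re.compile(r"^(Property\([SC]\): )(\w+) = (.*)$")
# "PROPERTY CHANGE: Adding NAME property. Its value is '...'." lines.
PROPERTY_CHANGE = re.compile(
    r"PROPERTY CHANGE: (?:Adding|Modifying|Deleting) (\w+) property\.")
# NAME=value or NAME="value" pairs on a logged command line. An unquoted
# value containing spaces is only masked up to the first space.
CMDLINE_PAIR = re.compile(r'\b(\w+)=("[^"]*"|\S+)')
# Windows Installer marks a failed action with return value 3.
FAILURE = re.compile(r"Return value 3\b", re.IGNORECASE)


def redact_line(line):
    """Return (scrubbed_line, set of property names whose value was masked)."""
    m = PROPERTY_DUMP.match(line)
    if m and SECRET_NAME.search(m.group(2)):
        return f"{m.group(1)}{m.group(2)} = {MASK}", {m.group(2)}
    m = PROPERTY_CHANGE.search(line)
    if m and SECRET_NAME.search(m.group(1)):
        # Drop everything after "property." so old and new values both go.
        return line[:m.end()] + " [value removed]", {m.group(1)}
    hit = set()
    if "Command Line:" in line:
        def mask(pair):
            if SECRET_NAME.search(pair.group(1)):
                hit.add(pair.group(1))
                return f"{pair.group(1)}={MASK}"
            return pair.group(0)
        line = CMDLINE_PAIR.sub(mask, line)
    return line, hit


def find_failures(lines, context=1):
    """For each 'Return value 3' line, return it with the non-blank lines above."""
    findings = []
    for i, line in enumerate(lines):
        if FAILURE.search(line):
            above = [prev for prev in lines[:i] if prev.strip()][-context:]
            findings.append({"line_no": i + 1, "marker": line, "above": above})
    return findings


def triage(log_text, context=1):
    """Scrub first, then locate failures, so reported context is already clean."""
    scrubbed, masked = [], set()
    for raw in log_text.splitlines():
        clean, names = redact_line(raw)
        scrubbed.append(clean)
        masked |= names
    return scrubbed, sorted(masked), find_failures(scrubbed, context)


# Constructed sample log; property names, action names and values are made up.
SAMPLE_LOG = """\
=== Verbose logging started: 01/01/2003  10:00:00 ===
MSI (s) (A4:1C): Command Line: ADDLOCAL=all EXAMPLE_DB_USER=farmadmin EXAMPLE_DB_PASSWORD="Winter 2003!" REBOOT=Force
MSI (s) (A4:1C): PROPERTY CHANGE: Adding EXAMPLE_DB_PASSWORD property. Its value is 'Winter 2003!'.
Action start 10:00:02: ExampleConfigureDataStore.
Error 1: constructed failure text for ExampleConfigureDataStore

Action ended 10:00:05: ExampleConfigureDataStore. Return value 3.
Property(S): EXAMPLE_DB_USER = farmadmin
Property(S): EXAMPLE_DB_PASSWORD = Winter 2003!
"""

if __name__ == "__main__":
    scrubbed, masked, failures = triage(SAMPLE_LOG)
    print("masked properties:", masked)
    for f in failures:
        print(f"failure at line {f['line_no']}: {f['marker']}")
        for prev in f["above"]:
            print("  preceded by:", prev)
```

Run it against a copy of the log and delete the unscrubbed original from %SystemRoot%\Temp once logging has been turned off again.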

To enable Windows Installer logging
1. Run regedt
2. Locate the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
3. Right-click in any blank space on the right window and select String Value.
4. Name the string value Logging and then click OK.
5. Double-click the new Logging value and enter the string iwearucmopv under Value Data.
6. Restart the system so the new registry value can take effect.

CAUTION: Be sure to turn off Windows Installer logging at the end of the procedure. If you do not, all Windows Installer deployments are logged.

When you enable logging using the procedure specified above, log files are stored in the directory %SystemRoot%\Temp. To determine why a deployment has failed, open the log file and search for the line above Return Value 3.

Deploying MetaFrame XP, Feature Release 2 with CA Unicenter

This section describes the basic steps for deploying Feature Release 2 using CA Unicenter's Software Delivery product. For more detailed information, see the Unicenter documentation, available from the CA Web site at

To deploy MetaFrame XP, Feature Release 2 using CA Unicenter
1. Edit any MetaFrame XP Windows Installer transforms to be applied to the MetaFrame XP Windows Installer installation package. Sample transforms that you can edit to fit your installation scenario are included on the MetaFrame XP CD in the Support\Install folder. For more information about the MetaFrame XP Windows Installer package and the sample transforms, see the MetaFrame XP Administrator's Guide for Feature Release 2, located in the Docs directory on the MetaFrame XP CD.
2. Copy the MetaFrame XP Windows Installer installation package and your customized transforms to a directory on the source server. Citrix recommends that you copy these files to the server's root directory. Copy the installation package and transforms to the same directory.

   Important: Install the Unicenter Software Delivery Agent on each server on which you want to install MetaFrame XP, Feature Release 2. For information about unattended installation of the Agent, consult the CA Unicenter documentation. Feature Release 2 runs on Windows 2000 Server operating systems only.
3. Create a new volume using the Software Library node. In the Register Software dialog box, type the name MetaFrame XP, Feature Release 2 and the version, 1.0. A node is created with this name.
4. On the General tab of the Register Procedure dialog box, choose the Install task and choose Windows 32-bit from the list of operating systems.
5. On the Embedded File tab, enter MFXP001.msi in the File field. In the Subpath field, enter the path to the location of the MetaFrame XP installation package and transforms. If you copied these files to the server's root directory, enter \.
6. Select Install for the MSI method. In the Transforms field, enter the name of any customized transforms you created using the sample transforms from the MetaFrame XP CD.
7. On the Options tab of the Register Procedure dialog box, select all logging options. Click OK to close the Register Procedure dialog box.
8. Right-click the MetaFrame XP, Feature Release 2 node and select Seal.
9. Deploy the MetaFrame XP, Feature Release 2 package. You can drag and drop the package to the target servers listed under the All Computers and Users node.

Important: It is likely that you will receive an error message while deploying MetaFrame XP, Feature Release 2 with Unicenter. This is attributed to an error in Unicenter because in all cases the installation of Feature Release 2 is successful. Clear the error message and then restart the server when prompted.

Installing Citrix Administrative Tools

You use the Citrix Management Console and Citrix Web Console to manage MetaFrame XP server farms. The procedures below explain how to install these administrative tools.

To skip installation of the Citrix Management Console

You can skip installation of the Citrix Management Console. To do so, use the following command during the Feature Release 2 installation:

   msiexec /i mfxp001.msi addlocal=all reinstall=ctx_mf_cmc

To install or upgrade the Citrix Management Console on standalone servers
1. Run Autorun from the MetaFrame XP Feature Release 2 CD.
2. Click Other tools and components > Administrative tools > Citrix Management Console and follow the dialog boxes to complete installation of the Citrix Management Console.

To install the Citrix Web Console on standalone servers

The following software must be installed and requirements met prior to installing the Citrix Web Console as a standalone application on a non-MetaFrame server:
- Internet Information Server 5.0
- The Citrix MetaFrame XP Feature Release 2 MFCOM SDK

Note: The Feature Release 2 MFCOM SDK must point to a MetaFrame XP server with Service Pack 2 installed.

1. Install the MFCOM SDK, following the instructions distributed with the SDK.
2. When prompted, enter the name of the MetaFrame XP Feature Release 2/Service Pack 2 server on which you want to run MFCOM.
3. Insert the Feature Release 2/Service Pack 2 CD.
4. Close the Autorun menu.
5. From a command prompt, run msiexec /i cwc.msi CWC_MFCHECK="N" from the \Administration\CWC directory on the CD.
6. Follow the wizard and complete the installation.

To change the MetaFrame server to which the Web console points, run the command MFREG <servername> from a command prompt or from the run command.

Deploying Citrix ICA Clients

MetaFrame XP Feature Release 2 contains Microsoft Windows Installer (MSI) packages for both the Program Neighborhood Client and the Program Neighborhood Agent. The following section describes how to deploy the Windows Installer clients to various client devices using both the Windows Installer service and Active Directory's IntelliMirror.

Silent Installation of Program Neighborhood Agent or Program Neighborhood Client using Windows Installer

This section describes how to modify the Program Neighborhood Agent and the Program Neighborhood Classic Windows Installer packages so you can use them in a silent installation with the Windows Installer service. A silent installation is an installation without user interaction. Currently, when installing these packages with the Windows Installer service, users are prompted to select a server with the Citrix XML Service installed. To make the deployment of the Windows Installer package truly silent, you must make some modifications.

When you make the following changes, you can use the Windows Installer, Microsoft Systems Management Server, or Active Directory to deliver the modified ICA Clients packages. These packages can be installed without any user interaction.

Requirements
- Program Neighborhood Agent (Version or greater)
- Program Neighborhood Client (Version or greater)
- Microsoft Windows Installer SDK (Version 1.5 or above)

There are two ways to create a silent install package of the ICA Win32 Clients. You can:
- Create a new Windows Installer package with specific changes, or
- Create a transform file (.mst) and apply it to the original Windows Installer package

To create a new Windows Installer package
1. Create a temporary directory on the system and copy the ICA Win32 Client into it. For example, create the directory C:\MST and copy Ica32a.msi into it.
2. Open the Orca editor that comes with the Windows Installer SDK.
3. In the Orca editor, open the Ica32a.msi file.
4. In the Tables pane, select Property.

5. Click Property. The parameters of Property are displayed, as illustrated below.
6. Select the Property column header in the right pane to sort the column into alphabetical order. Scroll through the list to the SERVER_LOCATION object, as displayed below.
7. By default, the value of this object is PNAgent. Change this to the name or IP address of a server that hosts the Citrix XML Service. This server name or address must be prefaced by or FQDN of server> or or FQDN of server>.
8. Change Accept to Yes.
9. Save the file with a new file name; for example, NewIca32a.msi. This will remind you that the file is modified from the original.
10. At a command prompt, type: MSIEXEC /I drive:\newica32a.msi /QN
11. Deploy the new Windows Installer file to a single server first to test that all settings are set correctly.

To create a transform file for the existing Windows Installer file

Creating a transform file is an extension of the procedure for creating a new Windows Installer package. The Windows Installer SDK includes a utility called MSITRAN. MSITRAN compares two Windows Installer files and writes the differences to a file. This file is then used as the transform file.

1. Follow the steps in the procedure, To create a new Windows Installer package on page 82. Run MSITRAN from the command prompt. Use the following syntax:
   msitran -g {base db} {new db} {transform} [{error/validation conditions}]
   For example:
   msitran -g ica32a.msi NewICA32A.msi ICA32A.MST X
2. When you run this utility, you will see the following:
   C:\ >msitran -g c:\mst\ica32a.msi c:\mst\newica32a.msi c:\mst\ica32a.mst x
3. The new MST file can now be used as the transform file for the original ICA32A.msi file. From the command prompt, run:
   ica32a.msi transforms=ica32a.mst

Tip: The latest version of the Windows Installer SDK is available at msdownload/platformsdk/sdkupdate/.

Silent Installation of Program Neighborhood Agent Executable

You can limit user interaction with the self-extracting executable setup program by entering values in the Install.ini file before you deploy the Program Neighborhood Agent to your users.

Important: You can use any standard compression utility to extract the client files from the packaged executable. However, you must use commercially available software to repackage the client files for distribution to your users.

To configure the self-extracting executable for silent user installation
1. Extract the ICA Client files from Ica32a.exe using your preferred compression utility software, or by entering the following at a command prompt:
   ica32a.exe -a -unpack:<directory Location>
   where <Directory Location> is the directory to which you want to extract the client files.
2. Locate and open the Install.ini file in a text editor. You can set the following parameters. When you enter values for these parameters, the setup program dialog boxes do not appear on the user's screen.
   - ServerURL=<NFuse Classic server URL>
     The default value is PNAgent. Enter the URL of the NFuse Classic server hosting the Config.xml file in the format or servername for SSL-secured communications.
   - SetMachineNameClientName=<On>
     This accepts the Windows machine name as the client device name.
   - Location=<installation location>
     Use <PROGRAM_FILES> to install the files in a directory in the Program Files folder.
   - StartMenu=<Start menu path>
     The path entered here is appended to the Programs folder of the Start menu.
   - InstallSingleSignOn=<On>
     This enables pass-through authentication.
   - AcceptClientSideEULA=<On>
     This accepts the end-user license agreement.
3. Save the file and exit the text editor.
4. This step is optional and is only required for specifying a default NDS context. Locate and open the Install.ini file in a text editor. Locate the section named [WFClient]. Add the following line to the list of parameters and values in the [WFClient] section: DEFAULT_NDSCONTEXT=<Context1 [, ]>. If you are including more than one context, separate the contexts by a comma. Save the file and exit the text editor.
5. Repackage the client files for distribution to your users.

Citrix ICA Client Deployment on the Compaq iPAQ

The ICA Client is supported on Compaq iPAQ devices. This device can be used as a client as well as a server farm management tool for high density MetaFrame servers.

Recommended client version combinations:

- ICA Client for WinCE ARM: 6.20
- Extranet client for PocketPC

Tip: The ICA Client supports input from both the iPAQ keyboard and character recognizer and transcriber within a session.

iPAQ Configuration

Configure the following settings in the ICA Client for better performance with cellular digital packet data (CDPD) or code division multiple access (CDMA) connections:

- Disable sound
- Deselect Use Printer configuration utility
- Limit session color depth to 256 colors
- Set the encryption level to Basic
- If possible, avoid accessing the client drives in the session

To run the Citrix Management Console in an ICA session, set the ICA settings as follows:

- Window Size: Absolute (in pixels). When you set the Allow Intermediate Zoom Factor, the ICA Client can dynamically zoom the session window.
- Window Color: 256.
- Data Compression: On.

The version of Internet Explorer that comes installed on the iPAQ supports the Citrix Web Console if it is installed on the MetaFrame server. Some manual adjustment of the screen is necessary; however, the Web Console will be fully functional. To access the Citrix Web Console, enter the URL of the server where the Web Console is installed; for instance

Wireless LAN (802.11b) and Traditional Network Connections

Any network settings selected for the iPAQ should have minimal impact on session performance because of the high speeds and available bandwidth on most networks and wireless LANs.

To alleviate poor CDPD connections or to provide better support for roaming on a wireless LAN, adjust the Keep Alive settings on the MetaFrame servers. This improves performance and helps prevent connections from being dropped on networks that contain dead spots. See the Citrix Knowledge Base article CTX for configuration settings. You can access the Citrix Knowledge Base at

Deploying NFuse Classic

NFuse Classic 1.7 is distributed with MetaFrame XP, Feature Release 2. If you are installing NFuse Classic 1.7 into a MetaFrame XP environment, be sure to read the documentation that ships with NFuse Classic 1.7. See the NFuse Classic Administrator's Guide for information about the interoperation between NFuse and MetaFrame XP. This section provides additional deployment information that is not included in the NFuse Classic 1.7 documentation.

Important: If you install NFuse 1.7 on a server that is running MetaFrame XP Service Pack 1/Feature Release 1 or earlier and that has remapped server drive letters, you must change every instance of C:\ in the NFuse.properties file to the new %SystemRoot% drive letter. If you are upgrading the server to Feature Release 2/Service Pack 2, this operation is performed automatically. Stop and restart the WWW Service for the changes to take effect.

NFuse Classic 1.7 Deployment Tips

- If you are installing NFuse Classic 1.7 on Internet Information Server 4.0, see the Microsoft Knowledge Base article IIS 4.0 Recommended Installation Procedure. This article contains tips concerning the fine-tuning of the IIS 4.0 Web server for best performance. You can access this article at
- When using NFuse Classic 1.7 with ticketing in a server farm, ensure that the Citrix XML Service is running on all servers in the farm and is configured to listen on the same port number on all servers. Also, check that all the servers have licenses.

NFuse Classic 1.7 Launch Optimizations

The NFuse Classic 1.7 Web server can be configured to send application authentication, enumeration, and launch requests to specific servers in the farm. This functionality is equivalent to the Default Server Location setting in Program Neighborhood.

NFuse Classic 1.7 Scalability

In the Citrix eLabs, the NFuse Classic 1.7 Web extension has never been a performance bottleneck. NFuse Classic 1.7 scalability is equivalent to any ASP or JSP Web site.

Chapter 6

Publishing Applications

This chapter includes information about deploying applications with Citrix Installation Manager, publishing applications in environments with large numbers of objects, and using the Content Redirection feature.

Using Installation Manager to Deploy Windows Installer Packages

Consider the following issues before you use Citrix Installation Manager to deploy Windows Installer packages.

- If you are applying more than one Windows Installer transform file (files with the .mst extension) to the same Windows Installer package (files with the .msi extension), each transform will install different components but apply them to the same MSI package. For example, if you use transforms with an installation file for Microsoft Office, any components you select in the transforms are not installed even though the installation job appears to complete successfully.
- It is not necessary to record Microsoft patch packages (files with the .msp extension). You can browse through Installation Manager and add the *.msp file.
- You can uninstall a Microsoft patch package from the target server; however, you cannot uninstall the patch from the server to which it was deployed. If you need to apply another patch to the application installed on the target server, first uninstall the application on the target server and then deploy the application and the patch again.

Important: When installing multiple Windows Installer packages (with or without Installation Manager), a memory leak can occur in Msiexec.exe. To avoid this issue, install the latest Windows 2000 service pack available from Microsoft.

Force Reinstall Option

When a package is scheduled to be deployed to a target server, Installation Manager detects if the package is already installed. If an application from the package is detected, Installation Manager does not deploy the application and instead reports a status of Already Installed. If you need to overwrite an existing installation, set the Force Reinstall option on the Properties screen of the already installed package. This new installation can be used to fix any previously damaged installations or to overwrite the existing application of the same version with any changes you applied.

Note: After you use the Force Reinstall option to write over a package, the package you used to install the original application cannot be used to uninstall the application from the target server. You can uninstall only the newly installed package. After you use the Force Reinstall option on the same package, the Installed Packages tab for the target server reports two records for the same package.

Installation Manager Interoperability

Installation Manager Version 2.2, the version of Installation Manager included with MetaFrame XP, Feature Release 2, supports packages created with Installation Manager Version 2.1, the version of Installation Manager included with MetaFrame XP, Feature Release 1. However, some applications may not behave as expected if you use the older version of Installation Manager with MetaFrame XP, Feature Release 2. Because of this, Citrix recommends that you recreate any packages using Installation Manager Version 2.2. When recording a package, configure the source server the same as the target servers.

Interaction with Load Manager and Application Publishing

Use the Application Publishing wizard to deploy Installation Manager packages in the server farm through the Installation Manager node of the Citrix Management Console. The wizard allows you to automatically install, publish, and load balance the applications. If you use Installation Manager without the wizard, applications are not automatically published or load balanced.

Note: Packages created by earlier versions of Installation Manager may not allow access to this feature.

Uninstallation Behavior

By default, a deployed package can be uninstalled using only the original package. For example, you cannot directly uninstall an ADF package that has a status of Already Installed. Instead, perform another full installation using the Force Reinstall option. This new package can be used to uninstall the same package. The application can also be uninstalled from target servers without Installation Manager by using Add/Remove Programs in Control Panel.

Note: If you uninstall from the Already Installed package, the target server will not detect the uninstall and still report that the package is installed.

Application Deployment Considerations with Installation Manager 2.2

The version of Installation Manager included with Feature Release 2 is improved in the areas of usability, scalability, stability, and functionality. However, there are some items to consider:

- Installation Manager prematurely reports success on unattended installations of packages. Installation Manager spawns unattended installations on the remote target servers. After the unattended installation sequence is activated remotely, the Installation Manager software on the remote server takes over. Because the job is done on the source server, Installation Manager reports success.
  Workaround: Check the individual servers to verify success.
- Installation Manager does not support Novell NetWare share points for package deployment, although the Citrix Management Console allows you to browse to a NetWare share point.
  Workaround: Copy the desired package and files to a Windows NT share point and deploy from that location.

- The package group's custom network credentials are not used if you use the browse button in the Add Package window to add that package group. With Feature Release 2, you can create a package group and customize its network account and default file share path. This is so you can set a different file share path for your package having different permissions than the default network credentials and file share path you set in the Installation Manager Properties window. The customized network account is not used when you use the browse button in the Add a Package window to browse for a package for the package group.
  Workaround: Type the full path to the package in the File field of the Add a Package window.

Publishing in Domains with Thousands of Objects

MetaFrame XP with Feature Release 2 was tested in domains with over 10,000 objects in a single directory services container. Using MetaFrame XP in a directory services or domain environment that contains a large number of objects, such as Novell Directory Service or Microsoft Active Directory Service, presents factors you should consider.

If you use a directory services environment with a large number of objects, the following recommendations can help you when publishing applications:

- Use groups to categorize and easily assign permissions to large numbers of users. An application published to one group of 1,000 users requires MetaFrame XP to validate only one object for all 1,000 users. That same application published to 1,000 individual user accounts requires MetaFrame to validate 1,000 objects.
- Do not assign more than 1,000 users or group objects to a published application. This practice decreases the application publishing time, because all user and group accounts must be verified. Publishing an application with 10,000 objects may take up to 41 minutes to complete. Although the Citrix Management Console may appear to time out after five minutes, MetaFrame continues to publish the application in the background.
- Use the Add List of Names button instead of scrolling to locate a user when the user's container holds thousands of objects.

Working with the Content Redirection feature

This section includes information about using the Content Redirection feature. With Content Redirection, you determine which applications remote or local users launch and in which situations. Use Content Redirection to redirect application launching from:

- Client to server
- Server to client
- Server to server

For information about how to configure and use Content Redirection from client to server and from server to client, see Chapter 10 of the MetaFrame XP Administrator's Guide. For information about how to set up MetaFrame for Content Redirection from server to server, see Content Redirection from Server to Server on page 97.

Content Redirection From Client to Server

When you configure Content Redirection from client to server, users running the ICA Win32 Program Neighborhood Agent open all files of the associated type encountered in locally running applications with applications published on the MetaFrame XP server. You must use NFuse Classic to allow users to connect to published applications with the Program Neighborhood Agent. The Program Neighborhood Agent gets updated properties for published applications from the NFuse Classic server. When you publish an application and associate it with file types, the application's file type association is changed to reference the published application in the client device's Windows registry.

Using FTACLN.exe

Use the ftacln utility, located on the MetaFrame XP CD in the location Support\debug\i386, to clean up the file type associations in the Windows registry on the device running the Program Neighborhood Agent.

The file type associations on the client device may become unusable if the Program Neighborhood Agent software is unresponsive or if the MetaFrame XP server farm goes offline while users are logged on. If these situations occur, restart the Program Neighborhood Agent after logging off or exiting. This restores the client device's operating system to its default state.

However, if you encounter situations where the Program Neighborhood Agent ceases to function, use the ftacln utility to restore the client device's file type associations. This utility has been tested on client devices running Windows 95, Windows 98, and Windows XP Professional.

To use this utility, execute Ftacln.exe from a command line. The utility returns a list of the file type extensions that were cleaned up. Citrix recommends that you log back on to the farm at this point using Program Neighborhood Agent to restore the application sets and published content.

You can use the standard Microsoft utility ftype, which is built into all Windows operating systems, to determine which file types are currently available and with which applications they are associated. For more information about this utility, see its online help (use the parameter /?) or the Microsoft Web site at

Note: Content Redirection from client to server does not work for Windows NT user accounts on Windows NT 4.0 Workstation and Windows NT 4.0 Server without terminal services because the Windows registry on these platforms works differently. Users on client platforms that use HKLM instead of HKCU must have local administrator privileges for content redirection to work. Microsoft merged HKCU\Software\Classes and HKLM\Software\Classes starting with Windows NT 4.0, Terminal Server Edition (TSE).

Using Windows Explorer on Client Devices

If you enable Content Redirection from client to server, context menu commands available from within Windows Explorer function differently than on client devices that do not use this feature. For example, if you right-click a file in Windows Explorer on a client device with Content Redirection from client to server enabled for the file type, the Open command opens the file with the remote application on the MetaFrame XP server. Most commands on the Windows Explorer context menu are unaffected because they are not configured under keys modified by MetaFrame XP Feature Release 2. MetaFrame overwrites only the items that are under ...\classes\<filetype>\shell. Context menu items are generally defined by each application when installed.

The table below describes the behavior for the most commonly used context menu commands on client devices that have Content Redirection from client to server enabled and are running the Program Neighborhood Agent.

Menu Command | Behavior with Program Neighborhood Agent and Content Redirection
Open | Opens the file in the published application associated with the file type.
Open With [Set under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts] | In some cases, you may have a submenu command available called PN Agent. If you select this, the file is opened in the published application associated with the file type.
Edit | Not available locally until you log off, exit, or restart Program Neighborhood Agent.
Print | Not available locally until you log off, exit, or restart Program Neighborhood Agent.
New | Not available locally until you log off, exit, or restart Program Neighborhood Agent.

Content Redirection From Server to Client

When Content Redirection is enabled from server to client, embedded URLs are intercepted on the MetaFrame server and sent to the ICA Client using the ICA Control virtual channel. The user's locally installed browser is used to play the URL. Users cannot disable this feature.

For example, users may frequently access Web and multimedia URLs they encounter when running a program published on a MetaFrame server. If you do not enable Content Redirection from server to client, users open these URLs with Web browsers or multimedia players present on MetaFrame servers. To free servers from processing these types of requests, you can redirect application launching for supported URLs from the MetaFrame server to the local client device.

Setting Default Web Browser Messages

If you enable Content Redirection from server to client, users may see messages when the Web browser on the MetaFrame XP server starts. The message states that the Web browser is not the default browser for the system.

Change the following Windows registry settings to stop the messages from appearing.

To set Internet Explorer as the default Web browser, make the following change under \HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main:

   check_associations=no

To set Netscape as your default Web browser, make the following change under HKEY_LOCAL_MACHINE\SOFTWARE\MOZILLA\Desktop:

   value=havebeenset=1

Working with URL Types

The following URL types are supported by default with Feature Release 2 when Content Redirection from server to client is enabled. URLs for the Web sites of companies that create products associated with the URL types are included for your convenience.

   RTSP    Real Player and QuickTime
   RTSPU   Real Player and QuickTime
   PNM     Older Real Players
   MMS     Microsoft's Media Format
   HTTP    Hypertext Transfer Protocol
   HTTPS   Secure Hypertext Transfer Protocol

Examples of streaming video server software include Apple's Darwin Streaming Server 4, Microsoft's Windows Media Services, and Real Network's RealSystem Iq. Hardware based solutions include Amnis Systems NAC-3000 and VBrick Systems 3200 and

Known Issues for Content Redirection from Server to Client

- Content Redirection from server to client is unidirectional. This means that if a user clicks a URL in a mail program running in a remote session, the link is launched in a browser installed on the client device. However, if the user attempts to use the mailto function, for example, inside the locally running browser, that mail link is not redirected back to the remotely running mail application. The default mail program on the client device opens.
- For server to client Content Redirection to function, MetaFrame must access the SHELL/open/command values for application types. This is what is changed to redirect and point to the use of ServerFTA.exe.
- Microsoft Word for Windows (Winword.exe) does not redirect HTTP or HTTPS type hyperlinks to the Web browser on the client device. For example, if a user clicks a hyperlink encountered in a Word document running in the remote Word application, the Web browser on the MetaFrame XP server opens, not the locally installed Web browser. This is because the Microsoft Office suite does not directly access the Shell values and redirects these types of links directly to the application itself. MMS and PNM URL links do work from within Word.
- Neither the Notepad text editor (Notepad.exe) nor the Write text editor (Write.exe) support URL hyperlinks.
- The Textpad text editor (Version 4.5.0, 32 bit edition from Helios Software Solutions) redirects both the HTTP and HTTPS types of URL hyperlinks. This application does not redirect multimedia URL links, however.

Content Redirection from Server to Server

Enable Content Redirection from server to server to allow users to access information with applications published on different MetaFrame XP servers. When you enable Content Redirection from server to server, users working in one published application on a MetaFrame server can open attachments with different applications published on different MetaFrame servers.

To enable Content Redirection from server to server, you must install the Program Neighborhood Agent on any MetaFrame XP servers hosting published applications to which you want to give users access. For example, if Microsoft Word is published on server A and you want users running Word to be able to open Microsoft Excel spreadsheets embedded into Word documents, you must install the Program Neighborhood Agent on Server A (the server running Word).

MetaFrame XP with Feature Release 2 supports this scenario:

Word is published on Server A. A user opens a Word document and sees an inserted icon or link to an Excel spreadsheet. Excel may be published on Server B. When the icon or link is accessed, the content will open in Excel.

MetaFrame XP with Feature Release 2 does not support this scenario:

Word is published on Server A. A user opens a Word document that has an embedded chart that was originally created with Excel and linked or embedded into the Word document. The user will not see the chart. Object linking and embedding (OLE) is supported only if both applications are published on the same server.

Note: Because the Program Neighborhood Agent is configured to start each time a user launches a remote session, multiple instances of Program Neighborhood Agent are launched if a user has more than one session running on the same server and session sharing is not enabled. For example, if a user launches Outlook on one server and attempts to open a Word attachment without session sharing enabled, two instances of the Program Neighborhood Agent will run.

To enable Content Redirection from server to server

1. Install the ICA Win32 Program Neighborhood Agent on the MetaFrame XP servers hosting the published application to which you want to give users access. Point the Program Neighborhood Agent to an NFuse Web server.

2. Create a command script file in the location %WINDIR%\system32. A sample script file is listed below.

   REM begin
   @echo off
   start C:\PROGRA~1\Citrix\PNAgent\PNagent.exe
   REM end

   Be sure that the path to the Program Neighborhood Agent executable is in the short form and does not include spaces.

3. Add the command script file you created in Step 2 to the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Add the file name to the AppSetup value. Typical entries for AppSetup can include UsrLogon.Cmd,cmstart.exe,PNAgent.cmd.

4. Add PNAgent.exe to the list of executables that must be terminated when users log off by editing the registry key HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI. Add the executable name to the value LogoffCheckSysModules.
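AppSetup runs its entries at every logon, so it is worth checking after this procedure that the value holds only what you expect. The following added example (not from the Citrix documentation) audits the AppSetup value, the command script from step 2 and the LogoffCheckSysModules value, all passed in as exported strings; the comma-separated format assumed for LogoffCheckSysModules and the sample inputs are assumptions.

```python
# Added example: audit the values the server-to-server procedure touches.
# Inputs are plain strings exported from the registry and the script file.
# Assumption: LogoffCheckSysModules is a comma-separated list like AppSetup.

# Typical AppSetup entries named in the procedure (compared case-insensitively).
EXPECTED_APPSETUP = {"usrlogon.cmd", "cmstart.exe", "pnagent.cmd"}


def split_list(value):
    """Split a comma-separated registry string into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def script_commands(script_text):
    """Return the commands a .cmd file runs, skipping blanks, REM and echo off."""
    commands = []
    for raw in script_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low == "rem" or low.startswith("rem "):
            continue
        if low in ("@echo off", "echo off"):
            continue
        commands.append(line)
    return commands


def audit_logon_script(appsetup, logoff_modules, script_name, script_text):
    """Return (code, message) findings; an empty list means the setup matches."""
    findings = []
    entries = split_list(appsetup)
    for entry in entries:
        if any(ch in entry for ch in "\\/:"):
            # The procedure adds a bare file name for a script in %WINDIR%\system32.
            findings.append(("path", entry + " is given with a path, not a file name"))
        elif entry.lower() not in EXPECTED_APPSETUP:
            findings.append(("unexpected", entry + " is not an expected AppSetup entry"))
    if script_name.lower() not in [entry.lower() for entry in entries]:
        findings.append(("unregistered", script_name + " is not listed in AppSetup"))

    starts_agent = False
    for command in script_commands(script_text):
        verb, target = (command.split(None, 1) + [""])[:2]
        target = target.strip()
        if verb.lower() != "start":
            findings.append(("script-extra", "also runs at every logon: " + command))
            continue
        if " " in target or '"' in target:
            findings.append(("script-spaces",
                             "path is not in short form without spaces: " + target))
        if target.strip('"').lower().endswith("pnagent.exe"):
            starts_agent = True
        else:
            findings.append(("script-extra",
                             "starts something other than PNAgent.exe: " + target))

    modules = [module.lower() for module in split_list(logoff_modules)]
    if starts_agent and "pnagent.exe" not in modules:
        findings.append(("no-logoff-kill",
                         "PNAgent.exe is missing from LogoffCheckSysModules"))
    return findings


if __name__ == "__main__":
    # Constructed sample: an extra entry with a path and a long-form script path.
    for code, message in audit_logon_script(
            "UsrLogon.Cmd,cmstart.exe,D:\\tools\\inventory.cmd",
            "example.exe",
            "PNAgent.cmd",
            "start C:\\Program Files\\Citrix\\PNAgent\\PNagent.exe\n"):
        print(code, "-", message)
```
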

Known Issues for Content Redirection from Server to Server

- In some instances the Program Neighborhood Agent logon dialog box may appear in the background.
- If Pass-Through Authentication is not enabled in the Program Neighborhood Agent software running on MetaFrame XP servers, users are prompted for their credentials each time an application is launched on a new server. See the ICA Win32 Clients Administrator's Guide for more information about Pass-Through Authentication and the Program Neighborhood Agent.
- Using Word as the default Outlook mail editor may affect how the Program Neighborhood Agent connection is made if a user launches a Word attachment from Outlook.

Troubleshooting Tips, Error Messages, and Conditions

Content Redirection from Client to Server

If you see the error messages listed below, check that the appropriate conditions are met.

- Logon failure: unknown user name or bad password.
  Action: Verify the user has proper access permissions to the share point of the document or application.
- The network name cannot be found.
  Action: Verify that client device mapping is not disabled or is disabled for the ICA session and/or user account.
- If you connect to a Web page that contains an embedded document link or a UNC path to the link (for example, to an Excel spreadsheet), Content Redirection from client to server will not work and you are prompted to Open, Save as, or Cancel the document.
  Action: Save the document locally. Program Neighborhood Agent then launches an ICA session and displays the contents of the Excel file.

You may encounter the following scenarios if you enable Content Redirection.

Scenario 1

1. Publish Excel on a MetaFrame XP server and associate it with the .xls extension.
2. Publish Internet Explorer but do not associate it with any extensions.

3. From a client running the Program Neighborhood Agent, log on and connect to the Internet Explorer published application.
4. Save a .xls type file to a remote network share point and make sure the user has access to the share.
5. In Internet Explorer, create a link to the .xls type file you created in Step 1.

The Program Neighborhood Agent does not open the remote Excel to display the file. Instead, you are prompted to choose from Open, Save As, or Cancel. The ICA session opens Excel and displays the contents properly if the document link is first saved to the local hard disk drive and then launched. This behavior also works if you enter the path in the Run dialog box, accessed from the Start menu on a client device running Program Neighborhood Agent.

Scenario 2

Content Redirection from client to server does not redirect shortcuts located on a network UNC share from the client device. For example, if you map client device drive letters to network shares, and you attempt to open a file of a file type associated with a published application, the file does not open in the published application. Instead, you receive an error message after the published application opens informing you that the file could not be opened. If you open the shortcut on the local client drive and not the network share, the file opens in the published application.

Scenario 3

In some instances Citrix Management Console may report the wrong file type associations for a published application. This issue has occurred using Notepad.exe as a published application and associating it with the .txt file types to enable Content Redirection from client to server. You may encounter this issue when you view the Content Redirection tabs in the following areas:

- The farm's Properties dialog box
- The Application folder
- Any newly created folders

Scenario 4

Content Redirection from client to server does not function properly for Adobe Acrobat Reader 4.0 files (files with a .pdf extension). If you attempt to redirect Acrobat Reader files from the client to the server, and Acrobat Reader Version 4.0 is installed on the client, you may encounter the following problems.

- If a .pdf file is opened from within Internet Explorer, Internet Explorer launches Acrobat using the DDEExec application AcroView. As long as any instance of Internet Explorer is open, AcroView remains resident and all attempts to launch .pdf files are redirected to the local viewer.
- If you attempt to launch Internet Explorer, it attempts to launch both the DDEExec and the Open commands (which point to Program Neighborhood Agent). In this case, you may receive an error message stating that the file cannot be found.

Enhanced Content Publishing and Content Redirection Support in NFuse Classic 1.7

This section provides further information about NFuse Classic 1.7 support for the Enhanced Content Publishing and Content Redirection features available in Feature Release 2 for MetaFrame XP.

Published content can be associated with a published application in a server farm. Previously, users could open published content only with locally installed applications. When published content is accessed, content redirection now allows the ICA Clients to automatically launch a connection to a MetaFrame server and open that content.

For applications to work with Enhanced Content Publishing and Content Redirection, they must be capable of accepting command line arguments. For example, Notepad accepts UNC addresses but not URLs.

To associate an application with content, the application must be published appropriately on the MetaFrame server. When an application is published, the percent and asterisk symbols (%*) must be included at the end of the command line; for example:

   C:\Program Files\Office\WINWORD.EXE %*

Note that the Citrix Management Console in Feature Release 2 for MetaFrame XP includes the %* automatically. If the percent and asterisk symbols are not included, the application starts but the content does not appear when users attempt to open the content.
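Because the content address is handed to the published application on its command line (the %* above), a script that launches content can check the address before using it. The following is an added example, not part of the Citrix documentation: it accepts only http/https URLs and UNC paths on listed servers, with listed extensions, that stay a single argument. The allowlists are hypothetical and fileserver01 is a made-up name.

```python
# Added example: decide whether a content address may be passed to the
# published application as its command-line argument.
# The allowlists are hypothetical; fill them from your own farm.
import ntpath
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"mywebsite", "fileserver01"}    # hypothetical servers
ALLOWED_EXTENSIONS = {".doc", ".xls", ".txt"}    # types with a published application
MAX_LENGTH = 255                                 # arbitrary cap chosen for this example


def reject_reason(address):
    """Return None if the address is acceptable, otherwise a short reason."""
    if not address or len(address) > MAX_LENGTH:
        return "empty or too long"
    # The address must remain ONE argument: no whitespace, quotes or control characters.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == '"' for ch in address):
        return "whitespace, quote or control character"

    if address.startswith("\\\\"):
        # UNC form: \\server\share\...\file
        if "/" in address:
            return "mixed path separators"
        parts = address[2:].split("\\")
        if len(parts) < 3 or not all(parts):
            return "UNC path is not \\\\server\\share\\file"
        host, segments = parts[0], parts[1:]
    else:
        if "\\" in address:
            return "mixed path separators"
        try:
            url = urlsplit(address)
            host = url.hostname or ""
        except ValueError:
            return "malformed URL"
        if url.scheme.lower() not in ALLOWED_SCHEMES:
            return "scheme not allowed"
        if url.username is not None or url.password is not None:
            # The address is written into the generated ICA file.
            return "credentials embedded in URL"
        segments = url.path.split("/")

    if ".." in segments:
        return "parent-directory segment"
    if host.lower() not in ALLOWED_HOSTS:
        return "host not allowed"
    # The published application is chosen from the extension, so pin that too.
    if ntpath.splitext(segments[-1])[1].lower() not in ALLOWED_EXTENSIONS:
        return "extension has no approved published application"
    return None


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("http://mywebsite/spec.doc",
                   "\\\\fileserver01\\docs\\q3.xls",
                   "http://mywebsite/spec.doc /x",
                   "http://elsewhere.example/spec.doc"):
        print(repr(sample), "->", reject_reason(sample) or "accepted")
```

A launch script would set the command-line session field only when `reject_reason` returns `None`, and otherwise refuse the request.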

Using Web Server Scripts

This section is for users who are familiar with writing Web server scripts to manipulate NFuse Classic Java objects. It provides information about the Java objects associated with the Content Publishing feature. It also provides example scripts that are designed to act as a guide to using the NFuse Classic objects.

Content Publishing uses the new findappbyextension() method on the existing AppDataList object. This method accepts the address of the content and searches the list of applications it contains for one that supports the associated type of content (based upon the document's extension). For example, if a Microsoft Word document is published as the URL: the following is used: findappbyextension ( ).

If a published application is available that supports the document content (in this example, Microsoft Word), an NFuse Classic App object is returned that describes the published application. The application can then be launched using NFuse Classic, passing the address of the published content (in this example, mywebsite/spec.doc) as a command-line parameter. The latest ICA Clients (Version 6.30 or later) support the specification of command-line arguments through ICA files using the LongCommandLine setting (except the ICA Java Client).

Example scripts are shown below for both ASP (Active Server Pages for IIS Web servers) and JSP (JavaServer Pages for Java Web servers). These scripts assume that the address of the published content is supplied as a URL or UNC path. The main steps in the scripts are:

1. Obtain the list of published applications available to the user
2. Locate the published application associated with the content's extension
3. Launch the published application by generating an appropriate ICA file

ASP Example

Obtain the List of Applications

    Set credentials = Server.CreateObject("com.citrix.nfuse.ClearTextCredentials")
    credentials.initialize "user", "domain", "password"
    Set gateway = Server.CreateObject("com.citrix.nfuse.CitrixWireGateway")
    gateway.initialize credentials
    Set applist = gateway.getappdatalist()

Locate the Published Application Using File Type Association

    Set contentapp = applist.findappbyextension("

103 Chapter 6 Publishing Applications 103 Launch the Application with the Content ' Create a TemplateParser object (to generate the ICA file) Set parser = Server.CreateObject("com.citrix.nfuse.TemplateParser") ' Set up the launching credentials CookStr = "NFuse_User=user&NFuse_Domain=domain&NFuse_LogonMode=Explicit&NF use_password=password" ' Set these as cookie session fields parser.setcookiesessionfields(cookstr) ' Set the published application to use for launching the content urlsessionfields = "NFuse_Application=" & contentapp.getnameurlencoded & "&NFuse_AppFriendlyNameURLEncoded=" & contentapp.getfriendlynameurlencoded ' Set these as URL session fields parser.seturlsessionfields(urlsessionfields) ' Set the address of the content to use as a command line argument parser.setsinglesessionfield "NFuse_AppCommandLine", " spec.doc" ' Specify the template ICA file to use parser.setsinglesessionfield "NFuse_Template", "template.ica" ' Generate the content of the ICA file and return as MIME type "x-ica" ' This will cause the browser to launch the ICA file and hence the ' published application. If parser.parse() Then Response.ContentType = "application/x-ica" Continue = True While (Continue) HtmlString = parser.getnextdatablock() If Len(HtmlString) = 0 Then Continue = False Else Response.write(HtmlString)

104 104 Advanced Concepts for MetaFrame XP End If Wend Else ' Parser failed. Attempt to display the published content using ' local (client side) application. Response.Redirect(docURL) End If JSP Example Obtain the List of Applications ClearTextCredentials credentials = new ClearTextCredentials(); credentials.initialize("user", "domain", "password"); CitrixWireGateway gateway = new CitrixWireGateway(); gateway.initialize(credentials); AppDataList applist = gateway.getappdatalist(); Locate the Published Application Using File Type Association App contentapp = applist.findappbyextension(" Launch the Application with the Content // Create a TemplateParser object (to generate the ICA file) TemplateParser parser = new TemplateParser(); // Set up the launching credentials String CookStr = "NFuse_User=user&NFuse_Domain=domain&NFuse_LogonMode=Explicit&NF use_password=password"; // Set these as cookie session fields parser.setcookiesessionfields(cookstr); // Set the published application to use for launching the content urlsessionfields = "NFuse_Application=" + contentapp.getnameurlencoded + "&NFuse_AppFriendlyNameURLEncoded=" + contentapp.getfriendlynameurlencoded; // Set these as URL session fields

105 Chapter 6 Publishing Applications 105 parser.seturlsessionfields(urlsessionfields); // Set the address of the content to use as a command line argument parser.setsinglesessionfield("nfuse_appcommandline", " spec.doc"); // Specify the template ICA file to use parser.setsinglesessionfield("nfuse_template", "template.ica"); // Generate the content of the ICA file and return as MIME type "x-ica" // This will cause the browser to launch the ICA file and hence the // published application. if (parser.parse()) { String contenttype = parser.getcontenttype(); response.setcontenttype(contenttype); boolean continue = True; while (continue) { String HtmlString = parser.getnextdatablock(); If (HtmlString.length() == 0) { continue = False; } else { out.println(htmlstring); } } } else { // Parser failed. Attempt to display the published content using // local (client side) application. response.sendredirect(docurl); } Sample Template.ica File [Encoding] InputEncoding=ISO8859_1 [WFClient]

106 106 Advanced Concepts for MetaFrame XP Version=2 ClientName=[NFuse_ClientName] RemoveICAFile=yes [ApplicationServers] [NFuse_AppName]= [[NFuse_AppName]] Address=[NFuse_AppServerAddress] InitialProgram=#[NFuse_AppName] LongCommandLine="[NFuse_AppCommandLine]" DesiredColor=[NFuse_WindowColors] TransportDriver=TCP/IP WinStationDriver=ICA 3.0 [NFuse_ClientLogon] [NFuse_SOCKSSettings] AutologonAllowed=ON [NFuse_Ticket] [NFuse_IcaAudio] [NFuse_IcaWindow] [NFuse_IcaEncryption] SessionsharingKey=[NFuse_SessionSharingKey]
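The scripts above assume the content address arrives as a URL or UNC path and then place it in the template's quoted LongCommandLine setting. The following check of that assumption is an added example in Python, not part of the Citrix manual or the NFuse Classic API; the function names, the accepted URL schemes and the sample addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: only these URL schemes count as published content.
ALLOWED_SCHEMES = {"http", "https"}

# \\server\share\path form; components exclude characters Windows forbids in names.
UNC_RE = re.compile(r'^\\\\[^\\/:*?"<>|]+(\\[^\\/:*?"<>|]+)+$')

# The one template line (from the sample Template.ica) that receives the address.
TEMPLATE_LINE = 'LongCommandLine="[NFuse_AppCommandLine]"'


class ContentAddressError(ValueError):
    """Raised when an address is not a plain URL or UNC path to a document."""


def validate_content_address(addr):
    """Return (kind, extension) for an acceptable address, otherwise raise.

    kind is "url" or "unc"; extension is the lower-cased document extension,
    which is what file type association keys on.
    """
    if not addr:
        raise ContentAddressError("empty address")
    # The value ends up between double quotes on a single line of the ICA
    # file, so quotes and control characters (CR, LF, TAB, ...) are refused.
    if '"' in addr or any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        raise ContentAddressError("quote or control character in address")

    if addr.startswith("\\\\"):
        if not UNC_RE.match(addr):
            raise ContentAddressError("malformed UNC path")
        kind, path = "unc", addr
    else:
        parts = urlsplit(addr)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            raise ContentAddressError("not an http(s) URL or UNC path")
        kind, path = "url", parts.path

    # Last path component must look like name.ext for the extension lookup.
    leaf = re.split(r"[\\/]", path)[-1]
    name, dot, ext = leaf.rpartition(".")
    if not dot or not name or not ext.isalnum():
        raise ContentAddressError("no document extension to associate")
    return kind, ext.lower()


def render_long_command_line(template_line, addr):
    """Substitute a validated address into the LongCommandLine template line."""
    validate_content_address(addr)
    return template_line.replace("[NFuse_AppCommandLine]", addr)


if __name__ == "__main__":
    # Constructed sample addresses.
    samples = [
        "http://intranet.example/specs/spec.doc",
        r"\\fileserver\docs\plan.xls",
        "http://intranet.example/readme",          # no extension
        'http://intranet.example/a.doc" extra',    # embedded quote
    ]
    for sample in samples:
        try:
            print(sample, "->", validate_content_address(sample))
        except ContentAddressError as exc:
            print(sample, "-> rejected:", exc)
```

Run the check before the address is handed to findappbyextension() and to the NFuse_AppCommandLine session field, and send rejected requests to an error page rather than to the redirect fallback.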

CHAPTER 7

Integrating MetaFrame with Novell Directory Services

Overview

Feature Release 2 supports Novell Directory Services (NDS) authentication to MetaFrame XP servers, published applications, and published content. This chapter explains how to use NDS with Feature Release 2 for MetaFrame XP, NFuse Classic, and the ICA Win32 Clients (Version 6.20 and later).

This chapter assumes that you are familiar with NDS and related Novell products. See the Novell Web site at for more information about the Novell products referred to in this document.

Prior to the release of Feature Release 1, MetaFrame XP offered limited support for NDS users through the use of the BUILTIN group. In MetaFrame XP, you select the BUILTIN group to specify dynamic local users managed by Novell's ZENworks for Desktops when you publish applications and assign users to network printers.

While use of the BUILTIN group is supported in Feature Release 2 for MetaFrame XP for backward compatibility, Citrix recommends enabling NDS support in Feature Release 2. Feature Release 2 allows tighter integration between MetaFrame XP and NDS trees and allows NDS users to take advantage of more features.

To use NDS with MetaFrame XP, Feature Release 2, you must install and activate a Feature Release 2 license. At least one server in the server farm must have Feature Release 2 enabled.

Implementing NDS Support in MetaFrame XP

With Feature Release 2, you can now use MetaFrame XP to publish applications, desktops, and content for users managed by NDS or Directory Services in Windows 2000 and Windows NT. However, using MetaFrame XP in a network environment that employs multiple directory services requires careful planning.

Read the following sections carefully before installing MetaFrame XP and Feature Release 2 in an NDS environment.

Planning your Deployment of MetaFrame XP for NDS Support

To use MetaFrame XP, Feature Release 2 in an NDS environment, complete the following tasks in the order they are listed. Each task is explained in detail in this chapter.

1. Decide which servers will host applications and content published for NDS users when MetaFrame XP is installed.
2. Install the Novell Client for Windows NT/2000, Version 4.81 or later on those servers.
3. Install MetaFrame XP and Feature Release 2. Activate the required MetaFrame XP and Feature Release 2 licenses. Set the MetaFrame XP server Feature Release level to Feature Release 2.
4. Enable the Dynamic Local User policy in ZENworks for Desktops or make sure the same user accounts and passwords exist in both NDS and Windows NT or Active Directory domains.
5. Enable NDS support in the MetaFrame XP server farm. Assign Citrix administrator privileges to NDS objects. Log on to the Citrix Management Console with NDS credentials. Publish applications, desktops, or content for NDS users on MetaFrame XP Feature Release 2 servers to which only NDS users will connect.
6. If you are using NFuse Classic, enable NDS support in NFuse Classic.
7. Instruct users how to connect to published applications and content using their NDS credentials. If you are deploying the ICA Win32 Program Neighborhood Agent, enable NDS support in the Program Neighborhood Agent.

The following sections outline the procedures required to use MetaFrame XP, Feature Release 2 in an NDS environment.

Farm Layout and System Requirements

Using MetaFrame XP in a network environment that employs multiple directory services requires careful planning. While the MetaFrame XP server farm can contain servers that are in Windows NT or Windows 2000 domains and servers enabled for NDS, MetaFrame XP servers running the Novell Client and that use Dynamic Local User functionality should be members of a workgroup, and not members of a domain. You must use the Dynamic Local User feature of Novell ZENworks for Desktops in this configuration.

To implement MetaFrame XP in an NDS environment, designate application servers to host applications and content published only for NDS users. These servers must run Version 4.81 of the Novell Client for Windows NT/2000 and MetaFrame XP, Feature Release 2.

The following figure illustrates the required layout of a MetaFrame XP server farm supporting NDS.

[Figure: MetaFrame XP Farm, showing NDS Users, All Other Users, servers hosting applications and content published for NDS users, and servers hosting applications and content published for all other users]

The following software must be installed for MetaFrame XP to successfully access NDS:

On the NDS server (a server supporting NDS authentication and responding to NDS queries from clients):
    • NDS eDirectory 8.5 for Windows or for Novell NetWare 5 with Support Pack 6 or later, or for Novell NetWare 5.1 with Support Pack 2 or later, or NetWare 6 and later.

On MetaFrame XP for Windows Servers:
    • Novell Client for Windows NT/2000, Version 4.81 or later
    • MetaFrame XP for Windows, Feature Release 2

Important: If using ZENworks Dynamic Local User function to gain access to Windows, you must install Novell ZENworks for Desktops 3 or later.

If you are not using ZENworks to gain access to Windows, you must have accounts with the same user name and password in both NDS and Windows NT or Active Directory domains. To synchronize domains, do either of the following:
    • Manually synchronize accounts.
    • Use third-party software such as Novell's Account Manager 2.1 for NT or DirXML that can automatically synchronize accounts between NDS and Windows NT domains.

Important: IP (Internet Protocol) is the only supported protocol for interaction between MetaFrame XP, NDS, and ZENworks for Desktops.

Installing Required Software

Citrix recommends installing the Novell Client and related service packs on a server before installing MetaFrame XP. If the server is already running MetaFrame XP, see "Installing the Novell Client on a Server with MetaFrame XP" on page 111.

Installing the Novell Client on a Server Without MetaFrame XP

Complete the following tasks prior to installing MetaFrame XP.

1. Install and configure the Novell Client for Windows NT/2000, Version 4.81 or later.
2. Restart the server.
3. Verify that you can log on to NDS. If you cannot log on to NDS, you may need to add a Directory Agent (DA) location to the Novell Client. A DA is needed when the NDS server is located on a different subnet. If a DA does not exist, make sure that the NDS server and the MetaFrame server are part of the same subnet.
4. To optimize logon and browsing response times, change the order of the network providers using the following steps:
    • Right-click the My Network Places icon on the server's desktop.
    • Choose Properties from the shortcut menu. The Network and Dial-up Connections dialog box appears.
    • Choose Advanced Settings on the Advanced menu. The Advanced Settings dialog box appears.
    • On the Provider Order tab, adjust the order of the network providers so that Microsoft Windows Network is above NetWare Services.
    • Click OK to close the Advanced Settings dialog box.
5. To optimize logon time, add the Windows fonts directory located in %systemroot% to the system path environment variable.
6. To suppress a MetaFrame XP setup program error message informing you that the FileSysChange parameter is invalid, complete the following steps:
    • Open the System.ini file located in %systemroot%.
    • In the [386Enh] section of System.ini, set the following value:
          FileSysChange=off
    • Save and close System.ini.
   The appearance of this error message causes unattended setup of MetaFrame XP to fail. Make sure the FileSysChange parameter is set to off before running an unattended installation.
7. Install MetaFrame XP and Feature Release 2. Be sure to activate the appropriate licenses and set the feature release level of the server to Feature Release 2.

If MetaFrame XP fails to install, complete the following steps:

1. Uninstall the Novell Client from the server.
2. Install MetaFrame XP with Feature Release 2 by following the instructions in "Installing the Novell Client on a Server with MetaFrame XP" below.

If the system is working properly, you can skip to "Configuring ZENworks for Desktops for MetaFrame XP Support" on page 113.

Installing the Novell Client on a Server with MetaFrame XP

If MetaFrame XP is already installed on the server before you install the Novell Client, you must change the Windows registry on the server before and after you install the Novell Client.

Note: If the MetaFrame server has the IPX protocol installed along with the Novell Client, the MetaFrame XP with Feature Release 2 installation may fail and display a wowexec error message. To work around this issue, disable the NWLink protocol on all adapters in the server. After MetaFrame XP with Feature Release 2 is installed, re-enable NWLink.

If MetaFrame XP is already installed on the server, complete the following tasks.

1. Run regedt
2. Edit the following registry key:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Double-click the GinaDLL entry located in the right-hand pane. In the String Editor dialog box that appears, replace the value Ctxgina.dll with the value Msgina.dll.
4. Install and configure the Novell Client for Windows NT/2000, Version 4.81 or later.
5. Do not restart when prompted by the Novell Client setup program.
6. Edit the registry entry for GinaDLL as in Step 2. In the String Editor dialog box that appears, replace the value Nwgina.dll with the value Ctxgina.dll.
7. With the key path for Winlogon still selected, choose Add Value on the Edit menu.
8. Type CTXGINADLL in the Add Value dialog box. The data type is REG_SZ.
9. Enter Nwgina.dll in the String Editor dialog box to assign this value to the new CTXGINADLL entry.

On MetaFrame XP servers, Ctxgina.dll is loaded by Winlogon.exe to process the auto-logon information transmitted by ICA Clients. Ctxgina.dll can process auto-logon credentials in excess of 20 characters. For example, if Ctxgina.dll is not loaded, auto-logon user names greater than 20 characters are truncated to 20 characters by Termsrv.exe.

When Ctxgina.dll acquires users' auto-logon credentials, they are passed in their entirety to the installed Gina.dll file to complete the authentication process. In most cases, the installed GINA is Msgina.dll. When the Novell Client is installed, the GINA is Nwgina.dll.

Note: Steps 1-9 above are required to ensure that CTXGINA is installed on the MetaFrame XP with Feature Release 2 server. CTXGINA is required for logging on automatically with user names that exceed 20 characters.

1. Restart the server.
2. To optimize logon and browsing response times, change the order of the network providers using the following steps:
    • Right-click the My Network Places icon on the server's desktop.
    • Choose Properties from the shortcut menu that appears. The Network and Dial-up Connections dialog box appears.
    • Choose Advanced Settings on the Advanced menu. The Advanced Settings dialog box appears.
    • On the Provider Order tab, adjust the order of the network providers so that Microsoft Windows Network is above NetWare Services.
    • Click OK to close the Advanced Settings dialog box.
3. To optimize logon time, add the Windows fonts directory located in %systemroot% to the system path environment variable.

The system is now ready for you to set up the Windows account authentication to be used to access Windows 2000 servers.

Windows Account Authentication

When a Novell Client is running on a Windows NT or Windows 2000 server, users are required to have two accounts: one for authentication to NDS and one to gain access to Windows. There are two different methods you can use to allow users access to Windows.
    • Use Novell's Dynamic Local User functionality, available in Novell's ZENworks for Desktop product (this is the only supported method if you are running MetaFrame XP, Feature Release 1).
    • Create user accounts with the same user name and password in both NDS and Windows NT or Active Directory domains for each user (this support is new in MetaFrame XP with Feature Release 2). Synchronizing the user accounts in this way allows you to integrate MetaFrame and NDS without using Novell's ZENworks.

If you want to use MetaFrame in an NDS environment using ZENworks, see "Configuring ZENworks for Desktops for MetaFrame XP Support" below. If you want to use MetaFrame in an NDS environment without using ZENworks, see "Configuring NDS Support in MetaFrame Without ZENworks" on page 116.

Configuring ZENworks for Desktops for MetaFrame XP Support

When the Novell Client is running on a Windows NT or Windows 2000 server, users are normally required to enter separate sets of credentials to log on to Windows and NDS. Enabling the Dynamic Local User policy in ZENworks for Desktops eliminates this need.

The following section explains how to configure the Container Package and User Package in ZENworks for Desktops to eliminate the need for users to specify two sets of credentials when connecting to a MetaFrame XP server.
    • Configure the Container Package to specify the users (by container) to whom you want to apply the Dynamic Local User policy.
    • Configure the User Package to specify how the Dynamic Local User policy is applied to those users.

Note: These settings are configured on the NDS server through ConsoleOne.

Configuring the ZENworks for Desktops Container Package

The Container Package searches for policies located within the tree and then applies them to the users associated with a particular container. Follow the example below to create a Container Package that searches only the local container for policies applied to users within that container. This sample configuration is useful for small companies.

Complete the following tasks for containers that hold user objects requiring the Dynamic Local User policy.

1. Select a container that holds user objects.
2. On the New Object menu, choose Policy Package > Container Package.
3. Choose Define Additional Properties and click Finish.
4. On the Policies tab, enable the Search policy.
5. In the Search policies up to field, choose Object Container to search only the container in which the search policy resides. The other choices are:
    • Root (default) - Searches the local container and any container in the direct path to the root of the tree. This is not recommended for medium to large trees.
    • Partition - Searches the local container and any container up to the root of the partition. This method works well for large environments, but you need to specify the partition boundaries.
    • Selected Container - Searches the container between the current container and the root of the tree that you select.
6. Leave the search level at the default setting of
7. Click Apply, then Close.
8. On the Associations tab, choose Add and browse to the container that holds the container package you just created.
9. Click OK and then Close.

Configuring the ZENworks for Desktops User Package

The User Package in ZENworks for Desktops enables Dynamic Local User functionality for users who are associated with that particular package. Follow the example below to create a User Package that enables the Dynamic Local User functionality.

Important: If the Search Policy Package, the User Policy Package, and the user are not located in the same container, the policy is not applied to the user.

1. Choose the Organizational Unit that holds the Container Policy from above.
2. On the New Object menu, choose Policy Package > User Package.
3. Near the end of the wizard, choose Define Additional Properties and then click Finish.
4. Choose WinNT-2000 on the Policies tab.
5. Choose Enable Dynamic Local User and then choose Properties.
6. Choose Dynamic Local User at the top of the page.
7. Choose Manage Existing NT Account (if any). This changes the password and other items to match for a seamless integration.

   Note: Novell recommends that you create a separate Dynamic Local User policy for users who have the user name Administrator if the local administrator account has not been renamed.

8. Choose Use NetWare Credential. This creates a local Microsoft user who has the same user name and password as the NDS user. If this is not enabled, the Dynamic Local User feature creates a random user name and password, resulting in the loss of MetaFrame XP functionality. Do not enable Volatile User unless you have very large profiles and want to conserve disk space.
9. On the Not Member of tab, choose User > Add. Select the users or groups to whom you want to apply the policy. Applying the policy to users gives them rights to log on and run MetaFrame applications.
10. Click Apply and then OK two times to finish creating the policy.

Configuring NDS Support in MetaFrame Without ZENworks

In an environment with a Novell Client running on a Windows NT or Windows 2000 server, users are required to enter separate sets of credentials to log on to Windows and NDS. Using synchronized accounts between NDS and Windows NT or Active Directory domains eliminates this need. MetaFrame XP with Feature Release 2 adds support for this type of configuration.

To enable NDS support in MetaFrame without using ZENworks, set the following registry key on all the servers that have the Novell Client installed but are not using ZENworks for Desktops Dynamic Local User functionality. Set the value to the Windows NT or Active Directory downlevel domain name containing the user accounts that match the accounts in NDS.

1. Run regedt
2. Edit the following registry key:
       HKEY_LOCAL_MACHINE\SOFTWARE\Citrix
3. With the key path for Citrix still selected, choose New Key on the Edit menu.
4. Rename the newly created key to NDS.
5. Highlight the new NDS key.
6. With the NDS key still selected, choose New String Value on the Edit menu.
7. Enter SyncedDomainName in the String Value dialog box.
8. Enter the name of the Windows domain that has the same user accounts as NDS in the String Editor dialog box to assign this value to the new SyncedDomainName entry.

Note: When you set this registry key, Ctxgina.dll replaces the NDS tree name that is passed from the client to the server with the string that is entered in SyncedDomainName. Ctxgina.dll then passes the credentials to Nwgina.dll, allowing the user name and password to be authenticated to NDS. The domain is then specified in SyncedDomainName.
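A check of the registry state that the two procedures above leave behind (the GinaDLL and CTXGINADLL chain under Winlogon, and SyncedDomainName under SOFTWARE\Citrix\NDS), run over text exported from the registry. This is an added example in Python, not part of the Citrix manual; the function names and both sample exports, including the domain name CORPDOM, are constructed.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CITRIX_NDS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\NDS"
# The only GINA DLLs this chapter names; anything else deserves a closer look.
KNOWN_GINAS = {"ctxgina.dll", "nwgina.dll", "msgina.dll"}

# "Name"="Value" lines of a registry export (REG_SZ only); \\ and \" are escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for string values, names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            current[_unescape(match.group(1)).lower()] = _unescape(match.group(2))
    return keys


def _check_gina(name, value, expected, findings):
    if value is None:
        findings.append("%s is missing, expected %s" % (name, expected))
        return
    if value.lower() != expected.lower():
        findings.append("%s is %s, expected %s" % (name, value, expected))
    if value.lower() not in KNOWN_GINAS:
        findings.append("%s loads a DLL not named in this chapter: %s" % (name, value))


def audit_nds_logon_chain(reg, uses_zenworks_dlu):
    """Audit a MetaFrame XP server that runs the Novell Client.

    Expected end state per the procedures above: Winlogon loads Ctxgina.dll,
    which hands credentials to Nwgina.dll through CTXGINADLL; servers without
    ZENworks Dynamic Local User also need SyncedDomainName.
    """
    findings = []
    winlogon = reg.get(WINLOGON.lower(), {})
    _check_gina("GinaDLL", winlogon.get("ginadll"), "Ctxgina.dll", findings)
    _check_gina("CTXGINADLL", winlogon.get("ctxginadll"), "Nwgina.dll", findings)
    if not uses_zenworks_dlu:
        domain = reg.get(CITRIX_NDS.lower(), {}).get("synceddomainname", "")
        if not domain.strip():
            findings.append("SyncedDomainName is not set under SOFTWARE\\Citrix\\NDS")
    return findings


# Constructed export: the state after all steps have been completed.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="Ctxgina.dll"
"CTXGINADLL"="Nwgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\NDS]
"SyncedDomainName"="CORPDOM"
"""

# Constructed export: Novell Client setup has run, but the GinaDLL entry was
# not changed back and neither CTXGINADLL nor SyncedDomainName was added.
BAD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="Nwgina.dll"
"""

if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        results = audit_nds_logon_chain(parse_reg_export(export), uses_zenworks_dlu=False)
        print(label, "->", results or "no findings")
```

Because the GINA sees every interactive logon credential, a finding that names a DLL outside the three in this chapter is worth investigating even when the logon chain appears to work.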

Enabling NDS Support in the MetaFrame XP Farm

By default, a MetaFrame XP farm supports only Microsoft Windows users. Follow the steps below to specify the preferred NDS tree for the farm. Feature Release 2 for MetaFrame XP supports only one NDS tree in each farm.

1. Log on to the Citrix Management Console and connect to a MetaFrame XP, Feature Release 2 server configured for NDS support.
2. Right-click the farm node in the left pane of the console and choose Properties.
3. Click the MetaFrame Settings tab in the Properties dialog box.
4. Specify the tree name in the NDS Preferred Tree field and then click OK.

To disable NDS support for the farm, delete the entry in the NDS Preferred Tree field and then click OK.

Assigning Citrix Administrator Privileges to NDS Objects

Follow the steps below to assign Citrix administrator privileges to objects such as country, organization, organization unit, group, user, or alias in an NDS tree.

1. Log on to the Citrix Management Console.
2. Right-click the Citrix Administrators node in the left-hand pane and choose Add Citrix Administrator from the menu that appears.
3. In the Add Citrix Administrator dialog box, open the NDS tree. Objects in the NDS tree represent container and leaf objects.
4. When prompted to log on to the tree, enter the distinguished name and password of an NDS user.
5. Select the Show Users option to display user and alias objects in this hierarchy.
6. Double-click to open container objects. Select the objects to be granted Citrix administrator privileges. Add at least one NDS user account that has read and write privileges.

   Note: While it is possible to grant a Citrix administrator access to a context, users within the context or in contexts that are children of the granted context will also be Citrix administrators. This is not recommended because of the difficulty of managing permissions granted to contexts.

7. Click Add. Select the level of permission and tasks you want to assign to the administrator.
8. Click OK.

Logging on to the Citrix Management Console Using NDS Credentials

Follow the steps below to use NDS credentials to log on to the Citrix Management Console to manage a MetaFrame XP server farm.

1. Launch the Citrix Management Console.
2. Enter a distinguished name in the User Name field. A fully distinguished name starts with a period and has a period between each object name up to the root of the tree. For example, user JoeX, within two container objects (the Admin organization unit within the PNQ organization) would enter .joex.admin.pnq in the User Name field.
3. Enter a password in the Password field.
4. Enter the NDS tree name in the Domain field.
5. Click OK.

Note: Enabling Pass-Through Authentication to the Citrix Management Console is not supported with NDS users.

Publishing Applications for NDS Users

Follow the steps below to publish applications on MetaFrame servers configured for NDS support. Only NDS users can connect to the applications you publish on these servers.

1. Log on to the Citrix Management Console using NDS credentials.
2. From the Actions menu, choose New > Published Application.
3. Follow the instructions in the Published Application wizard. Click Help to obtain detailed help for each step.
4. On the Specify What to Publish dialog box, enter the UNC (universal naming convention) path to the application you want to publish in the Command Line field. For example, the NDS tree MYNDSTREE contains organization object MYORG, which contains NetWare volume NW50_SYS. The executable path on NW50_SYS is \APPS\OFFICE\WINWORD.EXE. The full UNC path to Winword.exe is \\MYNDSTREE\MYORG\NW50_SYS\APPS\OFFICE\WINWORD.EXE. You can leave the Working Directory field blank.
5. Because the Application Publishing wizard cannot access the application's icon, default MetaFrame icons appear in the Program Neighborhood Settings dialog box. To use the application's icon, you can copy the icon file (ending with an .ico extension) or the entire executable to a MetaFrame server that is not running the Novell Client. Click the Change Icon button to browse for the icon or executable on this other MetaFrame server.
6. In the Specify Servers dialog box, be sure to select only those servers running the Novell Client Version 4.81 or later.
7. In the Specify Users dialog box, select the NDS tree from the list. This enumerates the objects in the tree.
    • Double-click container objects to open them. Choose the Show Users option to view users and alias objects in the current container. Select the desired object and click Add.
    • You can also manually enter NDS user names. Choose Add List of Names and enter one or more NDS account names separated by a semicolon (;). Each account name must be entered in the fully distinguished name format prefixed by an NDS tree name and a slash (\). For example, enter CitrixNDSTree\.joeX.admin.pnq;CitrixNDSTree\.mary.test.pnq. Click Check Names to validate the account names or click OK if you are done adding accounts.
    • Double-click to open container or leaf objects until the object to be granted access is displayed. Select the object and click Add.

Configuring Printer Autocreation in NDS

Use the Citrix Management Console to choose Windows NT or Windows 2000 Active Directory print queues and assign them to NDS objects for autocreation. Permissions to the print queue must be granted to the Dynamic Local User created when the NDS user logs on to a server. This may require enabling the guest account on the print server. See the Microsoft online Knowledge Base article Q for information about enabling the guest account.

MetaFrame XP does not support autocreating NDS printers. See Novell's documentation for autocreating NDS printers (NDPS and non-NDPS) in ZENworks for Desktops.

Enabling NDS Support in NFuse Classic

Complete the following tasks to configure Citrix NFuse Classic for NDS support.

1. Open the NFuse.conf file located in %systemroot%\Program Files\Citrix\NFuse\conf on the NFuse Web server.
2. Edit the following parameters:
    • Set the LoginType to NDS.
    • Set the NDSTreeName to the name of the preferred NDS tree for the MetaFrame XP Feature Release 2 farm.
3. If the optional parameter SearchContextList is not set, the NFuse Contextless authentication feature searches the entire tree to locate a user. This may take a long time in a tree that has a lot of objects. Use SearchContextList to reduce the time required for contextless authentication. Set this parameter to a comma-delimited list of contexts from the NDS tree. The NFuse Contextless authentication feature searches only these contexts to locate the user instead of the entire tree.

   Note: The Novell Client must be running on the NFuse Classic server to allow authentication.

4. Restart the IIS Admin Service for the changes to take effect.

NDS Support in the ICA Win32 Client

When users launch the ICA Win32 Client, they can log on and be authenticated using their NDS credentials. Supported NDS credentials are user name (or distinguished name), password, directory tree, and context. NDS support is integrated into the following:

    • The Program Neighborhood Client and Program Neighborhood Agent: If NDS is enabled in the MetaFrame XP farm, NDS users enter their credentials on an NDS tab on the ICA Client logon screen. If users have the Novell Client (Version 4.81 or later) installed, they can browse the NDS tree to choose their context. See "Enabling NDS Support in the ICA Program Neighborhood Agent" on page 123 to configure the Program Neighborhood Agent for NDS support.
    • Pass-Through Authentication: If users have the Novell Client (Version 4.81 or later) installed, their credentials are passed to the MetaFrame XP server, eliminating the need for multiple system and application authentications.

121 Chapter 7 Integrating MetaFrame with Novell Directory Services 121 Note To enable pass-through authentication when using Novell s ZENworks for Desktops dynamic local user functionality, set the Use NetWare Credentials value in ZWFD DLU policy package to On. Session Sharing Session sharing works correctly with NDS users only if the application permissions are assigned at a user or container level. Session sharing does not work if assigned at the group level. The session sharing feature is not currently supported for custom ICA connections that are configured with NDS user credentials (under Properties > Login Information). To use the session sharing feature for Custom ICA Connections, do not specify user credentials for a connection on the connection s Login Information tab. Custom ICA Connections When users run the Add New ICA Connection wizard, they must enter a distinguished name in the User Name field and a password in the Password field and place the NDS tree name in the Domain field. Users running earlier versions of ICA Win32 Clients can also enter credentials in this manner. Single Sign-On When the Novell Client is installed on the client device and Single Sign-On is enabled, Single Sign-On sends users NDS credentials to the server. If you want users to use Windows credentials, add the following to the Appsrv.ini or.ica file. Appsrv.ini file - Under the [WFCLIENT] section, add or modify the SSOnCredentialType entry to SSOnCredentialType=NT. ICA file - Under the application name section, add or modify the SSOnCredentialType entry to SSOnCredentialType=NT. Configuring Default Contexts for Users Configuring default contexts for users eliminates the need for users to know their context when they log on. Listed below are ways to configure default contexts on ICA Client devices: Enable pass-through authentication for the ICA Client If the client device is running the Novell Client, enable the ICA Client to use pass-through authentication. 
When pass-through authentication is enabled on the ICA Client, the user name context and password are passed from the Novell Client to the MetaFrame server.

Edit the Windows registry on the client device

Create a script using regini or regedit that modifies the registry entry HKEY_CURRENT_USER\Software\Citrix\CtxLogon with the correct context of the user. Edit the value RecentContexts to specify context(s). Each context must appear on a new line.

Add a default context to the Windows Installer Setup package for the Program Neighborhood Client or Program Neighborhood Agent

At a command prompt, type:

msiexec /I <MSI_Package> /qn+ Default_NDSCONTEXT="<Context>"

where <MSI_Package> is the name of the Windows Installer package and <Context> is the default NDS context you want to display in the client. If you are including more than one context, separate the contexts by a comma.

Add a default context to the self-extracting executable for the Program Neighborhood Client

Extract the ICA Client files from Ica32a.exe by typing at a command line:

ica32a.exe -a -unpack:<Directory Location>

where <Directory Location> is the directory to which you want to extract the client files.

Open the Appsrv.src file in a text editor. Locate the section named [WFClient]. Add the following line to the list of parameters and values in the [WFClient] section:

DEFAULT_NDSCONTEXT=<Context1 [,]>

Include this parameter if you want to set a default context for NDS. If you are including more than one context, place the entire value in quotation marks and separate the contexts by a comma. Examples of correct parameters:

DEFAULT_NDSCONTEXT=Context1
DEFAULT_NDSCONTEXT="Context1,Context2"

Note The self-extracting executable setup program for the Program Neighborhood Agent does not support adding a default context.

Tips and Techniques

Enabling NDS Support in the ICA Program Neighborhood Agent

Complete the following tasks to allow NDS users to log on to the ICA Win32 Program Neighborhood Agent.

1. Open the Config.xml file located in the InetPub\Citrix\PNAgent directory on the NFuse Classic server.
2. Set Logon/SupportNDS to True.
3. Set Logon/NDS_Settings/DefaultTree to the name of the preferred NDS tree for the MetaFrame XP farm.
4. Restart the IIS Admin Service on the NFuse Classic server for the changes to take effect.
5. Restart the Program Neighborhood Agent.

Creating Aliases

If you need to create aliases in NDS, follow the guidelines below.

Make sure the distinguished name of the object does not exceed 48 characters.
Alias object names are unique within the tree.
The Alias object can be the same name as the actual object.

Note You can use third-party tools, such as the Lyncx tool from Centralis, to automate the process of creating aliases for large trees. See the Centralis Web site at for more information.

When users log on, they are given the rights of the object to which the alias object points.

Organizing Published Applications for NDS Users

It may be helpful to set up groups in NDS and associate published applications with them. For example, you can create an NDS group called Default_User_Apps for business and office applications. Add this group when specifying which users have access to those published applications. When you add new users to this group, they are granted rights to the applications.

Create a separate group for specialty applications that are not distributed to a wide audience. For example, create a group in NDS called Accounting_Program and then publish an application called Accounting_Program in MetaFrame XP Feature Release 2. In MetaFrame specify the NDS group Accounting_Program to the published application called Accounting_Program. When assigning new users to the accounting application, simply add them to the group called Accounting_Program in NDS.

CHAPTER 8

Security Issues and Guidelines

This chapter includes information about securing your MetaFrame XP infrastructure. The information in this chapter is intended to supplement the information about securing a MetaFrame XP environment found in the following documents:

The Citrix Secure Gateway Administrator's Guide
The MetaFrame XP Administrator's Guide
The NFuse Classic Administrator's Guide
The Administrator's Guides for the ICA Clients

These documents are available from the MetaFrame XP server CD and MetaFrame XP Components CD, or from the Citrix Web site at Click Product Documentation. For periodic updates to the information in these documents, check the Citrix online knowledge base at

Securing MetaFrame XP Servers

This section discusses security precautions you can take to secure MetaFrame XP servers.

Controlling Physical Access

Restrict physical access to the servers to those individuals who are involved with administering the MetaFrame XP environment.

Use NTFS Partitions

For maximum security, install MetaFrame XP only on NTFS-formatted disk partitions.

Installing MetaFrame XP on NTFS partitions ensures that the local Access databases are secured because the folder %Program Files%\Citrix\Independent Management Architecture is marked so that only system and local administrators have full control. Do not change these Access Control Lists (ACLs).

Control Connection Access

For increased control of access to the Terminal Server listeners, use the Citrix Connection Configuration utility (Mfcfg.exe) to remove the Everyone group from the Permissions list for each of the listeners and specify only the user groups that require access.

Configuring the SNMP Service

The SNMP service on Windows has read/write privileges by default. If you use Citrix Network Manager or other SNMP management software for monitoring the server only (not remote management), Citrix recommends that the privileges be read only. If no SNMP consoles are used, remove the SNMP service from the server.

Note You must give read/create permissions to the SNMP service for administrative tasks, such as logoff and disconnect through Network Manager.

You can configure the SNMP community and designated management consoles to prevent unauthorized access. Configure SNMP agents to accept traps from known SNMP consoles only. For more information about correctly configuring the SNMP agent, see the online help for Windows. Microsoft has released security bulletins for SNMP security risks on both Windows NT 4.0 (MS00-095, MS02-006) and Windows 2000 (MS00-096, MS02-006).

Tip Block incoming SNMP traffic from the Internet by using a firewall that prevents passage of traffic on UDP ports 161 and 162.

Configuring Citrix Administrator Accounts

Limit Citrix administrator accounts to users who are members of the Windows network administrators group. This group is presumed to be well controlled and to have administrative access to network resources, including print servers.
To lessen the risk of compromising the domain administrator account, use a global group of limited user accounts to administer MetaFrame XP servers.

To configure administrator accounts using a global group

1. In the domain where you manage user accounts, create a domain global group. In this example, this group is named MFAdmins.
2. Add the user accounts of people who need Citrix administrator privileges to the MFAdmins global group.
3. Add the MFAdmins global group to each MetaFrame server's local administrators group.
4. In the Citrix Management Console, add the MFAdmins global group to the list of Citrix administrators.
5. When a new user account requires Citrix administrator privileges, add the account to the MFAdmins global group.

When Citrix administrators are members of an Active Directory domain, use a domain local group for farms within a single Active Directory domain or a universal group for farms that span a forest.

Security Considerations for the Data Store

Users who access MetaFrame XP servers do not require and should not be granted any access to the data store.

With direct mode access, all of the servers in the server farm share a single user account and password for accessing the data store. Select a password that is not easy to deduce. Keep the user name and password secure and give it to Citrix administrators only for the purposes of installing MetaFrame XP.

If the user account for direct mode access to the database is changed at a later time, the Citrix IMA Service will fail to start on all MetaFrame servers configured with that account. To reconfigure the Citrix IMA Service password, use the dsmaint config command on each affected server.

Depending on the database product you use for the MetaFrame XP farm's data store, Citrix recommendations for securing the data store vary. This section discusses security measures to consider for the database products supported by MetaFrame XP.

Microsoft Access

For an Access data store, the default user name is citrix and the password is citrix.
If users have access to the data store server, change the password using dsmaint config and keep the information in a safe place.

Microsoft SQL Server

The user account that is used to access the data store on Microsoft SQL Server has public and db_owner roles on the server and database. System administrator (sa) account credentials are not needed for data store access; do not use a system administrator account because this poses an inherent security risk.

If the Microsoft SQL Server is configured for mixed mode security (you can use either Microsoft SQL Server authentication or Windows NT authentication), you may want to create a Microsoft SQL Server user account for the sole purpose of accessing the data store. Because this Microsoft SQL Server user account would only access the data store, there is no risk of compromising a Windows domain if the user's password is compromised.

Tip For high security environments, Citrix recommends using only Windows NT authentication.

For tighter security, you can change the user account's permission to db_reader and db_writer after the initial installation of the database with db_owner permission.

Important Changing the user account's permission from db_owner may cause problems installing future MetaFrame XP service packs or feature releases. Be sure to change the account permission back to db_owner before installing a MetaFrame XP service pack or feature release.

Oracle

If the data store is hosted on Oracle, give the Oracle user account that is used for the MetaFrame XP farm connect and resource permissions only. System administrator (system or sys) account permissions are not needed for data store access.

IBM DB2

If the data store is hosted on IBM DB2, give the DB2 user account that is used for the MetaFrame XP farm the following permissions:

Connect database
Create tables
Register functions to execute to database manager's process
Create schemas implicitly

System administrator (DB2Admin) account permissions are not needed for data store access.

Network Security Considerations

MetaFrame XP servers and the server farm's data store should reside on networks that are secure from network packet capturing or sniffing. In some instances, including the following, IMA communication (MetaFrame XP server to server communication) is in clear text.

Communication between the Citrix Management Console and the MetaFrame XP server over TCP port 2513, by default
Communication between the member servers and the data collectors over TCP port 2512, by default

Note You can use the imaport utility to change the IMA communication ports to decrease security risks.

Communication between the member servers and the data store through ODBC

Microsoft SQL Server communication is secure when the multi-protocol encryption option is configured correctly on both the Microsoft SQL Server and the clients. For more information about enabling multi-protocol encryption, consult the Microsoft SQL Server documentation.

Securing your Network against Denial of Service Attacks

Denial of service (DoS) attacks saturate networks and servers with useless calls for information. Attackers use multiple sites to make distributed attacks on one or more networks, servers, or Web sites. Servers subjected to this sort of jamming either become unresponsive or too busy to be of use when a network becomes flooded. Not only is the network compromised for communication, it also becomes unavailable as a tool for tracing the attacks.

CAUTION Be sure to protect the security and integrity of the registry on MetaFrame XP servers. For information about backing up the registry, see Microsoft's documentation for the operating system you are running. Editing registry settings other than those discussed in this document can corrupt your server configuration and is not supported by Citrix.

Microsoft makes recommendations for taking steps and fixing registry settings to make your networks and servers less prone to network DoS attacks which you can find on the Microsoft Web site at Try a keyword search using Security Considerations for Network Attacks to see this information.

Microsoft suggests changing the following registry settings to help secure your network against DoS attacks:

SynAttackProtect
TcpMaxHalfOpen
TcpMaxHalfRetried
EnablePMTUDiscovery
NoNameReleaseOnDemand
EnableDeadGWDetect
KeepAliveTime
PerformRouterDiscovery
EnableICMPRedirects

Securing Citrix Management Console

Citrix Management Console is a Java application that can be run on MetaFrame XP servers and other workstations. However, to prevent packet capturing, run the Citrix Management Console only on MetaFrame XP servers or in environments where packet sniffing cannot occur.

To run the Citrix Management Console on a remote server

1. Make a secure connection from an ICA Client to a MetaFrame XP server.
2. Launch the Citrix Management Console in the ICA session.
3. In the Log On to Citrix Farm dialog box, select the server on which the ICA session is running.

Ensure that only Citrix administrators have access to the Citrix Management Console. You can set NTFS permissions so that non-administrators do not have Execute permission for the Citrix Management Console executable (Ctxload.exe).

Securing Citrix Web Console

The Citrix Web Console relies on IIS security for logon authentication. The Citrix Web Console allows authentication only with accounts that are recognized by the local IIS server and that are also designated as Citrix administrators. Local accounts work if the Web console is run on a MetaFrame server. Windows NT and Active Directory Services domain accounts work if the Citrix Web Console server is a member of the domain or trusts the domain.

To ensure the security of credentials when logging off from the Citrix Web Console, close the Web browser to log off from the session.

Using SSL Encryption with Citrix Web Console

IIS causes every packet passed between client and server to contain the cached credentials. This could compromise security. Citrix recommends enabling SSL encryption on Citrix Web Console connections, especially for connections made across any public network.

To set up your IIS server for SSL encryption

1. Set up your IIS server with an SSL certificate.
2. Open the Internet Services Manager and go to Default Web Site\Citrix\Webconsole\WebConsoleApp.
3. Right-click WebconsoleApp and select Properties.
4. In the Properties dialog box, select Directory Security.
5. In the Secure Communications section, click Edit.
6. Select Require secure channel (SSL).
7. Optionally, select Require 128-bit encryption (for this option, install the high encryption pack available for download at

By default, the Citrix Web Console detects if a connection uses SSL and allows you to reconnect with SSL or to continue with no encryption. Requiring encryption functionality at a higher level than WebConsoleApp prevents this page from being displayed if you connect without encryption. The error Page cannot be displayed is shown instead.

Important The Citrix Web Console does not support Netscape or non-Windows versions of Internet Explorer. Use Internet Explorer 4.0 or later on a Windows platform.
Running the Citrix Web Console on an unsupported platform can result in security risks.

Securing ICA Client Communication

Depending on your MetaFrame environment, several features included with MetaFrame XP allow you to further secure communications between ICA Clients and MetaFrame XP servers.

MetaFrame XP included support for ICA encryption, which uses RSA's RC5 encryption, between MetaFrame servers and ICA Clients.

Support for open standards technology was added with the release of MetaFrame XP, Feature Release 1. Feature Release 1 added Citrix SSL Relay, which uses standard Secure Sockets Layer (SSL) encryption between MetaFrame XP servers and ICA Clients.

MetaFrame XP with Feature Release 2 includes the Citrix Secure Gateway solution. Citrix Secure Gateway provides an SSL/TLS Internet gateway between MetaFrame XP servers and ICA Clients located on the Internet.

For more information about setting encryption, see the Citrix Secure Gateway Administrator's Guide, the MetaFrame XP Administrator's Guide, and the Administrator's Guides for the ICA Clients.

Securing NFuse Classic Communication

When using NFuse Classic, you can put in place the following to secure client-to-server communication:

Instruct users to connect to NFuse Classic Web pages using HTTPS (secure HTTP). IIS must have an SSL certificate installed to establish a secure HTTP connection.
Configure NFuse Classic ticketing to further secure the direct communication between the ICA Clients and the MetaFrame XP servers.
Configure NFuse Classic to use SSL Relay for encryption between the NFuse Classic Web server and the MetaFrame XP servers.

If you are configuring SSL Relay on a MetaFrame XP server with a static IP address, set the following registry key to the fully qualified domain name (FQDN) of the MetaFrame XP server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

Tip To ensure that only ICA connections using SSL (typically port 443) are allowed through a firewall, block port

For more information about configuring security, see the MetaFrame XP Administrator's Guide and the NFuse Classic Administrator's Guide.

NFuse Classic Administration Console Security

NFuse Classic includes a Web-based tool you can use to configure the NFuse Classic Service. The changes you make using this utility modify the Nfuse.conf file located in %ProgramFiles%\Citrix\NFuse\Conf.

The NFuse Classic Administration Console can be used to modify virtually all aspects of NFuse Classic configuration. Users need administrative access to the system to use this utility.

This utility does not offer an option for logging off. User credentials are cached and administrators are not logged off until they close their browsers. Citrix recommends that administrators close their Web browsers after using the utility to prevent access by users who do not have rights to administer the system.

MetaFrame Server and Client Configurations for Seamless Proxy Integration

ICA Client Secure Proxy/SOCKS Connections

This section covers recommended configurations for ICA Clients connecting through a firewall with SOCKS support or Secure Proxy connections. It assumes that the firewall or Secure Proxy server is configured according to the server's documentation and recommended configurations.

For the purpose of this section, the default ports are used for each component of the firewall/proxy policy configuration. The typical ports are as follows:

ICA Port: 1494
SOCKS (v4 or v5): 1080
Web Proxy: 80 and/or 8080
Secure Proxy: 443 and/or 563

Note Some Web proxy configurations may use port 3128 as the default Web proxy port.

Proxy ICA/INI File Parameters

You can add the following parameters to the user's .ini files (located in the %userprofile%\Application Data\ICA Client\APPSRV.INI file) or ICA files (including Citrix NFuse Classic and Citrix Program Neighborhood Template.ica) on the client device. Each parameter is defined later in this section.

Add the parameters to the [WFCLIENT] section of the .ini or .ica file or in the [<APPLICATION>] section only if the DoNotUseDefaultCSL=ON parameter is set in the same section.

INI File Parameters for ICA Client Version

ICASOCKSProtocolVersion={ }
ICASOCKSProxyHost=FQDN Proxy Address or IP Address
ICASOCKSProxyPortNumber=Proxy Port
ICASOCKSrfc1929UserName=SOCKSv5 User Name
ICASOCKSrfc1929Password=SOCKSv5 User Name Password
ICASOCKSTimeout=Time, in milliseconds, that the client waits for an initial response from the proxy server

INI File Parameters for ICA Client Version

Tip The Version of the ICA Win32 Client responds to the parameters for backward compatibility.

ProxyType={None | Auto | Socks | SocksV4 | SocksV5 | Secure | Script}
ProxyHost=Proxy Address:Proxy Port or IP Address:Proxy Port
ProxyBypassList=Domain names/IP addresses that the Proxy Server will ignore at connection time
ProxyAutoConfigURL=Address of HTTP server path of Auto-Configuration File
ProxyUsername=SOCKSv5/Secure Proxy Username
ProxyPassword=SOCKSv5/Secure Proxy Password
ProxyTimeout=Time, in milliseconds, that the client waits for an initial response from the proxy server; minimum value is 1000

Definitions of the Parameters

ProxyType. Determines the type of connection used by the client device.

None: the client always uses a direct connection to the server; there is no connection to the proxy/firewall server
Auto: uses the client device's Web browser settings (Microsoft Internet Explorer 4.x or later, Netscape Navigator 4.76 or later)
SOCKS: creates a SOCKS connection to the server and auto-detects the SOCKS version number used by the proxy/firewall
SOCKS V4: creates SOCKS Version 4 connections
SOCKS V5: creates SOCKS Version 5 connections
Secure: connects through a secure tunnel protocol; usually a high encryption or SSL/TLS connection. You must configure the Citrix SSL/TLS Relay or use Citrix Secure Gateway. Citrix recommends that you use the SSL/TLS+HTTP connection protocol or use TCP/IP+HTTP and set the encryption to 128-bit.
Script: uses the JavaScript Proxy Auto-Configuration file (*.PAC) or the Microsoft Internet Explorer Internet Settings file (*.INS) to configure the proxy connection set in the mentioned formats. Set the ProxyType to Auto and use the client's Web browser preferences for auto configuration scripts. The path to the file is set in the ProxyAutoConfigURL parameter.

ProxyHost. Includes the address of the proxy host and port number. To set the IP address of the proxy server or to use its fully qualified domain name (FQDN), enter the proxy/firewall port number at the end of the address using the following sample formats: :8080 or proxy.citrix.com:1080.

ProxyBypassList. Allows you to specify domain names that should be ignored during a proxy connection. Use the ProxyBypassList setting to connect the client to servers in the same subnet or network without using proxy or firewall servers. For example, a client device may reside in the same domain (corp.company.com) as MetaFrame XP servers.
In this case, you can set the ProxyBypassList parameter to *.corp.company.com *.partner.company.com instead of configuring each connection for direct connections. Setting the parameter to this value configures the client to ignore any proxy servers when connecting to these domains. Use a semicolon or a comma to separate entries if adding multiple domains.

ProxyAutoConfigURL. Allows you to include an HTTP URL to a JavaScript Proxy Auto-Configuration file (*.PAC) or the Microsoft Internet Explorer Internet Settings file (*.INS). This setting is used when an administrator wants to centralize proxy or firewall server-client configuration by using a script file. The script file can be either a JavaScript PAC file or Microsoft Internet Explorer INS file. For information about creating these files, follow the links below:

MSDN Article on PAC Files: faq0599.htm&nav=/mind/0599/inthisissuecolumns0599.htm
Internet Explorer Administration Kit Article: default.asp?url=/windows/ieak/techinfo/deploy/60/en/autodis.htm

ProxyUsername/ProxyPassword. Location to configure the SOCKS 5 or Secure Proxy authentication credentials. If the ProxyUsername/ProxyPassword parameters are not set and the proxy or firewall connects to a server configured for SOCKS 5 or Secure Proxy with authentication, the user is prompted for credentials. The user credentials are for proxy authentication only and may not be the same as the user's domain or network credentials. When the ProxyUsername/ProxyPassword parameters are set, the ICA Client passes the user's credentials to the proxy server.

Important On any SOCKS 5 or Secure Proxy server configured to require authentication, the user name and password are passed in clear text. Citrix recommends that you do not set these parameters if credentials are going to be passed through a public network such as the Internet. Even if the ICA connection is set to use SSL/TLS+HTTP, the credential packets are sent before any secured tunnel is established.

ProxyTimeout. The time, in milliseconds, that the client waits for an initial response from the proxy server.

Citrix Program Neighborhood Client and Proxy Connections

When using the ICA Win32 Program Neighborhood Client, the following parameters can be set from the Custom Connection Settings>Connection Properties>Application Set settings interface. In the Server Location dialog box, click Firewalls to set the following parameters:

Use Web browser proxy settings sets the ProxyType parameter to a value of Auto.

None (direct connection) sets the ProxyType parameter to a value of None.
SOCKS sets the ProxyType parameter to a value of SOCKS. To specify a version number for SOCKS, edit the user's Appsrv.ini file and change the value for the ProxyType to the correct version parameter. You must add the proxy address and port fields to this setting.
Secure sets the ProxyType parameter to a value of Secure. You must specify the proxy address and port fields. Doing so sets the ProxyHost parameter.

Note For more information, see the Citrix ICA Win32 Clients Administrator's Guide.

Citrix NFuse Classic and Proxy/Firewall Connections

There are two ways to enable the ICA Client to use NFuse Classic to pass through a proxy or firewall server.

1. Use the NFuse Administration Console to enable Client-Side Firewall settings. This is accessed through on the NFuse server. Click Client-Side Firewalls. Select the option to use a SOCKS proxy. Enter a proxy address and port number. This enables only the previous SOCKS parameters as those listed above in the ICA/INI File Parameters Section. Using this method will not allow any Secure Proxy settings, only SOCKS settings. Additionally, SOCKS Version 5 and Secure Proxy authentication parameters are not configurable through this console.

2. Edit the %ProgramFiles%\Citrix\NFuse\Template.ica file and add new parameters as needed. Citrix recommends that you add the parameters to both the [WFCLIENT] and [<APPLICATION>] sections of the Template.ica file to ensure proper connectivity for all client types. You can add parameters to the [WFCLIENT] and [<APPLICATION>] sections of the Template.ica file only if the DoNotUseDefaultCSL parameter is set to ON in the same section. If both older and newer versions of ICA Clients are accessing NFuse Classic, edit the Template.ica file and include both older and newer clients' ICASOCKS parameters as described in Proxy ICA/INI File Parameters on page 133. If you follow this procedure, legacy versions of ICA Clients connect using the parameters set for their client version. This ensures correct connectivity for both sets of ICA Clients.
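The parameter rules in this section can be checked mechanically before an Appsrv.ini or Template.ica file is deployed. The script below is an added example, not code from Citrix or from the original guide; the function name, finding codes, and the sample file contents (host names, account, password) are constructed for illustration.

```python
import configparser
import re

# Parameter names and rules come from the guide; everything else is illustrative.
VALID_PROXY_TYPES = {"none", "auto", "socks", "socksv4", "socksv5", "secure", "script"}
CREDENTIAL_KEYS = ("proxyusername", "proxypassword",
                   "icasocksrfc1929username", "icasocksrfc1929password")
PROXY_KEYS = {"proxytype", "proxyhost", "proxybypasslist", "proxyautoconfigurl",
              "proxytimeout", *CREDENTIAL_KEYS}
HOST_PORT = re.compile(r"^[^\s:]+:(\d{1,5})$")

# Constructed sample file: none of these hosts, accounts or secrets are real.
SAMPLE_ICA = """\
[WFClient]
ProxyType=SocksV5
ProxyHost=proxy.example.test:1080
ProxyUsername=svc_proxy
ProxyPassword=constructed-secret
ProxyTimeout=500

[ApplicationServers]
Accounting_Program=

[Accounting_Program]
Address=mfserver.example.test
ProxyType=Secure
ProxyHost=proxy.example.test

[Payroll]
DoNotUseDefaultCSL=ON
ProxyType=Script
"""


def audit_proxy_settings(text):
    """Return (section, code, detail) findings for an Appsrv.ini or .ica file."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        delimiters=("=",), comment_prefixes=(";",))
    parser.read_string(text)
    findings = []

    for section in parser.sections():
        # configparser lower-cases option names, so lookups are case-insensitive.
        opts = {key: (value or "").strip() for key, value in parser.items(section)}
        if not PROXY_KEYS.intersection(opts):
            continue  # section carries no proxy parameters

        # Outside [WFClient], proxy parameters count only with DoNotUseDefaultCSL=ON.
        if (section.lower() != "wfclient"
                and opts.get("donotusedefaultcsl", "").lower() != "on"):
            findings.append((section, "IGNORED_SECTION",
                             "proxy parameters need DoNotUseDefaultCSL=ON here"))

        # Stored proxy credentials are sent in clear text before any SSL/TLS
        # tunnel exists. Report the key name only, never the value.
        if any(opts.get(key) for key in CREDENTIAL_KEYS):
            present = [key for key in CREDENTIAL_KEYS if opts.get(key)]
            findings.append((section, "CLEARTEXT_CREDS", ", ".join(present)))

        proxy_type = opts.get("proxytype", "").lower()
        if "proxytype" in opts and proxy_type not in VALID_PROXY_TYPES:
            findings.append((section, "BAD_PROXY_TYPE", opts["proxytype"]))
        if proxy_type == "script" and not opts.get("proxyautoconfigurl"):
            findings.append((section, "SCRIPT_WITHOUT_URL",
                             "ProxyAutoConfigURL is not set"))

        # ProxyHost must end with the proxy/firewall port number.
        if "proxyhost" in opts:
            match = HOST_PORT.match(opts["proxyhost"])
            if not match or not 1 <= int(match.group(1)) <= 65535:
                findings.append((section, "MISSING_PORT",
                                 "ProxyHost must be address:port"))

        # The guide gives 1000 ms as the minimum ProxyTimeout.
        timeout = opts.get("proxytimeout")
        if timeout is not None and (not timeout.isdigit() or int(timeout) < 1000):
            findings.append((section, "TIMEOUT_TOO_LOW", "minimum value is 1000"))

    return findings


if __name__ == "__main__":
    for section, code, detail in audit_proxy_settings(SAMPLE_ICA):
        print(f"[{section}] {code}: {detail}")
```
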

The Web browser uses its own proxy settings to connect to the NFuse Classic Web site, and the Template.ica file enables the ICA Client to connect by reading the proxy parameters as mentioned above.

The Template.ica parameters are not dependent on the version of NFuse Classic being used. If you are using NFuse 1.61, set the client version parameters in the Template.ica file to specify which parameters are read from the Template.ica file.

Note For more information about the NFuse Classic Administration Console, see the NFuse Classic Administrator's Guide.

Citrix Program Neighborhood Agent and Proxy Connections

To ensure that users running the Program Neighborhood Agent can connect through proxy or firewall servers, follow the steps outlined in Citrix NFuse Classic and Proxy/Firewall Connections on page 137. Note that the Template.ica file for the Program Neighborhood Agent is located in a different directory (%webroot%\citrix\pnagent).

If you use the NFuse Administration Console to modify the settings for SOCKS connections only, you do not need to modify the Template.ica file for the Program Neighborhood Agent. The Program Neighborhood Agent Template.ica file reads the parameters from the Nfuse.conf file.

When you install the Program Neighborhood Agent, the Config.xml file contains the NetBIOS name of the Web server's URL. Citrix recommends that you change the URL in the Config.xml file to an external IP address for Internet tunneling (configure the alternate address parameter in NFuse Classic for proper security), or to the fully qualified domain name (FQDN) of the Web server.

Certain proxy server configurations allow you to route HTTP traffic directly to a Web server. You can therefore use this tunneling configuration if one NFuse Classic Web server receives all Internet traffic. The Program Neighborhood Agent can connect to the external interface of the proxy server, while the configuration prevents the internal network from being exposed through the XML traffic or configuration parameters.

Note For more information about the NFuse Classic Administration Console, see the NFuse Classic Administrator's Guide.

Recommended MetaFrame Server and ICA Client Proxy Configurations

Many proxy servers are configured to permit Web proxy connections only to standard ports, typically ports 443 and 80. ICA Client proxy connections use destination ports based on the type of connection indicated in the ICA connection properties. For example, an ICA connection configured to use TCP/IP with a proxy server will attempt to proxy to port 1494 on the MetaFrame server. On certain proxy servers, this connection may be rejected.

Citrix recommends that you configure your MetaFrame server to run the Citrix SSL Relay Service on port 443. Configure the ICA Client to use SSL/TLS+HTTP to connect. Configuring the ICA Client to use SSL/TLS+HTTP forces it to contact the proxy server with a destination port of 443 on the MetaFrame server. This configuration allows connections through the proxy server without having to reconfigure the proxy server policy.

If your proxy server is configured to allow connections only to an authorized set of IP addresses, modify the proxy server policy to include the FQDN or IP addresses of MetaFrame XP servers.

Using Smart Cards with Feature Release 2

This section includes information about using smart cards with MetaFrame XP. This section assumes that you set up your smart card environment properly. Before you attempt to use smart cards with MetaFrame XP, make sure you set up the following:

The user's PIN and certificate are saved to the smart card
Active Directory domains and Certificate Authorities are configured for smart card support
The vendor's smart card software tool is installed on the server
The vendor's smart card software tool is installed on the clients, if necessary

See the documentation from your smart card vendor for details.
For more information about using smart cards with Windows 2000, see Microsoft Knowledge Base support articles Q and Q For more information about configuring Active Directory domains and Certificate Authority for smart card support, see Microsoft Knowledge Base support articles Q313274, Q257480, and Q Default readers and cards supported by Microsoft are listed in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais.

140 140 Advanced Concepts for MetaFrame XP

The smart card vendor's unique software tool (which installs the vendor's Cryptographic Service Provider, CSP) must be installed on the MetaFrame server for each vendor-specific smart card. These tools do not have to be installed on the client devices except when using the client's Web browser to connect to NFuse or using the Program Neighborhood Agent on a 32-bit client operating system other than Windows 2000 or Windows XP.

Important: Windows 2000 and Windows XP include native support for some smart card readers. To determine if the reader is supported by default, attach the reader to the client and let the operating system detect and install the drivers. If there is not an option to log on using a smart card after you restart the system, you must install the vendor's software drivers.

Note: Smart card readers and tools can be installed before or after MetaFrame is installed.

Copying Smart Card User Certificates

When users log on to MetaFrame XP servers to run applications that require certificates, the certificate needs to be copied to the user's personal store. Certificates are copied to the personal store when users log on if the following registry key exists on the MetaFrame XP server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

If the registry key listed above does not exist on the MetaFrame server, see Microsoft Knowledge Base support articles Q313557, Q265087, and Q for additional information about copying certificates.

The following procedure explains how to determine if the certificate is available in the user's personal store.

To determine if the certificate is available in the user's personal store

1. Start Internet Explorer.
2. Click Tools and choose Internet Options.
3. Click the Certificates button on the Content tab.
4. The user's certificate is listed on the Personal tab of the Certificates dialog box.

Important: The user's certificate must be present in the personal store to use smart cards with the Program Neighborhood Agent and NFuse.

You can also copy the user's certificate to the personal store by logging on locally to the MetaFrame XP server with the user's smart card. Run the smart card tool on the server and register the user's certificate. This procedure varies depending upon the smart card vendor tool that is installed. See the online help installed with the specific tool for details.

Using Smart Cards with NFuse Classic 1.7 and the Program Neighborhood Agent

Using smart cards with MetaFrame XP, Feature Release 2, the ICA Clients, and/or NFuse Classic simplifies the authentication process while enhancing logon security. This section assumes that the NFuse Classic Web server is running Windows 2000 with Microsoft Internet Information Services (IIS).

To use smart cards with NFuse Classic, configure the IIS Web server and enable smart card authentication using the NFuse Classic Administration Console.

To use smart cards with the Program Neighborhood Agent, you must configure IIS to support smart card authentication. Configure IIS to have a Certificate Authority which can be set up in an Active Directory domain. For more information, see Microsoft's documentation about IIS and Certificate Authorities.

Note: Citrix recommends that you use Active Directory Services if you want to use smart cards with MetaFrame.

Configuring IIS for Smart Card Support

To configure IIS to support smart card authentication, you must complete the following tasks. These tasks are described in more detail below.

1. Enable the Windows Directory Mapper Service.
2. Install a server certificate.
3. Ensure that SSL is enabled on the NFuse Classic Web server.

To enable the Windows Directory Mapper Service

1. Open the Computer Management utility by right-clicking on My Computer and choosing Manage.
2. Navigate to and expand Services and Applications.
3. Navigate to and expand Internet Information Services; right-click and choose Properties.
4. Under the Internet Information Services tab, in the Master Properties box, click Edit.
5. Select the Enable the Windows Directory Service Mapper option on the Directory Security tab.
6. Click OK until you return to the Computer Management dialog box.

To install a server certificate

1. In the Computer Management utility under Internet Information Services, expand the tree until Default Web Site is displayed.
2. Right-click Default Web Site and choose Properties.
3. Click Server Certificate on the Directory Security tab to begin the Web Server Certificate Wizard. Click Next.
4. Choose Create New Certificate and click Next.
5. Choose Send the request immediately to the certification authority and click Next.
6. Enter a friendly name for the certificate and click Next.
   Tip: Use the server's FQDN for the friendly name.
7. Enter the corresponding organization and organizational unit and click Next.
8. For the Common Name, enter the FQDN of the NFuse Classic Web server and click Next.
9. Enter State/Province and City/Locality and click Next.
10. If the Certificate Authority is not automatically filled in, select it from the list.
11. Click Next twice and then click Finish.

To ensure that SSL is enabled on the NFuse Classic Web server

1. In the Computer Management utility under Internet Information Services, expand the tree until Default Web Site appears.
2. Right-click Default Web Site and select Properties.
3. Choose the Web Site tab and make sure that SSL Port 443 is available for SSL connections.
4. Close the Computer Management utility.

Enabling Smart Card Authentication using the NFuse Classic Administration Console

Complete the following tasks to configure NFuse Classic to accept credentials using smart cards.

1. Open a browser and browse to <NFuse server>/citrix/NfuseAdmin.
2. Click the Authentication menu on the left side of the screen.
3. Enable the Smart Card option at the top of the screen.
4. Click Yes to choose the Enable ICA Client pass-through authentication option.
5. Set the Use smart card to log in to MetaFrame option to Auto.
6. Click Save.
7. In the left side frame, select Apply Changes and then click Apply Changes.
8. Close the Administration Console by closing the browser window.

To test the configuration, log on to the NFuse Classic server (<NFuseServer>) from an ICA Client using a smart card and launch a published application.

Miscellaneous Smart Card Information

CAUTION: Cryptographic Service Providers (CSPs) from Schlumberger and ActivCard do not function properly if they are both installed on the same server. However, each can be installed with the GemPlus CSP.

You can use smart cards with single sign-on only on client devices running Windows 2000 and Windows XP because they are the only client operating systems that support logging on locally with a smart card.

To test that a server is set up correctly for logging on with a smart card over an ICA connection, log on locally to the server using the smart card. If you can log on locally, you can log on over an ICA session.

The CSP to be installed on the server is dependent upon the type of smart card that is used. However, most smart card readers work with different vendors' smart cards.

On Windows XP operating systems, Schlumberger Cryptoflex 8K cards can be used without installing additional drivers; however, Schlumberger Cryptoflex 16K cards require additional drivers.

On occasion, the USB readers can stop working for various reasons. Removing and replacing the USB connector restores the reader to working order. Check Microsoft's Knowledge Base support articles Q and Q for additional information.

Deploying the Java Client using NFuse Classic with Custom SSL/TLS Certificates

The Java ICA Client Version 6.30, available from the MetaFrame XP Feature Release Components CD, runs in applet mode only. The ICA Java Client is streamlined for use in environments where access to applications through a Web browser is required.

You can configure NFuse Classic to automatically download a Java Client package to the client device when users launch applications. Use the NFuse Classic Administration Console (on the ICA Client Deployment page) to specify which Java Client features to deploy. To make an ICA connection using SSL/TLS, select the SSL/TLS component.

If SSL/TLS is selected, the Java Client package that NFuse Classic deploys will contain built-in certificates for a number of Certificate Authorities. See the ICA Java Client Administrator's Guide for a full list of built-in certificates. If the environment already has server certificates from one of these Certificate Authorities, the Java client already includes details of the necessary root certificate to allow it to verify the authenticity of the MetaFrame server.

However, if the certificate is not one of those included in the built-in list of certificates used by the Java Client (for example, if your organization has its own certificate authority), you must configure NFuse Classic so that it passes the correct root certificate to the Java ICA Client package when users launch applications.

To enable the ICA Java Client to connect to MetaFrame servers secured with custom SSL/TLS certificates

1. Contact your Certificate Authority and obtain the root certificates that correspond to the server certificates being used on the MetaFrame servers.
2. In a text editor, open the Appembed.asp file. In a default installation of NFuse Classic, this file is located in C:\Inetpub\Wwwroot\Citrix\NFuse
3. Find the section between the <applet> and </applet> HTML tags.
4. Before the </applet> tag, specify which SSL/TLS certificates the ICA Java Client should use. Use the following parameters:
   - SSLNoCACerts - the number of specified certificates in the client archive.
   - SSLCACert0, SSLCACert1...SSLCACert<n> - the names of the root certificates to use when validating the name of the server certificate. The number of root certificates that you specify must match the number specified in the SSLNoCACerts parameter.
   For example, if you have two custom root certificates with the file names A.crt and B.crt, insert the following lines:

   <param name="SSLNoCACerts" value="2">
   <param name="SSLCACert0" value="A.crt">
   <param name="SSLCACert1" value="B.crt">

5. Search for codebase and make a note of the path listed on this line. Remember to translate <%=langcode%> as the folder name of the language you are working with. Do not edit this line.
6. Save the Appembed.asp file.
7. From the Web server's document root folder (in a default installation of IIS this is located at C:\Inetpub\Wwwroot), navigate to the path noted in Step 5; for example, Citrix\ICAWEB\en\icajava.
8. Copy the root certificates obtained from the Certificate Authority to this folder. Ensure that the file names match the file names specified earlier in the Appembed.asp file.
9. On the client device, launch the Web browser and connect to the NFuse Classic Web page. All embedded Java ICA sessions to secured MetaFrame servers work transparently using SSL.

Note: Following this procedure also allows access using Citrix Secure Gateway. To use the configuration detailed in the procedure above with Citrix Secure Gateway, use the NFuse Classic Administration Console to configure the Server Side Firewall Settings page to use Citrix Secure Gateway.

Security with Pass-Through Authentication

To disable pass-through authentication

1. In the ICA Win32 Program Neighborhood Client, choose Tools > ICA Settings.
2. Clear the check box for the Pass-Through Authentication option.
3. Delete the following files from the ICA Client files folder to disable the feature and prevent a user from enabling it again in the ICA Client:
   - Ssoncom.exe
   - Ssonstub.dll
   - Ssonsvr.exe
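A consistency check for the Java Client certificate procedure earlier in this chapter, added here as an example and not part of the Citrix documentation: it confirms that the SSLNoCACerts count matches the numbered root-certificate parameters in the applet section of Appembed.asp and that every named file is present in the codebase folder. The function names and the sample applet fragment are constructed for illustration, and file names are compared case-insensitively on the assumption of a Windows/IIS file system.

```python
"""Check the custom root-certificate parameters in an Appembed.asp applet section."""
import re
import tempfile
from pathlib import Path

APPLET_RE = re.compile(r"<applet\b.*?</applet>", re.I | re.S)
PARAM_RE = re.compile(r'<param\s+name="([^"]+)"\s+value="([^"]*)"\s*/?>', re.I)
CERT_RE = re.compile(r"sslcacert(\d+)")


def check_block(block, cert_dir):
    """Check one <applet> section; return a list of problem strings."""
    problems = []
    counts, certs = [], {}
    for name, value in PARAM_RE.findall(block):
        # Applet parameter names are case-insensitive, so normalise them.
        name, value = name.lower(), value.strip()
        if name == "sslnocacerts":
            counts.append(value)
        match = CERT_RE.fullmatch(name)
        if match:
            idx = int(match.group(1))
            if idx in certs:
                problems.append(f"SSLCACert{idx} is defined more than once")
            certs[idx] = value

    if not counts and not certs:
        return problems  # no custom roots configured; nothing to verify

    # The declared count must match the number of certificate parameters.
    if len(counts) != 1 or not counts[0].isdigit():
        problems.append("SSLNoCACerts must appear exactly once with a numeric value")
    elif int(counts[0]) != len(certs):
        problems.append(
            f"SSLNoCACerts={int(counts[0])} but {len(certs)} SSLCACert parameter(s) are present"
        )

    # The page numbers the parameters from 0 upward; a gap means a root is skipped.
    if sorted(certs) != list(range(len(certs))):
        problems.append("SSLCACert parameters are not numbered 0..n-1 without gaps")

    # Every named file must exist in the codebase folder and be non-empty.
    on_disk = {p.name.lower(): p for p in Path(cert_dir).iterdir() if p.is_file()}
    for idx in sorted(certs):
        found = on_disk.get(certs[idx].lower())
        if found is None:
            problems.append(f"SSLCACert{idx}: {certs[idx]!r} is not in {cert_dir}")
        elif found.stat().st_size == 0:
            problems.append(f"SSLCACert{idx}: {certs[idx]!r} is an empty file")
    return problems


def check_appembed(asp_text, cert_dir):
    """Check every <applet> section in the ASP source against cert_dir."""
    blocks = APPLET_RE.findall(asp_text)
    if not blocks:
        return ["no <applet> section found"]
    problems = []
    for block in blocks:
        problems.extend(check_block(block, cert_dir))
    return problems


# Constructed sample: the applet attributes are placeholders, not the real file contents.
SAMPLE = """\
<applet code="Placeholder.class" codebase="/Citrix/ICAWEB/<%=langcode%>/icajava">
<param name="SSLNoCACerts" value="2">
<param name="SSLCACert0" value="A.crt">
<param name="SSLCACert1" value="B.crt">
</applet>
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        # Only A.crt is copied, so the check reports that B.crt is missing.
        (Path(folder) / "A.crt").write_bytes(b"constructed placeholder, not a certificate")
        for line in check_appembed(SAMPLE, folder) or ["parameters and files are consistent"]:
            print(line)
```

Run it against the saved Appembed.asp text and the folder noted from the codebase line before testing from a client device; an empty result means the parameters and copied files agree.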

147 Chapter 9 Printer Management

Printer Driver Replication

MetaFrame XP provides centralized printer management with the Citrix Management Console. Printer driver replication is designed to copy printer driver files and registry settings across the server farm. Install all required printer drivers on one MetaFrame XP server in the farm, then replicate the files and registry settings to all other servers in the farm. Manage the printer driver replication through the Citrix Management Console.

Printer driver replication does not replicate printer properties such as paper size and print quality.

Tip: The process of replicating printer drivers can consume a lot of CPU resources on the source server. To improve performance, avoid replicating drivers while the farm is under heavy load, such as when many users are logging on.

Managing the Printer Driver Replication Queue

Each printer driver/server combination creates an item in the printer replication queue. For best performance, this queue should not exceed 1,500 entries in length. To determine the queue size, use the following formula:

QueueSize = Drivers * Servers

Where:
Drivers = Number of printer drivers
Servers = Number of servers to which the printer drivers are being replicated

Using this formula, the queue can include 30 drivers for replication to 50 servers (30*50=1,500) or 3 drivers for replication to 500 servers (3*500=1,500) without exceeding the queue size recommendation.

You can monitor the replication queue items with the qprinter /replica command. For more information about this utility, see QPRINTER on page 192.

Tip: You can determine whether or not printer drivers are successfully replicated by checking the Application Log in Event Viewer on the target servers.

Driver Replication and Performance Issues

The number of printer drivers installed on or replicated to each server in the farm can affect server performance and the IMA service response time. The following sections provide recommendations for minimizing potential performance issues when installing or replicating printer drivers.

Driver Replication and Server Performance

The time required to complete printer driver replications depends on network traffic and server load. The replication distribution queue is handled by the Citrix IMA Service at a low priority.

The printer driver replication subsystem can process an average of 50 entries every minute in a 50-server farm under a light user and network load. A 500-server farm under the same conditions can process an average of 20 entries a minute.

The distribution subsystem monitors the load on the MetaFrame server that is replicating the print drivers while they are distributed across the server farm. If the subsystem detects that the server is becoming overloaded, it reduces the speed at which it sends the replication jobs. This can cause very large replication jobs to take several hours.

To complete printer driver replication as quickly as possible, Citrix recommends that you replicate large numbers of printer drivers during off-peak hours when higher-priority network traffic is at a minimum.

Tip: You can monitor the progress of the printer replication jobs by running qprinter /replica.

Driver Replication and IMA Performance

The server farm's data store holds one record for each printer driver, one record for each farm server, and one record for each printer driver/server combination. Installing more printer drivers on MetaFrame servers in the farm causes the size of the printer driver tables in the data store to increase. Larger tables in the data store result in increased delay when restarting the MetaFrame servers because the Citrix IMA Service has more information to query.

To avoid degraded performance because of larger tables in the server farm's data store, limit the number of printer drivers in the farm using the following guidelines.

- Install printer drivers only for printers that will be used by ICA Clients in the farm
- Install printer drivers only on servers that will host users who need access to the printers
- Install printer drivers that work for multiple printer types, if possible
- If a printer is removed from a server, delete the associated registry key and restart the server
- Remove unnecessary printer drivers from cloned images
- In WAN environments where a large number of printer drivers are installed, use a replicated data store if better performance is necessary
- Use the Citrix Universal Print Driver instead of the native Windows drivers, if possible

Using Auto-Replication

When an auto-replication job is scheduled, the Citrix IMA Service attempts to download the job when the IMA Service starts up. If several printer replication jobs are destined for a server, the IMA Service may take an extended amount of time to start. Using the Overwrite existing drivers option is not recommended because this causes the printer drivers to be downloaded each time the IMA Service starts.

Citrix recommends using scheduled replication instead of auto-replications to reduce network traffic. If auto-replication must be used, do not use the Overwrite existing drivers option and keep the number of printer drivers to be replicated to a minimum.

151 Chapter 10 Maintaining MetaFrame XP Server Farms

This chapter includes information about maintaining MetaFrame XP server farms.

Cycle Booting MetaFrame XP Servers

You do not have to restart MetaFrame XP servers regularly to increase performance. However, if you want to configure cycle booting, follow the guidelines in this section.

When the Citrix IMA Service starts after you restart a MetaFrame XP server, it establishes a connection to the data store and performs various reads to update the local host cache. These reads can vary from a few hundred kilobytes of data to several megabytes of data, depending on the size and configuration of the server farm.

To reduce the load on the data store and to reduce the Citrix IMA Service start time, Citrix recommends maintaining cycle boot groups of no more than 100 servers. In large server farms with hundreds of servers, or when the database hardware is not sufficient, restart servers in groups of approximately 50, with at least 10-minute intervals between groups.

Tip: If the Service Control Manager reports that the IMA Service could not be started after a restart of a MetaFrame XP server, but the service eventually starts, ignore this message. The Service Control Manager has a timeout of six minutes. The IMA Service can take longer than six minutes to start because the load on the database exceeds the capabilities of the database hardware. To eliminate this message, try restarting fewer servers at the same time.

Changing Farm Membership of Servers

To change the farm membership of MetaFrame XP servers, you must use the chfarm command. The correct use of the chfarm command is discussed below.

CAUTION: Misuse of chfarm can corrupt the data store.

Using chfarm

You can execute chfarm from:

- %ProgramFiles%\Citrix\system32\citrix\ima
- The MetaFrame XP CD
- A network image of the CD

CAUTION: If chfarm reports any error, continuing the process can corrupt the data store. Instead, click Cancel and use the procedure for restoring an unresponsive server. For more information, see Recovering an Unresponsive Server on page 204.

Executing chfarm

Executing chfarm does the following on the host server:

1. Attempts to remove the server from the farm.
2. Stops the Citrix IMA Service.
3. Configures the data store.
4. Restarts the IMA Service.
5. Initializes the license database.

Important Considerations when Running chfarm

Consider the following when you use chfarm:

- Chfarm deletes the current data store database.
- Do not use chfarm on the server hosting the Microsoft Access database until all other servers in that farm are moved to a new server farm. Failure to follow this process causes errors when chfarm is executed on those servers that no longer have a valid data store.

- When you create a Microsoft Access data store on a server in a new server farm:
  1. Run chfarm first on the server hosting the new data store.
  2. Execute chfarm on other servers to be added to the new server farm.
  3. Run chfarm on any servers that hosted an old data store.
- Close all connections to the Citrix Management Console on the local server before executing the chfarm command.
- Execute chfarm only on a functioning MetaFrame XP server.
- Do not execute chfarm on a server that was removed from a server farm.

Important: Using chfarm does not migrate published applications or any server settings to the new server farm.

Renaming a MetaFrame Server

The name and security ID given to a server when it is installed and added to a server farm generally remains unchanged, but the server can be renamed if necessary.

To rename a server in a server farm

1. In the Citrix Management Console:
   - In the Add Administrators wizard, select the checkbox to Add local administrators to the Citrix Administrator node
   - From the Select Tasks screen, choose Full Administration
2. Use chglogon /disable to prevent users from logging on to the server.
3. Remove the server to be renamed from any published applications assigned to that server.
4. Stop the Citrix IMA Service.
5. Change the name of the server.
6. Restart the server.
7. Log on to the Citrix Management Console using the local administrator account.
8. Expand the Servers folder.
9. Assign a product code and feature release/service pack level to the new server name.
10. Ensure that licenses are present and activated.
11. Remove the old server name from the Citrix Management Console list of servers.
12. Add the new server name to the list of configured servers for published applications.

To verify the success of the server name change

1. At a command prompt, type clicense in_use_by.
2. Verify all appropriate licenses are installed and in use.
3. Type clicense in_use_by <servername> or clicense in_use_by <servername> -l.

If the new server name is displayed in place of the old name, the server has been successfully renamed.

Uninstalling MetaFrame Servers in Indirect Mode

If you remove MetaFrame XP from the server that directly accesses the data store, any servers that indirectly access the data store lose access to the data store. Information such as licensing and product codes is lost.

Citrix recommends that you uninstall MetaFrame from the indirect servers first and the direct server last. Uninstalling MetaFrame from the direct server first prevents any other servers from being removed from the data store.

To force an uninstall of MetaFrame when the data store cannot be accessed, use the following command:

msiexec /x mfxp001.msi CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=YES

where /x is the uninstall switch and mfxp001.msi is the name and location of the MetaFrame XP Feature Release 2 Windows Installer package. For more information about how to pass properties to the Windows Installer, see the MetaFrame XP Administrator's Guide.

155 Chapter 11 Managing MetaFrame XP Server Farms

This chapter includes best practices for managing MetaFrame XP server farms and users. This chapter includes information about the Citrix Management Console, Installation Manager, Resource Manager, and Network Manager.

Load Manager is a component of MetaFrame XPa and XPe; it requires a MetaFrame XPa or XPe product license to function. Installation Manager, Resource Manager, and Network Manager are components of MetaFrame XPe; they require a MetaFrame XPe product license.

Citrix Management Console

This section offers recommendations for using the Citrix Management Console in an enterprise environment.

Configuring Data Refresh

By default, automatic refresh of data is disabled in the Citrix Management Console. Enabling automatic refresh increases CPU utilization by the console and increases TCP traffic on the network. Opening multiple Citrix Management Console instances in the same farm with automatic refresh enabled increases network congestion. However, if you want to enable automatic refresh (for example, to view real-time data related to ICA Client connections and disconnections), complete the following tasks.

To enable automatic data refresh in the Citrix Management Console

1. Launch the Citrix Management Console and log on to the farm.
2. Choose View > Preferences > User Data.
3. Select the automatic refresh options and enter the refresh rate. You can specify automatic refresh for server data, server folders, and application user data.
4. Click OK to apply the settings.

Auto-refresh settings are saved on the server on which the Citrix Management Console is running.

Performance Considerations

The Citrix Management Console queries the data collector and the member servers for information such as running processes, connected users, and server loads. Depending on the size of the server farm, the Citrix Management Console might affect performance in the server farm.

Consider the following recommendations for managing performance issues with the Citrix Management Console:

- In MetaFrame XP deployments with hundreds of servers and thousands of users, connect only one instance of the Citrix Management Console to the farm for each zone.
- Connect the Citrix Management Console to a data collector so that the console can query data directly, rather than through an intermediate MetaFrame server.
- In large farms, the Citrix Management Console can take a long time to refresh. The refresh time depends on the number of servers in the zone, the number of ICA Clients requesting connections, and the number of Citrix Management Console instances that are requesting information. If the refresh query takes longer to complete than the specified automatic refresh interval, the data collector becomes overloaded. Make the automatic refresh interval for users and applications as long as is practical. Citrix recommends that you do not use the minimum refresh interval of 10 seconds. For best performance, disable automatic refresh and manually refresh the data as needed.
- When managing a farm across a congested WAN, run the Citrix Management Console within an ICA session to a remote server rather than running it locally. Running the console from within an ICA session reduces the amount of bandwidth consumed across the WAN and provides better performance from the console.

Using Server and Application Folders

The Citrix Management Console allows you to group servers and applications into folders. There is no correlation between Citrix Management Console folders and Program Neighborhood folders that appear in application sets.

Citrix Management Console folders help you manage a large number of servers and applications and increase performance because the console queries for data only for the servers or applications in the current folder view. One way to improve response time is to divide the list of servers into folders based on their zones.

Tip: Viewing server details for large groups of servers may result in incomplete information being gathered for all of the servers. To reduce this occurrence, group servers in folders under the Servers node of the Citrix Management Console.

Load Management Tips

When you are selecting servers to configure for load management or attaching load evaluators in large farms, Citrix Management Console can take several minutes to populate the lists of available servers and selected servers. During this delay, the console does not always indicate that it is still retrieving information.

Citrix Installation Manager

This section covers design and architecture topics you should be familiar with before you use Installation Manager to deploy applications in a MetaFrame XP farm. Concepts discussed include group size considerations, WAN recommendations, and application deployment recommendations.

Group Size Considerations

With Installation Manager, you can install applications to predefined groups of servers. When you create server groups, you can install applications to a specific set of servers quickly and efficiently. Creating server groups eliminates the need to manually select individual servers with every installation.

When you create a server group for application deployment, consider the following:

- How you want to use your server groups. Installation Manager allows applications to be installed to a group of servers. However, uninstalling the applications requires selecting individual servers from the Citrix Management Console.
- Keep your group size reasonable (see table below).

                         Small      Medium     Large
Application size         < 5 MB     5-20 MB    > 20 MB
Recommended group size   < 100      < 80       < 50

Installation Manager deploys applications to servers simultaneously, but does not use multicasting. Each target server reads the data from the location where the installation package is stored. Large installation packages (for example, Microsoft Office XP) copy more than 200 megabytes of data from the package server to the target server. The amount of data transferred across the network is:

D = I x N

Where:
D = the amount of data
I = the size of the installation
N = the number of target servers

Smaller group sizes are needed when installing applications that require a server to restart. Installations occur simultaneously and all of the MetaFrame servers will restart at nearly the same time. Because of this, a transient load is placed on the data store.

The capacity of the data store server and the internetworking infrastructure greatly affect the performance of the network when you are deploying applications and restarting servers. The table above contains suggestions based on a 100 Mbps switched Ethernet infrastructure.

- Cluster groups logically. Deployment is more efficient if several logical groups are created that match the schema of the overall enterprise. One group might contain servers that host standard business applications, another group can host engineering applications, and so on.

Network Setup Recommendations

The network setup recommendations for MetaFrame XP Feature Release 2 all apply to Installation Manager. The more efficient and capable the network, the quicker and easier applications are to install. The use of switches, high-speed backbones, and high-speed disk drives greatly enhances the ability of Installation Manager to install applications to large server farms efficiently.

WAN Recommendations

Do not install applications to target servers across a WAN. The amount of bandwidth and time required to install an application over a WAN can congest the network for extended periods of time, which can result in networking timeouts. To avoid this situation, take the following steps:

- Create a new application package at the remote site where the application is to be deployed
- If there is more than one remote target server, copy the package and the associated installation files over the WAN once, then deploy it on that segment

Application Deployment Recommendations

This section contains issues you should consider when using Installation Manager in conjunction with MetaFrame XP Feature Release 2 to deploy applications.

Package Server

Use the package server when recording application installations. The following package server recommendations help ensure a clean package file:

- Keep the package server as similar in configuration (both hardware and software) as possible to the target server.
- Make the package server as clean as possible. Roll back previously installed applications before recording. For additional information, see Getting Started with Citrix Installation Manager.
- Do not run other applications while an image is recording.
- Do not package applications through an ICA session.

Deployment Server

The deployment server is the server where the package and installation files reside. All target servers communicate with this server to get the files and information required to install the application. The following recommendations offer helpful information about deploying packages:

- Put the deployment server on a server grade machine. Each target server requests the same file set from the deployment server. The load on the deployment server can be high. The deployment server must be capable of handling the combined load of the servers connecting and requesting information simultaneously in a deployment group.
- Put the deployment server on a 100 Mbps switched Ethernet port. Running the deployment server in a shared collision domain increases latency. Connections can be refused due to time-out or server overload. This problem increases on a busy network and when many servers are targeted for a single installation.

Network Share Account

The network share account allows the target server to have access rights to the network share point where the package is located.

To set up a network share account

1. Right-click the Citrix Installation Manager node in the Citrix Management Console and choose Properties.
2. Type the domain account and password that will be used to access network shares.

When running an unattended or silent installation, the network share account must have administrator privileges on the target server.

Important: Installation Manager supports only Windows domain authentication models; it does not support workgroups.

Package Group Deployment

Package groups are used to deploy multiple packages to the same target server or server groups in one schedule. Consider the following points when deploying package groups:

- To simplify deployment, create package groups from similar packages.
- After the package groups are deployed, do not make changes such as adding packages to or deleting packages from the package group. Making changes to the package group may result in uninstall errors. If you need to deploy new packages, create a new package group and then deploy it.
- If changes are made to a deployed package group, the Job status tab of the Job Properties window does not report installation status for the deleted or newly added package.
- After scheduling an installation of a package group, do not make changes to the package group contents, because it may result in temporarily inaccurate job result information. Refresh the Citrix Management Console to correct this behavior.

Job Scheduling and Staggered Installations

The following recommendations can lower bandwidth consumption, allowing the farm to function without a loss of performance.

- Schedule the installation of packages during times of low network usage
- Avoid installations during scheduled server backups or restorations

Important: While an application is being deployed to a server, all ICA connections are terminated until the installation is completed.

Installation Manager with Feature Release 2 supports staggered installations of package groups. Installation window options and multiple dates can be used for package groups to schedule the installation job during a certain time period within specific days. Consider the following recommendations when staggering installations:

- Schedule the installation window during times of low network usage.
- Select multiple dates if the installation of the packages in a package group requires multiple dates for installation. The packages that haven't been installed will begin installation in the same installation window on the selected dates.

Important: A staggered installation of a single package is not supported.

User Specified Reboot

The behavior of the server when it is restarted when deploying packages is affected by three options:

- Do not reboot servers if any user sessions are open. If you set this option before deploying packages, the target server will not restart if a user connection to the target server is detected even though the package deployment requires a restart. To finish the deployment, the target server must be restarted manually after the user logs off. This can be overwritten if you set the Force reboot after job option (see below) during the scheduling of the installation of a package.
- Delay reboot until the end of job. If you deploy a package group and one or more of the applications require a restart at the end of the deployment, you can set the Delay reboot until the end of Job option when you schedule the installation. This postpones the restart until the end of the entire package group deployment.
- Force reboot after job. If you set this option, the server restarts after the package is deployed. Any active user sessions receive a message from the server asking them to log off. The messages are sent at five minute intervals for 15 minutes, and then the server restarts. Any active sessions are terminated.

Recording Applications During Installation

Installation Manager Packager monitors the changes that occur on the packaging server when an application is installed, records the changes as installation commands in a script, and then packages all application files so you can deploy the package on target servers. Read the list below for guidance about recording applications:

- Installation Manager Packager cannot resume package recording if the server is restarted while you are installing an application.
- When recording an application that prompts the user for a restart, cancel the restart and stop the recording on the Packager.
- Installation Manager Packager cannot record an application that forces a restart that cannot be canceled by the user.
- Installation Manager Packager cannot record an application that requires multiple server restarts during installation (see next point).
- If an application has an unattended installation program, the Packager creates a package from the unattended installation program only. The Packager will not record the actual installation. When using the Packager to package the application, choose the Add Unattended Program option to package an unattended install program and any other necessary files. This method allows applications that require one or more restarts during installation to be packaged using Installation Manager.

Citrix Resource Manager

Resource Manager is a component of MetaFrame XPe and is not available in MetaFrame XPa or MetaFrame XPs.

This section includes information about Resource Manager and discusses topics including the local Resource Manager Database, the Farm Metric Server, and the Summary Database. The version of Resource Manager included with Feature Release 2/Service Pack 2 is improved in the areas of performance, usability, stability, and scalability. Resource Manager now includes the Summary Database, which allows you to store historical data on metrics and servers and produce reports on the stored data.

Resource Manager Database and Metric Server

Resource Manager stores all of its configurations, settings, thresholds, and metrics in the data store and in the local host cache. Resource Manager contains a local Resource Manager database and a Farm Metric Server. Feature Release 2 introduces a Database Connection Server that is used with Summary Database.
Local Resource Manager Database

Each MetaFrame server with Resource Manager installed has a local database in which it stores the individual server's metric information. It is important to note the following:

- The local Resource Manager database is a Microsoft Access Jet Database called RMLocalDatabase.mdb that is in %ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB
- The local Resource Manager database is accessed when creating real-time graphs, displaying system snapshots, running reports on that specific server, and writing server metrics
- The local Resource Manager database holds metric values and application information for the previous 96 hours
- This database is compacted when the IMA service is started and once a day while the IMA service is running

Farm Metric Server

The Farm Metric Server is used for application and server monitoring. The Farm Metric Server gathers its information from the data collector. Because the Farm Metric Server accesses the data collector every 15 seconds, configuring data collectors to also perform the role of the Farm Metric Server and the backup Farm Metric Server can improve performance. The Farm Metric Server may also perform the role of the Database Connection Server.

Although Resource Manager can track any Performance Monitor counter as a server metric, Citrix recommends you limit the total number of metrics tracked on a server to fewer than 50.

Important: In a farm that contains servers running various MetaFrame XP feature release levels, the primary Farm Metric Server must be running Feature Release 2 or you will encounter errors with the Summary Database.

Alerts

Resource Manager can send alerts to users or groups of users. The following list offers tips for using alerts:

- If your service does not send alerts, the Citrix administrator should delete and recreate the MAPI profile. The administrator should also verify that the mail client being used (for example, Microsoft Outlook) is the default mail client for the server.
- To enable Resource Manager to send SNMP traps for application alerts, SNMP must be set up on the primary and backup Farm Metric Servers.

Summary Database

The Summary Database is used for storing historical data from servers in the farm. Citrix administrators can produce reports, such as billing, based on the stored data. The reports can use several criteria, such as CPU usage or application usage. Consider the following when using the Summary Database:

- Each farm that requires the Summary Database must have a Database Connection Server (DCS), which writes the metric information from other farm servers to the Summary Database.
- The connection between the DCS and the database where the metric information is stored is defined by a system Data Source Name (DSN) called RMSummaryDatabase.
- Data is stored on each server in summary files. Summary files are updated whenever a session or process terminates, whenever an event occurs, and once an hour for metrics.
- Each Resource Manager server in the farm caches its own summary data locally for 24 hours and then transmits it to the Database Connection Server at a configurable time of day, preferably at off-peak hours.
- Reports on data in the Summary Database can be generated by the Citrix Management Console in a manner similar to those available for the local database for each server.

Tip: Report templates for use with Crystal Reports software are available from the Citrix Web site at

Tip: By default, metrics are stored in the Summary Database. You can change this on the Threshold Configuration screen. You can also specify the time of day or week that metrics are recorded in the Summary Database on a per server basis.

The following table shows the database products and client versions with which the Summary Database was tested:

DBMS Version   Client Version   ODBC Driver Version
SQL Server 2000   MDAC Version MDAC 2.5 SP MDAC 2.7 SP
SQL Server 7   MDAC 2.5 SP MDAC 2.7 SP
Oracle Hotfix RME102W003 is required for Oracle support. This hotfix is not compatible with Oracle 8, 8i, or 9i.   Net8 Client Version (8i) i

The data store and the Summary Database can reside on different platforms and database servers. IBM DB2 is not supported for use as the Summary Database.

Data Purging

The Summary Database allows Citrix administrators to control how long data is stored by purging the database at set periods. You can also turn off purging, in which case all data is kept for an indefinite period.

Citrix Network Manager

Network Manager is a component of MetaFrame XPe and is not available in MetaFrame XPa or MetaFrame XPs. Below are some known issues with Network Manager.

- In Tivoli NetView, the server icon is sometimes green, while the subsystem icons are light blue. In this case, highlight the green server icon and perform a status update to update the status of the subsystem icons. This is a Tivoli NetView IP map issue that occurs when NetView is left running over long periods of time.
- When using Tivoli NetView, if the Trapd.exe process is killed while the Metadis.exe and Metalan.exe services are running, each service acquires 50% CPU utilization. The services do not return to normal CPU levels until Trapd.exe is restarted. This is a known issue with Tivoli NetView.
- In HP Network Node Manager, a link-down status is represented by a blue icon. This occurs only if the server cannot be contacted by the console when the status update is performed. In Tivoli NetView, a link-down status is displayed in red.
- When Network Manager is uninstalled from one of the SNMP management consoles, by default the Network Manager icons stay in the IP map until they are deleted and the nodes are rediscovered.

Network Manager SNMP Agent Issues

The following are known issues and recommendations for the SNMP Agent:

- Microsoft SNMP does not function properly if installed on top of Windows NT 4.0 with Service Pack 6 or Windows NT 4.0 Terminal Services Edition with Service Pack 6.
  Action: Reinstall Service Pack 6 after installing the SNMP service.
- In Windows 2000, the default security setting for the SNMP service is read only. In Windows NT, TSE, it is read/write. Network administrators cannot perform SET operations (logoff, disconnect, send message, and terminate process) or restart and shut down servers from Network Manager consoles unless the security setting is read/create.
  Action: Change security to read-create.
- Microsoft has released security bulletins for SNMP security risks. Apply the following bulletins to all MetaFrame servers and Citrix Management Console instances:
  MS00-095: Windows NT 4.0
  MS00-096: Windows 2000
  MS02-006: Windows NT4, TSE, Windows 2000, and Windows XP

Tip: Enable or disable the SNMP Agent when farm activity is low.

User Policies Best Practices

User policies allow you to apply selected MetaFrame settings, including shadowing permission settings, printer autocreation settings, and client device mapping settings, to specific users or user groups. Using policies, you can tailor your environment at the user level. User policy settings override all other MetaFrame XP and Terminal Services settings.

The following list contains tips and troubleshooting guidelines for working with user policies in MetaFrame XP Feature Release 2:

- Assign user policies to user groups rather than individual users. If you assign user policies to user groups, assignments are updated automatically when you add or remove users from the group.
- Disable unused policies. Policies with all the rules set to Not Configured create unnecessary processing.
- Avoid conflicting settings in Citrix Connection Configuration or in the farm-wide settings of the Citrix Management Console. Several policy rules can also be set in Citrix Connection Configuration, and/or the farm-wide settings in the Citrix Management Console. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.
- Use the Search feature to see which policy rules are being applied to users or user groups.
- Use the drag and drop feature of user policies to quickly assign the correct priority to a user policy.

User-to-User Shadowing Best Practices

Users can shadow other users without requiring administrator rights. Multiple users from different locations can view presentations and training sessions, allowing one-to-many, many-to-one, and many-to-many online collaboration.

The following list comprises recommendations for working with user-to-user shadowing:

- Do not assume that members of the administrators group have shadow rights by default. Although local administrators may have shadowing rights enabled in Citrix Connection Configuration, they cannot shadow users who have been assigned to the policy by default. You must add the members of the local administrators group to the list of people with shadow rights in the user policy.
- Although in general user policies take precedence over settings configured in other MetaFrame utilities, shadowing is an exception. If shadowing is disabled during MetaFrame XP Setup or disabled in Citrix Connection Configuration for a particular connection, user policies with shadowing enabled have no effect.

Delegated Administration Tips

To allow a Citrix administrator to shadow using the Citrix Management Console, enable the following permissions at a minimum:

- Citrix Administrators: Log on to the Citrix Management Console
- Servers: View Server Information
- Sessions: View Session Management

CHAPTER 12

Optimizing the Performance of MetaFrame XP

This chapter suggests optimizations that can increase the performance of MetaFrame XP, Feature Release 2 and Windows

Many of the recommendations are from Microsoft Knowledge Base articles accessible from the Microsoft Web site at

For additional information regarding server and operating system configurations, see Recommended Server Configuration on page 13.

Client Optimizations

Improving Connectivity over Inconsistent WAN Links

This section includes information about decreasing the number of disconnected TCP/IP sessions when clients connect over the Internet or any other WAN link with inconsistent bandwidth.

If the quality of a WAN link dramatically decreases after a user connects to a MetaFrame XP server, the connection can be dropped. Users experiencing this problem receive the following error message:

Error in Connection: the Citrix server is no longer available.

By default, the TCP/IP protocol uses the initial packet round-trip time at the moment when the session is initiated to determine what is normal for that connection. Because of this, it is better to have a consistently slow WAN connection than to have a connection that starts out fast and then becomes slow. Such an erosion of connection speed is common when connecting through an Internet Service Provider (ISP), particularly when the connection is opened in the morning and maintained throughout the day.

To accommodate this erosion of bandwidth, add a value to the TcpMaxDataRetransmissions subkey under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Subkey: TcpMaxDataRetransmissions (REG_DWORD): 10

To add the subkey TcpMaxDataRetransmissions when it does not exist

1. Highlight PARAMETERS. From the Edit menu, choose Add Value.
2. Type TcpMaxDataRetransmissions in the Value Name box.
3. Select REG_DWORD in the Data Type box. Click OK.
4. Select Decimal from the radix options.
5. Type 10 in the Data box. Click OK.

Retransmission Behavior

TCP starts a retransmission timer when each outbound segment is handed down to IP. If no acknowledgment is received for the data in a given segment before the timer expires, the segment is retransmitted up to the TcpMaxDataRetransmissions number of times. The default value for this parameter is five.

The retransmission timer is initialized to three seconds when a TCP connection is established; however, it is adjusted dynamically to match the characteristics of the connection using Smoothed Round Trip Time (SRTT) calculations as described in RFC793. The timer for a given segment is doubled after each retransmission of that segment. Using this algorithm, TCP tunes itself to the normal delay of a connection.

Because the default number of retries is five, the round-trip time can double four times (in other words, it can become 16 times slower than its initial value) before the session is dropped. By increasing this number to 10, you allow the round-trip time to double nine times instead of four, which allows the connection quality to erode up to 512 times its original value before being dropped. For example, a connection that begins with a round-trip time of 20 milliseconds has to erode to a round-trip time of 10,240 milliseconds before being dropped by the server.

If possible, make this registry change on the client device as well. More information is available in Microsoft TechNet Articles Q and Q17035 available at support.microsoft.com.
Selecting Non-Standard TCP Packet Sizes

By default, ICA sessions connecting over TCP use maximum sized TCP packets (up to 1460 bytes of data) for the transmission of large amounts of data. However, there are a small number of network types, usually particular wireless or satellite-based networks, where better performance can be achieved by using smaller maximum sized packets.

For MetaFrame XP, Feature Release 2, you can override the normal maximum size (1460) on a server by setting the following registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\Wds\icawd\MaxICAPacketLength

If required, define the entry as a DWORD parameter (for example, 1000). Restart the server for this registry value to take effect. If the entry is undefined, has a value of zero, or a value greater than 1460, it will have no effect. But other values will cause the server and its clients to use a smaller maximum length for all packets sent after connection time.

CAUTION: Setting this registry value to enforce a lower maximum will have a significant negative effect on performance on all normal networks and it should, therefore, be used only in special situations.

Disk Optimizations

Several registry settings can be modified to increase disk performance and throughput. This section describes enhancements such as increasing I/O locks and disabling last file access updates.

I/O Locks

The registry setting IoPageLockLimit specifies the limit of the number of bytes that can be locked for I/O operations. Because RAM is being sacrificed for increased disk performance, determine the optimal setting for this value through pilot tests. Changing this setting from the default can speed up file system activity. Use the table below as a guide for changing the registry setting.

Server RAM (MB)   IoPageLockLimit (decimal)   IoPageLockLimit (hex)

Modify the registry setting as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value: IoPageLockLimit (REG_DWORD): 0 (512 KB is used)

For additional information about the IoPageLockLimit registry setting, see Microsoft Knowledge Base articles Q and Q at support.microsoft.com.

Last Access Update

The NTFS file system stores the last time a file is accessed, whether it is viewed in a directory listing, searched, or opened. In a multiuser environment, this updating can cause a small performance decrease. To disable this feature, modify the following registry setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Value: NtfsDisableLastAccessUpdate (REG_DWORD): 1

Memory Optimizations

This section describes configurations for a direct-mapped level 2 (L2) cache, the system paging file, and system page table entries.

Level 2 Cache

For processors that use a direct-mapped L2 cache, configuring the value manually can yield a performance improvement. A direct-mapped L2 cache does not provide performance gains on Pentium II and later processors. For more information, see Microsoft Knowledge Base support articles Q and Q

Use the following registry setting to modify a direct-mapped L2 cache:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value: SecondLevelDataCache (REG_DWORD): x
where x is the L2 size in decimal (default: 0, which sets the cache to 256KB)

Example: If the CPU has a 512KB cache, set the entry to 512 (in decimal).

Paging File

The paging file is temporary storage used by the operating system to hold program data that does not fit into the physical RAM of the server. The ratio of physical memory to paged memory is the most important factor when determining the size of a paging file. When configuring the paging file, follow these guidelines:

- A proper balance between physical memory and paged memory prevents thrashing. Verify that more memory is in physical RAM than paged to disk. For optimal performance, this ratio should be approximately 3:1.
- Place the paging file on its own disk controller or on a partition that is separate from the operating system, application, and user data files. If the paging file must share a partition or disk, place it on the partition or disk with the least amount of activity.
- To prevent disk fragmentation of the paging file, always set the paging file initial size to be the same as the maximum size.
- The optimal size of a paging file is best determined by monitoring the server under a peak load. Set the paging file to be three to five times the size of the physical RAM and then stress the server while observing the size of the paging file. To conserve resources, set the paging file to a value slightly larger than the maximum utilized while under stress.
- If the server is short on physical RAM, use the paging file to provide additional memory at the expense of performance.

Note: For debugging purposes, create a paging file on the root partition that is slightly larger than the amount of RAM installed.

Page Table Entries

You can improve single-server scalability (number of users on a server) by manually adjusting the page table entries (PTE) in the registry. The Windows NT kernel uses PTE values to allocate physical RAM between two pools of memory. By manually setting the maximum space allocated to the system PTE, the remaining space can be used to increase the number of users supported on the server.

Determining the optimal configuration for PTE values is a complex task. For detailed information, see the Microsoft Knowledge Base article Q

A Kernel Tuning Assistant for Windows 2000 server is also available from Microsoft.

Network Optimizations

Some simple changes to network settings can often improve network performance. This section covers a few common issues you can remedy by adjusting the default Windows NT network configuration.

Network Cards

Most 10/100-based network cards auto-sense the network speed by default. Manually setting these cards prevents the auto-sensing process from interfering with communication and forces the desired speed. If the server is connected to an auto-sensing device, apply these settings to this device as well.

Verify that only the necessary protocols are installed, and that the binding order of those protocols to the network interface card lists the most commonly used protocol first.

Network Request Buffer

If working in a mixed Windows 2000 and TSE environment, you can gain additional performance by modifying the network request buffer size on the TSE servers. Increasing this value to 65,536 bytes from the default of 4,356 bytes significantly improves LAN Manager file writes. For more information, see Microsoft Knowledge Base article Q

To modify the network request buffer size, make the following changes to the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: SizReqBuf (REG_DWORD): Range: 512 bytes to bytes

Refused Connections

The server can refuse connections due to self-imposed limits specified by the MaxMpxCt and MaxWorkItems registry values. If this happens, users see the following errors:

System could not log you on because domain <domainname> is not available.
You do not have access to logon to this session.

Before changing these values, read Microsoft Knowledge Base article Q

When modifying the following registry settings, be sure that the MaxWorkItems value is always four times the MaxMpxCt value. Suggested new values for MaxMpxCt and MaxWorkItems are 1024 and 4096 respectively.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: MaxMpxCt (REG_DWORD): 1024
Value: MaxWorkItems (REG_DWORD): 4096

TCP/IP and ICA KeepAlives

In networks that are subject to periodic intervals of high network latency, ICA Clients may time out when connected to a session. When users attempt to reconnect to a dropped session, they receive a new session instead of being reconnected to their previous session because the server is not aware that the previous session was dropped.

You can remedy this problem by enabling TCPKeepAlives for ICA sessions that are connected through TCP. Modification of the TCPKeepAlive parameter helps the host server become aware sooner of any sessions dropped due to network problems. For more information about TCP parameters, see Microsoft Knowledge Base article Q

Make the following registry changes to the TCP stack to tune the server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: KeepAliveTime (REG_DWORD): 0000ea60
Value: KeepAliveInterval (REG_DWORD): e8

Important: Aggressive parameters may cause TCP/IP-based communications to time out prematurely. Adjust these parameters as necessary to prevent this behavior.

MetaFrame also has an ICAKeepAlive packet which is not protocol-specific. To configure ICAKeepAlives, edit the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix
Value: ICAEnableKeepAlive (REG_DWORD): 1 (0 is default, Off)
Value: KeepAliveInterval (REG_DWORD): <number of seconds> (default is 60 seconds)

Important: Enabling KeepAlives may keep demand-dial links up in a WAN environment.

For more information about Configuring TCP and ICA KeepAlive values, see the Citrix Knowledge base article CTX at
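The network registry values recommended so far in this chapter (TcpMaxDataRetransmissions, KeepAliveTime, the MaxMpxCt/MaxWorkItems pair, and MaxICAPacketLength) can be checked offline against a .reg export of a server. The following Python script is an added example, not Citrix code: the sample export is constructed, and the names norm, parse_reg and audit are hypothetical.

```python
import re

# Keys as written on this page. Paths are compared ignoring case and spaces,
# so "TerminalServer" here also matches "Terminal Server" in an export.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
ICAWD = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\Wds\icawd"

# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpMaxDataRetransmissions"=dword:00000005
"KeepAliveTime"=dword:0000ea60

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"MaxMpxCt"=dword:00000400
"MaxWorkItems"=dword:00000800

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd]
"MaxICAPacketLength"=dword:000007d0
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def norm(text):
    """Lower-case and drop whitespace so key and value names compare loosely."""
    return re.sub(r"\s+", "", text).lower()


def parse_reg(text):
    """Return {(key, value_name): data}; dword data as int, string data as str."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = norm(m.group(1))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # file header, blank line, or a line this audit ignores
        name, data = norm(m.group(1)), m.group(2)
        if data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            values[(key, name)] = data[1:-1]
    return values


def audit(text):
    """Return a list of (setting, message) findings for the exported values."""
    reg = parse_reg(text)

    def get(key, name):
        return reg.get((norm(key), norm(name)))

    findings = []
    retrans = get(TCPIP, "TcpMaxDataRetransmissions")
    if retrans != 10:
        current = "absent (default 5)" if retrans is None else str(retrans)
        findings.append(("TcpMaxDataRetransmissions",
                         f"is {current}; this chapter recommends 10"))

    keepalive = get(TCPIP, "KeepAliveTime")
    if keepalive != 0xEA60:
        current = "absent" if keepalive is None else hex(keepalive)
        findings.append(("KeepAliveTime",
                         f"is {current}; this chapter sets 0000ea60"))

    # The pair is only checked when at least one of the two values is set.
    mpx, work = get(LANMAN, "MaxMpxCt"), get(LANMAN, "MaxWorkItems")
    if (mpx, work) != (None, None):
        if mpx is None or work is None or work != 4 * mpx:
            findings.append(("MaxWorkItems",
                             f"MaxMpxCt={mpx}, MaxWorkItems={work}; "
                             "MaxWorkItems must be four times MaxMpxCt"))

    # 0 or anything above 1460 is ignored; 1460 itself is the normal maximum.
    pkt = get(ICAWD, "MaxICAPacketLength")
    if pkt is not None:
        if pkt == 0 or pkt > 1460:
            findings.append(("MaxICAPacketLength",
                             f"{pkt} has no effect (zero or greater than 1460)"))
        elif pkt < 1460:
            findings.append(("MaxICAPacketLength",
                             f"{pkt} lowers the maximum packet size for all "
                             "clients; keep it only for special networks"))
    return findings


if __name__ == "__main__":
    for setting, message in audit(SAMPLE_EXPORT):
        print(f"{setting}: {message}")
```

A Version 5.00 export is stored as UTF-16 on disk, so read the file with encoding="utf-16" before passing its text to audit.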

Server Optimizations

This section describes ways in which correctly configuring Windows services and applications for use in a multiuser environment improves performance and prevents system problems.

Application Performance

In some instances, modifying the Windows application performance setting can provide an additional performance boost. Disabling the default preference given to applications running locally can provide other users with improved performance.

Note: Information about Windows NT, Terminal Services Edition is provided throughout this section for backward compatibility with MetaFrame XP, Feature Release

To change the application performance setting on TSE

1. From Control Panel, double-click System.
2. Click the Performance tab.
3. Move the Application Performance slider to None and click OK to save the new setting.

To change the application performance setting on Windows

1. From Control Panel, double-click System.
2. Click the Advanced tab.
3. Click Performance Options.
4. Click Background Services and click OK to save the new setting. You must restart the computer to apply the setting.

177 Chapter 12 Optimizing the Performance of MetaFrame XP 177 Auto-End Tasks If an application does not properly exit, either when closed or upon server shutdown, the operating system can terminate the application using Auto-End Tasks. Auto-End Tasks terminates any task that does not respond to a shutdown notice within the default time-out period. Enabling Auto-End Tasks affects all applications on the server and can cause issues with some applications that require a shutdown time period that is longer than the default time-out period. Therefore, the default time-out period must be greater than the time required for the longest successful shutdown for any server application. To enable Auto-End Tasks and set the default time-out period, modify the following registry settings: HKEY_USERS\.DEFAULT\Control Panel\Desktop Value: AutoEndTasks (REG_SZ): 1 Value: WaitToKillAppTimeout (REG_SZ): x where x is the interval in milliseconds (default is 20000) For more information, see Microsoft Knowledge Base articles Q and Q System Hard Error Messages Messages generated by system hard errors appear on the server console. If left unanswered on an unattended console, messages can cause ICA sessions to hang. You can configure system hard errors to create an entry in the System log instead of displaying a message on the console. Disabling the display of messages to the console decreases the likelihood of hung ICA sessions, but increases the need to monitor the event log for these types of errors. For more information, see Microsoft Knowledge Base articles Q and Q The following registry change disables system hard error messages on the console: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Windows Value: ErrorMode (REG_DWORD): Dr. Watson If you are using Dr. Watson, run the Dr. Watson Application Compatibility script to prevent stability problems. Citrix recommends that you disable the Visual Notification option available on the main screen of Drwtsn32.exe.

178

You can disable Dr. Watson completely by clearing the following registry key value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
    Value: Debugger REG_SZ: (blank)

You can restore Dr. Watson as the default debugger by executing drwtsn32.exe -i.

Configuring the Event Log

Change the default event log configuration to prevent log files from running out of space, which generates errors.

To change event log settings on TSE

1. Launch Event Viewer.
2. Choose Log > Log Settings.
3. Choose System in the Change settings for box.
4. Set the Maximum Log Size to at least 1024KB.
5. Choose Overwrite events as needed.
6. Choose Application in the Change setting for box and repeat Steps 4 and 5.
7. Click OK to save the settings.

To change event log settings on Windows 2000 Server

1. Launch Event Viewer.
2. Right-click System Log and choose Properties.
3. Set the Maximum Log Size to at least 1024KB.
4. Choose Overwrite events as needed.
5. Click OK to save the settings.
6. Repeat Steps 3-5 for the Application Log.

179

Configuring Print Job Logging

By default, each print job logs two informational messages to the System log. On MetaFrame servers with many users, this feature generates numerous events and fills up the log faster. If you do not require these messages, you can disable them by changing the following registry setting:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers
    Value: EventLog (REG_DWORD): 0

Removing the EventLog value from the registry and restarting the server re-enables the logging of all print events.

Remote Procedure Call (RPC) Services

When opening RPC-aware applications such as Windows Explorer and Control Panel, delays of several minutes can result from incorrect service startup settings. Verify that the RPC service Startup type is set to Automatic and the RPC Locator service Startup type is set to Manual.

Server Service

Configure the Server service to represent the server role more appropriately. The performance boost realized from this server optimization setting depends on the function of the server. For example, if the server has available RAM, select the Maximize Throughput for Network Applications. Otherwise, select Minimize Memory Used.

To configure the Server service on TSE servers

1. From Control Panel, double-click Network.
2. Click the Services tab.
3. Click the Server service.
4. Click Properties.

To configure the Server service on Windows 2000 servers

1. From Control Panel, double-click Network and Dial-up Connections.
2. Right-click Local Area Connection and choose Properties from the Context menu.
3. Choose File and Printer Sharing for Microsoft Networks.
4. Click Properties.

180

For more information, see Microsoft Knowledge Base article Q

User Settings Optimizations

This section describes how correctly setting up users can provide additional performance gains. Where possible, modify the Default User profile to include the recommendations listed below.

Tip: When making changes to the Default User profile, restarting the server might be necessary before the changes take effect because the Ntuser.dat file is in use and unavailable to new users.

Windows NT Policies

Use system and group policies where possible, especially in an Active Directory environment. For more information about configuring policies, see Microsoft Knowledge Base articles Q and Q

Profiles

Users require an initial setup when logging on for the first time. This setup time is minimized by the use of roaming profiles. For more information about configuring roaming profiles, see Microsoft Knowledge Base articles Q and Q

When you set up roaming profiles:

Configure a dedicated server to host the profiles. If it is not possible to place the profiles on a dedicated server, place them on an isolated disk or partition.

When using a server or drive dedicated to profiles and temp files, change the users' profile and temp directories to point to the dedicated location.

Cached Profiles

You can disable locally cached profiles by changing the access of the following registry key and all subkeys to Read access only for everyone except SYSTEM (which should have Full Control):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

181

Menu Refresh

You can change the menu refresh rate to expedite menu response time by modifying the following registry key:

    HKEY_USERS\.DEFAULT\Control Panel\Desktop
    Value: MenuShowDelay (REG_SZ): 10

Removing Unnecessary Features

To conserve ICA bandwidth, remove any unnecessary drive mappings, printers, or ports. Unless any of the following features are needed for specific applications, disable them:

Disable Active Desktop on Windows 2000 through Terminal Services Configuration
Desktop Wallpaper (In addition, remove any .bmp files found in the %SystemRoot% directory to prevent users from selecting them.)
Screen savers
Microsoft Office FindFast
Microsoft Office Assistants

Smooth Scrolling

Many applications have smooth scrolling or other features that increase the frequency of updates sent to the client workstation. If applications exhibit poor performance, disable these features to improve performance. Two common settings are in Microsoft Excel and Microsoft Internet Explorer:

Microsoft Excel 97/

1. Choose Tools > Options.
2. Click the Edit tab.
3. Clear the Provide feedback with Animation check box.

Microsoft Internet Explorer 5

1. Choose Tools > Internet Options.
2. Click the Advanced tab.
3. Clear the Use Smooth Scrolling check box in the Browsing section.

182

Tip: While the server is in install mode (change user /install), changing application settings applies the changes to all future users. When finished, place the server back into execute mode (change user /execute).

Microsoft Internet Explorer Wizard

On the first launch of Microsoft Internet Explorer, the Internet Connection wizard requests the connection type. If you are using a LAN connection, you can bypass this dialog box by editing the default user's registry settings as follows:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard
    Value: Completed (REG_DWORD): 0x1

Explorer Tips

You can disable the tips that are displayed at server startup by modifying the following registry settings:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Tips
    Value: DisplayInitialTipWindow (REG_DWORD): 0x0
    Value: Next (REG_DWORD): 0x100
    Value: ShowIE4 (REG_DWORD): 0x0
    Value: Show (REG_DWORD): 0x0
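The registry values given in this chapter can be checked against a server's exported registry to see which ones are actually applied. The following Python sketch is an added example, not part of the Citrix documentation: the sample export is constructed, the function names are assumptions of this example, and only values whose data is stated in full in this chapter are checked.

```python
import re

DESKTOP = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"

# (key, value name) -> data given in this chapter. str = REG_SZ, int = REG_DWORD.
EXPECTED = {
    (DESKTOP, "AutoEndTasks"): "1",
    (DESKTOP, "MenuShowDelay"): "10",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers",
     "EventLog"): 0,
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard",
     "Completed"): 1,
}

# Constructed sample of a registry export in .reg text form (not taken from
# a real server). Decode the file to text before passing it in.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"AutoEndTasks"="0"
"MenuShowDelay"="400"
"WaitToKillAppTimeout"="20000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]
"EventLog"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]
"Completed"=dword:00000001
'''

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {(key, value name): data}, both names lower-cased.

    Registry names are case-insensitive. REG_SZ data becomes str,
    REG_DWORD becomes int, any other type is stored as None.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        match = VALUE_RE.match(line)
        if key is None or match is None:
            continue  # file header, blank line or hex continuation line
        data = match.group("data")
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
        else:
            value = None
        values[(key, match.group("name").lower())] = value
    return values


def audit(text, longest_shutdown_ms):
    """Return (value name, expected, actual) for each setting not applied.

    longest_shutdown_ms is the longest successful application shutdown
    measured on the server; WaitToKillAppTimeout must be greater than it.
    """
    actual = parse_reg(text)
    findings = []
    for (key, name), want in EXPECTED.items():
        got = actual.get((key.lower(), name.lower()))
        if got != want:  # also catches a value stored with the wrong type
            findings.append((name, want, got))
    timeout = actual.get((DESKTOP.lower(), "waittokillapptimeout"))
    if not (isinstance(timeout, str) and timeout.isdigit()):
        findings.append(("WaitToKillAppTimeout", "milliseconds as REG_SZ", timeout))
    elif int(timeout) <= longest_shutdown_ms:
        findings.append(("WaitToKillAppTimeout", f"> {longest_shutdown_ms}", timeout))
    return findings


if __name__ == "__main__":
    for name, want, got in audit(SAMPLE_EXPORT, longest_shutdown_ms=30000):
        print(f"{name}: expected {want!r}, found {got!r}")
```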

183

CHAPTER 13

Utilities

This chapter describes the Citrix utilities included with MetaFrame XP that you can use for configuration, management, and troubleshooting. Use command-line utilities at the command prompt, in a batch file on the MetaFrame XP server, or in an ICA session.

This chapter explains how to use the following utilities:

DRIVEREMAP
DSVIEW
IMAPORT
MSGHOOK
QPRINTER
QUERYDC
QUERYDS
QUERYHR
SCCONFIG

184

DRIVEREMAP

Use the driveremap utility to change the MetaFrame XP server's drive letters. Previous releases of MetaFrame XP prompted you to change the server's drive letters during MetaFrame installation. With the release of MetaFrame XP with Feature Release 2, however, you can run the driveremap utility as a separate executable. In previous releases of MetaFrame, the utility was named drvremap.exe.

After you run MetaFrame XP Setup, the driveremap utility is in c:\program Files\Citrix\System32. If you upgrade to Feature Release 2 from MetaFrame XP or MetaFrame XP with Feature Release 1, the utility is placed in the %systemroot%\system32 directory.

Important: If you are installing MetaFrame XP with Feature Release 2 on a server that is not running a previous version of MetaFrame, run the driveremap utility before you install MetaFrame XP with Feature Release 2. Citrix recommends that you do not change server drive letters after you install MetaFrame XP and any applications you want to publish for users to access.

Syntax

    driveremap /?
    driveremap /drive:M
    driveremap /u
    driveremap /noreboot
    driveremap /IME

Options

The following parameters can be used with Driveremap.exe at a command line.

/?
    Displays a dialog box with the available command line options. The same dialog is displayed if there is incorrect usage of any of these parameters.

/drive:M
    Specifies the drive letter to use for the first remapped drive. The drive letter must be in upper case when using the version of this utility that ships with Feature Release 2.

185

/u
    Allows for an unattended or silent install where no dialog boxes are displayed and no user input is required. This option must be used in conjunction with the /drive: option.

/noreboot
    Suppresses the Restart Computer dialog box and does not restart the system. Citrix strongly recommends that you restart the system after running this utility.

/ime[filename]
    Changes the drive letter specified in Software\Microsoft\Windows\CurrentVersion\Ime\Japan\IMEJP\Dictionaries for all of the loaded hives under HKEY_USERS.

Remarks

With Feature Release 2, the driveremap utility has a user interface that allows you to select the drive letters you want to map. The user interface is available from the Autorun screen and when you run Driveremap.exe with no command line parameters. The Driveremap.exe interface is displayed below.

Examples

The following command remaps the server's drive letters. The first available drive is changed to M. The command uses the noreboot option, which suppresses the appearance of any dialog boxes.

    driveremap /u /drive:M /noreboot

186

The following command changes the server's drive letters back to the drive letters that start at C:, and then prompts you to restart the server.

    driveremap /u /drive:M /drive:C

Known Issues

The following items are known issues you may encounter when running the driveremap utility.

The drive letters must be in uppercase when using the version of this utility included on the MetaFrame XP CD in the Feature Release 2 media pack. A newer version of the driveremap utility that is not case-sensitive is available from Citrix Technical Support.

If the server is a member of an Active Directory domain, running Driveremap.exe causes the server to hang if you use the version of this utility on the MetaFrame XP CD in the Feature Release 2 media pack. To work around this issue, you can move the server into a workgroup, remap the drives, and then rejoin the server to the Active Directory domain. A newer version of the driveremap utility that does not require the workaround is available from Citrix Technical Support.

When running Driveremap.exe with no parameters, the drive letter choices in the drop-down list may be greyed out. This can occur if the server has noncontiguous drive letters, for example, C, D, X. The mapped drive letters are spread over the interval [a..z] and no reasonable interval shifting can be performed. Network drives are also taken into account. To work around this issue, change the drive letters to C:, D:, E: and then run the driveremap utility.

At the command prompt, if you silently remap to a letter that is in use, nothing happens and you are returned to the prompt. Locate the server's drive letters in Windows Explorer to verify that the drive letters are changed.

MetaFrame XP server drive remapping is not supported on Windows 2000 Dynamic Disks.

Installation of turnkey NFuse Classic may fail if upgrading a server with remapped drives. If you are upgrading to MetaFrame XP, Feature Release 2 from MetaFrame 1.8 for Windows 2000 and the server has remapped drives, the installation of NFuse Classic may fail. To fix the problem, you must update the server's COM+ catalog. See article CTX in the online Citrix Knowledge Base at for more information.

187

If you upgrade from MetaFrame 1.8 to MetaFrame XP on a server with changed server drive letters, the ICA Win32 Pass-Through Client is not updated. To avoid this issue, be sure the server is operating in install mode before running Setup. To update the Pass-Through Client, install the standalone version of the client, available from the MetaFrame XP Components CD. The Components CD is included in the Feature Release 2 media pack.

Security Restrictions

Only Citrix administrators can execute this command.

188

DSVIEW

Use this utility to view the contents of the data store, local host cache, and to look up ContextIds and UIDs. This utility includes a user interface, shown below.

Remarks

Dsview replaces IMATester, a utility documented in earlier editions of MetaFrame XP Advanced Concepts. It is located in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only local administrators can use dsview to view data.

189

IMAPORT

Use this utility to modify the TCP ports utilized by the Independent Management Architecture (IMA) service; for example, to use the TCP ports for communication within a farm whose servers are separated by firewalls. With imaport, you can change the TCP ports used by the IMA service to listen for incoming and outgoing data, using up to three different TCP ports.

The following table shows the default TCP port values for each IMA function:

    TCP Port   Function                                                             Direction
    2512       Server-to-server farm communication.                                 Inbound
    2513       Citrix Management Console to host server communication.              Inbound
    2512       Indirect server to data store server (used only in indirect mode).   Outbound

The IMA service uses ports 2512 and 2513 to listen for incoming IMA communication. Port 2512 is also used for outgoing IMA data by an indirect server to communicate with its direct server.

Important: You must restart the IMA service after modifying TCP/IP ports with the imaport command.

Syntax

    imaport /query
    imaport /set [ ima:num ds:num cmc:num ]
    imaport /reset [ ima ds cmc all ]

Parameters

num
    The port number to which to set the communications port.

Options

/query
    Query current settings for IMA communication.

190

/set
    Set the specified TCP/IP port(s) to the specified port number.

    ima:num
        Set the IMA communication port to the specified port number.
    cmc:num
        Set the Citrix Management Console connection port to the specified port number.
    ds:num
        Set the data store server port to the specified number (indirect servers only).

/reset
    Reset the specified TCP/IP port to its default port number.

    ima
        Reset the IMA communication port to
    cmc
        Reset the Citrix Management Console connection port to
    ds
        Reset the data store server port to 2512 (indirect servers only).
    all
        Reset all ports to their defaults.

Remarks

Imaport modifies the TCP ports for the local server only. Every server can have IMA ports assigned to different TCP ports. Citrix recommends, though it is not necessary, that you assign the same TCP ports to every server.

For server-to-server communication, each server finds every other server's IMA TCP port by reading this information from the farm's data store.

In the case of a farm with indirect communication, all indirect servers must have their IMA communication ports and DS communication ports set to the same port numbers as the server that hosts the data store for the farm.

Before reassigning ports for IMA service, use the netstat -a command to list TCP and UDP ports currently in use. Citrix recommends that you do not use ports that are in use by other applications or services. Imaport cannot detect if a port is in use by another application or service.

After changing the port number used for Citrix Management Console communication, you must change to the same port number the TCP port used by the Citrix Management Console for outbound communication. To do this, run the following at a command prompt:

    ctxload -port:num
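Because imaport cannot detect a port that is already in use, the netstat check described in the Remarks can be scripted before the ports are changed. The following Python sketch is an added example, not part of the Citrix documentation: the netstat output is a constructed sample, and the function names are assumptions of this example.

```python
# Constructed sample of `netstat -a` output (not captured from a real server).
# With -a alone, well-known ports are printed as service names (epmap here),
# so a numeric comparison cannot see them.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xpserver1:epmap        xpserver1:0            LISTENING
  TCP    xpserver1:1494         xpserver1:0            LISTENING
  TCP    xpserver1:2512         xpserver1:0            LISTENING
  TCP    xpserver1:2513         xpserver1:0            LISTENING
  TCP    xpserver1:3001         dbserver:1433          ESTABLISHED
  UDP    xpserver1:1604         *:*
"""


def parse_netstat(text):
    """Yield (protocol, local port token, state) for each TCP or UDP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        port_token = fields[1].rsplit(":", 1)[-1]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        yield fields[0], port_token, state


def tcp_ports_in_use(text):
    """Return (numeric TCP ports, service names netstat did not print as numbers)."""
    numeric, named = set(), set()
    for proto, token, _state in parse_netstat(text):
        if proto != "TCP":
            continue  # the IMA ports are TCP; a UDP port with the same number is no conflict
        if token.isdigit():
            numeric.add(int(token))
        else:
            named.add(token)
    return numeric, named


def check_candidates(text, candidates):
    """Map each imaport role (ima, cmc, ds) to 'free', 'in use' or 'invalid'."""
    numeric, _named = tcp_ports_in_use(text)
    result = {}
    for role, port in candidates.items():
        if not 1 <= port <= 65535:
            result[role] = "invalid"
        elif port in numeric:
            result[role] = "in use"
        else:
            result[role] = "free"
    return result


if __name__ == "__main__":
    wanted = {"ima": 1494, "cmc": 2600, "ds": 70000}
    for role, status in check_candidates(SAMPLE_NETSTAT, wanted).items():
        print(f"{role}:{wanted[role]} is {status}")
    _numeric, named = tcp_ports_in_use(SAMPLE_NETSTAT)
    if named:
        print("resolve these service names to port numbers before trusting 'free':",
              ", ".join(sorted(named)))
```

Running netstat -an instead prints every port as a number, which leaves no service names to resolve by hand.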

191

MSGHOOK

Use this utility to display all IMA traffic on a member server.

Syntax

    msghook

Remarks

Execute msghook only if information is requested by a Citrix Technical Support representative or a Citrix engineer. When invoked, this command significantly reduces MetaFrame XP performance.

Msghook is not installed by default. The executable is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only Citrix administrators can execute this command.

192

QPRINTER

Use this utility to monitor the progress of the printer driver replication queue and to import printer name mapping parameters into the data store.

Syntax

    qprinter [/replica]
    qprinter [/imprmapping mappingfilename]

Parameters

mappingfilename
    Specifies the full path to the text file containing the printer mapping parameters to import. The filename cannot have more than 256 characters and cannot contain quotation marks.

Options

/replica
    Displays all the replication entries queued for distribution but not yet completed.

/imprmapping mappingfilename
    Imports printer mappings from the file specified by mappingfilename into the data store. The file format can be in either the Wtsprnt.inf format or the Wtsuprn.txt format.

Remarks

The /replica switch displays all events in the queue, including broken or failed events.

The /imprmapping switch allows central administration of all printer name mappings. The file can be imported once from any server in the farm and is available for all servers in the farm.

The /imprmapping switch does not process an improperly formatted file and does not return an error when provided with an invalid file format. To verify the information is correctly imported into the data store, use the Citrix Management Console.

The MetaFrame XP installation first attempts to import the Wtsuprn.txt file, followed by the Wtsprnt.inf file. If the two files fail to import, no error is returned. Use the /imprmapping switch to manually import either file.

193

Qprinter is not installed by default. It is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only Citrix administrators can execute this command.

194

QUERYDC

Use this utility to determine the data collector for a given zone. Without any parameters, querydc defaults to the host server's zone and returns the zone name and name of the current zone data collector.

Syntax

    querydc [-a]
    querydc [-e]
    querydc [-z zonename]
    querydc [-?]

Parameters

zonename
    The name of the zone to be queried. Enclose multi-word zone names within quotation marks.

Options

-a
    Displays all zones in the farm with the current zone data collector for each.

-e
    Forces a new zone data collector election in the current zone.

-z zonename
    Displays the current zone data collector for the zone specified by zonename.

-?
    Displays the syntax for the utility and information about the utility's options.

Remarks

Querydc uses the IMA service to contact the local zone data collector for the requested information. Therefore, the IMA service must be running for querydc to be successful.

Querydc is not installed by default. The executable is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only Citrix administrators can execute this command.

195

QUERYDS

Because all dynamic information is stored in tables in the data collector's physical RAM, this command-line utility is provided to query the current information on the local zone data collector.

Syntax

    queryds tables
    queryds /table:tablename
    queryds /query:querystring

(Query String is optional, but you must specify a tablename.)

Parameters

tablename
    The name of the data collector table to query. Table names are case-sensitive.

Options

tables
    Returns a complete list of all tables available to query.

/table:tablename
    Outputs to the screen the entire contents of the table specified by tablename.

Remarks

You can use queryds to determine which servers are currently available in a farm. It retrieves all information from the tables stored on the local zone data collector. For example, the PN_Table contains information about all available servers that are accepting Program Neighborhood connections. To view the entire contents of the PN_Table, execute the following command:

    queryds /table:PN_Table

The output when executed on a single-server farm looks similar to the following:

    [PN_Table]: 1 records.
    name:588f
    host:xpserver1
    zone:zone1

196

    Version:1
    Tcp:enabled
    Ipx:enabled
    Netbios:disabled

In a farm with 100 servers, this command outputs 702 lines of data. Use the findstr and sort command-line utilities to filter and sort the output for easier reading.

Tip: The findstr and sort commands are installed by default on both the TSE and Windows 2000 server families. For more information about using the findstr command to filter output, type findstr /? at a command prompt. For more information about the sort command, type sort /? at a command prompt.

The first entry shows the number of records in the PN_Table. This number also corresponds directly to the number of server records in the PN_Table. A server record does not exist in the PN_Table unless the server's IMA service is started and the server is accepting Program Neighborhood connections. Thus, you can use the following command to determine how many servers in the farm are online:

    queryds /table:PN_Table | findstr /r PN_Table

The command shown below filters output using the word host (which prefaces each host name in the table) and displays an alphabetized list of all the servers currently online:

    queryds /table:PN_Table | findstr /r host | sort

Using queryds in this manner provides a fast, customizable method to query any data collector table.

Queryds is not installed by default. It is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

You must be a Citrix administrator to execute this command.
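The findstr filters above count and list online servers; comparing the same output with a list of servers that should be online shows which ones are missing from the PN_Table. The following Python sketch is an added example, not part of the Citrix documentation: the captured output is a constructed sample, the one-field-per-line layout is an assumption based on the output shown above, and the function names and the expected server list are assumptions of this example.

```python
import re

# Constructed sample of `queryds /table:PN_Table` output saved to a file.
# Assumption: one field per line, each record starting with its name field.
SAMPLE_OUTPUT = """\
[PN_Table]: 3 records.

name:588f
host:xpserver1
zone:zone1
Version:1
Tcp:enabled
Ipx:enabled
Netbios:disabled
name:5890
host:xpserver2
zone:zone1
Version:1
Tcp:enabled
Ipx:disabled
Netbios:disabled
name:5891
host:xpserver4
zone:Branch Office
Version:1
Tcp:enabled
Ipx:disabled
Netbios:disabled
"""

HEADER_RE = re.compile(r"\[(?P<table>[^\]]+)\]:\s*(?P<count>\d+)\s+records")


def parse_table(text):
    """Return (table name, declared record count, list of record dicts)."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no '[Table]: N records.' header found")
    records, current = [], None
    for line in text[header.end():].splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or not key:
            continue  # blank line or text that is not a key:value field
        if key == "name":  # a name field opens the next record
            current = {}
            records.append(current)
        if current is not None:
            # Splitting on the first colon only keeps multi-word zone names whole.
            current[key] = value.strip()
    return header.group("table"), int(header.group("count")), records


def capture_complete(declared, records):
    """False when the capture was cut short and records are missing."""
    return declared == len(records)


def online_hosts(records):
    """Alphabetized host names, upper-cased for case-insensitive comparison."""
    return sorted(r["host"].upper() for r in records if "host" in r)


def missing_servers(records, expected):
    """Servers from the expected list that have no record in the table."""
    online = set(online_hosts(records))
    return sorted(h.upper() for h in expected if h.upper() not in online)


if __name__ == "__main__":
    table, declared, records = parse_table(SAMPLE_OUTPUT)
    print(f"{table}: {declared} declared, {len(records)} parsed")
    expected = ["xpserver1", "xpserver2", "xpserver3", "xpserver4"]
    print("not in table:", missing_servers(records, expected))
```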

197

QUERYHR

Use this utility to display information about member servers in the farm. Executing queryhr with no parameters lists all servers in the farm.

Syntax

    queryhr [-z]
    queryhr [-h zonename]
    queryhr [-l]
    queryhr [-n hostname]
    queryhr [-i hostid]
    queryhr [-N]
    queryhr [-d hostid]
    queryhr [-?]

Parameters

zonename
    The name of the zone to be queried. Enclose multi-word zone names within quotation marks.

hostname
    The name of the member server.

hostid
    The host ID of the member server.

Options

-z
    Displays all available zones in the farm.

-h zonename
    Displays all member servers in the zone specified by zonename.

-l
    Displays the host record of the local host server.

-n hostname
    Displays the host record for the member server specified by hostname, which is not case-sensitive.

198

-i hostid
    Displays the record for the member server specified by hostid.

-N
    Displays the farm name.

-d hostid
    Deletes the IMA Host Entry identified by hostid from the data collector, data store, and local host cache. For further information, see the Remarks section below.

-?
    Displays the syntax for the utility and information about the utility's options.

Remarks

Queryhr obtains information from the local host cache. Queryhr is best used to display information about servers in the farm, such as data collector ranking, host ID, zone names, and host names.

CAUTION: Do not use the -d switch on farm servers that are working properly. After this switch is executed on a server, the server is no longer a member of the farm and the IMA service will no longer start. The server must be reinstalled into the farm to restore functionality.

The -d switch has a special use. See "Recovering from a Failed Installation" on page 204.

Queryhr is not installed by default. The executable is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

You must be a Citrix administrator to execute this command.

199

SCCONFIG

By default, only processes required for smart card logon functionality (that is, Winlogon.exe and Lsass.exe) are turned on in MetaFrame XP, Feature Release 2. The smart card utility (Scconfig.exe) is installed when you install Feature Release 2 and can be used to enable or disable smart card functionality for specific processes.

Syntax

    scconfig [/?]
    scconfig [/server:sss] [/q]
    scconfig [/farm] [/q]
    scconfig [/server:sss] [/query]
    scconfig [/farm] [/query]
    scconfig [/server:sss] [/logon:on|off]
    scconfig [/farm] [/logon:on|off]
    scconfig [/server:sss] [/enable_process:ppp]
    scconfig [/farm] [/enable_process:ppp]
    scconfig [/server:sss] [/disable_process:ppp]
    scconfig [/farm] [/disable_process:ppp]
    scconfig [/server:sss] [/inherit:on|off]

Parameters

sss
    Name of server.

ppp
    Name of process (for example, Outlook.exe).

Options

/farm
    View or modify farm-wide settings.

/q, /query
    Query current settings.

/logon:on|off
    Enable/disable smart card logon on the server or farm.

200

/enable_process:ppp
    Enable smart card support for the process specified.

/disable_process:ppp
    Disable smart card support for the process specified.

/inherit:on|off
    Inherit server settings from the farm.

/server:sss
    Server to view or modify. This defaults to the local server.

Example: To use Microsoft Outlook digital signatures and encryption with a smart card, you must enable the process Outlook.exe.

On the remote server, the MetaFrame server subsystem handles the data store change event and makes the registry changes to enable or disable the feature.

Use the /farm option to query or set a farm-wide default. Use the /inherit option to determine whether a server inherits a farm-wide default. This functionality mimics that of twconfig and acrcfg.

201

CHAPTER 14

Troubleshooting

This chapter includes information that can help you troubleshoot problems you may encounter with MetaFrame XP.

Troubleshooting IMA

The Citrix IMA Service is the core of MetaFrame XP and runs on all servers. The solutions presented in this section can help resolve most production IMA issues.

IMA Service Fails to Start

The following guidelines and hints can be useful when the Citrix IMA Service fails to start:

If the Service Control Manager reports that the IMA Service could not be started, but the service eventually starts, ignore this message. The Service Control Manager has a time-out of six minutes. The IMA Service can take longer than six minutes to start either because the load on the database exceeds the capabilities of the database hardware or because the network has high latency.

Examine the following registry setting:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\CurrentlyLoadingPlugin

If the value is blank, the IMA Service could not connect to the data store or the local host cache is missing or corrupt.

If a value exists, the IMA Service made a connection to the data store. The value displayed is the name of the subsystem that failed to load. For additional information about subsystem troubleshooting, see "IMA Service Logging" on page 203.

202

If you are using a direct connection to the data store, verify that ODBC connectivity exists. For more information, see "ODBC Connection Fails" on page 202.

If you are using an indirect connection to the data store, verify that the IMA Service is running on the direct server.

Review the entries in the event log for the IMA Service error code that is returned. For more information about why the IMA Service fails to start, see Appendix I, "Feature Release 2 IMA Error Codes."

Verify that the Spooler service is started in the context of System rather than a user.

If you see an IMA Service Failed message (with error code ) when restarting a server, the local system account may be missing a temp directory. Change the IMA Service startup account to the local administrator. If the IMA Service starts under the local administrator's account, check for a missing temp directory. Switch the service back to the local system account and try manually creating the temp directory %systemroot%\temp. Verify that both the TMP and TEMP environment variables point to this directory. For more information, see Microsoft article Q at

IMA Service Fails to Stop

The SMS Netmon2 client utility is not supported on MetaFrame servers. The IMA Service fails to stop when running on a server with this utility installed. Uninstall the Netmon2 client when installing MetaFrame on servers that have this utility already installed.

ODBC Connection Fails

If you are using direct mode connections to the data store, ODBC connectivity is required for proper operation of the IMA Service. If you suspect ODBC issues, try the following steps:

Verify that the Microsoft SQL Server or Oracle server is online.

Verify the name of the DSN file that the IMA Service is using by looking in the registry at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName

Attempt to connect to the database using the DSN file with an ODBC Test Utility (such as Oracle ODBC Test, DB2 Client Configuration Assistant test, or SQL Server ODBC Test).

203

Verify that the correct user name and password are being used for database connectivity. You can change the user name and password using the dsmaint config command. For more information, see the MetaFrame XP Administrator's Guide.

Reinstall MDAC 2.6 SP1 or later to verify that the correct ODBC files are installed.

Enable ODBC Tracing for further troubleshooting. For more information, see "ODBC Tracing" on page 210.

Citrix MetaFrame Server Failed to Connect to Data Store

This error can indicate a corrupt local host cache. Before attempting the following steps, verify ODBC connectivity to the database. For more information, see "ODBC Connection Fails" on page 202.

Copy Imalhc.mdb to another directory for backup purposes.

From a command prompt, recreate the local host cache using the dsmaint recreatelhc command.

Restart the server.

Failed to Initialize Permanent Storage During Installation

This error usually indicates that the IMA Service is unable to create objects in the data store. Before attempting the following steps, verify ODBC connectivity to the database; see "ODBC Connection Fails" on page 202.

Verify that the user account for the database has permissions to create tables, stored procedures, and index objects. For Microsoft SQL Server, the permission is db_owner. For Oracle, the permission is resource. For IBM DB2, the permission is database administrator authority or the list of permissions set out in the MetaFrame XP Administrator's Guide.

Verify that the system tablespace is not full on the Oracle server.

IMA Service Logging

For advanced troubleshooting of the IMA Service, you can enable logging at the server level. Use the following procedure to enable logging for either debug output (viewed using a debug hook utility like DBGVIEW from SysInternals) or a text file.

204

To enable server logging of IMA events

1. Modify the following registry values as desired:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer
    Value: Log to Debugger (REG_DWORD): 0x0 (disables debug output) or 0x1 (enables debug output)
    Value: Log to File (REG_DWORD): 0x0 (disables file output) or 0x1 (enables file output)
    Value: Log File Name (REG_SZ): full path and file name of the output file

2. The HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer key contains a key for each subsystem about which information can be traced. Tracing for all subsystems is on by default, but the specific types of messages for the subsystems are off. To enable tracing for a subsystem, both the default value (specified as the first value in the key) and the message values must have a value of 1. The default value must be 1 and should never be changed. Other values within each key correspond to types of messages to log and are set to 0 by default. To enable tracing for those items, set their value to 1.

For more information about the keys and subsystems you can trace, see Appendix G, "Feature Release 2 IMA Subsystem Tracing."

Recovering from a Failed Installation

If installation fails, the data collector may continually attempt to contact the server on which you attempted to install MetaFrame. After a failed installation, compare the list of servers in the Citrix Management Console to the list of servers returned by queryhr. Use the command queryhr -d hostid to remove any servers listed in the queryhr results that are not listed in the Citrix Management Console.

CAUTION: Do not use the -d switch on farm servers that are functioning properly. This switch removes the server from the farm and the server must then be reinstalled into the farm to regain functionality.

Recovering an Unresponsive Server

If a member server is no longer responding to IMA requests and the IMA Service cannot be started, the server is considered to be unresponsive.
You cannot use the chfarm command with an unresponsive server because the command requires connectivity to the data store.

CAUTION: The original state of the server cannot be recovered after performing the following procedure. Before using this procedure, first attempt all the other solutions presented in the section "Troubleshooting IMA" on page 201.

To rejoin an unresponsive server to the farm

1. Uninstall MetaFrame XP from the unresponsive server.
2. Remove the unresponsive server from the farm using the Citrix Management Console.
3. Reinstall MetaFrame XP on the unresponsive server and rejoin the farm during installation.

Troubleshooting Novell Directory Services Integration

This section lists troubleshooting tips and known issues that can occur when using MetaFrame XP, Feature Release 2 in an NDS environment.

Troubleshooting Tips

If you cannot log on to or assign rights to published applications using NDS credentials, try the following troubleshooting tips to correct the problem:

- Verify that NDS is enabled for the farm. To do this, right-click the farm name in the Citrix Management Console and choose Properties. Click the MetaFrame Settings tab and verify that the Novell Directory Services Preferred Tree is set correctly.
- Verify that you are using a valid user name, password, context, and tree name during logon by logging on from another computer using the same information.
- Verify that the Novell Client is configured correctly by browsing the tree and logging on from the console of the server.

If the ZENworks Dynamic Local User (DLU) policies are not being applied on some MetaFrame XP servers, check the Novell Workstation Manager component of the Novell Client, as described in the following procedure.

To check the Novell Workstation Manager component in Windows

1. Right-click the My Network Places icon on the server's desktop and choose Properties.
2. In the Network and Dial-up Connections window, right-click Local Area Connection and choose Properties.

3. Choose Novell Workstation Manager from the components list and click Properties.
4. Verify the following settings:
   - Workstation Manager is enabled
   - The tree name is set to the tree that has the Dynamic Local User policies applied
   - All other options have the default settings applied

If you set the Dynamic Local User policy in NDS to delete users after they log off (Volatile User option) and the volatile user accounts are not being deleted, make sure the Enable Volatile User Caching option is disabled.

If you are experiencing autologon problems with or without the ZENworks DLU feature as the Windows authentication method, try the following:

1. Make a desktop connection using an ICA Custom Connection with the Autologon feature enabled.
2. Specify User Credentials:
   - Username: a valid Distinguished Name such as .sampleuser.company
   - Password: a valid password
   - Domain: a domain that contains the NDS tree name

   Important: The "If" statements below are not always true if the custom connection is not created exactly as described above.

3. Launch the connection and, based on the result, troubleshoot using the guidelines below:

   - The Novell Client displays an error message about an invalid username, server, or tree.
     Action: Log on to the Citrix Management Console as the same user. If you do not log on successfully, the Novell Client is not configured properly.
   - The Microsoft Client prompts you to re-enter your credentials or displays an error message.
     Action: Click Cancel to return to the Novell logon dialog box. On the NT/2000 tab, view the user information:
     - If the Username field in the NT/2000 field contains a Distinguished Name (.username.context.)
       Action: Upgrade to Novell Client 4.81 or later. (Older Novell Clients do not parse the username from the Distinguished Name.)

     - If the Domain name field is blank or set to the local machine name and ZENworks DLU feature is being used
       Action: Troubleshoot Dynamic Local User policies (DLU is not functioning properly).
     - If the Domain name field is blank or is set to the local machine name and ZENworks DLU feature is not being used
       Action: Locate or create the registry key HKEY_LOCAL_MACHINE\Software\Citrix\NDS\SyncedDomainName and set the registry key value to the name of the NT domain that is synchronized with the NDS tree.
     - If the Domain name field contains the name of the NDS tree
       Action: Enable NDS integration.
     - If the Domain name field contains the name of a Windows NT domain and you are not using ZENworks DLU functionality for Windows authentication
       Action: Verify that the server has a valid trust relationship between the server's domain and the user's domain.

Known Issues and Workarounds

ZENworks for Desktops 3 does not distinguish between users with the same user name, even if they are in different contexts. If the first user is still logged on when the second user logs on, the profile of the first user is utilized by the second user.

Workaround: Be sure to use unique names in the tree. If your tree already includes users with the same user name, you can work around this by creating aliases. See "Creating Aliases" on page 123.

CAUTION: Logging on to a MetaFrame XP server can fail if you uninstall the Novell Client from the server after MetaFrame XP is installed. If this occurs, do not restart the MetaFrame server until you follow the instructions below.

After uninstalling the Novell Client, you must reapply the proper settings to the registry. The following registry key contains the GINA values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The registry values for the default MetaFrame logon screen (without the Novell Client) are:

- GinaDLL Data: Ctxgina.dll
- CtxGinaDLL Data: Msgina.dll
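An offline check for the two registry settings this chapter has you edit by hand, the IMA Tracer values and the Winlogon GINA values, run against a regedit export of the server. This is an added example, not part of the Citrix guide; the export text, the third-party DLL name, and the SampleSubsystem key with its value names are constructed for illustration (the real subsystem names are in Appendix G).

```python
"""Audit a regedit export for the IMA Tracer and Winlogon GINA settings."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
TRACER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer"
# Values the guide lists for the default MetaFrame logon screen (no Novell Client).
EXPECTED_GINA = {"GinaDLL": "Ctxgina.dll", "CtxGinaDLL": "Msgina.dll"}

# A value line is @=data or "name"=data; the name may contain escaped characters.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export: a leftover third-party GINA and file tracing left on.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="thirdparty-gina.dll"
"CtxGinaDLL"="Msgina.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer]
"Log to Debugger"=dword:00000000
"Log to File"=dword:00000001
"Log File Name"="C:\\Temp\\ima-trace.log"

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer\SampleSubsystem]
"SampleDefault"=dword:00000001
"SampleMessageType"=dword:00000001
"OtherMessageType"=dword:00000000
"""


def _unescape(text):
    """Undo .reg escaping (\\\\ becomes \\, \\" becomes ")."""
    return re.sub(r"\\(.)", r"\1", text)


def _ci(mapping, wanted):
    """Case-insensitive lookup; registry key and value names ignore case."""
    for name, value in mapping.items():
        if name.lower() == wanted.lower():
            return value
    return None


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            continue  # file header, or a line type this audit does not need
        name = "@" if match.group(1) == "@" else _unescape(match.group(1)[1:-1])
        data = match.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        else:
            current[name] = data  # hex: and other types are kept as raw text
    return keys


def check_gina(keys):
    """Return one finding per GINA value that differs from the guide's defaults."""
    values = _ci(keys, WINLOGON) or {}
    findings = []
    for name, expected in EXPECTED_GINA.items():
        actual = _ci(values, name)
        if actual is None:
            findings.append(f"{name}: missing (expected {expected})")
        elif str(actual).lower() != expected.lower():
            findings.append(f"{name}: {actual} (expected {expected})")
    return findings


def tracing_state(keys):
    """Summarise IMA tracing: output targets and, per subsystem key, values set to 1."""
    top = _ci(keys, TRACER) or {}
    subsystems = {}
    for path, values in keys.items():
        if path.lower().startswith(TRACER.lower() + "\\"):
            subsystems[path[len(TRACER) + 1:]] = sorted(
                name for name, value in values.items() if value == 1)
    return {
        "log_to_debugger": _ci(top, "Log to Debugger") == 1,
        "log_to_file": _ci(top, "Log to File") == 1,
        "log_file": _ci(top, "Log File Name"),
        "subsystem_values_on": subsystems,
    }


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    print(check_gina(parsed) or "GINA values match the MetaFrame defaults")
    print(tracing_state(parsed))
```

An empty list from check_gina means both values match the defaults above; any other entry names the value to correct before the server is restarted.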

If you designate an NDS preferred tree but none of the servers are set to MetaFrame XP Feature Release 1 or later, MetaFrame XP prompts your users for NDS credentials but does not accept them.

Workaround: Set the feature release level to Feature Release 1 or later on at least one server in the farm, remove the NDS tree name in the NDS Preferred Tree field (Farm Properties > MetaFrame Settings), and then reset the Feature Release level to None.

The session sharing feature is not supported for ICA Win32 Client custom ICA connections that are configured for NDS user credentials.

Workaround: To use session sharing for custom ICA connections in Program Neighborhood, do not specify user credentials on the Login Information tab in the Properties dialog box.

If you are connecting by dial-up ICA to a MetaFrame XP, Feature Release 2 server that has the Novell Client installed, the server returns the Microsoft logon dialog box instead of the Novell logon dialog box. This occurs because the Use Default NT Authentication check box is selected by default on Windows 2000 servers.

Workaround: If you want to use Novell authentication on a server under these circumstances, clear the Use Default NT Authentication check box. To do this, from the Start menu choose Programs > Citrix > MetaFrame XP > Citrix Connection Configuration > Advanced Connection Settings.

If a Windows 2000 server without Service Pack 2 is set up to use the default Windows NT authentication and third-party authentication software such as the Novell Client is installed, the third-party logon dialog box appears instead of the default Windows logon dialog box. To resolve this problem, install Service Pack 2 for Windows.

Important: When using the Citrix Management Console to remove a server from a farm that has NDS enabled, connect the Citrix Management Console to a server that has Feature Release 2 installed.

Note: The Novell Client does not set the APPDATA environment variables.

Collecting Citrix Technical Support Information

This section discusses methods for collecting information that Citrix Technical Support can use for debugging purposes. Before contacting Citrix Technical Support, try the solutions detailed in "Troubleshooting IMA" on page 201.

Obtaining Installation/Uninstallation Logs

If your MetaFrame XP, Feature Release 2 installation fails to complete, Citrix Technical Support will require an installation log file to troubleshoot the problem. Because the MetaFrame XP, Feature Release 2 installation is a Windows Installer package (.msi file), the Windows Installer must be invoked with the /l command line option to create an installation log file. Citrix recommends that if your Feature Release 2 installation fails, a second installation be attempted using the following command line to create a log file:

Msiexec /i <CD>\MF\MFXP001.msi /l*v %SystemDrive%\msi.log

Replace <CD> with the CD drive letter (for example, D:) containing the MetaFrame XP, Feature Release 2 installation CD. If the Feature Release 2 CD was copied to a hard drive or network share, you can also replace <CD> with the full path to the Feature Release 2 CD image.

The above command line creates a log file named Msi.log in the root of the system drive. Further information about the Windows Installer is available at the Microsoft Web site at

Capturing Citrix Management Console Debug Output

To capture debug output from the Citrix Management Console, launch the console with the -debugfile command line option. Citrix recommends that you create a shortcut using the following procedure:

1. Right-click on the desktop and choose New > Shortcut from the context menu.
2. The Create shortcut wizard starts. In the "Type the location of the item" field type: %SystemRoot%\system32\java.exe. When prompted to "Type a name for this shortcut:", type a description such as CMC Debugging.
3. Right-click on the new shortcut and choose Properties from the context menu.
4. On the Shortcut tab, type the following text in the Target field (the text must be entered as one line):

   java.exe -Djava.ext.dirs="ext;%ProgramFiles%\JavaSoft\JRE\1.3\lib\ext" -jar Tool.jar -debugfile:output.log

5. Change the Start in field to %ProgramFiles%\Citrix\Administration.
6. Click Change Icon and type: %ProgramFiles%\Citrix\Administration\ctxload.exe
7. On the Layout tab, set the Screen buffer size to 9999 lines.
8. Click OK to save the shortcut.

When the shortcut is launched, two windows are displayed. The first window is a command window containing the debug messages output by Java.exe. The second window is the Citrix Management Console user interface. If the console hangs or otherwise fails, press CTRL + BREAK in the command window to view the stack trace.

Obtaining System Information

When troubleshooting an issue, Citrix Technical Support may also request information about the state of your system. The easiest way to obtain such information is to execute winmsd, which launches the System Information tool on Windows. From the Microsoft Management Console's Action menu, select Save as System Information File. If necessary, you can then send the file to Citrix Technical Support.

ODBC Tracing

Additional ODBC tracing information might be requested by Citrix Technical Support or the database vendor support team. The procedure to enable ODBC tracing depends on the database server software you are using. The alternative procedures are set out below.

To activate Microsoft SQL Server ODBC tracing

1. Launch the ODBC Data Source Administrator.
2. Click the Tracing tab.
3. Type a path for the log file in the Log File Path box.
4. Click Start Tracing Now to begin tracing. Click Stop Tracing Now to end tracing.

To activate Oracle ODBC Tracing

1. Launch the Net8 Assistant.
2. Click Configuration > Local > Profile.
3. Choose General from the drop-down box on the right pane.
4. Use the Tracing and Logging tabs to configure ODBC tracing as needed.

To activate IBM DB2 ODBC Tracing

1. Launch the DB2 Client Configuration Assistant.
2. Click Client Settings > Diagnostics.
3. Set the Diagnostic error capture level to 4 (all errors, warnings, and information messages).

Installation Manager Debug Files

Obtain the relevant Installation Manager files before calling Citrix Technical Support for Installation Manager troubleshooting questions:

- wfs (the package script)
- ael (the recorder log file)
- aep (the packager project file)
- log (the windows installer log file)

Troubleshooting Frequently Encountered Obstacles

Below is a list of frequently encountered obstacles.

Cannot Connect to Application

This error usually occurs when a user who is attempting to connect to a load-managed application is sent to a server that is not currently using a MetaFrame XPa or XPe product license count. For more information, see "Servers Do Not Take Product License Counts" on page 212.

Program Neighborhood Agent Cannot Connect Through Citrix Secure Gateway

If a user receives the message "Cannot connect to the Citrix server: Protocol driver error" when attempting to connect to Citrix Secure Gateway from the Program Neighborhood Agent, the most likely cause is that the client device does not have 128-bit encryption installed.

Cannot Launch Secure NFuse Classic Application Through Internet Explorer

If you have users connecting through a secure NFuse Classic site (HTTPS) and they receive an error message of "ICA file not found", ensure the security settings within Internet Explorer are not set to "Do not save encrypted pages to disk".

To check security settings in Internet Explorer

1. Open Internet Explorer.
2. Click Tools > Internet Options.
3. Click the Advanced tab.
4. Scroll down to Security.

5. Be sure the option "Do not save encrypted pages to disk" is not enabled.
6. Click OK.

Folders Do Not Appear in Program Neighborhood

Folders that you create to organize applications in the Citrix Management Console are not related to application folders that appear in Program Neighborhood. To specify application folders for Program Neighborhood, use the Program Neighborhood Settings tab in the Properties dialog box for the published application.

To set an application's Program Neighborhood folder

1. Right-click the published application in the Citrix Management Console and choose Properties.
2. On the Program Neighborhood Settings tab, type the folder name in the Program Neighborhood Folder box.

Importing Network Printers from Other Domains

Printers cannot be imported from a network print server when:

- The print server resides in a workgroup
- The printer is in a different domain from any servers in the server farm

To enable the printer to be imported

1. Do one of the following:
   - Add the network print server to the same domain as the MetaFrame servers.
   - Add one of the MetaFrame servers to the same domain as the network print server.
2. Assign the printers to the Everyone group instead of to groups or users. Authenticate without credentials to receive the list of printers assigned to everyone.
3. To allow Novell users to access Microsoft print servers, you must enable the Guest account and assign Everyone or Guest access.

Servers Do Not Take Product License Counts

If a MetaFrame XP, Feature Release 2 server is not taking a license count, try the following:

- Using the Citrix Management Console, select the server and choose Actions > Server > Set MetaFrame Product Code. Verify that the correct product code is set for the server.
- Execute clicense refresh from the command prompt of the affected server.
- Stop and restart the IMA Service.

Important: If you do not enter a license serial number during MetaFrame XP installation, you must set the product code on each server using the Citrix Management Console.

USB Redirection Does Not Work

MetaFrame XP, Feature Release 2 on Windows 2000 supports USB printers installed on the server. ICA Win32 Clients support installed USB printers when the client platform is Windows 98, Windows 2000, or Windows Me. Other USB devices, including scanners and cameras, are not currently supported by MetaFrame XP with Feature Release 2.

Content Redirection Options Are Disabled When Publishing an Application

If you install and then publish applications after installing MetaFrame XP, Feature Release 2, you must update the file type associations in each server's registry.

To update file type associations in a server farm

1. Open the Citrix Management Console.
2. Expand the Servers node in the left window pane.
3. Right-click a server and select Update File Types from Registry.
4. After the file type updates are completed, check the properties of the published application. The content redirection options should no longer be disabled.

Unable to Log User Sessions Off

You cannot log users off from the Citrix Web Console if the user name contains an underscore character (for example, "john_smith"). To work around this issue, either use the Citrix Management Console to log users off, or remove the underscore character from the user name.


Appendix A: Configuring Microsoft SQL Server 2000 for Replication

This section describes how to replicate a SQL Server 2000 database. To replicate a SQL Server 2000 database, use SQL Enterprise Manager. Begin by creating a new database on the SQL server that will be used as the source for all replicas you create. Be sure that the account you use to create the database has db_owner permissions and is the same one you use on the replicated database.

Before setting up replication, complete the following tasks:

- Use a clean (not cloned) installation of Windows 2000 Server
- Install SQL Server on the servers designated for the data stores
- Verify that the Microsoft Distributed Transaction Coordinator is installed on the servers designated for the data stores

Setting up the SQL Server Data Store for Distribution

Complete the following tasks on servers running SQL to set up the data store for distribution.

1. From the Start menu, start the Services Manager.
2. From Services Manager, set up the same domain log on account for the following services (the local system account does not work):
   - SQLServerAgent
   - MSSQLServer
   - MSDTC (Distributed Transaction Coordinator on Windows 2000)

The general tasks to successfully replicate a SQL Server database are described below. Each task is explained in more detail in the following sections.

1. Establish the distributor server.
2. Set the distributor properties.
3. Publish the source database.
4. Push the published database out to subscribers.

Step 1 Establish the Distributor Server

Complete the following steps to define the server that will act as the distributor.

1. Microsoft SQL 2000 servers acting as publisher, distributor, and subscriber must be in the same Windows NT or Active Directory domain. Start SQL Services under the same account.
2. Open Enterprise Manager on the server on which the source database is located.
3. Right-click the Replication folder and select Configure Publishing > Subscribers > Distribution Wizard.
4. On the Select Distributor page, select the current server to act as the distributor.
5. Keep the default Snapshot folder.
6. On the Customize the Configuration page, choose the option "No, use the following default settings".
7. Click Finish.

Step 2 Set the Distributor Properties

Complete the following steps to set the distributor properties.

1. Right-click the Replication Monitor folder and choose Distributor Properties.

2. On the Publication Databases tab, check the Trans box next to the database you want to replicate, as shown in the figure below.

Step 3 Publish the Source Database

Complete the following steps to publish the database that you want to replicate.

1. Right-click the database name and go to New > Publication to start the Create Publication wizard.
2. Click "Show advanced options in this wizard" and then click Next.
3. On the Choose Publication Database screen, select the database you want to replicate and then click Next.
4. On the Select Publication Type page, choose Transactional publication.

5. On the Updatable Subscriptions page, select the Immediate updating option, as shown in the figure below.
6. On the Specify Subscriber Types page, select the "Servers running SQL Server 2000" option. Click Next.

7. On the left side of the Specify Articles page, select both Show and Publish for the table's object type. Do not publish stored procedures to the replicated databases.
8. Click Next on the Article Issues page.
9. Name the publication.
10. On the Customize the Properties of the Publication page, choose "No, create the publication as specified".

11. Click Finish to complete the wizard. The publication is displayed in the Publications folder, as shown below.

Step 4 Push the Published Database to Subscribers

Complete the following steps to push the publication to subscribers.

1. Right-click the published database in the Publications folder and choose "Push new subscription" to start the Push Subscription wizard.
2. Click "Show advanced options in this wizard" and then click Next.
3. On the Choose Subscribers page, select the subscribers for the published database.
4. On the next page, choose the destination database to which you want to replicate the source database.
5. On the Set Distribution Agent Location page, choose to run the agent at the distributor.
6. Set the Distribution Agent Schedule to continuously.

7. On the Initialize Subscription page, shown below, choose "Yes, initialize the schema and data", and select the option to Start the Snapshot Agent.
8. On the Updateable Subscriptions page, select the Immediate updating option.
9. On the Start Required Services page, displayed below, the services that must be running are listed. Verify that the applicable required services are running on the distributor server.

10. Click Finish on the next screen to complete the wizard.

Troubleshooting

Make sure that the following seven tables on the replicated database are listed, as displayed in the figure below.

- DATATABLE
- INDEXTABLE
- KEYTABLE
- MSreplication_objects
- MSreplication_subscriptions
- MSsubscription_agents
- MSsubscription_properties

If not all tables are listed, delete the replication setup and begin again. The dtproperties table appears if you used the Database Diagram wizard in Enterprise Manager.

If you are installing MetaFrame XP for the first time, select the server hosting the replicated database when prompted.

If you have a server in the server farm that you want to connect to the new database, create a new DSN file on the MetaFrame XP server and point it to the replicated SQL Server database. You can then use the dsmaint config command to point the Citrix IMA Service to the new database.


Appendix B: Configuring Microsoft SQL Server 7 for Replication

This section describes how to replicate a SQL Server 7 database. Refer to Microsoft's SQL 7 documentation for the latest information about configuring SQL Server 7 for replication.

Introduction

Before beginning the replication process, complete the following tasks:

- Be sure you are using an uncloned installation of Windows NT or Windows 2000 Server
- Install SQL Server 7 on the servers that will host the MetaFrame XP server farm data store
- Create a database on both the source server (the distributor) and the server that will host the replicated database (the subscriber)

  Important: Both new databases must have the same name so that you can replicate the source database to the copy.

- Verify that the Microsoft Distributed Transaction Coordinator is installed on the servers that will host the data store

This chapter discusses an environment with two servers running SQL Server 7, referred to in this chapter as Server A and Server B. In the procedures below, Server A is configured to be the distributor or publisher of the replicated database because it is expected to service the most requests from MetaFrame XP servers. Server B is configured to be the subscriber server.

Replicating a MetaFrame XP Server Farm's Data Store

The basic tasks you need to complete to configure SQL Server 7 software to replicate a database that hosts the MetaFrame XP server farm's data store are listed below. The detailed procedures for each task are laid out in this chapter.

1. Prepare the servers for replication (Server A and Server B).
2. Set up the database distributor (Server A).
3. Enable replication on the distributor (Server A).
4. Enable the data store database for replication (Server A).
5. Publish the source data store database using the dsmaint utility (on a MetaFrame XP server).
6. Distribute the database on Server A to Server B.

Step 1 Prepare the Servers for Replication (Servers A and B)

Complete the following tasks to prepare both Server A and Server B for the replication process.

1. Verify that you created two databases, one on Server A and one on Server B, with the same name. The procedures in this chapter assume that both Server A and Server B are in the same SQL Server Group.
2. From the Start menu, start the Services Manager.
3. In Services Manager, set up the same domain logon account for the following services (the local system account does not work):
   - SQLServerAgent
   - MSSQLServer
   - MSDTC (Distributed Transaction Coordinator on Windows 2000)

Step 2 Set Up the Database Distributor (Server A)

Complete the following tasks to set up Server A as the database distributor.

1. Locate the SQL Server database you created previously. This database will be the server farm's data store and will be the source database to be replicated or published.
2. Install MetaFrame XP and point it to the database you created previously on Server A. The database on Server A is now the server farm's data store.

Step 3 Enable Replication on the Distributor (Server A)

Complete the following steps to enable replication on Server A, which is acting as the database distributor.

1. From the Start menu start the Enterprise Manager.
2. Select Replicate Data in the right pane of Enterprise Manager.
3. Select Configure Replication. This starts the Configure Publishing and Distribution Wizard. Click Next.
4. Select "Yes, use <Server A> as the Distributor/Publisher", where <Server A> is the server you selected to distribute the data store database.
5. Select "No, use the following default settings" as the distribution settings. The default settings designate Server A as the sole distributor.
6. Click Finish. Server A is now set up to replicate the data store.

Step 4 Enable the Data Store Database for Replication (Server A)

Complete the following tasks to enable Server A for replication.

1. Start the Enterprise Manager from the Start menu.
2. Select Replicate Data in the right pane of Enterprise Manager.
3. Select Configure Replication. The Publisher and Distributor Properties wizard appears. Click Next.
4. On the Publication Databases tab, check the Trans box next to the database holding the data store. Click OK. The data store can now be replicated using transactional replication.

Note: The dsmaint utility returns an error if you try to create the publication for the database if the database is not enabled for replication.

Step 5 Publish the Source Data Store Database Using the dsmaint Utility (on a MetaFrame XP server)

Complete the following tasks to publish the source data store.

Important: These tasks are carried out on a MetaFrame XP server.

1. From a command prompt, enter the command dsmaint publishsqlds /user:<username> /pwd:<password>, where <username> and <password> are the credentials of the account used by MetaFrame to access the database. This account needs db_owner rights to configure the publication.
2. Confirm that the publication was successfully created. The publication is named mfxpds when you run the command in Step 1.

Step 6 Distribute the Database on Server A to Server B

Complete the following tasks to distribute the data store on Server A using the Push Subscription wizard.

1. Verify that the SQL server set up as the subscriber (Server B) is registered in the SQL Server Group.
2. Start Enterprise Manager on the SQL server set up as the distributor (Server A).
3. In the left pane of Enterprise Manager, expand the folders under the Database folder until you see MFXPDS, the publication you created with the dsmaint command.
4. Right-click MFXPDS and choose Push New Subscription from the shortcut menu that appears. Click Next.
5. The Choose Subscribers dialog box appears. Select the subscriber (Server B) from the SQL Server Group tree. Server B is the destination to host the copy of the data store pushed from the distributor. Click Next.
6. The Specify Immediate-Updating Subscriptions dialog box appears. On this dialog box, select "Yes, make this an immediate-updating subscription(s)". You must employ immediate updating subscriptions to ensure coherency. Click Next.

   Important: Merge replication is not supported by MetaFrame because it cannot guarantee uniqueness of object creation across all servers in the enterprise.

7. The Set Distribution Agent Schedule dialog box appears. Select Continuously in Set Distribution Agent Schedule. Continuous updating and a two-phase commit algorithm ensure data coherency. When the subscriber receives a request to write to the data store, the data is initially written to the data store on the publisher, then propagated by the distributor to the copy of the data store on the subscriber. The distributor is the only server that can write information to the data store on the subscriber. Click Next.
8. The Initialize Subscription dialog box appears. Select the following options on this dialog box:
   - "Yes, initialize the schema and data at the Subscriber". The database on the subscriber is not yet initialized, so the schema and data need to be initialized.
   - "Start the agent immediately". The Distribution Agent begins replication as soon as the database becomes available.

   Click Next.
9. The Start Required Services dialog box appears. On this dialog box, verify that all necessary services are running on both Server A and Server B. The state for the MSDTC service on the subscriber always displays as Unknown even though it is running. To verify that MSDTC is running, check Services in Administrative Tools in the Control Panel on Server B. Click Next.
10. The Completing the Push Subscription Wizard appears. When the Push Subscription Wizard is done running, replication begins.

You can monitor the progress of the replication in Replication Monitor in Enterprise Manager. When replication is complete, make sure there are no replication alert errors in Replication Monitor.

Pointing MetaFrame XP Servers to the Replicated Database

When you are done replicating the server farm's data store, you can install MetaFrame XP on additional servers. Complete the following tasks to point additional MetaFrame XP servers to the replicated data store.

1. Start MetaFrame XP Setup.
2. When you are prompted for the location of the database that is hosting the server farm's data store, point the server to the replicated data store (on Server B).

3. When you are done installing MetaFrame XP, open Citrix Management Console and publish an application.
4. If the MetaFrame server can write the information about the published application to the data store, the data store was successfully replicated on Server B.

Note: You can redirect existing servers to the replicated copy of the data store by running the dsmaint config command.

APPENDIX C

Distributing Connections Among NFuse Classic 1.7 Servers

This section describes a sample configuration to show how you can use a hardware load balancer to perform round-robin HTTP redirection to distribute connections between two NFuse Classic servers. In the example, the load balancer is a Cisco LocalDirector 416, with software Version The NFuse Classic servers are Compaq DL320s running Microsoft Windows 2000 Server with Service Pack 2.

Overview

The sample configuration is configured as follows: First, the load balancer is configured to listen for HTTP connection requests on ports 80, 81, and 82. Ports 81 and 82 are configured to direct traffic straight to the first and second NFuse servers, and port 80 is configured to perform the load balancing. Clients are directed to make their connections to When HTTP traffic arrives on port 80 on the load balancer, a load balancing decision is made and an HTTP redirect is returned to the client browser specifying an alternate port for the connection. When this occurs and the client is using NFuse Classic, the data is always transmitted to the same NFuse Classic server and session state data is not lost.

Topology

In the example, the network topology consists of:
- A public network in which the clients reside
- A demilitarized zone (DMZ) containing the NFuse server
- An internal network in which the MetaFrame XP server farm resides

The DMZ is situated between two firewalls, with the first network interface card (NIC) of the load balancer connected directly into the DMZ. The NFuse Classic servers are connected to the load balancer's second NIC. This configuration is illustrated in the figure below.

The machines in the DMZ all have static IP addresses in the network / The client-facing firewall presents an external IP for the load balancer ( in this example), which is converted to the real load balancer IP address ( ) after firewall traversal. Clients on the public network can resolve the external load balancer IP address from the name nfuse.inter.net.

The machines on the internal network are in the range / On the internal network there is a MetaFrame XP Feature Release 2 server, named mf1, with a static IP address of , running the Citrix XML Service (shared with IIS) on port 80. The NFuse Classic servers, nfuse1 and nfuse2, are configured with the static IP addresses and , respectively.

The NFuse Classic configuration on each server is identical for all but the target server configuration. It may be beneficial to vary the order of the target MetaFrame XP servers that are running the Citrix XML Service to stop a single MetaFrame XP server from being contacted by all the NFuse Classic servers at the same time. In this example, a single Citrix XML Service (mf1 with IP Address :80) was used for both NFuse Classic servers.

Example Configuration

The following section describes the example configuration.

Step 1 Configure the Load Balancer

The load balancer is configured to present three virtual IP:port combinations to the real world: :80, :81, and :82

On the Cisco LocalDirector 416, do this using:

    virtual :80:0:tcp is
    virtual :81:0:tcp is
    virtual :82:0:tcp is

Step 2 Create URL Mappings for Redirection

Two URL mappings are created for performing the HTTP redirection:

On the Cisco LocalDirector 416, do this using:

    url nfuse
    url nfuse

Step 3 Bind URLs to Virtual Server

The URLs are then bound to the virtual server :80.

On the Cisco LocalDirector 416, do this using:

    bind :80:0:tcp nfuse1
    bind :80:0:tcp nfuse2

Step 4 Bind Ports on Virtual Server to Actual IP Addresses

Ports 81 and 82 of the virtual server are bound to the real NFuse Classic server IP addresses and Web server ports:

    :81 => :
    :82 => :80

On the Cisco LocalDirector 416, do this using:

    bind :81:0:tcp :80:0:tcp
    bind :82:0:tcp :80:0:tcp

Step 5 Ensure Valid URLs

Links are then created between the HTTP redirection URLs and the virtual NFuse servers so that the load balancer takes the URL out of service when the respective NFuse Classic server is out of service:

    => :81
    => :82

On the Cisco LocalDirector 416, do this using:

    link nfuse :81:0:tcp
    link nfuse :82:0:tcp

Step 6 Ensure Continuity of Service

The final step is to ensure that clients that have already been load balanced to one of the NFuse Classic servers continue to function (not without noticing) if the server they are using fails. To do this, the NFuse Classic servers specify :80 as their backup server.

On the Cisco LocalDirector 416, do this using:

    backup :81:0:tcp :80:0:tcp
    backup :82:0:tcp :80:0:tcp

With the configuration described and the client-facing firewall allowing traffic to on ports 80, 81, and 82, the load balancing solution worked.
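The six steps above can be modelled in a few lines to see how redirection, the URL links and the backup setting interact. This is an added example, not Citrix or Cisco code: the class and function names are hypothetical, the model is a simplification of the LocalDirector's behaviour, and only the name nfuse.inter.net, the server names and the ports 80, 81 and 82 come from the text.

```python
"""Simplified model of the round-robin HTTP redirection set-up (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PUBLIC_NAME = "nfuse.inter.net"  # name the clients resolve, taken from the text


@dataclass
class RedirectBalancer:
    # Step 4: virtual ports 81 and 82 map straight to the two NFuse Classic servers.
    direct: dict = field(default_factory=lambda: {81: "nfuse1", 82: "nfuse2"})
    # Health of each real server; Step 5 links a redirect URL to this state.
    in_service: dict = field(default_factory=lambda: {"nfuse1": True, "nfuse2": True})
    _next: int = 0  # round-robin cursor (hypothetical implementation detail)

    def _pick_port(self):
        """Round-robin over redirect targets, skipping servers that are down."""
        ports = sorted(self.direct)
        for _ in ports:
            port = ports[self._next % len(ports)]
            self._next += 1
            if self.in_service[self.direct[port]]:
                return port
        return None

    def handle(self, port, path="/"):
        """Return (status, value): a redirect URL for 302, a server name for 200."""
        if port == 80:
            # Steps 2 and 3: port 80 only ever answers with a redirect.
            target = self._pick_port()
            if target is None:
                return (503, None)
            return (302, f"http://{PUBLIC_NAME}:{target}{path}")
        server = self.direct.get(port)
        if server is None:
            return (404, None)
        if self.in_service[server]:
            return (200, server)
        # Step 6: a failed server's backup is virtual port 80, so the client
        # is load balanced again and lands on a surviving server.
        return self.handle(80, path)


def client_session(balancer, requests=3):
    """Follow the first redirect, then keep using the assigned port."""
    status, location = balancer.handle(80)
    if status != 302:
        return []
    port = urlsplit(location).port
    served = []
    for _ in range(requests):
        status, value = balancer.handle(port)
        if status == 302:
            # The server failed mid-session. Session state held on it is gone,
            # which is why the failover does not go unnoticed by the user.
            port = urlsplit(value).port
            status, value = balancer.handle(port)
        served.append(value)
    return served


if __name__ == "__main__":
    lb = RedirectBalancer()
    print(client_session(lb))   # every request reaches the same server
    print(client_session(lb))   # the next client is sent to the other one
```

Because each client keeps talking to the port it was redirected to, the firewall has to allow ports 81 and 82 as well as 80, which is the exposure the closing sentence of the appendix describes.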

APPENDIX D

Using Citrix Products in a Wireless LAN Environment

The findings in this chapter are the result of coordinated testing between Citrix and Compaq. Citrix and Compaq teamed together to test security in a wireless Local Area Network (WLAN) environment to determine and evaluate the inherent security risks associated with these types of networks. There is little physical security associated with WLANs, resulting in the possibility that the radio signals could be intercepted with malicious intent. For example, today's hackers are using tools and methods to obtain MAC addresses and channels used by internal networks.

Wireless LAN Vulnerabilities

The Wireless Encryption Privacy (WEP) relies on the RC4 encryption algorithm, which uses the same key to scramble and unscramble packets. If the key management system cycles through the same set of keys in a predictable manner, determined intruders can correlate data with the keys to decipher the encryption. This intrusion technique can be successful with both 40-bit and 128-bit RC4 encryptions.

Additionally, the network name and MAC addresses are broadcast in clear-text and can be easily intercepted. An intruder can then program these addresses on a personal WLAN adapter to access the network.

Additionally, the Wireless Application Protocol (WAP), which is used by wireless devices to access text, has a known security hole that allows intruders to intercept decrypted data from transmission points before the data is encrypted for transmission. During a WAP transmission, the following security protocols are used:
- Wireless Transport Layer Security (WTLS) - over the WLAN
- Secure Socket Layer (SSL) - over the wired LAN
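The WEP paragraph above says that key length does not help once keys repeat. The following added example (not part of the Citrix publication) shows why with plain RC4: two packets encrypted under the same key leak the XOR of their plaintexts whether the key is 40 or 128 bits long, and a key schedule can be audited for such repeats. The packet contents, the secret and the IV sequence are constructed, and the per-packet key is modelled as IV followed by secret, which simplifies WEP framing.

```python
"""RC4 keystream reuse, the weakness behind predictable WEP key cycling (added example)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling followed by keystream generation."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) % 256
        state[i], state[j] = state[j], state[i]
    i = j = 0
    stream = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        stream.append(state[(state[i] + state[j]) % 256])
    return bytes(stream)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def reuse_leak(key: bytes, packet_a: bytes, packet_b: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key. The keystream cancels out."""
    return xor_bytes(rc4_encrypt(key, packet_a), rc4_encrypt(key, packet_b))


def repeated_keys(schedule):
    """Audit a per-packet key schedule: return (index, first_seen_index) for each repeat."""
    first_seen = {}
    repeats = []
    for index, key in enumerate(schedule):
        if key in first_seen:
            repeats.append((index, first_seen[key]))
        else:
            first_seen[key] = index
    return repeats


if __name__ == "__main__":
    # Constructed sample packets of equal length.
    packet_a = b"GET /index.html"
    packet_b = b"user=alice&pw=x"
    for secret in (bytes(range(1, 6)), bytes(range(1, 17))):  # 40-bit and 128-bit
        leaked = reuse_leak(secret, packet_a, packet_b)
        # The ciphertext XOR equals the plaintext XOR: the key has dropped out.
        print(len(secret) * 8, "bit key, plaintext XOR exposed:",
              leaked == xor_bytes(packet_a, packet_b))

    # Constructed schedule: a 3-byte IV that cycles after three packets.
    secret = bytes(range(1, 6))
    ivs = [b"\x00\x00\x00", b"\x00\x00\x01", b"\x00\x00\x02",
           b"\x00\x00\x00", b"\x00\x00\x01"]
    print(repeated_keys([iv + secret for iv in ivs]))
```

Any repeat reported by `repeated_keys` marks a pair of packets whose confidentiality depends on neither plaintext being guessable.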

There is a split-second of vulnerability at the WAP gateway when the data is decrypted and then re-encrypted to switch protocols. Organizations cannot rely on the use of encryption keys and SSIDs to provide adequate security in a WLAN environment. However, using MetaFrame XP software with the ICA protocol offers a number of features that protect against security vulnerabilities.

Citrix Architecture Security

The architecture in Citrix products provides the following security features:
- Pane-of-glass security. ICA protocol inherently prevents intruders from sniffing out data or code. Applications reside on a server; ICA transmits keystrokes, mouse clicks and screen updates. Only a graphic representation of the user interface actually crosses the network.
- Data encryption. The ICA protocol offers built-in encryption on the client and server, adding an extra layer of protection against attempted hacking.
- Authentication. MetaFrame XP offers an additional layer of authentication security for role-based application access.
- Device loss protection. The ICA protocol allows critical data to be stored and protected on a server rather than the client, ensuring that the loss of a client device creates only a minimal security risk.

Citrix Secure Gateway

The Citrix Secure Gateway (CSG) can supplement existing security measures to create a complete end-to-end security solution, as shown in the figure below.

CSG functions as a secure Internet gateway between the MetaFrame XP server and the ICA Client, without publishing the address of every MetaFrame server across the Internet, thus ensuring the privacy and integrity of information flowing across public networks. All Internet traffic between the client device and the CSG server is encrypted using SSL technology. CSG eliminates the need to install additional client software (beyond the ICA Client) and can easily traverse Internet firewalls.

Note: MetaFrame servers are hidden from the Internet and cannot be accessed directly.

Citrix Secure Gateway provides the following capabilities:
- SSL 128-bit encryption
- High-performance gateway service
- Firewall traversal
- Single-point server certificate management
- Minimal client configuration
- Secure ticketing authority
- Connection logging
- Reliability and fault tolerance
- High scalability

The following communications take place between Citrix Secure Gateway components before a secure connection is established.

1. A remote user launches a Web browser and connects to an NFuse Web server on port 80 (HTTP) or port 443 (HTTPS). The NFuse Web portal requires the user to authenticate using valid user credentials.
2. NFuse utilizes the user credentials to contact the Citrix XML Service on port 80 running on a MetaFrame server, and obtains a list of applications that the user is authorized to access. These applications are then displayed in the NFuse Web page.
3. When the user clicks a link for a published application, NFuse sends the IP address for the requested MetaFrame server to the Secure Ticket Authority (STA) and requests a Citrix Secure Gateway ticket for the user. The STA saves the IP address and issues the requested Citrix Secure Gateway ticket to NFuse.
4. NFuse generates an ICA file containing the ticket issued by the STA, and then sends it to the client browser. Note that the ICA file generated by NFuse contains only the IP address of the Citrix Secure Gateway. The address of the MetaFrame server to which the ICA Client eventually connects is never exposed.
5. The browser passes the ICA file to the ICA Client, which launches an SSL connection to the Citrix Secure Gateway. Initial SSL handshaking is performed to establish the identity of the Citrix Secure Gateway.

6. The Citrix Secure Gateway accepts the ticket from the ICA Client and uses information contained in the Citrix Secure Gateway ticket to identify and contact the STA for ticket validation. If the STA can validate the ticket, it returns the IP address of the MetaFrame server on which the requested application resides. If the ticket is invalid or has expired, the STA informs the Citrix Secure Gateway, and an error message is displayed on the ICA Client device.
7. On receipt of the IP address for the MetaFrame server, the Citrix Secure Gateway establishes an ICA connection to the MetaFrame server. After the ICA connection is established, the Citrix Secure Gateway monitors ICA data flowing through the connection, and encrypts and decrypts client-server communications.

More information about CSG is available on

Using Citrix products in conjunction with wireless Local Area Networks provides end to end security, minimizing potential threats to your environment.
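The ticket exchange in steps 3 to 7 can be followed end to end in a small model. This is an added example, not Citrix code: the class names, the dictionary standing in for the ICA file, the ticket lifetime, the addresses and the single-use rule for tickets are all assumptions made for illustration.

```python
"""Model of the Secure Ticket Authority exchange in steps 3 to 7 (added example)."""
import secrets


class TicketError(Exception):
    """Raised by the STA when a ticket is unknown or has expired."""


class SecureTicketAuthority:
    def __init__(self, lifetime_seconds=100):  # lifetime is a constructed value
        self.lifetime = lifetime_seconds
        self._tickets = {}  # ticket -> (MetaFrame server address, expiry time)

    def issue(self, server_addr, now):
        """Step 3: save the server address and hand back an opaque ticket."""
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (server_addr, now + self.lifetime)
        return ticket

    def redeem(self, ticket, now):
        """Step 6: validate the ticket and return the saved address."""
        # Removing the ticket on first use is an assumption of this model.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            raise TicketError("invalid ticket")
        server_addr, expires_at = entry
        if now > expires_at:
            raise TicketError("expired ticket")
        return server_addr


class NFuse:
    def __init__(self, sta, gateway_addr, published_apps):
        self.sta = sta
        self.gateway_addr = gateway_addr
        self.published_apps = published_apps  # application -> MetaFrame server

    def launch(self, app, now):
        """Steps 3 and 4: get a ticket, then build the file sent to the browser."""
        ticket = self.sta.issue(self.published_apps[app], now)
        # Stand-in for the ICA file: gateway address and ticket only.
        return {"gateway": self.gateway_addr, "ticket": ticket}


class SecureGateway:
    def __init__(self, sta):
        self.sta = sta

    def connect(self, ica_file, now):
        """Steps 6 and 7: validate the ticket, then pick the ICA connection target."""
        try:
            server_addr = self.sta.redeem(ica_file["ticket"], now)
        except TicketError as error:
            return {"ok": False, "error": str(error)}
        return {"ok": True, "ica_target": server_addr}


if __name__ == "__main__":
    # Constructed addresses from documentation ranges.
    sta = SecureTicketAuthority()
    nfuse = NFuse(sta, "csg.example.com:443", {"Notepad": "192.0.2.10"})
    gateway = SecureGateway(sta)

    ica_file = nfuse.launch("Notepad", now=0)
    print("client sees:", ica_file)                       # no MetaFrame address
    print("first use:", gateway.connect(ica_file, now=5))
    print("replay:", gateway.connect(ica_file, now=6))
    stale = nfuse.launch("Notepad", now=0)
    print("too late:", gateway.connect(stale, now=500))
```

The property to check in a real deployment is the one printed first: nothing handed to the client identifies the MetaFrame server, so the ticket is the only link between the client's SSL session and the internal address.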


APPENDIX E

Tested Hardware

The following hardware was used in the Citrix eLabs for testing MetaFrame XP:
- Apple iMac
- Cisco LocalDirector 416
- Cisco PIXX 515 Firewall Appliance
- Compaq Aero
- Compaq DeskPro EN SFF
- Compaq DL 320
- Compaq DL 350
- Compaq DL 360
- Compaq DL 380
- Compaq DL 580
- Compaq iPAQ
- Compaq EVO T20
- Compaq ML 330
- Compaq Proliant 1850R
- Compaq Proliant 800
- Compaq Proliant 8500R
- Compaq StorageWorks FC-AL Switch
- Compaq StorageWorks RA4100
- Compaq TaskSmart N2400
- Dell 1650
- Dell OptiPlex GX1

- Dell PowerEdge 1400
- Hewlett Packard Jornada
- Hewlett Packard LaserJet Printers
- Hewlett Packard NetServer LXe Pro
- Hewlett Packard TC4100
- IBM 4600
- IBM NetFinity 3000
- IBM NetFinity 3500 M10
- IBM NetFinity 3500 M20
- IBM NetFinity 5500
- Intel 640T
- Lucent Pipeline ISDN Router
- Packeteer AppVantage ASM-70
- Packeteer Packetshaper 4500
- Shunra Storm
- Sierra Wireless PCMCIA cards
- Sun Ultra 5
- Wyse Winterms

APPENDIX F

IMA Subsystem Tracing

Use the information in this table to determine which registry keys need to be activated for different MetaFrame XP systems.

| MetaFrame XP System | Subsystems to Trace |
| Application Management, Application Folders | ImaAdminSal |
| COM/SDK, Citrix Management Console | Remote Access |
| Common Application settings (LM, IM, MF, Unix) | ImaAppSal, ImaAppSs |
| Common Server (common farm server properties and server enumeration) | ImaSrvSal, ImaSrvSs |
| Data store (including LHC) | Directory Subsystem, System\DataStoreDriver, Profiling\DataStore, Profiling\LHC, Runtime\PersistentStore |
| Dynamic Store | Runtime\DynamicStore, Profiling\DynamicStore |
| File Browsing | IMA_FileSS |
| Folder Enumeration | ImaGrpSal, IMAGroup |
| Host Resolver | Runtime\HostResolver |
| Ilicense | Ilicense |
| IMA Browser | IMA_Browser |
| IMA Program Interface (Terminal Services, other software) | ImaRpc, ImaLicRpc, ImaMfRpc |
| IMS | ImsSal |
| Licensing | LicenseSal, IMA_License |

| MetaFrame XP System | Subsystems to Trace |
| Load Management | LmsSal, LMS_Subsystem |
| MetaFrame Applications (enumeration and properties) | MfAppSal, MFApp |
| MetaFrame Server Properties (ICA Display, MetaFrame Settings) | MfSrvSal, MFSrvSs |
| Policy | Policy |
| Printer Management and Printer Drivers | MfPrintSal, IMA_Printer, ImaRelSal, IMARelationship |
| Printer Replication | ImaDistSal, IMADistribution |
| Program Neighborhood | MfPNSal |
| Remote Access | RemoteAccess, Remote Access |
| Runtime | Runtime\Runtime |
| Service Locator | Runtime\ServiceLocator |
| Subscription Manager | Runtime\SubscriptionManager |
| User Management (User Lists, Viewing and Launching Applications. Network Printer Auto-creation) | ImaUserSal, IMA_AAMS, WinDrvSS, NDSDrvSS |
| Zone Manager | Runtime\ZoneManager |

APPENDIX G

IMA Error Codes

The items in the table below are Citrix IMA Service error codes that can appear in the Event Viewer.

| Hex value | Signed value | Unsigned value | Mnemonic |
| h | 0 | 0 | IMA_RESULT_SUCCESS |
| h | 1 | 1 | IMA_RESULT_OPERATION_INCOMPLETE |
| h | 2 | 2 | IMA_RESULT_CALL_NEXT_HOOK |
| h | 3 | 3 | IMA_RESULT_DISCARD_MESSAGE |
| h | 4 | 4 | IMA_RESULT_CREATED_NEW |
| h | 5 | 5 | IMA_RESULT_FOUND_EXISTING |
| h | 9 | 9 | IMA_RESULT_CONNECTION_IDLE |
| h | | | IMA_RESULT_DS_NOT_INSTALLED |
| h | | | IMA_RESULT_SECURITY_INFO_INCOMPLETE |
| 002D0001h | | | IMA_RESULT_ALREADY_MASTER |
| h | | | IMA_RESULT_FAILURE |
| h | | | IMA_RESULT_NO_MEMORY |
| h | | | IMA_RESULT_INVALID_ARG |
| h | | | IMA_RESULT_UNKNOWN_MESSAGE |
| h | | | IMA_RESULT_DESTINATION_UNREACHABLE |
| h | | | IMA_RESULT_REFERENCE_COUNT_NOT_ZERO |
| h | | | IMA_RESULT_ENTRY_NOT_FOUND |

| h | | | IMA_RESULT_NETWORK_FAILURE |
| h | | | IMA_RESULT_NOT_IMPLEMENTED |
| Ah | | | IMA_RESULT_INVALID_MESSAGE |
| Bh | | | IMA_RESULT_TIMEOUT |
| Ch | | | IMA_RESULT_POINTER_IS_NULL |
| Dh | | | IMA_RESULT_UNINITIALIZED |
| Eh | | | IMA_RESULT_FINDITEM_FAILURE |
| Fh | | | IMA_RESULT_CREATEPOOL_FAILURE |
| h | | | IMA_RESULT_SUBSYS_NOT_FOUND |
| h | | | IMA_RESULT_PS_UNINITIALIZED |
| h | | | IMA_RESULT_REGMAPFAIL |
| h | | | IMA_RESULT_DEST_TOO_SMALL |
| h | | | IMA_RESULT_ACCESS_DENIED |
| h | | | IMA_RESULT_NOT_SHUTTING_DOWN |
| h | | | IMA_RESULT_MUSTLOAD_FAILURE |
| h | | | IMA_RESULT_CREATELOCK_FAILURE |
| Ah | | | IMA_RESULT_SHUTDOWN_FAILURE |
| Ch | | | IMA_RESULT_SENDWAIT_FAILURE |
| Dh | | | IMA_RESULT_NO_COLLECTORS |
| Eh | | | IMA_RESULT_UPDATED |
| Fh | | | IMA_RESULT_NO_CHANGE |
| h | | | IMA_RESULT_LEGACY_NOT_ENABLED |
| h | | | IMA_RESULT_VALUE_ALREADY_CREATED |
| h | | | IMA_RESULT_UID_EXCEEDED_BOUNDS |
| h | | | IMA_RESULT_NO_EVENTS |
| h | | | IMA_RESULT_NOT_FOUND |

| h | | | IMA_RESULT_ALREADY_EXISTS |
| h | | | IMA_RESULT_GROUP_ALREADY_EXISTS |
| h | | | IMA_RESULT_NOT_A_GROUP |
| h | | | IMA_RESULT_GROUP_DIR_ACCESS_FAILURE |
| h | | | IMA_RESULT_EOF |
| Ah | | | IMA_RESULT_REGISTRY_ERROR |
| Bh | | | IMA_RESULT_DSN_OPEN_FAILURE |
| Ch | | | IMA_RESULT_REMOVING_PSSERVER |
| Dh | | | IMA_RESULT_NO_REPLY_SENT |
| Eh | | | IMA_RESULT_PLUGIN_FAILED_VERIFY |
| Fh | | | IMA_RESULT_FILE_NOT_FOUND |
| h | | | IMA_RESULT_PLUGIN_ENTRY_NOT_FOUND |
| h | | | IMA_RESULT_CLOSED |
| h | | | IMA_RESULT_PATH_NAME_TOO_LONG |
| h | | | IMA_RESULT_CREATEMESSAGEPORT_FAILED |
| h | | | IMA_RESULT_ALTADDRESS_NOT_DEFINED |
| h | | | IMA_RESULT_WOULD_BLOCK |
| h | | | IMA_RESULT_ALREADY_CLOSED |
| h | | | IMA_RESULT_TOO_BUSY |
| h | | | IMA_RESULT_HOST_SHUTTING_DOWN |
| h | | | IMA_RESULT_PORT_IN_USE |
| Ah | | | IMA_RESULT_NOT_SUPPORTED |
| h | | | IMA_RESULT_FILE_OPEN_FAILURE |
| h | | | IMA_RESULT_SESSION_REQUEST_DENIED |
| h | | | IMA_RESULT_JOB_NOT_FOUND |
| h | | | IMA_RESULT_SESSION_NOT_FOUND |

| h | | | IMA_RESULT_FILE_SEEK_FAILURE |
| h | | | IMA_RESULT_FILE_READ_FAILURE |
| h | | | IMA_RESULT_FILE_WRITE_FAILURE |
| h | | | IMA_RESULT_JOB_CANNOT_BE_UPDATED |
| h | | | IMA_RESULT_NO_TARGET_HOSTS |
| Ah | | | IMA_RESULT_NO_SOURCE_FILES |
| h | | | IMA_RESULT_ATTR_NOT_FOUND |
| h | | | IMA_RESULT_CONTEXT_NOT_FOUND |
| h | | | IMA_RESULT_VALUE_NOT_FOUND |
| h | | | IMA_RESULT_DATA_NOT_FOUND |
| h | | | IMA_RESULT_ENTRY_LOCKED |
| h | | | IMA_RESULT_SEARCH_HASMORE |
| h | | | IMA_RESULT_INCOMPLETE |
| h | | | IMA_RESULT_READEXCEPTION |
| h | | | IMA_RESULT_WRITEEXCEPTION |
| Ah | | | IMA_RESULT_LDAP_PARTIALINSTALL |
| Bh | | | IMA_RESULT_LDAP_NOTREADY |
| Ch | | | IMA_RESULT_BUFFER_TOO_SMALL |
| Dh | | | IMA_RESULT_CONTAINER_NOT_EMPTY |
| Eh | | | IMA_RESULT_CONFIGURATION_ERROR |
| Fh | | | IMA_RESULT_GET_BASEOBJECT |
| h | | | IMA_RESULT_GET_DERIVEDOBJECT |
| h | | | IMA_RESULT_OBJECTCLASS_NOTMATCH |
| h | | | IMA_RESULT_ATTRIBUTE_NOTINDEXED |
| h | | | IMA_RESULT_OBJECTCLASS_VIOLATION |
| h | | | IMA_RESULT_ENUMFAIL |

| h | | | IMA_RESULT_ENUMNODATA |
| h | | | IMA_RESULT_DBCONNECT_FAILURE |
| h | | | IMA_RESULT_TRUNCATE |
| h | | | IMA_RESULT_DUPLICATE |
| h | | | IMA_RESULT_PS_NOTINITIALIZED |
| Ah | | | IMA_RESULT_USING_ORACLE_ |
| Bh | | | IMA_RESULT_USING_ORACLE_ |
| Ch | | | IMA_RESULT_USING_ORACLE_UNKNOWN |
| Dh | | | IMA_RESULT_LOAD_DAO_ENGINE_FAILED |
| Eh | | | IMA_RESULT_COMPACT_DB_FAILED |
| h | | | IMA_RESULT_ODBC_NO_CONNECTIONS_AVAILABLE |
| h | | | IMA_RESULT_CREATE_SQL_ENVIRONMENT_FAILED |
| h | | | IMA_RESULT_SQL_EXECUTE_FAILED |
| h | | | IMA_RESULT_SQL_FETCH_FAILED |
| h | | | IMA_RESULT_SQL_BIND_PARAM_FAILED |
| h | | | IMA_RESULT_SQL_GET_COLUMN_DATA_FAILED |
| h | | | IMA_RESULT_REPLICATED_DATA_CONTENTION |
| Ah | | | IMA_RESULT_DB_TABLE_NOT_FOUND |
| Bh | | | IMA_RESULT_CONNECTION_EXIST |
| Ch | | | IMA_RESULT_QUERY_MAX_NODEID_FAILED |
| Dh | | | IMA_RESULT_SQL_FUNCTION_SEQUENCE_ERROR |
| Eh | | | IMA_RESULT_DB_CONNECTION_TIMEOUT |
| h | | | LMS_RESULT_NO_SERVER_AVAILABLE |
| h | | | IMA_RESULT_FULL_SERVER_OR_APP_LOAD_REACHED |
| h | | | IMA_RESULT_MORE_ITEMS |
| h | | | IMA_RESULT_INVALID_ACCOUNT |

| h | | | IMA_RESULT_INVALID_PASSWORD |
| h | | | IMA_RESULT_EXPIRED_PASSWORD |
| h | | | IMA_RESULT_GROUP_IGNORED |
| h | | | IMA_RESULT_BUILTIN_GROUP |
| h | | | IMA_RESULT_DC_NOT_AVAILABLE |
| h | | | IMA_RESULT_NW_CLIENT_NOT_INSTALLED |
| h | | | IMA_RESULT_ACCOUNT_LOCKED_OUT |
| Ah | | | IMA_RESULT_INVALID_LOGON_HOURS |
| Bh | | | IMA_RESULT_ACCOUNT_DISABLED |
| Ch | | | IMA_RESULT_PREFERRED_TREE_NOT_SET |
| h | | | IMA_RESULT_NODE_NOT_FOUND |
| h | | | IMA_RESULT_NODE_NAME_INVALID |
| h | | | IMA_RESULT_NODE_NOT_EMPTY |
| h | | | IMA_RESULT_NODE_MOVE_DENIED |
| h | | | IMA_RESULT_NODE_NAME_NOT_UNIQUE |
| h | | | IMA_RESULT_NODE_RENAME_DENIED |
| h | | | IMA_RESULT_CONSTRAINT_VIOLATION |
| h | | | IMA_RESULT_LDAP_PROTOCOL_ERROR |
| h | | | IMA_RESULT_LDAP_SERVER_DOWN |
| Ch | | | IMA_RESULT_NODE_DELETE_DENIED |
| Fh | | | IMA_RESULT_CANNOTCHANGE_PASSWORD |
| h | | | IMA_RESULT_CANNOTCHANGE_LAST_RW |
| h | | | IMA_RESULT_LOGON_USER_DISABLED |
| h | | | IMA_RESULT_CMC_CONNECTION_DISABLED |
| h | | | IMA_RESULT_INSUFFICIENT_SERVER_SEC_FOR_USER |
| h | | | IMA_RESULT_FEATURE_LICENSE_NOT_FOUND |

| h | | | IMA_RESULT_DISALLOW_CMC_LOGON |
| h | | | IMA_RESULT_NW_PRINT_SERVER_ALREADY_PRESENT |
| h | | | IMA_RESULT_SERVER_ALREADY_PRESENT |
| 802D0001h | | | IMA_RESULT_TABLE_NOT_FOUND |
| 802D0002h | | | IMA_RESULT_NOT_TABLE_OWNER |
| 802D0003h | | | IMA_RESULT_INVALID_QUERY |
| 802D0004h | | | IMA_RESULT_TABLE_OWNER_HAS_CHANGED |
| 802D0005h | | | IMA_RESULT_SERVICE_NOT_AVAILABLE |
| 802D0006h | | | IMA_RESULT_ZONE_MASTER_UNKNOWN |
| 802D0007h | | | IMA_RESULT_NON_UNIQUE_HOSTID |
| 802D0008h | | | IMA_RESULT_REG_VALUE_NOT_FOUND |
| 802D0009h | | | IMA_RESULT_PARTIAL_LOAD |
| 802D000Ah | | | IMA_RESULT_GATEWAY_NOT_ESTABLISHED |
| 802D000Bh | | | IMA_RESULT_INVALID_GATEWAY |
| 802D000Ch | | | IMA_RESULT_SERVER_NOT_AVAILABLE |
| h | | | IMA_RESULT_SERVICE_NOT_SUPPORTED |
| h | | | IMA_RESULT_BUILD_SD_FAILED |
| h | | | IMA_RESULT_RPC_USE_ENDPOINT_FAILED |
| h | | | IMA_RESULT_RPC_REG_INTERFACE_FAILED |
| h | | | IMA_RESULT_RPC_LISTEN_FAILED |
| h | | | IMA_RESULT_BUILD_FILTER_FAILED |
| h | | | IMA_RESULT_RPC_BUFFER_TOO_SMALL |
| h | | | IMA_RESULT_REQUEST_TICKET_FAILED |
| h | | | IMA_RESULT_INVALID_TICKET |
| Ah | | | IMA_RESULT_LOAD_TICKETDLL_FAILED |


APPENDIX H

Citrix Management Console Error Codes

The information in the table below can aid you when you call Citrix Technical Support for solutions. Citrix Technical Support requires the information in the last column; this information does not appear in any other documentation.

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
| | c0160a8c | Unable to connect with the Farm Metric Server. The Watcher window may not correctly reflect the farm status | ResourceMgr |
| | c0160a96 | An error occurred while attempting to retrieve the backup Farm Metric Server details. The error returned was: ~0~ | ResourceMgr |
| | c0160a97 | An error occurred while attempting to set the Farm Metric Servers. The error returned was: ~0~ | ResourceMgr |
| | c0160a98 | The backup Farm Metric server may not be identical to the primary Farm Metric Server. Please choose a different backup Farm Metric Server. | ResourceMgr |
| | c0160a99 | No alarm objects have been returned from the monitor. | ResourceMgr |
| | c0160a9a | Cannot retrieve counter instance names. | ResourceMgr |
| | c0160aaa | Could not retrieve the list of ignored processes. | ResourceMgr |
| | c0160aab | Could not save the new list of ignored processes. | ResourceMgr |
| | c0160aac | Could not save the new list of ignored processes: ~0~. | ResourceMgr |
| | c0160abe | The application name is invalid. It cannot contain any of the following characters: ~0~. | ResourceMgr |
| | c0160abf | There was no response from Resource Manager. | ResourceMgr |

| | c0160ac0 | An error occurred when attempting to create the application. The error returned was: ~0~. | ResourceMgr |
| | c0160ac3 | You must specify an application name. | ResourceMgr |
| | c0160ac4 | You must specify the full path and filename of the application. | ResourceMgr |
| | c0160ac5 | You must select at least one server. | ResourceMgr |
| | c0160ac6 | You have not provided a new application name. | ResourceMgr |
| | c0160ac7 | This application name already exists. Please enter a different application name | ResourceMgr |
| | c0160ac8 | An error occurred when attempting to update the application properties. The error returned was: ~0~ | ResourceMgr |
| | c0160ac9 | Error sending request for counter list from Farm Metric Server. | ResourceMgr |
| | c0160aca | Error talking to the monitor subsystem. | ResourceMgr |
| | c0160acc | Error updating application properties. Confirm that the data store can be accessed | ResourceMgr |
| | c0160acd | An object with the same name already exists in the target folder! | ResourceMgr |
| | c0160ace | An unexpected error occurred when trying to move the application. The error returned was: ~0~ | ResourceMgr |
| | c0160acf | The application name can be no longer than ~0~ characters. | ResourceMgr |
| | c0160ad2 | Error reading application metric properties information. | ResourceMgr |
| | c0160ad3 | Error retrieving metric properties. | ResourceMgr |
| | c0160ad4 | Error writing application metric properties information. | ResourceMgr |
| | c0160ad5 | Error writing server metric properties information. | ResourceMgr |
| | c0160ad6 | An error occurred while updating the application metrics. | ResourceMgr |
| | c0160ad7 | An error occurred while updating the application metric properties | ResourceMgr |
| | c0160ae3 | An unknown error occurred while trying to get the log for ~0~. | ResourceMgr |

| | c0160add | An unexpected error occurred retrieving the reboot message details. The error returned was: ~0~ | ResourceMgr |
| | c0160ade | An unexpected error occurred setting the reboot message details. The error returned was: ~0~ | ResourceMgr |
| | c0160af1 | Error sending request for counter list from Farm Metric Server | ResourceMgr |
| | c0160af2 | The Farm Metric Server(s) cannot be contacted. This will cause Resource Manager to function incorrectly. Check that the Farm Metric Server(s) are running and can be contacted. | ResourceMgr |
| | c0160afb | Failed to set alerts configuration | ResourceMgr |
| | c0160b00 | Failed to set SNMP alerts configuration: ~0~. | ResourceMgr |
| | c0160b10 | Must supply a gateway name. | ResourceMgr |
| | c0160b11 | Must supply a user name. | ResourceMgr |
| | c0160b12 | Must supply a group name. | ResourceMgr |
| | c0160b13 | Gateway "~0~" already exists. | ResourceMgr |
| | c0160b14 | User or group name "~0~" already exists. | ResourceMgr |
| | c0160b15 | Illegal character(s) in phone number. | ResourceMgr |
| | c0160b16 | Cannot add a user - configure a gateway first. | ResourceMgr |
| | c0160b17 | Cannot add a group - configure a user first | ResourceMgr |
| | c0160b18 | Cannot delete gateway while a user item still refers to it. | ResourceMgr |
| | c0160b19 | Illegal character(s) in prefix. | ResourceMgr |
| | c0160b22 | Failed to retrieve report: ~0~. | ResourceMgr |
| | c0160b24 | Failed to save report: ~0~. | ResourceMgr |
| | c0160b25 | Failed to convert report: ~0~. | ResourceMgr |
| | c0160b4a | Citrix Resource Manager is not licensed. | ResourceMgr |
| | c0160b4b | Unable to contact IMA service running on | ResourceMgr |
| | c0160b4c | Unable to contact IMA service running on | ResourceMgr |

| | c0160b4d | Received an invalid packet from the IMA service running on | ResourceMgr |
| | c0160b54 | Failed to generate Server Summary report. Check that the DBMS and Database Connection Servers, and the IMA connection to the Database Connection Server are working properly | ResourceMgr |
| | c0160b55 | Failed to generate User Summary report. Check that the DBMS and Database Connection Servers, and the IMA connection to the Database Connection Server are working properly | ResourceMgr |
| | c0160b56 | Failed to generate Process Summary report. Check that the DBMS and Database Connection Servers, and the IMA connection to the Database Connection Server are working properly. | ResourceMgr |
| | c0160b57 | Failed to create Server Snapshot report | ResourceMgr |
| | c0160b58 | Failed to create Current User report | ResourceMgr |
| | c0160b59 | Failed to create Current Process report | ResourceMgr |
| | c0160b5a | Unable to communicate with the Resource Manager Database Connection Server. Summary reports will not be available | ResourceMgr |
| | c0160b5b | Unable to communicate with the Resource Manager Database Connection Server. Summary reports will not be available | ResourceMgr |
| | c0160b5c | Unable to communicate with the Resource Manager Database Connection Server. Summary reports will not be available | ResourceMgr |
| | c0160b5d | Unable to communicate with the Resource Manager local database. Current reports will not be available | ResourceMgr |
| | c0160b5e | Unable to communicate with the Resource Manager local database. Current reports will not be available | ResourceMgr |
| | c0160b5f | Unable to communicate with the Resource Manager local database. Current reports will not be available | ResourceMgr |
| | c0160b60 | The summary database does not contain enough information to generate a Process Summary report. | ResourceMgr |
| | c0160b61 | The summary database contains no server information. | ResourceMgr |

| | c0160b62 | The summary database does not contain enough information to generate a User Summary report. | ResourceMgr |
| | c0160b63 | Failed to save reports | ResourceMgr |
| | c0160b64 | Unable to identify the summary database software versions. Summary database functionality may not operate correctly in the Citrix Management Console | ResourceMgr |
| | c0160b65 | Unable to identify any Resource Manager summary database servers in the farm. | ResourceMgr |
| | c0160b66 | All start times should be less than the stop times | ResourceMgr |
| | c0160adc | Summary database functionality cannot be enabled without a Database Connection Server being set. | ResourceMgr |
| | c0160b67 | Unable to identify Database Connection Server | ResourceMgr |
| 500 | 1F4 | A timeout has occured! Please try again! | AdminMgr |
| 510 | 1FE | A folder name cannot contain any of the following characters: \ / : *? " < > | AdminMgr |
| 511 | 1FF | Please enter a folder name! | AdminMgr |
| | | An object with the same name already exists in the target folder! | AdminMgr |
| | | Can't rename folder! | AdminMgr |
| | | The selected folder is not empty. A folder cannot be deleted until it is empty. | AdminMgr |
| | | Can't delete folder! | AdminMgr |
| | | The selected folder is not empty. A folder cannot be moved until it is empty. | AdminMgr |
| | | Can't move folder! | AdminMgr |
| | | A folder name cannot contain more than 256 characters! | AdminMgr |
| 700 | 2BC | The license list is incomplete. The request for information could have timed out. | LicenseMgr |
| 701 | 2BD | Failed to initialize list control. | LicenseMgr |
| 702 | 2BE | There was an unexpected internal error in processing this action. | LicenseMgr |

| 703 | 2BF | The view could not be refreshed. The view could not be found | LicenseMgr |
| | C0 | The view could not be refreshed. The selection in the tree changed unexpectedly | LicenseMgr |
| | C1 | The license list is incomplete. An error occurred while getting the information. | LicenseMgr |
| 710 | 2C6 | You must have Administrator rights to run this application. | LicenseMgr |
| | | The license could not be added. | LicenseMgr |
| | | The license could not be added. It is already installed. | LicenseMgr |
| | | The license could not be added. It is not a valid serial number | LicenseMgr |
| | | The license could not be added. The licensing subsystem did not respond | LicenseMgr |
| | | The license could not be added. The product associated with this license was not found in this farm | LicenseMgr |
| | | The serial number must be entered in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX | LicenseMgr |
| | | You have reached the maximum number of license packs allowed per server. You cannot install additional license packs. Please contact Citrix Technical Support. | LicenseMgr |
| | | Please enter a serial number. | LicenseMgr |
| | | The license could not be removed. | LicenseMgr |
| | | None of the selected licenses could be removed. | LicenseMgr |
| | | Not all of the Licenses were successfully removed. There might be a delay before the license information is updated. | LicenseMgr |
| | | This product license cannot be removed. | LicenseMgr |
| | | There was an unexpected internal error in removing these licenses | LicenseMgr |
| | | The license may or may not have been removed because the request timed out. There might be a delay before the license information is updated. | LicenseMgr |

| | A | The licenses may or may not have been removed because the request timed out. There might be a delay before the license information is updated | LicenseMgr |
| | E | The activation code must be entered in the following format: XXXXX-XXXXX | LicenseMgr |
| | F | The license could not be activated. It may already be activated | LicenseMgr |
| | | The license could not be activated. The activation code is incorrect. Check that you entered the code correctly | LicenseMgr |
| | | The license could not be activated. The licensing subsystem did not respond. | LicenseMgr |
| | | Please enter an activation code. | LicenseMgr |
| | | Could not find assignment data. | LicenseMgr |
| | | There are no licenses in this license set. | LicenseMgr |
| | | All of the licenses in this license set are already assigned to servers. | LicenseMgr |
| | | The license could not be assigned. | LicenseMgr |
| | | The full <license number> could not be assigned. Only <number> was assigned. It may take a moment for this change to appear fully in the views. | LicenseMgr |
| | | Please select a server in the tree. | LicenseMgr |
| | | The license could not be assigned. You cannot assign more than one of each product license to a server. | LicenseMgr |
| | | Please enter a value between 1 and <number>. | LicenseMgr |
| | A | This assignment already exists. This product license has already been assigned to the selected server | LicenseMgr |
| | B | There are no licenses installed on this farm. You must add (and activate) one or more licenses to make them available for assignment | LicenseMgr |
| | C | None of the licenses installed on this farm are available for assignment. You cannot assign Inactivated, Evaluation, or Expired licenses to a Citrix server. For existing license assignments, you must drop or reduce the assignment before you can assign the license to a new Citrix server. | LicenseMgr |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | | The selected assignment could not be dropped. | LicenseMgr |
| | | Some of the selected assignments could not be dropped. There might be a delay before the license information is updated. | LicenseMgr |
| | | None of the selected assignments could be dropped. | LicenseMgr |
| | | License assignment could not be changed. | LicenseMgr |
| | | The full <license number> could not be assigned. Only <number> was assigned. It may take a moment for this change to appear fully in the views. | LicenseMgr |
| | | This license cannot be pooled. | LicenseMgr |
| 1100 | | An unknown error occurred while loading <Plugin name> Its features will not be available during this session. | PluginMgr |
| 1110 | | Farm Logon Error | PluginMgr |
| 1111 | | Pass-through Authentication failed, failed to connect to server <server> | PluginMgr |
| | | The ICA Display settings could not be changed. | ServerMgrNew |
| | | The product code you entered was invalid. The server's product code has not been changed | ServerMgrNew |
| | | The product code you entered was invalid. None of the servers' product codes have been changed. | ServerMgrNew |
| | | The product code could not be changed. | ServerMgrNew |
| | A | The value entered for "maximum memory to use for each session's graphics" is invalid. Please enter a value between 150 kilobytes and 8192 kilobytes | ServerMgrNew |
| | B | Failed to change the listening TCP port for the Citrix XML Service! | ServerMgrNew |
| | C | Some servers' product codes were changed, but some could not be. | ServerMgrNew |
| | D | None of the servers' product codes could be changed. | ServerMgrNew |
| | F | Please make sure that the Reset value is greater or equal than the Set value | ServerMgrNew |
| | | Session information is not available for this session. User information will be refreshed. | ServerMgrNew |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | | Failed to disconnect session. User information will be refreshed | ServerMgrNew |
| | | Failed to connect session. User information will be refreshed | ServerMgrNew |
| | | Wrong password. Letters in passwords must be typed using the correct case. Make sure that Caps lock is not accidentally on | ServerMgrNew |
| | | Failed to reset session. User information will be refreshed | ServerMgrNew |
| | | Unable to send message to the selected session. User information will be refreshed | ServerMgrNew |
| | | Status information is not available for this session. User information will be refreshed | ServerMgrNew |
| | | Unable to collect process data for this server. The request timed out | ServerMgrNew |
| | | Unable to collect session data for this server. The request timed out | ServerMgrNew |
| | | The Auto Client Reconnect settings could not be changed. | ServerMgrNew |
| | | Please choose a Feature Release level. | ServerMgrNew |
| | | The Feature Release level could not be changed. | ServerMgrNew |
| 1340 | | The File Type Association settings could not be changed. | ServerMgrNew |
| | | A zone with the same name already exists! | IMACoreSettingsMgr |
| | | A zone cannot be deleted until all servers have been removed from it! | IMACoreSettingsMgr |
| | | A zone must contain at least one server! | IMACoreSettingsMgr |
| | B4 | An internal error occured while loading default icons. | Ext.Widgets.IconChooser |
| | | The data store is not available. Some features may not be available | Ext.Framework.Tools |
| | B | The operation to remove the server from farm has timed out, but it may have succeeded. | AdminUserMgr |
| | C | The persistent store server cannot be removed. | AdminUserMgr |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | | The load evaluator name is already being used. Please use a different name. | LMSAdmin |
| | | Cannot delete the default evaluator. | LMSAdmin |
| | | The load evaluator is still in use. Please detach the load evaluator from any servers or applications before deleting | LMSAdmin |
| | | Cannot delete the default evaluator or load evaluators that are still in use. Please detach the load evaluators from any servers or applications before deleting | LMSAdmin |
| | | At least one load evaluator could not be deleted because it is still in use. Please detach the load evaluators from any servers or applications before deleting. | LMSAdmin |
| Various | Various | At least one load evaluator could not be deleted. | LMSAdmin |
| | C000E | The server is still reachable, and cannot be removed. It should be removed by uninstall program | AdminUserMgr |
| | C | Could not read application data from the Citrix server farm. | MetaFramePubAppMgr |
| | C | Could not write application data to the Citrix server farm. | MetaFramePubAppMgr |
| | C | Could not delete application data from the Citrix server farm. | MetaFramePubAppMgr |
| | C005000A | Display Name not specified. | MetaFramePubAppMgr |
| | C005000B | The Display Name already exists in this application folder. | MetaFramePubAppMgr |
| | C005000E | The Application Name cannot contain any of the following characters: \/;:.*?=<> []()'" | MetaFramePubAppMgr |
| | C005000F | The command line is required to publish an application. Enter the path and filename of the application's executable file in the Command Line box | MetaFramePubAppMgr |
| | C005000F | The content address is required to publish a content. Enter the UNC or the URL address for the content. | MetaFramePubAppMgr |
| | C | The window size specified is too small. | MetaFramePubAppMgr |
| | C | The window size specified is too large. | MetaFramePubAppMgr |
| | C | File paths cannot contain any of the following characters: / *?"<> | MetaFramePubAppMgr |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | C | The ICA file name you entered cannot be found. Use the Browse button to locate and select the ICA file. | MetaFramePubAppMgr |
| | C | Unable to write the file to disk. | MetaFramePubAppMgr |
| | C005001A | The Display Name cannot contain any of the following characters: \/;:.*?=<> []()'" | MetaFramePubAppMgr |
| | C005001C | The application has a minimum required encryption level of: <level>. You cannot create an ICA file with an encryption level less than this | MetaFramePubAppMgr |
| | C005001D | The application has a minimum audio requirement. You must specify an audio setting. | MetaFramePubAppMgr |
| | C005001E | You must enter a TCP/IP port between 1 and | MetaFramePubAppMgr |
| | C005001E | You must specify a server to get browsing information from | MetaFramePubAppMgr |
| | C | The Application Name may only have a maximum of 38 ANSI characters, or 19 UNICODE characters | MetaFramePubAppMgr |
| | C | The selected application may not have been published because the request has timed out. If the published application does not appear in Citrix Management Console, please try again | MetaFramePubAppMgr |
| | C | The selected published application could not be copied because the data cannot be accessed from the data store | MetaFramePubAppMgr |
| | C | You cannot change the properties of an application published with an updated version of MetaFrame XP. To edit the properties, you must connect to a MetaFrame XP server with the latest service pack installed or install the latest service pack on all MetaFrame XP servers in your farm | MetaFramePubAppMgr |
| | C | The ICA file was not created because a server hosting the application did not respond. Please try again. | MetaFramePubAppMgr |
| | C | The Application Name already exists in the server farm. | MetaFramePubAppMgr |
| | C | Failed to add Network Print Server <servername>. | PrinterMgr |
| | C | The specified Network Print Server has already been added | PrinterMgr |
| | C | The specified Network Print Server could not be contacted or has no printers. | PrinterMgr |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | C | You must enter a user name. | PrinterMgr |
| | C | Failed to delete Network Print Server <servername>. | PrinterMgr |
| | C | Failed to refresh Network Print Server data for server <servername>. | PrinterMgr |
| | C | Could not enumerate all printers. | PrinterMgr |
| | C | Could not enumerate printers for server <servername>. | PrinterMgr |
| | C | Could not enumerate all drivers. | PrinterMgr |
| | C013000A | Could not enumerate drivers for server <servername>. | PrinterMgr |
| | C013000B | Could not enumerate MetaFrame servers for this farm. | PrinterMgr |
| | C013000C | Could not enumerate servers that have print driver <drivername>. | PrinterMgr |
| | C013000D | Replication failed. | PrinterMgr |
| | C013000E | Replication from server <servername> failed. | PrinterMgr |
| | C013000F | The drivers you selected are for different platforms. When selecting multiple drivers, all drivers must be for the same platform | PrinterMgr |
| | C | Could not enumerate operating system platforms. | PrinterMgr |
| | C | The specified driver already exists in the Compatibility list. | PrinterMgr |
| | C | Failed to set Compatibility list. | PrinterMgr |
| | C | Could not enumerate Driver Mapping list. | PrinterMgr |
| | C | Failed to set Driver Mapping list. | PrinterMgr |
| | C | Could not enumerate bandwidth limits. | PrinterMgr |
| | C | Failed to set bandwidth limits. | PrinterMgr |
| | C | Could not enumerate users and groups configured for printer <printername> | PrinterMgr |
| | C | Could not enumerate all users and groups for specified domain | PrinterMgr |
| | C013001a | Failed to set Auto-creation settings for printer <printername>. | PrinterMgr |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | C013001C | Failed to copy Auto-creation settings from printer <printername>. | PrinterMgr |
| | C013001D | Could not enumerate Client Printer list. | PrinterMgr |
| | C013001E | The specified client printer already exists in the list. | PrinterMgr |
| | C013001F | The specified port has already been assigned for this client. | PrinterMgr |
| | C | Could not enumerate Auto-replication list. | PrinterMgr |
| | C | Failed to set Auto-replication list. | PrinterMgr |
| | C | Could not enumerate Compatibility list. | PrinterMgr |
| | C | The specified client driver already exists in the Mapping list. | PrinterMgr |
| | C | Could not enumerate domains. | PrinterMgr |
| | C | Failed to set Client Printer list. | PrinterMgr |
| | C | Failed to determine operating system platform for one or more servers in the farm. These servers cannot be used as destinations for printer driver replication actions | PrinterMgr |
| | C | The printer management system on the preferred server could not be contacted. You will not be able to make changes to printer-related data | PrinterMgr |
| | C | Could not enumerate servers with the print driver <drivername>. | PrinterMgr |
| | C | The names of some users could not be obtained. | PrinterMgr |
| | C013002A | Could not get the platform for server <servername>. | PrinterMgr |
| | C013002B | Could not enumerate Network Print Servers. | PrinterMgr |
| | C013002C | Failed to get driver for printer <servername> | PrinterMgr |
| | C013002D | The specified domain does not exist or does not trust the farm | PrinterMgr |
| | C | The specified driver has been marked incompatible with all server platforms in the farm. | PrinterMgr |
| | C | Search failed. | PrinterMgr |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| | C | An unknown error occurred. | PrinterMgr |
| | C | General failure. | PrinterMgr |
| | C | There is not enough memory to complete the operation. | PrinterMgr |
| | C | There are not enough resources to complete the operation. | PrinterMgr |
| | C | The item was not found. | PrinterMgr |
| | C | The operation timed out. | PrinterMgr |
| | C | Enumeration failed. | PrinterMgr |
| | C | Access is denied. | PrinterMgr |
| | C | Network failure. | PrinterMgr |
| | C013800A | The destination could not be found. | PrinterMgr |
| | C | The server could not be contacted. | PrinterMgr |
| | C | Authentication failed. | PrinterMgr |
| | C | The domain controller could not be contacted. | PrinterMgr |
| | C | The item already exists. | PrinterMgr |
| | C | The server is part of the farm. | PrinterMgr |
| | C | The network server has already been added. | PrinterMgr |
| / Various | C / Various | Could not enumerate the user accounts in this Domain. There might be communication problems on the network. | UserEnumeration |
| | C | Could not collect required user account information for some or all of the accounts from this Domain. These users will not be added to Configured Accounts list. | UserEnumeration |
| | C | The domain controller for this domain is not available. | UserEnumeration |
| | C | One or more servers selected to host this application have failed to complete the initial startup sequence. The server(s) will not be available for publishing applications until the IMA service is restarted | UserEnumeration |
| | C | The accounts trusted by the selected servers could not be determined. | UserEnumeration |
| | C | Could not enumerate domains. | UserEnumeration |

| Error Code (decimal) | Error Code (hex) | Error Message | Error Comes From |
|---|---|---|---|
| Various | Various | Could not attach load evaluator to this server. | LMSAdmin |
| Various | Various | Could not create a new load evaluator. | LMSAdmin |
| Various | Various | Could not delete the load evaluator. | LMSAdmin |
| Various | Various | Could not get the list of servers attached to the application. | LMSAdmin |
| Various | Various | Could not modify the load evaluator. | LMSAdmin |
| Various | Various | The Citrix Management Console failed to remove the server. | AdminUserMgr |
| | | IM network browser failed. | IMSMgr |
| | | Installer failed (usually ADF installer since MSI has its own error codes). | IMSMgr |
| | | Logon to the network share account failed. | IMSMgr |
| | | No network share point account is specified. | IMSMgr |
| | | Package is in use and cannot be modified. | IMSMgr |
| | | Package with the same name already exists. | IMSMgr |
| | | The operation is not allowed, for example, a job cannot be modified after it is started | IMSMgr |
| | | The package file provided (when adding a package to the data store) is not a valid (msi or adf) package. | IMSMgr |


Appendix I: Registered Citrix Ports

| Name | Number | Protocol | Description |
|---|---|---|---|
| ica | 1494 | TCP | ICA |
| ica | 1494 | UDP | <not used> |
| ica | 0x85BB | IPX | ICA |
| ica | 0x9010 | SPX | ICA |
| icabrowser | 1604 | TCP | <not used> |
| icabrowser | 1604 | UDP | ICA Browser |
| icabrowser | 0x85BA | IPX | ICA Browser |
| citrixima | 2512 | TCP | IMA (server to server) |
| citrixima | 2512 | UDP | <not used> |
| citrixadmin | 2513 | TCP | IMA (CMC to server) |
| citrixadmin | 2513 | UDP | <not used> |
| citriximaclient | 2598 | TCP | <not used> |
| citriximaclient | 2598 | UDP | <not used> |
| citrix-rtmp | 2897 | TCP | rtmp (Control) Video Frame |
| citrix-rtmp | 2897 | UDP | rtmp (Streaming Data) Video Frame |
| Citrix Systems | 3845 | MIB | Private Enterprise Number. Used for SNMP MIB Object ID and Active Directory Schema Object Ids (OID). |


More information

Installing and Configuring DHCP with NetWare 5

Installing and Configuring DHCP with NetWare 5 BY JOHN E. JOHNSTON Installing and Configuring DHCP with NetWare 5 The Dynamic Host Configuration Protocol (DHCP) function and its options are essential in the creation of a TCP/IP environment. The DHCP

More information

BlackBerry Enterprise Server for Lotus Domino 2.1 Service Pack 1 Readme file

BlackBerry Enterprise Server for Lotus Domino 2.1 Service Pack 1 Readme file BlackBerry Enterprise Server for Lotus Domino 2.1 Service Pack 1 Readme file PLEASE READ THE LEGAL NOTICES SET OUT AT THE END OF THIS DOCUMENT. This document provides information about BlackBerry Enterprise

More information

Cisco TEO Adapter Guide for Microsoft Windows

Cisco TEO Adapter Guide for Microsoft Windows Cisco TEO Adapter Guide for Microsoft Windows Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

Migration and Upgrade Guide

Migration and Upgrade Guide Migration and Upgrade Guide Citrix MetaFrame XP TM Application Server for Windows Version 1.0 Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Administrator s Guide

Administrator s Guide Administrator s Guide Citrix ICA Java Client Version 6.20 Citrix Systems, Inc. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious

More information

Novell BorderManager 3.7

Novell BorderManager 3.7 Novell Novell BorderManager 3.7 3.7 QUICK START www.novell.com Installing Novell BorderManager This section provides instructions for installing the Novell BorderManager 3.7 (NBM 3.7) software. SYSTEM

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Relativity Designer Installation Guide

Relativity Designer Installation Guide Liant Software Corporation Relativity Designer Installation Guide Version 5 Copyright 1994-2003 by Liant Software Corporation. All rights reserved. Printed in U.S.A. No part of this publication may be

More information

Installation and Configuration Guide for Visual Voic Release 8.5

Installation and Configuration Guide for Visual Voic Release 8.5 Installation and Configuration Guide for Visual Voicemail Release 8.5 Revised October 08, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Connect the PC and Log into the GUI

Connect the PC and Log into the GUI 2 CHAPTER Connect the PC and Log into the GUI This chapter explains how to connect Windows PCs and Solaris workstations to the Cisco ONS 15454 and how to log into Cisco Transport Controller (CTC) software,

More information

Parallels Containers for Windows 6.0

Parallels Containers for Windows 6.0 Parallels Containers for Windows 6.0 Deploying Microsoft Clusters June 10, 2014 Copyright 1999-2014 Parallels IP Holdings GmbH and its affiliates. All rights reserved. Parallels IP Holdings GmbH Vordergasse

More information

Disclaimer; No Warranty Copyright Trademarks

Disclaimer; No Warranty Copyright Trademarks Disclaimer; No Warranty THIS INFORMATION AND ALL OTHER DOCUMENTATION (IN PRINTED OR ELECTRONIC FORM) ARE PROVIDED FOR REFERENCE PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY

More information

NCD ThinPATH PC Installation Guide and Release Notes

NCD ThinPATH PC Installation Guide and Release Notes NCD ThinPATH PC Installation Guide and Release s Copyright Copyright 2001 by Network Computing Devices, Inc. (NCD).The information contained in this document is subject to change without notice. Network

More information

Ensure that the server where you install the Primary Server software meets the following requirements: Item Requirements Additional Details

Ensure that the server where you install the Primary Server software meets the following requirements: Item Requirements Additional Details ZENworks 11 SP4 System July 2015 The following sections provide the Novell ZENworks 11 SP4 requirements for hardware and software: Section 1, Primary Server, on page 1 Section 2, Managed Device, on page

More information

Version Installation Guide. 1 Bocada Installation Guide

Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

Intel Server RAID Controller U2-1 Integration Guide For Microsoft* Windows NT* 4.0

Intel Server RAID Controller U2-1 Integration Guide For Microsoft* Windows NT* 4.0 Intel Server RAID Controller U2-1 Integration Guide For Microsoft* Windows NT* 4.0 Revision 1.0 February 2000 Revision History Revision Revision History Date 1.0 Initial Release 02/10/00 Intel Corporation

More information

Setting Up an Environment for Testing Applications in a Federated Portal Network

Setting Up an Environment for Testing Applications in a Federated Portal Network SAP NetWeaver How-To Guide Setting Up an Environment for Testing Applications in a Federated Portal Network Applicable Releases: SAP NetWeaver 7.0 IT Practice: User Productivity Enablement IT Scenario:

More information

Ivanti Device and Application Control 5.1 U1. Setup Guide

Ivanti Device and Application Control 5.1 U1. Setup Guide Ivanti Device and Application Control 5.1 U1 Setup Guide Notices Version Information Ivanti Device and Application Control Setup Guide - Ivanti Device and Application Control Version 5.1 Update 1 - Published:

More information

VMware Mirage Getting Started Guide

VMware Mirage Getting Started Guide Mirage 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

StoneGate SSL VPN. Release Notes for Version 1.4.5

StoneGate SSL VPN. Release Notes for Version 1.4.5 StoneGate SSL VPN Release Notes for Version 1.4.5 Created: March 3, 2011 Table of Contents What s New... 3 Enhancements... 3 Fixes... 3 System Requirements... 4 StoneGate Appliances... 4 Build Version...

More information

Data Protector Express Hewlett-Packard Company

Data Protector Express Hewlett-Packard Company Installation Guide Data Protector Express Hewlett-Packard Company ii Data Protector Express Installation Guide Copyright Copyright 2005/2006 by Hewlett-Packard Limited. March 2006 Part Number BB116-90024

More information

Lotus Sametime 7 for i5/os

Lotus Sametime 7 for i5/os Lotus Sametime 7 for i5/os Version 7 Installing and Managing Sametime 7 for i5/os G210-2062-00 Copyright and Trademark Information Disclaimer; No Warranty THIS INFORMATION AND ALL OTHER DOCUMENTATION

More information

Citrix Consulting Services Citrix Systems, Inc.

Citrix Consulting Services Citrix Systems, Inc. Migrating from MetaFrame 1.8 to MetaFrame XP By Citrix Consulting Services Citrix Systems, Inc. Notice The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Feature and Technical Overview SWDT305802-524791-0331031644-001 Contents 1 Overview: BlackBerry Enterprise Server... 5 New in this release...

More information

Administrator s Guide

Administrator s Guide Administrator s Guide Citrix ICA UNIX Clients Version 6.0 Version 3.0 Linux SGI IRIX IBM AIX Compaq Tru-64 Sun Solaris (SPARC) SunOS HP-UX Sun Solaris (x86) SCO Citrix Systems, Inc. Information in this

More information

CA Nimsoft Monitor for Flow Analysis

CA Nimsoft Monitor for Flow Analysis CA Nimsoft Monitor for Flow Analysis Release Notes Release 1.1 Document Revision History Document Version Date Changes 1.1 11/30/2012 Updated for Flow Analysis 1.1 release 1.0 9/29/2012 Initial version

More information

Lesson 1: Preparing for Installation

Lesson 1: Preparing for Installation 2-2 Chapter 2 Installing Windows XP Professional Lesson 1: Preparing for Installation When you install Windows XP Professional, the Windows XP Professional Setup program allows you to specify how to install

More information

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Documentation version:

More information

Deploying Citrix MetaFrame with the FirePass Controller

Deploying Citrix MetaFrame with the FirePass Controller Deployment Guide Deploying Citrix Presentation Server (MetaFrame) with the FirePass Controller Deploying Citrix MetaFrame with the FirePass Controller Welcome to the F5 FirePass controller Deployment Guide

More information

CorpSystem Workpaper Manager

CorpSystem Workpaper Manager CorpSystem Workpaper Manager Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced

More information

Sage Installation and System Administrator s Guide. March 2019

Sage Installation and System Administrator s Guide. March 2019 Sage 100 2019 Installation and System Administrator s Guide March 2019 2019 The Sage Group plc or its licensors. All rights reserved. Sage, Sage logos, and Sage product and service names mentioned herein

More information

Siebel Installation Guide for Microsoft Windows

Siebel Installation Guide for Microsoft Windows Siebel Installation Guide for Microsoft Windows Siebel 2018 (Applies to Siebel CRM Updates 18.4 through 18.9) September 2018 Copyright 2005, 2018 Oracle and/or its affiliates. All rights reserved. This

More information

Citrix Exam 1Y0-A23 XenApp 5 for Windows Server 2003: Administration

Citrix Exam 1Y0-A23 XenApp 5 for Windows Server 2003: Administration s@lm@n Citrix Exam 1Y0-A23 XenApp 5 for Windows Server 2003: Administration Question No : 1 Which of the following does a data collector not do? A. Hosts an in-memory database with dynamic information

More information

BlackBerry Enterprise Server for Microsoft Exchange

BlackBerry Enterprise Server for Microsoft Exchange BlackBerry Enterprise Server for Microsoft Exchange Version 3.5 Service Pack 1 Hotfix 2 December 2002 PLEASE READ THE LEGAL NOTICES SET OUT AT THE END OF THIS DOCUMENT. This document provides information

More information

Cisco TEO Adapter Guide for

Cisco TEO Adapter Guide for Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007 Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007 Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

HP Data Protector Media Operations 6.11

HP Data Protector Media Operations 6.11 HP Data Protector Media Operations 6.11 Getting started This guide describes installing, starting and configuring Media Operations. Copyright 2009 Hewlett-Packard Development Company, L.P. Part number:

More information

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL Security Appliances SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide This Getting Started Guide contains installation procedures and configuration

More information

Installation Guide Worksoft Certify

Installation Guide Worksoft Certify Installation Guide Worksoft Certify Worksoft, Inc. 15851 Dallas Parkway, Suite 855 Addison, TX 75001 www.worksoft.com 866-836-1773 Worksoft Certify Installation Guide Version 9.0.3 Copyright 2017 by Worksoft,

More information

CMB-207-1I Citrix Desktop Virtualization Fast Track

CMB-207-1I Citrix Desktop Virtualization Fast Track Page1 CMB-207-1I Citrix Desktop Virtualization Fast Track This fast-paced course covers select content from training courses CXA-206: Citrix XenApp 6.5 Administration and CXD-202: Citrix XenDesktop 5 Administration

More information

XenApp 5 Security Standards and Deployment Scenarios

XenApp 5 Security Standards and Deployment Scenarios XenApp 5 Security Standards and Deployment Scenarios 2015-03-04 20:22:07 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents XenApp 5 Security Standards

More information

Pre-Installation Checklist v5.0

Pre-Installation Checklist v5.0 Pre-Installation Checklist v5.0 November 2010 Table of Contents Introduction 3 Network infrastructure 4 ShareScan Manager PC 5 Devices 7 ecopy Connectors 8 Network Communication 13 Document Management

More information

EMC NetWorker Module for Microsoft for Windows Bare Metal Recovery Solution

EMC NetWorker Module for Microsoft for Windows Bare Metal Recovery Solution EMC NetWorker Module for Microsoft for Windows Bare Metal Recovery Solution Release 3.0 SP1 User Guide P/N 302-000-098 REV 02 Copyright 2007-2014 EMC Corporation. All rights reserved. Published in the

More information