Certification Objective 6.03: Creating Connections with the Citrix Connection Configuration

When a Citrix user accesses a Citrix server or a published application, three major components are required for the connection. In a very simple overview, an ICA client, a network connection, and a Citrix server are the three components necessary. The ICA client has to know the address of the Citrix server and the type of network connection being used for the connection. On the other hand, the Citrix server has to know what kind of network connection is present, and the server must be configured to accept incoming connections.

The Citrix Connection Configuration utility (Figure 6-10) is a very granular tool that is used to configure and manage server connections. When MetaFrame is installed on a Terminal Server, one ICA connection is created for each network protocol. The Citrix Connection Configuration tool can be used to add more listeners or edit the existing ICA and RDP (Remote Display Protocol) connections. By default, ICA connections do not provide a high level of security, but there are many options for securing a Citrix ICA connection. Some people may refer to ICA and RDP connections as 'listeners.' In fact, throughout the rest of this section, we will do just that. This way we will not confuse the term with an actual client connection.

Figure 6-10: The Citrix Connection Configuration tool

RDP, or Remote Display Protocol, is Microsoft's version of a thin-client protocol. RDP operates on many of the same principles as the ICA protocol. RDP allows users to access and control Windows Terminal Servers remotely, using a minimal amount of resources on the client device. However, the RDP protocol is not as robust as the ICA protocol. The RDP protocol only supports TCP/IP and lacks many of the ICA features that create a seamless user experience for Citrix clients. The ICA protocol also supports a wide range of client devices, and there is an ICA client available for almost every software platform. The client devices and platforms that RDP can support, on the other hand, are somewhat limited.

Exercise 6-3: Creating an ICA Connection With the Citrix Connection Configuration tool

1. Open the Citrix Connection Configuration tool and select the New option from the Connection menu.

2. From the New Connection dialog box, name the connection TEST.

3. Set the connection type to ICA and select TCP as the transport type.

4. Select the Advanced button and adjust the Timeout settings so that the ICA connection will reset disconnected sessions after two minutes; then select the OK button to return to the New Connection dialog box.

5. Select the Client Settings button and check the option to Disable Audio Mapping; then select the OK button to return to the New Connection dialog box.

6. From the New Connection dialog box, select the OK button again to create the new ICA connection.

7. Open up the Citrix Server Administration tool and locate the Citrix server. Expanding the view of the server should now allow you to see the new listener you created.

Citrix administrators may need to create additional ICA listeners to provide users with connectivity to a Citrix server or published applications. By default, MetaFrame will create an ICA listener for each network protocol that is in use at the time of the MetaFrame installation. Administrators can use the Citrix Connection Configuration tool to edit the listeners that are created during the MetaFrame installation, but they may also want to use this tool to create additional listeners. Opening the Citrix Connection Configuration tool will provide administrators with a list of the existing listeners and the options to create new listeners. Selecting New from the Connection menu brings up the New Connection dialog box (as shown in Figure 6-11).

Figure 6-11: Creating a new connection

When creating a new connection, administrators will need to select a name for the listener. Each listener on a Citrix server needs to have a unique name. Administrators must also select the connection type and transport for the new listener. The connection type will determine what transport options are available for the connection. If the connection type is set to use RDP, the only transport option that is available will be TCP. Setting the connection type to use ICA will provide more options to select from in the transport field. ICA can be transported over TCP, IPX, SPX, NetBIOS, and async (asynchronous) connections. When a transport option is selected, administrators will see an additional set of transport configuration options in the New Connection dialog box.

If the transport option is set to use a network protocol, administrators will see a list of network adapters configured for the selected protocol. By default, the listener will be bound to all the LAN (local area network) adapters that are configured with the selected protocol, and there will be unlimited connections available on the listener. An ICA listener can be restricted to allow a specified number of connections; otherwise, connectivity to the listener is only limited by Citrix licensing. Listeners can be bound to a specific LAN adapter if the Citrix server has multiple network adapters. Administrators may bind different listeners to different network adapters as a means of securing access to a Citrix server. Since each listener has its own set of security options, Citrix administrators can control who connects to a particular listener, how many users can access the listener simultaneously, and what configuration options will be set for those users.

If the transport option is set for asynchronous connections, administrators will see a list of devices that are available for asynchronous connectivity. A list of COM ports and/or modems will be displayed, along with a set of options for the device being used. Async connections have many of the same security features as network connections, but each Async listener is limited to one connection. Asynchronous connections also have additional configuration options not available with network connections. If asynchronous connections are configured for dial-up access, the properties of the selected modem are accessible through the Citrix Connection Configuration tool. Administrators may wish to alter modem settings or configure modem callback using the Citrix Connection Configuration tool.

After creating a new ICA listener, Citrix administrators can use the Citrix Connection Configuration tool to alter the settings of the listener at a later time. Opening the Citrix Connection Configuration tool provides administrators with a list of listeners installed by default, as well as any additional listeners created. Administrators can double-click any of the listeners to access the properties of that particular listener, or highlight the listener and select the Edit option from the Connection menu. Viewing the properties of a selected listener will show the basic configuration information for that listener, along with the following buttons that can be used for managing more detailed configuration options:

• ICA Settings This button provides access to the client audio settings, which can be set to low, medium, or high. Higher audio quality requires more bandwidth.

• Client Settings This button is used for configuring the client settings for a selected listener. Administrators will have access to information, such as client mapping options (as shown in Figure 6-12). Some of these options are available at a user level and can be inherited from a user's configuration.

Figure 6-12: Configuring Client Settings

• Advanced Settings This button allows administrators to manage the advanced options of a selected listener. Administrators can apply a number of different configurations here to secure incoming connections for a selected listener. Many of these options are also available on a user level and can be inherited from a user's configuration.

The Client Settings button, which can be located by editing the properties of an ICA listener, provides access to several settings that are used to restrict access to certain client mappings. By default, a Citrix server will map resources from the Citrix server to an ICA client device to provide a seamless user experience. When an ICA client logs on to a Citrix server, the server will map its own resources to the appropriate resource of the client device so the user can utilize local resources from within an ICA session. However, Citrix administrators may want to restrict access to all or some of these local resources.

Now that you are familiar with the Citrix Connection Configuration utility, let's look at some possible scenarios you may run into as a Citrix administrator.

Using the Citrix Connection Configuration tool, Citrix administrators can disable all or some of the resources mapped by default. This includes ICA client drives, ports, and printers. ICA clients also map to the client's clipboard, so the user can cut and paste between ICA sessions and local applications. Administrators can configure an ICA listener so it does not map these resources at logon. If a resource is not configured to map during a session logon, the resource can be mapped after logging on to the server. If an administrator does not want users to map resources after logging on, the resource mapping must be disabled in the Citrix Connection Configuration tool.

Some of the options in the Citrix Connection Configuration tool are available at the user level using Microsoft's User Manager For Domains or by using the Active Directory Users and Computers utility in Windows 2000. ICA listeners can be configured to use the settings that have been established at a user level or to override any settings that have been applied at a user level. Establishing these settings at a user level provides a higher level of granularity, but also creates more administrative overhead.

Citrix administrators should pay close attention to the configuration of client printers. With such a wide array of client devices and printers, Citrix administrators may find themselves overwhelmed by printing issues. Between technically 'challenged' end users and the importance of printing, some administrators may even be tempted to send each user a camera and ask them to take pictures of their screens! On the other hand, a few simple configuration changes may keep the printing problems in check. The Other Options section of the Client Settings has an option for only connecting to a client's default printer. If this option is left unchecked, the Citrix server will attempt to map every printer the client is using. In small Citrix environments, this may not present an issue, but a Citrix server with higher user volume may experience problems.

There are several advanced settings that can be configured for a selected ICA connection. The Advanced button can be found by editing the settings of an ICA connection, and provides administrators with access to the Advanced Connection Settings dialog box, shown in Figure 6-13. From here administrators have several options:

Figure 6-13: Configuring Advanced Connection Settings

• Logon Disable/Enable This option simply gives Citrix administrators the ability to enable or disable logons for a selected listener. Selecting this option will keep users from connecting to a selected listener without taking the server offline or making serious configuration changes.

• Timeout Settings Timeout settings can be configured to terminate connected, disconnected, or idle sessions after a given amount of time elapses. Administrators may wish to use a combination of these settings to keep users from inadvertently wasting server resources. Citrix users may not know the difference between disconnecting from a remote session and logging off from a session, in which case administrators may want to configure timeout settings so that disconnected sessions will be reset.

• Security Required Encryption This feature can be used to set the desired level of data encryption for the listener. If the required encryption is set higher than basic encryption, the ICA client must be configured to use a higher level of encryption. This feature also has an option for using Default NT Authentication. If Default NT Authentication is in use, users on the selected connection will be authenticated using the default NT authentication DLL (Dynamic Link Library), regardless of any other authentication packages installed on the server.

• On Broken Or Timed-Out Connection This option specifies how the server handles sessions that are erroneously disconnected or timed-out. Broken sessions are configured to disconnect by default, but sessions can be configured to reset if the session is broken or timed-out.

• Reconnect Session Disconnected With this feature, Citrix administrators can allow users to reconnect to disconnected sessions from any client device. This option can also be set so users can only reconnect to a disconnected session from the client device that began the session.

• Shadowing Shadowing can be enabled or disabled with this feature. It also allows administrators to turn input and prompting on or off for the selected listener.

• AutoLogon The AutoLogon option can be configured so all connections to a selected listener automatically log on with a specified user account. However, administrators should carefully consider the security implications of using this option. If this option is used carelessly, administrators may not be able to control who accesses the Citrix server.

• Initial Program This feature allows administrators to specify a program that will be run automatically for all sessions that connect to a selected listener. This feature will also give administrators the ability to configure the listener to only allow access to published applications.

• User Profile Overrides This option simply allows administrators to disable wallpaper that is associated with a user's profile. Some users may have graphically intensive wallpaper associated with their mandatory or roaming profile. Disabling wallpaper could provide these users with better performance over slow network connections.

Many of the options found in the Advanced Connection Settings are available in User Manager For Domains. The same options can also be found in the Active Directory Users and Computers utility in Windows 2000. The settings that can be configured on a user level have an option for inheriting the user configuration. Any settings configured for a specific server listener will override settings applied at the user level.