CCA Citrix MetaFrame XP for Windows Administrator Study Guide Exam 70-220
Authors: Oglesby R., Craft M
Published year: 2001
Program Neighborhood is the client-side software that provides Independent Computing Architecture (ICA) connectivity from a variety of client devices to published applications and MetaFrame servers. Currently, the list of supported devices includes
32-bit Windows-based PCs
16-bit Windows-based PCs
Windows CE, Linux, and Windows NT Embedded thin client devices
Personal Digital Assistants (PDAs)
IBM OS/2-based PCs
Apple Macintosh computers
EPOC/Symbian Operating System (OS) clients
For the remainder of this chapter, we will focus on the Win32 Program Neighborhood unless otherwise specified. The minimum requirements for the Win32 client are
An Intel or compatible 386 CPU or better (OS requirement)
An Intel or compatible 133 MHz Pentium CPU for Windows 2000 (OS requirement)
A Win32 OS (Windows 9x, Windows ME, Windows NT 3.5x, Windows NT 4.0, Windows 2000)
8MB of RAM for Windows 9x
16MB of RAM for Windows NT
64MB of RAM for Windows 2000
A VGA or SVGA video adapter
A 1.44MB floppy drive
A hard drive with available space for client
Optional sound card for audio
Optional Network Interface Card (NIC) for network connections with appropriate protocols installed
Optional internal or external modem for dial-up connections
Program Neighborhood consists of three distinct views: Application Set Manager, Default, and Custom ICA Connections.
The Application Set Manager view (Figure 10-1) lists existing farm connections, and it allows the user to connect to new application sets (server farms). The user can also select a default view, the initial view seen when PN is launched. The default view can either be a server farm or the Custom ICA Connections view.
Figure 10-1: The Application Set Manager view
You should get exposure to as many different ICA clients as you can. DOS, Win16, and Win32 clients may be easier to come by; but if possible, practice installing and configuring the Java, MAC, CE and Unix clients. Note what features are not available in the non-Win32 and Java clients, such as connections to a server farm.
Remember, many handheld devices run Windows CE, so you can have full Windows NT or 2000 functionality on a handheld device. However, there is no PALM OS client, so these devices will not work. Practice using the various color depths, screen sizes, and seamless windows, and note how each behaves.
-Joel W. Stolk, CCA, CCNA, MCSE
This icon launches the Find New Application Set Wizard (see Figure 10-2).
Figure 10-2: The Find New Application Set Wizard
This screen asks you to select from the following options: Local Area Network, Wide Area Network, and Dial-Up Networking (PPP/RAS). Local Area Network will send out a broadcast for the ICA Master Browser for a list of server farms. Wide Area Network performs the same action as the Local Area Network, with the only difference being that this will turn on bitmap caching. Bitmap caching stores commonly used bitmaps and graphics on the local hard drive, and helps speed up slower connections. Bitmap caching is enabled by default on Dial-Up Networking (PPP/RAS) connections. Dial-Up Networking connections are direct connections over a modem, ISDN, DSL, or other type of WAN connection. Choosing a Dial-Up Networking (PPP/RAS) connection will allow you to launch Dial-Up Networking on the client device and allow you to choose an existing dial-up connection.
The next screen in the wizard (Figure 10-3) allows for the connection to the farm itself. The description will be the same as your server farm by default. If your server farm is on your subnet, it will appear when you click the drop-down arrow. Program Neighborhood sends a broadcast packet and listens for the nearest ICA browser to respond. Once this happens, the client will request a list of farms from the ICA Browser. If you need to make a connection to a remote server farm or want to specify a server or protocol, you need to modify the connection properties by clicking the Server Location button.
Figure 10-3: The Find New Application Set Wizard, Screen 2
The Locate New Application Set dialog box (Figure 10-4) lets you specify the connection protocol and server(s) to which you need to connect for ICA browsing. The available protocols are TCP/IP, TCP/IP + HTTP, IPX/SPX and NetBIOS. When using a TCP/IP + HTTP connection, you must have a Citrix server on your network mapped to the default name of ica.yourdomain, or specify an address.
Figure 10-4: The Locate New Application Set dialog box
The Server Group lets you specify up to three address groups to which you can connect. The groups are used in the following order:
The client will attempt connection to servers in the Primary group. If no connection is made after five seconds, the Backup group will be selected, and so on. These groups can be renamed with the Rename Group button. Servers can be added or deleted from groups in the address list box. When using TCP/IP + HTTP, you can specify a port, but the default is 80.
When you click the Firewalls… button, the screen in Figure 10-5 appears.
Figure 10-5: The Firewall Settings dialog box
The Use Alternate Address For Firewall Connection check box allows you to connect to the public address if your ICA browser is inside a firewall.
The program altaddr.exe specifies an alternate address on a Citrix server. This is the external address specified on a router when using Network Address Translation (NAT) on a private network. The format for altaddr.exe is
servername /SET AlternateAddress (to set an external address)
servername /DELETE AdapterAddress (to delete an external address)
The check box Connect Via SOCKS Proxy will allow the client to connect to a remote ICA browser when the client is inside a SOCKS firewall. You must specify the IP of the SOCKS proxy and its port.
After you have made your connection to your Application Set (Farm), you have the option to configure how the connections will be presented on the next screen (Figure 10-6). The Enable Sound For This Application Set check box will turn client audio mapping on if selected. Under the Windows Colors drop-down menu, you can choose between 16 Colors, 256 Colors, High Color (16-bit), and True Color (24-bit). Under Window Size, we have the following options:
Figure 10-6: Application Set settings
Custom (in pixels)
Percent of Screen Size (up to 100%)
The first six options let us specify the size of the connection window in pixels. These first six options will also dictate the amount of bandwidth to be consumed for graphics, as will the number of colors. When trying to enhance performance, the fewest pixels and colors should be used in a session. The Percent Of Screen Size option will size the connection window as a percentage of the client's screen size. A full screen window will fill the entire client screen with the connection window. A Seamless Window will have no window around the session. It will appear as if the session is running on the local client machine. The user will have to press ALT-DEL to return to the local client window.
Once your application set has been created, you can right-click the icon and select from several options (see Figure 10-7).
Figure 10-7: Application Set options
If you select Set As Default, this will specify the application set to be the Default view, which is discussed in the next section. Create Desktop Shortcut will create an icon on the desktop that will allow connection to the Application Set without going through Program Neighborhood. Duplicate, or F8, will make a copy of the application set. Choosing Delete, or DEL, will delete the application set from this view. Rename, or F2, will allow you to rename the application set. Application Set Settings brings up the following tabs:
The Connection tab options (Figure 10-8) allow us to set all of the settings, such as the Server Location… button mentioned earlier, with the addition of one option: Auto-detect Network Protocol. When this is selected, the Server Location entries are circumvented, and the ICA client searches for the ICA browser automatically on the local subnet.
Figure 10-8: The Connection tab
The Default Options tab (Figure 10-9) lets you specify several settings for this connection. Data compression reduces the amount of bandwidth needed for the connection, at the expense of additional processor utilization. It is recommended for slower connections. The Use Disk Cache For Bitmaps option turns bitmap caching on or off. Queuing mouse movements and keystrokes reduces bandwidth by waiting longer to send this information to the server, but also slows responsiveness within an ICA session. It should be used only on very slow connections. Turning off desktop integration will prevent the set from creating icons on the desktop. This helps if you have a rogue administrator who likes to flood your desktop with ICA shortcuts to published applications. Select the Enable Sound check box to enable client audio remapping. You can choose from the following options:
Figure 10-9: The Default Options tab
High: Best sound quality (up to 1.3 Mbps); can use a lot of bandwidth
Medium: Compressed sound up to 64 Kbps; good for LAN connections
Low: Compressed sound up to 16 Kbps; good for slower LANs and RAS connections
On The Job
Client audio remapping should be disabled unless absolutely necessary. It uses a lot of unnecessary bandwidth, especially over dial-up connections. The easiest way to disable this is on the server side, which will override the client settings. Whenever remapping client ports and devices, the advantages and disadvantages of such actions should be weighed. Advantages concern things like functionality, while disadvantages include losing bandwidth and slowing down the login process.
The encryption level, also referred to as SecureICA, is also selected in this tab. The client-side encryption levels are as follows (from lowest to highest security):
Basic (default minimal ICA encryption)
128-bit Logons Only (session is encrypted during the logon process only)
40-bit (all of the session is encrypted at this bit rate)
56-bit (all of the session is encrypted at this bit rate)
128-bit (all of the session is encrypted at this bit rate)
If your client-side encryption is set lower than the Citrix server's minimum requirement for a published application, the user will not be able to connect. It's best to leave this setting as Use Server Default.
SpeedScreen latency has three settings: Off (default), On, and Auto. When this setting is set to On or Auto, you can turn on Mouse Click Feedback and Local Text Echo. This gives low-bandwidth users instant feedback and makes their session appear to be running faster. This should be turned off on LAN connections. The Auto setting is used when you are unsure of your bandwidth. The last part of this tab concerns the window size and colors we covered earlier.
The last tab on the application set settings is the Login Information tab (Figure 10-10). This lets us specify login information for the domain to which we are connecting. This tab should be used with great caution, as it could pose a security risk if a user walks away from their computer. The Don't Use Local Username And Password Option is grayed out. This option is available when the Program Neighborhood software is installed, and in this instance it has been turned off.
Figure 10-10: The Login Information tab
The Default view is the initial view displayed when Program Neighborhood is launched and is selected from within the Application Set Manager view. When a default view is chosen, a check box appears on the top right of the icon.
The Custom ICA Connections view (Figure 10-11) allows the user to create direct connections to specific MetaFrame servers, or connect directly to a published application. If applications are published to an NT domain instead of a farm, custom connections will need to be created for each published application to which the users need to connect.
Figure 10-11: The Custom ICA Connections view
Only the Windows 32-bit and Java clients support the Application Set Manager. However, this can be circumvented by publishing PN as an application using ICA PassThrough.
ICA PassThrough is essentially publishing Program Neighborhood to ICA clients that do not support connecting to server farms. ICA PassThrough is installed on a MetaFrame XP server by default and resides on the server in the subfolder %systemroot%\system32\ICA PassThrough. To enable ICA PassThrough, publish PN.EXE in an NT domain scope, and create a custom connection to the published application. Essentially, this type of connection is an ICA session within an ICA session, but special modifications to ICA PassThrough increase the overall performance.
Client LPT and COM port mapping is not supported when using ICA PassThrough. However, it does support drive, printer queue, and audio mapping.
Let's look at some examples of when we would use the Application Set Manager, Custom Connections, and Default views.
Application Set Manager view
Use this view when connecting to one or more Application Sets or farms.
Custom Connections view
Use this view when connecting to a specific published application or server.
Default view
Use this view when you want a specific application set to appear when a user first launches Program Neighborhood.
The Add ICA Connection icon launches a wizard to create your custom connection. The wizard screens are as follows:
The first screen in the Add New ICA Connection Wizard (Figure 10-12) lets you specify your connection type. The only new connection type we see here is the ICA Dial-in. An ICA Dial-in connection allows you to connect directly to a modem or modem pool connected to the Citrix server, and can be used instead of a Dial-Up Networking (PPP/RAS) connection. An ICA Dial-in differs from a RAS connection in that you're authenticated within the session instead of making a network connection outside of the session beforehand.
Figure 10-12: The Add New ICA Connection Wizard
You can configure your server for ICA Dial-in or RAS, but not both. You must use one or the other for dial-up connections.
This screen is similar to the Application Set Wizard (Figure 10-13), but now we have the option to connect either directly to a Citrix server, or to a Published Application. The available protocols are TCP/IP, TCP/IP + HTTP, IPX, SPX, and NetBIOS. Again, we can use the Server Location… button to create a custom connection configuration.
Figure 10-13: The Add New ICA Connection Wizard, Screen 2
Configuring the connection here is the same as in the Application Set Wizard (Figure 10-4 and Figure 10-5), so we won't rehash it. If your connection has been configured, you should select either a server or published application to which you want to connect (Figure 10-14). If you have contacted the ICA browser, the drop-down menu will display a list of servers or applications to which you can connect.
Figure 10-14: The Locate Server or Published Application dialog box
If you are making a connection to a published application, the next screen in the wizard will prompt you to select either a seamless window or a remote desktop window (Figure 10-15).
Figure 10-15: Connecting to a Published Application
Again, a seamless window will make the application appear to be running on the local client machine, and a remote desktop window will run the application inside of a window.
The next wizard screen will prompt you to select an encryption level for this connection (see Figure 10-16). These encryption options will be the same as if we were connecting to an application group. Select the Use Default check box if you want the server to determine the encryption level for this connection.
Figure 10-16: Encryption settings
The next screen will prompt you to enter domain logon information to be saved with this session (see Figure 10-17). This is similar to the screen we saw for an application group (Figure 10-10). Be cautious when entering information here, as it will be saved on the client machine, albeit lightly encrypted. The Use Local User Name And Password option is grayed out here because this option was not turned on when the Program Neighborhood client software was installed.
Figure 10-17: Connection Logon Information
The last noteworthy screen in this wizard concerns selecting the color depth and screen size. If you selected seamless window, you will see the options listed next (see Figure 10-18). If you selected a remote desktop window, you will have the additional option of selecting the window size. If you leave the Use Default check box selected, the server on which the application is published will determine these settings. Decreasing the color depth of the ICA connection will reduce the amount of bandwidth used on the ICA connection, and it will speed up slower sessions.
Figure 10-18: Published application screen options
The wizard screens differ a bit when connecting to a server. The next screen you will see after adding the server connection (Figure 10-13) will be the encryption settings (Figure 10-16). The screen after that in the wizard will be the logon information (Figure 10-17), followed by both the screen options and the window size option (Figure 10-18).
The last noteworthy screen in the wizard is a new one. This screen allows you to specify an application to run once the connection is made to the server (Figure 10-19). The working directory should be the working directory of the application you will be running. By default, you should leave these options blank if you want to simply make a connection to an Explorer window.
Figure 10-19: Choosing an application
When you right-click an icon in the Custom ICA Connections view, you see the same options as when you right-click an icon in the Application Set Manager view (Figure 10-7). The only option you do not have is to set a custom connection as the Default view. This is because the Default view can only be an application set. When we select Custom Connection Settings from this context menu, we will see two tabs, Connection and Default Options. The Connection tab will display and allow us to change the connection settings seen in the wizard (Figure 10-14).
The Default Options tab (Figure 10-20) will allow us to configure the session settings, specifically the sound, encryption, and video settings for this custom connection.
Figure 10-20: The Default Options tab
The ICA Toolbar is an integral part of Program Neighborhood. You can perform most or all of PN's functions from this toolbar, including many of the menu options and context menus.
Program Neighborhood has several buttons (see Figure 10-21). Table 10-1 explains what each one does. Many of these features are available from the right-click context menus within Program Neighborhood (explained in the previous section).
Allows the user to change view from Custom ICA Connections to Application Set Manager, or from Application Set Manager to the default view. When this icon is grayed out, the user is at the topmost view.
Queries the ICA Master Browser for the latest information or application set.
When an item or items are selected, this icon will delete the item(s).
Displays the properties of a selected custom connection or a published application.
Displays the connection settings and options of a custom connection, published application, or application group.
Switches the current PN view between Large Icons, Small Icons, List, and Details.
Figure 10-21: The ICA Toolbar
On The Job
Many administrators do not want end users to have access to many of these features. It is best that they be disabled when users are running Program Neighborhood on a published desktop or direct server connection, or when Program Neighborhood is published using an ICA PassThrough. A restricted (gray) Program Neighborhood can be downloaded from http://www.thethin.net.
There are four menus within Program Neighborhood:
The File menu allows users to open a connection or close the program. In the Application Set Manager view or Custom Connections view, right-click context menu items are added to this menu (see Figure 10-7).
The View menu allows customization of the Program Neighborhood menus and icons, which can also be found by right-clicking the toolbar itself or using the Views button. You can remove the toolbar buttons or text; change the icon size; or refresh the current view, which is the same as clicking the Refresh button.
The Tools menu is the most important, as it allows customization of the client itself. These are the three menu items on the Tools menu:
The ICA Settings menu item shows four tabs (Figure 10-22): General, Bitmap Cache, Hotkeys, and Event Logging.
Figure 10-22: The General tab
The General tab allows you to set the following items:
Client Name: A unique identifier for the client. This must be unique because Citrix uses this identifier to map client devices. By default, this will be filled in by the local computer name. This name is stored in the file %HOMEDRIVE%\wfname.ini.
Serial Number: This field is normally left blank unless you are using a client from a Citrix PC Client Pack.
Keyboard Layout: This is set by default to the local client machine's keyboard layout. You can change this to another language layout if necessary.
Keyboard Type: This is set, by default, to the local client machine's keyboard type. You can change this to another language type if necessary.
Display Connect To Screen Before Making Dial-In Connections: Selecting this check box shows the Connecting To screen when a connection is attempted.
Display Terminal Window When Making Dial-In Connections: Selecting this check box will show an ASCII terminal screen when a dial-in connection is made.
Allow Automatic Client Updates: Select this check box to allow the client to be automatically updated on the Citrix server.
Pass-Through Authentication: Select this check box to enable authentication information to be 'passed through' to other sessions.
Use Local Username And Password For Logon: When this option is selected during Program Neighborhood installation, select this check box to use the local client login information when connecting to a session or application set.
The Bitmap Cache tab, meanwhile, lets you set the following items (see Figure 10-23):
Figure 10-23: The Bitmap Cache tab
Amount Of Disk Space To Use: Specifies the percentage of disk that will be used for bitmap caching.
Bitmap Cache Directory: Specifies the path to which the bitmaps will be cached. By default, this will be in the user's profile path.
Change Directory: Use this button to change the bitmap cache directory location.
The Minimum Size Bitmap That Will Be Cached: Defines the minimum size bitmap allowed for caching.
Clear Cache Now: Clears the bitmap cache.
The Hotkeys tab (Figure 10-24) allows you to change the mapped out hotkeys within a session. This is useful when applications have hard-coded hotkeys that cannot be changed. These hotkeys are set by default to not interfere with local client Windows hotkeys.
Figure 10-24: The Hotkeys tab
On the Event Logging tab (Figure 10-25), you can set the following items:
Figure 10-25: The Event Logging tab
Event Log File: Here, you can specify the path to Program Neighborhood's event log, and whether or not you want it to overwrite or append the log each time PN is run. By default, this log file is located in the local user's profile path.
Log Events: This section specifies which events will be logged.
The Modems item in the Tools menu brings up the TAPI (Telephone Application Programming Interface) from the local computer (Figure 10-26). This is the same interface that can be accessed from the Control Panel and can be used to add and delete modems, set dialing rules, and configure TAPI service providers. It is not an interface specific to Program Neighborhood. DOS and Win16 clients have built-in TAPI emulation support.
Figure 10-26: TAPI
The Serial Devices item on the Tools menu allows configuration of direct connections to a Citrix server through a COM port (see Figure 10-27). Although this configuration is rarely seen, it is still supported by Program Neighborhood. Here you can add, remove, and configure COM ports for a direct connection.
Figure 10-27: Serial Devices
Now that you understand the difference between Custom Connections and Application Sets, let's look at some examples of when to use each.
You need to log on to a particular server in your load-balanced farm for administrator tasks.
A custom connection would be better because connecting to a load-balanced published desktop may connect you to an unintended server.
A user needs to use a published Office XP suite.
An application set would be best because the user would only have to make one connection to get all their applications.
You have one MetaFrame server that users connect to for a remote desktop.
Either a custom connection or application set would work. However, an application set would allow for future growth of the farm.
Program Neighborhood allows for custom preconfiguration of the client. Preconfiguration is also called creating 'ready connect' clients. This is done by first extracting the client installation package and editing the following text files:
After these files are edited with a text editor, you can repackage your installation and roll out your preconfigured client to your users. When installed, the .src extension will become an .ini extension. Alternatively, you can install the client on a machine and configure it the way you want for the users. After this is done, you can rename the .ini files to .src and copy over the .src files in your package. This is an easier way to get the changes you want if you do not know or understand the parameters of the .src files.
Appsrv.src will allow you to edit parameters relating to custom ICA connections, specifically application servers and the client settings seen in the Custom ICA Connections view. You can use this file to restrict users to a particular view and remove icons you do not want them to use. Module.src contains information about network protocols and transports, including COM ports. Pn.src configures settings in relation to application sets and contains two sections: Program Neighborhood and Application Set. The Program Neighborhood section defines the application sets. The Application Set section defines all configuration information for those defined sets. Wfclient.src defines general PN client configuration, including keyboard settings and video defaults.
Be sure to remember all four of these filenames.
Exercise 10-1: Creating Custom Client Diskettes Using the ICA Client Creator
You should practice creating custom client diskettes because this situation is likely to come up on the job. Perhaps you have a remote group of users who have no local support, and who need to connect to a MetaFrame XP server with no hassles. Sending a custom client diskette set would be the best option.
To complete this exercise, you need a Win32 computer and two blank floppies.
On the server, go to the ICA Client Creator under the Start menu by choosing Programs > MetaFrame XP > ICA Client Creator.
When you see the Make Installation Set window, select the appropriate client set. This dialog box will let you know how many disks are required for the ICA client set.
After the disks are created, open Disk 2. You'll notice the .src files are located here.
Install the client (not necessarily from the disk set) onto a Win32 computer, and then customize the client as if it were for a remote user.
Set up an ICA dial-in connection, or alternatively, set up a connection to the Internet.
Create an application set connection. Make the application set you connect to the Default view.
Rename and copy Appsrv.ini, Module.ini, Pn.ini, and Wfclient.ini to Appsrv.src, Module.src, Pn.src, and Wfclient.src. Remember to copy and overwrite the files on disk 2 of the custom client set.
Uninstall the client on the Win32 machine and reinstall using the disk set. You should have exactly the same configuration you did before the uninstall, and the application set should start as the Default view.
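An added example (not from the book) for the "configure the client, then rename .ini to .src" method above: a pre-packaging check that reports saved logon information and explicit client-side encryption levels below the server's minimum, then strips the saved credentials before the files go onto the disk set. The key names Username, Password, ClearPassword and EncryptionLevelSession, and the EncRC5-* value strings, are assumptions about the client's INI format; the sample file is constructed.

```python
import configparser

# Client-side encryption levels in the order the page lists them (lowest first).
# The INI value strings are assumed, not taken from the page.
LEVELS = ["basic", "encrc5-0", "encrc5-40", "encrc5-56", "encrc5-128"]
ENCRYPTION_KEY = "encryptionlevelsession"                      # assumed key name
CREDENTIAL_KEYS = {"username", "password", "clearpassword"}    # assumed key names

# Constructed sample of a configured Appsrv.ini (not a real client file).
SAMPLE_APPSRV_INI = """\
[WFClient]
Version=2

[ApplicationServers]
Accounting=
AdminDesktop=

[Accounting]
TransportDriver=TCP/IP
Address=accounting.example.test
InitialProgram=#Accounting
EncryptionLevelSession=EncRC5-40

[AdminDesktop]
TransportDriver=TCP/IP
Address=192.0.2.10
Username=administrator
Domain=EXAMPLE
Password=0123456789abcdef
"""


def audit_ini(text, server_minimum="encrc5-128"):
    """Return (section, finding, key) tuples; secret values are never returned."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    parser.read_string(text)
    floor = LEVELS.index(server_minimum.lower())
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):    # keys arrive lower-cased
            value = (value or "").strip()
            if key in CREDENTIAL_KEYS and value:
                # Logon information saved by the person who configured the client.
                findings.append((section, "saved-credential", key))
            elif key == ENCRYPTION_KEY and value:
                level = value.lower()
                if level not in LEVELS:
                    findings.append((section, "unknown-encryption", key))
                elif LEVELS.index(level) < floor:
                    # The server would refuse this connection.
                    findings.append((section, "below-server-minimum", key))
    return findings


def scrub_for_src(text):
    """Drop saved-credential lines so the .src copy ships without them."""
    kept = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if "=" in line and key in CREDENTIAL_KEYS:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for section, finding, key in audit_ini(SAMPLE_APPSRV_INI):
        print(f"[{section}] {finding}: {key}")
    remaining = audit_ini(scrub_for_src(SAMPLE_APPSRV_INI))
    print("after scrub:", remaining)
```

An absent encryption key is not reported, since that leaves the level to the server default as the chapter recommends.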
In order to deliver the applications we want, to the users we want, we need to publish the applications using the Citrix Management Console (CMC) on the MetaFrame XP server (Figure 10-28).
Figure 10-28: The Citrix Management Console
Applications are published using the Applications folder within the CMC. Here we can have a published application (Notepad), a published desktop (Remote Desktop), and Program Neighborhood folders. Program Neighborhood folders allow us to publish applications in a logical folder structure, similar to the logical layout of a hard drive partition. We can group common applications in their own folders, so when a user connects to an application set, they can more easily navigate the list of published applications. These applications and folders will show up in the Application Set Manager view or Default view (if a server farm has been set as default). However, users will only see the applications and folders published to them, either explicitly or anonymously.
When MetaFrame is installed, 15 anonymous user accounts are installed on the local computer in a local group called Anonymous. This is so you can publish applications that do not require a username or password to connect. These accounts will be guest access accounts and will have the name AnonXXX, where XXX is a number from 000 to 014. These accounts will have the following restricted access rights: 10-minute idle timeout on sessions, broken or timed-out sessions will be logged off, no password required, and users will not be able to change their password. However, an administrator can change the properties of these accounts.
The fact that there are 15 accounts is related to the original 15 licenses that are installed with the base MetaFrame. If you add licenses, you may wish to increase the number of anonymous accounts.
The server will not save any user profile information when an anonymous user logs off the session.
Anonymous user accounts will only be created on servers that are not domain controllers.
Explicit users are, by definition, normal user accounts. These can be domain accounts, or local user accounts if no domain is present. You should always use explicit users when security is important. Explicit users will use their normal logon credentials when connecting to an application set or custom connection, and unlike anonymous accounts, their user profile information will be saved when the explicit user logs off.
Let's look at some examples of when to use Anonymous versus Explicit users:
You need to set up a kiosk in a mall for public use of a Web browser.
Anonymous: Logins are unwanted.
You are publishing an accounting application to a group of remote employees.
Explicit: Security is important.
You need to set up a product demo in your office lobby so guests can demo your software.
Anonymous: Security is not an issue. Ease of use is more important.
You are rolling out a published desktop to all your users in your domain.
Explicit: Security and profiles are necessary.
Your CEO requests touchscreen thin client devices running a published MP3 player application in the executive bathrooms.
Anonymous: Ease of use is most important.
Utilizing explicit applications will allow you to deliver the correct applications to users, regardless of what device they use to connect. When you publish an explicit application, you select which users you want to see that application when they make a connection to that application set. When a user moves from one computer to another, all the user has to do is create a connection to their server farm in the Application Set Manager view, and their applications will appear. For users that move from Win32 or Java clients to other non-Program Neighborhood clients, it is important to publish Program Neighborhood using an ICA PassThrough.