Application Publishing

Application publishing refers to the installation and configuration of applications on a multiuser server (or server farm), so they can be accessed readily by users. MetaFrame enhances the basic application publishing capabilities of TSE by providing a Published Application Manager to facilitate the process of fielding an application.

The objective of the Published Application Manager is not only to ease the burden of administrators, but also to shield users from the complexities of setting up applications for use on their clients. When an application is published using the Published Application Manager utility, user access is simplified in three ways:

  • Application addressing: Instead of connecting to a MetaFrame server by its IP address or server name, users can connect to a specific application by whatever name has been assigned to the application itself. Connecting to applications by name eliminates the need for users to remember which servers contain which applications.

  • Application navigation: With applications published under MetaFrame, the user does not need to possess knowledge of the Windows NT 4.0, Windows 2000, or Windows Server 2003 desktop (Windows NT Explorer or Program Manager) to find and start applications after connecting to MetaFrame servers. Instead, published applications present the user with the desired application in an ICA session.

  • User authentication: Instead of logging on and logging off multiple MetaFrame servers to access applications, Program Neighborhood allows users to authenticate themselves a single time to all servers and obtain immediate access to all applications configured for their user group or specific username. Also, publishing applications for the special Anonymous user group allows user authentication processes to be eliminated completely. This can be a useful time-saver when publishing applications for general use by all users on the network.

User Accounts

MetaFrame application publishing provides ICA session access to two types of user accounts: anonymous and explicit. Before publishing an application, it is important to first consider who the users will be, what they will be doing when they run the application, and where they will be connecting from. This will define whether the users should be anonymous or explicitly defined (named users with full authentication).

The total number of users, whether anonymous or explicit, who can be logged on to the MetaFrame server at the same time is contingent upon an organization's licensed user count and on server and bandwidth limitations. These limitations need to be clearly understood before proceeding with application publishing (Chapter 11 discusses server and farm sizing in detail).

Anonymous User Accounts

During MetaFrame installation, the Setup program creates a special user group called "Anonymous." By default, this local Windows 2003 group contains 15 user accounts with usernames in the format Anon000 through Anon015. Anonymous users are afforded guest permissions by default.

Note

Anonymous user accounts are local user accounts (non-domain), and although there are 15 of them created by default, additional ones will be created on the fly by the server to ensure that each Anon connection remains unique. If Anon connections are not going to be used, it is recommended that the accounts be disabled (but not necessarily deleted, due to possible future use) for security reasons.

If an application that is to be published on the MetaFrame server is intended to be accessed by guest-level users, the application can be configured using the Published Application Manager to allow access by anonymous users. When a user starts an anonymous application, the MetaFrame server does not require an explicit username and password to log the user on to the server, but selects a user from a pool of anonymous users who are not currently logged on. Anonymous user accounts are granted minimal ICA session permissions, including

  • Ten-minute idle (no user activity) time-out.

  • Automatic End Session on broken connection or time-out.

  • No password requirement.

  • Password cannot be changed by user.

Anonymous user accounts do not have a persistent identity. That is to say, no user information is retained when an anonymous user session ends. Any desktop settings, user-specific files, or other resources created or configured by the user are discarded at the end of the ICA session. Because of the inherent permission limitations of anonymous user accounts, the 15 anonymous user accounts created during MetaFrame installation usually do not require any further maintenance.
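As an added example that is not from the book, the following PowerShell script audits the local Anon accounts on a MetaFrame server and, when run with -Disable, disables any that are still enabled, following the note above to disable rather than delete them. It assumes the WinNT ADSI provider is available on the server and uses the Anon000, Anon001, ... naming pattern described above; the -Disable switch and the -Computer parameter are the script's own.

```powershell
# Added example (not from the book): audit the local Anon accounts that MetaFrame
# creates and, when -Disable is given, disable those that are still enabled.
# Assumes Windows PowerShell and the WinNT ADSI provider on the MetaFrame server;
# the Anon000, Anon001, ... naming pattern is the one the text describes.
param(
    [switch]$Disable,                        # report only unless this is present
    [string]$Computer = $env:COMPUTERNAME    # local server by default
)

$ADS_UF_ACCOUNTDISABLE = 0x0002              # userFlags bit marking a disabled account

$root = [ADSI]"WinNT://$Computer,computer"
# Match the default pool and any extra Anon accounts the server created on the fly.
$anonAccounts = @($root.Children | Where-Object {
    $_.SchemaClassName -eq 'user' -and $_.Name -match '^Anon\d{3,}$'
})

if ($anonAccounts.Count -eq 0) {
    Write-Host "No Anon accounts found on $Computer."
    return
}

foreach ($acct in $anonAccounts) {
    $flags    = [int]$acct.Properties['UserFlags'].Value
    $disabled = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0

    if ($disabled) {
        Write-Host ("{0,-10} disabled" -f $acct.Name)
    }
    elseif ($Disable) {
        # Disable rather than delete, as the note recommends, so the pool can be
        # re-enabled later if anonymous publishing is needed after all.
        $acct.Properties['UserFlags'].Value = $flags -bor $ADS_UF_ACCOUNTDISABLE
        $acct.CommitChanges()
        Write-Host ("{0,-10} was enabled, now disabled" -f $acct.Name)
    }
    else {
        Write-Warning ("{0} is enabled; rerun with -Disable to disable it." -f $acct.Name)
    }
}
```

Run it as a local administrator on the MetaFrame server; without -Disable it only reports which accounts in the pool are still enabled.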

Explicit User Accounts

Explicit users, which are created and maintained via the Active Directory User Manager, have a "permanent" existence. Their desktop settings, security settings, and so on, are retained between sessions for each user in a user profile.

Explicit users can be of any user class and are generally created for a specific purpose. Their access permissions may be changed by using the Active Directory User Manager.

Identifying what groups of users will have access to an application that is about to be published will aid in server and link resource planning and may even expedite the publishing process. Administrators can capitalize on group settings and extend application access to multiple users concurrently. Conversely, using the Anonymous group is a handy way to make general-purpose applications available to the broadest possible user community in the least amount of time.

MetaFrame Password Manager

Citrix MetaFrame Password Manager (CMPM) is a single sign-on solution designed specifically for MetaFrame XP and MetaFrame Secure Access Manager. CMPM provides password security and single sign-on access to Windows, web, proprietary, and host-based applications running in the MetaFrame Access Suite environment. Users authenticate once with a single password, and MetaFrame Password Manager does the rest, automatically logging in to any password-protected information system, enforcing password policies, monitoring all password-related events, and automating end-user tasks, including password changes.

CMPM is comprised of three components:

  • A directory service to centrally store the password and user information. Three choices are available: File Sync (native to CMPM), Microsoft Active Directory, and LDAP (Sun ONE Identity Server or Novell eDirectory).

  • The MetaFrame Presentation Server Agent, a 32-bit agent that runs on MetaFrame servers or on a local client workstation.

  • The MetaFrame Password Manager Console.

Once a user has logged in and authenticated to a directory service, the agent intercepts any future password requests with a query, asking if the user would like the password manager to manage this password. If the user answers yes, then the password information is stored in the central directory service store and handed back to the client workstation when the workstation queries for that password again.

MetaFrame Password Manager enhances security by centralizing security policies, providing an encrypted file for each user's credentials, and allowing IT administrators to automatically generate passwords that are more difficult to crack and to change them more frequently, if needed.

CMPM can either be purchased with the Access Suite Bundle or individually.

Application Publishing Security

In addition to considering the user population for an application, administrators also need to consider the security requirements of the applications they are planning to publish. MetaFrame XP provides additional methods, beyond those of Microsoft operating systems, for securing access to applications published on the MetaFrame server.

Limiting Users to Published Applications

Users of a specific connection type (dial-up, for example) can be restricted to running published applications only. By allowing users to solely access predefined applications, unauthorized users are prevented from obtaining access to the Windows desktop or a command prompt as their initial application unless published by an administrator. This type of security may be obtained by using the Advanced Connection Settings dialog box in the Connection Configuration utility.

It is important to note, however, that many applications and utilities have major security holes (for example, some applications permit a user to launch other applications, such as explorer.exe or cmd.exe, from within them). Thus, a significant amount of time must be spent putting in place policies, profiles, and registry changes to lock down the operating system and applications more securely. Enterprise environments should consider a lockdown application (two popular lockdown application companies certified to work in an SBC environment are triCerat RES and AppSense, covered in more depth in Chapters 11, 13, and 15) to automate the lockdown tasks.

Limiting Applications

The Citrix Management Console allows an administrator to restrict an application to specified users or groups of users, assuming they have been given explicit user access.

Firewall Security and Limited Access from Non-Authorized External Users

With security at the forefront of most enterprise activities, the Internet firewall has become non-optional for every enterprise that wants to protect its resources from unauthorized Internet intrusion. But since the Internet is such a necessary access method for many users, the firewall often poses a very difficult trade-off: full security versus easy access. MetaFrame Secure Gateway resolves this trade-off by providing both easy access and industry-recognized security. MetaFrame Secure Gateway is covered in much more depth later in this chapter, as well as in Chapter 16.

Usernames and Passwords

As long as explicit user accounts are specified, MetaFrame XP supports a large number of authentication approaches. For starters, strong password authentication is essential for security (see Chapter 8 for a more detailed password discussion). Even better, consider a second-factor authentication approach (using not only something a user knows, but also something unique that only a specific user has, such as a smart card, token, or biometric). MetaFrame XP FR-3 is fully integrated with RSA and Secure Computing's second-factor authentication, as well as a large variety of authentication tools (biometric, smart card, and so on) that integrate with RSA and Secure Computing's authentication software. Additionally, companies like Secure Computing provide a method to integrate second-factor authentication with MetaFrame Web Integration access, Program Neighborhood access, and Windows 2000 Active Directory access, making authentication seamless to the user community. See Chapter 8 for more detail and discussion on security.

ACLcheck Utility

An ACLcheck utility supplied with MetaFrame examines the security ACLs associated with MetaFrame XP files and directories. This utility can be used to report on any potential security breaches.
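The ACLcheck utility itself is not shown here. As an added example that is not Citrix's tool, the following PowerShell script performs a comparable check: it walks a MetaFrame installation directory and lists ACL entries that grant write-level rights to broad principals, which is the kind of weakness such a report should surface. The install path is a placeholder to adjust for the server, and the list of broad principals is an assumption of the script.

```powershell
# Added example (not the ACLcheck utility): report files and directories under a
# MetaFrame install path whose ACLs grant write-level rights to broad principals.
# Assumes Windows PowerShell; the default path is a placeholder, not from the book.
param(
    [string]$Path = 'C:\Program Files\Citrix'   # placeholder: adjust to the install dir
)

# Principals that should not normally hold write rights on server binaries or config.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a user alter what the server executes, reads, or who may access it.
# Modify and FullControl contain these bits, so ACEs carrying them match as well.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$findings = foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }                       # unreadable ACL: skip, keep walking
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited              # inherited entries point at a parent to fix
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No broad write access found under $Path." }
```

Entries flagged as inherited usually mean the parent directory's ACL is the one to correct rather than the individual file.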

Application Execution Shell

The Application Execution Shell (App) in MetaFrame allows administrators to write application execution scripts that perform actions before and after application execution. These scripts can be used in connection with other security utilities to check the security of MetaFrame servers and clients.


Citrix Metaframe Access Suite for Windows Server 2003(c) The Official Guide
Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2003
Pages: 158