MetaFrame XP for Windows, Feature Release 2
Technical Features Presentation
June 4th, 2002
Copyright ©2002, Citrix
Reference Sites
• Good sites to check
• Citrix Developer Network: http://www.citrix.com/cdn
• Yahoo Group: http://groups.yahoo.com/group/citrixwest
• Doug’s Site: http://www.dabcc.com
• Rick’s Site:
Things To Know
• MF XP FR2 will support Windows 2000 Server, Advanced Server, and Datacenter Server
• MF XP FR2 and future releases will not support Windows NT 4.0 TSE.
Q: What will our TSE users run?
A: They can still install up to MF 1.8 FR1 and MF XP FR1.
Q: What about Service Pack 2 for TSE?
A: If needed we will release one separately later.
• MF XP FR2 will include:
NFuse Classic 1.7
Enterprise Services for NFuse 1.7 (XPe users only)
Citrix Secure Gateway 1.1
What’s New in FR2?
Features at a Glance
• Enhanced CMC and CWC
• Delegated Administration
• User Policies
• User-to-User Shadowing
• Smart Card Support
• Enhanced Content Publishing
• Content Redirection
• Enhanced System Monitoring & Analysis
• Enhanced Application Packaging & Delivery
• Username Session Reconnect
• Enhanced Printer Support and Management
• TLS Encryption
• Enhanced Internet Proxy Support
• Windows Installer Support
• Microsoft Certifications
• IBM DB2 Support
Product Licensing
• FR2 licensing same as FR1 - all delivered via web
• Packaging only contains XP licenses
• New 2-user license developed - cannot add bumps - delivery TBD
• Login popup for NFR connections
• Popup when XP migration licenses added, warning of need for XP base licenses
Product Packaging
One CD Pack for all product SKUs, composed of three CDs:
• Windows 2000 “Server CD” for XP FR2
  Integrated XPs, XPa, and XPe installation at FR2 level, or applies FR2/SP2 to existing MF servers
• Windows TSE “Server CD” for XP FR1
  XP, RM, IM, NM at FR1/SP1
• “Components CD”
  ICA Clients 6.30
  NFuse Classic 1.7
  Enterprise Services for NFuse
  Citrix Secure Gateway 1.1
  EVAL and NFR
Software Installation
• FR2/SP2 requires a minimum of SP1 on other servers in the farm
• Server Drive Re-mapping is a separate auto-run utility before install
• Added Installation Checklist to auto-run
• No licenses added during installation since licenses install to the farm
• Product Code set during installation since each server requires one
• Upgrade/Add components via Windows Add/Remove Programs
Demo of installation:
(Warning! Do not click Finish at end, but Cancel instead.)
Windows Installer Support
Description
Administrators can leverage the Microsoft Windows Installer technology to automate the installation of MetaFrame XP and related components:
• MetaFrame XP with FR2
• Citrix Management Console
• Citrix Web Console
• Enterprise Services for NFuse 1.7
• Citrix Secure Gateway 1.1
• NFuse Classic 1.7
• Windows 32 ICA Client - both PN and PN Agent
Note: MSI 2.0 is now required, and included on installation CDs
Enhanced CMC
Overview
Citrix Management Console has been enhanced to provide better integration with Active Directory, pass-through authentication during logon, and ticketing to maintain confidentiality of authentication credentials. User search and filtering functionality has been added.
Benefit
Citrix administrator credentials are no longer passed over the wire. Active Directory
Enhanced CMC
Single Sign-On
This feature provides a mechanism for Citrix Administrators to log in to a MetaFrame farm with the CMC using the credentials of the local user. This will improve the user experience by eliminating the need to enter credentials before logging in to a Citrix farm. This feature also employs ticketing, hence authentication credentials will not pass over the wire.
Methods to Enable:
1. Upon first use of CMC via popup dialog.
2. Already in CMC via user preferences.
3. Command line argument: ctxload /PTA: <servername>
Enhanced CMC
Active Directory Integration
The “Add User” interface of the CMC now better reflects the hierarchical relationships of the Active Directory OU structure. This allows for:
• Improved usability by better user object organization.
• Faster enumeration because all user objects are not
Enhanced CMC
Search & Filtering
In any user session list, the administrator can filter by username or by application name. This includes basic column sorting, and more advanced “match” filtering.
Given a user name, the administrator can search for printers, applications, and
Delegated Administration
Description
Create specialized Citrix administrators to handle specific areas of MetaFrame administration such as managing printers, published applications, or user policies.
Benefit
Members of an IT staff can be granted access to various MetaFrame XP administrative tasks without being granted permissions to make non-authorized configuration changes. Allows for better modeling of Citrix admins to the IT
Delegated Administration
Configuration
1. Citrix admins may be specific account authority users or user groups.
2. Three types of admins: View Only, Full Administrator, and Custom.
3. The first CMC admin added during installation is a “full” admin. This user may then create “custom” admins.
4. The “Select Tasks” window is reached during new admin creation or by viewing an admin’s properties.
5. During creation or at any time afterward, an admin’s
Delegated Administration
Managing Tasks
1. If given the proper view permissions, “custom” admins may be configured such that they may not make any edits, but may still view the tasks of other admins to locate an admin who has authority over a particular task.
2. If a CMC Administrator changes the permissions of a user who is currently logged in to the CMC, a dialog will inform the user that their permissions have changed and they will be logged out.
3. Using User Policies, admins may restrict which users can log in to the CMC.
4. If a user is a member of two groups, and each group is given a set of delegated administrative tasks, the
Delegated Administration
Licensing
• When a “FR2 CMC” connects to a farm that has at least one server that is set to FR2 level, all the new Delegated Admin functionality will be enabled. If there is not at least one server set to FR2, the CMC will not display the new FR2 functionality.
Backwards Compatibility
• “FR2 CMC” to “FR2 Server” — All functions work normally.
• “FR2 CMC” to “SP1 Server” — Full admins will function normally; custom admins will be view-only (both at FR2 functionality).
• “FR2 CMC” to “XP 1.0 Server” — Full admins will function normally; custom admins will be view-only (both at XP 1.0 functionality).
• “Old CMC” to “FR2 Server” — The old CMC is not aware of “custom” admins. “Custom” admins will not be able to log on. Additionally, when “full” admins enumerate users in the CMC, “custom” admins will be shown as “view only” admins.
User Policies
Description
Apply MetaFrame XP settings to users or user groups, rather than to the farm, servers, or applications.
Benefit
Gain the flexibility to configure
User Policies
Creating Policies
1. New “Policies” node added to CMC.
User Policies
Assigning Users and Groups
User Policies
Configuring Policy “Rules”
User Policies
Overriding Settings
User Shadowing (Collaboration )
Description
One or many users may shadow a single user. Shadowing is not just for administrators any more.
Benefit
Saves time and money by allowing users to view and modify the same content from disparate locations. Also provides for "teacher/student" and
User Shadowing
Configuration
1. This feature is based on Windows security, so it will not work for NDS users.
2. User Shadowing is one of the property settings of a User Policy.
3. “Shadowers” are those who are given permission to view the sessions of “shadowees”.
4. Those assigned to the policy are the “shadowees”. Inside the policy, “shadowers” are specified.
5. Example: Create a policy called “Shadow by Legal” and within its properties specify the user group for the Legal department. Users assigned to this policy may then be shadowed by the users in the Legal department.
User Shadowing
Use Case
1. Users may shadow one another by using the Shadow Taskbar. It is recommended that the Shadow Taskbar (wshadow.exe) is published as a seamless application for user access.
2. Users will only be able to enumerate users to which they have permission to
Smart Card Support
Description
Provide secure access to applications and data using smart card technologies. Smart cards can also be used with NFuse and the Program Neighborhood Agent.
Benefit
Simplifies the authentication process while enhancing logon security. Support for smart card authentication to published applications, as well as support for "smart card enabled" applications such as Microsoft Outlook.
Smart Card Support
[Diagram: server stack APP / WinLogon → PC/SC → CSP; client stack APP / WinLogon → PC/SC → CSP → driver → reader; the two PC/SC layers are linked by the ICA virtual channel.]
Design
• An ICA Smart Card Virtual Channel has been developed.
• All calls, either from WinLogon or applications, to the PC/SC (more specifically the winscard.dll) on the server are redirected to the PC/SC on the client device.
• PC/SC is provided by Microsoft with the OS. CSP and drivers are provided by smart card vendors.
• CSP is required on the server and on the ICA Client device. (The only scenario in which it is not required on the ICA Client is when PN is used without pass-through authentication for 2000 and XP.)
Smart Card Support
ICA Client Requirements
• Windows 32 (by default PC/SC code comes with the Windows XP and 2000 OS only; PC/SC for NT 4.0, ME, 98, and 95 must be obtained from the smart card vendor)
• Windows-based terminals only (which have a PC/SC available) – Wyse has a solution available
• Linux (PC/SC publicly available)
Smart Card Requirements
• Only PC/SC-based smart cards are supported (95% of current market). Java-based cards are not supported.
• MetaFrame intercepts calls to the PC/SC (Winscard) interface only. Specifically, PKCS #11 (RSA’s smart card standard) is not supported.
• USB, COM, and PCMCIA smart card readers have been tested
Smart Card Support
Configuration
Windows 2000 supports two policy settings for interactive logon to a session. ICA sessions will utilize these policies:
• Require smart card for interactive session logon – This is a per-user policy that requires the user to use a smart card for authentication.
• Smart-card removal policy – This is a local-machine policy with three possible settings (these have no effect if regular credentials were used for authentication):
  • None (no effect)
  • Lock Workstation (disconnects all MetaFrame sessions)
  • Log-off Session (logs off all MetaFrame sessions)
By default, MetaFrame XP FR2 installation will allow server logins to be authenticated with smart cards (calls from WinLogon and LSASS are captured and redirected).
Smart Card Support
Configuring a Certificate Authority
(1) Set up the certificate authority
Set up a Microsoft certificate authority. If more scalability is required, you may set up additional certificate authorities.
Reference: "Step-by-Step Guide to Setting up a Certification Authority" at
http://www.microsoft.com/WINDOWS2000/library/planning/security/casetupsteps.asp
(2) Prepare certificate authority to issue smart card certificates
This step involves setting proper security permission on the Smart Card Logon and the Enrollment Agent certificate templates on the certificate authority.
Reference: See Windows 2000 help that is installed as part of the OS, under the topic \Welcome\ Security\How to...\Authenticate with Smart Card\Administer Smart Cards
(3) Prepare smart card certificate enrollment station
In this step an Enrollment Agent certificate is obtained for the administrator who will be enrolling smart cards on behalf of users.
Reference: "Step-by-Step Guide to Installing and Using a Smart Card Reader" at
http://www.microsoft.com/WINDOWS2000/library/planning/security/smartcard.asp
(4) Set up smart card for user
This step involves assigning a user certificate(s) to the smart card. The references above are good sources on how to go about doing this. Also, perform a search for “smart card” on the
Smart Card Support
Auto Client Reconnect
Auto client reconnect works with smart card credentials, just as it works with username/password credentials. The user must have the same smart card inserted into the reader as was used to log in to the session before the disconnect occurred.
Roaming User Reconnect
In general this feature is supported by the PN, PN Agent, and NFuse client interfaces. When smart cards are used, Roaming User
Enhanced Content Publishing
Description
Administrators may now configure "Content Publishing" to open published content with a server-based application. (Originally released in FR1 with the ability to launch only a local application.)
Benefits
• Content published by administrators may now be opened with a published application.
• Applications do not need to be present on the client device, and content does not need to be downloaded to the client.
Enhanced Content Publishing
Configuration
When MetaFrame publishes applications, they are associated with a collection of file extensions and MIME types. When any published content of a type associated with a published application is launched from NFuse, the published application will be launched with the content.
There are no configuration file settings required for this feature. There is no ability to prevent published content from being launched on MetaFrame.
ICA Client Requirements:
• NFuse with any ICA Client
Content Redirection
Benefits
• Administrators can specify whether local or remote applications are used to open content.
• Allows for the appropriate application to be launched to better meet the needs of the user.
• Provides flexibility when considering application installation and content storage locations.
• Allows administrators to leverage local applications or multimedia players to offload MetaFrame server resources.
Description
Open content, whether stored locally or remotely, with either local or remote applications.
Implementation
There are two flavors of Content Redirection:
• From Client to Server
• From Server to Client
Content Redirection
Content Redirect from Client to Server
When using a local application, accessed content may be opened using a published application.
Example:
A user is using a local application (e.g. Outlook, IE, Word, Explorer) and clicks on a PDF file to open it. But the client device does not have Acrobat Reader, hence normally an error would occur. With this feature, however, a published Acrobat Reader application will launch and the PDF will open.
[Diagram: Client running a local application (Outlook, Word, IE) opens Acrobat content located anywhere in the published Acrobat Reader on the Server.]
Content Redirection
Content Redirect from Client to Server (cont.)
Administrator must publish the server application to the user and configure the FTA screen that has been added to the Published Application Wizard.
Content Redirection
Content Redirect from Client to Server (cont.)
For this feature to work, the client device must have the file type association table downloaded to it from the servers in the farm. The only client interface which supports this functionality is PN Agent. As PN Agent periodically checks for new published applications, the FTA information for each application is downloaded into the client OS registry.
ICA Client Requirements:
• PN Agent from the Windows 32 ICA Client
Content Redirection
Content Redirect from Server to Client
When using a published application, Web and multimedia links may be opened using a local application.
Example:
A user is using a published application (e.g. Outlook, Word) and clicks on a URL link to open the content. But rather than opening the link with IE on the server, the local IE on the client device launches and the URL is opened.
[Diagram: a published application (Outlook, Word) with a URL link on the Server; the Web page opens in the local browser on the Client.]
Content Redirection
Content Redirect from Server to Client (cont.)
The ability to intercept a URL link inside a MetaFrame session and play it in a local player will be controlled on the server side via the CMC. It can be enabled on a farm-wide basis, per-server basis, or per-user basis using User Policies.
Embedded URLs are intercepted on the server and sent via the ICA control virtual channel to the client. The client will not be allowed to disable this feature. If the client does not have an appropriate player or cannot directly access the content, the server player will be used.
URLs Redirected by Default:
• http - Hypertext Transfer Protocol
• https - Secure Hypertext Transfer Protocol
• rtsp - Real Player and QuickTime
• rtspu - Real Player and QuickTime
• pnm - Older Real Players
• mms - Microsoft’s Media Format
URLs Not Redirected:
• ftp - File Transfer Protocol
• gopher - The Gopher protocol
• mailto - Electronic mail address
• news - USENET news
• nntp - USENET news using NNTP access
• telnet - Reference to interactive sessions
• wais - Wide Area Information Servers
• file - Host-specific file names
• prospero - Prospero Directory Service
Note: The above is all or nothing: once enabled, all of the redirected URL types above will be redirected, as granular selection is not supported.
Enhanced System Monitoring & Analysis
Description
Collect performance, session, and application data into a single centralized database for the entire MetaFrame farm while maintaining manageability, scalability, reliability, and control. Reports may be based on pre-defined Crystal report templates.
Benefit
Enhanced System Monitoring & Analysis
Summary
[Diagram: Resource Manager servers (XPe) publish to the IMA Event Bus; a DB Connection Server (XPe) writes to the Summary Database (SQL or Oracle).]
Enhanced System Monitoring & Analysis
Summary DB Configuration
• Monitor health of Database Connection Server
• Schedule the transfer of daily data from MetaFrame servers to allow for network traffic management
Enhanced System Monitoring & Analysis
Select Data to Store
• Specify server metrics to record in the Summary DB on a per-server basis.
• Audit users to track user activity including session statistics, favorite
Enhanced System Monitoring & Analysis
Billing
Enhanced System Monitoring & Analysis
Assign Fees
Enhanced System Monitoring & Analysis
Define Cost Centers
Enhanced System Monitoring & Analysis
Define Bill Information
Enhanced System Monitoring & Analysis
Report Templates
• The HTML report template below is provided for report viewing
• A set of pre-defined Crystal templates is provided for use with a
Enhanced Application Packaging & Delivery
Description
Group packages and define installation intervals for MetaFrame XP server groups. Configure multiple share points for WAN package delivery. Add Windows Installer patch files to existing packages.
Benefit
Administrators can more efficiently deploy packages to servers, and to sites in different geographic
Enhanced Application Packaging & Delivery
Improved Deployment Configuration
Enhanced Installation Scheduling
• Time interval during which installations can occur
• Run large jobs across different days until completed
Create “Package Groups”
• A package group may contain multiple packages
• Set the sequence of installation for packages inside a package group
• Specify how current and new user connections should be handled during installations
• Specify if a reboot should occur between individual package installs or uninstalls, or only when all packages have completed
• With FR1 one set of credentials was used for all network share access; with FR2, each package group may be configured with its own set of credentials to access its network share
Roaming User Reconnect
Description
Reconnect to MetaFrame sessions by user name rather than by client device ID.
Benefit
This will allow users to move between different client devices and still be able to reconnect to their
Roaming User Reconnect
Implementation
NFuse and PN Agent already have this feature that was released in MetaFrame XP FR1. The FR2 release will add this support to the Program Neighborhood client interface.
Does not work for:
• Smart card authentication via PN
Enhanced Printer Support and Management
Description
Improved administrator and user control of printer properties and print queue purging, and improvements to printer mapping performance. Also, network printer settings will be detected and used rather than arbitrary "default" printer settings.
Benefit
Enhanced Printer Support and Management
Issue: Default settings always used for newly auto-created network printers
Before FR2: The first time a network printer is auto-created on a client, it gets default manufacturer properties, causing problems like wrong paper size for A4 users.
After FR2: We added a printing preferences dialog in the CMC. Administrators set “auto-creation default settings” for Paper Size, Copy Count, Resolution, and Orientation.

Issue: Changes to auto-created client printer settings inside ICA sessions are not saved
Before FR2: If a user changes their printer settings from within a published application, these changes will be lost at next logon.
After FR2: Administrators can now elect whether or not to refresh a user’s ICA session auto-created client local printer settings at each logon from the settings on their local printer.

Issue: Printing to network printers that existed before ICA connection is slow
Before FR2: Although a “network printer”, ICA treats these as auto-created client printers. Hence print jobs are sent down to the client first, then back up to the print server.
After FR2: Print jobs will now be sent directly from the ICA session on the MetaFrame server to the print server, without having to go down to the client and back up again.

Issue: Print jobs to client local printers suspended during logout
Before FR2: If a user starts a print job and then logs out, the job is suspended, and only restarted upon later login to the same server with the same client device.
After FR2: Administrators may now elect whether to save or purge the print queue upon user logout.

Issue: Printers are created synchronously
Before FR2: When a user connects to an application, all auto-created printers are created first, then the application is launched.
After FR2: Administrators may now elect to allow
Enhanced Printer Support and Management
TLS Encryption
Description
Support for the latest cryptographic security protocol, TLS (Transport Layer Security). This is the next generation security protocol, a successor of SSL (Secure Sockets Layer).
Benefit
Client/server connections now pass through the latest
TLS Encryption
Implementation
TLS support has been added to the following components in FR2:
• SSL Relay (uses Microsoft SChannel)
• ICA Clients:
  Windows 32 (uses Microsoft SChannel)
  Windows CE
  Linux
  Java
• NFuse Classic 1.7
• Citrix Secure Gateway 1.1 (between CSG server and ICA Client only)
FIPS 140
For compliance the following requirements must be met:
• End-to-end TLS encryption
• Use of an approved encryption protocol such as Microsoft SChannel
For compliance the following components must be employed:
• Configure SSL Relay directly on every MetaFrame server
Enhanced Internet Proxy Support
Description
ICA Clients may use local Web browser settings to configure client proxy settings. Also added support for the Secure Proxy protocol (also known as "SSL Tunneling") to allow ICA to tunnel securely through firewalls using SSL. Much as HTTP employs HTTPS for proxy support, ICA can be configured to employ Secure Proxy.
Benefit
Users can now easily and securely connect to applications deployed across the Internet. Administrators can centrally configure proxy server information for the ICA Clients of all users by using global management of Web browser settings.
Enhanced Internet Proxy Support
New Features
• HTTP/SSL Tunnel Proxy Support - Support for the HTTP CONNECT method tunnel proxy, also known as “Secure Proxy”. This common type of proxy is an alternative to the SOCKS proxy that is currently supported.
• Proxy Authentication - Support for proxy authentication with both SOCKS and HTTP/SSL Tunnel proxies.
• Proxy Auto-Detection - Support for automatic detection of proxy configuration by querying proxy configuration information managed by either Internet Explorer or the Netscape browser.
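The “Secure Proxy” feature above is the HTTP CONNECT method: the ICA client asks the proxy to open a raw TCP tunnel to the server, answers a 407 challenge if the proxy requires authentication, and then runs ICA inside the tunnel. The following is an added illustrative exchange, not Citrix code: the request builder, the response parser and the stand-in proxy are assumptions of this example, as are the host name, port and credentials.

```python
import base64
from typing import Callable, Dict, Optional, Tuple

# Added example, not Citrix code: target host, port and credentials are constructed,
# and fake_tunnel_proxy stands in for a real proxy so the exchange runs offline.

def build_connect_request(target_host: str, target_port: int,
                          username: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """CONNECT request a client sends to an HTTP tunnel proxy.

    The proxy opens a TCP connection to target_host:target_port and relays bytes
    blindly afterwards, so the ICA/TLS stream inside the tunnel is opaque to it.
    Proxy authentication rides on this request (HTTP Basic shown here).
    """
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Parse the proxy reply into (status_code, headers, leftover_bytes).

    Bytes after the blank line ending the headers already belong to the
    tunnelled stream and must be handed to the ICA layer, not dropped.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def fake_tunnel_proxy(request: bytes, required_user: str,
                      required_password: str) -> bytes:
    """Constructed proxy side: demand Basic credentials, then open the tunnel.
    (Real tunnel proxies usually also restrict CONNECT to port 443.)"""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, _target, _version = request_line.split(" ")
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in header_lines)}
    expected = "Basic " + base64.b64encode(
        f"{required_user}:{required_password}".encode()).decode()
    if headers.get("proxy-authorization") != expected:
        return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="proxy"\r\n'
                b"Content-Length: 0\r\n\r\n")
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def connect_through_proxy(target_host: str, target_port: int, username: str,
                          password: str, proxy: Callable[[bytes], bytes]) -> bool:
    """Client side: send CONNECT, answer a single 407 challenge, report success.

    `proxy` maps request bytes to reply bytes, so the same logic drives
    fake_tunnel_proxy here or a real socket in practice.
    """
    reply = proxy(build_connect_request(target_host, target_port))
    code, headers, _ = parse_connect_response(reply)
    if code == 407:
        if not headers.get("proxy-authenticate", "").lower().startswith("basic"):
            return False  # only the Basic scheme is handled in this example
        reply = proxy(build_connect_request(target_host, target_port,
                                            username, password))
        code, _, _ = parse_connect_response(reply)
    return 200 <= code < 300
```

Once the 200 reply has been parsed, any leftover bytes and everything that follows on the socket are the tunnelled ICA (or TLS) stream; the proxy sees only the CONNECT target, which is why it can be combined with the TLS support described for SSL Relay and Secure Gateway.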
Enhanced CWC
Description
Citrix Web Console usability has been enhanced:
• New look and feel
• Search and filtering
• Better layout
• Static button bar
Note:
Microsoft Certifications
Description
Microsoft certification for:
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows 2000 Datacenter Server
• Windows XP
• Windows 2000 Professional
Benefit
Solidifies Citrix's compatibility with
Improved ICA Performance
Description
Improve overall performance of ICA Client to MetaFrame server communication. Transfer files to and from a MetaFrame XP server more quickly than ever.
Benefit
Improved ICA Performance
[Charts: “3MB File Download” and “ThinWire Benchmark”, each plotting minutes (0 to 45) for XP FR1 vs. XP FR2 by connection type: Modem 33.6KB ~250ms latency, WAN 1.54MB ~150ms latency, Satellite 512KB ~1.5s latency.]
[Chart: Large Print Job]
Database Support
For hosting the MetaFrame XP data store, support has been added for IBM DB2 Universal Database Enterprise Edition v7.2 (with FixPack5) for Windows 2000.
MetaFrame Data Store       | RM Summary Database | ESN Database
MS Access (v9, v10)        | No                  | No
Oracle (v7, v8i, and v9i)  | Yes                 | No
SQL (v7 and v2000)         | Yes                 | Yes
Novell Integration
• No longer require ZenWorks on MF server
• Still need Novell client on each MF server
• We have tested Novell 4.x and 5.x
• Able to view NDS OU structure in CMC (FR1)
• No smart card support for NDS users
• No shadowing support for NDS users
• No single sign-on support for NDS users (CMC, NFuse, PN and PN Agent)
Server Farm Reliability
DSMaint
• Use to rebuild LHC
• Use to change ODBC data source target
DS Connectivity Failure
• Event Log entries added upon failure
• New Performance Monitor to track minutes
since failure
• Added to default RM Set with Alerts
Licensing
Enhanced MetaFrame SDK
Description
All Feature Release 2 functionality and
all printer management functionality
since the release of MetaFrame XP are
now included in the MetaFrame SDK.
Benefit