Advanced Concepts Citrix ® MetaFrame XP for Windows with Feature Release 2 (Includes Service Pack 2)

Post on 21-Jul-2020

Advanced Concepts

Citrix® MetaFrame XP™ for Windows with Feature Release 2 (Includes Service Pack 2)

The information in this publication is subject to change without notice.

THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”) SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.

Citrix, ICA, MetaFrame, and Program Neighborhood are registered trademarks, and MetaFrame XP and NFuse are trademarks of Citrix Systems, Inc. in the United States and other countries.

Copyright © 2002 Citrix Systems, Inc. All rights reserved

Trademark Acknowledgements

Adobe and Acrobat are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Apple is a registered trademark of Apple Computer Inc.

DB2 is a registered trademark and PowerPC is a trademark of International Business Machines Corp. in the U.S. and other countries.

Java, Solaris, and Sun are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Sun Microsystems, Inc has not tested or approved this product.

Microsoft, MS-DOS, Windows, Windows NT, Win32, ActiveX, SQL Server, Office and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.

Novell Directory Services, NDS, NetWare, Novell Client, and eDirectory are trademarks or registered trademarks of Novell, Inc. in the United States and other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.

Packeteer and PacketShaper are trademarks or registered trademarks of Packeteer, Inc. in the United States and other countries.

Compaq is a registered trademark of Compaq in the United States and other countries.

UNIX is a registered trademark of The Open Group.

All other trademarks and registered trademarks are the property of their owners.

Document code: July 12, 2002 3:11 pm MP

Contents

Chapter 1 Introduction
    Documentation Conventions
    MetaFrame XP, Feature Release 2 Documentation

Chapter 2 Pre-Installation
    Recommended Server Configuration

Chapter 3 Independent Management Architecture
    Understanding Zones
    Function of the Data Store in a Server Farm
    Working with the Local Host Cache

Chapter 4 MetaFrame XP Server Farm Design
    Designing Server Farms for Enterprises
    Planning Zones in Server Farms
    Using MetaFrame XP on Multihomed Servers
    Data Store Guidelines
    Data Store Requirements
    Data Store Network Optimizations
    Implementing the Data Store in a Storage Area Network
    MetaFrame XP Server Farm Deployment Scenarios

Chapter 5 Deploying MetaFrame XP
    Rapid Deployment of MetaFrame XP Feature Release 2/Service Pack 2
    Installing Citrix Administrative Tools
    Deploying Citrix ICA Clients
    Deploying NFuse Classic

Chapter 6 Publishing Applications
    Using Installation Manager to Deploy Windows Installer Packages
    Application Deployment Considerations with Installation Manager 2.2
    Publishing in Domains with Thousands of Objects
    Working with the Content Redirection feature
    Troubleshooting Tips, Error Messages, and Conditions
    Enhanced Content Publishing and Content Redirection Support in NFuse Classic 1.7

Chapter 7 Integrating MetaFrame with Novell Directory Services
    Overview
    Implementing NDS Support in MetaFrame XP
    Tips and Techniques

Chapter 8 Security Issues and Guidelines
    Securing MetaFrame XP Servers
    Security Considerations for the Data Store
    Network Security Considerations
    MetaFrame Server and Client Configurations for Seamless Proxy Integration
    Using Smart Cards with Feature Release 2
    Deploying the Java Client using NFuse Classic with Custom SSL/TLS Certificates

Chapter 9 Printer Management
    Printer Driver Replication

Chapter 10 Maintaining MetaFrame XP Server Farms
    Cycle Booting MetaFrame XP Servers
    Changing Farm Membership of Servers
    Renaming a MetaFrame Server
    Uninstalling MetaFrame Servers in Indirect Mode

Chapter 11 Managing MetaFrame XP Server Farms
    Citrix Management Console
    Citrix Installation Manager
    Citrix Resource Manager
    Citrix Network Manager
    User Policies Best Practices
    User-to-User Shadowing Best Practices
    Delegated Administration Tips

Chapter 12 Optimizing the Performance of MetaFrame XP
    Client Optimizations
    Disk Optimizations
    Memory Optimizations
    Network Optimizations
    Server Optimizations
    User Settings Optimizations

Chapter 13 Utilities
    DRIVEREMAP
    DSVIEW
    IMAPORT
    MSGHOOK
    QPRINTER
    QUERYDC
    QUERYDS
    QUERYHR
    SCCONFIG

Chapter 14 Troubleshooting
    Troubleshooting IMA
    Troubleshooting Novell Directory Services Integration
    Collecting Citrix Technical Support Information
    Troubleshooting Frequently Encountered Obstacles

Appendix A Configuring Microsoft SQL Server 2000 for Replication
    Setting up the SQL Server Data Store for Distribution

Appendix B Configuring Microsoft SQL Server 7 for Replication
    Introduction
    Replicating a MetaFrame XP Server Farm’s Data Store
    Pointing MetaFrame XP Servers to the Replicated Database

Appendix C Distributing Connections Among NFuse Classic 1.7 Servers
    Overview

Appendix D Using Citrix Products in a Wireless LAN Environment
    Wireless LAN Vulnerabilities
    Citrix Architecture Security

Appendix E Tested Hardware

Appendix F IMA Subsystem Tracing

Appendix G IMA Error Codes

Appendix H Citrix Management Console Error Codes

Appendix I Registered Citrix Ports

Index

Chapter 1

Introduction

Advanced Concepts for MetaFrame XP with Feature Release 2 and Service Pack 2 — this book — is a collection of best practices, tips, and suggestions for effectively using Citrix MetaFrame XP with Feature Release 2 and Service Pack 2. The information in this guide is compiled from departments within Citrix, including the worldwide Test and Development Engineering departments, Systems Engineers, and Citrix Consulting Services. To get the most from this guide, you should be familiar with the concepts and configuration procedures in the MetaFrame XP Administrator’s Guide and additional documentation for MetaFrame XP components.

Be sure to read the Feature Release 2 readme file, named sp12-fr2_readme.txt, and the ICA Client readme files for known issues and workarounds. For further information or to get white papers about some of the topics discussed in this document, visit the Citrix Web site at http://www.citrix.com.

Note All terminology, product references, and recommendations are subject to change without notice.

Editing Registry Settings

Many topics throughout this guide refer to settings in the Windows registry. Be sure to take precautions to protect the security and integrity of the registry on MetaFrame XP servers. For information about backing up the registry and other precautions, refer to the documentation included with Windows operating systems.

CAUTION Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it. If you are running Windows NT, make sure you also update your Emergency Repair Disk.

Documentation Conventions

References to Load Manager and load management apply to MetaFrame XPa and MetaFrame XPe editions only; Load Manager is not available with MetaFrame XPs edition.

References to Citrix Resource Manager, Citrix Installation Manager, and Citrix Network Manager apply to MetaFrame XPe only.

Terms and Abbreviations

For a complete glossary of MetaFrame XP terminology, see the glossary at the back of the MetaFrame XP Administrator’s Guide.

The following terms and abbreviations are used in this document:

CSG: Citrix Secure Gateway

CSP: Cryptographic Service Provider; used with Smart Card implementations

DCS: Database Connection Server

DirXML: A utility that allows multiple trees to be combined to look like one tree

DLU: Dynamic Local User; created and given rights to access a Windows system when an NDS user logs on to a MetaFrame server

DMZ: Demilitarized zone; a “neutral” zone between a company’s private network and the outside public network. Also referred to as a “screened subnet.”

DSN: Data Source Name

eDirectory: A platform-independent version of NDS

farm server: Any MetaFrame server in a Citrix server farm, including member servers, data collectors, and host servers

FQDN: Fully Qualified Domain Name

FMS: Farm Metric Server

host server: The MetaFrame XP server in a farm that hosts an Access data store

ICA: Independent Computing Architecture; the protocol developed by Citrix for remote display

IMA: Independent Management Architecture; the internal communication architecture of MetaFrame XP, usually refers to the Citrix IMA Service that is installed with MetaFrame XP

LHC: Local host cache; the subset of information from the data store that resides on each MetaFrame XP server

member server: Any server in a farm that is not a data collector or host server

MSCS: Microsoft Clustering Services; used to allow access to a group of server resources from one access point

MTS: Multi-threaded Server mode for Oracle servers

NDS: Novell Directory Services; NDS contains network resources, such as users, applications, and network devices, in a database

NTS: Windows NT Security authentication mode for Oracle Servers

ODBC: Open Database Connectivity

OPS: Oracle Parallel Server

OS: Operating system, usually referring to the Microsoft Windows 2000 Server Family (with Terminal Services installed) or Microsoft Windows NT Server 4.0, Terminal Server Edition

TSE: Microsoft Windows NT Server 4.0, Terminal Server Edition

WEP: Wireless Encryption Privacy; the communication protocol between a wireless networking card and wireless access point

Win32: 32-bit Windows platforms such as Windows NT, Windows 2000, Windows 95, Windows 98, Windows Me, and Windows XP

ZWFD: Novell’s ZENworks for Desktops 3; used to manage desktops in a Novell environment

MetaFrame XP, Feature Release 2 Documentation

The documentation for MetaFrame XP, Feature Release 2 includes electronic manuals and online application help.

The documentation included with MetaFrame XP is available in the Docs directory on the MetaFrame XP CD. Documentation for ICA Client software and additional MetaFrame components is available on the MetaFrame XP Components CD.

Important additional documentation for Citrix products is available from the Product Documentation page in the Support area of the Citrix Web site at www.citrix.com/support.

On a MetaFrame XP server, documentation is installed in a Documentation folder. You can display the contents of this folder by choosing Programs > Citrix > Documentation from the Start menu.

The following documentation is included with MetaFrame XP, Feature Release 2:

• The MetaFrame XP Administrator’s Guide provides conceptual information and procedures for system administrators who install, configure, and maintain MetaFrame XP for Windows.

• The sp2-fr2_readme.txt file contains last minute updates, corrections to the documentation, and a list of known problems. This file is in the root directory of the MetaFrame XP CD.

• The NFuse Classic Administrator’s Guide and Customizing NFuse include information about installing, configuring, and customizing NFuse.

• The Citrix ICA Client Administrator’s Guides provide instructions for system administrators who deploy ICA Clients to end-users on various computing platforms.

• The Citrix Secure Gateway Administrator’s Guide provides instructions for installing and administering Citrix Secure Gateway.

• The Enterprise Services for NFuse Administrator’s Guide provides instructions for setting up and administering enterprise services that complement NFuse.

Using PDF Documentation

To access the Citrix documentation that is provided in PDF files, use Adobe Acrobat Reader 4 or later. Acrobat Reader lets you view, search, and print the documentation.

You can download Acrobat Reader for free from the Adobe Systems Web site (http://www.adobe.com). The self-extracting file includes installation instructions.

Typographic Conventions

MetaFrame XP documentation uses the following typographic conventions for Windows directories, command syntax, and keyboard keys:

Convention: Definition

Boldface: Menu commands and commands that you type at a command prompt on a MetaFrame server.

Italics: Placeholders for information or parameters provided by the user (such as filename for the name of a specific file), new technical terms, and book titles.

UPPERCASE: Keyboard keys, such as CTRL for the Control key and F2 for the function key labeled F2.

Monospace: Registry keys and text displayed at a command prompt or in a script file.

%SystemRoot%: The Windows system directory, usually WTSRV, WINNT, or WINDOWS.

%ProgramFiles%: The Windows Program Files directory where application files are placed during installation (default is C:\Program Files).

[ ] (brackets): Optional items in command statements, such as [/ping] to mean you can type /ping (without brackets) in a command statement.

| (vertical bar): A separator between items in braces or brackets in command statements, such as { /hold | /release | /delete } to mean you type /hold or /release or /delete.

Using Online Help

Online help is available for the Citrix Management Console and the other tools that are included with MetaFrame XP.

You can access online help from the Help menu of each program; the program must be running for you to view its online help. You can use shortcuts to launch MetaFrame XP utilities and the Citrix Management Console. Shortcut icons are located in the MetaFrame XP folder. To open this folder, click the Start menu and choose Programs > Citrix > MetaFrame XP.

Online help for the Citrix Management Console is in JavaHelp format and requires the Java Run-Time Environment (JRE), which MetaFrame XP installs by default on the server. Online help for server utilities and the Windows ICA Clients is in WinHelp format, which is available by default on all Windows systems. Online help for other ICA Clients uses standard help formats for their platforms.

Citrix ICA Client software for all platforms includes online help for using applications and configuration settings. Help is available from Help menus or Help buttons in the ICA Clients.

Providing Feedback About this Guide

We invite your comments and suggestions to help us ensure that the information in Advanced Concepts is accurate and complete. This document may be updated to include new and revised information and corrections as necessary. New versions of the document will be available on the Citrix Web site.

We strive to provide accurate, clear, complete, and usable documentation for our products. If you have any comments, corrections, or suggestions for improving our documentation, we want to hear from you.

You can send email to the documentation authors at [email protected]. Please include the product name, product version number, and the title of the document in your message. Include a detailed description of your correction or suggestion, and your return email address if you would like a reply.

Chapter 2

Pre-Installation

Recommended Server Configuration

This chapter includes recommendations for server hardware and operating system configurations. Be sure to read and consider these recommendations before deploying MetaFrame XP with Feature Release 2.

Hardware Configuration

In multi-processor configurations, Citrix recommends a RAID (Redundant Array of Independent Disks) setup. If RAID is not an option, a fast SCSI 2, 3, or Ultra 160 drive is recommended.

For quad and eight-way servers, install at least two controllers, one for operating system disk usage and the other to store applications and temporary files. Isolate the operating system as much as possible; applications should not be installed on its controller. Distribute hard drive access load as evenly as possible across the controllers. One way to accomplish this is to separate the applications and temporary files on two separate controllers.

The sizes of the partitions and hard drives are dependent on both the number of users connecting to the MetaFrame server and the applications running on the server. Running applications such as Microsoft Internet Explorer and the Microsoft Office suite can result in user profile directory sizes of hundreds of megabytes. Large numbers of user profiles can use gigabytes of disk space on the server. You must have enough disk space for these profiles on the server.

Operating System Configuration

All partitions, especially the system partition, must be in NT File System (NTFS) format to allow security configuration, better performance, and fault tolerance. NTFS also reduces disk space usage because NTFS partitions have much smaller and constant cluster sizes (the minimum size is 4KB).

FAT partitions require much larger cluster sizes as the size of the partition increases (with the minimum being 32KB). More space is wasted on FAT partitions because the file system requires an amount of physical disk space equal to the cluster size of the partition used to store a file, even if the file is smaller than the cluster size. For more information about cluster sizes of FAT and NTFS partitions, see Microsoft Knowledge Base article Q140365.

If possible, install only one network protocol on the server. This practice frees up system resources and reduces network traffic. If multiple protocols are needed, set the bind order so that the most commonly used protocol is first.

When working with Terminal Services, increase the registry size to accommodate the additional user profile and applications settings that are stored in the registry. On a single-processor server, you need to reserve at least 40MB for the registry. Reserve at least 100MB on quad and eight-way servers.

You can also increase performance by properly tuning the pagefile. For more information about the pagefile, see Microsoft Knowledge Base article Q197379.

Service Packs and Updates

MetaFrame XP servers use Microsoft Jet drivers extensively. The Microsoft Jet Database Engine is used by the local host cache on every MetaFrame XP server. It is also used when Citrix Resource Manager is installed. Citrix recommends installing Microsoft service packs for the Microsoft Jet Database Engine. Older versions contain memory leaks that appear as Citrix IMA Service memory leaks. Apply these service packs and patches before installing MetaFrame on the servers. See TechNet article Q273772 at http://support.microsoft.com/support/ for more information.

Important A memory leak in the Microsoft Jet Database Engine is fixed in Windows 2000 Service Pack 2. To use MetaFrame XP on a Windows 2000 system on which Windows 2000 Service Pack 2 is not installed, you must install the hotfix described in TechNet article Q273772, “FIX: Memory Leak in Jet ODBC Driver with SQL_NUMERIC or SQL_C_BINARY Data,” at http://support.microsoft.com/support/.

The amount of memory consumed by the Citrix IMA Service can be reduced by changing MaxBufferSize in a registry entry for the Microsoft Jet 4.0 database engine.

To change the maximum buffer size

1. Run regedt32.

2. Locate the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Jet 4.0

3. Double-click MaxBufferSize in the right pane.

4. In the DWORD Editor dialog box, enter 0x200 in the Data box. Accept the default radix, Hex, in the Radix box.

5. Click OK.

CAUTION Observe precautions when editing the registry. See Microsoft documentation for more information about backing up and editing the registry.


Chapter 3

Independent Management Architecture

This chapter includes information about the internal communication architecture in MetaFrame XP, known as Independent Management Architecture (IMA), that you should consider during your planning and pilot phases. Be sure to read this chapter before deploying MetaFrame XP in a production environment. Topics discussed in this chapter include:

• Zones

• The server farm’s data store

• The local host cache

Understanding Zones

Zones in a farm perform two functions. The first is to collect data from member servers in a hierarchical structure. The second is to efficiently distribute changes to all servers in the farm. All member servers must belong to a zone. By default, the zone name is the subnet ID on which the member server resides.

Each zone data collector has a connection open to all other data collectors in the farm. A zone’s data collector uses this connection to immediately relay any changes reported by the zone’s member servers to the data collectors of all other zones. Thus all data collectors are aware of the server load, licensing, and session information for every server in the farm. The formula for interzone connections is N * (N-1)/2, where N is the number of zones in the farm.


If no communication is received from a member server in its own zone within the configured time interval, the zone data collector pings (IMA Ping) that server to verify that it is online. The default interval is one minute. You can configure this interval by adding the following value to the registry. The interval, in milliseconds, is expressed in hexadecimal notation.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\KeepAliveInterval (DWORD)

Value: 0xEA60 (60,000 milliseconds default)

In normal operation, data collectors are synchronized through frequent updates. Occasionally, an update sent from one data collector to another data collector can fail. Instead of repeatedly trying to contact a zone that is down or unreachable, a data collector waits a specified interval before attempting to communicate again. The default wait interval is five minutes. You can configure this interval by adding the following value to the registry. The interval, in milliseconds, is expressed in hexadecimal notation.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\GatewayValidationInterval (DWORD)

Value: 0x493E0 (300,000 milliseconds)

Configuring Data Collectors in Large Zones

The data collector maintains all load and session information for every server in its zone. By default, a single zone supports up to 256 member servers. If a zone has more than 256 member servers, each zone data collector and potential zone data collector must have a new registry setting. This new setting controls how many open connections to member servers a data collector can have at one time.

To prevent the data collector from constantly destroying and recreating connections to stay within the limit, set the registry value higher than the number of servers in the zone. You can configure this value by adding the following value, expressed in hexadecimal notation, to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\MaxHostAddressCacheEntries (DWORD)

Value: 0x100 (default 256 entries)


Function of the Data Store in a Server Farm

The data store provides a repository of persistent information about the server farm for all servers to reference. The data store retains information that does not change frequently, including the following:

• Published application configurations

• Server configurations

• Citrix administrator accounts

• Trust relationships

• Licenses

• Printer configurations

CAUTION If the MetaFrame XP data store database is lost, you must recreate the farm. You cannot recreate the data store from an existing farm.

Database Format

With the exception of indexes, all information in the data store is in binary format. Meaningful queries cannot be executed directly against the data store. Neither Citrix administrators nor users should directly query or change information in the data store. Use only IMA-based tools, such as the Citrix Management Console, to access the information in the data store.

CAUTION Do not directly edit any data in the data store database with IBM DB2, Microsoft SQL Server, or Oracle tools. Doing so corrupts the farm database and causes the farm to become unstable or completely unusable.


Data Store Activity

All servers in the farm query the data store when they are started. The following registry setting determines whether or not IMA requires a connection to the data store in order to start:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired (DWORD)

Value: 0 or 1

If the value is 0, IMA can start without a connection to the data store. If the value is 1, IMA requires a connection to the data store in order to start. After the first time the IMA service starts successfully, the value is set to 0.

Working with the Local Host Cache

A subset of the information from the data store is stored locally on each MetaFrame XP server. This subset is called the local host cache (LHC). All of the servers in the MetaFrame XP server farm query the data store periodically to determine if any changes were made since the LHC was last updated. If changes were made, the servers request these changes. The default data store query interval is 10 minutes. You can configure the interval using the following registry key, with the value expressed in hexadecimal notation:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DCNChangePollingInterval (DWORD)

Value: 0x927C0 (default 600,000 milliseconds)

Important If a server in the farm is unable to contact the data store for 96 hours, licensing stops functioning on the member server and connections are disabled.
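One way to check an exported copy of the IMA registry values described in this chapter against the defaults it lists, as an added example (not Citrix code or a Citrix tool). The .reg export is constructed, the zone size of 300 servers is an assumption, and the function names are hypothetical.

```python
import re

IMA = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA"
RUNTIME = IMA + r"\Runtime"

# (key, value name) -> (default listed in this chapter, unit).
# MaxHostAddressCacheEntries is a single word in the registry.
DOCUMENTED = {
    (RUNTIME, "KeepAliveInterval"): (0xEA60, "ms"),
    (RUNTIME, "GatewayValidationInterval"): (0x493E0, "ms"),
    (RUNTIME, "MaxHostAddressCacheEntries"): (0x100, "entries"),
    (IMA, "DCNChangePollingInterval"): (0x927C0, "ms"),
}

# Constructed sample export (not taken from a real server).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA]
"DCNChangePollingInterval"=dword:000927c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime]
"KeepAliveInterval"=dword:00007530
"MaxHostAddressCacheEntries"=dword:00000100
"PSRequired"=dword:00000001
'''


def parse_reg(text):
    """Return {(key, value name): int} for every DWORD in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1)
            continue
        dword = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if dword and key:
            # .reg files store DWORDs as hexadecimal without the 0x prefix.
            values[(key, dword.group(1))] = int(dword.group(2), 16)
    return values


def audit(values, zone_servers):
    """Return (value name, status, detail) tuples worth an administrator's attention."""
    findings = []
    for (key, name), (default, unit) in DOCUMENTED.items():
        current = values.get((key, name))
        if current is None:
            findings.append((name, "absent", f"default {default} {unit} applies"))
        elif current != default:
            findings.append((name, "changed", f"{current} {unit} (default {default})"))
    # The limit must be higher than the number of servers in the zone,
    # otherwise the data collector keeps destroying and recreating connections.
    cache = values.get((RUNTIME, "MaxHostAddressCacheEntries"), 0x100)
    if cache <= zone_servers:
        findings.append(("MaxHostAddressCacheEntries", "too-low",
                         f"{cache} entries for {zone_servers} servers in the zone"))
    # PSRequired = 1 means IMA needs a data store connection in order to start.
    if values.get((RUNTIME, "PSRequired")) == 1:
        findings.append(("PSRequired", "data-store-required",
                         "IMA will not start without the data store"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG), zone_servers=300):
        print(*finding, sep=": ")
```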

When the Citrix Management Console is opened, it connects to the specified MetaFrame server. The Citrix IMA Service running on this server performs all reads and writes to the data store for the Citrix Management Console. Most changes made through the Citrix Management Console are written to the data store.

Refreshing the Local Host Cache

If the Citrix IMA Service is running, but published applications do not appear correctly when ICA Clients browse for application sets, you can force a manual refresh of the local host cache by executing dsmaint refreshlhc from a command prompt on the affected server. This action forces the local host cache to read all changes immediately from the data store.


A discrepancy in the local host cache occurs only if the IMA Service on a server misses a change event and is not synchronized correctly with the data store.

Recreating the Local Host Cache

The Citrix IMA Service can fail to start because of a corrupt local host cache. For more information about troubleshooting when the IMA Service fails to start, see “Troubleshooting IMA” on page 201.

To recreate the local host cache, run dsmaint recreatelhc, which performs three actions:

1. Sets the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\PSRequired to 1.

2. Deletes the existing imalhc.mdb.

3. Recreates an empty imalhc.mdb.

When the IMA service is stopped and restarted, the local host cache is repopulated with the data from the data store.

Important The data store server must be available for dsmaint recreatelhc to work. If the data store is not available, the Citrix IMA Service fails to start.


CHAPTER 4

MetaFrame XP Server Farm Design

This chapter includes information to consider when planning the design of your MetaFrame XP server farm. Topics discussed in this chapter include:

• Designing server farms

• Planning zones in server farms

• Choosing a data store database

• Working with the data store database

Designing Server Farms for Enterprises

One of the decisions you must make before you deploy MetaFrame XP is whether to implement a single MetaFrame XP server farm or multiple server farms. This section discusses the factors you should consider before you make this decision.

Deploying a Single Farm

While you can configure one server farm in an enterprise environment, there are several factors, including hardware capability, database performance, and network congestion, that can decrease the farm’s performance.

The following points describe the benefits of implementing a single MetaFrame XP server farm.

Pooled licenses. All MetaFrame XP licenses are pooled together and can be used by all servers in the farm.

Simple maintenance and administration. Citrix administrators log on to one farm only for all maintenance and administrative tasks. Administrators do not need to open multiple Citrix Management Console windows to view all servers in the enterprise. Opening multiple Citrix Management Console windows on a server uses more resources than opening a single Citrix Management Console window.


Deploying Multiple Farms

The following points describe the benefits of implementing multiple MetaFrame XP server farms.

Reduced IMA traffic. One server farm with remote zone data collectors must communicate frequently to keep published application and user connection information synchronized across the farm. Previous versions of MetaFrame queued up these communications and sent them across an ICA gateway at configurable intervals. MetaFrame XP sends these communications as they are generated, requiring a dedicated WAN connection between zone data collectors. If the WAN cannot support the network traffic, you can improve performance by implementing a separate farm at each remote site.

No data store replication. Citrix recommends that you replicate the data store to remote sites when using one server farm in a WAN environment. Implementing multiple farms eliminates the need for data store replication because each remote site maintains its own data store.

No Internet traffic. When you implement multiple farms, they do not span an Internet WAN connection. As a result, IMA traffic and ODBC connection information cannot be intercepted.

No firewall changes. By default, IMA uses TCP ports 2512 and 2513 to communicate. If you want to change the default IMA communication ports, you can do so using the imaport utility. Regardless of the port numbers used for IMA communication, they must be open when the server farm spans a firewall. Implementing a separate server farm at each site eliminates the need to open ports 2512 and 2513 on the firewall and any ODBC ports used for data store communication.

Deploying Multiple Farms at a Single Site

The following points describe the benefits of implementing multiple MetaFrame XP server farms in a single-site environment.

Departmental Licensing. Implementing a separate server farm for each department keeps licensing localized.

Separate Administration. Application Service Providers can implement a separate farm for each customer, further easing security concerns and controlling Citrix administrators’ access to farms.

With Independent Management Architecture, the internal communication architecture of MetaFrame XP, you can remotely manage multiple farms with the Citrix Management Console.


You can manage all farms from a single server or workstation that has the Citrix Management Console installed. When logging on to the console, Citrix administrators enter the name of a server in the farm to which they want to connect.

You can also run multiple instances of the Citrix Management Console simultaneously; for example, one for each farm. However, doing so uses more resources on the server running the multiple instances of the console.

Note You can use Citrix Enterprise Services for NFuse to provide a single point of access to applications from multiple MetaFrame server farms across the enterprise. For more information about Enterprise Services for NFuse, see the Enterprise Services for NFuse Administrator’s Guide, located on the MetaFrame XP Components CD.

Planning Zones in Server Farms

The layout and distribution of zones in a MetaFrame XP server farm can greatly affect the end user’s perception of performance. The following recommendations are the result of extensive testing in the Citrix eLabs.

A 500MHz Pentium III data collector can support approximately 190 resolutions per second. The number of resolutions per second that a data collector can handle is directly related to the number of servers hosting a published application.

Consider the following points when designing zones:

• The number of users connecting to the farm

• The length of time the average user stays logged on to a session (a single daily session or repeated short sessions)

• The number of users logging on simultaneously

• The number of published applications with load evaluators (using Citrix Load Manager) attached

The last two items result in a much higher load on the data collector. Monitor the CPU and memory usage on the data collector to ensure that it is not being overloaded with requests.


Zone Deployment

Each zone’s data collector stores information about all of the servers in the farm. Member servers in each zone frequently send updated session and load information to their zone’s data collector. When a user logs on or off, connects or disconnects, or a server load changes, the data collector relays the new information to all other data collectors in the farm. The amount of bandwidth used by each operation increases proportionally to the number of zones. To optimize performance, keep the number of zones in the MetaFrame farm as low as possible while still being able to fulfill all enumeration and resolution requests in a timely manner.

Having a large number of zones in a server farm can impact the performance of the network and the MetaFrame XP farm because this configuration can result in high network bandwidth consumption and decreased performance of the data collectors.

If you experience network congestion or performance degradation in the server farm, consider taking one of the following actions to minimize network traffic:

• Reduce the number of zones in the farm

• Configure each zone to reside on its own subnet

Depending on the server hardware and farm activity, a data collector can support more than 100 servers. Therefore, when sizing a zone, start with 100 servers per zone. Monitor the CPU usage on the data collector during normal farm activity to determine what the data collector hardware can support. If the data collector begins to get overwhelmed with enumeration or resolution requests or regular reporting, consider taking the following actions to reduce the load on the current data collector:

• Divide the current zone into two zones

• Dedicate the data collector to handle only ICA Client requests and to not accept ICA Client connections

Important If you are installing MetaFrame XP on servers that reside on multiple subnets in the same zone, do not use the default zone name presented to you during MetaFrame Setup. The default zone name is based on the subnet of the server joining the farm. If you did not change the zone name when you installed MetaFrame, you can change it on the farm’s Properties dialog box using Citrix Management Console.


Using a Dedicated Data Collector

In general, if users experience slow connection times due to high CPU utilization on the data collector, consider dedicating a MetaFrame XP server to act solely as the zone data collector.

When deciding whether or not to dedicate a MetaFrame XP server for use solely as a zone data collector, consider the following factors:

• The number of member servers within the zone

• The number of zones within the farm (interzone communication)

• The number of times users log on and request application enumerations

• The number of times you restart the servers in the zone

Using MetaFrame XP on Multihomed Servers

MetaFrame XP (with Service Pack 1 or later) includes support for multihomed servers. This section explains how to implement MetaFrame XP on a server operating with two or more network interface cards (NICs).

You can run MetaFrame XP on multihomed servers to provide access to two network segments with no direct route to each other. Because each separate network uses the same MetaFrame resources, the networks can access the same server farm.

Running MetaFrame XP on multihomed servers also allows you to separate server-to-server communication from client-to-server communication. This scenario is illustrated in the figure below and is the subject of the examples referred to in this section.


Citrix recommends that you do not configure multihomed servers running MetaFrame XP to operate as routers (TCP/IP forwarding).

[Figure: Simple representation of a multihomed MetaFrame server farm. Labels: Web servers with NFuse Classic "WEB01" and "WEB02"; multihomed MetaFrame servers "MFSRV01" and "MFSRV02"; ICA Clients "ICA01" and "ICA02"; two routers; networks 10.8.1.0/24, 10.8.2.0/24, 172.16.1.0/24, and 192.168.1.0/24.]


To successfully run MetaFrame XP on multihomed servers, you may need to manually configure the local routing tables. When Windows automatically builds the server’s routing tables, the resulting network card binding order and default gateway configuration may not meet your needs. For information about changing the default gateway, see “Configuring a Default Gateway” on page 30.

When ICA Clients request a server name or published application, the MetaFrame XP server that receives the request returns the TCP/IP address of the appropriate MetaFrame server.

The following requests from ICA Clients require address resolution:

• Find the address of the data collector

• Find the TCP/IP address of a given MetaFrame server name

• Find the TCP/IP address of the least loaded server for a published application

When a MetaFrame server receives an address resolution request from an ICA Client, the server compares the TCP/IP address of the ICA Client to its local routing table to determine which network interface to return to the client. If the routing table is not configured correctly, the client’s request cannot be filled.

The figure above illustrates two multihomed MetaFrame servers, each with a connection to the 10.8.1.0/24 and 172.16.1.0/24 subnets. Neither server is configured to route between the two network interfaces.

The process described below occurs when an ICA Client requests a response from a MetaFrame XP server.

1. The ICA Client with TCP/IP address 10.8.2.20 (ICA01) sends an address resolution request to the MetaFrame XP server named MFSRV01.

2. MFSRV01 has the TCP/IP address 10.8.1.3. This server also has a second NIC with TCP/IP address 172.16.1.3.

3. ICA01 is configured with MFSRV01 for its server location. ICA01 contacts MFSRV01 and requests a load-balanced application.

4. The TCP/IP address of the least loaded server hosting the requested published application must be supplied to ICA01. MFSRV01 determines that MFSRV02 is the least loaded server.

5. MFSRV02 has two TCP/IP addresses, 10.8.1.4 and 172.16.1.4.


6. MFSRV02 determines the source address of ICA01. The MetaFrame XP server uses its local routing table to determine what network interface should be returned to the client. In this case, the NIC configured on the 10.8.2.0/24 network is returned to the client. If there is no explicit entry for the NIC in the local routing table, the default route, configured automatically by Windows, is used.

7. MFSRV01 uses the local routing table to correctly respond with the 10.8.1.4 address when directing the client to MFSRV02.

Configuring the Routing Table

To set up a routing table on a multihomed server running MetaFrame XP, first configure a single default gateway and then add static routes.

Configuring a Default Gateway

Although Windows servers build multiple default gateways, the network binding order of the NICs in the server determines which default gateway to use. Using the example illustrated in the figure above, we selected the 10.8.1.1 address as our default gateway. However, we must move the network card operating on the 10.8.1.0/24 network to the first position in the network binding order.

To configure the network binding order

For Windows 2000

1. Open Start > Control Panel > Network Connections.

2. Select Advanced on the Advanced Settings menu.

3. In the Connections area, move the NIC you want to act as your default gateway to the first position in the list.

For Windows NT

1. Open Properties of Network Neighborhood.

2. On the Bindings tab, select “show bindings” for All protocols.

3. Expand the TCP/IP branch of the tree.

4. Select the network interface you want to operate as the default route.

5. Click Move Up until the selected NIC is in the first position in the list.


There may be certain environments where the configuration of the network binding order will not be sufficient for MetaFrame XP to function properly. For example, if you have a MetaFrame XP server with two connections to the Internet where each connection provides ICA connectivity for a diverse range of IP subnets, the MetaFrame XP server uses only the default gateway of the first NIC in its network binding order (referred to as Network 1).

If the MetaFrame XP server receives a request from an ICA Client on its second NIC (Network 2), which is not the default gateway, and there is no entry in the local routing table of the MetaFrame server for Network 2, the response to the client request is sent through Network 1, which causes the client’s request to fail.

Alternatively, you can remove the additional default gateway configurations from each NIC on the server. This is done through the server’s TCP/IP configuration. Using servers MFSRV01 and MFSRV02 from our example, we select 10.8.1.1 as our default gateway for both servers and remove the default gateway setting from the NICs operating on the 172.16.1.0/24 network.

Running the command line utility IPCONFIG on MFSRV01 returns the following:

Windows IP Configuration

Ethernet adapter Local Area Connection #1:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.8.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.8.1.1

Ethernet adapter Local Area Connection #2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Running IPCONFIG on MFSRV02 returns the following:

Windows IP Configuration

Ethernet adapter Local Area Connection #1:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.8.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.8.1.1

Ethernet adapter Local Area Connection #2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.1.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Adding Static Routes

You can define static, persistent routes to avoid potential routing conflicts. Depending on your network configuration, adding static routes may be the only way to provide ICA connectivity to a multihomed MetaFrame XP server. The data displayed below uses the example illustrated in the preceding figure.

Executing the ROUTE PRINT command from a command prompt on MFSRV01 returns the following:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 c9 2b f8 dc ...... Intel 8255x-based Integrated Fast Ethernet
0x3 ...00 c0 0d 01 12 f5 ...... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.8.1.1        10.8.1.3       1
         10.8.1.0    255.255.255.0         10.8.1.3        10.8.1.3       1
         10.8.1.3  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255         10.8.1.3        10.8.1.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0       172.16.1.3      172.16.1.3       1
       172.16.1.3  255.255.255.255        127.0.0.1       127.0.0.1       1
     172.16.1.255  255.255.255.255       172.16.1.3      172.16.1.3       1
        224.0.0.0        224.0.0.0         10.8.1.3        10.8.1.3       1
        224.0.0.0        224.0.0.0       172.16.1.3      172.16.1.3       1
  255.255.255.255  255.255.255.255         10.8.1.3        10.8.1.3       1
Default Gateway:          10.8.1.1
===========================================================================
Persistent Routes:
  None


MFSRV01 is currently configured with a default gateway using the router at 10.8.1.1. Note that the second client, ICA02, is located on the 192.168.1.0/24 network, which is accessed through the router at 172.16.1.1. For MFSRV01 to have network connectivity and to avoid using the default gateway when responding to requests from ICA02, define a static route for the 192.168.1.0/24 network:

ROUTE -p ADD 192.168.1.0 MASK 255.255.255.0 172.16.1.1

Executing ROUTE PRINT on MFSRV01 now returns:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 a0 c9 2b f8 dc ...... Intel 8255x-based Integrated Fast Ethernet
0x3 ...00 c0 0d 01 12 f5 ...... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.8.1.1        10.8.1.3       1
         10.8.1.0    255.255.255.0         10.8.1.3        10.8.1.3       1
         10.8.1.3  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255         10.8.1.3        10.8.1.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0       172.16.1.3      172.16.1.3       1
       172.16.1.3  255.255.255.255        127.0.0.1       127.0.0.1       1
     172.16.1.255  255.255.255.255       172.16.1.3      172.16.1.3       1
      192.168.1.0    255.255.255.0       172.16.1.1      172.16.1.3       1
        224.0.0.0        224.0.0.0         10.8.1.3        10.8.1.3       1
        224.0.0.0        224.0.0.0       172.16.1.3      172.16.1.3       1
  255.255.255.255  255.255.255.255         10.8.1.3        10.8.1.3       1
Default Gateway:          10.8.1.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.1.0    255.255.255.0       172.16.1.1       1

Configure MFSRV02 the same way. When the static routes are set up, both ICA Clients can ping the TCP/IP addresses of both MetaFrame servers, and the servers can ping the clients.

Each MetaFrame server can now correctly resolve the network interface to which either ICA Client is connecting. The TCP/IP addresses that the ICA01 client can receive are 10.8.1.3 and 10.8.1.4. The TCP/IP addresses that the ICA02 client can receive are 172.16.1.3 and 172.16.1.4.
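The address selection described in this section, as an added example (not Citrix code): it models the server's comparison of the client address with its local routing table as a standard longest-prefix match over the ROUTE PRINT rows shown above for MFSRV01, and checks which NIC each client would be handed before and after the static route. The ICA02 address 192.168.1.2, the expected-segment map, and all function names are assumptions.

```python
import ipaddress

# Active routes printed above for MFSRV01 before the static route is added:
# destination, netmask, gateway, interface, metric.
MFSRV01_ROUTES = """\
0.0.0.0          0.0.0.0          10.8.1.1    10.8.1.3    1
10.8.1.0         255.255.255.0    10.8.1.3    10.8.1.3    1
10.8.1.3         255.255.255.255  127.0.0.1   127.0.0.1   1
10.255.255.255   255.255.255.255  10.8.1.3    10.8.1.3    1
127.0.0.0        255.0.0.0        127.0.0.1   127.0.0.1   1
172.16.1.0       255.255.255.0    172.16.1.3  172.16.1.3  1
172.16.1.3       255.255.255.255  127.0.0.1   127.0.0.1   1
172.16.1.255     255.255.255.255  172.16.1.3  172.16.1.3  1
224.0.0.0        224.0.0.0        10.8.1.3    10.8.1.3    1
224.0.0.0        224.0.0.0        172.16.1.3  172.16.1.3  1
255.255.255.255  255.255.255.255  10.8.1.3    10.8.1.3    1
"""
# Row that "ROUTE -p ADD 192.168.1.0 MASK 255.255.255.0 172.16.1.1" adds.
STATIC_ROUTE = "192.168.1.0 255.255.255.0 172.16.1.1 172.16.1.3 1\n"

# Server-side segment each client is expected to be handed.
# 10.8.2.20 is ICA01 from the walkthrough; 192.168.1.2 for ICA02 is an assumption.
EXPECTED_SEGMENT = {
    "10.8.2.20": "10.8.1.0/24",
    "192.168.1.2": "172.16.1.0/24",
}


def parse_routes(text):
    """Turn ROUTE PRINT rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators, blank lines
        dest, mask, gateway, interface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((network, gateway,
                           ipaddress.ip_address(interface), int(metric)))
        except ValueError:
            continue  # a five-word line that is not a route row
    return routes


def select_route(routes, client):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(client)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def returned_interface(routes, client):
    """Local interface address the server would return to this client."""
    route = select_route(routes, client)
    return None if route is None else str(route[2])


def audit(routes, expected):
    """List (client, interface) pairs where the returned NIC is on the wrong segment."""
    problems = []
    for client, segment in expected.items():
        iface = returned_interface(routes, client)
        if iface is None or ipaddress.ip_address(iface) not in ipaddress.ip_network(segment):
            problems.append((client, iface))
    return problems


if __name__ == "__main__":
    before = parse_routes(MFSRV01_ROUTES)
    after = parse_routes(MFSRV01_ROUTES + STATIC_ROUTE)
    print("before static route:", audit(before, EXPECTED_SEGMENT))
    print("after static route: ", audit(after, EXPECTED_SEGMENT))
```

Without the static route, the 192.168.1.0/24 client falls through to the default route and is handed the 10.8.1.3 interface, which is the failure case this section describes.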


Data Store Guidelines

Use the chart below as a guideline to determine which scenario most closely matches your environment. If your environment doesn’t fit neatly into the categories listed, choose the category that has the most in common with your environment.

The following points describe general recommendations for the server farm’s data store:

• Microsoft Access is suitable for all small and many medium-sized environments

• Microsoft SQL Server, Oracle, and IBM DB2 are suitable for any size environment and are especially recommended for all large and enterprise environments

Consider the following points when choosing a database product to host the server farm’s data store:

• Microsoft Access is best used for farms that are located in one physical location.

• Microsoft Access supports only indirect mode for all servers other than the host server and, therefore, has decreased performance compared with a data store operating in direct mode in large farms.

• Access does not support database replication.

• Select a database product that supports replication when deploying large farms across a WAN. You can obtain considerable performance advantage by distributing the load over multiple database servers.

• In the Citrix eLabs, Microsoft SQL Server, Oracle, and IBM DB2 had similar performance results when tested with large farms. Oracle Parallel Server includes the added advantage of load balancing incoming requests among the servers.

              Small     Medium    Large     Enterprise

Servers       1-50      25-100    50-100    100 or more

Named users   < 150     < 3000    < 5000    > 3000

Applications  < 100     < 100     < 500     < 2000


CAUTION Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix eLabs. Oracle Parallel Server is designed to allow multiple database servers to access the same back end database. In theory, this would provide good scalability in centrally located farms with hundreds of servers.

The Data Store and the Disk Environment

This section describes factors to consider if you are thinking about putting the server farm’s data store in a Redundant Array of Independent Disks (RAID) environment. See the points below for information about cost, performance, and fault tolerance related to four different RAID configurations.

RAID 0

RAID 0 has no redundancy. It is “striped,” which means that data is divided into blocks spanning multiple disks. RAID 0 has multiple actuators (read/write mechanisms) because of the multiple disk use. More actuators improve read and write performance.

Citrix does not recommend the use of RAID 0 for critical data, such as a MetaFrame XP server farm’s data store. The savings realized from purchasing fewer disks does not make up for the costs resulting from downtime and support.

RAID 1

RAID 1 is fully redundant disk mirroring. With disk mirroring, a complete copy of one drive is maintained on another drive. RAID 1 provides high fault tolerance and can improve read performance.

However, RAID 1 writes the data twice, which can degrade write performance in single disk/controller environments. In addition, this type of redundancy requires twice the disk space.

RAID 5

Like RAID 0, RAID 5 is striped. However, because RAID 5 adds parity to the data striping, it includes fault tolerance. If one disk in a RAID 5 group fails, the logical disk continues to function. The parity information is used to recreate data on a replacement disk. The loss of two disks in a group at one time cannot be sustained. RAID 5 uses multiple disk actuators that provide improved read and write performance.


RAID 10

RAID 10 combines RAID 1 and RAID 0. It is a striped and fully mirrored set of disks. It is the best configuration for both redundancy and performance. Because of this, it is the most expensive storage option.

Using Replicated Data Store Databases

Having a single data store is recommended where appropriate, but in some situations, a replicated data store can improve farm performance. This section covers the concerns and situations that arise from using replicated database technology.

High Latency WAN Concerns

High latency links without the use of replicated databases can create situations where the data store is locked for extended periods of time when performing maintenance from remote sites. This means that the Citrix IMA Service may start after extended periods of time and some normal operations may fail when performed from the remote site.

Tip Citrix recommends that you do not perform farm maintenance using the Citrix Management Console from a remote site that has high latency.

The following issues can arise in a high-latency situation:

• Data store writes take longer to complete and, for a period of time, block all additional writes from local or remote sites.

• Data store reads do not generally adversely affect local connections, but remote sites experience slower performance.

Replicated Database Issues

Because servers in a server farm perform many more reads from the data store than writes to the data store, you may want to use replicated databases to speed performance. Most reads occur when the server is starting up because this is when each server populates its local host cache.

In a LAN environment, using replicated databases can speed the startup time of the Citrix IMA Service and improve the responsiveness of the servers in large farms.


In a WAN environment, the configuration of the data store is especially important. Because MetaFrame XP is read-intensive, place replicas of the data store at sites where a considerable number of servers reside. This practice minimizes reads across the WAN link. Limit the use of replicated databases to situations where the remote site has enough MetaFrame XP servers to justify the cost of placing a replicated copy of the database at the site.

Note Database replication consumes bandwidth. Note that the frequency of database updates is controlled by the configuration of the database software and not MetaFrame XP.

Data Store Requirements

This section describes minimum requirements for the four database products — Microsoft Access, Microsoft SQL Server, Oracle, and IBM DB2 — you can use to host a MetaFrame XP farm’s data store. Although MetaFrame XP uses ODBC for connectivity, other ODBC-compliant databases are not supported with MetaFrame XP.

The supported and tested versions of database products you can use with MetaFrame XP, Feature Release 2 are listed below.

• Microsoft Access Jet Engine 4.x

• Microsoft SQL Server 7.0 with SP2 and SQL Server 2000

• Oracle Server 7 (7.3.4) for NT

• Oracle Server 8 (8.0.6) for NT

• Oracle Server 8i (8.1.5, 8.1.6) for NT and UNIX

• Oracle Server 9i (9.0.1) for NT

• IBM DB2 with FixPak 5 for NT

The following table lists the supported and tested ODBC client database versions:

Database                                    Driver version
SQL 7.0 Enterprise for NT MDAC 2.5          3.70.0820
SQL 7.0 Enterprise for NT MDAC 2.5 SP1      3.70.0821
SQL 2000 Enterprise for NT MDAC 2.5 SP2     3.70.0961
SQL 2000 Enterprise for NT MDAC 2.6 SP1     2000.80.380.0
SQL 2000 Enterprise for NT MDAC 2.7         2000.81.7713.00
Oracle 7.3.4 for NT                         2.50.0301
Oracle 8.1.5 for NT                         8.01.55.00
Oracle 8.1.6 for NT                         8.1.6.00
Oracle 8.1.6 for Solaris                    8.1.6.00
Oracle 8.1.7 for NT                         8.1.7.00
Oracle 9.0.1 for NT                         9.00.11.00
IBM DB2 FixPak 5 for NT                     7.01.00.55

CAUTION The Oracle Client Version 8.1.5 is not supported. If you are using this version, upgrade to 8.1.55.

Important The 8.1.7 and 8.1.7.2 native Oracle Clients require a registry modification prior to the installation of MetaFrame XP 1.0. This does not apply to MetaFrame XP Feature Release 2. Refer to Citrix Knowledge Base article CTX949726 for more information about this issue. You can access the Citrix Knowledge Base at http://www.citrix.com/support.

Tip Before installing an update of Microsoft Data Access Components (MDAC), stop the Microsoft Terminal Services Licensing service. Restart the server before beginning MetaFrame XP Setup. For more information, see the MetaFrame XP Administrator’s Guide.

Using Microsoft Access

Choosing Use a local database (Microsoft Access) on this server during MetaFrame XP Setup creates a Microsoft Access database on the MetaFrame server. This database acts as the server farm’s data store. The ODBC connection to Access uses Microsoft Jet Engine 4.x.


Minimum Requirements

• Approximately 50MB of disk space for every 100 servers in the farm. The disk space used can increase if a large number of published applications are in the farm.

• 32MB of additional RAM if the MetaFrame XP server will also host connections.

Authentication

When you select the option to create an Access database, MetaFrame Setup creates a database called “mf20.mdb.” The default user name and password for this database are “citrix” and “citrix.” To change the password on the database, use the dsmaint config /pwd:newpassword command with the IMA service running. Keep the new password in a secure place so you can access it if you decide to migrate to another database.

Tip Back up the Access database using the command dsmaint backup before changing the password.

Automatic Backup

CAUTION Run dsmaint backup prior to executing dsmaint recover. Do not execute dsmaint recover if no Mf20.bak file exists because this command removes the existing Mf20.mdb from the server.

CAUTION If the server runs out of disk space on the drive where the Mf20.mdb file is stored, automatic backups cease. Ensure that the amount of free disk space is at least three times the size of the Mf20.mdb file.

Each time the IMA service is stopped or a server is restarted, the existing Mf20.mdb file is backed up, compacted, and copied as Mf20.unk. Each time the IMA service starts, it deletes Mf20.bak if it exists and renames the Mf20.unk file to Mf20.bak. This process helps ensure that the Mf20.bak file is a valid farm database. This file is used when the dsmaint recover command is executed. The Mf20.mdb file and all automatic backup files are located by default in the %ProgramFiles%\Citrix\Independent Management Architecture folder.
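The two cautions above can be checked before anyone runs dsmaint recover. The following Python preflight is an added example, not part of the Citrix guide or its tooling: it uses only the file names, default folder, and three-times free-space rule stated above. The function names, the report keys, and the rule that an empty Mf20.bak counts as missing are assumptions of this example.

```python
import os
import shutil

# File names and default folder as stated in the guide.
DATA_STORE, BACKUP, PENDING = "Mf20.mdb", "Mf20.bak", "Mf20.unk"


def default_ima_dir():
    """Default location of Mf20.mdb and its automatic backup files."""
    program_files = os.environ.get("ProgramFiles", r"C:\Program Files")
    return os.path.join(program_files, "Citrix",
                        "Independent Management Architecture")


def data_store_preflight(ima_dir, free_bytes=None):
    """Check the conditions the guide attaches to automatic backup and recovery.

    free_bytes overrides the measured free space on the drive (useful for
    testing); when omitted, the free space of the drive holding ima_dir is used.
    """
    mdb = os.path.join(ima_dir, DATA_STORE)
    bak = os.path.join(ima_dir, BACKUP)
    unk = os.path.join(ima_dir, PENDING)

    mdb_size = os.path.getsize(mdb) if os.path.isfile(mdb) else 0
    if free_bytes is None:
        free_bytes = shutil.disk_usage(ima_dir).free
    needed = 3 * mdb_size  # guide: free space at least three times Mf20.mdb

    report = {
        # dsmaint recover removes Mf20.mdb, so a backup must exist first.
        # Assumption of this example: a zero-byte Mf20.bak counts as missing.
        "recover_safe": os.path.isfile(bak) and os.path.getsize(bak) > 0,
        # Mf20.unk is written when IMA stops and renamed to Mf20.bak at start.
        "pending_unk": os.path.isfile(unk),
        "free_space_ok": free_bytes >= needed,
        "free_bytes_needed": needed,
        "problems": [],
    }
    if not report["recover_safe"]:
        report["problems"].append(
            "No usable Mf20.bak: run dsmaint backup before dsmaint recover.")
    if not report["free_space_ok"]:
        report["problems"].append(
            "Free space is below 3x Mf20.mdb: automatic backups will cease.")
    return report


if __name__ == "__main__":
    folder = default_ima_dir()
    if os.path.isdir(folder):
        for line in data_store_preflight(folder)["problems"]:
            print(line)
    else:
        print("IMA folder not found:", folder)
```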


Additional Notes

• All indirect servers connect and maintain connections to the host server.

• By default, the server that hosts the database is also its zone’s data collector.

• Tuning the Jet Database Engine with registry settings can improve performance for large farms. Consult the Microsoft documentation about performance tuning for the Jet Database Engine. Back up both the registry and the Mf20.mdb file before changing the tuning parameters.

• Use dsmaint backup to perform an online backup of the data store. This can be scripted easily in a batch file.

• Back up the MetaFrame XP data store before using the Citrix Management Console to change the data store. Scheduling a daily backup is sufficient in most cases.

Using Microsoft SQL Server

This section suggests the best practices for using Microsoft SQL Server as the data store for the server farm. You should be thoroughly familiar with the information in Microsoft SQL Server documentation before you install and configure Microsoft SQL Server. These recommendations apply to both Microsoft SQL Server 7 and SQL Server 2000.

Minimum Requirements

• Approximately 100MB of disk space for every 250 servers in the farm. The disk space used can increase if a large number of published applications are in the farm.

• Set the “temp” database to Auto Grow on a partition with at least 1GB of free space.

• Verify that enough disk space exists on the server to support growth of both the temp database and the farm database.

Server Configuration

• When using Microsoft SQL Server in a replicated environment, be sure to use the same user account for the data store on each Microsoft SQL Server.

• Each MetaFrame XP farm requires a dedicated database. However, multiple databases can be running on a single Microsoft SQL Server. Do not configure the MetaFrame XP farm to use a database that is shared with any other client/server applications.


• Set the Truncate log on Checkpoint option in your database to control log space.

• Follow Microsoft’s recommendations for configuring database and transaction logs for recovery.

• Whenever a change is made using the Citrix Management Console, back up the database. Scheduling a daily backup is sufficient in most cases.

• If your MetaFrame XP farm has more than 256 servers and uses a Microsoft SQL Server data store, the number of worker threads available for the database must be equal to or greater than the number of servers in the server farm. Follow the procedure below to increase the number of worker threads.

To increase SQL Server worker threads

1. Launch the Microsoft SQL Server Enterprise Manager.

2. Select Server Configuration Properties.

3. On the Processor tab, change the maximum worker thread count from 256 to a number greater than the number of servers in the server farm.

Comparing Fibers and Threads

Using fibers may provide better performance in some configurations of the SQL server used to house the data store. The operating system code that manages threads is in the kernel. Switching threads requires mode switches between the user mode of the application code and the kernel mode of the thread manager, a moderately expensive operation.

Fibers, a subcomponent of threads, are managed by code running in user mode. Switching fibers does not require the user-mode to kernel-mode transition needed to switch threads. The application manages the scheduling of fibers. The Windows operating system manages the scheduling of threads. Each thread can have multiple fibers.

Using fibers reduces context switches by allowing SQL Server to handle scheduling rather than using the Windows NT or Windows 2000 Scheduler. Use the lightweight pooling option to configure SQL Server to use fibers. If applications are running on a multiple-processor system and there are a large number of context switches, try setting the lightweight pooling parameter to 1, which enables lightweight pooling.


After setting this parameter, monitor the number of context switches again to verify that they are reduced. The default value is 0, which disables the use of fibers. This causes SQL Server to schedule one thread per concurrent user command, up to the number of maximum worker threads. In fiber mode, an instance of SQL Server allocates one thread per CPU, and then allocates a fiber per concurrent user command, up to the maximum number of worker threads. An instance of SQL Server uses the same algorithms to schedule and synchronize tasks when using either threads or fibers.

Fibers work best when the server has multiple CPUs and a relatively low user-to-CPU ratio. For example, on an enterprise installation with 32 CPUs and 250 users, a noticeable performance boost is seen with fibers. When there are eight CPUs and 5000 users, a performance decrease may be seen with fibers.

Note Threads are most beneficial for the majority of MetaFrame XP data store implementations.

At the time of this release, additional information and instructions about configuring fibers can be found at:

• http://msdn.microsoft.com/library Search using keywords: SQL Server Task Scheduling

• http://www.microsoft.com/technet Search using keywords: Configuring, Threading, Priority, and Fibers

• http://www.microsoft.com/LEARNING_TOOLS Search using keywords: Microsoft SQL Server 7.0 Performance Tuning, then select “sample chapter.”

Authentication and Security

Consider the following points related to authentication and security when using SQL Server.

• Microsoft SQL Server supports Windows NT and Microsoft SQL Server authentication. Consult the Microsoft SQL Server documentation for configuring Windows NT authentication support. For high-security environments, Citrix recommends using Windows NT authentication only.

• The account used for the data store connection must have db_owner (database owner) rights for the database that is being used for the data store.

• For better security, after the initial installation of the database as database owner, set the user permissions to read/write only.


Note Changing user rights from database owner can prevent future MetaFrame XP service packs or feature releases from being installed correctly. Be sure to change permissions back to database owner when installing a MetaFrame XP service pack or feature release.

Using Sockets Rather Than Named Pipes

Citrix recommends that you use TCP/IP sockets to connect MetaFrame XP servers to a Microsoft SQL Server. Data transmissions are more streamlined for TCP/IP sockets and have less overhead. Performance enhancement mechanisms, such as windowing and delayed acknowledgements, can provide significant performance improvement in a slow network.

Named pipes is an authenticated protocol. Any time a user attempts to open a connection to the SQL Server using named pipes, the Windows NT authentication process occurs. TCP/IP sockets do not rely on Windows NT authentication to establish a connection, but do provide user/password authentication to the SQL Server after the connection is established. This eliminates the possibility of an error if the SQL Server and the MetaFrame server do not have the correct domain or ADS trust relationship.

The following procedures explain how to configure the connection to use TCP/IP sockets.

To create a SQL Server data source connection during MetaFrame XP Setup

1. Select Microsoft SQL Server as the data store. You are prompted to create a new data source connection to the SQL Server.

2. Enter the Data Source description and SQL Server to which to connect. Click Next.

3. Select NT Authentication or SQL Server Authentication.

4. Click Client Configuration.

5. Select TCP/IP from the available network libraries. Click OK.

To modify a Data Source Name (DSN) after MetaFrame XP installation

1. Open Data Sources (ODBC) from Administrative Tools. This opens the ODBC Data Source Administrator.

2. On the File DSN tab, browse to %ProgramFiles%\Citrix\Independent Management Architecture.

3. Select the MetaFrame DSN you created when you installed MetaFrame XP. Select Configure.


4. Click Next in the Microsoft SQL Server DSN Configuration dialog box. Select Client Configuration.

5. Select TCP/IP from the available network libraries. Click OK.

6. Click Next and then Finish.

7. Restart the MetaFrame XP Server.

Failover

For fault tolerance with Microsoft SQL Server, use Microsoft Cluster Services (MSCS). This provides failover and failback for clustered systems.

An MSCS cluster group is a collection of clustered resources, such as disk drives, that are owned by one of the failover cluster nodes. You can transfer the ownership of the group from one node to another, but each group can be owned by only one node at a time.

The database files for an instance of Microsoft SQL Server 2000 are placed in a single MSCS cluster group owned by the node on which the instance is installed. If a node running an instance of Microsoft SQL Server fails, MSCS switches the cluster group containing the data files for that instance to another node. Because the new node already has the executable files and registry information for that instance of Microsoft SQL Server on its local disk drive, it can start up an instance of Microsoft SQL Server and start accepting connection requests for that instance.

Note MSCS clustering does not support load balancing between clustered servers because it functions in standby mode.

Distributed Databases

MetaFrame XP supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. Microsoft SQL Server uses replication to create the distributed database environment.

MetaFrame XP requires data coherency across multiple databases. Therefore, a two-phase commit algorithm is required for writes to the database.

When configuring Microsoft SQL Server for a two-phase commit, you must use the Immediate Updating Subscriber model. See your Microsoft SQL Server documentation for information about setting up replication with the Immediate Updating Subscriber model.

The following procedure explains how to set up a distributed database environment for an existing MetaFrame XP server farm.


To set up a distributed environment for an existing MetaFrame XP server farm

1. Configure a Publisher (the Microsoft SQL Server currently hosting the data store), and Subscribers (remote sites) using Microsoft SQL Server Enterprise Manager.

2. Execute the dsmaint publishsqlds command on a MetaFrame XP server in the server farm. This step executes the necessary SQL statements to create the published articles on the current Microsoft SQL Server (Publisher). For more information about the dsmaint command, see the MetaFrame XP Administrator’s Guide.

3. Configure the remote sites (Subscribers) to subscribe to the published articles you created in Step 2.

Using Oracle

The practices outlined in this section are suggested implementations for using Oracle as the MetaFrame XP server farm’s data store. They are not intended to be a substitute for the Oracle documentation. Read all of the Oracle documentation prior to installing Oracle. The guidelines described here apply to Oracle7, Oracle8, Oracle8i, and Oracle 9i, except as noted otherwise.

Minimum Requirements

• Approximately 100MB of disk space for every 250 servers in the farm. The space used can increase if a large number of published applications are in the farm.

• The Oracle Client (Version 8.1.55 or later) must be installed on the terminal server before you install MetaFrame XP. The 8.1.5 client is not supported with any version of MetaFrame XP.

Note If you do not restart the server after installing the Oracle Client, MetaFrame XP fails to connect to the data store during Setup.


Server Configuration

Consider the following guidelines when configuring an Oracle server to host the MetaFrame XP server farm’s data store.

• Create a separate tablespace for the data store to simplify backup and restoration operations.

• Use Shared/Multi-Threaded Server (MTS) mode to reduce the number of processes in farms with more than 100 servers. However, performance may be affected because of high data store load. Consult your Oracle documentation for information about configuring the database to run in MTS mode.

• Add one additional process for each MetaFrame server connected directly to the Oracle database when using an Oracle server in dedicated mode. If the Oracle server uses 100 processes before installing MetaFrame XP and the server farm has 50 servers, set the processes value to at least 150 in the Init.ora file on the Oracle server. Consult the Oracle documentation for more information.

• If you are running Oracle in MTS mode, verify that the following parameters in the Init.ora file are greater than or equal to the values shown below. If you are running multiple farms on the same Oracle database, include all MetaFrame XP servers for the calculations listed below. Round up for fractional values.

  MTS_SERVERS = {#MFXP Servers} / 10
  MTS_MAX_SERVERS = {#MFXP Servers} / 5
  SERIALIZABLE = False
  ROW_LOCKING = Always

• Whenever a change is made using the Citrix Management Console, back up the database. Scheduling a daily backup is sufficient in most cases.

• Citrix recommends online backups using archivelog mode. Archivelog mode reduces the recovery time of a crashed database.

Note If you are using the same Oracle database for multiple MetaFrame XP server farms, Citrix recommends that you create a unique tablespace for each farm with its own user/password for added security. Do not use the default system account within Oracle.
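The sizing rules in the Server Configuration list above can be checked mechanically against an Init.ora file. The following Python check is an added example, not part of the Citrix guide or of any Oracle tool. The sample file contents are constructed, and the function names and the choice to report a parameter that is absent from the file as a finding are assumptions of this example.

```python
# Constructed sample Init.ora fragment (not from the guide or a real server).
SAMPLE_INIT_ORA = """\
# constructed sample for a farm data store
processes = 150
mts_servers = 5
MTS_MAX_SERVERS = 24      # trailing comment
serializable = FALSE
row_locking = always
"""


def parse_init_ora(text):
    """Parse simple 'name = value' lines; names are stored in upper case."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip().strip("\"'")
    return params


def ceil_div(a, b):
    """Integer division that rounds fractional results up, as the guide asks."""
    return -(-a // b)


def mts_minimums(server_count):
    """Minimum MTS-mode values from the guide.

    server_count must include every MetaFrame XP server of every farm
    that uses this Oracle database.
    """
    return {
        "MTS_SERVERS": ceil_div(server_count, 10),
        "MTS_MAX_SERVERS": ceil_div(server_count, 5),
        "SERIALIZABLE": "FALSE",
        "ROW_LOCKING": "ALWAYS",
    }


def _compare(params, name, required):
    """Return (name, current, required) when a setting falls short, else None."""
    current = params.get(name)
    if current is None:
        # Assumption of this example: a parameter absent from the file is
        # reported so that its effective value gets confirmed on the server.
        return (name, None, required)
    if isinstance(required, int):
        ok = current.isdigit() and int(current) >= required
    else:
        ok = current.upper() == required
    return None if ok else (name, current, required)


def check_mts_mode(text, server_count):
    """Findings for an Oracle server running in Shared/MTS mode."""
    params = parse_init_ora(text)
    minimums = mts_minimums(server_count)
    results = (_compare(params, n, r) for n, r in minimums.items())
    return [r for r in results if r is not None]


def check_dedicated_mode(text, server_count, baseline_processes):
    """Dedicated mode: one extra process per directly connected server.

    baseline_processes is the number of processes the Oracle server used
    before MetaFrame XP was installed.
    """
    params = parse_init_ora(text)
    finding = _compare(params, "PROCESSES", baseline_processes + server_count)
    return [] if finding is None else [finding]


if __name__ == "__main__":
    for name, current, required in check_mts_mode(SAMPLE_INIT_ORA, 120):
        print(f"{name}: found {current}, guide minimum {required}")
```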


Client Configuration

If you use the Oracle 8.1.7 client to access the data store, you must take several steps to ensure proper operation with MetaFrame XP. The Oracle 8.1.7.0 driver installs a security feature, called NT Security (NTS), that uses Windows NT credentials to authenticate to the Oracle server. Because the Citrix IMA Service is configured to use the system account to access the data store, the service fails to connect to the Oracle server when the NTS feature is enabled. If this happens, IMA reports the error code 2147483649.

Note The following steps are not required with the Oracle 8.1.6 client because it does not use NTS.

For MetaFrame XP Setup to recognize that the Oracle 8.1.7.x client is installed, do the following:

1. Install the Oracle 8.1.6.x client and upgrade to 8.1.7.x.

2. Run the Net8 Assistant.

3. Navigate to Configuration > Local > Profile.

4. Select Oracle Advanced Security.

5. On the Authentication tab, remove NTS from the Selected Methods list if it is present.

6. Install MetaFrame XP.

If you use the dsmaint command to migrate from an Access database to an Oracle 8.1.7 database, the IMA service fails to start because the Oracle 8.1.7.0 driver alters the logon authentication method. To avoid this problem, disable the Oracle NTS feature before migrating an Access database to Oracle 8.1.7, as described below.

To disable the Oracle NTS feature

1. Run the Net8 Assistant.

2. Navigate to Configuration > Local > Profile.

3. Select Oracle Advanced Security.

4. On the Authentication tab, remove NTS from the Selected Methods list if it is present.


Authentication and Security

Consider the following points related to authentication and security when using Oracle for the server farm’s data store.

• Oracle for Solaris supports Oracle authentication only. It does not support Windows NT authentication.

• Oracle for Windows NT supports both Windows NT and Oracle authentication. Consult the Oracle documentation for information about configuring Windows NT authentication.

• The Oracle user account must be the same for every server in the farm because all servers share a common schema.

• Each farm in the database must have a different user account because the data store information is stored in the Oracle user account’s schema.

• The account used for the data store connection needs to have the following Oracle permissions:

    • Connect

    • Resource

• You can also assign the following permission:

    • Unlimited Tablespace

Failover

With Oracle, you can maintain a standby database for quick disaster recovery. A standby database maintains a copy of the production database in a permanent state of recovery. If there is a disaster in the production database, you can open the standby database with a minimum amount of recovery.

Important items concerning Oracle failover:

• With Oracle8i, the management of standby databases is fully automatic.

• The standby database must run on the same version of the kernel that is on the production system.

• Standby databases fail only one way. They cannot fail back.

• If a database fails, use the dsmaint config command to reconfigure the MetaFrame XP servers to point to the standby database.

• Citrix recommends the use of a standby database for MetaFrame farms.

See the Oracle documentation for instructions about setting up a standby database.


Distributed Databases

MetaFrame XP supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. Oracle uses replication to create the distributed database environment. Important items concerning distributed databases are listed below.

• To reduce the load on a single database server, install read/write replicas and distribute the farm servers evenly across the master and replicas.

• MetaFrame XP requires data coherency across multiple databases. Therefore, a two-phase commit algorithm is required for writes to the database.

Using Oracle as a distributed database solution requires the following:

• All participating databases must be running Oracle.

• All participating databases must be running in MTS/Shared mode (rather than Dedicated mode).

• All clients (MetaFrame XP direct servers) must be SQL*Net Version 2 or Net8.

• Install the farm database first on the master site, and then configure replication at the snapshot sites.

• Replicate all objects contained in the data store user’s schema (tables, indexes, and stored procedures).

Tip If the performance at the replicated database site is significantly slower, verify that all the indexes for the MetaFrame XP user’s schema are successfully replicated.

When configuring Oracle for a two-phase commit, Citrix recommends the following:

• Use updateable, synchronous snapshots with a single master site. MetaFrame XP does not work with read-only snapshots. Some functions need write access to the data store.

• Use “Fast Refresh” where possible (this requires snapshot logs).

• Do not configure conflict resolution when setting up the replication environment.

• Set the replication link interval to be as frequent as the network environment allows (one minute is recommended). With Oracle replication, if no changes are made, data is not sent over the link.


• If Oracle is configured in MTS mode and remote reads or writes are initiated from the remote site, these can block local reads or writes. This is because all connections share a set of worker threads called MTS servers in MTS mode. To remedy this, increase the value of the Max_Mts_Servers parameter in the Init.ora file.

Citrix recommends that you consult the Oracle documentation when setting up replication. You can find documentation for Oracle8i on the Web at http://technet.oracle.com/docs/products/oracle8i/doc_index.htm.

Using Oracle Parallel Server

CAUTION Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix eLabs. Oracle Parallel Server is designed to have multiple database servers accessing the same back end database. In theory, this provides good scalability in centrally located farms with hundreds of servers.

Oracle Parallel Server can provide exceptional performance gains in extremely large farms where having only a single front-end database server creates a performance bottleneck.

An Oracle Parallel Server configuration provides a load-balanced environment where multiple front-end Oracle servers share the same disk subsystem and database tables. Oracle Parallel Server distributes load evenly across all participating servers, and, in the event of a server failure, automatically routes connections to the surviving nodes.

Using IBM DB2

With Feature Release 2, MetaFrame XP supports using IBM DB2 (Universal Database Enterprise Edition Version 7.2 for Windows 2000 with FixPak 5) for the server farm’s data store.

To use IBM DB2, install the DB2 Run-Time Client and apply FixPak 5 on each MetaFrame XP server that will directly access the database server.

If you have multiple MetaFrame XP farms, create a separate database/tablespace for each farm’s data store. Restart the system after you install the IBM DB2 Run-Time Client and FixPak 5 and before you install MetaFrame XP Feature Release 2. You may also need to restart the system after you install the Run-Time Client and before you install FixPak 5. See the documentation included with IBM DB2 for more information.


Important MetaFrame XP uses the data type of binary large object (BLOB) to store information in an IBM DB2 database. IBM DB2 does not support the use of BLOB data types in an updateable replication scenario. Therefore, if your server farm needs to have updateable replicas, use Microsoft SQL Server or Oracle for the farm’s data store instead of IBM DB2.

Depending on the size of your server farm, you may need to modify the following options in IBM DB2 Control Center:

• applheapsz, app_ctl_heap_sz, maxlocks. You may need to modify these options if you have a large server farm (50 or more servers) that is relatively active.

• maxappls. This setting must be greater than the number of servers in the farm, or the servers will fail to connect (the default is 40).

• avg_appls. This setting should be equal to the number of servers in the farm.

• logfilsiz, logprimary, logsecond. You may need to adjust these settings upwards if you are migrating the farm from another database.

Citrix recommends using a separate database with a dedicated tablespace for the MetaFrame XP, Feature Release 2 server farm’s data store.

Minimum Requirements

The points outlined below are suggested practices for using an IBM DB2 database for the server farm’s data store. Be sure to read the documentation included with IBM DB2 before you install and configure DB2 databases.

The following minimum requirements can apply to MetaFrame XP implementations that use DB2 as the farm’s data store.

• You need approximately 100MB of disk space for every 250 servers and 50 published applications in the farm. The required disk space increases if a large number of published applications are in the farm.

• If you create a data source name (DSN) for use with an unattended installation of IBM DB2, Citrix recommends that you create the DSN using the Microsoft ODBC Data Source Administration screen. Doing so ensures that the DSN is populated according to MetaFrame requirements for proper connectivity to the DB2 database or tablespace.

• Citrix eLabs tested the IBM DB2 environment with the following permissions assigned to the user: connect database, create tables, register functions to execute to database manager’s process, and create schemas implicitly.
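The DB2 settings and tested permissions described above can be checked before MetaFrame XP is installed. The following Python script is an added example, not Citrix code and not part of the original guide: it parses `db2 get db cfg` output and one SYSCAT.DBAUTH row. The sample input is constructed, and the function names, the 60-server farm size and the mapping of the four tested permissions to SYSCAT.DBAUTH columns are assumptions of this example.

```python
"""Audit an IBM DB2 data store against the sizing rules and tested permissions above.

Added example: sample inputs are constructed, helper names are hypothetical.
"""
import re

# A 'db2 get db cfg' line ends with "(PARAM_NAME) = value".
CFG_LINE = re.compile(r"\(([A-Z0-9_]+)\)\s*=\s*(.*)$")

# Assumed mapping: SYSCAT.DBAUTH column -> database authority for the four
# permissions the page lists (connect, create tables, register functions in
# the database manager's process, create schemas implicitly).
TESTED_AUTHORITIES = {
    "CONNECTAUTH": "CONNECT",
    "CREATETABAUTH": "CREATETAB",
    "NOFENCEAUTH": "CREATE_NOT_FENCED",
    "IMPLSCHEMAAUTH": "IMPLICIT_SCHEMA",
}


def parse_db_cfg(text):
    """Return {parameter: int} for every numeric parameter in the output."""
    params = {}
    for line in text.splitlines():
        match = CFG_LINE.search(line)
        if not match:
            continue
        number = re.search(r"-?\d+", match.group(2))  # also reads AUTOMATIC(40)
        if number:
            params[match.group(1).lower()] = int(number.group())
    return params


def check_config(params, farm_servers):
    """Apply the page's maxappls / avg_appls / large-farm rules."""
    findings = []
    maxappls = params.get("maxappls")
    if maxappls is None:
        findings.append("FAIL maxappls not found in the configuration output")
    elif maxappls <= farm_servers:
        findings.append(
            f"FAIL maxappls={maxappls} must be greater than the "
            f"{farm_servers} servers in the farm or servers fail to connect")
    avg_appls = params.get("avg_appls")
    if avg_appls != farm_servers:
        findings.append(
            f"WARN avg_appls={avg_appls} should equal the farm size {farm_servers}")
    if farm_servers >= 50:  # the page's threshold for a large farm
        current = ", ".join(
            f"{name}={params.get(name)}"
            for name in ("applheapsz", "app_ctl_heap_sz", "maxlocks"))
        findings.append(f"REVIEW large farm, consider raising: {current}")
    return findings


def check_authorities(dbauth_row):
    """Compare one SYSCAT.DBAUTH row ({column: 'Y'/'N'}) with the tested set."""
    findings = []
    for column, authority in TESTED_AUTHORITIES.items():
        if dbauth_row.get(column) != "Y":
            findings.append(f"FAIL {authority} is not granted ({column})")
    for column in sorted(dbauth_row):
        if (column.endswith("AUTH") and column not in TESTED_AUTHORITIES
                and dbauth_row[column] == "Y"):
            findings.append(f"REVIEW {column} is granted beyond the tested set")
    return findings


def audit(cfg_text, dbauth_row, farm_servers, updateable_replicas=False):
    """Run every check and return the combined findings."""
    findings = check_config(parse_db_cfg(cfg_text), farm_servers)
    findings += check_authorities(dbauth_row)
    if updateable_replicas:
        # BLOB columns cannot take part in updateable DB2 replication.
        findings.append(
            "FAIL updateable replicas need Microsoft SQL Server or Oracle")
    return findings


# Constructed sample input (not taken from a real system).
SAMPLE_DB_CFG = """\
 Max number of active applications            (MAXAPPLS) = 40
 Average number of active applications       (AVG_APPLS) = 1
 Default application heap (4KB)             (APPLHEAPSZ) = 128
 Max appl. control heap size (4KB)     (APP_CTL_HEAP_SZ) = 128
 Percent. of lock lists per application       (MAXLOCKS) = 22
"""
SAMPLE_DBAUTH = {
    "CONNECTAUTH": "Y", "CREATETABAUTH": "Y", "NOFENCEAUTH": "N",
    "IMPLSCHEMAAUTH": "Y", "DBADMAUTH": "Y", "BINDADDAUTH": "N",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DB_CFG, SAMPLE_DBAUTH, farm_servers=60):
        print(finding)
```

With the constructed sample, the audit reports the default maxappls of 40 as too low for 60 servers and flags the DBADM authority for review because it goes beyond the permissions the page lists.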


Distributed Databases

MetaFrame XP supports distributed databases. Distributed databases are useful when too many read requests to the data store create a processing bottleneck. You can use a distributed database to distribute the load of reads. IBM DB2 uses replication to create the distributed database environment.

Data Store Network Optimizations

You can configure the MetaFrame data store in several different ways to increase the performance and throughput of the database server.

In large farms with powerful database servers, the network can become the performance bottleneck when reading information from the data store during startup. In these circumstances, Citrix recommends that you use a teaming NIC solution, such as adaptive load balancing, to improve the available bandwidth of the data store. To find out if the network is the bottleneck, monitor the CPU usage on the data store. If CPU utilization is below 100% while the Citrix IMA Service is still in the process of starting, the network can be the bottleneck.

Testing was performed in the Citrix eLabs on a 100Mbps switched LAN. Gigabit Ethernet environments provide much better performance.

Teaming Network Interface Card Configurations

The following teaming NIC configurations were tested on MetaFrame servers and on SQL servers hosting the data store. In all cases, Citrix recommends teaming NICs using the MAC address, not the IP address. Because the MAC address is at a lower layer and is not subject to modification unless the burned-in address (BIA) is modified, this is a more basic and stable configuration.

Network Fault Tolerance

This option provides the safety of an additional backup link between the server and the hub or switch. If the primary adapter fails, the secondary adapter takes over with very minor interruption in server operations. There is no performance gain with this setting, but fault tolerance is improved.

Transmit Load Balancing (Formerly Adaptive Load Balancing)

This option creates a team of adapters to increase transmission throughput and ensure that all network users experience similar response times. All adapters must be linked to the same layer 2 network switch.


As adapters are added to the server, they are grouped in teams to provide a single virtual adapter with increased transmission bandwidth. For example, a transmit load balancing team containing four Fast Ethernet adapters configured for full-duplex operation provides an aggregate maximum transmit rate of 400Mbps and a 100Mbps receive rate, resulting in a total bandwidth of 500Mbps. One adapter is configured for transmit and receive, while the others are configured for transmit only.

Adapter teams configured for transmit load balancing provide the benefit of network fault tolerance because if the primary adapter that supports both transmit and receive fails, another adapter then supports this functionality.

Switch Assisted Load Balancing (Formerly Fast Ether Channel)

Unlike transmit load balancing, you can configure Fast Ether Channel (FEC) to increase both transmitting and receiving channels between the server and switch. For example, an FEC team containing four Fast Ethernet adapters configured for full-duplex operation provides an aggregate maximum transmit rate of 400Mbps and an aggregate maximum receive rate of 400Mbps, resulting in a total bandwidth of 800Mbps. All adapters are configured for transmit and receive, with the load spread roughly equally.

FEC works only with FEC-enabled switches. The FEC software continuously analyzes load on each adapter and balances network traffic across the adapters as needed. Adapter teams configured for FEC also provide the benefits of Network Fault Tolerance (NFT). For more information, see Citrix Knowledge Base article CTX434260 or contact your hardware vendor.

Implementing the Data Store in a Storage Area Network

A Storage Area Network (SAN) is a dedicated high-speed network, separate and distinct from the Local Area Network (LAN), that provides shared storage through an external disk storage pool. The SAN is a back end network that carries only I/O traffic between servers and a disk storage pool while the front-end network, the LAN, carries email, file, print, and Web traffic.

Fibre Channel Technology

Some early SCSI implementations have a distance limitation of six feet and can support only seven devices. These implementations use a parallel bus with multiple lines running in parallel.


Although some SAN configurations utilize this implementation, the most commonly used SCSI technology for SAN implementations is Fibre Channel. Fibre Channel is the standard for bidirectional communications implementing serial SCSI through a single cable connecting servers, storage systems, workstations, hubs, and switches. It features high-performance serial interconnections.

Fibre Channel has the following capabilities:

• Bidirectional data transfer rates up to 200Mbps

• Support for up to 126 devices on a single host adapter

• Communications up to 20km (approximately 12 miles)

Fibre Channel implementations can use either of the following networking technologies:

• Fibre Channel Arbitrated Loop (FC-AL). FC-AL networks use shared media technology similar to Fibre Distributed Data Interface (FDDI) or Token Ring. Each network node has one or more ports that allow external communication; FC-AL creates logical point-to-point connections between ports.

• Fibre Channel Fabric (FC-SW). Fabric networks use switched network technology similar to switched Ethernet. A fabric switch divides messages into packets containing data and a destination address, and then transmits the packets individually to the receiving node, which reassembles the message. Fabric switches can cascade, allowing a SAN to support thousands of nodes.

Hardware Components

Storage Area Networks typically include the following hardware components:

• Host I/O Bus. The current I/O bus standard is Peripheral Component Interface (PCI). Older standards include Industry Standard Architecture (ISA) and Extended Industry Standard Architecture (EISA).

• Host Bus Adapter. The host bus adapter (HBA) is the interface from the server to the host I/O bus. The HBA is similar in function to a Network Interface Card (NIC), but is more complex.

HBA functions include the following:

• Converting signals passed between the LAN and the SAN’s serial SCSI

• Initializing the server onto a FC-AL network or providing a Fabric network logon


• Scanning the FC-AL or Fabric network, then attempting to initialize all connected devices in the same way that parallel SCSI scans for logical devices at system startup

• Cabling. Fibre Channel cables include lines for transmitting and for receiving. Because of the shape, you cannot install them incorrectly.

• SAN networking equipment. There are many similarities between a SAN and other networks such as a LAN. The basic network components are the same: hubs, switches, bridges, and routers.

• Storage devices and subsystems. A storage subsystem is a collection of devices that share a power distribution, packaging, or management system such as tape libraries or RAID disk drives.

SAN Tape Backup Support

SANs provide easy, on-the-fly tape backup strategies. Tape backups are much quicker and consume fewer resources, because all of the disk access occurs on the SAN’s fiber network, and not on the LAN. This allows the data store to be backed up easily even while it is in use.

Cluster Failover Support

The data store is an integral part of the MetaFrame XP architecture. In large enterprise environments, it is important to have the database available all the time. For maximum availability, the data store should be in a clustered database environment with a SAN backbone.

Hardware redundancy allows the SAN to recover from most component failures. Adding additional software, such as SQL Server 2000 utilizing Microsoft Clustering Services (MSCS) and Compaq’s SANWorks products, allows for failover in the event of a catastrophic software failure.

With Microsoft Clustering Services, available on Windows 2000 Advanced Server and Datacenter products, you can fail over the MetaFrame XP data store to a functioning server in the event of a catastrophic server failure.

MSCS monitors the health of standard applications and services and automatically recovers mission-critical data and applications from many common types of failures. A graphical management console allows you to monitor the status of all resources in the cluster and to manage workloads accordingly. In addition, Windows 2000 Advanced Server and Datacenter Server integrate middleware and load balancing services that distribute network traffic evenly across the clustered servers.


You can build redundancy and recovery into each major component of the data store. Deploying the following technologies can eliminate single points of failure from the data store:

• Microsoft Cluster Service (MSCS)

• Redundant hardware

• Software monitoring and management tools

The basic SAN configuration in the figure below shows each clustered server with dual HBAs cabled to separate FC-AL switches. A system with this redundancy can continue running when any component in this configuration fails.

SAN architecture is very reliable. It provides redundant systems in all aspects of the configuration with multiple paths to the network. Windows 2000 Advanced Server allows two nodes to be clustered. Windows 2000 Datacenter allows four clustered nodes.

If there is a software or hardware failure on the owner of the cluster node, the MetaFrame servers lose their IMA connection to the database. When the connection is dropped, the farm goes into a two-minute waiting period. The servers then attempt to reconnect to the database. If the Citrix IMA Service cannot immediately reconnect to the data store, it continues to try to reconnect every two minutes. The MetaFrame servers automatically reconnect to the database, which has the same IP address, once it fails over to the other node of the cluster.

[Figure: Redundant SAN configuration, showing the FC-AL switches, the database cluster, and the data storage]


Clustering does not mean that both databases are active and load balanced. With SQL clustering, the only supported clustering method allows one server to handle all the requests while the other server simply stands by waiting for the other machine to fail.

Note When installing MetaFrame in a clustered SQL Server environment, Windows NT authentication must be used for connecting to the database.

SAN Tuning

In addition to increased reliability, you can tune the SAN to provide better database performance. In testing at Citrix eLabs, the data store was used mainly as a repository for reading configuration information. In this configuration, the number of reads far exceeds the number of writes. For optimal data access to the data store through the SAN, you can tune the array controller on the SAN for 100% reads and 0% writes.

Note Tuning the SAN for 100% reads and 0% writes still allows servers to write to the data store.

MetaFrame XP Server Farm Deployment Scenarios

The following sections describe sample MetaFrame XP implementations and make recommendations for each one.

Many of the recommendations discussed here are based on product design and theoretical concepts. Every effort was made in the Citrix eLabs to test the theories discussed in this section. However, you may encounter issues in live production environments that were not factored into these recommendations.

The abbreviations DS for data store and DC for data collector are used in the following tables.


Small Farm – Central Location

This scenario describes a simple single farm environment where all servers reside in one location and are configured as follows:

Servers: 1-100
Zone(s): 1-2
Physical Sites: 1
Data Store: Microsoft Access, Microsoft SQL Server, IBM DB2 or Oracle
Connectivity: 10Mbps or higher (LAN)

Citrix recommends the following in this scenario:

• Dedicate a data collector for zones with more than 50 member servers

• Consider creating multiple zones to enhance performance

• If using Access for the server farm’s data store, configure a single server to act as the data collector and to host the data store

[Figure: Small farm at a single location]


Large Farm – Central Location

This scenario describes a larger, but only slightly more complex, single farm environment where all servers reside in one location and are configured as follows:

Servers: 100+
Zone(s): 3+
Physical Sites: 1
Data Store: Microsoft SQL Server or Oracle
Connectivity: 10Mbps or higher (switched 100Mbps is recommended)

[Figure: Large farm in a single location]

Citrix recommends the following in this scenario:

• Dedicate a data collector for zones with more than 50 member servers

CAUTION Because of the hardware configuration required for Oracle Parallel Server, this product was not tested in the Citrix eLabs. Oracle Parallel Server is designed to have multiple database servers accessing the same back end database. In theory, this provides good scalability in centrally located farms with hundreds of servers.

• With extremely large farms, use replicated Microsoft SQL Server databases, replicated Oracle databases, or Oracle Parallel Server to improve performance and prevent a bottleneck at the data store

• Do not exceed 25 zones in a single farm

Small Farm – Distributed Sites

This scenario describes a small single farm environment where servers reside in a few locations as follows:

Servers: 1-100 (evenly distributed at a few physical locations)
Zone(s): 1-4
Physical Sites: 2-4
Data Store: Microsoft Access, Microsoft SQL Server, IBM DB2, or Oracle
Connectivity: 512Kbps or higher to a central site or between all locations

Citrix recommends the following in this scenario:

• Use a single zone if all distributed sites have a connection to a central site and the frequency of logons is limited. If you are using multiple zones, provide all sites hosting a zone with direct connectivity to all other zone sites. Otherwise, all locations need connectivity to a central site where the zone data collector is located.

• Restart servers only when WAN links are at low utilization.

[Figure: Small farm with distributed sites]


Small Farm – Remote Sites

This scenario describes a small single farm environment where small groups of 2-5 servers are distributed in multiple locations.

Citrix recommends the following in this scenario:

• Make links dedicated connections to a central site

• Restart servers only when WAN links are at low utilization

• Consider using Virtual Private Network (VPN) technology for remote sites

• Although spanning a farm across a slow WAN is possible, consider centralizing the servers and using ICA across the WAN to optimize performance

Servers: 1-100 (2-5 at each site to support local use)
Zone(s): 1
Physical Sites: 2+
Data Store: Microsoft Access, Microsoft SQL Server, IBM DB2, or Oracle
Connectivity: 128Kbps or higher to a central site

[Figure: Remote sites with central office]

Large Farm – Multiple Data Centers

This scenario describes a large single farm environment where all servers reside in large data centers as specified in the following configuration:

Servers: 200+
Zone(s): 2-4
Physical Sites: 2
Data Store: Microsoft SQL Server or Oracle (replicated to speed server boot time and minimize WAN queries)
Connectivity: High speed (T1 or higher)

Citrix recommends the following in this scenario:

• Use registry settings to fine-tune data collector communication. For more information, see “Understanding Zones” on page 17.

• Tune database replication intervals to reduce WAN utilization. Be aware that changes made at the central site can take a few minutes to disseminate to replicas. The IBM DB2 database does not support updateable replicas and should therefore not be used in this scenario.

[Figure: Multiple data centers]

Large Farm – Regional Sites

This scenario describes a large single farm environment where servers reside both in regional sites and small remote sites.

Citrix recommends the following in this scenario:

• Use registry settings to fine-tune data collector communication. For more information, see “Understanding Zones” on page 17.

• Consider using Virtual Private Network (VPN) technology for remote sites

• Although spanning a farm across a slow WAN is possible, consider centralizing the servers and using ICA across the WAN to optimize performance.

• Tune database replication intervals to reduce WAN utilization. Be aware that changes made at the central site can take a few minutes to disseminate to replicas. The IBM DB2 database does not support updateable replicas and should therefore not be used in replicated scenarios.

Servers: 200+ (smaller sites connect to closest regional site)
Zone(s): 1 per regional site
Physical Sites: 2+
Data Store: Microsoft SQL Server or Oracle (replicated to each regional site)
Connectivity: High speed (T1 or higher) between all regional sites; 128Kbps or higher between regional and smaller sites

[Figure: Regional sites with remote access]


CHAPTER 5

Deploying MetaFrame XP

This chapter contains recommendations for deploying MetaFrame XP with Feature Release 2 and Service Pack 2, including manual installation, rapid deployment, application publishing, client deployment, and NFuse deployment.

Citrix recommends that you deploy Feature Release 2 or Service Pack 2 in all server farms.

Important Feature Release 2/Service Pack 2 is not supported on Windows NT 4.0, Terminal Services Edition (TSE). Any references to Windows NT 4.0, TSE are for backward compatibility only.

Note The first installation of Feature Release 2 in a farm requires the specified database user to have database owner permissions.

MetaFrame XP with Feature Release 2 and Service Pack 2 Setup is compiled into a Windows Installer installation package. Windows Installer is a component of Windows 2000 that manages the installation and removal of applications. Windows Installer applies a set of centrally defined setup rules during the installation process that define the configuration of the application.

For more information about Windows Installer technology and the Windows Installer Service, see the Windows 2000 online Help or the Microsoft Web site at http://www.microsoft.com.

For more information about working with the MetaFrame XP, Feature Release 2 Windows Installer package, see the MetaFrame XP Administrator’s Guide.


CAUTION Windows 2000 Server includes Version 1.1 of the Windows Installer Service (MSI) by default. Citrix strongly recommends that you install Windows Installer Version 2.0 or later on the server before you install MetaFrame XP. For more information, see the MetaFrame XP Administrator’s Guide.

Important When upgrading a farm that uses Microsoft Access as the data store, be sure to upgrade the host server first or installation will fail.

If you intend to change the server’s drive letters to allow users to retain their original drive letters on client devices, you should do so before you install MetaFrame XP or upgrade to Feature Release 2. If you change server drive letters after installing or upgrading, you must do so before you install any applications. To change the server’s drive letters, click Remap Drives on the Install or Update MetaFrame Autorun screen. You can also run the driveremap utility to change the server’s drive letters. For more information about this utility, see “DRIVEREMAP” on page 184.

To install or upgrade to MetaFrame XP, Feature Release 2

1. Start Autorun from the MetaFrame XP CD, a network share point, or a mapped network drive containing all the files from the CD image.

2. Select Install or update MetaFrame. If you want the new features included with Feature Release 2, select MetaFrame XP Feature Release 2. If you want to install the service pack only, select MetaFrame XP Service Pack 2.

3. Accept the License Agreement and click Next.

Note Installation automatically detects which version of MetaFrame is currently installed, if any, and automatically upgrades it to Feature Release 2 or Service Pack 2.

4. After installing Feature Release 2, add and activate the appropriate Feature Release 2 licenses.


Issues to Consider when Upgrading to MetaFrame XP Feature Release 2

You should consider the following issues when upgrading to MetaFrame XP Feature Release 2:

• If MetaFrame 1.8 for Windows 2000 was installed with remapped drives, the COM+ Catalog may have been damaged. To determine if the server has been damaged in this way, click Start > Programs > Administrative Tools > Component Services. In the Console Root, click Component Services > Computers > My Computer > COM+ Applications. If the server is damaged, use the drvremap utility located on the MetaFrame 1.8 for Windows 2000, Feature Release 1 or Service Pack 3 CDs. To use the drvremap utility, perform the following steps:

1. At a command prompt, type: subst C: M:/

2. At a command prompt, type: drvremap /drive:M /remap /com

3. At a command prompt, type: subst C: /d

4. Restart the server.

For more information about this issue, refer to Citrix Online Knowledge Base article CTX240747. You can access the Citrix Knowledge Base at http://www.citrix.com/support.

• After an upgrade from MetaFrame 1.8 for Windows 2000 to MetaFrame XP Feature Release 2, the system cannot be downgraded.

• You must install and activate Feature Release 2 licenses to use the new features.

• For reasons of security, SSL settings are not migrated. When upgrading to Feature Release 2, you must reconfigure SSL manually. For more information about configuring SSL, see the Citrix SSL Relay utility’s online help.

• If you upgrade a server that does not have Installation Manager and Resource Manager installed, these components are not installed during the upgrade. To install these components, verify that a MetaFrame XPe license is installed, and install these components using Add/Remove Programs in Control Panel.

• After remapping the server’s drives and upgrading to Feature Release 2, when you install Internet Information Services (IIS), you must manually modify the file and directory locations for IIS. To modify these locations for IIS, click Start > Administrative Tools > Internet Service Manager. Set the directory locations for Web files and scripts to correct the referenced drive letters. After you correct the referenced drive letters, you can install NFuse Classic.


Downgrading from Feature Release 2

Consider the following issues when downgrading from MetaFrame XP Feature Release 2.

• The Client Update Database used in the Auto Client Update feature is removed completely after a downgrade.

• You can run the downgrade in silent mode by using: msiexec /x {1E43A449-2D4E-48EA-A840-66111C015123} /l*v "C:\unismsi.log" /q CTX_DOWNGRADE="Yes"

• After you downgrade, the Documents shortcut may be missing. To view the MetaFrame XP documentation, use Windows Explorer to browse to Program Files > Citrix > Documentation.

Rapid Deployment of MetaFrame XP Feature Release 2/Service Pack 2

This section covers practices regarding rapid deployment of MetaFrame XP in the enterprise environment, including server cloning, unattended installations, and simultaneous installations. For information about unattended installation, refer to the MetaFrame XP Administrator’s Guide.

Server Cloning

A few manual steps are required for cloning MetaFrame XP servers. These steps vary depending on the type of data store used for the farm, and are described in the following sections. MetaFrame XP and feature releases are compatible with server cloning, but cloning software can contain issues that cause the operating system or its add-ons to function incorrectly after being cloned. When using server cloning, it is important to clone one server and test its operation before deploying the rest of the farm.

CAUTION Do not attempt to image a server with an SSL certificate installed because SSL certificates are unique to the hardware.


Issues to Consider Before Cloning a MetaFrame Server

Zone settings are not retained when cloning a server. When the Citrix IMA Service on the cloned server starts for the first time, the MetaFrame XP server joins the default zone. The name of the default zone is the ID of the subnet on which the cloned server resides. When deploying images to servers on multiple subnets, assign zone information for each server after the imaging process completes.

Prior to changing the Security ID (SID) on the machine used to access the Citrix Management Console, add one of the following user accounts as a Citrix administrator with full privileges:

• A domain administrator

• The local administrators group

• A local administrator from a machine where the SID is not being changed

CAUTION Do not attempt to use drive image software to restore an image of a MetaFrame server with remapped drives. Remapped drives will partially revert to the original configuration on the deployed server, rendering the server unusable. Servers with remapped drives can be duplicated using a hardware solution such as Compaq Smart Array controllers with RAID1 drive mirroring.

You must complete the following tasks before re-imaging a server that is already a member of a MetaFrame server farm.

► To prepare a server in a MetaFrame server farm for re-imaging

1. From the Citrix Management Console, remove the list of servers configured to host any applications.

2. Remove the server from the server farm by uninstalling MetaFrame XP.

3. If the server entry still exists in the Citrix Management Console server list, right-click and manually remove the server name from the server list.

4. Apply the system image and add the server to the server farm.

Important If a server is not removed from a MetaFrame server farm before a new system image is applied to it, performance problems can result. The Citrix Management Console can display invalid data if the server is returned to the same server farm because the old server’s host record in the data store is applied to the newly imaged server.

If cloning is not an option, such as when configuring with remapped drives, you can create custom unattended installation scripts for both the operating system and applications, including MetaFrame.

Rapid Deployment if you Are Using Microsoft Access

When using Microsoft Access, you must manually install the first server in the new MetaFrame XP farm that will host the data store. You can image the second server in the farm for the deployment of additional servers.

► To image a server for rapid deployment with Access

1. Follow all necessary steps from the MetaFrame XP Administrator’s Guide to install the first MetaFrame XP server in the farm.

2. Install a second MetaFrame XP server in the farm with an indirect connection to the data store you created on the first server.

3. With the second server successfully installed and restarted, log on to the console of the second server as a local or domain administrator.

4. On the second server, delete the Wfcname.ini file, if it exists, from the root drive of the server.

5. Stop the Citrix IMA Service using the Services Control Panel. Set the start up type to manual.

6. If MetaFrame XPe components are installed, see “Cloning MetaFrame XPe Systems” on page 74.

7. Take the image of the second server and then restart the second server.

8. Deploy the image obtained in Step 7.

Important It is important that some type of SID generation utility be executed when deploying Windows 2000 or Windows NT Terminal Services Edition images.

► To set up the server and verify that it is added

1. Set the SID of the server with your chosen SID generator.

2. Rename the new server with a unique name.

3. Manually start the Citrix IMA Service and set the service to start automatically.

4. Verify that the server is successfully added to the farm by executing qfarm at a command prompt. If the addition is successful, the newly imaged server will appear in the list of servers.

Rapid Deployment if you Are Using Microsoft SQL Server, Oracle, or IBM DB2

When using Microsoft SQL Server, Oracle, or IBM DB2 for the server farm’s data store, you can image the first server in the farm and use it to deploy all other servers.

► To image a server for rapid deployment with SQL Server, Oracle, or IBM DB2

1. Follow the steps from the MetaFrame XP Administrator’s Guide for installing the first MetaFrame XP server in the farm.

2. When the server is successfully restarted, log on to the console as a local or domain administrator.

3. Delete the Wfcname.ini file, if it exists, from the root drive of the server.

4. Edit the Mf20.dsn file with Notepad or another text editor. By default, the DSN file is located in the %ProgramFiles%\Citrix\Independent Management Architecture folder.

For a Microsoft SQL Server installation, the Data Source Name (DSN) file will look similar to this:

[ODBC]

DRIVER=SQL Server

UID=SQL_USERNAME

DATABASE=NAME_OF_DATABASE

WSID=NAME_OF_MF_SERVER

APP=Citrix IMA

SERVER=NAME_OF_SQL_SERVER

Remove the following line: WSID=NAME_OF_MF_SERVER

The DSN now looks like this:

[ODBC]

DRIVER=SQL Server

UID=SQL_USERNAME

DATABASE=NAME_OF_DATABASE

APP=Citrix IMA

SERVER=NAME_OF_SQL_SERVER

5. Save the changes to the DSN file.

6. Stop the Citrix IMA Service and set the start up type to manual.

7. If MetaFrame XPe components are installed, see “Cloning MetaFrame XPe Systems” on page 74.

8. Take the image of the server and then restart the server.

9. Deploy the image obtained in Step 8.

Important It is important that some type of SID generation utility be executed when deploying Windows 2000.

► To verify that the server is added

1. Set the Security ID of the server with your chosen SID generator.

2. Rename the new server with a unique name.

3. Manually start the Citrix IMA Service and set the service to start automatically.

4. Verify that the server is successfully added to the farm by executing qfarm at a command prompt on any server in the farm. If the addition is successful, the newly imaged server will appear in the list of servers.

Cloning MetaFrame XPe Systems

If you are running Resource Manager on a MetaFrame XPe server, you must delete the local database used by Resource Manager (named RMLocalDatabase) so that the cloned server does not retain information from the server you are using as the source for the cloning. The RMLocalDatabase is installed in Citrix Resource Manage\LocalDB in the MetaFrame installation directory, %Program Files%\Citrix by default.

On the cloned server, the RMLocalDatabase file is recreated when the Citrix IMA Service starts. There is no need to manually recreate this database.
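The imaging procedures above all clear the same per-server state before the image is taken: Wfcname.ini, the WSID line in Mf20.dsn, and RMLocalDatabase. The following audit is an added example, not Citrix code; it assumes the source server's system drive is reachable as a directory, that %ProgramFiles% is "Program Files", and it runs against a constructed directory tree.

```python
"""Pre-capture audit for a MetaFrame XP image source (added example)."""
from pathlib import Path
import tempfile

# Default locations relative to the system drive (assumption: %ProgramFiles%
# is "Program Files").
CITRIX_DIR = Path("Program Files/Citrix")
IMA_DIR = CITRIX_DIR / "Independent Management Architecture"

# The SQL Server file DSN as printed on the page, placeholders included.
SAMPLE_DSN = """[ODBC]
DRIVER=SQL Server
UID=SQL_USERNAME
DATABASE=NAME_OF_DATABASE
WSID=NAME_OF_MF_SERVER
APP=Citrix IMA
SERVER=NAME_OF_SQL_SERVER
"""


def dsn_keys(text):
    """Return {KEY: value} for KEY=value lines of a file DSN, keys upper-cased."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        keys[key.strip().upper()] = value.strip()
    return keys


def strip_wsid(text):
    """Return the DSN text with every WSID= line removed, other lines untouched."""
    kept = [ln for ln in text.splitlines()
            if ln.strip().partition("=")[0].strip().upper() != "WSID"]
    return "\n".join(kept) + "\n"


def audit_image_source(root, direct_data_store=True):
    """Return a list of findings; an empty list means every check passed.

    root is the system drive of the server about to be imaged.
    direct_data_store=False models the Access procedure, which has no DSN edit.
    """
    root = Path(root)
    findings = []
    # Compare names case-insensitively, as Windows does.
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "wfcname.ini":
            findings.append(f"{entry.name} still present in drive root")
    if direct_data_store:
        dsn = root / IMA_DIR / "Mf20.dsn"
        if not dsn.is_file():
            findings.append("Mf20.dsn not found; cannot confirm WSID removal")
        else:
            keys = dsn_keys(dsn.read_text(encoding="latin-1"))
            if "WSID" in keys:
                findings.append(f"Mf20.dsn names the source server: WSID={keys['WSID']}")
    citrix = root / CITRIX_DIR
    if citrix.is_dir():
        # Search by file name so the check does not depend on the exact subfolder.
        for path in citrix.rglob("*"):
            if path.is_file() and path.stem.lower() == "rmlocaldatabase":
                findings.append(f"Resource Manager database present: {path.relative_to(root)}")
    return findings


def build_constructed_tree(root):
    """Create a constructed, not yet cleaned server layout under root."""
    root = Path(root)
    (root / "Wfcname.ini").write_text("constructed\n")
    (root / IMA_DIR).mkdir(parents=True)
    (root / IMA_DIR / "Mf20.dsn").write_text(SAMPLE_DSN)
    rm_dir = root / CITRIX_DIR / "Citrix Resource Manage" / "LocalDB"  # path as printed
    rm_dir.mkdir(parents=True)
    (rm_dir / "RMLocalDatabase").write_text("constructed\n")


def demo():
    """Audit the constructed tree before and after cleanup; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root)
        before = audit_image_source(root)
        (root / "Wfcname.ini").unlink()
        dsn = root / IMA_DIR / "Mf20.dsn"
        dsn.write_text(strip_wsid(dsn.read_text()))
        for db in list((root / CITRIX_DIR).rglob("RMLocalDatabase*")):
            db.unlink()
        after = audit_image_source(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before cleanup:", *before, sep="\n  ")
    print("after cleanup:", after or "no findings")
```

The audit does not cover the Citrix IMA Service start-up type or the SID change, which still have to be checked on the server itself.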

Simultaneous Installations

Citrix recommends that you do not simultaneously install more than ten servers. During installation, servers must write configurations to the same indexes in the data store. The more servers installed at once, the greater the probability of creating deadlocks on the database server.

Important Deadlocks occur when one server times out while waiting to write to a piece of data that is locked by another server. In this event, the IMA service simply retries after a short interval.

When you install servers to a new zone, it is best to first install a single server in the new zone. When installation of the first server in the zone is finished and the server restarts, launch the Citrix Management Console and set the server preference for the first server in the zone to Most Preferred. This avoids problems with new servers in the zone becoming the zone data collector during installation.

Important When creating a new farm, the first server installed in the first zone is automatically configured with a server preference of Most Preferred. Therefore, the process of setting the server preference described above applies only when creating additional zones.

Deploying Feature Release 2 Using Installation Manager to a Feature Release 1 Server Farm

If you have Feature Release 1 installed in your MetaFrame XPe server farm, you can use Installation Manager to deploy the MetaFrame Setup Windows Installer package to upgrade your servers to Feature Release 2. Note that you can only perform the upgrade to Feature Release 2 on those MetaFrame servers on which you have installed the Installation Manager component for Feature Release 1 (Installation Manager Version 2.1).

CAUTION Citrix strongly recommends that you upgrade Microsoft Windows Installer to Version 2.0 before you install Feature Release 2. For more information about this issue, see the MetaFrame XP Administrator’s Guide.

Before you begin deploying Feature Release 2, make sure you meet the following conditions:

• There are no users logged on to the Feature Release 1 servers (the Feature Release 2 installation requires that you restart the server)

• The network account being used for Installation Manager package deployment is a member of the Local Administrators group on each target server

Important If you are using Installation Manager Version 2.1 to deploy Feature Release 2 from a Windows Installer package, you cannot use Installation Manager to remove Feature Release 2 from any server on which the package is deployed. If you uninstall the package using Installation Manager, MetaFrame XP is completely removed. If you need to downgrade to Feature Release 1, use Add/Remove Programs to manually uninstall Feature Release 2 from each server.

► To deploy the Feature Release 2 Windows Installer package to Feature Release 1 servers

1. Install Windows Installer 2.0 on all the Feature Release 1 servers in the farm. The Windows Installer 2.0 install program, Instmsiw.exe, is in the folder support\msi20 on the MetaFrame XP with Feature Release 2 CD.

To install Windows Installer 2.0, either:

• Install Windows Installer 2.0 manually on each target server. Copy the Instmsiw.exe file from the support\msi20 folder to the target servers, then execute the file.

-or-

• Create an unattended installation package for the Windows Installer 2.0 install using the Installation Manager Packager and deploy it to the target servers. Use the /q option for unattended installation.

Citrix recommends that you set the Force reboot after install option in Installation Manager when scheduling the installation. This ensures that the server will restart after installation.

2. Copy the contents of the Feature Release 2 CD-ROM to a file share on a network share point.

Note Copy the Feature Release 2 files from the CD-ROM manually. Do not use the /a option with the msiexec command to copy files. (For some Windows Installer packages, this method is used to create an Administrator Installation Point.)

3. For deployment of Service Pack 2 only, perform the following steps:

1. Using a transform editor, create a transform file using MFXP001.msi. If you use Microsoft Orca as the editor, use Version 2.0.26 or higher.

2. From within the editor, choose the Property table in MFXP001.msi.

3. Find the property CTX_MF_TURN_FEATURE_RELEASE_ON.

4. Change the value from Yes to No.

5. Generate a transform file that includes this change and save the file in the same directory as the MFXP001.msi package. If you do not do so, installation will fail.

Important Do not alter the original MFXP001.msi file. To download a transform file (servicepack.mst) already prepared for deployment of Service Pack 2 only, see Citrix Knowledge Base Article CTX342366. You can access the Citrix Knowledge Base at http://www.citrix.com/support.

4. Verify that no users are logged on to the consoles of the target servers.

5. Use the Citrix Management Console to connect to the Feature Release 1 farm and in the left pane click Installation Manager.

The Installation Manager’s network account must have administrator’s privileges on each target server and must have permission to access the Feature Release 2 files on the network file share. This cannot be a NetWare Account.

6. Add the Feature Release 2 Windows Installer package to the Installation Manager database.

7. Deploy the Feature Release 2 Windows Installer package to the target servers.

8. For deployment of Service Pack 2 only, add the transform file created in Step 3 above.

9. When the deployment is complete and the servers restart, log on to the server farm from the Citrix Management Console. Add the Feature Release 2 licenses to the farm and activate them.

10. If any server is not included in the package deployment (for example, if you are using the Citrix Management Console from a server in the server farm), upgrade that server to Feature Release 2, either from the files on the network share, or by logging on to a different server and deploying the package to the Feature Release 1 server.

11. Check that all the deployed servers are at Feature Release 2 level.

► To deploy Feature Release 2 using Installation Manager and Windows Installer 1.1

CAUTION Citrix strongly recommends using Windows Installer Version 2.0 because of a memory allocation failure that can be encountered if you use Windows Installer 1.1. If this error occurs, the operating system will need to be reinstalled.

If Windows Installer 2.0 cannot be installed on the target server before deploying Feature Release 2, follow these steps:

1. From the MetaFrame XP CD, navigate to the \support\install folder and copy the Microsoft transform file Ignoremsicheck.mst to the folder that contains the Feature Release 2 Windows Installer package (MFXP001.msi).

Note This transform file (with an .mst extension) must be located in the same directory as the Feature Release 2 Windows Installer package. If it is not, deployment will fail.

2. To deploy the Windows Installer package to the target servers, follow the steps above in the section “To deploy the Feature Release 2 Windows Installer package to Feature Release 1 servers.”

Deploying MetaFrame with Active Directory

Before you attempt to deploy MetaFrame XP Feature Release 2 using Active Directory Services, complete the following tasks:

• Place the target and source servers in the same domain. The source server hosting the Feature Release 2 Windows Installer package and any transforms to be applied must be a member of the same domain as the servers to which Feature Release 2 is being deployed.

• Enable Windows Installer logging (as described below), because Active Directory does not notify the user if a deployment fails.

Important If you enable Windows Installer logging in Windows Installer Version 1.1 (included by default with the Windows 2000 operating system), passwords are saved in the log file in unencrypted plain text. Check the documentation included with later versions of Windows Installer for support of encrypted passwords in log files.

► To enable Windows Installer logging

1. Run regedt32.

2. Locate the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

3. Right-click in any blank space on the right window and select String Value.

4. Name the string value Logging and then click OK.

5. Double-click the new Logging value and enter the string iwearucmopv under Value Data.

6. Restart the system so the new registry value can take effect.

CAUTION Be sure to turn off Windows Installer logging at the end of the procedure. If you do not, all Windows Installer deployments are logged.

When you enable logging using the procedure specified above, log files are stored in the directory %SystemRoot%\Temp. To determine why a deployment has failed, open the log file and search for the line above Return Value 3.
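The log check described above can be scripted together with a scan for the plain-text passwords the earlier Important note warns about. This is an added example, not part of the Citrix documentation; the log text and the property names in it are constructed, and the "Property(S): NAME = value" layout is the usual Windows Installer property dump format.

```python
"""Triage a Windows Installer log: failed actions and exposed passwords (added example)."""
import codecs
import re

# "Return value 3" marks the failed action; the useful text is the line above it.
FAILURE = re.compile(r"\breturn value 3\b", re.IGNORECASE)
# A property whose name suggests a secret, followed by "=" and a value.
SECRET = re.compile(r"(?i)\b(\w*(?:PASSWORD|PASSWD|PWD)\w*)(\s*=\s*)(\S.*)$")

# Constructed sample log; none of these property names come from a real package.
SAMPLE_LOG = """\
=== Logging started (constructed sample) ===
MSI (s) (5C:A0): Doing action: InstallFinalize
Action start 10:02:10: InstallFinalize.
Error: constructed failure text for this example

Action ended 10:02:11: InstallFinalize. Return value 3.
Property(S): EXAMPLE_DB_PASSWORD = S3cret-constructed
Property(S): EXAMPLE_MASKED_PWD = **********
Property(S): ProductName = Example Package
"""


def decode_log(raw):
    """Decode log bytes; Windows Installer logs are often UTF-16 with a BOM."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def find_failures(lines):
    """Return [(line_no, line_above, failing_line)] for each 'Return value 3'."""
    hits = []
    for i, line in enumerate(lines):
        if not FAILURE.search(line):
            continue
        above = ""
        for prev in reversed(lines[:i]):  # nearest non-blank line above
            if prev.strip():
                above = prev.strip()
                break
        hits.append((i + 1, above, line.strip()))
    return hits


def redact_secrets(lines):
    """Mask password-like property values; return (clean_lines, exposed_names)."""
    clean, exposed = [], []
    for line in lines:
        m = SECRET.search(line)
        # Values that are already all asterisks are masked and left alone.
        if m and set(m.group(3).strip()) != {"*"}:
            exposed.append(m.group(1).upper())
            # Everything after "=" is dropped, so a command-line echo with
            # several properties is redacted to the end of the line.
            line = line[:m.start(3)] + "<redacted>"
        clean.append(line)
    return clean, exposed


def triage(raw):
    """Run both checks over raw log bytes."""
    lines = decode_log(raw).splitlines()
    clean, exposed = redact_secrets(lines)
    return {"failures": find_failures(lines), "exposed": exposed, "clean": clean}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.encode("utf-16"))
    for line_no, above, failing in result["failures"]:
        print(f"line {line_no}: {failing}\n  cause: {above}")
    print("properties logged in plain text:", result["exposed"])
```

Run it over the files in %SystemRoot%\Temp before a log leaves the server, and keep only the redacted copy.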

Deploying MetaFrame XP, Feature Release 2 with CA Unicenter

This section describes the basic steps for deploying Feature Release 2 using CA Unicenter’s Software Delivery product. For more detailed information, see the Unicenter documentation, available from the CA Web site at http://www.ca.com.

► To deploy MetaFrame XP, Feature Release 2 using CA Unicenter

1. Edit any MetaFrame XP Windows Installer transforms to be applied to the MetaFrame XP Windows Installer installation package. Sample transforms that you can edit to fit your installation scenario are included on the MetaFrame XP CD in the Support\Install folder. For more information about the MetaFrame XP Windows Installer package and the sample transforms, see the MetaFrame XP Administrator’s Guide for Feature Release 2, located in the Docs directory on the MetaFrame XP CD.

2. Copy the MetaFrame XP Windows Installer installation package and your customized transforms to a directory on the source server. Citrix recommends that you copy these files to the server’s root directory. Copy the installation package and transforms to the same directory.

Important Install the Unicenter Software Delivery Agent on each server on which you want to install MetaFrame XP, Feature Release 2. For information about unattended installation of the Agent, consult the CA Unicenter documentation. Feature Release 2 runs on Windows 2000 Server operating systems only.

3. Create a new volume using the Software Library node. In the Register Software dialog box, type the name MetaFrame XP, Feature Release 2 and the version, 1.0. A node is created with this name.

4. On the General tab of the Register Procedure dialog box, choose the Install task and choose Windows 32-bit from the list of operating systems.

5. On the Embedded File tab, enter MFXP001.msi in the File field. In the Subpath field, enter the path to the location of the MetaFrame XP installation package and transforms. If you copied these files to the server’s root directory, enter “\”.

6. Select Install for the MSI method. In the Transforms field, enter the name of any customized transforms you created using the sample transforms from the MetaFrame XP CD.

7. On the Options tab of the Register Procedure dialog box, select all logging options. Click OK to close the Register Procedure dialog box.

8. Right-click the MetaFrame XP, Feature Release 2 node and select Seal.

9. Deploy the MetaFrame XP, Feature Release 2 package. You can drag and drop the package to the target servers listed under the All Computers and Users node.

Important It is likely that you will receive an error message while deploying MetaFrame XP, Feature Release 2 with Unicenter. This is attributed to an error in Unicenter because in all cases the installation of Feature Release 2 is successful. Clear the error message and then restart the server when prompted.

Installing Citrix Administrative Tools

You use the Citrix Management Console and Citrix Web Console to manage MetaFrame XP server farms. The procedures below explain how to install these administrative tools.

► To skip installation of the Citrix Management Console

You can skip installation of the Citrix Management Console. To do so, use the following command during the Feature Release 2 installation:

msiexec /i mfxp001.msi addlocal=all reinstall=ctx_mf_cmc

► To install or upgrade the Citrix Management Console on standalone servers

1. Run Autorun from the MetaFrame XP Feature Release 2 CD.

2. Click Other tools and components > Administrative tools > Citrix Management Console and follow the dialog boxes to complete installation of the Citrix Management Console.

► To install the Citrix Web Console on standalone servers

The following software must be installed and requirements met prior to installing the Citrix Web Console as a standalone application on a non-MetaFrame server:

• Internet Information Server 5.0

• The Citrix MetaFrame XP Feature Release 2 MFCOM SDK

Note The Feature Release 2 MFCOM SDK must point to a MetaFrame XP server with Service Pack 2 installed.

1. Install the MFCOM SDK, following the instructions distributed with the SDK.

2. When prompted, enter the name of the MetaFrame XP Feature Release 2/Service Pack 2 server on which you want to run MFCOM.

3. Insert the Feature Release 2/Service Pack 2 CD.

4. Close the Autorun menu.

5. From a command prompt, run msiexec /i cwc.msi CWC_MFCHECK="N" from the \Administration\CWC directory on the CD.

6. Follow the wizard and complete the installation.

To change the MetaFrame server to which the Web console points, run the command MFREG <servername> from a command prompt or from the run command.

Deploying Citrix ICA Clients

MetaFrame XP Feature Release 2 contains Microsoft Windows Installer (MSI) packages for both the Program Neighborhood Client and the Program Neighborhood Agent. The following section describes how to deploy the Windows Installer clients to various client devices using both the Windows Installer service and Active Directory’s IntelliMirror.

Silent Installation of Program Neighborhood Agent or Program Neighborhood Client using Windows Installer

This section describes how to modify the Program Neighborhood Agent and the Program Neighborhood Classic Windows Installer packages so you can use them in a silent installation with the Windows Installer service. A silent installation is an installation without user interaction.

Currently, when installing these packages with the Windows Installer service, users are prompted to select a server with the Citrix XML Service installed. To make the deployment of the Windows Installer package truly silent, you must make some modifications. When you make the following changes, you can use the Windows Installer, Microsoft Systems Management Server, or Active Directory to deliver the modified ICA Clients packages. These packages can be installed without any user interaction.

Requirements

• Program Neighborhood Agent (Version 6.20.985 or greater)

• Program Neighborhood Client (Version 6.20.985 or greater)

• Microsoft Windows Installer SDK (Version 1.5 or above)

There are two ways to create a silent install package of the ICA Win32 Clients. You can:

• Create a new Windows Installer package with specific changes, or

• Create a transform file (.mst) and apply it to the original Windows Installer package

► To create a new Windows Installer package

1. Create a temporary directory on the system and copy the ICA Win32 Client into it. For example, create the directory C:\MST and copy Ica32a.msi into it.

2. Open the Orca editor that comes with the Windows Installer SDK.

3. In the Orca editor, open the Ica32a.msi file.

4. In the Tables pane, select Property.

5. Click Property. The parameters of Property are displayed, as illustrated below.

6. Select the Property column header in the right pane to sort the column into alphabetical order. Scroll through the list to the SERVER_LOCATION object, as displayed below.

7. By default, the value of this object is PNAgent. Change this to the name or IP address of a server that hosts the Citrix XML Service. This server name or address must be prefaced by http://<server or FQDN of server> or https://<server or FQDN of server>.

8. Change Accept to Yes.

9. Save the file with a new file name; for example, NewIca32a.msi. This will remind you that the file is modified from the original.

10. At a command prompt, type:

MSIEXEC /I drive:\NewIca32a.msi /QN

11. Deploy the new Windows Installer file to a single server first to test that all settings are set correctly.

► To create a transform file for the existing Windows Installer file

Creating a transform file is an extension of the procedure for creating a new Windows Installer package. The Windows Installer SDK includes a utility called MSITRAN. MSITRAN compares two Windows Installer files and writes the differences to a file. This file is then used as the transform file.

1. Follow the steps in the procedure, “To create a new Windows Installer package” on page 82. Run MSITRAN from the command prompt. Use the following syntax:

msitran -g {base db} {new db} {transform} [{error/validation conditions}]

For example:

msitran -g ica32a.msi NewICA32A.msi ICA32A.MST X

2. When you run this utility, you will see the following:

C:\>msitran -g c:\mst\ica32a.msi c:\mst\newica32a.msi c:\mst\ica32a.mst x

3. The new MST file can now be used as the transform file for the original ICA32A.msi file. From the command prompt, run: ica32a.msi transforms=ica32a.mst

Tip The latest version of the Windows Installer SDK is available at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/.

Silent Installation of Program Neighborhood Agent Executable

You can limit user interaction with the self-extracting executable setup program by entering values in the Install.ini file before you deploy the Program Neighborhood Agent to your users.

Important You can use any standard compression utility to extract the client files from the packaged executable. However, you must use commercially available software to repackage the client files for distribution to your users.

► To configure the self-extracting executable for silent user installation

1. Extract the ICA Client files from Ica32a.exe using your preferred compression utility software, or by entering the following at a command prompt:

ica32a.exe -a -unpack:<Directory Location>

where <Directory Location> is the directory to which you want to extract the client files.

2. Locate and open the Install.ini file in a text editor. You can set the following parameters. When you enter values for these parameters, the setup program dialog boxes do not appear on the user’s screen.

ServerURL=<NFuse Classic server URL>
The default value is PNAgent. Enter the URL of the NFuse Classic server hosting the Config.xml file in the format http://servername, or https://servername for SSL-secured communications.

SetMachineNameClientName=<On>
This accepts the Windows machine name as the client device name.

Location=<installation location>
Use <PROGRAM_FILES> to install the files in a directory in the Program Files folder.

StartMenu=<Start menu path>
The path entered here is appended to the Programs folder of the Start menu.

InstallSingleSignOn=<On>
This enables pass-through authentication.

AcceptClientSideEULA=<On>
This accepts the end-user license agreement.

3. Save the file and exit the text editor.

4. This step is optional and is only required for specifying a default NDS context. Locate and open the Install.ini file in a text editor.

Locate the section named [WFClient].

Add the following line to the list of parameters and values in the [WFClient] section:

DEFAULT_NDSCONTEXT=<Context1 [,...]>

If you are including more than one context, separate the contexts by a comma.

Save the file and exit the text editor.

5. Repackage the client files for distribution to your users.

Citrix ICA Client Deployment on the Compaq iPaq

The ICA Client is supported on Compaq iPaq devices. This device can be used as a client as well as a server farm management tool for high density MetaFrame servers.

Recommended client version combinations:

• ICA Client for WinCE ARM: 6.20

• Extranet client 2.5.1 for PocketPC

Tip The ICA Client supports input from both the iPaq keyboard and character recognizer and transcriber within a session.

iPaq Configuration

Configure the following settings in the ICA Client for better performance with cellular digital packet data (CDPD) or code division multiple access (CDMA) connections:

• Disable sound

• Deselect Use Printer configuration utility

• Limit session color depth to 256 colors

• Set the encryption level to Basic

• If possible, avoid accessing the client drives in the session

To run the Citrix Management Console in an ICA session, set the ICA settings as follows:

• Window Size: Absolute (in pixels). When you set the Allow Intermediate Zoom Factor, the ICA Client can dynamically zoom the session window.

• Window Color: 256.

• Data Compression: On.

The version of Internet Explorer that comes installed on the iPaq supports the Citrix Web Console if it is installed on the MetaFrame server. Some manual adjustment of the screen is necessary; however, the Web Console will be fully functional. To access the Citrix Web Console, enter the URL of the server where the Web Console is installed; for instance http://webserver/citrix/webconsole/default.asp.

Wireless LAN (802.11b) and Traditional Network Connections

Any network settings selected for the iPaq should have minimal impact on session performance because of the high speeds and available bandwidth on most networks and wireless LANs. To alleviate poor CDPD connections or to provide better support for roaming on a wireless LAN, adjust the Keep Alive settings on the MetaFrame servers. This improves performance and helps prevent connections from being dropped on networks that contain dead spots. See the Citrix Knowledge Base article CTX708444 for configuration settings. You can access the Citrix Knowledge Base at http://www.citrix.com/support.

Deploying NFuse Classic

NFuse Classic 1.7 is distributed with MetaFrame XP, Feature Release 2.

If you are installing NFuse Classic 1.7 into a MetaFrame XP environment, be sure to read the documentation that ships with NFuse Classic 1.7. See the NFuse Classic Administrator’s Guide for information about the interoperation between NFuse and MetaFrame XP.

This section provides additional deployment information that is not included in the NFuse Classic 1.7 documentation.

Important If you install NFuse 1.7 on a server that is running MetaFrame XP Service Pack 1/Feature Release 1 or earlier and that has remapped server drive letters, you must change every instance of C:\ in the NFuse.properties file to the new %SystemRoot% drive letter. If you are upgrading the server to Feature Release 2/Service Pack 2, this operation is performed automatically. Stop and restart the WWW Service for the changes to take effect.

NFuse Classic 1.7 Deployment Tips

• If you are installing NFuse Classic 1.7 on Internet Information Server 4.0, see the Microsoft Knowledge Base article “IIS 4.0 Recommended Installation Procedure.” This article contains tips concerning the fine-tuning of the IIS 4.0 Web server for best performance. You can access this article at http://www.Microsoft.com.

• When using NFuse Classic 1.7 with ticketing in a server farm, ensure that the Citrix XML Service is running on all servers in the farm and is configured to listen on the same port number on all servers. Also, check that all the servers have licenses.


NFuse Classic 1.7 Launch Optimizations

The NFuse Classic 1.7 Web server can be configured to send application authentication, enumeration, and launch requests to specific servers in the farm. This functionality is equivalent to the Default Server Location setting in Program Neighborhood.

NFuse Classic 1.7 Scalability

In the Citrix eLabs, the NFuse Classic 1.7 Web extension has never been a performance bottleneck. NFuse Classic 1.7 scalability is equivalent to any ASP or JSP Web site.


CHAPTER 6

Publishing Applications

This chapter includes information about deploying applications with Citrix Installation Manager, publishing applications in environments with large numbers of objects, and using the Content Redirection feature.

Using Installation Manager to Deploy Windows Installer Packages

Consider the following issues before you use Citrix Installation Manager to deploy Windows Installer packages.

• If you are applying more than one Windows Installer transform file (files with the .mst extension) to the same Windows Installer package (files with the .msi extension), each transform will install different components but apply them to the same MSI package. For example, if you use transforms with an installation file for Microsoft Office, any components you select in the transforms are not installed even though the installation job appears to complete successfully.

• It is not necessary to record Microsoft patch packages (files with the .msp extension). You can browse through Installation Manager and add the *.msp file.

• You can uninstall a Microsoft patch package from the target server; however you cannot uninstall the patch from the server to which it was deployed. If you need to apply another patch to the application installed on the target server, first uninstall the application on the target server and then deploy the application and the patch again.

Important When installing multiple Windows Installer packages (with or without Installation Manager), a memory leak can occur in Msiexec.exe. To avoid this issue, install the latest Windows 2000 service pack available from Microsoft.


Force Reinstall Option

When a package is scheduled to be deployed to a target server, Installation Manager detects if the package is already installed. If an application from the package is detected, Installation Manager does not deploy the application and instead reports a status of “Already Installed.”

If you need to overwrite an existing installation, set the Force Reinstall option on the Properties screen of the already installed package. This new installation can be used to fix any previously damaged installations or to overwrite the existing application of the same version with any changes you applied.

Note After you use the Force Reinstall option to write over a package, the package you used to install the original application cannot be used to uninstall the application from the target server. You can uninstall only the newly installed package.

After you use the Force Reinstall option on the same package, the Installed Packages tab for the target server reports two records for the same package.

Installation Manager Interoperability

Installation Manager Version 2.2, the version of Installation Manager included with MetaFrame XP, Feature Release 2, supports packages created with Installation Manager Version 2.1, the version of Installation Manager included with MetaFrame XP, Feature Release 1.

However, some applications may not behave as expected if you use the older version of Installation Manager with MetaFrame XP, Feature Release 2. Because of this, Citrix recommends that you recreate any packages using Installation Manager Version 2.2. When recording a package, configure the source server the same as the target servers.

Interaction with Load Manager and Application Publishing

Use the Application Publishing wizard to deploy Installation Manager packages in the server farm through the Installation Manager node of the Citrix Management Console. The wizard allows you to automatically install, publish, and load balance the applications. If you use Installation Manager without the wizard, applications are not automatically published or load balanced.


Note Packages created by earlier versions of Installation Manager may not allow access to this feature.

Uninstallation Behavior

By default, a deployed package can be uninstalled using only the original package.

For example, you cannot directly uninstall an ADF package that has a status of “Already Installed.” Instead, perform another full installation using the Force Reinstall option. This new package can be used to uninstall the same package. The application can also be uninstalled from target servers without Installation Manager by using Add/Remove Programs in Control Panel.

Note If you uninstall from the “Already Installed” package, the target server will not detect the uninstall and still report that the package is installed.

Application Deployment Considerations with Installation Manager 2.2

The version of Installation Manager included with Feature Release 2 is improved in the areas of usability, scalability, stability, and functionality. However, there are some items to consider:

• Installation Manager prematurely reports success on unattended installations of packages. Installation Manager spawns unattended installations on the remote target servers. After the unattended installation sequence is activated remotely, the Installation Manager software on the remote server takes over. Because the job is done on the source server, Installation Manager reports success. Workaround: Check the individual servers to verify success.

• Installation Manager does not support Novell NetWare share points for package deployment, although the Citrix Management Console allows you to browse to a NetWare share point. Workaround: Copy the desired package and files to a Windows NT share point and deploy from that location.


• The package group’s custom network credentials are not used if you use the browse button in the “Add Package” window to add that package group. With Feature Release 2, you can create a package group and customize its network account and default file share path. This is so you can set a different file share path for your package having different permissions than the default network credentials and file share path you set in the Installation Manager Properties window. The customized network account is not used when you use the browse button in the “Add a Package” window to browse for a package for the package group. Workaround: Type the full path to the package in the File field of the “Add a Package” window.

Publishing in Domains with Thousands of Objects

MetaFrame XP with Feature Release 2 was tested in domains with over 10,000 objects in a single directory services container. Using MetaFrame XP in a directory services or domain environment that contains a large number of objects, such as Novell Directory Service or Microsoft Active Directory Service, presents factors you should consider.

If you use a directory services environment with a large number of objects, the following recommendations can help you when publishing applications:

• Use groups to categorize and easily assign permissions to large numbers of users. An application published to one group of 1,000 users requires MetaFrame XP to validate only one object for all 1,000 users. That same application published to 1,000 individual user accounts requires MetaFrame to validate 1,000 objects.

• Do not assign more than 1,000 users or group objects to a published application. Staying within this limit decreases the application publishing time, because all user and group accounts must be verified. Publishing an application with 10,000 objects may take up to 41 minutes to complete. Although the Citrix Management Console may appear to time out after five minutes, MetaFrame continues to publish the application in the background.

• Use the Add List of Names button instead of scrolling to locate a user when the user’s container holds thousands of objects.


Working with the Content Redirection Feature

This section includes information about using the Content Redirection feature.

With Content Redirection, you determine which applications — remote or local — users launch and in which situations. Use Content Redirection to redirect application launching from:

• Client to server

• Server to client

• Server to server

For information about how to configure and use Content Redirection from client to server and from server to client, see Chapter 10 of the MetaFrame XP Administrator’s Guide. For information about how to set up MetaFrame for Content Redirection from server to server, see “Content Redirection from Server to Server” on page 97.

Content Redirection From Client to Server

When you configure Content Redirection from client to server, users running the ICA Win32 Program Neighborhood Agent open all files of the associated type encountered in locally running applications with applications published on the MetaFrame XP server. You must use NFuse Classic to allow users to connect to published applications with the Program Neighborhood Agent.

The Program Neighborhood Agent gets updated properties for published applications from the NFuse Classic server. When you publish an application and associate it with file types, the application’s file type association is changed to reference the published application in the client device’s Windows registry.

Using FTACLN.exe

Use the ftacln utility, located on the MetaFrame XP CD in the location Support\debug\i386, to clean up the file type associations in the Windows registry on the device running the Program Neighborhood Agent.

The file type associations on the client device may become unusable if the Program Neighborhood Agent software is unresponsive or if the MetaFrame XP server farm goes offline while users are logged on.

If these situations occur, restart the Program Neighborhood Agent after logging off or exiting. This restores the client device’s operating system to its default state.


However, if you encounter situations where the Program Neighborhood Agent ceases to function, use the ftacln utility to restore the client device’s file type associations. This utility has been tested on client devices running Windows 95, Windows 98, and Windows XP Professional.

To use this utility, execute Ftacln.exe from a command line. The utility returns a list of the file type extensions that were cleaned up. Citrix recommends that you log back on to the farm at this point using Program Neighborhood Agent to restore the application sets and published content.

You can use the standard Microsoft utility ftype, which is built into all Windows operating systems, to determine which file types are currently available and with which applications they are associated. For more information about this utility, see its online help (use the parameter /?) or the Microsoft Web site at www.microsoft.com.

Note Content Redirection from client to server does not work for Windows NT user accounts on Windows NT 4.0 Workstation and Windows NT 4.0 Server without terminal services because the Windows registry on these platforms works differently. Users on client platforms that use HKLM instead of HKCU must have local administrator privileges for content redirection to work. Microsoft merged HKCU\Software\Classes and HKLM\Software\Classes starting with Windows NT 4.0, Terminal Server Edition (TSE).

Using Windows Explorer on Client Devices

If you enable Content Redirection from client to server, context menu commands available from within Windows Explorer function differently than on client devices that do not use this feature. For example, if you right-click a file in Windows Explorer on a client device with Content Redirection from client to server enabled for the file type, the Open command opens the file with the remote application on the MetaFrame XP server.

Most commands on the Windows Explorer context menu are unaffected because they are not configured under keys modified by MetaFrame XP Feature Release 2. MetaFrame overwrites only the items that are under ...\Classes\<FileType>\shell. Context menu items are generally defined by each application when installed.


The table below describes the behavior for the most commonly used context menu commands on client devices that have Content Redirection from client to server enabled and are running the Program Neighborhood Agent.

| Menu Command | Behavior with Program Neighborhood Agent and Content Redirection |
| --- | --- |
| Open | Opens the file in the published application associated with the file type. |
| Open With [Set under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts] | In some cases, you may have a submenu command available called “PN Agent.” If you select this, the file is opened in the published application associated with the file type. |
| Edit | Not available locally until you log off, exit, or restart Program Neighborhood Agent. |
| Print | Not available locally until you log off, exit, or restart Program Neighborhood Agent. |
| New | Not available locally until you log off, exit, or restart Program Neighborhood Agent. |

Content Redirection From Server to Client

When Content Redirection is enabled from server to client, embedded URLs are intercepted on the MetaFrame server and sent to the ICA Client using the ICA Control virtual channel. The user’s locally installed browser is used to play the URL. Users cannot disable this feature.

For example, users may frequently access Web and multimedia URLs they encounter when running an email program published on a MetaFrame server. If you do not enable Content Redirection from server to client, users open these URLs with Web browsers or multimedia players present on MetaFrame servers.

To free servers from processing these types of requests, you can redirect application launching for supported URLs from the MetaFrame server to the local client device.

Setting Default Web Browser Messages

If you enable Content Redirection from server to client, users may see messages when the Web browser on the MetaFrame XP server starts. The message states that the Web browser is not the default browser for the system.


Change the following Windows registry settings to stop the messages from appearing.

To set Internet Explorer as the default Web browser, make the following change under \HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main:

check_associations=no

To set Netscape as your default Web browser, make the following change under HKEY_LOCAL_MACHINE\SOFTWARE\MOZILLA\Desktop:

value=havebeenset=1

Working with URL Types

The following URL types are supported by default with Feature Release 2 when Content Redirection from server to client is enabled. URLs for the Web sites of companies that create products associated with the URL types are included for your convenience.

• RTSP: Real Player and QuickTime

• RTSPU: Real Player and QuickTime (http://rtsp.org/, http://www.real.com/realone/?src=realaudio, http://www.apple.com/quicktime/)

• PNM: Older Real Players (http://www.real.com/realone/?src=realaudio)

• MMS: Microsoft’s Media Format (http://www.microsoft.com/windows/windowsmedia/technologies.asp). Examples of streaming video server software include Apple’s Darwin Streaming Server 4, Microsoft’s Windows Media Services, and Real Network’s RealSystem Iq. Hardware based solutions include Amnis Systems NAC-3000 and VBrick Systems 3200 and 6200.

• HTTP: Hypertext Transfer Protocol

• HTTPS: Secure Hypertext Transfer Protocol


Known Issues for Content Redirection from Server to Client

• Content Redirection from server to client is unidirectional. This means that if a user clicks a URL in a mail program running in a remote session, the link is launched in a browser installed on the client device. However, if the user attempts to use the “mail to” function, for example, inside the locally running browser, that mail link is not redirected back to the remotely running mail application. The default mail program on the client device opens.

• For server to client Content Redirection to function, MetaFrame must access the “SHELL/open/command” values for application types. This is what is changed to redirect and point to the use of ServerFTA.exe.

• Microsoft Word for Windows (Winword.exe) does not redirect HTTP or HTTPS type hyperlinks to the Web browser on the client device. For example, if a user clicks a hyperlink encountered in a Word document running in the remote Word application, the Web browser on the MetaFrame XP server opens, not the locally installed Web browser. This is because the Microsoft Office suite does not directly access the “Shell” values and redirects these types of links directly to the application itself. MMS and PNM URL links do work from within Word.

• Neither the Notepad text editor (Notepad.exe) nor the Write text editor (Write.exe) supports URL hyperlinks.

• The Textpad text editor (Version 4.5.0, 32 bit edition from Helios Software Solutions) redirects both the HTTP and HTTPS types of URL hyperlinks. This application does not redirect multimedia URL links, however.

Content Redirection from Server to Server

Enable Content Redirection from server to server to allow users to access information with applications published on different MetaFrame XP servers. When you enable Content Redirection from server to server, users working in one published application on a MetaFrame server can open attachments with different applications published on different MetaFrame servers.

To enable Content Redirection from server to server, you must install the Program Neighborhood Agent on any MetaFrame XP servers hosting published applications to which you want to give users access. For example, if Microsoft Word is published on server A and you want users running Word to be able to open Microsoft Excel spreadsheets embedded into Word documents, you must install the Program Neighborhood Agent on Server A (the server running Word).


MetaFrame XP with Feature Release 2 supports this scenario: Word is published on Server A. A user opens a Word document and sees an inserted icon or link to an Excel spreadsheet. Excel may be published on Server B. When the icon or link is accessed, the content will open in Excel.

MetaFrame XP with Feature Release 2 does not support this scenario: Word is published on Server A. A user opens a Word document that has an embedded chart that was originally created with Excel and linked or embedded into the Word document. The user will not see the chart. Object linking and embedding (OLE) is supported only if both applications are published on the same server.

Note Because the Program Neighborhood Agent is configured to start each time a user launches a remote session, multiple instances of Program Neighborhood Agent are launched if a user has more than one session running on the same server and session sharing is not enabled. For example, if a user launches Outlook on one server and attempts to open a Word attachment without session sharing enabled, two instances of the Program Neighborhood Agent will run.

To enable Content Redirection from server to server

1. Install the ICA Win32 Program Neighborhood Agent on the MetaFrame XP servers hosting the published application to which you want to give users access. Point the Program Neighborhood Agent to an NFuse Web server.

2. Create a command script file in the location %WINDIR%\system32. A sample script file is listed below.

REM ----- begin -----
@echo off
start C:\PROGRA~1\Citrix\PNAgent\PNagent.exe
REM ----- end -------

Be sure that the path to the Program Neighborhood Agent executable is in the short form and does not include spaces.

3. Add the command script file you created in Step 2 to the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Add the file name to the AppSetup value. Typical entries for AppSetup can include “UsrLogon.Cmd,cmstart.exe,PNAgent.cmd.”

4. Add PNAgent.exe to the list of executables that must be terminated when users log off by editing the registry key HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI. Add the executable name to the value LogoffCheckSysModules.
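
One way to verify Steps 2 through 4 on a server, as an added example that is not part of the original guide: the script reads a regedit-style export of the two registry keys plus the startup script and reports anything missing or unexpected. The export text is constructed, and the function names, the expected-entry list, and the comma-separated format assumed for LogoffCheckSysModules are assumptions made for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TWI = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI"
# Entries the guide calls typical for AppSetup. AppSetup commands run at every
# logon, so anything outside this list is reported for review.
EXPECTED_APPSETUP = {"usrlogon.cmd", "cmstart.exe", "pnagent.cmd"}

# Constructed sample: regedit-style export of the keys edited in Steps 3 and 4.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AppSetup"="UsrLogon.Cmd,cmstart.exe,PNAgent.cmd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI]
"LogoffCheckSysModules"="PNAgent.exe"
'''

# The sample script from Step 2.
SAMPLE_SCRIPT = r'''REM ----- begin -----
@echo off
start C:\PROGRA~1\Citrix\PNAgent\PNagent.exe
REM ----- end -------
'''

_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key path: {value name: string}} for the string values of an export.

    Key paths and value names are lower-cased because the registry is
    case-insensitive. Non-string values (dword:, hex:) are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            match = _SZ.match(line)
            if match:
                # Undo the export's escaping of backslashes and quotes.
                name, value = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
                current[name.lower()] = value
    return keys


def split_list(value):
    """Split a comma-separated registry string into trimmed, lower-cased items."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def start_targets(script_text):
    """Return what follows each `start` command, as in the guide's sample script."""
    targets = []
    for line in script_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "start":
            targets.append(parts[1].strip())
    return targets


def check_server_to_server(export_text, script_name, script_text):
    """Return a list of findings; an empty list means Steps 2-4 look complete."""
    findings = []
    keys = parse_reg_export(export_text)

    # Step 3: the script must be listed in AppSetup.
    app_setup = split_list(keys.get(WINLOGON.lower(), {}).get("appsetup", ""))
    if script_name.lower() not in app_setup:
        findings.append(f"AppSetup does not list {script_name}")
    for entry in app_setup:
        if entry not in EXPECTED_APPSETUP | {script_name.lower()}:
            findings.append(f"AppSetup has an unexpected entry: {entry}")

    # Step 4: PNAgent.exe must be terminated at logoff.
    logoff = split_list(keys.get(TWI.lower(), {}).get("logoffchecksysmodules", ""))
    if "pnagent.exe" not in logoff:
        findings.append("LogoffCheckSysModules does not list PNAgent.exe")

    # Step 2: the script must start the agent through a short path without spaces.
    targets = start_targets(script_text)
    if not any(t.lower().endswith("pnagent.exe") for t in targets):
        findings.append("script does not start PNagent.exe")
    for target in targets:
        if " " in target or '"' in target:
            findings.append(f"script path is not in short form: {target}")
    return findings


if __name__ == "__main__":
    for finding in check_server_to_server(SAMPLE_EXPORT, "PNAgent.cmd", SAMPLE_SCRIPT):
        print(finding)
```
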


Known Issues for Content Redirection from Server to Server

• In some instances the Program Neighborhood Agent logon dialog box may appear in the background.

• If Pass-Through Authentication is not enabled in the Program Neighborhood Agent software running on MetaFrame XP servers, users are prompted for their credentials each time an application is launched on a new server. See the ICA Win32 Clients Administrator’s Guide for more information about Pass-Through Authentication and the Program Neighborhood Agent.

• Using Word as the default Outlook mail editor may affect how the Program Neighborhood Agent connection is made if a user launches a Word attachment from Outlook.

Troubleshooting Tips, Error Messages, and Conditions

Content Redirection from Client to Server

If you see the error messages listed below, check that the appropriate conditions are met.

• Logon failure: unknown user name or bad password. Action: Verify the user has proper access permissions to the share point of the document or application.

• The network name cannot be found. Action: Verify that client device mapping is not disabled or is disabled for the ICA session and/or user account.

If you connect to a Web page that contains an embedded document link or a UNC path to the link (for example, to an Excel spreadsheet), Content Redirection from client to server will not work and you are prompted to Open, Save as, or Cancel the document.

Action: Save the document locally. Program Neighborhood Agent then launches an ICA session and displays the contents of the Excel file.

You may encounter the following scenarios if you enable Content Redirection.

Scenario 1

1. Publish Excel on a MetaFrame XP server and associate it with the .XLS extension.

2. Publish Internet Explorer but do not associate it with any extensions.


3. From a client running the Program Neighborhood Agent, log on and connect to the Internet Explorer published application.

4. Save a “.xls” type file to a remote network share point and make sure the user has access to the share.

5. In Internet Explorer, create a link to the “.xls” type file you created in Step 1.

The Program Neighborhood Agent does not open the remote Excel to display the file. Instead, you are prompted to choose from Open, Save As, or Cancel.

The ICA session opens Excel and displays the contents properly if the document link is first saved to the local hard disk drive and then launched. This behavior also works if you enter the path in the Run dialog box, accessed from the Start menu on a client device running Program Neighborhood Agent.

Scenario 2

Content Redirection from client to server does not redirect shortcuts located on a network UNC share from the client device.

For example, if you map client device drive letters to network shares, and you attempt to open a file of a file type associated with a published application, the file does not open in the published application. Instead, you receive an error message after the published application opens informing you that the file could not be opened.

If you open the shortcut on the local client drive and not the network share, the file opens in the published application.

Scenario 3

In some instances Citrix Management Console may report the wrong file type associations for a published application. This issue has occurred using Notepad.exe as a published application and associating it with the .txt file types to enable Content Redirection from client to server.

You may encounter this issue when you view the Content Redirection tabs in the following areas:

• The farm's Properties dialog box

• The Application folder

• Any newly created folders


Scenario 4

Content Redirection from client to server does not function properly for Adobe Acrobat Reader 4.0 files (files with a .pdf extension). If you attempt to redirect Acrobat Reader files from the client to the server, and Acrobat Reader Version 4.0 is installed on the client, you may encounter the following problems.

• If a .pdf file is opened from within Internet Explorer, Internet Explorer launches Acrobat using the DDEExec application AcroView. As long as any instance of Internet Explorer is open, AcroView remains resident and all attempts to launch .pdf files are redirected to the local viewer.

• If you attempt to launch Internet Explorer, it attempts to launch both the DDEExec and the Open commands (which point to Program Neighborhood Agent). In this case, you may receive an error message stating that the file cannot be found.

Enhanced Content Publishing and Content Redirection Support in NFuse Classic 1.7

This section provides further information about NFuse Classic 1.7 support for the Enhanced Content Publishing and Content Redirection features available in Feature Release 2 for MetaFrame XP.

Published content can be associated with a published application in a server farm. Previously, users could open published content only with locally installed applications. When published content is accessed, content redirection now allows the ICA Clients to automatically launch a connection to a MetaFrame server and open that content.

For applications to work with Enhanced Content Publishing and Content Redirection, they must be capable of accepting command line arguments. For example, Notepad accepts UNC addresses but not URLs.

To associate an application with content, the application must be published appropriately on the MetaFrame server. When an application is published, the percent and asterisk symbols (%*) must be included at the end of the command line; for example: C:\Program Files\Office\WINWORD.EXE "%*".

Note that the Citrix Management Console in Feature Release 2 for MetaFrame XP includes the %* automatically. If the percent and asterisk symbols are not included, the application starts but the content does not appear when users attempt to open the content.


Using Web Server Scripts

This section is for users who are familiar with writing Web server scripts to manipulate NFuse Classic Java objects. It provides information about the Java objects associated with the Content Publishing feature. It also provides example scripts that are designed to act as a guide to using the NFuse Classic objects.

Content Publishing uses the new findAppByExtension() method on the existing AppDataList object. This method accepts the address of the content and searches the list of applications it contains for one that supports the associated type of content (based upon the document’s extension). For example, if a Microsoft Word document is published as the URL http://mywebsite/spec.doc, the following is used: findAppByExtension("http://mywebsite/spec.doc").

If a published application is available that supports the document content (in this example, Microsoft Word), an NFuse Classic “App” object is returned that describes the published application. The application can then be launched using NFuse Classic, passing the address of the published content (in this example, http://mywebsite/spec.doc) as a command-line parameter. The latest ICA Clients (Version 6.30 or later) support the specification of command-line arguments through ICA files using the LongCommandLine setting (except the ICA Java Client).

Example scripts are shown below for both ASP (Active Server Pages for IIS Web servers) and JSP (JavaServer Pages for Java Web servers). These scripts assume that the address of the published content is supplied as a URL or UNC path.

The main steps in the scripts are:

1. Obtain the list of published applications available to the user

2. Locate the published application associated with the content’s extension

3. Launch the published application by generating an appropriate ICA file

ASP Example

Obtain the List of Applications

Set credentials = Server.CreateObject("com.citrix.nfuse.ClearTextCredentials")
credentials.initialize "user", "domain", "password"
Set gateway = Server.CreateObject("com.citrix.nfuse.CitrixWireGateway")
gateway.initialize credentials
Set appList = gateway.getAppDataList()

Locate the Published Application Using File Type Association

Set contentApp = appList.findAppByExtension("http://mywebsite/spec.doc")

Page 103: Advanced Concepts for MetaFrame XP with Feature …...C H A P T E R 1Introduction Advanced Concepts for MetaFrame XP with Feature Release 2 and Service Pack 2 — this book — is

Chapter 6 Publishing Applications 103

Launch the Application with the Content' Create a TemplateParser object (to generate the ICA file)

Set parser = Server.CreateObject("com.citrix.nfuse.TemplateParser")

' Set up the launching credentials

CookStr = "NFuse_User=user&NFuse_Domain=domain&NFuse_LogonMode=Explicit&NFuse_Password=password"

' Set these as cookie session fields

parser.setCookieSessionFields(CookStr)

' Set the published application to use for launching the content

urlSessionFields = "NFuse_Application=" & contentApp.getNameUrlEncoded & "&NFuse_AppFriendlyNameURLEncoded=" & contentApp.getFriendlyNameUrlEncoded

' Set these as URL session fields

parser.setUrlSessionFields(UrlSessionFields)

' Set the address of the content to use as a command line argument

parser.setSingleSessionField "NFuse_AppCommandLine", "http://mywebsite/spec.doc"

' Specify the template ICA file to use

parser.setSingleSessionField "NFuse_Template", "template.ica"

' Generate the content of the ICA file and return as MIME type "x-ica"

' This will cause the browser to launch the ICA file and hence the

' published application.

If parser.Parse() Then

Response.ContentType = "application/x-ica"

Continue = True

While (Continue)

HtmlString = parser.getNextDataBlock()

If Len(HtmlString) = 0 Then

Continue = False

Else

Response.write(HtmlString)

Page 104: Advanced Concepts for MetaFrame XP with Feature …...C H A P T E R 1Introduction Advanced Concepts for MetaFrame XP with Feature Release 2 and Service Pack 2 — this book — is

104 Advanced Concepts for MetaFrame XP

End If

Wend

Else

' Parser failed. Attempt to display the published content using

' local (client side) application.

Response.Redirect(docURL)

End If

JSP Example

Obtain the List of Applications

// Assumes the page imports the NFuse Classic classes:
// <%@ page import="com.citrix.nfuse.*" %>
ClearTextCredentials credentials = new ClearTextCredentials();
credentials.initialize("user", "domain", "password");
CitrixWireGateway gateway = new CitrixWireGateway();
gateway.initialize(credentials);
AppDataList appList = gateway.getAppDataList();

Locate the Published Application Using File Type Association

App contentApp = appList.findAppByExtension("http://mywebsite/spec.doc");

Launch the Application with the Content

// Create a TemplateParser object (to generate the ICA file)
TemplateParser parser = new TemplateParser();

// Set up the launching credentials
String CookStr = "NFuse_User=user&NFuse_Domain=domain&NFuse_LogonMode=Explicit&NFuse_Password=password";

// Set these as cookie session fields
parser.setCookieSessionFields(CookStr);

// Set the published application to use for launching the content
String urlSessionFields = "NFuse_Application=" + contentApp.getNameUrlEncoded() + "&NFuse_AppFriendlyNameURLEncoded=" + contentApp.getFriendlyNameUrlEncoded();

// Set these as URL session fields
parser.setUrlSessionFields(urlSessionFields);

// Set the address of the content to use as a command line argument
parser.setSingleSessionField("NFuse_AppCommandLine", "http://mywebsite/spec.doc");

// Specify the template ICA file to use
parser.setSingleSessionField("NFuse_Template", "template.ica");

// Generate the content of the ICA file and return as MIME type "x-ica"
// This will cause the browser to launch the ICA file and hence the
// published application.
if (parser.Parse()) {
    String contentType = parser.getContentType();
    response.setContentType(contentType);
    boolean more = true;
    while (more) {
        String HtmlString = parser.getNextDataBlock();
        if (HtmlString.length() == 0) {
            more = false;
        } else {
            out.println(HtmlString);
        }
    }
} else {
    // Parser failed. Attempt to display the published content using
    // local (client side) application.
    response.sendRedirect("http://mywebsite/spec.doc");
}

Sample Template.ica File

[Encoding]
InputEncoding=ISO8859_1

[WFClient]
Version=2
ClientName=[NFuse_ClientName]
RemoveICAFile=yes

[ApplicationServers]
[NFuse_AppName]=

[[NFuse_AppName]]
Address=[NFuse_AppServerAddress]
InitialProgram=#[NFuse_AppName]
LongCommandLine="[NFuse_AppCommandLine]"
DesiredColor=[NFuse_WindowColors]
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
[NFuse_ClientLogon]
[NFuse_SOCKSSettings]
AutologonAllowed=ON
[NFuse_Ticket]
[NFuse_IcaAudio]
[NFuse_IcaWindow]
[NFuse_IcaEncryption]
SessionsharingKey=[NFuse_SessionSharingKey]
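The template places the NFuse_AppCommandLine session field inside a quoted LongCommandLine value, so a content address that is not a fixed literal should be checked before it is passed to setSingleSessionField. The following is an added example, not Citrix code: the class name ContentAddress, the length limit, the accepted forms (http/https URL or UNC path) and the sample inputs are assumptions, as is the premise that the parser substitutes the value into the ICA file verbatim.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/**
 * Added example, not NFuse Classic code. Checks a published-content address
 * before it is used as the NFuse_AppCommandLine session field.
 */
public final class ContentAddress {

    // Assumed upper bound; not a documented NFuse Classic or ICA limit.
    private static final int MAX_LENGTH = 255;

    // UNC path: \\server\share plus optional further segments. Each segment
    // excludes the characters Windows forbids in names and control characters.
    private static final Pattern UNC = Pattern.compile(
            "\\\\\\\\[A-Za-z0-9._-]+(\\\\[^\\\\/:*?\"<>|\\p{Cntrl}]+)+");

    private ContentAddress() {
    }

    /**
     * Returns the address unchanged when it is an http/https URL or a UNC path
     * that cannot alter the generated ICA file; throws otherwise.
     */
    public static String validate(String address) {
        if (address == null || address.isEmpty() || address.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("address missing or too long");
        }
        for (int i = 0; i < address.length(); i++) {
            char c = address.charAt(i);
            // A double quote would end the quoted LongCommandLine value and a
            // line break would start a new ICA setting.
            if (c == '"' || Character.isISOControl(c)) {
                throw new IllegalArgumentException("illegal character at index " + i);
            }
        }
        if (address.startsWith("\\\\")) {
            if (!UNC.matcher(address).matches()) {
                throw new IllegalArgumentException("malformed UNC path");
            }
            return address;
        }
        URI uri;
        try {
            uri = new URI(address);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL", e);
        }
        String scheme = uri.getScheme();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!web || uri.getHost() == null) {
            throw new IllegalArgumentException("only http/https URLs with a host are accepted");
        }
        return address;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; only the first appears in the scripts above.
        String[] samples = {
            "http://mywebsite/spec.doc",
            "\\\\fileserver\\docs\\spec.doc",
            "ftp://mywebsite/spec.doc",
            "C:\\docs\\spec.doc",
            "http://mywebsite/spec.doc\"\r\nExtra=1"
        };
        for (String sample : samples) {
            try {
                System.out.println("accepted: LongCommandLine=\"" + validate(sample) + "\"");
            } catch (IllegalArgumentException e) {
                // Control characters are masked so the log line itself stays on one line.
                System.out.println("rejected (" + e.getMessage() + "): "
                        + sample.replaceAll("\\p{Cntrl}", "?"));
            }
        }
    }
}
```

In the JSP example, the call would wrap the address argument: parser.setSingleSessionField("NFuse_AppCommandLine", ContentAddress.validate(address)), with the redirect branch using the same validated value.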

CHAPTER 7

Integrating MetaFrame with Novell Directory Services

Overview

Feature Release 2 supports Novell Directory Services (NDS) authentication to MetaFrame XP servers, published applications, and published content. This chapter explains how to use NDS with Feature Release 2 for MetaFrame XP, NFuse Classic, and the ICA Win32 Clients (Version 6.20 and later).

This chapter assumes that you are familiar with NDS and related Novell products. See the Novell Web site at http://www.novell.com for more information about the Novell products referred to in this document.

Prior to the release of Feature Release 1, MetaFrame XP offered limited support for NDS users through the use of the BUILTIN group. In MetaFrame XP, you select the BUILTIN group to specify dynamic local users managed by Novell’s ZENworks for Desktops when you publish applications and assign users to network printers.

While use of the BUILTIN group is supported in Feature Release 2 for MetaFrame XP for backward compatibility, Citrix recommends enabling NDS support in Feature Release 2. Feature Release 2 allows tighter integration between MetaFrame XP and NDS trees and allows NDS users to take advantage of more features. To use NDS with MetaFrame XP, Feature Release 2, you must install and activate a Feature Release 2 license. At least one server in the server farm must have Feature Release 2 enabled.

Implementing NDS Support in MetaFrame XP

With Feature Release 2, you can now use MetaFrame XP to publish applications, desktops, and content for users managed by NDS or Directory Services in Windows 2000 and Windows NT. However, using MetaFrame XP in a network environment that employs multiple directory services requires careful planning.

Read the following sections carefully before installing MetaFrame XP and Feature Release 2 in an NDS environment.

Planning your Deployment of MetaFrame XP for NDS Support

To use MetaFrame XP, Feature Release 2 in an NDS environment, complete the following tasks in the order they are listed. Each task is explained in detail in this chapter.

1. Decide which servers will host applications and content published for NDS users when MetaFrame XP is installed.

2. Install the Novell Client for Windows NT/2000, Version 4.81 or later on those servers.

3. Install MetaFrame XP and Feature Release 2.

• Activate the required MetaFrame XP and Feature Release 2 licenses.

• Set the MetaFrame XP server Feature Release level to Feature Release 2.

4. Enable the Dynamic Local User policy in ZENworks for Desktops or make sure the same user accounts and passwords exist in both NDS and Windows NT or Active Directory domains.

5. Enable NDS support in the MetaFrame XP server farm.

• Assign Citrix administrator privileges to NDS objects.

• Log on to the Citrix Management Console with NDS credentials.

• Publish applications, desktops, or content for NDS users on MetaFrame XP Feature Release 2 servers to which only NDS users will connect.

6. If you are using NFuse Classic, enable NDS support in NFuse Classic.

7. Instruct users how to connect to published applications and content using their NDS credentials. If you are deploying the ICA Win32 Program Neighborhood Agent, enable NDS support in the Program Neighborhood Agent.

The following sections outline the procedures required to use MetaFrame XP, Feature Release 2 in an NDS environment.

Farm Layout and System Requirements

Using MetaFrame XP in a network environment that employs multiple directory services requires careful planning. While the MetaFrame XP server farm can contain servers that are in Windows NT or Windows 2000 domains and servers enabled for NDS, MetaFrame XP servers running the Novell Client and that use Dynamic Local User functionality should be members of a workgroup, and not members of a domain. You must use the Dynamic Local User feature of Novell ZENworks for Desktops in this configuration.

To implement MetaFrame XP in an NDS environment, designate application servers to host applications and content published only for NDS users. These servers must run Version 4.81 of the Novell Client for Windows NT/2000 and MetaFrame XP, Feature Release 2. The following figure illustrates the required layout of a MetaFrame XP server farm supporting NDS.

The following software must be installed for MetaFrame XP to successfully access NDS:

On the NDS server (a server supporting NDS authentication and responding to NDS queries from clients):

NDS eDirectory 8.5 for Windows or for Novell NetWare 5 with Support Pack 6 or later, or for Novell NetWare 5.1 with Support Pack 2 or later, or NetWare 6 and later.

On MetaFrame XP for Windows Servers:

• Novell Client for Windows NT/2000, Version 4.81 or later

• MetaFrame XP for Windows, Feature Release 2

[Figure: MetaFrame XP Farm, showing servers hosting applications and content published for NDS users (NDS Users) and servers hosting applications and content published for all other users (All Other Users).]

Important If you use the ZENworks Dynamic Local User function to gain access to Windows, you must install Novell ZENworks for Desktops 3 or later.

If you are not using ZENworks to gain access to Windows, you must have accounts with the same user name and password in both NDS and Windows NT or Active Directory domains.

To synchronize domains, do either of the following:

• Manually synchronize accounts.

• Use third-party software such as Novell’s Account Manager 2.1 for NT or DirXML that can automatically synchronize accounts between NDS and Windows NT domains.

Important IP (Internet Protocol) is the only supported protocol for interaction between MetaFrame XP, NDS, and ZENworks for Desktops.

Installing Required Software

Citrix recommends installing the Novell Client and related service packs on a server before installing MetaFrame XP. If the server is already running MetaFrame XP, see “Installing the Novell Client on a Server with MetaFrame XP” on page 111.

Installing the Novell Client on a Server Without MetaFrame XP

Complete the following tasks prior to installing MetaFrame XP.

1. Install and configure the Novell Client for Windows NT/2000, Version 4.81 or later.

2. Restart the server.

3. Verify that you can log on to NDS.

If you cannot log on to NDS, you may need to add a Directory Agent (DA) location to the Novell Client. A DA is needed when the NDS server is located on a different subnet. If a DA does not exist, make sure that the NDS server and the MetaFrame server are part of the same subnet.

4. To optimize logon and browsing response times, change the order of the network providers using the following steps:

• Right-click the My Network Places icon on the server’s desktop.

• Choose Properties from the shortcut menu. The Network and Dial-up Connections dialog box appears.

• Choose Advanced Settings on the Advanced menu. The Advanced Settings dialog box appears.

• On the Provider Order tab, adjust the order of the network providers so that Microsoft Windows Network is above NetWare Services.

• Click OK to close the Advanced Settings dialog box.

5. To optimize logon time, add the Windows fonts directory located in %systemroot% to the system path environment variable.

6. To suppress a MetaFrame XP setup program error message informing you that the FileSysChange parameter is invalid, complete the following steps:

• Open the System.ini file located in %systemroot%.

• In the [386Enh] section of System.ini, set the following value: FileSysChange=off

• Save and close System.ini.

The appearance of this error message causes unattended setup of MetaFrame XP to fail. Make sure the FileSysChange parameter is set to off before running an unattended installation.

7. Install MetaFrame XP and Feature Release 2. Be sure to activate the appropriate licenses and set the feature release level of the server to Feature Release 2.

If MetaFrame XP fails to install, complete the following steps:

1. Uninstall the Novell Client from the server.

2. Install MetaFrame XP with Feature Release 2 by following the instructions in “Installing the Novell Client on a Server with MetaFrame XP” below.

If the system is working properly, you can skip to “Configuring ZENworks for Desktops for MetaFrame XP Support” on page 113.

Installing the Novell Client on a Server with MetaFrame XP

If MetaFrame XP is already installed on the server before you install the Novell Client, you must change the Windows registry on the server before and after you install the Novell Client.

Note If the MetaFrame server has the IPX protocol installed along with the Novell Client, the MetaFrame XP with Feature Release 2 installation may fail and display a wowexec error message. To work around this issue, disable the NWLink protocol on all adapters in the server. After MetaFrame XP with Feature Release 2 is installed, re-enable NWLink.

If MetaFrame XP is already installed on the server, complete the following tasks.

1. Run regedt32.

2. Edit the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

3. Double-click the GinaDLL entry located in the right-hand pane. In the String Editor dialog box that appears, replace the value Ctxgina.dll with the value Msgina.dll.

4. Install and configure the Novell Client for Windows NT/2000, Version 4.81 or later.

5. Do not restart when prompted by the Novell Client setup program.

6. Edit the registry entry for GinaDLL as in Step 2. In the String Editor dialog box that appears, replace the value Nwgina.dll with the value Ctxgina.dll.

7. With the key path for Winlogon still selected, choose Add Value on the Edit menu.

8. Type CTXGINADLL in the Add Value dialog box. The data type is REG_SZ.

9. Enter Nwgina.dll in the String Editor dialog box to assign this value to the new CTXGINADLL entry.

On MetaFrame XP servers, Ctxgina.dll is loaded by Winlogon.exe to process the auto-logon information transmitted by ICA Clients. Ctxgina.dll can process auto-logon credentials in excess of 20 characters. For example, if Ctxgina.dll is not loaded, auto-logon user names greater than 20 characters are truncated to 20 characters by Termsrv.exe. When Ctxgina.dll acquires users’ auto-logon credentials, they are passed in their entirety to the installed Gina.dll file to complete the authentication process. In most cases, the installed GINA is Msgina.dll. When the Novell Client is installed, the GINA is Nwgina.dll.

Note Steps 1-9 above are required to ensure that CTXGINA is installed on the MetaFrame XP with Feature Release 2 server. CTXGINA is required for logging on automatically with user names that exceed 20 characters.

1. Restart the server.

2. To optimize logon and browsing response times, change the order of the network providers using the following steps:

• Right-click the My Network Places icon on the server’s desktop.

• Choose Properties from the shortcut menu that appears. The Network and Dial-up Connections dialog box appears.

• Choose Advanced Settings on the Advanced menu. The Advanced Settings dialog box appears.

• On the Provider Order tab, adjust the order of the network providers so that Microsoft Windows Network is above NetWare Services.

• Click OK to close the Advanced Settings dialog box.

3. To optimize logon time, add the Windows fonts directory located in %systemroot% to the system path environment variable.

The system is now ready for you to set up the Windows account authentication to be used to access Windows 2000 servers.
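One way to confirm the GINA chain set up in the steps above once the server has restarted, as an added example that is not Citrix or Novell code. The class name, the result names and the "name REG_SZ data" layout of the constructed samples are assumptions; the value names and DLL names are the ones given in the steps.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Added example (not Citrix or Novell code): checks the Winlogon GINA chain. */
public final class GinaChainCheck {

    /** Possible results of the check. */
    public enum State {
        CHAINED_TO_NWGINA,   // GinaDLL=Ctxgina.dll, CTXGINADLL=Nwgina.dll (Novell Client server)
        CHAINED_TO_MSGINA,   // GinaDLL=Ctxgina.dll, next GINA is Msgina.dll
        CTXGINA_NOT_LOADED,  // Winlogon loads Msgina.dll or Nwgina.dll directly
        UNEXPECTED           // any other DLL name or a path: review before relying on it
    }

    private GinaChainCheck() {
    }

    /**
     * Parses lines of the assumed form "name  REG_SZ  data" into a map keyed by
     * the upper-cased value name. Other lines (key path, blanks) are skipped.
     */
    public static Map<String, String> parseValues(String export) {
        Map<String, String> values = new LinkedHashMap<>();
        for (String line : export.split("\\r?\\n")) {
            String[] parts = line.trim().split("\\s+REG_SZ\\s+", 2);
            if (parts.length == 2 && !parts[0].isEmpty()) {
                values.put(parts[0].toUpperCase(Locale.ROOT), parts[1].trim());
            }
        }
        return values;
    }

    // Only the bare DLL names used in the steps are accepted, case-insensitively.
    private static boolean is(String data, String dll) {
        return data != null && data.equalsIgnoreCase(dll);
    }

    /** Classifies the Winlogon values against the states the procedure can leave behind. */
    public static State classify(Map<String, String> values) {
        String gina = values.get("GINADLL");     // absent: Winlogon uses Msgina.dll
        String next = values.get("CTXGINADLL");  // GINA that Ctxgina.dll hands credentials to
        if (gina == null || is(gina, "Msgina.dll") || is(gina, "Nwgina.dll")) {
            // Ctxgina.dll is bypassed, so auto-logon names over 20 characters are truncated.
            return State.CTXGINA_NOT_LOADED;
        }
        if (!is(gina, "Ctxgina.dll")) {
            return State.UNEXPECTED;
        }
        if (is(next, "Nwgina.dll")) {
            return State.CHAINED_TO_NWGINA;
        }
        // Assumption drawn from the text: without a CTXGINADLL entry the
        // installed GINA behind Ctxgina.dll is Msgina.dll.
        if (next == null || is(next, "Msgina.dll")) {
            return State.CHAINED_TO_MSGINA;
        }
        return State.UNEXPECTED;
    }

    public static void main(String[] args) {
        // Constructed samples in an assumed "name REG_SZ data" export layout.
        String key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n";
        String[] exports = {
            key + "    GinaDLL    REG_SZ    Ctxgina.dll\n    CTXGINADLL    REG_SZ    Nwgina.dll\n",
            key + "    GinaDLL    REG_SZ    Nwgina.dll\n",
            key + "    GinaDLL    REG_SZ    Other.dll\n"
        };
        for (String export : exports) {
            // Prints CHAINED_TO_NWGINA, CTXGINA_NOT_LOADED, UNEXPECTED in turn.
            System.out.println(classify(parseValues(export)));
        }
    }
}
```

On a server prepared with the steps above the expected result is CHAINED_TO_NWGINA; any other result means the GinaDLL or CTXGINADLL entry differs from what the procedure sets.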

Windows Account Authentication

When a Novell Client is running on a Windows NT or Windows 2000 server, users are required to have two accounts: one for authentication to NDS and one to gain access to Windows.

There are two different methods you can use to allow users access to Windows.

• Use Novell’s Dynamic Local User functionality, available in Novell’s ZENworks for Desktops product (this is the only supported method if you are running MetaFrame XP, Feature Release 1).

• Create user accounts with the same user name and password in both NDS and Windows NT or Active Directory domains for each user (this support is new in MetaFrame XP with Feature Release 2). Synchronizing the user accounts in this way allows you to integrate MetaFrame and NDS without using Novell’s ZENworks.

If you want to use MetaFrame in an NDS environment using ZENworks, see “Configuring ZENworks for Desktops for MetaFrame XP Support” below.

If you want to use MetaFrame in an NDS environment without using ZENworks, see “Configuring NDS Support in MetaFrame Without ZENworks” on page 116.

Configuring ZENworks for Desktops for MetaFrame XP Support

When the Novell Client is running on a Windows NT or Windows 2000 server, users are normally required to enter separate sets of credentials to log on to Windows and NDS. Enabling the Dynamic Local User policy in ZENworks for Desktops eliminates this need.

The following section explains how to configure the Container Package and User Package in ZENworks for Desktops to eliminate the need for users to specify two sets of credentials when connecting to a MetaFrame XP server. Configure the Container Package to specify the users (by container) to whom you want to apply the Dynamic Local User policy. Configure the User Package to specify how the Dynamic Local User policy is applied to those users.

Note These settings are configured on the NDS server through ConsoleOne.

Configuring the ZENworks for Desktops Container Package

The Container Package searches for policies located within the tree and then applies them to the users associated with a particular container. Follow the example below to create a Container Package that searches only the local container for policies applied to users within that container. This sample configuration is useful for small companies.

Complete the following tasks for containers that hold user objects requiring the Dynamic Local User policy.

1. Select a container that holds user objects.

2. On the New Object menu, choose Policy Package > Container Package.

3. Choose Define Additional Properties and click Finish.

4. On the Policies tab, enable the Search policy.

5. In the Search policies up to field, choose Object Container to search only the container in which the search policy resides.

The other choices are:

• Root (default) - Searches the local container and any container in the direct path to the root of the tree. This is not recommended for medium to large trees.

• Partition - Searches the local container and any container up to the root of the partition. This method works well for large environments, but you need to specify the partition boundaries.

• Selected Container - Searches the container between the current container and the root of the tree that you select.

6. Leave the search level at the default setting of 0.

7. Click Apply, then Close.

8. On the Associations tab, choose Add and browse to the container that holds the container package you just created.

9. Click OK and then Close.

Configuring the ZENworks for Desktops User Package

The User Package in ZENworks for Desktops enables Dynamic Local User functionality for users who are associated with that particular package. Follow the example below to create a User Package that enables the Dynamic Local User functionality.

Important If the Search Policy Package, the User Policy Package, and the user are not located in the same container, the policy is not applied to the user.

1. Choose the Organizational Unit that holds the Container Policy from above.

2. On the New Object menu, choose Policy Package > User Package.

3. Near the end of the wizard, choose Define Additional Properties and then click Finish.

4. Choose WinNT-2000 on the Policies tab.

5. Choose Enable Dynamic Local User and then choose Properties.

6. Choose Dynamic Local User at the top of the page.

7. Choose Manage Existing NT Account (if any). This changes the password and other items to match for a seamless integration.

Note Novell recommends that you create a separate Dynamic Local User policy for users who have the user name Administrator if the local administrator account has not been renamed.

8. Choose Use NetWare Credential. This creates a local Microsoft user who has the same user name and password as the NDS user. If this is not enabled, the Dynamic Local User feature creates a random user name and password, resulting in the loss of MetaFrame XP functionality. Do not enable Volatile User unless you have very large profiles and want to conserve disk space.

9. On the Not Member of tab, choose User > Add. Select the users or groups to whom you want to apply the policy. Applying the policy to users gives them rights to log on and run MetaFrame applications.

10. Click Apply and then OK two times to finish creating the policy.

Configuring NDS Support in MetaFrame Without ZENworks

In an environment with a Novell Client running on a Windows NT or Windows 2000 server, users are required to enter separate sets of credentials to log on to Windows and NDS. Using synchronized accounts between NDS and Windows NT or Active Directory domains eliminates this need. MetaFrame XP with Feature Release 2 adds support for this type of configuration.

To enable NDS support in MetaFrame without using ZENworks, set the following registry key on all the servers that have the Novell Client installed but are not using ZENworks for Desktops Dynamic Local User functionality. Set the value to the Windows NT or Active Directory downlevel domain name containing the user accounts that match the accounts in NDS.

1. Run regedt32.

2. Edit the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix

3. With the key path for Citrix still selected, choose New Key on the Edit menu.

4. Rename the newly created key to “NDS.”

5. Highlight the new NDS key.

6. With the NDS key still selected, choose New String Value on the Edit menu.

7. Enter SyncedDomainName in the String Value dialog box.

8. Enter the name of the Windows domain that has the same user accounts as NDS in the String Editor dialog box to assign this value to the new SyncedDomainName entry.

Note When you set this registry key, Ctxgina.dll replaces the NDS tree name that is passed from the client to the server with the string that is entered in SyncedDomainName. Ctxgina.dll then passes the credentials to Nwgina.dll, allowing the user name and password to be authenticated to NDS. The domain is then specified in SyncedDomainName.

Enabling NDS Support in the MetaFrame XP Farm

By default, a MetaFrame XP farm supports only Microsoft Windows users. Follow the steps below to specify the preferred NDS tree for the farm. Feature Release 2 for MetaFrame XP supports only one NDS tree in each farm.

1. Log on to the Citrix Management Console and connect to a MetaFrame XP, Feature Release 2 server configured for NDS support.

2. Right-click the farm node in the left pane of the console and choose Properties.

3. Click the MetaFrame Settings tab in the Properties dialog box.

4. Specify the tree name in the NDS Preferred Tree field and then click OK. To disable NDS support for the farm, delete the entry in the NDS Preferred Tree field and then click OK.

Assigning Citrix Administrator Privileges to NDS Objects

Follow the steps below to assign Citrix administrator privileges to objects such as country, organization, organization unit, group, user, or alias in an NDS tree.

1. Log on to the Citrix Management Console.

2. Right-click the Citrix Administrators node in the left-hand pane and choose Add Citrix Administrator from the menu that appears.

3. In the Add Citrix Administrator dialog box, open the NDS tree. Objects in the NDS tree represent container and leaf objects.

4. When prompted to log on to the tree, enter the distinguished name and password of an NDS user.

5. Select the Show Users option to display user and alias objects in this hierarchy.

6. Double-click to open container objects. Select the objects to be granted Citrix administrator privileges. Add at least one NDS user account that has read and write privileges.

Note While it is possible to grant a Citrix administrator access to a context, users within the context or in contexts that are children of the granted context will also be Citrix administrators. This is not recommended because of the difficulty of managing permissions granted to contexts.

7. Click Add. Select the level of permission and tasks you want to assign to the administrator.

8. Click OK.

Logging on to the Citrix Management Console Using NDS Credentials

Follow the steps below to use NDS credentials to log on to the Citrix Management Console to manage a MetaFrame XP server farm.

1. Launch the Citrix Management Console.

2. Enter a distinguished name in the User Name field. A fully distinguished name starts with a period and has a period between each object name up to the root of the tree. For example, user JoeX, within two container objects (the Admin organization unit within the PNQ organization) would enter .JoeX.Admin.PNQ in the User Name field.

3. Enter a password in the Password field.

4. Enter the NDS tree name in the Domain field.

5. Click OK.

Note Enabling Pass-Through Authentication to the Citrix Management Console is not supported with NDS users.

Publishing Applications for NDS Users

Follow the steps below to publish applications on MetaFrame servers configured for NDS support. Only NDS users can connect to the applications you publish on these servers.

1. Log on to the Citrix Management Console using NDS credentials.

2. From the Actions menu, choose New > Published Application.

3. Follow the instructions in the Published Application wizard. Click Help to obtain detailed help for each step.

4. On the Specify What to Publish dialog box, enter the UNC (universal naming convention) path to the application you want to publish in the Command Line field.

For example, the NDS tree MYNDSTREE contains organization object MYORG, which contains NetWare volume NW50_SYS. The executable path on NW50_SYS is \APPS\OFFICE\WINWORD.EXE. The full UNC path to Winword.exe is \\MYNDSTREE\MYORG\NW50_SYS\APPS\OFFICE\WINWORD.EXE.

You can leave the Working Directory field blank.

5. Because the Application Publishing wizard cannot access the application’s icon, default MetaFrame icons appear in the Program Neighborhood Settings dialog box. To use the application’s icon, you can copy the icon file (ending with an .ico extension) or the entire executable to a MetaFrame server that is not running the Novell Client. Click the Change Icon button to browse for the icon or executable on this other MetaFrame server.

6. In the Specify Servers dialog box, be sure to select only those servers running the Novell Client Version 4.81 or later.

7. In the Specify Users dialog box, select the NDS tree from the list. This enumerates the objects in the tree. Double-click container objects to open them. Choose the Show Users option to view users and alias objects in the current container. Select the desired object and click Add.

You can also manually enter NDS user names. Choose Add List of Names and enter one or more NDS account names separated by a semicolon (;). Each account name must be entered in the fully distinguished name format prefixed by an NDS tree name and a slash (\).

For example, enter CitrixNDSTree\.joeX.admin.pnq;CitrixNDSTree\.mary.test.pnq.

Click Check Names to validate the account names or click OK if you are done adding accounts.

Double-click to open container or leaf objects until the object to be granted access is displayed. Select the object and click Add.

Configuring Printer Autocreation in NDS

Use the Citrix Management Console to choose Windows NT or Windows 2000 Active Directory print queues and assign them to NDS objects for autocreation. Permissions to the print queue must be granted to the Dynamic Local User created when the NDS user logs on to a server. This may require enabling the guest account on the print server. See the Microsoft online Knowledge Base article Q271901 for information about enabling the guest account.

MetaFrame XP does not support autocreating NDS printers. See Novell’s documentation for autocreating NDS printers (NDPS and non-NDPS) in ZENworks for Desktops.


Enabling NDS Support in NFuse Classic

Complete the following tasks to configure Citrix NFuse Classic for NDS support.

1. Open the NFuse.conf file located in %systemroot%\Program Files\Citrix\NFuse\conf on the NFuse Web server.

2. Edit the following parameters:

• Set the LoginType to NDS.

• Set the NDSTreeName to the name of the preferred NDS tree for the MetaFrame XP Feature Release 2 farm.

3. If the optional parameter SearchContextList is not set, the NFuse “Contextless” authentication feature searches the entire tree to locate a user. This may take a long time in a tree that has a lot of objects. Use SearchContextList to reduce the time required for contextless authentication. Set this parameter to a comma-delimited list of contexts from the NDS tree. The NFuse Contextless authentication feature searches only these contexts to locate the user instead of the entire tree.

Note The Novell Client must be running on the NFuse Classic server to allow authentication.

4. Restart the IIS Admin Service for the changes to take effect.

NDS Support in the ICA Win32 Client

When users launch the ICA Win32 Client, they can log on and be authenticated using their NDS credentials. Supported NDS credentials are user name (or distinguished name), password, directory tree, and context.

NDS support is integrated into the following:

• The Program Neighborhood Client and Program Neighborhood Agent

If NDS is enabled in the MetaFrame XP farm, NDS users enter their credentials on an NDS tab on the ICA Client logon screen. If users have the Novell Client (Version 4.81 or later) installed, they can browse the NDS tree to choose their context. See “Enabling NDS Support in the ICA Program Neighborhood Agent” on page 123 to configure the Program Neighborhood Agent for NDS support.

• Pass-Through Authentication

If users have the Novell Client (Version 4.81 or later) installed, their credentials are passed to the MetaFrame XP server, eliminating the need for multiple system and application authentications.


Note To enable pass-through authentication when using Novell’s ZENworks for Desktops dynamic local user functionality, set the “Use NetWare Credentials” value in the ZWFD DLU policy package to On.

• Session Sharing

Session sharing works correctly with NDS users only if the application permissions are assigned at a user or container level. Session sharing does not work if the permissions are assigned at the group level.

The session sharing feature is not currently supported for custom ICA connections that are configured with NDS user credentials (under Properties > Login Information). To use the session sharing feature for Custom ICA Connections, do not specify user credentials for a connection on the connection’s Login Information tab.

• Custom ICA Connections

When users run the Add New ICA Connection wizard, they must enter a distinguished name in the User Name field and a password in the Password field and place the NDS tree name in the Domain field. Users running earlier versions of ICA Win32 Clients can also enter credentials in this manner.

• Single Sign-On

When the Novell Client is installed on the client device and Single Sign-On is enabled, Single Sign-On sends users’ NDS credentials to the server. If you want users to use Windows credentials, add the following to the Appsrv.ini or .ica file.

• Appsrv.ini file - Under the [WFCLIENT] section, add or modify the SSOnCredentialType entry to SSOnCredentialType=NT.

• ICA file - Under the application name section, add or modify the SSOnCredentialType entry to SSOnCredentialType=NT.

Configuring Default Contexts for Users

Configuring default contexts for users eliminates the need for users to know their context when they log on. Listed below are ways to configure default contexts on ICA Client devices:

• Enable pass-through authentication for the ICA Client

If the client device is running the Novell Client, enable the ICA Client to use pass-through authentication. When pass-through authentication is enabled on the ICA Client, the user name, context, and password are passed from the Novell Client to the MetaFrame server.


• Edit the Windows registry on the client device

Create a script using regini or regedit that modifies the registry entry HKEY_CURRENT_USER\Software\Citrix\CtxLogon with the correct context of the user. Edit the value RecentContexts to specify context(s). Each context must appear on a new line.

• Add a default context to the Windows Installer Setup package for the Program Neighborhood Client or Program Neighborhood Agent

At a command prompt, type:

msiexec /I <MSI_Package> /qn+ Default_NDSCONTEXT=<Context>

where <MSI_Package> is the name of the Windows Installer package and <Context> is the default NDS context you want to display in the client. If you are including more than one context, separate the contexts by a comma.

• Add a default context to the self-extracting executable for the Program Neighborhood Client

Extract the ICA Client files from Ica32a.exe by typing at a command line:

ica32a.exe -a -unpack:<Directory Location>

where <Directory Location> is the directory to which you want to extract the client files.

• Open the Appsrv.src file in a text editor.

• Locate the section named [WFClient].

• Add the following line to the list of parameters and values in the [WFClient] section:

DEFAULT_NDSCONTEXT=<Context1 [,]>

Include this parameter if you want to set a default context for NDS. If you are including more than one context, place the entire value in quotation marks and separate the contexts by a comma.

Examples of correct parameters:

DEFAULT_NDSCONTEXT=Context1

DEFAULT_NDSCONTEXT="Context1,Context2"

Note The self-extracting executable setup program for the Program Neighborhood Agent does not support adding a default context.


Enabling NDS Support in the ICA Program Neighborhood Agent

Complete the following tasks to allow NDS users to log on to the ICA Win32 Program Neighborhood Agent.

1. Open the Config.xml file located in the InetPub\Citrix\PNAgent directory on the NFuse Classic server.

2. Set Logon/SupportNDS to True.

3. Set Logon/NDS_Settings/DefaultTree to the name of the preferred NDS tree for the MetaFrame XP farm.

4. Restart the IIS Admin Service on the NFuse Classic server for the changes to take effect.

5. Restart the Program Neighborhood Agent.

Tips and Techniques

Creating Aliases

If you need to create aliases in NDS, follow the guidelines below.

• Make sure the distinguished name of the object does not exceed 48 characters.

• Alias object names are unique within the tree. The Alias object can have the same name as the actual object.

Note You can use third-party tools, such as the Lyncx tool from Centralis, to automate the process of creating aliases for large trees. See the Centralis Web site at http://www.centralis.co.uk for more information.

When users log on, they are given the rights of the object to which the alias object points.

Organizing Published Applications for NDS Users

It may be helpful to set up groups in NDS and associate published applications with them.

For example, you can create an NDS group called Default_User_Apps for business and office applications. Add this group when specifying which users have access to those published applications. When you add new users to this group, they are granted rights to the applications.


Create a separate group for specialty applications that are not distributed to a wide audience. For example, create a group in NDS called Accounting_Program and then publish an application called Accounting_Program in MetaFrame XP Feature Release 2. In MetaFrame, assign the NDS group Accounting_Program to the published application called Accounting_Program. When assigning new users to the accounting application, simply add them to the group called Accounting_Program in NDS.


Chapter 8

Security Issues and Guidelines

This chapter includes information about securing your MetaFrame XP infrastructure. The information in this chapter is intended to supplement the information about securing a MetaFrame XP environment found in the following documents:

• The Citrix Secure Gateway Administrator’s Guide

• The MetaFrame XP Administrator’s Guide

• The NFuse Classic Administrator’s Guide

• The Administrator’s Guides for the ICA Clients

These documents are available from the MetaFrame XP server CD and MetaFrame XP Components CD, or from the Citrix Web site at http://www.citrix.com/support. Click Product Documentation.

For periodic updates to the information in these documents, check the Citrix online knowledge base at http://www.citrix.com/support.

Securing MetaFrame XP Servers

This section discusses security precautions you can take to secure MetaFrame XP servers.

Controlling Physical Access

Restrict physical access to the servers to those individuals who are involved with administering the MetaFrame XP environment.

Use NTFS Partitions

For maximum security, install MetaFrame XP only on NTFS-formatted disk partitions.


Installing MetaFrame XP on NTFS partitions ensures that the local Access databases are secured because the folder %Program Files%\Citrix\Independent Management Architecture is marked so that only system and local administrators have full control. Do not change these Access Control Lists (ACLs).

Control Connection Access

For increased control of access to the Terminal Server listeners, use the Citrix Connection Configuration utility (Mfcfg.exe) to remove the Everyone group from the Permissions list for each of the listeners and specify only the user groups that require access.

Configuring the SNMP Service

The SNMP service on Windows has read/write privileges by default. If you use Citrix Network Manager or other SNMP management software for monitoring the server only (not remote management), Citrix recommends that the privileges be read only. If no SNMP consoles are used, remove the SNMP service from the server.

Note You must give read/create permissions to the SNMP service for administrative tasks, such as logoff and disconnect through Network Manager.

You can configure the SNMP community and designated management consoles to prevent unauthorized access. Configure SNMP agents to accept traps from known SNMP consoles only. For more information about correctly configuring the SNMP agent, see the online help for Windows.

Microsoft has released security bulletins for SNMP security risks on both Windows NT 4.0 (MS00-095, MS02-006) and Windows 2000 (MS00-096, MS02-006).

Tip Block incoming SNMP traffic from the Internet by using a firewall that prevents passage of traffic on UDP ports 161 and 162.

Configuring Citrix Administrator Accounts

Limit Citrix administrator accounts to users who are members of the Windows network administrators group. This group is presumed to be well controlled and to have administrative access to network resources, including print servers.

To lessen the risk of compromising the domain administrator account, use a global group of limited user accounts to administer MetaFrame XP servers.

To configure administrator accounts using a global group

1. In the domain where you manage user accounts, create a domain global group. In this example, this group is named “MFAdmins.”

2. Add the user accounts of people who need Citrix administrator privileges to the MFAdmins global group.

3. Add the MFAdmins global group to each MetaFrame server’s local administrators group.

4. In the Citrix Management Console, add the MFAdmins global group to the list of Citrix administrators.

5. When a new user account requires Citrix administrator privileges, add the account to the MFAdmins global group.

When Citrix administrators are members of an Active Directory domain, use a domain local group for farms within a single Active Directory domain or a universal group for farms that span a forest.

Security Considerations for the Data Store

Users who access MetaFrame XP servers do not require and should not be granted any access to the data store.

With direct mode access, all of the servers in the server farm share a single user account and password for accessing the data store. Select a password that is not easy to deduce. Keep the user name and password secure and give them to Citrix administrators only for the purposes of installing MetaFrame XP.

If the user account for direct mode access to the database is changed at a later time, the Citrix IMA Service will fail to start on all MetaFrame servers configured with that account. To reconfigure the Citrix IMA Service password, use the dsmaint config command on each affected server.

Depending on the database product you use for the MetaFrame XP farm’s data store, Citrix recommendations for securing the data store vary. This section discusses security measures to consider for the database products supported by MetaFrame XP.

Microsoft Access

For an Access data store, the default user name is “citrix” and the password is “citrix.” If users have access to the data store server, change the password using dsmaint config and keep the information in a safe place.


Microsoft SQL Server

The user account that is used to access the data store on Microsoft SQL Server has public and db_owner roles on the server and database. System administrator (sa) account credentials are not needed for data store access; do not use a system administrator account because this poses an inherent security risk.

If the Microsoft SQL Server is configured for mixed mode security (you can use either Microsoft SQL Server authentication or Windows NT authentication), you may want to create a Microsoft SQL Server user account for the sole purpose of accessing the data store. Because this Microsoft SQL Server user account would only access the data store, there is no risk of compromising a Windows domain if the user’s password is compromised.

Tip For high security environments, Citrix recommends using only Windows NT authentication.

For tighter security, you can change the user account’s permission to db_reader and db_writer after the initial installation of the database with db_owner permission.

Important Changing the user account’s permission from db_owner may cause problems installing future MetaFrame XP service packs or feature releases. Be sure to change the account permission back to db_owner before installing a MetaFrame XP service pack or feature release.

Oracle

If the data store is hosted on Oracle, give the Oracle user account that is used for the MetaFrame XP farm “connect” and “resource” permissions only. System administrator (system or sys) account permissions are not needed for data store access.

IBM DB2

If the data store is hosted on IBM DB2, give the DB2 user account that is used for the MetaFrame XP farm the following permissions:

• Connect database

• Create tables

• Register functions to execute to database manager’s process

• Create schemas implicitly

System administrator (DB2Admin) account permissions are not needed for data store access.

Network Security Considerations

MetaFrame XP servers and the server farm’s data store should reside on networks that are secure from network packet capturing or sniffing. In some instances, including the following, IMA communication (MetaFrame XP server to server communication) is in clear text.

• Communication between the Citrix Management Console and the MetaFrame XP server over TCP port 2513, by default

• Communication between the member servers and the data collectors over TCP port 2512, by default

Note You can use the imaport utility to change the IMA communication ports to decrease security risks.

• Communication between the member servers and the data store through ODBC

Microsoft SQL Server communication is secure when the multi-protocol encryption option is configured correctly on both the Microsoft SQL Server and the clients. For more information about enabling multi-protocol encryption, consult the Microsoft SQL Server documentation.

Securing your Network against Denial of Service Attacks

Denial of service (DoS) attacks saturate networks and servers with useless calls for information. Attackers use multiple sites to make distributed attacks on one or more networks, servers, or Web sites. Servers subjected to this sort of jamming either become unresponsive or too busy to be of use when a network becomes flooded. Not only is the network compromised for communication, it also becomes unavailable as a tool for tracing the attacks.

CAUTION Be sure to protect the security and integrity of the registry on MetaFrame XP servers. For information about backing up the registry, see Microsoft’s documentation for the operating system you are running. Editing registry settings other than those discussed in this document can corrupt your server configuration and is not supported by Citrix.

Microsoft publishes recommended steps and registry settings that make your networks and servers less prone to network DoS attacks. You can find them on the Microsoft Web site at http://www.microsoft.com/technet. Try a keyword search using “Security Considerations for Network Attacks” to see this information. Microsoft suggests changing the following registry settings to help secure your network against DoS attacks:

• SynAttackProtect

• TcpMaxHalfOpen

• TcpMaxHalfRetried

• EnablePMTUDiscovery

• NoNameReleaseOnDemand

• EnableDeadGWDetect

• KeepAliveTime

• PerformRouterDiscovery

• EnableICMPRedirects

Securing Citrix Management Console

Citrix Management Console is a Java application that can be run on MetaFrame XP servers and other workstations. However, to prevent packet capturing, run the Citrix Management Console only on MetaFrame XP servers or in environments where packet sniffing cannot occur.

To run the Citrix Management Console on a remote server

1. Make a secure connection from an ICA Client to a MetaFrame XP server.

2. Launch the Citrix Management Console in the ICA session.

3. In the Log On to Citrix Farm dialog box, select the server on which the ICA session is running.

Ensure that only Citrix administrators have access to the Citrix Management Console. You can set NTFS permissions so that non-administrators do not have Execute permission for the Citrix Management Console executable (Ctxload.exe).


Securing Citrix Web Console

The Citrix Web Console relies on IIS security for logon authentication. The Citrix Web Console allows authentication only with accounts that are recognized by the local IIS server and that are also designated as Citrix administrators. Local accounts work if the Web console is run on a MetaFrame server. Windows NT and Active Directory Services domain accounts work if the Citrix Web Console server is a member of the domain or trusts the domain.

To ensure the security of credentials when logging off from the Citrix Web Console, close the Web browser to log off from the session.

Using SSL Encryption with Citrix Web Console

IIS causes every packet passed between client and server to contain the cached credentials. This could compromise security. Citrix recommends enabling SSL encryption on Citrix Web Console connections, especially for connections made across any public network.

To set up your IIS server for SSL encryption

1. Set up your IIS server with an SSL certificate.

2. Open the Internet Services Manager and go to Default Web Site\Citrix\Webconsole\WebConsoleApp.

3. Right-click WebConsoleApp and select Properties.

4. In the Properties dialog box, select Directory Security.

5. In the Secure Communications section, click Edit.

6. Select Require secure channel (SSL).

7. Optionally, select Require 128-bit encryption (for this option, install the high-encryption pack available for download at http://www.microsoft.com).

By default, the Citrix Web Console detects if a connection uses SSL and allows you to reconnect with SSL or to continue with no encryption. Requiring encryption functionality at a higher level than WebConsoleApp prevents this page from being displayed if you connect without encryption. The error “Page cannot be displayed” is shown instead.

Important The Citrix Web Console does not support Netscape or non-Windows versions of Internet Explorer. Use Internet Explorer 4.0 or later on a Windows platform. Running the Citrix Web Console on an unsupported platform can result in security risks.

Securing ICA Client Communication

Depending on your MetaFrame environment, several features included with MetaFrame XP allow you to further secure communications between ICA Clients and MetaFrame XP servers.

MetaFrame XP included support for ICA encryption, which uses RSA’s RC5 encryption, between MetaFrame servers and ICA Clients. Support for open standards technology was added with the release of MetaFrame XP, Feature Release 1. Feature Release 1 added Citrix SSL Relay, which uses standard Secure Sockets Layer (SSL) encryption between MetaFrame XP servers and ICA Clients.

MetaFrame XP with Feature Release 2 includes the Citrix Secure Gateway solution. Citrix Secure Gateway provides an SSL/TLS Internet gateway between MetaFrame XP servers and ICA Clients located on the Internet.

For more information about setting encryption, see the Citrix Secure Gateway Administrator’s Guide, the MetaFrame XP Administrator’s Guide, and the Administrator’s Guides for the ICA Clients.

Securing NFuse Classic Communication

When using NFuse Classic, you can put in place the following to secure client-to-server communication:

• Instruct users to connect to NFuse Classic Web pages using HTTPS (secure HTTP). IIS must have an SSL certificate installed to establish a secure HTTP connection.

• Configure NFuse Classic ticketing to further secure the direct communication between the ICA Clients and the MetaFrame XP servers.

• Configure NFuse Classic to use SSL Relay for encryption between the NFuse Classic Web server and the MetaFrame XP servers.

If you are configuring SSL Relay on a MetaFrame XP server with a static IP address, set the following registry key to the fully qualified domain name (FQDN) of the MetaFrame XP server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

Tip To ensure that only ICA connections using SSL (typically port 443) are allowed through a firewall, block port 1494.

For more information about configuring security, see the MetaFrame XP Administrator’s Guide and the NFuse Classic Administrator’s Guide.

NFuse Classic Administration Console Security

NFuse Classic includes a Web-based tool you can use to configure the NFuse Classic Service. The changes you make using this utility modify the Nfuse.conf file located in %ProgramFiles%\Citrix\NFuse\Conf. The NFuse Classic Administration Console can be used to modify virtually all aspects of NFuse Classic configuration. Users need administrative access to the system to use this utility.

This utility does not offer an option for logging off. User credentials are cached and administrators are not logged off until they close their browsers. Citrix recommends that administrators close their Web browsers after using the utility to prevent access by users who do not have rights to administer the system.

MetaFrame Server and Client Configurations for Seamless Proxy Integration

ICA Client Secure Proxy/SOCKS Connections

This section covers recommended configurations for ICA Clients connecting through a firewall with SOCKS support or Secure Proxy connections. It assumes that the firewall or Secure Proxy server is configured according to the server’s documentation and recommended configurations. For the purpose of this section, the default ports are used for each component of the firewall/proxy policy configuration.

The typical ports are as follows:

ICA Port: 1494

SOCKS (v4 or v5): 1080

Web Proxy: 80 and/or 8080

Secure Proxy: 443 and/or 563

Note Some Web proxy configurations may use port 3128 as the default Web proxy port.

Proxy ICA/INI File Parameters

You can add the following parameters to the user’s .ini files (located in the %userprofile%\Application Data\ICA Client\APPSRV.INI file) or ICA files (including Citrix NFuse Classic and Citrix Program Neighborhood Template.ica) on the client device.

Each parameter is defined later in this section.

Add the parameters to the [WFCLIENT] section of the .ini or .ica file or in the [<APPLICATION>] section only if the DoNotUseDefaultCSL=ON parameter is set in the same section.

INI File Parameters for ICA Client Version 6.20.986

ICASOCKSProtocolVersion={-1|0|4|5}

ICASOCKSProxyHost=FQDN Proxy Address or IP Address

ICASOCKSProxyPortNumber=Proxy Port

ICASOCKSrfc1929UserName=SOCKSv5 User Name

ICASOCKSrfc1929Password=SOCKSv5 User Name Password

ICASOCKSTimeout=Time in milliseconds that the client waits for an initial response from the proxy server

INI File Parameters for ICA Client Version 6.30.1050

Tip The 6.30.1050 Version of the ICA Win32 Client responds to the 6.20.986 parameters for backward compatibility.

ProxyType={None|Auto|Socks|SocksV4|SocksV5|Secure|Script}

ProxyHost=Proxy Address:Proxy Port or IP Address:Proxy Port

ProxyBypassList=Domain names/IP Addresses that the Proxy Server will ignore at connection time

ProxyAutoConfigURL=Address of Http server path of Auto-Configuration File

ProxyUsername=SOCKSv5/Secure Proxy Username

ProxyPassword=SOCKSv5/Secure Proxy Password

ProxyTimeout=Time in milliseconds that the client waits for an initial response from the proxy server; minimum value is 1000

Definitions of the Parameters

ProxyType. Determines the type of connection used by the client device.

None — the client always uses a direct connection to the server; there is no connection to the proxy/firewall server

Auto — uses the client device’s Web browser settings (Microsoft Internet Explorer 4.x or later, Netscape Navigator 4.76 or later)

SOCKS — creates a SOCKS connection to the server and auto-detects the SOCKS version number used by the proxy/firewall

SOCKS V4 — creates SOCKS Version 4 connections

SOCKS V5 — creates SOCKS Version 5 connections

Secure — connects through a secure tunnel protocol; usually a high encryption or SSL/TLS connection. You must configure the Citrix SSL/TLS Relay or use Citrix Secure Gateway. Citrix recommends that you use the SSL/TLS+HTTP connection protocol or use TCP/IP+HTTP and set the encryption to 128-bit.

Script — uses the JavaScript Proxy Auto-Configuration file (*.PAC) or the Microsoft Internet Explorer Internet Settings file (*.INS) to configure the proxy connection set in the mentioned formats. Set the ProxyType to Auto and use the client’s Web browser preferences for auto configuration scripts. The path to the file is set in the ProxyAutoConfigURL parameter.

ProxyHost. Includes the address of the proxy host and port number. To set the IP address of the proxy server or to use its fully qualified domain name (FQDN), enter the proxy/firewall port number at the end of the address using the following sample formats: 192.168.0.1:8080 or proxy.citrix.com:1080.

ProxyBypassList. Allows you to specify domain names that should be ignored during a proxy connection.

Use the ProxyBypassList setting to connect the client to servers in the same subnet or network without using proxy or firewall servers. For example, a client device may reside in the same domain (corp.company.com) as MetaFrame XP servers. In this case, you can set the ProxyBypassList parameter to *.corp.company.com *.partner.company.com instead of configuring each connection for direct connections. Setting the parameter to this value configures the client to ignore any proxy servers when connecting to these domains.

Use a semicolon or a comma to separate entries if adding multiple domains.

ProxyAutoConfigURL. Allows you to include an HTTP URL to a JavaScript Proxy Auto-Configuration file (*.PAC) or the Microsoft Internet Explorer Internet Settings file (*.INS).

This setting is used when an administrator wants to centralize proxy or firewall server-client configuration by using a script file. The script file can be either a JavaScript PAC file or Microsoft Internet Explorer INS file. For information about creating these files, follow the links below:

MSDN Article on PAC Files: http://www.microsoft.com/mind/defaulttop.asp?page=/mind/0599/faq/faq0599.htm&nav=/mind/0599/inthisissuecolumns0599.htm

Internet Explorer Administration Kit Article: http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/default.asp?URL=/windows/ieak/techinfo/deploy/60/en/autodis.htm

ProxyUsername/ProxyPassword. Location to configure the SOCKS 5 or Secure Proxy authentication credentials.

If the ProxyUsername/ProxyPassword parameters are not set and the proxy or firewall connects to a server configured for SOCKS 5 or Secure Proxy with authentication, the user is prompted for credentials. The user credentials are for proxy authentication only and may not be the same as the user’s domain or network credentials. When the ProxyUsername/ProxyPassword parameters are set, the ICA Client passes the user’s credentials to the proxy server.

Important On any SOCKS 5 or Secure Proxy server configured to require authentication, the user name and password are passed in clear text. Citrix recommends that you do not set these parameters if credentials are going to be passed through a public network such as the Internet. Even if the ICA connection is set to use SSL/TLS+HTTP, the credential packets are sent before any secured tunnel is established.

ProxyTimeout. The time, in milliseconds, that the client waits for an initial response from the proxy server.
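The clear-text credential caveat above can be checked across client files before they are deployed. The following added example (not Citrix code and not part of the original guide) parses ICA/INI text, reports sections that store ProxyUsername or ProxyPassword or that give a ProxyHost without a port, and returns a copy with the credential lines removed; the function names, finding codes and sample file are constructed for illustration.

```python
import re

# Lower-cased INI key -> parameter name as written in the guide.
CREDENTIAL_KEYS = {"proxyusername": "ProxyUsername",
                   "proxypassword": "ProxyPassword"}
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")

# Constructed sample, not a real deployment. Host values reuse the
# sample formats from the ProxyHost description.
SAMPLE_ICA = """\
; constructed sample, not a real deployment
[WFClient]
ProxyType=Secure
ProxyHost=proxy.citrix.com:1080
ProxyUsername=jsmith
ProxyPassword=constructed-secret

[Constructed App A]
ProxyType=SOCKS
ProxyHost=192.168.0.1:8080
ProxyUsername=

[Constructed App B]
ProxyType=SOCKS
ProxyHost=proxy.citrix.com
"""


def parse_ini(text):
    """Return {section: {lower-cased key: value}}.

    Hand-rolled so that duplicate keys or lines without '=' do not
    abort the audit; the last value seen for a key wins.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def has_port(proxy_host):
    """True when the value ends in ':<port>' as the ProxyHost format requires."""
    host, _, port = proxy_host.rpartition(":")
    return bool(host) and port.isdigit() and 0 < int(port) < 65536


def audit_proxy_settings(text):
    """Return (section, code, detail) findings; secret values are never echoed."""
    findings = []
    for section, params in parse_ini(text).items():
        stored = [name for key, name in CREDENTIAL_KEYS.items()
                  if params.get(key)]
        if stored:
            findings.append(
                (section, "STORED_PROXY_CREDENTIALS", ", ".join(stored)))
        host = params.get("proxyhost", "")
        if host and not has_port(host):
            findings.append((section, "PROXYHOST_WITHOUT_PORT", host))
    return findings


def strip_proxy_credentials(text):
    """Return the text without ProxyUsername/ProxyPassword lines.

    With the parameters unset, the user is prompted for proxy
    credentials instead of having them stored in the file.
    """
    kept = []
    for raw in text.splitlines():
        key, sep, _ = raw.partition("=")
        if sep and key.strip().lower() in CREDENTIAL_KEYS:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for section, code, detail in audit_proxy_settings(SAMPLE_ICA):
        print(f"[{section}] {code}: {detail}")
```
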

Citrix Program Neighborhood Client and Proxy Connections

When using the ICA Win32 Program Neighborhood Client, the following parameters can be set from the Custom Connection Settings>Connection Properties>Application Set settings interface. In the Server Location dialog box, click Firewalls to set the following parameters:

Use Web browser proxy settings sets the ProxyType parameter to a value of “Auto.”

None (direct connection) sets the ProxyType parameter to a value of “None.”

SOCKS sets the ProxyType parameter to a value of “SOCKS.” To specify a version number for SOCKS, edit the user’s Appsrv.ini file and change the value for the ProxyType to the correct version parameter. You must add the proxy address and port fields to this setting.

Secure sets the ProxyType parameter to a value of “Secure.” You must specify the proxy address and port fields. Doing so sets the ProxyHost parameter.

Note For more information, see the Citrix ICA Win32 Clients Administrator’s Guide.

Citrix NFuse Classic and Proxy/Firewall Connections

There are two ways to enable the ICA Client to use NFuse Classic to pass through a proxy or firewall server.

1. Use the NFuse Administration Console to enable Client-Side Firewall settings. This is accessed through http://server/Citrix/NFuseAdmin on the NFuse server.

• Click Client-Side Firewalls.

• Select the option to use a SOCKS proxy.

• Enter a proxy address and port number.

This method enables only the SOCKS parameters listed above in the ICA/INI File Parameters section. It does not allow any Secure Proxy settings, only SOCKS settings. Additionally, SOCKS Version 5 and Secure Proxy authentication parameters are not configurable through this console.

2. Edit the %ProgramFiles%\Citrix\NFuse\Template.ica file and add new parameters as needed. Citrix recommends that you add the parameters to both the [WFCLIENT] and [<APPLICATION>] sections of the Template.ica file to ensure proper connectivity for all client types.

You can add parameters to the [WFCLIENT] and [<APPLICATION>] sections of the Template.ica file only if the DoNotUseDefaultCSL parameter is set to “ON” in the same section.

If both older and newer versions of ICA Clients are accessing NFuse Classic, edit the Template.ica file and include both older and newer clients’ ICASOCKS parameters as described in “Proxy ICA/INI File Parameters” on page 133. If you follow this procedure, legacy versions of ICA Clients connect using the parameters set for their client version. This ensures correct connectivity for both sets of ICA Clients.

The Web browser uses its own proxy settings to connect to the NFuse Classic Web site, and the Template.ica file enables the ICA Client to connect by reading the proxy parameters as mentioned above.

The Template.ica parameters are not dependent on the version of NFuse Classic being used. If you are using NFuse 1.61, set the client version parameters in the Template.ica file to specify which parameters are read from the Template.ica file.

Note For more information about the NFuse Classic Administration Console, see the NFuse Classic Administrator’s Guide.

Citrix Program Neighborhood Agent and Proxy Connections

To ensure that users running the Program Neighborhood Agent can connect through proxy or firewall servers, follow the steps outlined in “Citrix NFuse Classic and Proxy/Firewall Connections” on page 137. Note that the Template.ica file for the Program Neighborhood Agent is located in a different directory (%webroot%\Citrix\PNAgent). If you use the NFuse Administration Console to modify the settings for SOCKS connections only, you do not need to modify the Template.ica file for the Program Neighborhood Agent. The Program Neighborhood Agent Template.ica file reads the parameters from the Nfuse.conf file.

When you install the Program Neighborhood Agent, the Config.xml file contains the NetBIOS name of the Web server’s URL. Citrix recommends that you change the URL in the Config.xml file to an external IP address for Internet tunneling (configure the alternate address parameter in NFuse Classic for proper security), or to the fully qualified domain name (FQDN) of the Web server. Certain proxy server configurations allow you to route HTTP traffic directly to a Web server. You can therefore use this tunneling configuration if one NFuse Classic Web server receives all Internet traffic. The Program Neighborhood Agent can connect to the external interface of the proxy server, while the configuration prevents the internal network from being exposed through the XML traffic or configuration parameters.

Note For more information about the NFuse Classic Administration Console, see the NFuse Classic Administrator’s Guide.

Recommended MetaFrame Server and ICA Client Proxy Configurations

Many proxy servers are configured to permit Web proxy connections only to standard ports, typically ports 443 and 80. ICA Client proxy connections use destination ports based on the type of connection indicated in the ICA connection properties. For example, an ICA connection configured to use TCP/IP with a proxy server will attempt to proxy to port 1494 on the MetaFrame server. On certain proxy servers, this connection may be rejected.

Citrix recommends that you configure your MetaFrame server to run the Citrix SSL Relay Service on port 443. Configure the ICA Client to use SSL/TLS+HTTP to connect. Configuring the ICA Client to use SSL/TLS+HTTP forces it to contact the proxy server with a destination port of 443 on the MetaFrame server. This configuration allows connections through the proxy server without having to reconfigure the proxy server policy.

If your proxy server is configured to allow connections only to an authorized set of IP addresses, modify the proxy server policy to include the FQDN or IP addresses of MetaFrame XP servers.

Using Smart Cards with Feature Release 2

This section includes information about using smart cards with MetaFrame XP. This section assumes that you set up your smart card environment properly. Before you attempt to use smart cards with MetaFrame XP, make sure you set up the following:

• The user’s PIN and certificate are saved to the smart card

• Active Directory domains and Certificate Authorities are configured for smart card support

• The vendor’s smart card software tool is installed on the server

• The vendor’s smart card software tool is installed on the clients, if necessary

See the documentation from your smart card vendor for details. For more information about using smart cards with Windows 2000, see Microsoft Knowledge Base support articles Q313557 and Q227873. For more information about configuring Active Directory domains and Certificate Authority for smart card support, see Microsoft Knowledge Base support articles Q313274, Q257480, and Q231881.

Default readers and cards supported by Microsoft are listed in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais.

The smart card vendor’s unique software tool (which installs the vendor’s Cryptographic Service Provider – CSP) must be installed on the MetaFrame server for each vendor-specific smart card. These tools do not have to be installed on the client devices except when using the client’s Web browser to connect to NFuse or using the Program Neighborhood Agent on a 32-bit client operating system other than Windows 2000 or Windows XP.

Important Windows 2000 and Windows XP include native support for some smart card readers. To determine if the reader is supported by default, attach the reader to the client and let the operating system detect and install the drivers. If there is not an option to log on using a smart card after you restart the system, you must install the vendor’s software drivers.

Note Smart card readers and tools can be installed before or after MetaFrame is installed.

Copying Smart Card User Certificates

When users log on to MetaFrame XP servers to run applications that require certificates, the certificate needs to be copied to the user’s personal store. Certificates are copied to the personal store when users log on if the following registry key exists on the MetaFrame XP server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

If the registry key listed above does not exist on the MetaFrame server, see Microsoft Knowledge Base support articles Q313557, Q265087, and Q281245 for additional information about copying certificates.

The following procedure explains how to determine if the certificate is available in the user’s personal store.

To determine if the certificate is available in the user’s personal store

1. Start Internet Explorer.

2. Click Tools and choose Internet Options.

3. Click the Certificates button on the Content tab.

4. The user’s certificate is listed on the Personal tab of the Certificates dialog box.

Important The user’s certificate must be present in the personal store to use smart cards with the Program Neighborhood Agent and NFuse.

You can also copy the user’s certificate to the personal store by logging on locally to the MetaFrame XP server with the user’s smart card. Run the smart card tool on the server and register the user’s certificate. This procedure varies depending upon the smart card vendor tool that is installed. See the online help installed with the specific tool for details.

Using Smart Cards with NFuse Classic 1.7 and the Program Neighborhood Agent

Using smart cards with MetaFrame XP, Feature Release 2, the ICA Clients, and/or NFuse Classic simplifies the authentication process while enhancing logon security.

This section assumes that the NFuse Classic Web server is running Windows 2000 with Microsoft Internet Information Services (IIS). To use smart cards with NFuse Classic, configure the IIS Web server and enable smart card authentication using the NFuse Classic Administration Console.

To use smart cards with the Program Neighborhood Agent, you must configure IIS to support smart card authentication.

Configure IIS to have a Certificate Authority which can be set up in an Active Directory domain. For more information, see Microsoft’s documentation about IIS and Certificate Authorities.

Note Citrix recommends that you use Active Directory Services if you want to use smart cards with MetaFrame.

Configuring IIS for Smart Card Support

To configure IIS to support smart card authentication, you must complete the following tasks. These tasks are described in more detail below.

1. Enable the Windows Directory Mapper Service.

2. Install a server certificate.

3. Ensure that SSL is enabled on the NFuse Classic Web server.

To enable the Windows Directory Mapper Service

1. Open the Computer Management utility by right-clicking on My Computer and choosing Manage.

2. Navigate to and expand Services and Applications.

3. Navigate to and expand Internet Information Services; right-click and choose Properties.

4. Under the Internet Information Services tab, in the Master Properties box, click Edit.

5. Select the Enable the Windows Directory Service Mapper option on the Directory Security tab.

6. Click OK until you return to the Computer Management dialog box.

To install a server certificate

1. In the Computer Management utility under Internet Information Services, expand the tree until Default Web Site is displayed.

2. Right-click Default Web Site and choose Properties.

3. Click Server Certificate on the Directory Security tab to begin the Web Server Certificate Wizard. Click Next.

4. Choose Create New Certificate and click Next.

5. Choose Send the request immediately to the certification authority and click Next.

6. Enter a friendly name for the certificate and click Next.

Tip Use the server’s FQDN for the friendly name.

7. Enter the corresponding organization and organizational unit and click Next.

8. For the Common Name, enter the FQDN of the NFuse Classic Web server and click Next.

9. Enter State/Province and City/Locality and click Next.

10. If the Certificate Authority is not automatically filled in, select it from the list.

11. Click Next twice and then click Finish.

To ensure that SSL is enabled on the NFuse Classic Web server

1. In the Computer Management utility under Internet Information Services, expand the tree until Default Web Site appears.

2. Right-click Default Web Site and select Properties.

3. Choose the Web Site tab and make sure that SSL Port 443 is available for SSL connections.

4. Close the Computer Management utility.

Enabling Smart Card Authentication using the NFuse Classic Administration Console

Complete the following tasks to configure NFuse Classic to accept credentials using smart cards.

1. Open a browser and browse to http://<your NFuse server>/Citrix/NfuseAdmin.

2. Click the Authentication menu on the left side of the screen.

3. Enable the Smart Card option at the top of the screen.

4. Click Yes to choose the Enable ICA Client pass-through authentication option.

5. Set the Use smart card to log in to MetaFrame option to Auto.

6. Click Save.

7. In the left side frame, select Apply Changes and then click Apply Changes.

8. Close the Administration Console by closing the browser window.

To test the configuration, log on to the NFuse Classic server (http://<your NFuseServer>) from an ICA Client using a smart card and launch a published application.

Miscellaneous Smart Card Information

CAUTION Cryptographic Service Providers (CSPs) from Schlumberger and ActivCard do not function properly if they are both installed on the same server. However, each can be installed with the GemPlus CSP.

• You can use smart cards with single sign-on only on client devices running Windows 2000 and Windows XP because they are the only client operating systems that support logging on locally with a smart card.

• To test that a server is set up correctly for logging on with a smart card over an ICA connection, log on locally to the server using the smart card. If you can log on locally, you can log on over an ICA session.

• The CSP to be installed on the server is dependent upon the type of smart card that is used. However, most smart card readers work with different vendors’ smart cards.

• On Windows XP operating systems, Schlumberger Cryptoflex 8K cards can be used without installing additional drivers; however, Schlumberger Cryptoflex 16K cards require additional drivers.

• On occasion, the USB readers can stop working for various reasons. Removing and replacing the USB connector restores the reader to working order. Check Microsoft’s Knowledge Base support articles Q265087 and Q293507 for additional information.

Deploying the Java Client using NFuse Classic with Custom SSL/TLS Certificates

The Java ICA Client Version 6.30, available from the MetaFrame XP Feature Release Components CD, runs in applet mode only. The ICA Java Client is streamlined for use in environments where access to applications through a Web browser is required. You can configure NFuse Classic to automatically download a Java Client package to the client device when users launch applications.

Use the NFuse Classic Administration Console (on the ICA Client Deployment page) to specify which Java Client features to deploy. To make an ICA connection using SSL/TLS, select the SSL/TLS component.

If SSL/TLS is selected, the Java Client package that NFuse Classic deploys will contain built-in certificates for a number of Certificate Authorities. See the ICA Java Client Administrator’s Guide for a full list of built-in certificates.

If the environment already has server certificates from one of these Certificate Authorities, the Java client already includes details of the necessary root certificate to allow it to verify the authenticity of the MetaFrame server. However, if the certificate is not one of those included in the built-in list of certificates used by the Java Client (for example, if your organization has its own certificate authority), you must configure NFuse Classic so that it passes the correct root certificate to the Java ICA Client package when users launch applications.

To enable the ICA Java Client to connect to MetaFrame servers secured with custom SSL/TLS certificates

1. Contact your Certificate Authority and obtain the root certificates that correspond to the server certificates being used on the MetaFrame servers.

2. In a text editor, open the Appembed.asp file. In a default installation of NFuse Classic, this file is located in C:\Inetpub\Wwwroot\Citrix\NFuse17.

3. Find the section between the <applet> and </applet> HTML tags.

4. Before the </applet> tag, specify which SSL/TLS certificates the ICA Java Client should use. Use the following parameters:

• SSLNoCACerts - the number of specified certificates in the client archive.

• SSLCACert0, SSLCACert1...SSLCACert<n> - The names of the root certificates to use when validating the name of the server certificate. The number of root certificates that you specify must match the number specified in the SSLNoCACerts parameter.

For example, if you have two custom root certificates with the file names A.crt and B.crt, insert the following lines:

<param name="SSLNoCACerts" value="2">
<param name="SSLCACert0" value="A.crt">
<param name="SSLCACert1" value="B.crt">

5. Search for “codebase” and make a note of the path listed on this line. Remember to translate <%=langCode%> as the folder name of the language you are working with. Do not edit this line.

6. Save the Appembed.asp file.

7. From the Web server’s document root folder (in a default installation of IIS this is located at C:\Inetpub\Wwwroot), navigate to the path noted in Step 5; for example, Citrix\ICAWEB\en\icajava.

8. Copy the root certificates obtained from the Certificate Authority to this folder. Ensure that the file names match the file names specified earlier in the Appembed.asp file.

9. On the client device, launch the Web browser and connect to the NFuse Classic Web page. All embedded Java ICA sessions to secured MetaFrame servers work transparently using SSL.

Note Following this procedure also allows access using Citrix Secure Gateway. To use the configuration detailed in the procedure above with Citrix Secure Gateway, use the NFuse Classic Administration Console to configure the Server Side Firewall Settings page to use Citrix Secure Gateway.
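The procedure above depends on three things agreeing: the SSLNoCACerts count, the SSLCACert<n> parameter names, and the files copied to the codebase folder. The following added example (not part of the original guide or of NFuse Classic) checks an Appembed.asp applet section against a listing of that folder; the function name, the applet attributes in the constructed sample, and the case-insensitive file-name comparison are assumptions.

```python
import re

APPLET_RE = re.compile(r"<applet\b.*?</applet>", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(
    r'<param\s+name\s*=\s*"([^"]+)"\s+value\s*=\s*"([^"]*)"', re.IGNORECASE)
CERT_PARAM_RE = re.compile(r"sslcacert(\d+)")

# Constructed sample. Only the three <param> lines come from the guide;
# the applet attributes are placeholders.
GOOD_ASP = """\
<applet code="Placeholder.class" codebase="/Citrix/ICAWEB/<%=langCode%>/icajava">
<param name="SSLNoCACerts" value="2">
<param name="SSLCACert0" value="A.crt">
<param name="SSLCACert1" value="B.crt">
</applet>
"""

# Same section with one parameter name mistyped (constructed).
BAD_ASP = GOOD_ASP.replace('name="SSLCACert1"', 'name="SSLCert1"')


def check_custom_root_certs(asp_text, codebase_files):
    """Return a list of problems; an empty list means the section is consistent.

    asp_text       -- contents of Appembed.asp
    codebase_files -- file names present in the folder noted in step 5,
                      for example the result of os.listdir() on it
    """
    applet = APPLET_RE.search(asp_text)
    if applet is None:
        return ["no <applet>...</applet> section found"]

    params = {name.lower(): value
              for name, value in PARAM_RE.findall(applet.group(0))}
    certs = {}
    for name, value in params.items():
        match = CERT_PARAM_RE.fullmatch(name)
        if match:
            certs[int(match.group(1))] = value

    declared = params.get("sslnocacerts")
    if declared is None and not certs:
        return []  # no custom root certificates configured

    problems = []
    if declared is None or not declared.isdigit():
        problems.append(
            f"SSLNoCACerts missing or not a number: {declared!r}")
    else:
        count = int(declared)
        expected, found = set(range(count)), set(certs)
        for index in sorted(expected - found):
            problems.append(
                f"SSLCACert{index} is missing (SSLNoCACerts={count})")
        for index in sorted(found - expected):
            problems.append(
                f"SSLCACert{index} is not covered by SSLNoCACerts={count}")

    # Assumption: the Web server's file system compares names without
    # regard to case, so the comparison here does the same.
    present = {name.lower() for name in codebase_files}
    for index in sorted(certs):
        if certs[index].lower() not in present:
            problems.append(
                f"SSLCACert{index}: {certs[index]} is not in the codebase folder")
    return problems


if __name__ == "__main__":
    for label, text, files in (("good", GOOD_ASP, ["A.crt", "B.crt"]),
                               ("bad", BAD_ASP, ["A.crt"])):
        print(label, check_custom_root_certs(text, files) or "consistent")
```
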

Security with Pass-Through Authentication

To disable pass-through authentication

1. In the ICA Win32 Program Neighborhood Client, choose Tools > ICA Settings.

2. Clear the check box for the Pass-Through Authentication option.

3. Delete the following files from the ICA Client files folder to disable the feature and prevent a user from enabling it again in the ICA Client:

• Ssoncom.exe

• Ssonstub.dll

• Ssonsvr.exe

CHAPTER 9

Printer Management

MetaFrame XP provides centralized printer management with the Citrix Management Console.

Printer Driver Replication

Printer driver replication is designed to copy printer driver files and registry settings across the server farm. Install all required printer drivers on one MetaFrame XP server in the farm, then replicate the files and registry settings to all other servers in the farm. Manage the printer driver replication through the Citrix Management Console. Printer driver replication does not replicate printer properties such as paper size and print quality.

Tip The process of replicating printer drivers can consume a lot of CPU resources on the source server. To improve performance, avoid replicating drivers while the farm is under heavy load, such as when many users are logging on.

Managing the Printer Driver Replication Queue

Each printer driver/server combination creates an item in the printer replication queue. For best performance, this queue should not exceed 1,500 entries in length. To determine the queue size, use the following formula:

QueueSize = Drivers * Servers

Where:

Drivers = Number of printer drivers

Servers = Number of servers to which the printer drivers are being replicated

Using this formula, the queue can include 30 drivers for replication to 50 servers (30*50=1,500) or 3 drivers for replication to 500 servers (3*500=1,500) without exceeding the queue size recommendation.

You can monitor the replication queue items with the qprinter /replica command. For more information about this utility, see “QPRINTER” on page 192.

Tip You can determine whether or not printer drivers are successfully replicated by checking the Application Log in Event Viewer on the target servers.

Driver Replication and Performance Issues

The number of printer drivers installed on or replicated to each server in the farm can affect server performance and the IMA service response time. The following sections provide recommendations for minimizing potential performance issues when installing or replicating printer drivers.

Driver Replication and Server Performance

The time required to complete printer driver replications depends on network traffic and server load. The replication distribution queue is handled by the Citrix IMA Service at a low priority.

The printer driver replication subsystem can process an average of 50 entries every minute in a 50-server farm under a light user and network load. A 500-server farm under the same conditions can process an average of 20 entries a minute.

The distribution subsystem monitors the load on the MetaFrame server that is replicating the print drivers while they are distributed across the server farm. If the subsystem detects that the server is becoming overloaded, it reduces the speed at which it sends the replication jobs. This can cause very large replication jobs to take several hours.

To complete printer driver replication as quickly as possible, Citrix recommends that you replicate large numbers of printer drivers during off-peak hours when higher-priority network traffic is at a minimum.

Tip You can monitor the progress of the printer replication jobs by running qprinter /replica.

Driver Replication and IMA Performance

The server farm’s data store holds one record for each printer driver, one record for each farm server, and one record for each printer driver/server combination. Installing more printer drivers on MetaFrame servers in the farm causes the size of the printer driver tables in the data store to increase. Larger tables in the data store result in increased delay when restarting the MetaFrame servers because the Citrix IMA Service has more information to query.

To avoid degraded performance because of larger tables in the server farm’s data store, limit the number of printer drivers in the farm using the following guidelines.

• Install printer drivers only for printers that will be used by ICA Clients in the farm

• Install printer drivers only on servers that will host users who need access to the printers

• Install printer drivers that work for multiple printer types, if possible

• If a printer is removed from a server, delete the associated registry key and restart the server

• Remove unnecessary printer drivers from cloned images

• In WAN environments where a large number of printer drivers are installed, use a replicated data store if better performance is necessary

• Use the Citrix Universal Print Driver instead of the native Windows drivers, if possible

Using Auto-Replication

When an auto-replication job is scheduled, the Citrix IMA Service attempts to download the job when the IMA Service starts up. If several printer replication jobs are destined for a server, the IMA Service may take an extended amount of time to start. Using the “Overwrite existing drivers” option is not recommended because this causes the printer drivers to be downloaded each time the IMA Service starts.

Citrix recommends using scheduled replication instead of auto-replications to reduce network traffic.

If auto-replication must be used, do not use the “Overwrite existing drivers” option and keep the number of printer drivers to be replicated to a minimum.

CHAPTER 10

Maintaining MetaFrame XP Server Farms

This chapter includes information about maintaining MetaFrame XP server farms.

Cycle Booting MetaFrame XP Servers

You do not have to restart MetaFrame XP servers regularly to increase performance. However, if you want to configure cycle booting, follow the guidelines in this section.

When the Citrix IMA Service starts after you restart a MetaFrame XP server, it establishes a connection to the data store and performs various reads to update the local host cache. These reads can vary from a few hundred kilobytes of data to several megabytes of data, depending on the size and configuration of the server farm.

To reduce the load on the data store and to reduce the Citrix IMA Service start time, Citrix recommends maintaining cycle boot groups of no more than 100 servers. In large server farms with hundreds of servers, or when the database hardware is not sufficient, restart servers in groups of approximately 50, with at least 10 minute intervals between groups.

Tip If the Service Control Manager reports that the IMA Service could not be started after a restart of a MetaFrame XP server, but the service eventually starts, ignore this message. The Service Control Manager has a timeout of six minutes. The IMA Service can take longer than six minutes to start because the load on the database exceeds the capabilities of the database hardware. To eliminate this message, try restarting fewer servers at the same time.

Changing Farm Membership of Servers

To change the farm membership of MetaFrame XP servers, you must use the chfarm command. The correct use of the chfarm command is discussed below.

CAUTION Misuse of chfarm can corrupt the data store.

Using chfarm

You can execute chfarm from:

• %ProgramFiles%\Citrix\system32\citrix\ima

• The MetaFrame XP CD

• A network image of the CD

CAUTION If chfarm reports any error, continuing the process can corrupt the data store. Instead, click Cancel and use the procedure for restoring an unresponsive server. For more information, see “Recovering an Unresponsive Server” on page 204.

Executing chfarm

Executing chfarm does the following on the host server:

1. Attempts to remove the server from the farm.

2. Stops the Citrix IMA Service.

3. Configures the data store.

4. Restarts the IMA Service.

5. Initializes the license database.

Important Considerations when Running chfarm

Consider the following when you use chfarm:

• Chfarm deletes the current data store database. Do not use chfarm on the server hosting the Microsoft Access database until all other servers in that farm are moved to a new server farm. Failure to follow this process causes errors when chfarm is executed on those servers that no longer have a valid data store.

• When you create a Microsoft Access data store on a server in a new server farm:

1. Run chfarm first on the server hosting the new data store.

2. Execute chfarm on other servers to be added to the new server farm.

3. Run chfarm on any servers that hosted an old data store.

• Close all connections to the Citrix Management Console on the local server before executing the chfarm command.

• Execute chfarm only on a functioning MetaFrame XP server. Do not execute chfarm on a server that was removed from a server farm.

Important Using chfarm does not migrate published applications or any server settings to the new server farm.

Renaming a MetaFrame Server

The name and security ID given to a server when it is installed and added to a server farm generally remain unchanged, but the server can be renamed if necessary.

► To rename a server in a server farm

1. In the Citrix Management Console:

• In the Add Administrators wizard, select the checkbox to Add local administrators to the Citrix Administrator node

• From the Select Tasks screen, choose Full Administration

2. Use chglogon /disable to prevent users from logging on to the server.

3. Remove the server to be renamed from any published applications assigned to that server.

4. Stop the Citrix IMA Service.

5. Change the name of the server.

6. Restart the server.

7. Log on to the Citrix Management Console using the local administrator account.

8. Expand the Servers folder.

9. Assign a product code and feature release/service pack level to the new server name.

10. Ensure that licenses are present and activated.

11. Remove the old server name from the Citrix Management Console list of servers.

12. Add the new server name to the list of configured servers for published applications.

► To verify the success of the server name change

1. At a command prompt, type clicense in_use_by.

2. Verify all appropriate licenses are installed and in use.

3. Type clicense in_use_by <servername> or clicense in_use_by <servername> -l. If the new server name is displayed in place of the old name, the server has been successfully renamed.

Uninstalling MetaFrame Servers in Indirect Mode

If you remove MetaFrame XP from the server that directly accesses the data store, any servers that indirectly access the data store lose access to the data store. Information such as licensing and product codes is lost. Citrix recommends that you uninstall MetaFrame from the indirect servers first and the direct server last. Uninstalling MetaFrame from the direct server first prevents any other servers from being removed from the data store.

To force an uninstall of MetaFrame when the data store cannot be accessed, use the following command:

msiexec /x mfxp001.msi CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=YES

where /x is the uninstall switch and mfxp001.msi is the name and location of the MetaFrame XP Feature Release 2 Windows Installer package. For more information about how to pass properties to the Windows Installer, see the MetaFrame XP Administrator’s Guide.

CHAPTER 11

Managing MetaFrame XP Server Farms

This chapter includes best practices for managing MetaFrame XP server farms and users. This chapter includes information about the Citrix Management Console, Installation Manager, Resource Manager, and Network Manager.

Load Manager is a component of MetaFrame XPa and XPe; it requires a MetaFrame XPa or XPe product license to function. Installation Manager, Resource Manager, and Network Manager are components of MetaFrame XPe; they require a MetaFrame XPe product license.

Citrix Management Console

This section offers recommendations for using the Citrix Management Console in an enterprise environment.

Configuring Data Refresh

By default, automatic refresh of data is disabled in the Citrix Management Console. Enabling automatic refresh increases CPU utilization by the console and increases TCP traffic on the network. Opening multiple Citrix Management Console instances in the same farm with automatic refresh enabled increases network congestion.

However, if you want to enable automatic refresh (for example, to view real-time data related to ICA Client connections and disconnections), complete the following tasks.

► To enable automatic data refresh in the Citrix Management Console

1. Launch the Citrix Management Console and log on to the farm.

2. Choose View > Preferences > User Data.

3. Select the automatic refresh options and enter the refresh rate. You can specify automatic refresh for server data, server folders, and application user data.

4. Click OK to apply the settings.

Auto-refresh settings are saved on the server on which the Citrix Management Console is running.

Performance Considerations

The Citrix Management Console queries the data collector and the member servers for information such as running processes, connected users, and server loads. Depending on the size of the server farm, the Citrix Management Console might affect performance in the server farm. Consider the following recommendations for managing performance issues with the Citrix Management Console:

• In MetaFrame XP deployments with hundreds of servers and thousands of users, connect only one instance of the Citrix Management Console to the farm for each zone.

• Connect the Citrix Management Console to a data collector so that the console can query data directly, rather than through an intermediate MetaFrame server.

• In large farms, the Citrix Management Console can take a long time to refresh. The refresh time depends on the number of servers in the zone, the number of ICA Clients requesting connections, and the number of Citrix Management Console instances that are requesting information. If the refresh query takes longer to complete than the specified automatic refresh interval, the data collector becomes overloaded. Make the automatic refresh interval for users and applications as long as is practical. Citrix recommends that you do not use the minimum refresh interval of 10 seconds. For best performance, disable automatic refresh and manually refresh the data as needed.

• When managing a farm across a congested WAN, run the Citrix Management Console within an ICA session to a remote server rather than running it locally. Running the console from within an ICA session reduces the amount of bandwidth consumed across the WAN and provides better performance from the console.

Using Server and Application Folders

The Citrix Management Console allows you to group servers and applications into folders. There is no correlation between Citrix Management Console folders and Program Neighborhood folders that appear in application sets.

Citrix Management Console folders help you manage a large number of servers and applications and increase performance because the console queries for data only for the servers or applications in the current folder view. One way to improve response time is to divide the list of servers into folders based on their zones.

Tip Viewing server details for large groups of servers may result in incomplete information being gathered for all of the servers. To reduce this occurrence, group servers in folders under the Servers node of the Citrix Management Console.

Load Management Tips

When you are selecting servers to configure for load management or attaching load evaluators in large farms, Citrix Management Console can take several minutes to populate the lists of available servers and selected servers. During this delay, the console does not always indicate that it is still retrieving information.

Citrix Installation Manager

This section covers design and architecture topics you should be familiar with before you use Installation Manager to deploy applications in a MetaFrame XP farm. Concepts discussed include group size considerations, WAN recommendations, and application deployment recommendations.

Group Size Considerations

With Installation Manager, you can install applications to predefined groups of servers. When you create server groups, you can install applications to a specific set of servers quickly and efficiently. Creating server groups eliminates the need to manually select individual servers with every installation.

When you create a server group for application deployment, consider the following:

• How you want to use your server groups.

• Installation Manager allows applications to be installed to a group of servers. However, uninstalling the applications requires selecting individual servers from the Citrix Management Console.

• Keep your group size reasonable (see table below).

                          Small      Medium      Large
Application size          < 5 MB     5–20 MB     > 20 MB
Recommended group size    < 100      < 80        < 50

Installation Manager deploys applications to servers simultaneously, but does not use multicasting. Each target server reads the data from the location where the installation package is stored. Large installation packages (for example, Microsoft Office XP) copy more than 200 megabytes of data from the package server to the target server. The amount of data transferred across the network is:

D = I x N

Where:

D = the amount of data
I = the size of the installation
N = the number of target servers

Smaller group sizes are needed when installing applications that require a server to restart. Installations occur simultaneously and all of the MetaFrame servers will restart at nearly the same time. Because of this, a transient load is placed on the data store. The capacity of the data store server and the internetworking infrastructure greatly affect the performance of the network when you are deploying applications and restarting servers. The table above contains suggestions based on a 100Mbps switched Ethernet infrastructure.

Cluster groups logically. Deployment is more efficient if several logical groups are created that match the schema of the overall enterprise. One group might contain servers that host standard business applications, another group can host engineering applications, and so on.

Network Setup Recommendations

The network setup recommendations for MetaFrame XP Feature Release 2 all apply to Installation Manager. The more efficient and capable the network, the quicker and easier applications are to install. The use of switches, high-speed backbones, and high-speed disk drives greatly enhances the ability of Installation Manager to install applications to large server farms efficiently.

WAN Recommendations

Do not install applications to target servers across a WAN. The amount of bandwidth and time required to install an application over a WAN can congest the network for extended periods of time, which can result in networking timeouts. To avoid this situation, take the following steps:

• Create a new application package at the remote site where the application is to be deployed

• If there is more than one remote target server, copy the package and the associated installation files over the WAN once, then deploy it on that segment

Application Deployment Recommendations

This section contains issues you should consider when using Installation Manager in conjunction with MetaFrame XP Feature Release 2 to deploy applications.

Package Server

Use the package server when recording application installations. The following package server recommendations help ensure a clean package file:

• Keep the package server as similar in configuration (both hardware and software) as possible to the target server.

• Make the package server as “clean” as possible. Roll back previously installed applications before recording. For additional information, see Getting Started with Citrix Installation Manager.

• Do not run other applications while an image is recording.

• Do not package applications through an ICA session.

Deployment Server

The deployment server is the server where the package and installation files reside. All target servers communicate with this server to get the files and information required to install the application. The following recommendations offer helpful information about deploying packages:

• Put the deployment server on a server grade machine. Each target server requests the same file set from the deployment server. The load on the deployment server can be high. The deployment server must be capable of handling the combined load of the servers connecting and requesting information simultaneously in a deployment group.

• Put the deployment server on a 100Mbps switched Ethernet port. Running the deployment server in a shared collision domain increases latency. Connections can be refused due to time-out or server overload. This problem increases on a busy network and when many servers are targeted for a single installation.

Network Share Account

The network share account allows the target server to have access rights to the network share point where the package is located.

► To set up a network share account

1. Right-click the Citrix Installation Manager node in the Citrix Management Console and choose Properties.

2. Type the domain account and password that will be used to access network shares.

When running an unattended or silent installation, the network share account must have administrator privileges on the target server.

Important Installation Manager supports only Windows domain authentication models; it does not support workgroups.

Package Group Deployment

Package groups are used to deploy multiple packages to the same target server or server groups in one schedule. Consider the following points when deploying package groups:

• To simplify deployment, create package groups from similar packages.

• After the package groups are deployed, do not make changes such as adding packages to or deleting packages from the package group. Making changes to the package group may result in uninstall errors. If you need to deploy new packages, create a new package group and then deploy it.

• If changes are made to a deployed package group, the Job status tab of the Job Properties window does not report installation status for the deleted or newly added package.

• After scheduling an installation of a package group, do not make changes to the package group contents, because it may result in temporarily inaccurate job result information. Refresh the Citrix Management Console to correct this behavior.

Job Scheduling and Staggered Installations

The following recommendations can lower bandwidth consumption, allowing the farm to function without a loss of performance.

• Schedule the installation of packages during times of low network usage

• Avoid installations during scheduled server backups or restorations

Important While an application is being deployed to a server, all ICA connections are terminated until the installation is completed.

Installation Manager with Feature Release 2 supports staggered installations of package groups. Installation window options and multiple dates can be used for package groups to schedule the installation job during a certain time period within specific days. Consider the following recommendations when staggering installations:

• Schedule the installation window during times of low network usage.

• Select multiple dates if the installation of the packages in a package group requires multiple dates for installation. The packages that haven’t been installed will begin installation in the same installation window on the selected dates.

Important A staggered installation of a single package is not supported.

User Specified Reboot

Three options affect how the server restarts when packages are deployed:

• Do not reboot servers if any user sessions are open. If you set this option before deploying packages, the target server will not restart if a user connection to the target server is detected even though the package deployment requires a restart. To finish the deployment, the target server must be restarted manually after the user logs off. This can be overridden if you set the “Force reboot after job” option (see below) during the scheduling of the installation of a package.

• Delay reboot until the end of job. If you deploy a package group and one or more of the applications require a restart at the end of the deployment, you can set the “Delay reboot until the end of Job” option when you schedule the installation. This postpones the restart until the end of the entire package group deployment.

• Force reboot after job. If you set this option, the server restarts after the package is deployed. Any active user sessions receive a message from the server asking them to log off. The messages are sent at five minute intervals for 15 minutes, and then the server restarts. Any active sessions are terminated.

Recording Applications During Installation

Installation Manager Packager monitors the changes that occur on the packaging server when an application is installed, records the changes as installation commands in a script, and then packages all application files so you can deploy the package on target servers. Read the list below for guidance about recording applications:

• Installation Manager Packager cannot resume package recording if the server is restarted while you are installing an application.

• When recording an application that prompts the user for a restart, cancel the restart and stop the recording on the Packager.

• Installation Manager Packager cannot record an application that forces a restart that cannot be canceled by the user.

• Installation Manager Packager cannot record an application that requires multiple server restarts during installation (see next point).

• If an application has an unattended installation program, the Packager creates a package from the unattended installation program only. The Packager will not record the actual installation. When using the Packager to package the application, choose the Add Unattended Program option to package an unattended install program and any other necessary files. This method allows applications that require one or more restarts during installation to be packaged using Installation Manager.

Citrix Resource Manager

Resource Manager is a component of MetaFrame XPe and is not available in MetaFrame XPa or MetaFrame XPs. This section includes information about Resource Manager and discusses topics including the local Resource Manager Database, the Farm Metric Server, and the Summary Database.

The version of Resource Manager included with Feature Release 2/Service Pack 2 is improved in the areas of performance, usability, stability, and scalability. Resource Manager now includes the Summary Database, which allows you to store historical data on metrics and servers and produce reports on the stored data.

Resource Manager Database and Metric Server

Resource Manager stores all of its configurations, settings, thresholds, and metrics in the data store and in the local host cache. Resource Manager contains a local Resource Manager database and a Farm Metric Server. Feature Release 2 introduces a Database Connection Server that is used with Summary Database.

Local Resource Manager Database

Each MetaFrame server with Resource Manager installed has a local database in which it stores the individual server’s metric information. It is important to note the following:

• The local Resource Manager database is a Microsoft Access Jet Database called RMLocalDatabase.mdb that is in %ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB

• The local Resource Manager database is accessed when creating real-time graphs, displaying system snapshots, running reports on that specific server, and writing server metrics

• The local Resource Manager database holds metric values and application information for the previous 96 hours

• This database is compacted when the IMA service is started and once a day while the IMA service is running

Farm Metric Server

The Farm Metric Server is used for application and server monitoring. The Farm Metric Server gathers its information from the data collector. Because the Farm Metric Server accesses the data collector every 15 seconds, configuring data collectors to also perform the role of the Farm Metric Server and the backup Farm Metric Server can improve performance. The Farm Metric Server may also perform the role of the Database Connection Server.

Although Resource Manager can track any Performance Monitor counter as a server metric, Citrix recommends you limit the total number of metrics tracked on a server to fewer than 50.

Important In a farm that contains servers running various MetaFrame XP feature release levels, the primary Farm Metric Server must be running Feature Release 2 or you will encounter errors with the Summary Database.

Alerts

Resource Manager can send alerts to users or groups of users. The following list offers tips for using alerts:

• If your email service does not send alerts, the Citrix administrator should delete and recreate the MAPI profile. The administrator should also verify that the mail client being used (for example, Microsoft Outlook) is the default mail client for the server.

• To enable Resource Manager to send SNMP traps for application alerts, SNMP must be set up on the primary and backup Farm Metric Servers.

Summary Database

The Summary Database is used for storing historical data from servers in the farm. Citrix administrators can produce reports, such as billing, based on the stored data. The reports can use several criteria, such as CPU usage or application usage. Consider the following when using the Summary Database:

• Each farm that requires the Summary Database must have a Database Connection Server (DCS), which writes the metric information from other farm servers to the Summary Database.

• The connection between the DCS and the database where the metric information is stored is defined by a system Data Source Name (DSN) called RMSummaryDatabase.

• Data is stored on each server in summary files. Summary files are updated whenever a session or process terminates, whenever an event occurs, and once an hour for metrics.

• Each Resource Manager server in the farm caches its own summary data locally for 24 hours and then transmits it to the Database Connection Server at a configurable time of day, preferably at off-peak hours.

• Reports on data in the Summary Database can be generated by the Citrix Management Console in a manner similar to those available for the local database for each server.

Tip Report templates for use with Crystal Reports software are available from the Citrix Web site at http://www.citrix.com.

Tip By default, metrics are stored in the Summary Database. You can change this on the Threshold Configuration screen. You can also specify the time of day or week that metrics are recorded in the Summary Database on a per server basis.

The following table shows the database products and client versions with which the Summary Database was tested:

DBMS Version    Client Version    ODBC Driver Version

SQL Server 2000    MDAC Version
MDAC 2.5 SP2    2.52.6019.2    3.70.09.61
MDAC 2.7 SP2    2.70.7713.4    2000.81.7713

SQL Server 7
MDAC 2.5 SP2    2.52.6019.2    3.70.09.61
MDAC 2.7 SP2    2.70.7713.4    2000.81.7713

Oracle    Net8 Client Version
7.3.4    7.3.4    Hotfix RME102W003 is required for Oracle 7.3.4 support. This hotfix is not compatible with Oracle 8, 8i, or 9i.
8.0.6 8.0.6
8.0.6 8.0.6 8.1.6 8.1.6
8(8i) 8.1.6 8.1.6 8.1.6
8.1.7 8.1.7 8.01.07.00
9i 9.0.1.1.1 9.0.1.1.1 9.0.1.1.1

The data store and the Summary Database can reside on different platforms and database servers.

IBM DB2 is not supported for use as the Summary Database.

Data Purging

The Summary Database allows Citrix administrators to control how long data is stored by purging the database at set periods. You can also turn off purging, in which case all data is kept for an indefinite period.

Citrix Network Manager

Network Manager is a component of MetaFrame XPe and is not available in MetaFrame XPa or MetaFrame XPs. Below are some known issues with Network Manager.

• In Tivoli NetView, the server icon is sometimes green, while the subsystem icons are light blue. In this case, highlight the green server icon and perform a status update to update the status of the subsystem icons. This is a Tivoli NetView IP map issue that occurs when NetView is left running over long periods of time.

• When using Tivoli NetView, if the Trapd.exe process is killed while the Metadis.exe and Metalan.exe services are running, each service acquires 50% CPU utilization. The services do not return to normal CPU levels until Trapd.exe is restarted. This is a known issue with Tivoli NetView.

• In HP Network Node Manager, a link-down status is represented by a blue icon. This occurs only if the server cannot be contacted by the console when the status update is performed. In Tivoli NetView, a link-down status is displayed in red.

• When Network Manager is uninstalled from one of the SNMP management consoles, by default the Network Manager icons stay in the IP map until they are deleted and the nodes are rediscovered.

Network Manager SNMP Agent Issues

The following are known issues and recommendations for the SNMP Agent:

• Microsoft SNMP does not function properly if installed on top of Windows NT 4.0 with Service Pack 6 or Windows NT 4.0 Terminal Services Edition with Service Pack 6. Action: Reinstall Service Pack 6 after installing the SNMP service.

• In Windows 2000, the default security setting for the SNMP service is read only. In Windows NT, TSE, it is read/write. Network administrators cannot perform SET operations (logoff, disconnect, send message, and terminate process) or restart and shut down servers from Network Manager consoles unless the security setting is read/create. Action: Change security to read-create.

• Microsoft has released security bulletins for SNMP security risks. Apply the following bulletins to all MetaFrame servers and Citrix Management Console instances:

• MS00-095: Windows NT 4.0

• MS00-096: Windows 2000

• MS02-006: Windows NT4, TSE, Windows 2000, and Windows XP

Tip Enable or disable the SNMP Agent when farm activity is low.
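A check for the community rights discussed above, as an added example that is not part of the Citrix guide: it parses a text export of the Windows SNMP service's Parameters registry key and reports communities that accept SET operations under a widely known name or from any host. The ValidCommunities rights values and the PermittedManagers subkey are the standard Windows SNMP service registry layout; the community name ctx-nm, the manager address, and both sample exports are constructed.

```python
import re

# Rights values the Windows SNMP service stores for each community name.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
WRITE_CAPABLE = {8, 16}               # rights under which the agent accepts SET
WELL_KNOWN = {"public", "private"}    # widely known default community names
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"

# Constructed sample: a server changed to read/create for Network Manager
# without restricting community names or the hosts allowed to send requests.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004
"private"=dword:00000010
"ctx-nm"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
'''

# Constructed sample: SET limited to one non-default community and one manager.
HARDENED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004
"ctx-nm"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"1"="10.0.0.5"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {KEY PATH (upper case): {value name: int or str}} from .reg text.

    The caller decodes the file first (regedit 5.00 exports are UTF-16).
    Only dword and string values are kept; other types are ignored.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1).upper(), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            name = value.group(1).replace('\\"', '"').replace('\\\\', '\\')
            data = value.group(2)
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                current[name] = data[1:-1]
    return keys


def audit_snmp(text):
    """Return (community, rights, finding code) tuples for risky settings."""
    keys = parse_reg_export(text)
    communities = keys.get((BASE + r"\ValidCommunities").upper(), {})
    managers = [v for v in keys.get((BASE + r"\PermittedManagers").upper(), {}).values()
                if isinstance(v, str) and v]
    findings = []
    for name, rights in sorted(communities.items()):
        if not isinstance(rights, int) or rights not in WRITE_CAPABLE:
            continue  # read-only, notify and none cannot perform SET operations
        label = RIGHTS[rights]
        if name.lower() in WELL_KNOWN:
            findings.append((name, label, "WELL_KNOWN_NAME_CAN_SET"))
        if not managers:
            # No PermittedManagers values: the agent accepts packets from any host.
            findings.append((name, label, "SET_FROM_ANY_HOST"))
    return findings


if __name__ == "__main__":
    for title, export in (("sample", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(title)
        for community, rights, code in audit_snmp(export) or [("-", "-", "no findings")]:
            print("  %-8s %-12s %s" % (community, rights, code))
```

Because read/create lets a Network Manager console log off users, terminate processes, and restart servers, any finding here identifies a community that can do the same.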

User Policies Best Practices

User policies allow you to apply selected MetaFrame settings, including shadowing permission settings, printer autocreation settings, and client device mapping settings, to specific users or user groups. Using policies, you can tailor your environment at the user level. User policy settings override all other MetaFrame XP and Terminal Services settings.

The following list contains tips and troubleshooting guidelines for working with user policies in MetaFrame XP Feature Release 2:

• Assign user policies to user groups rather than individual users. If you assign user policies to user groups, assignments are updated automatically when you add or remove users from the group.

• Disable unused policies. Policies with all the rules set to Not Configured create unnecessary processing.

• Avoid conflicting settings in Citrix Connection Configuration or in the farm-wide settings of the Citrix Management Console. Several policy rules can also be set in Citrix Connection Configuration, and/or the farm-wide settings in the Citrix Management Console. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.

• Use the Search feature to see which policy rules are being applied to users or user groups.

• Use the drag and drop feature of user policies to quickly assign the correct priority to a user policy.

User-to-User Shadowing Best Practices

Users can shadow other users without requiring administrator rights. Multiple users from different locations can view presentations and training sessions, allowing one-to-many, many-to-one, and many-to-many online collaboration. The following list comprises recommendations for working with user-to-user shadowing:

• Do not assume that members of the administrators group have shadow rights by default. Although local administrators may have shadowing rights enabled in Citrix Connection Configuration, they cannot shadow users who have been assigned to the policy by default. You must add the members of the local administrators group to the list of people with shadow rights in the user policy.

• Although in general user policies take precedence over settings configured in other MetaFrame utilities, shadowing is an exception. If shadowing is disabled during MetaFrame XP Setup or disabled in Citrix Connection Configuration for a particular connection, user policies with shadowing enabled have no effect.

Delegated Administration Tips

To allow a Citrix administrator to shadow using the Citrix Management Console, enable the following permissions at a minimum:

• Citrix Administrators

    • Log on to the Citrix Management Console

• Servers

    • View Server Information

• Sessions

    • View Session Management

CHAPTER 12

Optimizing the Performance of MetaFrame XP

This chapter suggests optimizations that can increase the performance of MetaFrame XP, Feature Release 2 and Windows 2000. Many of the recommendations are from Microsoft Knowledge Base articles accessible from the Microsoft Web site at http://support.microsoft.com. For additional information regarding server and operating system configurations, see “Recommended Server Configuration” on page 13.

Client Optimizations

Improving Connectivity over Inconsistent WAN Links

This section includes information about decreasing the number of disconnected TCP/IP sessions when clients connect over the Internet or any other WAN link with inconsistent bandwidth.

If the quality of a WAN link dramatically decreases after a user connects to a MetaFrame XP server, the connection can be dropped. Users experiencing this problem receive the following error message:

“Error in Connection: the Citrix server is no longer available.”

By default, the TCP/IP protocol uses the initial packet round-trip time at the moment when the session is initiated to determine what is “normal” for that connection. Because of this, it is better to have a consistently slow WAN connection than to have a connection that starts out fast and then becomes slow. Such an erosion of connection speed is common when connecting through an Internet Service Provider (ISP), particularly when the connection is opened in the morning and maintained throughout the day.

To accommodate this erosion of bandwidth, add the TcpMaxDataRetransmissions value under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

Value: TcpMaxDataRetransmissions (REG_DWORD): 10

► To add the TcpMaxDataRetransmissions value when it does not exist

1. Highlight PARAMETERS. From the Edit menu, choose Add Value.

2. Type TcpMaxDataRetransmissions in the Value Name box.

3. Select REG_DWORD in the Data Type box. Click OK.

4. Select Decimal from the radix options.

5. Type 10 in the Data box. Click OK.

Retransmission Behavior

TCP starts a retransmission timer when each outbound segment is handed down to IP. If no acknowledgment is received for the data in a given segment before the timer expires, the segment is retransmitted up to the TcpMaxDataRetransmissions number of times. The default value for this parameter is five.

The retransmission timer is initialized to three seconds when a TCP connection is established; however, it is adjusted dynamically to match the characteristics of the connection using Smoothed Round Trip Time (SRTT) calculations as described in RFC 793. The timer for a given segment is doubled after each retransmission of that segment.

Using this algorithm, TCP tunes itself to the normal delay of a connection. Because the default number of retries is five, the round-trip time can double four times (in other words, it can become 16 times slower than its initial value) before the session is dropped. By increasing this number to 10, you allow the round-trip time to double nine times instead of four, which allows the connection quality to erode up to 512 times its original value before being dropped. For example, a connection that begins with a round-trip time of 20 milliseconds has to erode to a round-trip time of 10,240 milliseconds before being dropped by the server.

If possible, make this registry change on the client device as well. More information is available in Microsoft TechNet Articles Q120642 and Q17035 available at http://support.microsoft.com.

Selecting Non-Standard TCP Packet Sizes

By default, ICA sessions connecting over TCP use maximum sized TCP packets (up to 1460 bytes of data) for the transmission of large amounts of data. However, there are a small number of network types, usually particular wireless or satellite-based networks, where better performance can be achieved by using smaller maximum sized packets.

For MetaFrame XP, Feature Release 2, you can override the normal maximum size (1460) on a server by setting the following registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\Wds\icawd\MaxICAPacketLength

If required, define the entry as a DWORD parameter (for example, 1000). Restart the server for this registry value to take effect.

If the entry is undefined, has a value of zero, or a value greater than 1460, it will have no effect. But other values will cause the server and its clients to use a smaller maximum length for all packets sent after connection time.

CAUTION Setting this registry value to enforce a lower maximum will have a significant negative effect on performance on all normal networks and it should, therefore, be used only in special situations.

Disk Optimizations

Several registry settings can be modified to increase disk performance and throughput. This section describes enhancements such as increasing I/O locks and disabling last file access updates.

I/O Locks

The registry setting IoPageLockLimit specifies the limit of the number of bytes that can be locked for I/O operations. Because RAM is being sacrificed for increased disk performance, determine the optimal setting for this value through pilot tests. Changing this setting from the default can speed up file system activity. Use the table below as a guide for changing the registry setting.

Modify the registry setting as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Value: IoPageLockLimit (REG_DWORD): 0 (512 KB is used)

Server RAM (MB)    IoPageLockLimit (decimal)    IoPageLockLimit (hex)
64–128             4096                         1000
256                8192                         2000
512                16384                        4000
1024+              65536                        10000

For additional information about the IoPageLockLimit registry setting, see Microsoft Knowledge Base articles Q121965 and Q102985 at http://support.microsoft.com.

Last Access Update

The NTFS file system stores the last time a file is accessed, whether it is viewed in a directory listing, searched, or opened. In a multiuser environment, this updating can cause a small performance decrease. To disable this feature, modify the following registry setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Value: NtfsDisableLastAccessUpdate (REG_DWORD): 1

Memory Optimizations

This section describes configurations for a direct-mapped level 2 (L2) cache, the system paging file, and system page table entries.

Level 2 Cache

For processors that use a direct-mapped L2 cache, configuring the value manually can yield a performance improvement. A direct-mapped L2 cache does not provide performance gains on Pentium II and later processors. For more information, see Microsoft Knowledge Base support articles Q228766 and Q183063. Use the following registry setting to modify a direct-mapped L2 cache:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Value: SecondLevelDataCache (REG_DWORD): x

where x is the L2 size in decimal (default: 0, which sets the cache to 256KB)

Example: If the CPU has a 512KB cache, set the entry to 512 (in decimal).

Paging File

The paging file is temporary storage used by the operating system to hold program data that does not fit into the physical RAM of the server. The ratio of physical memory to paged memory is the most important factor when determining the size of a paging file. When configuring the paging file, follow these guidelines:

• A proper balance between physical memory and paged memory prevents thrashing. Verify that more memory is in physical RAM than paged to disk. For optimal performance, this ratio should be approximately 3:1.

• Place the paging file on its own disk controller or on a partition that is separate from the operating system, application, and user data files. If the paging file must share a partition or disk, place it on the partition or disk with the least amount of activity.

• To prevent disk fragmentation of the paging file, always set the paging file initial size to be the same as the maximum size.

• The optimal size of a paging file is best determined by monitoring the server under a peak load. Set the paging file to be three to five times the size of the physical RAM and then stress the server while observing the size of the paging file. To conserve resources, set the paging file to a value slightly larger than the maximum utilized while under stress.

• If the server is short on physical RAM, use the paging file to provide additional memory at the expense of performance.

Note For debugging purposes, create a paging file on the root partition that is slightly larger than the amount of RAM installed.

Page Table Entries

You can improve single-server scalability (number of users on a server) by manually adjusting the page table entries (PTE) in the registry. The Windows NT kernel uses PTE values to allocate physical RAM between two pools of memory. By manually setting the maximum space allocated to the system PTE, the remaining space can be used to increase the number of users supported on the server.

Determining the optimal configuration for PTE values is a complex task. For detailed information, see the Microsoft Knowledge Base article Q247904. A Kernel Tuning Assistant for Windows 2000 server is also available from Microsoft.

Network Optimizations

Some simple changes to network settings can often improve network performance. This section covers a few common issues you can remedy by adjusting the default Windows NT network configuration.

Network Cards

Most 10/100-based network cards auto-sense the network speed by default. Manually setting these cards prevents the auto-sensing process from interfering with communication and forces the desired speed. If the server is connected to an auto-sensing device, apply these settings to this device as well.

Verify that only the necessary protocols are installed, and that the binding order of those protocols to the network interface card lists the most commonly used protocol first.

Network Request Buffer

If working in a mixed Windows 2000 and TSE environment, you can gain additional performance by modifying the network request buffer size on the TSE servers. Increasing this value to 65,536 bytes from the default of 4,356 bytes significantly improves LAN Manager file writes. For more information, see Microsoft Knowledge Base article Q279282.

To modify the network request buffer size, make the following changes to the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Value: SizReqBuf (REG_DWORD): 65536

Range: 512 bytes to 65536 bytes

Refused Connections

The server can refuse connections due to self-imposed limits specified by the MaxMpxCt and MaxWorkItems registry values. If this happens, users see the following errors:

“System could not log you on because domain <domainname> is not available.”

“You do not have access to logon to this session.”

Before changing these values, read Microsoft Knowledge Base article Q232476. When modifying the following registry settings, be sure that the MaxWorkItems value is always four times the MaxMpxCt value. Suggested new values for MaxMpxCt and MaxWorkItems are 1024 and 4096 respectively.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Value: MaxMpxCt (REG_DWORD): 1024

Value: MaxWorkItems (REG_DWORD): 4096

TCP/IP and ICA KeepAlives

In networks that are subject to periodic intervals of high network latency, ICA Clients may time out when connected to a session. When users attempt to reconnect to a dropped session, they receive a new session instead of being reconnected to their previous session because the server is not aware that the previous session was dropped.

You can remedy this problem by enabling TCPKeepAlives for ICA sessions that are connected through TCP. Modification of the TCPKeepAlive parameter helps the host server become aware sooner of any sessions dropped due to network problems. For more information about TCP parameters, see Microsoft Knowledge Base article Q120642.

Make the following registry changes to the TCP stack to tune the server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value: KeepAliveTime (REG_DWORD): 0000ea60

Value: KeepAliveInterval (REG_DWORD): 000003e8

Important Aggressive parameters may cause TCP/IP-based communications to time out prematurely. Adjust these parameters as necessary to prevent this behavior.

MetaFrame also has an ICAKeepAlive packet which is not protocol-specific. To configure ICAKeepAlives, edit the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix

Value: ICAEnableKeepAlive (REG_DWORD): 1 (0 is default, Off)

Value: KeepAliveInterval (REG_DWORD): <number of seconds> (default is 60 seconds)

Important Enabling KeepAlives may keep demand-dial links up in a WAN environment.

For more information about configuring TCP and ICA KeepAlive values, see the Citrix Knowledge Base article CTX708444 at http://www.citrix.com.
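The registry values from the retransmission, packet size, refused connections and KeepAlive sections can be checked together. The following Python is an added example, not part of the Citrix guide: it parses the text of a registry export and tests each value against the rules stated on this page, including the round-trip erosion tolerance derived under Retransmission Behavior. The sample export, the finding codes and the function names are constructed for illustration.

```python
import re

# Registry paths exactly as printed on this page.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
ICAWD = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\Wds\icawd"

# Constructed sample export with invented values (not taken from a real server).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpMaxDataRetransmissions"=dword:0000000a
"KeepAliveTime"=dword:0000ea60
"KeepAliveInterval"=dword:000003e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"MaxMpxCt"=dword:00000400
"MaxWorkItems"=dword:00000800

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\Wds\icawd]
"MaxICAPacketLength"=dword:000007d0
'''

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text):
    """Map (key path, value name), both lower-cased, to the DWORD as an int."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).lower()   # registry names are case-insensitive
            continue
        dword = DWORD.match(line)
        if dword and key:
            values[(key, dword.group(1).lower())] = int(dword.group(2), 16)
    return values


def erosion_factor(retransmissions):
    """Page's model: n retransmissions let the round-trip time double n-1 times."""
    return 2 ** max(retransmissions - 1, 0)


def audit(text):
    """Return (code, message) findings for the settings described on this page."""
    values = parse_reg_dwords(text)

    def get(key, name):
        return values.get((key.lower(), name.lower()))

    findings = []

    retx = get(TCPIP, "TcpMaxDataRetransmissions")
    retx = 5 if retx is None else retx        # the page gives five as the default
    findings.append(("RETX_TOLERANCE",
                     f"{retx} retransmissions: round-trip time can erode "
                     f"{erosion_factor(retx)}x before the session is dropped"))

    # Values the page suggests; Windows reads both as milliseconds.
    for name, suggested in (("KeepAliveTime", 0xEA60), ("KeepAliveInterval", 0x3E8)):
        current = get(TCPIP, name)
        if current is None:
            findings.append(("KEEPALIVE_UNSET", f"{name} is not set"))
        elif current != suggested:
            findings.append(("KEEPALIVE_DIFFERS",
                             f"{name}={current} ms, page suggests {suggested} ms"))

    # The page requires MaxWorkItems to be four times MaxMpxCt.
    mpx, work = get(LANMAN, "MaxMpxCt"), get(LANMAN, "MaxWorkItems")
    if (mpx is None) != (work is None):
        findings.append(("WORKITEMS_PARTIAL", "only one of MaxMpxCt/MaxWorkItems is set"))
    elif mpx is not None and work != 4 * mpx:
        findings.append(("WORKITEMS_RATIO",
                         f"MaxWorkItems={work}, expected 4 x MaxMpxCt = {4 * mpx}"))

    # Undefined, zero, or above 1460 has no effect according to the page.
    packet = get(ICAWD, "MaxICAPacketLength")
    if packet is None or packet == 0 or packet > 1460:
        findings.append(("ICA_PACKET_IGNORED",
                         "MaxICAPacketLength is undefined, zero or above 1460: no effect"))
    else:
        findings.append(("ICA_PACKET_REDUCED",
                         f"ICA packets limited to {packet} bytes after connection time"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_EXPORT):
        print(f"{code}: {message}")
```

Exports written by Regedit in the version 5.00 format are normally UTF-16, so decode the file before passing its text to audit().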

Server Optimizations

This section describes ways in which correctly configuring Windows services and applications for use in a multiuser environment improves performance and prevents system problems.

Application Performance

In some instances, modifying the Windows application performance setting can provide an additional performance boost. Disabling the default preference given to applications running locally can provide other users with improved performance.

► To change the application performance setting on TSE

Note Information about Windows NT, Terminal Services Edition is provided throughout this section for backward compatibility with MetaFrame XP, Feature Release 1.

1. From Control Panel, double-click System.

2. Click the Performance tab.

3. Move the Application Performance slider to None and click OK to save the new setting.

► To change the application performance setting on Windows 2000

1. From Control Panel, double-click System.

2. Click the Advanced tab.

3. Click Performance Options.

4. Click Background Services and click OK to save the new setting. You must restart the computer to apply the setting.

Auto-End Tasks

If an application does not properly exit, either when closed or upon server shutdown, the operating system can terminate the application using Auto-End Tasks. Auto-End Tasks terminates any task that does not respond to a shutdown notice within the default time-out period.

Enabling Auto-End Tasks affects all applications on the server and can cause issues with some applications that require a shutdown time period that is longer than the default time-out period. Therefore, the default time-out period must be greater than the time required for the longest successful shutdown for any server application. To enable Auto-End Tasks and set the default time-out period, modify the following registry settings:

HKEY_USERS\.DEFAULT\Control Panel\Desktop

Value: AutoEndTasks (REG_SZ): 1

Value: WaitToKillAppTimeout (REG_SZ): x

where x is the interval in milliseconds (default is 20000)

For more information, see Microsoft Knowledge Base articles Q123058 and Q191805.

System Hard Error Messages

Messages generated by system hard errors appear on the server console. If left unanswered on an unattended console, messages can cause ICA sessions to hang. You can configure system hard errors to create an entry in the System log instead of displaying a message on the console.

Disabling the display of messages to the console decreases the likelihood of hung ICA sessions, but increases the need to monitor the event log for these types of errors. For more information, see Microsoft Knowledge Base articles Q124873 and Q229012.

The following registry change disables system hard error messages on the console:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows

Value: ErrorMode (REG_DWORD): 00000002

Dr. Watson

If you are using Dr. Watson, run the Dr. Watson Application Compatibility script to prevent stability problems. Citrix recommends that you disable the Visual Notification option available on the main screen of Drwtsn32.exe.

You can disable Dr. Watson completely by clearing the following registry key value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

Value: Debugger (REG_SZ): (blank)

You can restore Dr. Watson as the default debugger by executing drwtsn32.exe -i.

Configuring the Event Log

Change the default event log configuration to prevent log files from running out of space, which generates errors.

► To change event log settings on TSE

1. Launch Event Viewer.

2. Choose Log > Log Settings.

3. Choose System in the Change settings for box.

4. Set the Maximum Log Size to at least 1024KB.

5. Choose Overwrite events as needed.

6. Choose Application in the Change settings for box and repeat Steps 4 and 5.

7. Click OK to save the settings.

► To change event log settings on Windows 2000 Server

1. Launch Event Viewer.

2. Right-click System Log and choose Properties.

3. Set the Maximum Log Size to at least 1024KB.

4. Choose Overwrite events as needed.

5. Click OK to save the settings.

6. Repeat Steps 3–5 for the Application Log.

Configuring Print Job Logging

By default, each print job logs two informational messages to the System log. On MetaFrame servers with many users, this feature generates numerous events and fills up the log faster. If you do not require these messages, you can disable them by changing the following registry setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers

Value: EventLog (REG_DWORD): 0

Removing the EventLog value from the registry and restarting the server re-enables the logging of all print events.

Remote Procedure Call (RPC) Services

When opening RPC-aware applications such as Windows Explorer and Control Panel, delays of several minutes can result from incorrect service startup settings. Verify that the RPC service Startup type is set to Automatic and the RPC Locator service Startup type is set to Manual.

Server Service

Configure the Server service to represent the server role more appropriately. The performance boost realized from this server optimization setting depends on the function of the server.

For example, if the server has available RAM, select Maximize Throughput for Network Applications. Otherwise, select Minimize Memory Used.

► To configure the Server service on TSE servers

1. From Control Panel, double-click Network.

2. Click the Services tab.

3. Click the Server service.

4. Click Properties.

► To configure the Server service on Windows 2000 servers

1. From Control Panel, double-click Network and Dial-up Connections.

2. Right-click Local Area Connection and choose Properties from the Context menu.

3. Choose File and Printer Sharing for Microsoft Networks.

4. Click Properties.

For more information, see Microsoft Knowledge Base article Q154075.

User Settings Optimizations

This section describes how correctly setting up users can provide additional performance gains. Where possible, modify the Default User profile to include the recommendations listed below.

Tip When making changes to the Default User profile, restarting the server might be necessary before the changes take effect because the Ntuser.dat file is in use and unavailable to new users.

Windows NT Policies

Use system and group policies where possible, especially in an Active Directory environment. For more information about configuring policies, see Microsoft Knowledge Base articles Q161334 and Q260370.

Profiles

Users require an initial setup when logging on for the first time. This setup time is minimized by the use of roaming profiles. For more information about configuring roaming profiles, see Microsoft Knowledge Base articles Q142682 and Q154120.

When you set up roaming profiles:

• Configure a dedicated server to host the profiles. If it is not possible to place the profiles on a dedicated server, place them on an isolated disk or partition.

• When using a server or drive dedicated to profiles and temp files, change the users’ profile and temp directories to point to the dedicated location.

Cached Profiles

You can disable locally cached profiles by changing the access of the following registry key and all subkeys to Read access only for everyone except SYSTEM (which should have Full Control):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Menu Refresh

You can change the menu refresh rate to expedite menu response time by modifying the following registry key:

HKEY_USERS\.DEFAULT\Control Panel\Desktop

Value: MenuShowDelay (REG_SZ): 10

Removing Unnecessary Features

To conserve ICA bandwidth, remove any unnecessary drive mappings, printers, or ports. Unless any of the following features are needed for specific applications, disable them:

• Active Desktop (on Windows 2000, disable it through Terminal Services Configuration)

• Desktop Wallpaper (In addition, remove any .bmp files found in the %SystemRoot% directory to prevent users from selecting them.)

• Screen savers

• Microsoft Office FindFast

• Microsoft Office Assistants

Smooth Scrolling

Many applications have smooth scrolling or other features that increase the frequency of updates sent to the client workstation. If applications exhibit poor performance, disable these features to improve performance. Two common settings are in Microsoft Excel and Microsoft Internet Explorer:

• Microsoft Excel 97/2000

1. Choose Tools > Options.

2. Click the Edit tab.

3. Clear the Provide feedback with Animation check box.

• Microsoft Internet Explorer 5

1. Choose Tools > Internet Options.

2. Click the Advanced tab.

3. Clear the Use Smooth Scrolling check box in the Browsing section.

Tip While the server is in install mode (change user /install), changing application settings applies the changes to all future users. When finished, place the server back into execute mode (change user /execute).

Microsoft Internet Explorer Wizard

On the first launch of Microsoft Internet Explorer, the Internet Connection wizard requests the connection type. If you are using a LAN connection, you can bypass this dialog box by editing the default user’s registry settings as follows:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard

Value: Completed (REG_DWORD): 0x1

Explorer Tips

You can disable the tips that are displayed at server startup by modifying the following registry settings:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Tips

Value: DisplayInitialTipWindow (REG_DWORD): 0x0

Value: Next (REG_DWORD): 0x100

Value: ShowIE4 (REG_DWORD): 0x0

Value: Show (REG_DWORD): 0x0

CHAPTER 13

Utilities

This chapter describes the Citrix utilities included with MetaFrame XP that you can use for configuration, management, and troubleshooting. Use command-line utilities at the command prompt, in a batch file on the MetaFrame XP server, or in an ICA session.

This chapter explains how to use the following utilities:

DRIVEREMAP

DSVIEW

IMAPORT

MSGHOOK

QPRINTER

QUERYDC

QUERYDS

QUERYHR

SCCONFIG

DRIVEREMAP

Use the driveremap utility to change the MetaFrame XP server’s drive letters.

Previous releases of MetaFrame XP prompted you to change the server’s drive letters during MetaFrame installation. With the release of MetaFrame XP with Feature Release 2, however, you can run the driveremap utility as a separate executable. In previous releases of MetaFrame, the utility was named drvremap.exe.

After you run MetaFrame XP Setup, the driveremap utility is in c:\Program Files\Citrix\System32. If you upgrade to Feature Release 2 from MetaFrame XP or MetaFrame XP with Feature Release 1, the utility is placed in the %systemroot%\system32 directory.

Important If you are installing MetaFrame XP with Feature Release 2 on a server that is not running a previous version of MetaFrame, run the driveremap utility before you install MetaFrame XP with Feature Release 2. Citrix recommends that you do not change server drive letters after you install MetaFrame XP and any applications you want to publish for users to access.

Syntax

driveremap /?

driveremap /drive:M

driveremap /u

driveremap /noreboot

driveremap /IME

Options

The following parameters can be used with Driveremap.exe at a command line.

/? Displays a dialog box with the available command line options. The same dialog is displayed if there is incorrect usage of any of these parameters.

/drive:M Specifies the drive letter to use for the first remapped drive. The drive letter must be in upper case when using the version of this utility that ships with Feature Release 2.

/u Allows for an unattended or silent install where no dialog boxes are displayed and no user input is required. This option must be used in conjunction with the /drive: option.

/noreboot Suppresses the “Restart Computer” dialog box and does not restart the system. Citrix strongly recommends that you restart the system after running this utility.

/ime[filename] Changes the drive letter specified in Software\Microsoft\Windows\CurrentVersion\Ime\Japan\IMEJP\Dictionaries for all of the loaded hives under HKEY_USERS.

Remarks

With Feature Release 2, the driveremap utility has a user interface that allows you to select the drive letters you want to map. The user interface is available from the Autorun screen and when you run Driveremap.exe with no command line parameters.

The Driveremap.exe interface is displayed below.

Examples

The following command remaps the server’s drive letters. The first available drive is changed to M. The command uses the noreboot option, which suppresses the appearance of any dialog boxes.

driveremap /u /drive:M /noreboot

The following command changes the server’s drive letters back to the drive letters that start at C:, and then prompts you to restart the server.

driveremap /u /drive:M /drive:C

Known Issues

The following items are known issues you may encounter when running the driveremap utility.

• The drive letters must be in uppercase when using the version of this utility included on the MetaFrame XP CD in the Feature Release 2 media pack. A newer version of the driveremap utility that is not case-sensitive is available from Citrix Technical Support.

• If the server is a member of an Active Directory domain, running Driveremap.exe causes the server to hang if you use the version of this utility on the MetaFrame XP CD in the Feature Release 2 media pack. To work around this issue, you can move the server into a workgroup, remap the drives, and then rejoin the server to the Active Directory domain. A newer version of the driveremap utility that does not require the workaround is available from Citrix Technical Support.

• When running Driveremap.exe with no parameters, the drive letter choices in the drop-down list may be greyed out. This can occur if the server has non-contiguous drive letters, for example, C, D, X. The mapped drive letters are spread over the interval [a..z] and no reasonable interval shifting can be performed. Network drives are also taken into account.

  To work around this issue, change the drive letters to C:, D:, E: and then run the driveremap utility.

• At the command prompt, if you silently remap to a letter that is in use, nothing happens and you are returned to the prompt. Locate the server’s drive letters in Windows Explorer to verify that the drive letters are changed.

• MetaFrame XP server drive remapping is not supported on Windows 2000 Dynamic Disks.

• Installation of “turnkey” NFuse Classic may fail if upgrading a server with remapped drives. If you are upgrading to MetaFrame XP, Feature Release 2 from MetaFrame 1.8 for Windows 2000 and the server has remapped drives, the installation of NFuse Classic may fail. To fix the problem, you must update the server’s COM+ catalog. See article CTX240747 in the online Citrix Knowledge Base at http://www.citrix.com/support for more information.

• If you upgrade from MetaFrame 1.8 to MetaFrame XP on a server with changed server drive letters, the ICA Win32 Pass-Through Client is not updated. To avoid this issue, be sure the server is operating in install mode before running Setup. To update the Pass-Through Client, install the “standalone” version of the client, available from the MetaFrame XP Components CD. The Components CD is included in the Feature Release 2 media pack.

Security Restrictions

Only Citrix administrators can execute this command.


DSVIEW

Use this utility to view the contents of the data store and local host cache, and to look up ContextIds and UIDs. This utility includes a user interface, shown below.

Remarks

Dsview replaces IMATester, a utility documented in earlier editions of MetaFrame XP Advanced Concepts. It is located in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only local administrators can use dsview to view data.


IMAPORT

Use this utility to modify the TCP ports utilized by the Independent Management Architecture (IMA) service, for example, to use the TCP ports for communication within a farm whose servers are separated by firewalls. With imaport, you can change the TCP ports used by the IMA service to listen for incoming and outgoing data, using up to three different TCP ports. The following table shows the default TCP port values for each IMA function:

| TCP Port | Function | Direction |
|----------|----------|-----------|
| 2512 | Server-to-server farm communication. | Inbound |
| 2513 | Citrix Management Console to host server communication. | Inbound |
| 2512 | Indirect server to data store server (used only in indirect mode). | Outbound |

The IMA service uses ports 2512 and 2513 to listen for incoming IMA communication. Port 2512 is also used for outgoing IMA data by an indirect server to communicate with its direct server.

Important You must restart the IMA service after modifying TCP/IP ports with the imaport command.

Syntax

imaport /query

imaport /set [ ima:num | ds:num | cmc:num ]

imaport /reset [ ima | ds | cmc | all ]

Parameters

num

The port number to which to set the communications port.

Options

/query

Query current settings for IMA communication.


/set

Set the specified TCP/IP port(s) to the specified port number.

ima:num

Set the IMA communication port to the specified port number.

cmc:num

Set the Citrix Management Console connection port to the specified port number.

ds:num

Set the data store server port to the specified number (indirect servers only).

/reset

Reset the specified TCP/IP port to its default port number.

ima

Reset the IMA communication port to 2512.

cmc

Reset the Citrix Management Console connection port to 2513.

ds

Reset the data store server port to 2512 (indirect servers only).

all

Reset all ports to their defaults.

Remarks

Imaport modifies the TCP ports for the local server only. Every server can have IMA ports assigned to different TCP ports. Citrix recommends, though it is not necessary, that you assign the same TCP ports to every server. For server-to-server communication, each server finds every other server’s IMA TCP port by reading this information from the farm’s data store.

In the case of a farm with indirect communication, all indirect servers must have their IMA communication ports and DS communication ports set to the same port numbers as the server that hosts the data store for the farm.

Before reassigning ports for IMA service, use the netstat -a command to list TCP and UDP ports currently in use. Citrix recommends that you do not use ports that are in use by other applications or services. Imaport cannot detect if a port is in use by another application or service.

After changing the port number used for Citrix Management Console communication, you must set the TCP port that the Citrix Management Console uses for outbound communication to the same port number. To do this, run the following at a command prompt:

ctxload -port:num
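The Remarks above recommend listing the ports in use before reassigning IMA ports, because imaport cannot detect a port that another application or service already holds. The following Python script is an added example, not part of the Citrix utilities: it checks a planned imaport /set change against `netstat -an` output (the numeric form of the netstat -a listing). The sample listing is constructed, and the function names are hypothetical.

```python
import re

# Default IMA ports, taken from the table in this section.
IMA_DEFAULTS = {"ima": 2512, "cmc": 2513, "ds": 2512}

# Functions whose port is a local listener. Per the table, "ds" is outbound
# only (indirect server to data store server), so nothing binds it locally.
INBOUND = {"ima", "cmc"}

# Constructed sample of `netstat -an` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2512           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2513           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:2512          10.0.0.6:1047          ESTABLISHED
  TCP    10.0.0.5:1051          10.0.0.9:1433          ESTABLISHED
  UDP    0.0.0.0:1604           *:*
"""

# Proto, local address:port, foreign address, optional state (UDP has none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_port, state) for every connection row."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            proto, _addr, port, _remote, state = match.groups()
            rows.append((proto, int(port), state or ""))
    return rows


def tcp_ports_in_use(text):
    """Local TCP ports bound in any state (listening or connected)."""
    return {port for proto, port, _ in parse_netstat(text) if proto == "TCP"}


def check_port_plan(plan, netstat_text, current=None):
    """Return a list of problems with a planned port change.

    plan maps 'ima', 'cmc' or 'ds' to the new port number; current holds the
    ports the server uses now (defaults assumed when not given).
    """
    current = dict(current or IMA_DEFAULTS)
    in_use = tcp_ports_in_use(netstat_text)
    problems = []
    for func, port in sorted(plan.items()):
        if func not in current:
            problems.append(f"{func}: not an imaport function (use ima, cmc or ds)")
        elif not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{func}: {port!r} is not a valid TCP port (1-65535)")
        elif func in INBOUND and port != current[func] and port in in_use:
            # The function's own current port shows up as bound by the IMA
            # service itself, so only a change to a different bound port counts.
            problems.append(f"{func}: TCP port {port} is already bound on this server")
    return problems


if __name__ == "__main__":
    for plan in ({"ima": 2600, "cmc": 2601}, {"cmc": 3389}, {"ima": 70000}):
        print(plan, "->", check_port_plan(plan, SAMPLE_NETSTAT) or "no conflicts")
```

An empty result only means the port was free when netstat ran; the IMA service still has to be restarted for the change to take effect, as noted above.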


MSGHOOK

Use this utility to display all IMA traffic on a member server.

Syntax

msghook

Remarks

Execute msghook only if information is requested by a Citrix Technical Support representative or a Citrix engineer. When invoked, this command significantly reduces MetaFrame XP performance.

Msghook is not installed by default. The executable is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only Citrix administrators can execute this command.


QPRINTER

Use this utility to monitor the progress of the printer driver replication queue and to import printer name mapping parameters into the data store.

Syntax

qprinter [/replica]

qprinter [/imprmapping mappingfilename]

Parameters

mappingfilename

Specifies the full path to the text file containing the printer mapping parameters to import. The filename cannot have more than 256 characters and cannot contain quotation marks.

Options

/replica

Displays all the replication entries queued for distribution but not yet completed.

/imprmapping mappingfilename

Imports printer mappings from the file specified by mappingfilename into the data store. The file format can be in either the Wtsprnt.inf format or the Wtsuprn.txt format.

Remarks

The /replica switch displays all events in the queue, including broken or failed events.

The /imprmapping switch allows central administration of all printer name mappings. The file can be imported once from any server in the farm and is available for all servers in the farm.

The /imprmapping switch does not process an improperly formatted file and does not return an error when provided with an invalid file format. To verify the information is correctly imported into the data store, use the Citrix Management Console.

The MetaFrame XP installation first attempts to import the Wtsuprn.txt file, followed by the Wtsprnt.inf file. If the two files fail to import, no error is returned. Use the /imprmapping switch to manually import either file.


Qprinter is not installed by default. It is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only Citrix administrators can execute this command.


QUERYDC

Use this utility to determine the data collector for a given zone. Without any parameters, querydc defaults to the host server’s zone and returns the zone name and name of the current zone data collector.

Syntax

querydc [-a]

querydc [-e]

querydc [-z zonename]

querydc [-?]

Parameters

zonename

The name of the zone to be queried. Enclose multi-word zone names within quotation marks.

Options

-a

Displays all zones in the farm with the current zone data collector for each.

-e

Forces a new zone data collector election in the current zone.

-z zonename

Displays the current zone data collector for the zone specified by zonename.

-?

Displays the syntax for the utility and information about the utility’s options.

Remarks

Querydc uses the IMA service to contact the local zone data collector for the requested information. Therefore, the IMA service must be running for querydc to be successful.

Querydc is not installed by default. The executable is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

Only Citrix administrators can execute this command.


QUERYDS

Because all dynamic information is stored in tables in the data collector’s physical RAM, this command-line utility is provided to query the current information on the local zone data collector.

Syntax

queryds tables

queryds /table:tablename

queryds /query:querystring

(Query String is optional, but you must specify a tablename.)

Parameters

tablename

The name of the data collector table to query. Table names are case-sensitive.

Options

tables

Returns a complete list of all tables available to query.

/table:tablename

Outputs to the screen the entire contents of the table specified by tablename.

Remarks

You can use queryds to determine which servers are currently available in a farm. It retrieves all information from the tables stored on the local zone data collector. For example, the PN_Table contains information about all available servers that are accepting Program Neighborhood connections. To view the entire contents of the PN_Table, execute the following command:

queryds /table:PN_Table

The output when executed on a single-server farm looks similar to the following:

[PN_Table]: 1 records.

name:588f

host:XPSERVER1

zone:Zone1


Version:1

Tcp:enabled

Ipx:enabled

Netbios:disabled

In a farm with 100 servers, this command outputs 702 lines of data. Use the findstr and sort command-line utilities to filter and sort the output for easier reading.

Tip The findstr and sort commands are installed by default on both the TSE and Windows 2000 server families. For more information about using the findstr command to filter output, type findstr /? at a command prompt. For more information about the sort command, type sort /? at a command prompt.

The first entry shows the number of records in the PN_Table. This number also corresponds directly to the number of server records in the PN_Table. A server record does not exist in the PN_Table unless the server’s IMA service is started and the server is accepting Program Neighborhood connections. Thus, you can use the following command to determine how many servers in the farm are online:

queryds /table:PN_Table | findstr /r PN_Table

The command shown below filters output using the word “host” (which prefaces each host name in the table) and displays an alphabetized list of all the servers currently online:

queryds /table:PN_Table | findstr /r host | sort

Using queryds in this manner provides a fast, customizable method to query any data collector table.
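The findstr filters above match a substring anywhere in a line. The following Python script is an added example, not a Citrix tool: it parses queryds /table:PN_Table output into records by field name, checks the record count in the header, and reports which expected servers are missing from the table. The two-record sample is constructed; the page shows only a one-record table, so the layout of additional records (each starting at a name: line) and the function names are assumptions.

```python
import re

# Constructed sample. The page shows a single record; the second record and
# the assumption that records simply follow one another are not from the page.
SAMPLE_OUTPUT = """\
[PN_Table]: 2 records.

name:588f
host:XPSERVER1
zone:Zone1
Version:1
Tcp:enabled
Ipx:enabled
Netbios:disabled
name:6a02
host:XPSERVER2
zone:GhostZone
Version:1
Tcp:enabled
Ipx:disabled
Netbios:disabled
"""

HEADER_RE = re.compile(r"^\[(?P<table>[^\]]+)\]:\s*(?P<count>\d+)\s+records?\.?\s*$")


def parse_queryds(text):
    """Return (table_name, records); each record is a dict of field -> value.

    Raises ValueError when the header is missing or the declared record count
    does not match what was parsed (for example, truncated output).
    """
    table, declared, records, current = None, None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            table, declared = header.group("table"), int(header.group("count"))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        if key == "name":  # assumption: every record begins with its name field
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value.strip()
    if declared is None:
        raise ValueError("no '[Table]: N records.' header found")
    if declared != len(records):
        raise ValueError(f"header declares {declared} records, parsed {len(records)}")
    return table, records


def online_hosts(records):
    """Alphabetized host names of the servers present in the table."""
    return sorted({rec["host"].upper() for rec in records if "host" in rec})


def missing_hosts(expected, records):
    """Expected servers with no PN_Table record (IMA stopped or not accepting connections)."""
    online = set(online_hosts(records))
    return sorted(h.upper() for h in expected if h.upper() not in online)


def substring_matches(text, word):
    """What a plain substring filter returns, for comparison with the parser."""
    return [line for line in text.splitlines() if word in line]


if __name__ == "__main__":
    table, recs = parse_queryds(SAMPLE_OUTPUT)
    print(table, "online:", online_hosts(recs))
    print("missing:", missing_hosts(["XPSERVER1", "XPSERVER2", "XPSERVER3"], recs))
    # The substring filter also returns the line 'zone:GhostZone'.
    print("substring 'host' lines:", len(substring_matches(SAMPLE_OUTPUT, "host")))
```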

Queryds is not installed by default. It is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

You must be a Citrix administrator to execute this command.


QUERYHR

Use this utility to display information about member servers in the farm. Executing queryhr with no parameters lists all servers in the farm.

Syntax

queryhr [-z]

queryhr [-h zonename]

queryhr [-l]

queryhr [-n hostname]

queryhr [-i hostid]

queryhr [-N]

queryhr [-d hostid]

queryhr [-?]

Parameters

zonename

The name of the zone to be queried. Enclose multi-word zone names within quotation marks.

hostname

The name of the member server.

hostid

The host ID of the member server.

Options

-z

Displays all available zones in the farm.

-h zonename

Displays all member servers in the zone specified by zonename.

-l

Displays the host record of the local host server.

-n hostname

Displays the host record for the member server specified by hostname, which is not case-sensitive.


-i hostid

Displays the record for the member server specified by hostid.

-N

Displays the farm name.

-d hostid

Deletes the IMA Host Entry identified by hostid from the data collector, data store, and local host cache. For further information, see the Remarks section below.

-?

Displays the syntax for the utility and information about the utility’s options.

Remarks

Queryhr obtains information from the local host cache.

Queryhr is best used to display information about servers in the farm, such as data collector ranking, host ID, zone names, and host names.

CAUTION Do not use the -d switch on farm servers that are working properly. After this switch is executed on a server, the server is no longer a member of the farm and the IMA service will no longer start. The server must be reinstalled into the farm to restore functionality.

The -d switch has a special use. See “Recovering from a Failed Installation” on page 204.

Queryhr is not installed by default. The executable is in the \W2K\support\debug\i386 folder on the MetaFrame XP, Feature Release 2 CD.

Security Restrictions

You must be a Citrix administrator to execute this command.


SCCONFIG

By default, only processes required for smart card logon functionality (that is, Winlogon.exe and Lsass.exe) are turned on in MetaFrame XP, Feature Release 2. The smart card utility (Scconfig.exe) is installed when you install Feature Release 2 and can be used to enable or disable smart card functionality for specific processes.

Syntax

scconfig [/?]

scconfig [/server:sss] [/q]

scconfig [/farm] [/q]

scconfig [/server:sss] [/query]

scconfig [/farm] [/query]

scconfig [/server:sss] [/logon:on|off]

scconfig [/farm] [/logon:on|off]

scconfig [/server:sss] [/enable_process:ppp]

scconfig [/farm] [/enable_process:ppp]

scconfig [/server:sss] [/disable_process:ppp]

scconfig [/farm] [/disable_process:ppp]

scconfig [/server:sss] [/inherit:on|off]

Parameters

sss

Name of server.

ppp

Name of process (for example, Outlook.exe).

Options

/farm

View or modify farm-wide settings.

/q, /query

Query current settings.

/logon:on|off

Enable/disable smart card logon on the server or farm.


/enable_process:ppp

Enable smart card support for the process specified.

/disable_process:ppp

Disable smart card support for the process specified.

/inherit:on|off

Inherit server settings from the farm.

/server:sss

Server to view or modify. This defaults to the local server.

Example: To use Microsoft Outlook digital signatures and encryption with a smart card, you must enable the process Outlook.exe. On the remote server, the MetaFrame server subsystem handles the data store change event and makes the registry changes to enable or disable the feature. Use the /farm option to query or set a farm-wide default. Use the /inherit option to determine whether a server inherits a farm-wide default. This functionality mimics that of twconfig and acrcfg.


CHAPTER 14

Troubleshooting

This chapter includes information that can help you troubleshoot problems you may encounter with MetaFrame XP.

Troubleshooting IMA

The Citrix IMA Service is the core of MetaFrame XP and runs on all servers. The solutions presented in this section can help resolve most production IMA issues.

IMA Service Fails to Start

The following guidelines and hints can be useful when the Citrix IMA Service fails to start:

• If the Service Control Manager reports that the IMA Service could not be started, but the service eventually starts, ignore this message. The Service Control Manager has a time-out of six minutes. The IMA Service can take longer than six minutes to start either because the load on the database exceeds the capabilities of the database hardware or because the network has high latency.

• Examine the following registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\CurrentlyLoadingPlugin

• If the value is blank, the IMA Service could not connect to the data store or the local host cache is missing or corrupt.

• If a value exists, the IMA Service made a connection to the data store. The value displayed is the name of the subsystem that failed to load. For additional information about subsystem troubleshooting, see “IMA Service Logging” on page 203.


• If you are using a direct connection to the data store, verify that ODBC connectivity exists. For more information, see “ODBC Connection Fails” on page 202.

• If you are using an indirect connection to the data store, verify that the IMA Service is running on the direct server.

• Review the entries in the event log for the IMA Service error code that is returned. For more information about why the IMA Service fails to start, see Appendix I, “Feature Release 2 IMA Error Codes.”

• Verify that the Spooler service is started in the context of System rather than a user.

• If you see an “IMA Service Failed” message (with error code 2147483649) when restarting a server, the local system account may be missing a temp directory. Change the IMA Service startup account to the local administrator. If the IMA Service starts under the local administrator’s account, check for a missing temp directory. Switch the service back to the local system account and try manually creating the temp directory %systemroot%\temp. Verify that both the TMP and TEMP environment variables point to this directory. For more information, see Microsoft article Q251254 at http://support.microsoft.com/support/.

IMA Service Fails to Stop

The SMS Netmon2 client utility is not supported on MetaFrame servers. The IMA Service fails to stop when running on a server with this utility installed. Uninstall the Netmon2 client when installing MetaFrame on servers that have this utility already installed.

ODBC Connection Fails

If you are using direct mode connections to the data store, ODBC connectivity is required for proper operation of the IMA Service. If you suspect ODBC issues, try the following steps:

• Verify that the Microsoft SQL Server or Oracle server is online.

• Verify the name of the DSN file that the IMA Service is using by looking in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName

• Attempt to connect to the database using the DSN file with an ODBC Test Utility (such as Oracle ODBC Test, DB2 Client Configuration Assistant test, or SQL Server ODBC Test).


• Verify that the correct user name and password are being used for database connectivity. You can change the user name and password using the dsmaint config command. For more information, see the MetaFrame XP Administrator’s Guide.

• Reinstall MDAC 2.6 SP1 or later to verify that the correct ODBC files are installed.

• Enable ODBC Tracing for further troubleshooting. For more information, see “ODBC Tracing” on page 210.

Citrix MetaFrame Server Failed to Connect to Data Store

This error can indicate a corrupt local host cache. Before attempting the following steps, verify ODBC connectivity to the database. For more information, see “ODBC Connection Fails” on page 202.

• Copy Imalhc.mdb to another directory for backup purposes.

• From a command prompt, recreate the local host cache using the dsmaint recreatelhc command.

• Restart the server.

Failed to Initialize Permanent Storage During Installation

This error usually indicates that the IMA Service is unable to create objects in the data store. Before attempting the following steps, verify ODBC connectivity to the database; see “ODBC Connection Fails” on page 202.

• Verify that the user account for the database has permissions to create tables, stored procedures, and index objects. For Microsoft SQL Server, the permission is db_owner. For Oracle, the permission is resource. For IBM DB2, the permission is database administrator authority or the list of permissions set out in the MetaFrame XP Administrator’s Guide.

• Verify that the system tablespace is not full on the Oracle server.

IMA Service Logging

For advanced troubleshooting of the IMA Service, you can enable logging at the server level. Use the following procedure to enable logging for either debug output (viewed using a debug hook utility like DBGVIEW from SysInternals) or a text file.


To enable server logging of IMA events

1. Modify the following registry values as desired:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer

Value: Log to Debugger (REG_DWORD): 0x0 (disables debug output) or 0x1 (enables debug output)

Value: Log to File (REG_DWORD): 0x0 (disables file output) or 0x1 (enables file output)

Value: Log File Name (REG_SZ): full path and file name of the output file

2. The HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer key contains a key for each subsystem about which information can be traced. Tracing for all subsystems is on by default, but the specific types of messages for the subsystems are off. To enable tracing for a subsystem, both the default value (specified as the first value in the key) and the message values must have a value of 1. The default value must be 1 and should never be changed. Other values within each key correspond to types of messages to log and are set to 0 by default. To enable tracing for those items, set their value to 1. For more information about the keys and subsystems you can trace, see Appendix G, “Feature Release 2 IMA Subsystem Tracing”.

Recovering from a Failed Installation

If installation fails, the data collector may continually attempt to contact the server on which you attempted to install MetaFrame.

After a failed installation, compare the list of servers in the Citrix Management Console to the list of servers returned by queryhr. Use the command queryhr -d hostID to remove any servers listed in the queryhr results that are not listed in the Citrix Management Console.

CAUTION Do not use the -d switch on farm servers that are functioning properly. This switch removes the server from the farm and the server must then be reinstalled into the farm to regain functionality.

Recovering an Unresponsive Server

If a member server is no longer responding to IMA requests and the IMA Service cannot be started, the server is considered to be unresponsive. You cannot use the chfarm command with an unresponsive server because the command requires connectivity to the data store.


CAUTION The original state of the server cannot be recovered after performing the following procedure. Before using this procedure, first attempt all the other solutions presented in the section “Troubleshooting IMA” on page 201.

To rejoin an unresponsive server to the farm

1. Uninstall MetaFrame XP from the unresponsive server.

2. Remove the unresponsive server from the farm using the Citrix Management Console.

3. Reinstall MetaFrame XP on the unresponsive server and rejoin the farm during installation.

Troubleshooting Novell Directory Services Integration

This section lists troubleshooting tips and known issues that can occur when using MetaFrame XP, Feature Release 2 in an NDS environment.

Troubleshooting Tips

• If you cannot log on to or assign rights to published applications using NDS credentials, try the following troubleshooting tips to correct the problem:

• Verify that NDS is enabled for the farm. To do this, right-click the farm name in the Citrix Management Console and choose Properties. Click the MetaFrame Settings tab and verify that the Novell Directory Services Preferred Tree is set correctly.

• Verify that you are using a valid user name, password, context, and tree name during logon by logging on from another computer using the same information.

• Verify that the Novell Client is configured correctly by browsing the tree and logging on from the console of the server.

• If the ZENworks Dynamic Local User (DLU) policies are not being applied on some MetaFrame XP servers, check the Novell Workstation Manager component of the Novell Client, as described in the following procedure.

To check the Novell Workstation Manager component in Windows 2000

1. Right-click the My Network Places icon on the server’s desktop and choose Properties.

2. In the Network and Dial-up Connections window, right-click Local Area Connection and choose Properties.


3. Choose Novell Workstation Manager from the components list and click Properties.

4. Verify the following settings:

• Workstation Manager is enabled

• The tree name is set to the tree that has the Dynamic Local User policies applied

• All other options have the default settings applied

If you set the Dynamic Local User policy in NDS to delete users after they log off (Volatile User option) and the volatile user accounts are not being deleted, make sure the Enable Volatile User Caching option is disabled.

• If you are experiencing autologon problems with or without the ZENworks DLU feature as the Windows authentication method, try the following:

1. Make a desktop connection using an ICA Custom Connection with the Autologon feature enabled.

2. Specify User Credentials:

• Username – a valid Distinguished Name such as .SampleUser.company

• Password – a valid password

• Domain – a domain that contains the NDS tree name

Important The “If” statements below are not always true if the custom connection is not created exactly as described above.

3. Launch the connection and, based on the result, troubleshoot using the guidelines below:

• The Novell Client displays an error message about an invalid username, server, or tree.

Action: Log on to the Citrix Management Console as the same user. If you do not log on successfully, the Novell Client is not configured properly.

• The Microsoft Client prompts you to re-enter your credentials or displays an error message.

Action: Click Cancel to return to the Novell logon dialog box. On the NT/2000 tab, view the user information:

• If the Username field in the NT/2000 field contains a Distinguished Name (.username.context.)

Action: Upgrade to Novell Client 4.81 or later. (Older Novell Clients do not parse the username from the Distinguished Name.)


• If the Domain name field is blank or set to the local machine name and ZENworks DLU feature is being used

Action: Troubleshoot Dynamic Local User policies (DLU is not functioning properly).

• If the Domain name field is blank or is set to the local machine name and ZENworks DLU feature is not being used

Action: Locate or create the following registry key and set the registry key value to the name of the NT domain that is synchronized with the NDS tree:

HKEY_LOCAL_MACHINE\Software\Citrix\NDS\SyncedDomainName

• If the Domain name field contains the name of the NDS tree

Action: Enable NDS integration.

• If the Domain name field contains the name of a Windows NT domain and you are not using ZENworks DLU functionality for Windows authentication

Action: Verify that the server has a valid trust relationship between the server’s domain and the user’s domain.

Known Issues and Workarounds

• ZENworks for Desktops 3 does not distinguish between users with the same user name, even if they are in different contexts. If the first user is still logged on when the second user logs on, the profile of the first user is utilized by the second user. Workaround: Be sure to use unique names in the tree. If your tree already includes users with the same user name, you can work around this by creating aliases. See “Creating Aliases” on page 123.

CAUTION Logging on to a MetaFrame XP server can fail if you uninstall the Novell Client from the server after MetaFrame XP is installed. If this occurs, do not restart the MetaFrame server until you follow the instructions below.

After uninstalling the Novell Client, you must reapply the proper settings to the registry. The following registry key contains the GINA values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The registry values for the default MetaFrame logon screen (without the Novell Client) are:

GinaDLL Data: Ctxgina.dll

CtxGinaDLL Data: Msgina.dll


• If you designate an NDS preferred tree but none of the servers are set to MetaFrame XP Feature Release 1 or later, MetaFrame XP prompts your users for NDS credentials but does not accept them. Workaround: Set the feature release level to Feature Release 1 or later on at least one server in the farm, remove the NDS tree name in the NDS Preferred Tree field (Farm Properties > MetaFrame Settings), and then reset the Feature Release level to “None.”

• The session sharing feature is not supported for ICA Win32 Client custom ICA connections that are configured for NDS user credentials. Workaround: To use session sharing for custom ICA connections in Program Neighborhood, do not specify user credentials on the Login Information tab in the Properties dialog box.

• If you are connecting by dial-up ICA to a MetaFrame XP, Feature Release 2 server that has the Novell Client installed, the server returns the Microsoft logon dialog box instead of the Novell logon dialog box. This occurs because the Use Default NT Authentication check box is selected by default on Windows 2000 servers. Workaround: If you want to use Novell authentication on a server under these circumstances, clear the Use Default NT Authentication check box. To do this, from the Start menu choose Programs > Citrix > MetaFrame XP > Citrix Connection Configuration > Advanced Connection Settings. If a Windows 2000 server without Service Pack 2 is set up to use the default Windows NT authentication and a third-party authentication software such as the Novell Client is installed, the third-party logon dialog box appears instead of the default Windows logon dialog box. To resolve this problem, install Service Pack 2 for Windows 2000.

Important: When using the Citrix Management Console to remove a server from a farm that has NDS enabled, connect the Citrix Management Console to a server that has Feature Release 2 installed.

Note: The Novell Client does not set the APPDATA environment variables.

Collecting Citrix Technical Support Information

This section discusses methods for collecting information that Citrix Technical Support can use for debugging purposes. Before contacting Citrix Technical Support, try the solutions detailed in “Troubleshooting IMA” on page 201.


Obtaining Installation/Uninstallation Logs

If your MetaFrame XP, Feature Release 2 installation fails to complete, Citrix Technical Support will require an installation log file to troubleshoot the problem. Because the MetaFrame XP, Feature Release 2 installation is a Windows Installer package (.msi file), the Windows Installer must be invoked with the /l command line option to create an installation log file. Citrix recommends that if your Feature Release 2 installation fails, a second installation be attempted using the following command line to create a log file:

Msiexec /i <CD>\MF\MFXP001.msi /l*v %SystemDrive%\msi.log

Replace <CD> with the CD drive letter (for example, D:) containing the MetaFrame XP, Feature Release 2 installation CD. If the Feature Release 2 CD was copied to a hard drive or network share, you can also replace <CD> with the full path to the Feature Release 2 CD image. The above command line creates a log file named Msi.log in the root of the system drive.

Further information about the Windows Installer is available at the Microsoft Web site at http://www.microsoft.com/windows2000/docs/wininstaller.doc.

Capturing Citrix Management Console Debug Output

To capture debug output from the Citrix Management Console, launch the console with the -debugFile command line option. Citrix recommends that you create a shortcut using the following procedure:

1. Right-click on the desktop and choose New > Shortcut from the context menu.

2. The Create shortcut wizard starts. In the Type the location of the item field type: %SystemRoot%\system32\java.exe. When prompted to Type a name for this shortcut:, type a description such as CMC Debugging.

3. Right-click on the new shortcut and choose Properties from the context menu.

4. On the Shortcut tab, type the following text in the Target field (the text must be entered as one line):

java.exe -Djava.ext.dirs="ext;%ProgramFiles%\JavaSoft\JRE\1.3\lib\ext" -jar Tool.jar -debugFile:output.log

5. Change the Start in field to %ProgramFiles%\Citrix\Administration.

6. Click Change Icon and type: %ProgramFiles%\Citrix\Administration\ctxload.exe

7. On the Layout tab, set the Screen buffer size to 9999 lines.

8. Click OK to save the shortcut.


When the shortcut is launched, two windows are displayed. The first window is a command window containing the debug messages output by Java.exe. The second window is the Citrix Management Console user interface. If the console hangs or otherwise fails, press CTRL + BREAK in the command window to view the stack trace.

Obtaining System Information

When troubleshooting an issue, Citrix Technical Support may also request information about the state of your system. The easiest way to obtain such information is to execute winmsd, which launches the System Information tool on Windows 2000. From the Microsoft Management Console’s Action menu, select Save as System Information File. If necessary, you can then send the file to Citrix Technical Support.

ODBC Tracing

Additional ODBC tracing information might be requested by Citrix Technical Support or the database vendor support team. The procedure to enable ODBC tracing depends on the database server software you are using. The alternative procedures are set out below.

To activate Microsoft SQL Server ODBC tracing

1. Launch the ODBC Data Source Administrator.

2. Click the Tracing tab.

3. Type a path for the log file in the Log File Path box.

4. Click Start Tracing Now to begin tracing. Click Stop Tracing Now to end tracing.

To activate Oracle ODBC Tracing

1. Launch the Net8 Assistant.

2. Click Configuration > Local > Profile.

3. Choose General from the drop-down box in the right pane.

4. Use the Tracing and Logging tabs to configure ODBC tracing as needed.

To activate IBM DB2 ODBC Tracing

1. Launch the DB2 Client Configuration Assistant.

2. Click Client Settings… > Diagnostics.

3. Set the Diagnostic error capture level to 4 (all errors, warnings, and information messages).


Installation Manager Debug Files

Obtain the relevant Installation Manager files before calling Citrix Technical Support for Installation Manager troubleshooting questions:

• wfs (the package script)

• ael (the recorder log file)

• aep (the packager project file)

• log (the Windows Installer log file)

Troubleshooting Frequently Encountered Obstacles

Below is a list of frequently encountered obstacles.

Cannot Connect to Application

This error usually occurs when a user who is attempting to connect to a load-managed application is sent to a server that is not currently using a MetaFrame XPa or XPe product license count. For more information, see “Servers Do Not Take Product License Counts” on page 212.

Program Neighborhood Agent Cannot Connect Through Citrix Secure Gateway

If a user receives the message “Cannot connect to the Citrix server: Protocol driver error” when attempting to connect to Citrix Secure Gateway from the Program Neighborhood Agent, the most likely cause is that the client device does not have 128-bit encryption installed.

Cannot Launch Secure NFuse Classic Application Through Internet Explorer

If you have users connecting through a secure NFuse Classic site (HTTPS) and they receive an error message of “ICA file not found,” ensure the security settings within Internet Explorer are not set to Do not save encrypted pages to disk.

To check security settings in Internet Explorer

1. Open Internet Explorer.

2. Click Tools > Internet Options.

3. Click the Advanced tab.

4. Scroll down to Security.


5. Be sure the option Do not save encrypted pages to disk is not enabled.

6. Click OK.

Folders Do Not Appear in Program Neighborhood

Folders that you create to organize applications in the Citrix Management Console are not related to application folders that appear in Program Neighborhood.

To specify application folders for Program Neighborhood, use the Program Neighborhood Settings tab in the Properties dialog box for the published application.

To set an application’s Program Neighborhood folder

1. Right-click the published application in the Citrix Management Console and choose Properties.

2. On the Program Neighborhood Settings tab, type the folder name in the Program Neighborhood Folder box.

Importing Network Printers from Other Domains

Printers cannot be imported from a network print server when:

• The print server resides in a workgroup

• The printer is in a different domain from any servers in the server farm

To enable the printer to be imported

1. Do one of the following:

• Add the network print server to the same domain as the MetaFrame servers.

• Add one of the MetaFrame servers to the same domain as the network print server.

2. Assign the printers to the Everyone group instead of to groups or users. Authenticate without credentials to receive the list of printers assigned to everyone.

3. To allow Novell users to access Microsoft print servers, you must enable the Guest account and assign Everyone or Guest access.

Servers Do Not Take Product License Counts

If a MetaFrame XP, Feature Release 2 server is not taking a license count, try the following:


• Using the Citrix Management Console, select the server and choose Actions > Server > Set MetaFrame Product Code. Verify that the correct product code is set for the server.

• Execute clicense refresh from the command prompt of the affected server.

• Stop and restart the IMA Service.

Important: If you do not enter a license serial number during MetaFrame XP installation, you must set the product code on each server using the Citrix Management Console.

USB Redirection Does Not Work

MetaFrame XP, Feature Release 2 on Windows 2000 supports USB printers installed on the server.

ICA Win32 Clients support installed USB printers when the client platform is Windows 98, Windows 2000, or Windows Me.

Other USB devices, including scanners and cameras, are not currently supported by MetaFrame XP with Feature Release 2.

Content Redirection Options Are Disabled When Publishing an Application

If you install and then publish applications after installing MetaFrame XP, Feature Release 2, you must update the file type associations in each server’s registry.

To update file type associations in a server farm

1. Open the Citrix Management Console.

2. Expand the Servers node in the left window pane.

3. Right-click a server and select Update File Types from Registry.

4. After the file type updates are completed, check the properties of the published application. The content redirection options should no longer be disabled.

Unable to Log User Sessions Off

You cannot log users off from the Citrix Web Console if the user name contains an underscore character (for example, “john_smith”). To work around this issue, either use the Citrix Management Console to log users off, or remove the underscore character from the user name.


Appendix A

Configuring Microsoft SQL Server 2000 for Replication

This section describes how to replicate a SQL Server 2000 database. To replicate a SQL Server 2000 database, use SQL Enterprise Manager. Begin by creating a new database on the SQL server that will be used as the source for all replicas you create. Be sure that the account you use to create the database has db_owner permissions and is the same one you use on the replicated database.

Before setting up replication, complete the following tasks:

• Use a clean (not cloned) installation of Windows 2000 Server

• Install SQL Server on the servers designated for the data stores

• Verify that the Microsoft Distributed Transaction Coordinator is installed on the servers designated for the data stores

Setting up the SQL Server Data Store for Distribution

Complete the following tasks on servers running SQL to set up the data store for distribution.

1. From the Start menu, start the Services Manager.

2. From Services Manager, set up the same domain logon account for the following services (the local system account does not work):

• SQLServerAgent

• MSSQLServer

• MSDTC (Distributed Transaction Coordinator on Windows 2000)


The general tasks to successfully replicate a SQL Server database are described below. Each task is explained in more detail in the following sections.

1. Establish the distributor server.

2. Set the distributor properties.

3. Publish the source database.

4. Push the published database out to subscribers.

Step 1 – Establish the Distributor Server

Complete the following steps to define the server that will act as the distributor.

1. Microsoft SQL 2000 servers acting as publisher, distributor, and subscriber must be in the same Windows NT or Active Directory domain. Start SQL Services under the same account.

2. Open Enterprise Manager on the server on which the source database is located.

3. Right-click the Replication folder and select Configure Publishing > Subscribers > Distribution Wizard.

4. On the Select Distributor page, select the current server to act as the distributor.

5. Keep the default Snapshot folder.

6. On the Customize the Configuration page, choose the option No, use the following default settings.

7. Click Finish.

Step 2 – Set the Distributor Properties

Complete the following steps to set the distributor properties.

1. Right-click the Replication Monitor folder and choose Distributor Properties.


2. On the Publication Databases tab, check the “Trans” box next to the database you want to replicate, as shown in the figure below.

Step 3 – Publish the Source Database

Complete the following steps to publish the database that you want to replicate.

1. Right-click the database name and go to New > Publication to start the Create Publication wizard.

2. Click Show advanced options in this wizard and then click Next.

3. On the Choose Publication Database screen, select the database you want to replicate and then click Next.

4. On the Select Publication Type page, choose Transactional publication.


5. On the Updatable Subscriptions page, select the Immediate updating option, as shown in the figure below.


6. On the Specify Subscriber Types page, select the Servers running SQL Server 2000 option. Click Next.


7. On the left side of the Specify Articles page, select both Show and Publish for the table’s object type. Do not publish stored procedures to the replicated databases.

8. Click Next on the Article Issues page.

9. Name the publication.

10. On the Customize the Properties of the Publication page, choose No, create the publication as specified.


11. Click Finish to complete the wizard. The publication is displayed in the Publications folder, as shown below.

Step 4 – Push the Published Database to Subscribers

Complete the following steps to push the publication to subscribers.

1. Right-click the published database in the Publications folder and choose Push new subscription to start the Push Subscription wizard.

2. Click Show advanced options in this wizard and then click Next.

3. On the Choose Subscribers page, select the subscribers for the published database.

4. On the next page, choose the destination database to which you want to replicate the source database.

5. On the Set Distribution Agent Location page, choose to run the agent at the distributor.

6. Set the Distribution Agent Schedule to “continuously.”


7. On the Initialize Subscription page, shown below, choose Yes, initialize the schema and data, and select the option to Start the Snapshot Agent.

8. On the Updateable Subscriptions page, select the Immediate updating option.

9. On the Start Required Services page, displayed below, the services that must be running are listed. Verify that the applicable required services are running on the distributor server.


10. Click Finish on the next screen to complete the wizard.

Troubleshooting

Make sure that the following seven tables on the replicated database are listed, as displayed in the figure below.

DATATABLE

INDEXTABLE

KEYTABLE

MSreplication_objects

MSreplication_subscriptions

MSsubscription_agents

MSsubscription_properties

If not all tables are listed, delete the replication setup and begin again. The dtproperties table appears if you used the Database Diagram wizard in Enterprise Manager.

If you are installing MetaFrame XP for the first time, select the server hosting the replicated database when prompted.


If you have a server in the server farm that you want to connect to the new database, create a new DSN file on the MetaFrame XP server and point it to the replicated SQL Server database. You can then use the dsmaint config command to point the Citrix IMA Service to the new database.


Appendix B

Configuring Microsoft SQL Server 7 for Replication

This section describes how to replicate a SQL Server 7 database. Refer to Microsoft’s SQL 7 documentation for the latest information about configuring SQL Server 7 for replication.

Introduction

Before beginning the replication process, complete the following tasks:

• Be sure you are using an uncloned installation of Windows NT or Windows 2000 Server

• Install SQL Server 7 on the servers that will host the MetaFrame XP server farm data store

• Create a database on both the source server (the distributor) and the server that will host the replicated database (the subscriber)

Important: Both new databases must have the same name so that you can replicate the source database to the copy.

• Verify that the Microsoft Distributed Transaction Coordinator is installed on the servers that will host the data store

This chapter discusses an environment with two servers running SQL Server 7, referred to in this chapter as Server A and Server B.

In the procedures below, Server A is configured to be the distributor or publisher of the replicated database because it is expected to service the most requests from MetaFrame XP servers. Server B is configured to be the subscriber server.


Replicating a MetaFrame XP Server Farm’s Data Store

The basic tasks you need to complete to configure SQL Server 7 software to replicate a database that hosts the MetaFrame XP server farm’s data store are listed below. The detailed procedures for each task are laid out in this chapter.

1. Prepare the servers for replication (Server A and Server B).

2. Set up the database distributor (Server A).

3. Enable replication on the distributor (Server A).

4. Enable the data store database for replication (Server A).

5. Publish the source data store database using the dsmaint utility (on a MetaFrame XP server).

6. Distribute the database on Server A to Server B.

Step 1 — Prepare the Servers for Replication (Servers A and B)

Complete the following tasks to prepare both Server A and Server B for the replication process.

1. Verify that you created two databases — one on Server A and one on Server B — with the same name. The procedures in this chapter assume that both Server A and Server B are in the same SQL Server Group.

2. From the Start menu, start the Services Manager.

3. In Services Manager, set up the same domain logon account for the following services (the local system account does not work):

• SQLServerAgent

• MSSQLServer

• MSDTC (Distributed Transaction Coordinator on Windows 2000)

Step 2 — Set Up the Database Distributor (Server A)

Complete the following tasks to set up Server A as the database distributor.

1. Locate the SQL Server database you created previously. This database will be the server farm’s data store and will be the source database to be replicated or published.

2. Install MetaFrame XP and point it to the database you created previously on Server A. The database on Server A is now the server farm’s data store.


Step 3 — Enable Replication on the Distributor (Server A)

Complete the following steps to enable replication on Server A, which is acting as the database distributor.

1. From the Start menu, start the Enterprise Manager.

2. Select Replicate Data in the right pane of Enterprise Manager.

3. Select Configure Replication. This starts the Configure Publishing and Distribution Wizard. Click Next.

4. Select Yes, use <Server A> as the Distributor/Publisher, where <Server A> is the server you selected to distribute the data store database.

5. Select No, use the following default settings as the distribution settings. The default settings designate Server A as the sole distributor.

6. Click Finish. Server A is now set up to replicate the data store.

Step 4 — Enable the Data Store Database for Replication (Server A)

Complete the following tasks to enable Server A for replication.

1. Start the Enterprise Manager from the Start menu.

2. Select Replicate Data in the right pane of Enterprise Manager.

3. Select Configure Replication. The Publisher and Distributor Properties wizard appears. Click Next.

4. On the Publication Databases tab, check the “Trans” box next to the database holding the data store. Click OK. The data store can now be replicated using transactional replication.

Note: The dsmaint utility returns an error if you try to create the publication for a database that is not enabled for replication.


Step 5 — Publish the Source Data Store Database Using the dsmaint Utility (on a MetaFrame XP server)

Complete the following tasks to publish the source data store.

Important: These tasks are carried out on a MetaFrame XP server.

1. From a command prompt, enter the command dsmaint publishsqlds /user:<username> /pwd:<password>, where <username> and <password> are the credentials of the account used by MetaFrame to access the database. This account needs db_owner rights to configure the publication.

2. Confirm that the publication was successfully created. The publication is named “mfxpds” when you run the command in Step 1.

Step 6 — Distribute the Database on Server A to Server B

Complete the following tasks to distribute the data store on Server A using the Push Subscription wizard.

1. Verify that the SQL server set up as the subscriber (Server B) is registered in the SQL Server Group.

2. Start Enterprise Manager on the SQL server set up as the distributor (Server A).

3. In the left pane of Enterprise Manager, expand the folders under the Database folder until you see MFXPDS, the publication you created with the dsmaint command.

4. Right-click MFXPDS and choose Push New Subscription from the shortcut menu that appears. Click Next.

5. The Choose Subscribers dialog box appears. Select the subscriber (Server B) from the SQL Server Group tree. Server B is the destination to host the copy of the data store pushed from the distributor. Click Next.

6. The Specify Immediate-Updating Subscriptions dialog box appears. On this dialog box, select Yes, make this an immediate-updating subscription(s). You must employ immediate updating subscriptions to ensure coherency. Click Next.

Important: Merge replication is not supported by MetaFrame because it cannot guarantee uniqueness of object creation across all servers in the enterprise.


7. The Set Distribution Agent Schedule dialog box appears. Select Continuously in Set Distribution Agent Schedule. Continuous updating and a two-phase commit algorithm ensure data coherency. When the subscriber receives a request to write to the data store, the data is initially written to the data store on the publisher, then propagated by the distributor to the copy of the data store on the subscriber. The distributor is the only server that can write information to the data store on the subscriber. Click Next.

8. The Initialize Subscription dialog box appears. Select the following options on this dialog box:

• Yes, initialize the schema and data at the Subscriber. The database on the subscriber is not yet initialized, so the schema and data need to be initialized.

• Start the agent immediately. The Distribution Agent begins replication as soon as the database becomes available.

Click Next.

9. The Start Required Services dialog box appears. On this dialog box, verify that all necessary services are running on both Server A and Server B. The state for the MSDTC service on the subscriber always displays as “Unknown” even though it is running. To verify that MSDTC is running, check Services in Administrative Tools in the Control Panel on Server B. Click Next.

10. The Completing the Push Subscription Wizard appears. When the Push Subscription Wizard is done running, replication begins. You can monitor the progress of the replication in Replication Monitor in Enterprise Manager. When replication is complete, make sure there are no replication alert errors in Replication Monitor.

Pointing MetaFrame XP Servers to the Replicated Database

When you are done replicating the server farm’s data store, you can install MetaFrame XP on additional servers. Complete the following tasks to point additional MetaFrame XP servers to the replicated data store.

1. Start MetaFrame XP Setup.

2. When you are prompted for the location of the database that is hosting the server farm’s data store, point the server to the replicated data store (on Server B).


3. When you are done installing MetaFrame XP, open Citrix Management Console and publish an application.

4. If the MetaFrame server can write the information about the published application to the data store, the data store was successfully replicated on Server B.

Note: You can redirect existing servers to the replicated copy of the data store by running the dsmaint config command.


Appendix C

Distributing Connections Among NFuse Classic 1.7 Servers

This section describes a sample configuration to show how you can use a hardware load balancer to perform round-robin HTTP redirection to distribute connections between two NFuse Classic servers.

In the example, the load balancer is a Cisco LocalDirector 416, with software Version 4.1.2. The NFuse Classic servers are Compaq DL320s running Microsoft Windows 2000 Server with Service Pack 2.

Overview

The sample configuration is set up as follows:

First, the load balancer is configured to listen for HTTP connection requests on ports 80, 81, and 82. Ports 81 and 82 are configured to direct traffic straight to the first and second NFuse servers, and port 80 is configured to perform the load balancing.

Clients are directed to make their connections to http://nfuse.inter.net/Citrix/NFuse17. When HTTP traffic arrives on port 80 on the load balancer, a load balancing decision is made and an HTTP redirect is returned to the client browser specifying an alternate port for the connection. When this occurs and the client is using NFuse Classic, the data is always transmitted to the same NFuse Classic server and session state data is not lost.
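The redirect flow described above, modeled as an added example (not Citrix or Cisco code): port 80 answers with a 302 to port 81 or 82 in turn, and each of those ports is bound to one NFuse Classic server, which is why a client's later requests stay on the same server. The addresses and URL mappings are the ones from this page's example configuration. The class and function names, the reading of %p as the request path without its leading slash, and the 503 returned when no server is in service are assumptions of the model.

```python
"""Model of round-robin HTTP redirection in front of two NFuse Classic servers."""
from urllib.parse import urlsplit

# Values taken from this page's example configuration.
REDIRECT_URLS = {
    "nfuse1": "http://nfuse.inter.net:81/%p",
    "nfuse2": "http://nfuse.inter.net:82/%p",
}
PORT_BINDINGS = {
    81: "192.168.1.10:80",  # nfuse1
    82: "192.168.1.11:80",  # nfuse2
}
BALANCED_PORT = 80


class RedirectingBalancer:
    """Hypothetical model: port 80 redirects, ports 81 and 82 forward."""

    def __init__(self, redirect_urls, port_bindings):
        self.redirect_urls = dict(redirect_urls)
        self.port_bindings = dict(port_bindings)
        # A redirect URL is skipped while its server is marked out of service.
        self.in_service = {name: True for name in self.redirect_urls}
        self._order = list(self.redirect_urls)
        self._cursor = 0

    def handle(self, port, path):
        """Return the balancer's answer to one HTTP request as a dict."""
        if port == BALANCED_PORT:
            return self._redirect(path)
        if port in self.port_bindings:
            # Direct port: always the same real server, so session state
            # held on that NFuse Classic server is found again.
            return {"status": "forwarded",
                    "backend": self.port_bindings[port],
                    "path": path}
        raise ValueError(f"no virtual server on port {port}")

    def _redirect(self, path):
        # Assumption: %p stands for the request path without its leading "/".
        for _ in range(len(self._order)):
            name = self._order[self._cursor]
            self._cursor = (self._cursor + 1) % len(self._order)
            if self.in_service[name]:
                location = self.redirect_urls[name].replace("%p", path.lstrip("/"))
                return {"status": 302, "location": location}
        # Assumption of this model: no server left to redirect to.
        return {"status": 503}


def browse(balancer, path, follow_ups=3):
    """One client: a first request to port 80, then follow_ups requests
    sent to the redirect target. Returns (location, backends used)."""
    first = balancer.handle(BALANCED_PORT, path)
    if first["status"] != 302:
        return first["status"], []
    target = urlsplit(first["location"])
    backends = [balancer.handle(target.port, target.path)["backend"]
                for _ in range(follow_ups)]
    return first["location"], backends


if __name__ == "__main__":
    lb = RedirectingBalancer(REDIRECT_URLS, PORT_BINDINGS)
    for client in ("client A", "client B", "client C"):
        location, backends = browse(lb, "/Citrix/NFuse17")
        print(client, "->", location, "served by", backends)
    lb.in_service["nfuse1"] = False  # constructed failure of nfuse1
    print("nfuse1 out of service:", browse(lb, "/Citrix/NFuse17"))
```
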

Topology

In the example, the network topology consists of:

• A public network in which the clients reside

• A demilitarized zone (DMZ) containing the NFuse server

• An internal network in which the MetaFrame XP server farm resides


The DMZ is situated between two firewalls, with the first network interface card (NIC) of the load balancer connected directly into the DMZ. The NFuse Classic servers are connected to the load balancer’s second NIC. This configuration is illustrated in the figure below.

The machines in the DMZ all have static IP addresses in the network 192.168.1.0/255.255.255.0. The client-facing firewall presents an external IP for the load balancer (172.27.19.4 in this example), which is converted to the real load balancer IP address (192.168.1.4) after firewall traversal. Clients on the public network can resolve the external load balancer IP address from the name nfuse.inter.net.

The machines on the internal network are in the range 192.168.2.0/255.255.255.0. On the internal network there is a MetaFrame XP Feature Release 2 server, named mf1, with a static IP address of 192.168.2.10, running the Citrix XML Service (shared with IIS) on port 80.

The NFuse Classic servers, nfuse1 and nfuse2, are configured with the static IP addresses 192.168.1.10 and 192.168.1.11, respectively. The NFuse Classic configuration on each server is identical for all but the target server configuration. It may be beneficial to vary the order of the target MetaFrame XP servers that are running the Citrix XML Service to stop a single MetaFrame XP server from being contacted by all the NFuse Classic servers at the same time. In this example, a single Citrix XML Service (mf1 with IP Address 192.168.2.10:80) was used for both NFuse Classic servers.

Example Configuration

The following section describes the example configuration.

Step 1 — Configure the Load Balancer

The load balancer is configured to present three virtual IP:port combinations to the real world: 192.168.1.4:80, 192.168.1.4:81, and 192.168.1.4:82.

On the Cisco LocalDirector 416, do this using:

• virtual 192.168.1.4:80:0:tcp is

• virtual 192.168.1.4:81:0:tcp is

• virtual 192.168.1.4:82:0:tcp is

Step 2 — Create URL Mappings for Redirection

Two URL mappings are created for performing the HTTP redirection:

- http://nfuse.inter.net:81/%p

- http://nfuse.inter.net:82/%p

On the Cisco LocalDirector 416, do this using:

• url nfuse1 http://nfuse.inter.net:81/%p 302

• url nfuse2 http://nfuse.inter.net:82/%p 302

Step 3 — Bind URLs to Virtual Server

The URLs are then bound to the virtual server 192.168.1.4:80.

On the Cisco LocalDirector 416, do this using:

• bind 192.168.1.4:80:0:tcp nfuse1

• bind 192.168.1.4:80:0:tcp nfuse2

Step 4 — Bind Ports on Virtual Server to Actual IP Addresses

Ports 81 and 82 of the virtual server are bound to the real NFuse Classic server IP addresses and Web server ports:

192.168.1.4:81 => 192.168.1.10:80

192.168.1.4:82 => 192.168.1.11:80

On the Cisco LocalDirector 416, do this using:

• bind 192.168.1.4:81:0:tcp 192.168.1.10:80:0:tcp

• bind 192.168.1.4:82:0:tcp 192.168.1.11:80:0:tcp

Step 5 — Ensure Valid URLs

Links are then created between the HTTP redirection URLs and the virtual NFuse servers so that the load balancer takes the URL out of service when the respective NFuse Classic server is out of service:

http://nfuse.inter.net:81/%p => 192.168.1.4:81

http://nfuse.inter.net:82/%p => 192.168.1.4:82

On the Cisco LocalDirector 416, do this using:

• link nfuse1 192.168.1.4:81:0:tcp

• link nfuse2 192.168.1.4:82:0:tcp

Step 6 — Ensure Continuity of Service

The final step is to ensure that clients that have already been load balanced to one of the NFuse Classic servers continue to function (although not without noticing) if the server they are using fails. To do this, the NFuse Classic servers specify 192.168.1.4:80 as their backup server.

On the Cisco LocalDirector 416, do this using:

• backup 192.168.1.4:81:0:tcp 192.168.1.4:80:0:tcp

• backup 192.168.1.4:82:0:tcp 192.168.1.4:80:0:tcp

With the configuration described and the client-facing firewall allowing traffic to 192.168.1.4 on ports 80, 81, and 82, the load balancing solution worked.
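The behaviour that Steps 1 through 6 produce, modelled as an added Python example (not LocalDirector code and not part of the original guide). It assumes that %p stands for the path of the original request and that port 80 alternates between the URLs currently in service; the class and function names are hypothetical.

```python
"""Model of the redirect-based distribution configured in Steps 1-6.

Added illustration. Assumptions: %p is replaced by the path of the
original request, and port 80 alternates between in-service URLs.
"""
from itertools import count
from urllib.parse import urlsplit

# Step 2: redirect URL templates, keyed by the names in the url commands.
URLS = {
    "nfuse1": "http://nfuse.inter.net:81/%p",
    "nfuse2": "http://nfuse.inter.net:82/%p",
}
# Step 4: virtual port -> real NFuse Classic server.
BINDS = {81: "192.168.1.10:80", 82: "192.168.1.11:80"}
# Step 5: redirect URL -> virtual port whose health controls it.
LINKS = {"nfuse1": 81, "nfuse2": 82}
# Step 6: virtual port -> backup virtual port.
BACKUPS = {81: 80, 82: 80}


class LoadBalancer:
    def __init__(self):
        self.up = {real: True for real in BINDS.values()}
        self._turn = count()

    def in_service(self, name):
        """Step 5: a URL is offered only while its linked server is up."""
        return self.up[BINDS[LINKS[name]]]

    def handle(self, port, path):
        """Return ('redirect', url), ('forward', real) or ('unavailable', None)."""
        if port == 80:
            # Steps 1-3: port 80 never serves content, it only redirects.
            live = [name for name in URLS if self.in_service(name)]
            if not live:
                return ("unavailable", None)
            name = live[next(self._turn) % len(live)]
            return ("redirect", URLS[name].replace("%p", path.lstrip("/")))
        if port not in BINDS:
            return ("unavailable", None)
        real = BINDS[port]
        if self.up[real]:
            return ("forward", real)
        # Step 6: the failed server's virtual port falls back to port 80,
        # which redirects the client to a server that is still in service.
        return self.handle(BACKUPS[port], path)


def follow(lb, port, path, max_hops=4):
    """Follow 302 responses as a browser would; return the server reached."""
    for _ in range(max_hops):
        action, value = lb.handle(port, path)
        if action == "forward":
            return value
        if action == "unavailable":
            return None
        parts = urlsplit(value)
        port, path = parts.port, parts.path
    return None


if __name__ == "__main__":
    lb = LoadBalancer()
    print(lb.handle(80, "/Citrix/NFuse17"))
    lb.up["192.168.1.10:80"] = False           # nfuse1 fails
    # A client pinned to port 81 now lands on nfuse2, a different server.
    print(follow(lb, 81, "/Citrix/NFuse17/login.asp"))
```

The model also makes the exposure explicit: the only ports that must be reachable through the client-facing firewall are 80, 81, and 82 on the load balancer address.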

APPENDIX D

Using Citrix Products in a Wireless LAN Environment

The findings in this chapter are the result of coordinated testing between Citrix and Compaq. Citrix and Compaq teamed together to test security in a wireless Local Area Network (wLAN) environment to determine and evaluate the inherent security risks associated with these types of networks. There is little physical security associated with wLANs, resulting in the possibility that the radio signals could be intercepted with malicious intent. For example, today’s hackers are using tools and methods to obtain MAC addresses and channels used by internal networks.

Wireless LAN Vulnerabilities

The Wireless Encryption Privacy (WEP) relies on the RC4 encryption algorithm, which uses the same key to scramble and unscramble packets. If the key management system cycles through the same set of keys in a predictable manner, determined intruders can correlate data with the keys to decipher the encryption. This intrusion technique can be successful with both 40-bit and 128-bit RC4 encryptions. Additionally, the network name and MAC addresses are broadcast in clear-text and can be easily intercepted. An intruder can then program these addresses on a personal wLAN adapter to access the network.

Additionally, the Wireless Application Protocol (WAP), which is used by wireless devices to access text, has a known security hole that allows intruders to intercept decrypted data from transmission points before the data is encrypted for transmission. During a WAP transmission, the following security protocols are used:

• Wireless Transport Layer Security (WTLS) - over the wLAN

• Secure Socket Layer (SSL) - over the wired LAN

There is a split-second of vulnerability at the WAP gateway when the data is decrypted and then re-encrypted to switch protocols. Organizations cannot rely on the use of encryption keys and SSIDs to provide adequate security in a wLAN environment. However, using MetaFrame XP software with the ICA protocol offers a number of features that protect against security vulnerabilities.

Citrix Architecture Security

The architecture in Citrix products provides the following security features:

• Pane-of-glass security. ICA protocol inherently prevents intruders from sniffing out data or code. Applications reside on a server; ICA transmits keystrokes, mouse clicks and screen updates. Only a graphic representation of the user interface actually crosses the network.

• Data encryption. The ICA protocol offers built-in encryption on the client and server, adding an extra layer of protection against attempted hacking.

• Authentication. MetaFrame XP offers an additional layer of authentication security for role-based application access.

• Device loss protection. The ICA protocol allows critical data to be stored and protected on a server rather than the client, ensuring that the loss of a client device creates only a minimal security risk.

Citrix Secure Gateway

The Citrix Secure Gateway (CSG) can supplement existing security measures to create a complete end-to-end security solution, as shown in the figure below.

CSG functions as a secure Internet gateway between the MetaFrame XP server and the ICA Client, without publishing the address of every MetaFrame server across the Internet, thus ensuring the privacy and integrity of information flowing across public networks. All Internet traffic between the client device and the CSG server is encrypted using SSL technology.

CSG eliminates the need to install additional client software (beyond the ICA Client) and can easily traverse Internet firewalls.

Note: MetaFrame servers are hidden from the Internet and cannot be accessed directly.

Citrix Secure Gateway provides the following capabilities:

• SSL 128-bit encryption

• High-performance gateway service

• Firewall traversal

• Single-point server certificate management

• Minimal client configuration

• Secure ticketing authority

• Connection logging

• Reliability and fault tolerance

• High scalability

The following communications take place between Citrix Secure Gateway Components before a secure connection is established.

1. A remote user launches a Web browser and connects to an NFuse Web server on port 80 (HTTP) or port 443 (HTTPS). The NFuse Web portal requires the user to authenticate using valid user credentials.

2. NFuse utilizes the user credentials to contact the Citrix XML Service on port 80 running on a MetaFrame server, and obtains a list of applications that the user is authorized to access. These applications are then displayed in the NFuse Web page.

3. When the user clicks a link for a published application, NFuse sends the IP address for the requested MetaFrame server to the Secure Ticket Authority (STA) and requests a Citrix Secure Gateway ticket for the user. The STA saves the IP address and issues the requested Citrix Secure Gateway ticket to NFuse.

4. NFuse generates an ICA file containing the ticket issued by the STA, and then sends it to the client browser. Note that the ICA file generated by NFuse contains only the IP address of the Citrix Secure Gateway. The address of the MetaFrame server to which the ICA Client eventually connects is never exposed.

5. The browser passes the ICA file to the ICA Client, which launches an SSL connection to the Citrix Secure Gateway. Initial SSL handshaking is performed to establish the identity of the Citrix Secure Gateway.

6. The Citrix Secure Gateway accepts the ticket from the ICA Client and uses information contained in the Citrix Secure Gateway ticket to identify and contact the STA for ticket validation. If the STA can validate the ticket, it returns the IP address of the MetaFrame server on which the requested application resides. If the ticket is invalid or has expired, the STA informs the Citrix Secure Gateway, and an error message is displayed on the ICA Client device.

7. On receipt of the IP address for the MetaFrame server, the Citrix Secure Gateway establishes an ICA connection to the MetaFrame server. After the ICA connection is established, the Citrix Secure Gateway monitors ICA data flowing through the connection, and encrypts and decrypts client-server communications.
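The ticket exchange in steps 3 through 7, modelled as an added Python example (not Citrix code and not part of the original guide). The ticket layout, the ticket lifetime, the single-use behaviour, the gateway address, and all class and field names are assumptions made for the model.

```python
"""Model of the Secure Gateway ticket exchange (steps 3 to 7).

Added illustration. The ticket layout ("<STA id>;<random>"), the
lifetime, single-use tickets and every name here are constructed.
"""
import secrets
import time

GATEWAY_ADDR = "csg.example.test:443"   # constructed gateway address
TICKET_LIFETIME = 100                   # seconds; assumed value


class SecureTicketAuthority:
    def __init__(self, sta_id, clock=time.monotonic):
        self.sta_id = sta_id
        self._clock = clock
        self._tickets = {}              # ticket -> (server address, expiry)

    def issue(self, server_addr):
        """Step 3: save the server address and hand back a ticket."""
        ticket = f"{self.sta_id};{secrets.token_hex(16)}"
        self._tickets[ticket] = (server_addr, self._clock() + TICKET_LIFETIME)
        return ticket

    def validate(self, ticket):
        """Step 6: return the saved address, or None if invalid or expired.

        The ticket is removed on first use (an assumption of this model).
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server_addr, expiry = entry
        return server_addr if self._clock() <= expiry else None


def build_ica_file(ticket):
    """Step 4: the ICA file names the gateway and carries only the ticket."""
    return {"Address": GATEWAY_ADDR, "Ticket": ticket}


class SecureGateway:
    def __init__(self, stas):
        self._stas = {sta.sta_id: sta for sta in stas}

    def connect(self, ica_file):
        """Steps 6-7: validate the ticket, then relay to the returned server."""
        ticket = ica_file.get("Ticket", "")
        sta_id = ticket.split(";", 1)[0]    # the ticket identifies its STA
        sta = self._stas.get(sta_id)
        server = sta.validate(ticket) if sta else None
        if server is None:
            return ("error", "ticket invalid or expired")
        return ("relay", server)


if __name__ == "__main__":
    sta = SecureTicketAuthority("STA01")
    gateway = SecureGateway([sta])
    ica = build_ica_file(sta.issue("192.168.2.10"))   # mf1 from the example
    print(ica)                   # no MetaFrame address reaches the client
    print(gateway.connect(ica))  # ('relay', '192.168.2.10')
    print(gateway.connect(ica))  # replayed ticket is rejected
```

The client only ever holds the gateway address and an opaque ticket, so the mapping from ticket to MetaFrame server exists solely inside the STA.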

More information about CSG is available on http://www.citrix.com.

Using Citrix products in conjunction with wireless Local Area Networks provides end to end security, minimizing potential threats to your environment.

APPENDIX E

Tested Hardware

The following hardware was used in the Citrix eLabs for testing MetaFrame XP:

Apple iMac

Cisco LocalDirector 416

Cisco PIX 515 Firewall Appliance

Compaq Aero

Compaq DeskPro EN SFF

Compaq DL 320

Compaq DL 350

Compaq DL 360

Compaq DL 380

Compaq DL 580

Compaq iPaq

Compaq EVO T20

Compaq ML 330

Compaq Proliant 1850R

Compaq Proliant 800

Compaq Proliant 8500R

Compaq StorageWorks FC-AL Switch

Compaq StorageWorks RA4100

Compaq TaskSmart N2400

Dell 1650

Dell OptiPlex GX1

Dell PowerEdge 1400

Hewlett Packard Jornada

Hewlett Packard LaserJet Printers

Hewlett Packard NetServer LXe Pro

Hewlett Packard TC4100

IBM 4600

IBM NetFinity 3000

IBM NetFinity 3500 M10

IBM NetFinity 3500 M20

IBM NetFinity 5500

Intel 640T

Lucent Pipeline ISDN Router

Packeteer AppVantage ASM-70

Packeteer Packetshaper 4500

Shunra Storm

Sierra Wireless PCMCIA cards

Sun Ultra 5

Wyse Winterms

APPENDIX F

IMA Subsystem Tracing

Use the information in this table to determine which registry keys need to be activated for different MetaFrame XP systems.

| MetaFrame XP System | Subsystems to Trace |
|---|---|
| Application Management, Application Folders | ImaAdminSal |
| COM/SDK, Citrix Management Console | Remote Access |
| Common Application settings (LM, IM, MF, Unix) | ImaAppSal, ImaAppSs |
| Common Server (common farm server properties and server enumeration) | ImaSrvSal, ImaSrvSs |
| Data store (including LHC) | Directory Subsystem, System\DataStoreDriver, Profiling\DataStore, Profiling\LHC, Runtime\PersistentStore |
| Dynamic Store | Runtime\DynamicStore, Profiling\DynamicStore |
| File Browsing | IMA_FileSS |
| Folder Enumeration | ImaGrpSal, IMAGroup |
| Host Resolver | Runtime\HostResolver |
| Ilicense | Ilicense |
| IMA Browser | IMA_Browser |
| IMA Program Interface (Terminal Services, other software) | ImaRpc, ImaLicRpc, ImaMfRpc |
| IMS | ImsSal |
| Licensing | LicenseSal, IMA_License |
| Load Management | LmsSal, LMS_Subsystem |
| MetaFrame Applications (enumeration and properties) | MfAppSal, MFApp |
| MetaFrame Server Properties (ICA Display, MetaFrame Settings) | MfSrvSal, MFSrvSs |
| Policy | Policy |
| Printer Management and Printer Drivers | MfPrintSal, IMA_Printer, ImaRelSal, IMARelationship |
| Printer Replication | ImaDistSal, IMADistribution |
| Program Neighborhood | MfPNSal |
| Remote Access | RemoteAccess, Remote Access |
| Runtime | Runtime\Runtime |
| Service Locator | Runtime\ServiceLocator |
| Subscription Manager | Runtime\SubscriptionManager |
| User Management (User Lists, Viewing and Launching Applications. Network Printer Auto-creation) | ImaUserSal, IMA_AAMS, WinDrvSS, NDSDrvSS |
| Zone Manager | Runtime\ZoneManager |

APPENDIX G

IMA Error Codes

The items in the table below are Citrix IMA Service error codes that can appear in the Event Viewer.

Hex value Signed value Unsigned value Mnemonic

00000000h 0 0 IMA_RESULT_SUCCESS

00000001h 1 1 IMA_RESULT_OPERATION_INCOMPLETE

00000002h 2 2 IMA_RESULT_CALL_NEXT_HOOK

00000003h 3 3 IMA_RESULT_DISCARD_MESSAGE

00000004h 4 4 IMA_RESULT_CREATED_NEW

00000005h 5 5 IMA_RESULT_FOUND_EXISTING

00000009h 9 9 IMA_RESULT_CONNECTION_IDLE

00130001h 1245185 1245185 IMA_RESULT_DS_NOT_INSTALLED

00130002h 1245186 1245186 IMA_RESULT_SECURITY_INFO_INCOMPLETE

002D0001h 2949121 2949121 IMA_RESULT_ALREADY_MASTER

80000001h -2147483647 2147483649 IMA_RESULT_FAILURE

80000002h -2147483646 2147483650 IMA_RESULT_NO_MEMORY

80000003h -2147483645 2147483651 IMA_RESULT_INVALID_ARG

80000004h -2147483644 2147483652 IMA_RESULT_UNKNOWN_MESSAGE

80000005h -2147483643 2147483653 IMA_RESULT_DESTINATION_UNREACHABLE

80000006h -2147483642 2147483654 IMA_RESULT_REFERENCE_COUNT_NOT_ZERO

80000007h -2147483641 2147483655 IMA_RESULT_ENTRY_NOT_FOUND

80000008h -2147483640 2147483656 IMA_RESULT_NETWORK_FAILURE

80000009h -2147483639 2147483657 IMA_RESULT_NOT_IMPLEMENTED

8000000Ah -2147483638 2147483658 IMA_RESULT_INVALID_MESSAGE

8000000Bh -2147483637 2147483659 IMA_RESULT_TIMEOUT

8000000Ch -2147483636 2147483660 IMA_RESULT_POINTER_IS_NULL

8000000Dh -2147483635 2147483661 IMA_RESULT_UNINITIALIZED

8000000Eh -2147483634 2147483662 IMA_RESULT_FINDITEM_FAILURE

8000000Fh -2147483633 2147483663 IMA_RESULT_CREATEPOOL_FAILURE

80000010h -2147483632 2147483664 IMA_RESULT_SUBSYS_NOT_FOUND

80000013h -2147483629 2147483667 IMA_RESULT_PS_UNINITIALIZED

80000014h -2147483628 2147483668 IMA_RESULT_REGMAPFAIL

80000015h -2147483627 2147483669 IMA_RESULT_DEST_TOO_SMALL

80000016h -2147483626 2147483670 IMA_RESULT_ACCESS_DENIED

80000017h -2147483625 2147483671 IMA_RESULT_NOT_SHUTTING_DOWN

80000018h -2147483624 2147483672 IMA_RESULT_MUSTLOAD_FAILURE

80000019h -2147483623 2147483673 IMA_RESULT_CREATELOCK_FAILURE

8000001Ah -2147483622 2147483674 IMA_RESULT_SHUTDOWN_FAILURE

8000001Ch -2147483620 2147483676 IMA_RESULT_SENDWAIT_FAILURE

8000001Dh -2147483619 2147483677 IMA_RESULT_NO_COLLECTORS

8000001Eh -2147483618 2147483678 IMA_RESULT_UPDATED

8000001Fh -2147483617 2147483679 IMA_RESULT_NO_CHANGE

80000020h -2147483616 2147483680 IMA_RESULT_LEGACY_NOT_ENABLED

80000021h -2147483615 2147483681 IMA_RESULT_VALUE_ALREADY_CREATED

80000022h -2147483614 2147483682 IMA_RESULT_UID_EXCEEDED_BOUNDS

80000023h -2147483613 2147483683 IMA_RESULT_NO_EVENTS

80000024h -2147483612 2147483684 IMA_RESULT_NOT_FOUND

80000025h -2147483611 2147483685 IMA_RESULT_ALREADY_EXISTS

80000026h -2147483610 2147483686 IMA_RESULT_GROUP_ALREADY_EXISTS

80000027h -2147483609 2147483687 IMA_RESULT_NOT_A_GROUP

80000028h -2147483608 2147483688 IMA_RESULT_GROUP_DIR_ACCESS_FAILURE

80000029h -2147483607 2147483689 IMA_RESULT_EOF

8000002Ah -2147483606 2147483690 IMA_RESULT_REGISTRY_ERROR

8000002Bh -2147483605 2147483691 IMA_RESULT_DSN_OPEN_FAILURE

8000002Ch -2147483604 2147483692 IMA_RESULT_REMOVING_PSSERVER

8000002Dh -2147483603 2147483693 IMA_RESULT_NO_REPLY_SENT

8000002Eh -2147483602 2147483694 IMA_RESULT_PLUGIN_FAILED_VERIFY

8000002Fh -2147483601 2147483695 IMA_RESULT_FILE_NOT_FOUND

80000030h -2147483600 2147483696 IMA_RESULT_PLUGIN_ENTRY_NOT_FOUND

80000031h -2147483599 2147483697 IMA_RESULT_CLOSED

80000032h -2147483598 2147483698 IMA_RESULT_PATH_NAME_TOO_LONG

80000033h -2147483597 2147483699 IMA_RESULT_CREATEMESSAGEPORT_FAILED

80000034h -2147483596 2147483700 IMA_RESULT_ALTADDRESS_NOT_DEFINED

80000035h -2147483595 2147483701 IMA_RESULT_WOULD_BLOCK

80000036h -2147483594 2147483702 IMA_RESULT_ALREADY_CLOSED

80000037h -2147483593 2147483703 IMA_RESULT_TOO_BUSY

80000038h -2147483592 2147483704 IMA_RESULT_HOST_SHUTTING_DOWN

80000039h -2147483591 2147483705 IMA_RESULT_PORT_IN_USE

8000003Ah -2147483590 2147483706 IMA_RESULT_NOT_SUPPORTED

80040001h -2147221503 2147745793 IMA_RESULT_FILE_OPEN_FAILURE

80040002h -2147221502 2147745794 IMA_RESULT_SESSION_REQUEST_DENIED

80040003h -2147221501 2147745795 IMA_RESULT_JOB_NOT_FOUND

80040004h -2147221500 2147745796 IMA_RESULT_SESSION_NOT_FOUND

80040005h -2147221499 2147745797 IMA_RESULT_FILE_SEEK_FAILURE

80040006h -2147221498 2147745798 IMA_RESULT_FILE_READ_FAILURE

80040007h -2147221497 2147745799 IMA_RESULT_FILE_WRITE_FAILURE

80040008h -2147221496 2147745800 IMA_RESULT_JOB_CANNOT_BE_UPDATED

80040009h -2147221495 2147745801 IMA_RESULT_NO_TARGET_HOSTS

8004000Ah -2147221494 2147745802 IMA_RESULT_NO_SOURCE_FILES

80060001h -2147090431 2147876865 IMA_RESULT_ATTR_NOT_FOUND

80060002h -2147090430 2147876866 IMA_RESULT_CONTEXT_NOT_FOUND

80060003h -2147090429 2147876867 IMA_RESULT_VALUE_NOT_FOUND

80060004h -2147090428 2147876868 IMA_RESULT_DATA_NOT_FOUND

80060005h -2147090427 2147876869 IMA_RESULT_ENTRY_LOCKED

80060006h -2147090426 2147876870 IMA_RESULT_SEARCH_HASMORE

80060007h -2147090425 2147876871 IMA_RESULT_INCOMPLETE

80060008h -2147090424 2147876872 IMA_RESULT_READEXCEPTION

80060009h -2147090423 2147876873 IMA_RESULT_WRITEEXCEPTION

8006000Ah -2147090422 2147876874 IMA_RESULT_LDAP_PARTIALINSTALL

8006000Bh -2147090421 2147876875 IMA_RESULT_LDAP_NOTREADY

8006000Ch -2147090420 2147876876 IMA_RESULT_BUFFER_TOO_SMALL

8006000Dh -2147090419 2147876877 IMA_RESULT_CONTAINER_NOT_EMPTY

8006000Eh -2147090418 2147876878 IMA_RESULT_CONFIGURATION_ERROR

8006000Fh -2147090417 2147876879 IMA_RESULT_GET_BASEOBJECT

80060010h -2147090416 2147876880 IMA_RESULT_GET_DERIVEDOBJECT

80060011h -2147090415 2147876881 IMA_RESULT_OBJECTCLASS_NOTMATCH

80060012h -2147090414 2147876882 IMA_RESULT_ATTRIBUTE_NOTINDEXED

80060013h -2147090413 2147876883 IMA_RESULT_OBJECTCLASS_VIOLATION

80060014h -2147090412 2147876884 IMA_RESULT_ENUMFAIL

80060015h -2147090411 2147876885 IMA_RESULT_ENUMNODATA

80060016h -2147090410 2147876886 IMA_RESULT_DBCONNECT_FAILURE

80060017h -2147090409 2147876887 IMA_RESULT_TRUNCATE

80060018h -2147090408 2147876888 IMA_RESULT_DUPLICATE

80060019h -2147090407 2147876889 IMA_RESULT_PS_NOTINITIALIZED

8006001Ah -2147090406 2147876890 IMA_RESULT_USING_ORACLE_7

8006001Bh -2147090405 2147876891 IMA_RESULT_USING_ORACLE_8

8006001Ch -2147090404 2147876892 IMA_RESULT_USING_ORACLE_UNKNOWN

8006001Dh -2147090403 2147876893 IMA_RESULT_LOAD_DAO_ENGINE_FAILED

8006001Eh -2147090402 2147876894 IMA_RESULT_COMPACT_DB_FAILED

80060033h -2147090381 2147876915 IMA_RESULT_ODBC_NO_CONNECTIONS_AVAILABLE

80060034h -2147090380 2147876916 IMA_RESULT_CREATE_SQL_ENVIRONMENT_FAILED

80060035h -2147090379 2147876917 IMA_RESULT_SQL_EXECUTE_FAILED

80060036h -2147090378 2147876918 IMA_RESULT_SQL_FETCH_FAILED

80060037h -2147090377 2147876919 IMA_RESULT_SQL_BIND_PARAM_FAILED

80060038h -2147090376 2147876920 IMA_RESULT_SQL_GET_COLUMN_DATA_FAILED

80060039h -2147090375 2147876921 IMA_RESULT_REPLICATED_DATA_CONTENTION

8006003Ah -2147090374 2147876922 IMA_RESULT_DB_TABLE_NOT_FOUND

8006003Bh -2147090373 2147876923 IMA_RESULT_CONNECTION_EXIST

8006003Ch -2147090372 2147876924 IMA_RESULT_QUERY_MAX_NODEID_FAILED

8006003Dh -2147090371 2147876925 IMA_RESULT_SQL_FUNCTION_SEQUENCE_ERROR

8006003Eh -2147090370 2147876926 IMA_RESULT_DB_CONNECTION_TIMEOUT

80110104h -2146369276 2148598020 LMS_RESULT_NO_SERVER_AVAILABLE

80110105h -2146369024 2148598272 IMA_RESULT_FULL_SERVER_OR_APP_LOAD_REACHED

80130001h -2146238463 2148728833 IMA_RESULT_MORE_ITEMS

80130002h -2146238462 2148728834 IMA_RESULT_INVALID_ACCOUNT

80130003h -2146238461 2148728835 IMA_RESULT_INVALID_PASSWORD

80130004h -2146238460 2148728836 IMA_RESULT_EXPIRED_PASSWORD

80130005h -2146238459 2148728837 IMA_RESULT_GROUP_IGNORED

80130006h -2146238458 2148728838 IMA_RESULT_BUILTIN_GROUP

80130007h -2146238457 2148728839 IMA_RESULT_DC_NOT_AVAILABLE

80130008h -2146238456 2148728840 IMA_RESULT_NW_CLIENT_NOT_INSTALLED

80130009h -2146238455 2148728841 IMA_RESULT_ACCOUNT_LOCKED_OUT

8013000Ah -2146238454 2148728842 IMA_RESULT_INVALID_LOGON_HOURS

8013000Bh -2146238453 2148728843 IMA_RESULT_ACCOUNT_DISABLED

8013000Ch -2146238452 2148728844 IMA_RESULT_PREFERRED_TREE_NOT_SET

80160001h -2146041855 2148925441 IMA_RESULT_NODE_NOT_FOUND

80160002h -2146041854 2148925442 IMA_RESULT_NODE_NAME_INVALID

80160003h -2146041853 2148925443 IMA_RESULT_NODE_NOT_EMPTY

80160004h -2146041852 2148925444 IMA_RESULT_NODE_MOVE_DENIED

80160005h -2146041851 2148925445 IMA_RESULT_NODE_NAME_NOT_UNIQUE

80160006h -2146041850 2148925446 IMA_RESULT_NODE_RENAME_DENIED

80160007h -2146041849 2148925447 IMA_RESULT_CONSTRAINT_VIOLATION

80160008h -2146041848 2148925448 IMA_RESULT_LDAP_PROTOCOL_ERROR

80160009h -2146041847 2148925449 IMA_RESULT_LDAP_SERVER_DOWN

8016000Ch -2146041844 2148925452 IMA_RESULT_NODE_DELETE_DENIED

8016000Fh -2146041841 2148925455 IMA_RESULT_CANNOTCHANGE_PASSWORD

80160010h -2146041840 2148925456 IMA_RESULT_CANNOTCHANGE_LAST_RW

80160011h -2146041839 2148925457 IMA_RESULT_LOGON_USER_DISABLED

80160012h -2146041838 2148925458 IMA_RESULT_CMC_CONNECTION_DISABLED

80160013h -2146041837 2148925459 IMA_RESULT_INSUFFICIENT_SERVER_SEC_FOR_USER

80160014h -2146041836 2148925460 IMA_RESULT_FEATURE_LICENSE_NOT_FOUND

80160015h -2146041835 2148925461 IMA_RESULT_DISALLOW_CMC_LOGON

80260001h -2144993279 2149974017 IMA_RESULT_NW_PRINT_SERVER_ALREADY_PRESENT

80260002h -2144993278 2149974018 IMA_RESULT_SERVER_ALREADY_PRESENT

802D0001h -2144534527 2150432769 IMA_RESULT_TABLE_NOT_FOUND

802D0002h -2144534526 2150432770 IMA_RESULT_NOT_TABLE_OWNER

802D0003h -2144534525 2150432771 IMA_RESULT_INVALID_QUERY

802D0004h -2144534524 2150432772 IMA_RESULT_TABLE_OWNER_HAS_CHANGED

802D0005h -2144534523 2150432773 IMA_RESULT_SERVICE_NOT_AVAILABLE

802D0006h -2144534522 2150432774 IMA_RESULT_ZONE_MASTER_UNKNOWN

802D0007h -2144534521 2150432775 IMA_RESULT_NON_UNIQUE_HOSTID

802D0008h -2144534520 2150432776 IMA_RESULT_REG_VALUE_NOT_FOUND

802D0009h -2144534519 2150432777 IMA_RESULT_PARTIAL_LOAD

802D000Ah -2144534518 2150432778 IMA_RESULT_GATEWAY_NOT_ESTABLISHED

802D000Bh -2144534517 2150432779 IMA_RESULT_INVALID_GATEWAY

802D000Ch -2144534516 2150432780 IMA_RESULT_SERVER_NOT_AVAILABLE

80300001h -2144337919 2150629377 IMA_RESULT_SERVICE_NOT_SUPPORTED

80300002h -2144337920 2150629378 IMA_RESULT_BUILD_SD_FAILED

80300003h -2144337921 2150629379 IMA_RESULT_RPC_USE_ENDPOINT_FAILED

80300004h -2144337922 2150629380 IMA_RESULT_RPC_REG_INTERFACE_FAILED

80300005h -2144337923 2150629381 IMA_RESULT_RPC_LISTEN_FAILED

80300006h -2144337924 2150629382 IMA_RESULT_BUILD_FILTER_FAILED

80300007h -2144337925 2150629383 IMA_RESULT_RPC_BUFFER_TOO_SMALL

80300008h -2144337926 2150629384 IMA_RESULT_REQUEST_TICKET_FAILED

80300009h -2144337927 2150629385 IMA_RESULT_INVALID_TICKET

8030000Ah -2144337928 2150629386 IMA_RESULT_LOAD_TICKETDLL_FAILED

APPENDIX H

Citrix Management Console Error Codes

The information in the table below can aid you when you call Citrix Technical Support for solutions. Citrix Technical Support requires the information in the last column; this information does not appear in any other documentation.

Error Code (decimal) Error Code (hex) Error Message Error Comes From

-1072297332 c0160a8c Unable to connect with the Farm Metric Server. The Watcher window may not correctly reflect the farm status. ResourceMgr

-1072297322 c0160a96 An error occurred while attempting to retrieve the backup Farm Metric Server details. The error returned was: ~0~. ResourceMgr

-1072297321 c0160a97 An error occurred while attempting to set the Farm Metric Servers. The error returned was: ~0~. ResourceMgr

-1072297320 c0160a98 The backup Farm Metric server may not be identical to the primary Farm Metric Server. Please choose a different backup Farm Metric Server. ResourceMgr

-1072297319 c0160a99 No alarm objects have been returned from the monitor. ResourceMgr

-1072297318 c0160a9a Cannot retrieve counter instance names. ResourceMgr

-1072297302 c0160aaa Could not retrieve the list of ignored processes. ResourceMgr

-1072297301 c0160aab Could not save the new list of ignored processes. ResourceMgr

-1072297300 c0160aac Could not save the new list of ignored processes: ~0~. ResourceMgr

-1072297282 c0160abe The application name is invalid. It cannot contain any of the following characters: ~0~. ResourceMgr

-1072297281 c0160abf There was no response from Resource Manager. ResourceMgr

-1072297280 c0160ac0 An error occurred when attempting to create the application. The error returned was: ~0~. ResourceMgr

-1072297277 c0160ac3 You must specify an application name. ResourceMgr

-1072297276 c0160ac4 You must specify the full path and filename of the application. ResourceMgr

-1072297275 c0160ac5 You must select at least one server. ResourceMgr

-1072297274 c0160ac6 You have not provided a new application name. ResourceMgr

-1072297273 c0160ac7 This application name already exists. Please enter a different application name. ResourceMgr

-1072297272 c0160ac8 An error occurred when attempting to update the application properties. The error returned was: ~0~. ResourceMgr

-1072297271 c0160ac9 Error sending request for counter list from Farm Metric Server. ResourceMgr

-1072297270 c0160aca Error talking to the monitor subsystem. ResourceMgr

-1072297268 c0160acc Error updating application properties. Confirm that the data store can be accessed. ResourceMgr

-1072297267 c0160acd An object with the same name already exists in the target folder! ResourceMgr

-1072297266 c0160ace An unexpected error occurred when trying to move the application. The error returned was: ~0~. ResourceMgr

-1072297265 c0160acf The application name can be no longer than ~0~ characters. ResourceMgr

-1072297262 c0160ad2 Error reading application metric properties information. ResourceMgr

-1072297261 c0160ad3 Error retrieving metric properties. ResourceMgr

-1072297260 c0160ad4 Error writing application metric properties information. ResourceMgr

-1072297259 c0160ad5 Error writing server metric properties information. ResourceMgr

-1072297258 c0160ad6 An error occurred while updating the application metrics. ResourceMgr

-1072297257 c0160ad7 An error occurred while updating the application metric properties. ResourceMgr

-1072297245 c0160ae3 An unknown error occurred while trying to get the log for ~0~. ResourceMgr

-1072297251 c0160add An unexpected error occurred retrieving the reboot message details. The error returned was: ~0~. ResourceMgr

-1072297250 c0160ade An unexpected error occurred setting the reboot message details. The error returned was: ~0~. ResourceMgr

-1072297231 c0160af1 Error sending request for counter list from Farm Metric Server. ResourceMgr

-1072297230 c0160af2 The Farm Metric Server(s) cannot be contacted. This will cause Resource Manager to function incorrectly. Check that the Farm Metric Server(s) are running and can be contacted. ResourceMgr

-1072297221 c0160afb Failed to set alerts configuration ResourceMgr

-1072297216 c0160b00 Failed to set SNMP alerts configuration: ~0~. ResourceMgr

-1072297200 c0160b10 Must supply a gateway name. ResourceMgr

-1072297199 c0160b11 Must supply a user name. ResourceMgr

-1072297198 c0160b12 Must supply a group name. ResourceMgr

-1072297197 c0160b13 Gateway "~0~" already exists. ResourceMgr

-1072297196 c0160b14 User or group name "~0~" already exists. ResourceMgr

-1072297195 c0160b15 Illegal character(s) in phone number. ResourceMgr

-1072297194 c0160b16 Cannot add a user - configure a gateway first. ResourceMgr

-1072297193 c0160b17 Cannot add a group - configure a user first ResourceMgr

-1072297192 c0160b18 Cannot delete gateway while a user item still refers to it. ResourceMgr

-1072297191 c0160b19 Illegal character(s) in prefix. ResourceMgr

-1072297182 c0160b22 Failed to retrieve report: ~0~. ResourceMgr

-1072297180 c0160b24 Failed to save report: ~0~. ResourceMgr

-1072297179 c0160b25 Failed to convert report: ~0~. ResourceMgr

-1072297142 c0160b4a Citrix Resource Manager is not licensed. ResourceMgr

-1072297141 c0160b4b Unable to contact IMA service running on ResourceMgr

-1072297140 c0160b4c Unable to contact IMA service running on ResourceMgr


-1072297139 c0160b4d Received an invalid packet from the IMA service running on ResourceMgr

-1072297132 c0160b54 Failed to generate Server Summary report. Check that the DBMS and Database Connection Servers, and the IMA connection to the Database Connection Server are working properly. ResourceMgr

-1072297131 c0160b55 Failed to generate User Summary report. Check that the DBMS and Database Connection Servers, and the IMA connection to the Database Connection Server are working properly. ResourceMgr

-1072297130 c0160b56 Failed to generate Process Summary report. Check that the DBMS and Database Connection Servers, and the IMA connection to the Database Connection Server are working properly. ResourceMgr

-1072297129 c0160b57 Failed to create Server Snapshot report ResourceMgr

-1072297128 c0160b58 Failed to create Current User report ResourceMgr

-1072297127 c0160b59 Failed to create Current Process report ResourceMgr

-1072297126 c0160b5a Unable to communicate with the Resource Manager Database Connection Server. Summary reports will not be available. ResourceMgr

-1072297125 c0160b5b Unable to communicate with the Resource Manager Database Connection Server. Summary reports will not be available. ResourceMgr

-1072297124 c0160b5c Unable to communicate with the Resource Manager Database Connection Server. Summary reports will not be available. ResourceMgr

-1072297123 c0160b5d Unable to communicate with the Resource Manager local database. Current reports will not be available ResourceMgr

-1072297122 c0160b5e Unable to communicate with the Resource Manager local database. Current reports will not be available ResourceMgr

-1072297121 c0160b5f Unable to communicate with the Resource Manager local database. Current reports will not be available ResourceMgr

-1072297120 c0160b60 The summary database does not contain enough information to generate a Process Summary report. ResourceMgr

-1072297119 c0160b61 The summary database contains no server information. ResourceMgr


-1072297118 c0160b62 The summary database does not contain enough information to generate a User Summary report. ResourceMgr

-1072297117 c0160b63 Failed to save reports ResourceMgr

-1072297116 c0160b64 Unable to identify the summary database software versions. Summary database functionality may not operate correctly in the Citrix Management Console. ResourceMgr

-1072297115 c0160b65 Unable to identify any Resource Manager summary database servers in the farm. ResourceMgr

-1072297114 c0160b66 All start times should be less than the stop times ResourceMgr

-1072297252 c0160adc Summary database functionality cannot be enabled without a Database Connection Server being set. ResourceMgr

-1072297113 c0160b67 Unable to identify Database Connection Server ResourceMgr

500 1F4 A timeout has occured! Please try again! AdminMgr

510 1FE A folder name cannot contain any of the following characters: \ / : * ? " < > | AdminMgr

511 1FF Please enter a folder name! AdminMgr

512 200 An object with the same name already exists in the target folder! AdminMgr

513 201 Can't rename folder! AdminMgr

514 202 The selected folder is not empty. A folder cannot be deleted until it is empty. AdminMgr

515 203 Can't delete folder! AdminMgr

516 204 The selected folder is not empty. A folder cannot be moved until it is empty. AdminMgr

517 205 Can't move folder! AdminMgr

518 206 A folder name cannot contain more than 256 characters! AdminMgr

700 2BC The license list is incomplete. The request for information could have timed out. LicenseMgr

701 2BD Failed to initialize list control. LicenseMgr

702 2BE There was an unexpected internal error in processing this action. LicenseMgr


703 2BF The view could not be refreshed. The view could not be found. LicenseMgr

704 2C0 The view could not be refreshed. The selection in the tree changed unexpectedly. LicenseMgr

705 2C1 The license list is incomplete. An error occurred while getting the information. LicenseMgr

710 2C6 You must have Administrator rights to run this application. LicenseMgr

800 320 The license could not be added. LicenseMgr

801 321 The license could not be added. It is already installed. LicenseMgr

802 322 The license could not be added. It is not a valid serial number. LicenseMgr

803 323 The license could not be added. The licensing subsystem did not respond. LicenseMgr

804 324 The license could not be added. The product associated with this license was not found in this farm. LicenseMgr

805 325 The serial number must be entered in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. LicenseMgr

806 326 You have reached the maximum number of license packs allowed per server. You cannot install additional license packs. Please contact Citrix Technical Support. LicenseMgr

807 327 Please enter a serial number. LicenseMgr

820 334 The license could not be removed. LicenseMgr

821 335 None of the selected licenses could be removed. LicenseMgr

822 336 Not all of the Licenses were successfully removed. There might be a delay before the license information is updated. LicenseMgr

823 337 This product license cannot be removed. LicenseMgr

824 338 There was an unexpected internal error in removing these licenses. LicenseMgr

825 339 The license may or may not have been removed because the request timed out. There might be a delay before the license information is updated. LicenseMgr


826 33A The licenses may or may not have been removed because the request timed out. There might be a delay before the license information is updated. LicenseMgr

830 33E The activation code must be entered in the following format: XXXXX-XXXXX. LicenseMgr

831 33F The license could not be activated. It may already be activated. LicenseMgr

832 340 The license could not be activated. The activation code is incorrect. Check that you entered the code correctly. LicenseMgr

833 341 The license could not be activated. The licensing subsystem did not respond. LicenseMgr

834 342 Please enter an activation code. LicenseMgr

850 352 Could not find assignment data. LicenseMgr

851 353 There are no licenses in this license set. LicenseMgr

852 354 All of the licenses in this license set are already assigned to servers. LicenseMgr

853 355 The license could not be assigned. LicenseMgr

854 356 The full <license number> could not be assigned. Only <number> was assigned. It may take a moment for this change to appear fully in the views. LicenseMgr

855 357 Please select a server in the tree. LicenseMgr

856 358 The license could not be assigned. You cannot assign more than one of each product license to a server. LicenseMgr

857 359 Please enter a value between 1 and <number>. LicenseMgr

858 35A This assignment already exists. This product license has already been assigned to the selected server. LicenseMgr

859 35B There are no licenses installed on this farm. You must add (and activate) one or more licenses to make them available for assignment. LicenseMgr

860 35C None of the licenses installed on this farm are available for assignment. You cannot assign Inactivated, Evaluation, or Expired licenses to a Citrix server. For existing license assignments, you must drop or reduce the assignment before you can assign the license to a new Citrix server. LicenseMgr


870 366 The selected assignment could not be dropped. LicenseMgr

871 367 Some of the selected assignments could not be dropped. There might be a delay before the license information is updated. LicenseMgr

872 368 None of the selected assignments could be dropped. LicenseMgr

880 370 License assignment could not be changed. LicenseMgr

881 371 The full <license number> could not be assigned. Only <number> was assigned. It may take a moment for this change to appear fully in the views. LicenseMgr

882 372 This license cannot be pooled. LicenseMgr

1100 An unknown error occurred while loading <Plugin name> Its features will not be available during this session. PluginMgr

1110 Farm Logon Error PluginMgr

1111 Pass-through Authentication failed, failed to connect to server <server> PluginMgr

1300 514 The ICA Display settings could not be changed. ServerMgrNew

1301 515 The product code you entered was invalid. The server's product code has not been changed. ServerMgrNew

1302 516 The product code you entered was invalid. None of the servers' product codes have been changed. ServerMgrNew

1305 519 The product code could not be changed. ServerMgrNew

1306 51A The value entered for "maximum memory to use for each session's graphics" is invalid. Please enter a value between 150 kilobytes and 8192 kilobytes. ServerMgrNew

1307 51B Failed to change the listening TCP port for the Citrix XML Service! ServerMgrNew

1308 51C Some servers' product codes were changed, but some could not be. ServerMgrNew

1309 51D None of the servers' product codes could be changed. ServerMgrNew

1311 51F Please make sure that the Reset value is greater or equal than the Set value. ServerMgrNew

1312 520 Session information is not available for this session. User information will be refreshed. ServerMgrNew


1313 521 Failed to disconnect session. User information will be refreshed. ServerMgrNew

1314 522 Failed to connect session. User information will be refreshed. ServerMgrNew

1314 522 Wrong password. Letters in passwords must be typed using the correct case. Make sure that Caps lock is not accidentally on. ServerMgrNew

1315 523 Failed to reset session. User information will be refreshed. ServerMgrNew

1316 524 Unable to send message to the selected session. User information will be refreshed. ServerMgrNew

1317 525 Status information is not available for this session. User information will be refreshed. ServerMgrNew

1318 526 Unable to collect process data for this server. The request timed out. ServerMgrNew

1319 527 Unable to collect session data for this server. The request timed out. ServerMgrNew

1320 528 The Auto Client Reconnect settings could not be changed. ServerMgrNew

1330 532 Please choose a Feature Release level. ServerMgrNew

1331 533 The Feature Release level could not be changed. ServerMgrNew

1340 The File Type Association settings could not be changed. ServerMgrNew

1600 640 A zone with the same name already exists! IMACoreSettingsMgr

1601 641 A zone cannot be deleted until all servers have been removed from it! IMACoreSettingsMgr

1602 642 A zone must contain at least one server! IMACoreSettingsMgr

5556 15B4 An internal error occured while loading default icons. Ext.Widgets.IconChooser

5650 1612 The data store is not available. Some features may not be available. Ext.Framework.Tools

2147483659 8000000B The operation to remove the server from farm has timed out, but it may have succeeded. AdminUserMgr

2147483692 8000002C The persistent store server cannot be removed. AdminUserMgr


2148598021 80110105 The load evaluator name is already being used. Please use a different name. LMSAdmin

2148598022 80110106 Cannot delete the default evaluator. LMSAdmin

2148598023 80110107 The load evaluator is still in use. Please detach the load evaluator from any servers or applications before deleting. LMSAdmin

2148598022 80110106 Cannot delete the default evaluator or load evaluators that are still in use. Please detach the load evaluators from any servers or applications before deleting. LMSAdmin

2148598023 80110107 At least one load evaluator could not be deleted because it is still in use. Please detach the load evaluators from any servers or applications before deleting. LMSAdmin

Various Various At least one load evaluator could not be deleted. LMSAdmin

2149318670 801C000E The server is still reachable, and cannot be removed. It should be removed by uninstall program. AdminUserMgr

3221553157 C0050005 Could not read application data from the Citrix server farm. MetaFramePubAppMgr

3221553158 C0050006 Could not write application data to the Citrix server farm. MetaFramePubAppMgr

3221553159 C0050007 Could not delete application data from the Citrix server farm. MetaFramePubAppMgr

3221553162 C005000A Display Name not specified. MetaFramePubAppMgr

3221553163 C005000B The Display Name already exists in this application folder. MetaFramePubAppMgr

3221553166 C005000E The Application Name cannot contain any of the following characters: \/;:.*?=<>|[]()'" MetaFramePubAppMgr

3221553167 C005000F The command line is required to publish an application. Enter the path and filename of the application's executable file in the Command Line box. MetaFramePubAppMgr

3221553167 C005000F The content address is required to publish a content. Enter the UNC or the URL address for the content. MetaFramePubAppMgr

3221553170 C0050012 The window size specified is too small. MetaFramePubAppMgr

3221553171 C0050013 The window size specified is too large. MetaFramePubAppMgr

3221553173 C0050015 File paths cannot contain any of the following characters: / *?"<>| MetaFramePubAppMgr


3221553174 C0050016 The ICA file name you entered cannot be found. Use the Browse button to locate and select the ICA file. MetaFramePubAppMgr

3221553175 C0050017 Unable to write the file to disk. MetaFramePubAppMgr

3221553178 C005001A The Display Name cannot contain any of the following characters: \/;:.*?=<>|[]()'" MetaFramePubAppMgr

3221553180 C005001C The application has a minimum required encryption level of: <level>. You cannot create an ICA file with an encryption level less than this. MetaFramePubAppMgr

3221553181 C005001D The application has a minimum audio requirement. You must specify an audio setting. MetaFramePubAppMgr

3221553182 C005001E You must enter a TCP/IP port between 1 and 65536. MetaFramePubAppMgr

3221553182 C005001E You must specify a server to get browsing information from. MetaFramePubAppMgr

3221553186 C0050022 The Application Name may only have a maximum of 38 ANSI characters, or 19 UNICODE characters. MetaFramePubAppMgr

3221553187 C0050023 The selected application may not have been published because the request has timed out. If the published application does not appear in Citrix Management Console, please try again. MetaFramePubAppMgr

3221553188 C0050024 The selected published application could not be copied because the data cannot be accessed from the data store. MetaFramePubAppMgr

3221553189 C0050025 You cannot change the properties of an application published with an updated version of MetaFrame XP. To edit the properties, you must connect to a MetaFrame XP server with the latest service pack installed or install the latest service pack on all MetaFrame XP servers in your farm. MetaFramePubAppMgr

3221553190 C0050026 The ICA file was not created because a server hosting the application did not respond. Please try again. MetaFramePubAppMgr

3221553191 C0050027 The Application Name already exists in the server farm. MetaFramePubAppMgr

3222470657 C0130001 Failed to add Network Print Server <servername>. PrinterMgr

3222470658 C0130002 The specified Network Print Server has already been added. PrinterMgr

3222470659 C0130003 The specified Network Print Server could not be contacted or has no printers. PrinterMgr


3222470660 C0130004 You must enter a user name. PrinterMgr

3222470661 C0130005 Failed to delete Network Print Server <servername>. PrinterMgr

3222470662 C0130006 Failed to refresh Network Print Server data for server <servername>. PrinterMgr

3222470663 C0130007 Could not enumerate all printers. PrinterMgr

3222470664 C0130008 Could not enumerate printers for server <servername>. PrinterMgr

3222470665 C0130009 Could not enumerate all drivers. PrinterMgr

3222470666 C013000A Could not enumerate drivers for server <servername>. PrinterMgr

3222470667 C013000B Could not enumerate MetaFrame servers for this farm. PrinterMgr

3222470668 C013000C Could not enumerate servers that have print driver <drivername>. PrinterMgr

3222470669 C013000D Replication failed. PrinterMgr

3222470670 C013000E Replication from server <servername> failed. PrinterMgr

3222470671 C013000F The drivers you selected are for different platforms. When selecting multiple drivers, all drivers must be for the same platform. PrinterMgr

3222470672 C0130010 Could not enumerate operating system platforms. PrinterMgr

3222470673 C0130011 The specified driver already exists in the Compatibility list. PrinterMgr

3222470674 C0130012 Failed to set Compatibility list. PrinterMgr

3222470675 C0130013 Could not enumerate Driver Mapping list. PrinterMgr

3222470676 C0130014 Failed to set Driver Mapping list. PrinterMgr

3222470677 C0130015 Could not enumerate bandwidth limits. PrinterMgr

3222470678 C0130016 Failed to set bandwidth limits. PrinterMgr

3222470680 C0130018 Could not enumerate users and groups configured for printer <printername>. PrinterMgr

3222470681 C0130019 Could not enumerate all users and groups for specified domain. PrinterMgr

3222470682 C013001a Failed to set Auto-creation settings for printer <printername>. PrinterMgr


3222470684 C013001C Failed to copy Auto-creation settings from printer <printername>. PrinterMgr

3222470685 C013001D Could not enumerate Client Printer list. PrinterMgr

3222470686 C013001E The specified client printer already exists in the list. PrinterMgr

3222470687 C013001F The specified port has already been assigned for this client. PrinterMgr

3222470688 C0130020 Could not enumerate Auto-replication list. PrinterMgr

3222470689 C0130021 Failed to set Auto-replication list. PrinterMgr

3222470690 C0130022 Could not enumerate Compatibility list. PrinterMgr

3222470691 C0130023 The specified client driver already exists in the Mapping list. PrinterMgr

3222470692 C0130024 Could not enumerate domains. PrinterMgr

3222470693 C0130025 Failed to set Client Printer list. PrinterMgr

3222470694 C0130026 Failed to determine operating system platform for one or more servers in the farm. These servers cannot be used as destinations for printer driver replication actions. PrinterMgr

3222470695 C0130027 The printer management system on the preferred server could not be contacted. You will not be able to make changes to printer-related data. PrinterMgr

3222470696 C0130028 Could not enumerate servers with the print driver <drivername>. PrinterMgr

3222470697 C0130029 The names of some users could not be obtained. PrinterMgr

3222470698 C013002A Could not get the platform for server <servername>. PrinterMgr

3222470699 C013002B Could not enumerate Network Print Servers. PrinterMgr

3222470700 C013002C Failed to get driver for printer <servername>. PrinterMgr

3222470701 C013002D The specified domain does not exist or does not trust the farm. PrinterMgr

3222470704 C0130030 The specified driver has been marked incompatible with all server platforms in the farm. PrinterMgr

3222470705 C0130031 Search failed. PrinterMgr


3222503424 C0138000 An unknown error occurred. PrinterMgr

3222503425 C0138001 General failure. PrinterMgr

3222503426 C0138002 There is not enough memory to complete the operation. PrinterMgr

3222503428 C0138004 There are not enough resources to complete the operation. PrinterMgr

3222503429 C0138005 The item was not found. PrinterMgr

3222503430 C0138006 The operation timed out. PrinterMgr

3222503431 C0138007 Enumeration failed. PrinterMgr

3222503432 C0138008 Access is denied. PrinterMgr

3222503433 C0138009 Network failure. PrinterMgr

3222503434 C013800A The destination could not be found. PrinterMgr

3222503440 C0138010 The server could not be contacted. PrinterMgr

3222503442 C0138012 Authentication failed. PrinterMgr

3222503443 C0138013 The domain controller could not be contacted. PrinterMgr

3222503444 C0138014 The item already exists. PrinterMgr

3222503445 C0138015 The server is part of the farm. PrinterMgr

3222503446 C0138016 The network server has already been added. PrinterMgr

3222798336/Various C0180000/Various Could not enumerate the user accounts in this Domain. There might be communication problems on the network. UserEnumeration

3222798337 C0180001 Could not collect required user account information for some or all of the accounts from this Domain. These users will not be added to Configured Accounts list. UserEnumeration

3222798338 C0180002 The domain controller for this domain is not available. UserEnumeration

3222798339 C0180003 One or more servers selected to host this application have failed to complete the initial startup sequence. The server(s) will not be available for publishing applications until the IMA service is restarted. UserEnumeration

3222798340 C0180004 The accounts trusted by the selected servers could not be determined. UserEnumeration

3222798341 C0180005 Could not enumerate domains. UserEnumeration


Various Various Could not attach load evaluator to this server. LMSAdmin

Various Various Could not create a new load evaluator. LMSAdmin

Various Various Could not delete the load evaluator. LMSAdmin

Various Various Could not get the list of servers attached to the application. LMSAdmin

Various Various Could not modify the load evaluator. LMSAdmin

Various Various The Citrix Management Console failed to remove the server. AdminUserMgr

80240008 IM network browser failed. IMSMgr

80240002 Installer failed (usually ADF installer since MSI has its own error codes). IMSMgr

80240003 Logon to the network share account failed. IMSMgr

80240001 No network share point account is specified. IMSMgr

80240005 Package is in use and cannot be modified. IMSMgr

80240004 Package with the same name already exists. IMSMgr

80240006 The operation is not allowed, for example, a job cannot be modified after it is started. IMSMgr

80240007 The package file provided (when adding a package to the data store) is not a valid (msi or adf) package. IMSMgr


Appendix I

Registered Citrix Ports

Name Number Protocol Description

ica 1494 TCP ICA

ica 1494 UDP <not used>

ica 0x85BB IPX ICA

ica 0x9010 SPX ICA

icabrowser 1604 TCP <not used>

icabrowser 1604 UDP ICA Browser

icabrowser 0x85BA IPX ICA Browser

citrixima 2512 TCP IMA (server to server)

citrixima 2512 UDP <not used>

citrixadmin 2513 TCP IMA (CMC to server)

citrixadmin 2513 UDP <not used>

citriximaclient 2598 TCP <not used>

citriximaclient 2598 UDP <not used>

citrix-rtmp 2897 TCP rtmp (Control) Video Frame

citrix-rtmp 2897 UDP rtmp (Streaming Data) Video Frame

Citrix Systems 3845 MIB Private Enterprise Number. Used for SNMP MIB Object ID and Active Directory Schema Object Ids (OID).


Index

A
access to servers, controlling 125
Access, see Microsoft Access
Active Directory Services 78
adaptive load balancing, see transmit load balancing
administrative tools 80
administrator accounts
  configuring 126
administrator privileges, assigning to NDS objects 117
aliases, creating in NDS 123
application deployment recommendations 159–162
  job scheduling and staggered install 160
  package group deployment server 160
  package server 159
application folders 156
application performance, setting 176
applications
  publishing 89
auto-end tasks 177
automatic data refresh 155
auto-replication of printer drivers 149

C
chfarm command 152
Citrix Installation Management
  application deployment recommendations 159–162
  group size considerations 157
  network setup considerations 158
  WAN recommendations 158
Citrix Installation Manager 157–162
Citrix Management Console 117–118, 130, 155
  configuring data refresh 155
  error codes 253–267
  load management 157
  logging on with NDS credentials 118
  performance considerations 156
  security 130
  using server and application folders 156
Citrix Management Console (CMC) 119
Citrix Network Manager 165
  Network Manager SNMP agent issues 166
Citrix Resource Manager
  data purging 165
  Farm Metric server 163
  local database 162
  metric server 162
  summary database 163
Citrix Web console 131
  logging off users 213
  security 131
client optimizations 169–171
  improving connectivity 169
  retransmission behavior 170
  TCP/IP packet sizes 170
cloning
  on MetaFrame XPe systems 74
cluster failover support
  in data store 55–57
configuring
  administrator accounts 126
  client and server proxy settings 139
  data collectors 18
  data refresh 155
  default contexts for users (NDS) 121
  default gateway 30
  distributed databases 44
  event log 178
  IIS server 131
  level 2 cache 172
  operating system 13
  Oracle servers 46
  paging file 172
  print job logging 179
  printer autocreation in NDS 119
  roaming profiles 180
  SNMP service 126
  TCP/IP and ICA keepalives 175
  Windows services 176
  ZENworks for Desktops container package (NDS) 114
connection access, controlling 125
connectivity, improving 169
Content Redirection 93
  and NFuse 101
  from client to server 93
  from server to client 95
  using ftacln.exe 93


cycle booting, of servers 151

D
data purging 165
data source connection, creating for SQL Server 43
Data Source Name
    modifying 43
data stores
    activity 20
    cluster failover support 55
    configuring SQL Server 7 for replication 225
    database format 19
    hardware components 54
    hosting with Access 38, 127
    hosting with DB2 50, 128
    hosting with Oracle 45, 128
    hosting with SQL Server 40, 128
    implementing in storage area network 53–57
    in server farm 19
    network optimizations 52
    recommendations 34–37
    recreating local host cache 21
    refreshing local host cache 20
    requirements 37–52
    SAN tape backup support 55
    SAN tuning 57
    security considerations 127–129
    troubleshooting connections 203
DB2
    as data store host 50, 128
    security considerations 128
    with distributed databases 52
denial of service (DoS) attacks 129
deployment of MetaFrame XP 70–80
    application deployment recommendations 159–162
    cloning on MetaFrame XPe systems 74
    configuring ZENworks for MetaFrame support 113–116
    deploying Feature Release 2 using Installation Manager 75
    downgrading from Feature Release 2 70
    enabling Windows Installer logging 79
    example scenarios 57–65
    planning for NDS support 108
    server cloning 70
    simultaneous installations 74
    verifying that server has been added 74
    with Active Directory 78
    with CA Unicenter 79
deployment scenarios 57–65
    large farm, central location 59
    large farm, multiple data centers 63
    large farm, regional sites 64
    small farm, central location 58
    small farm, distributed sites 60
    small farm, remote sites 62
disk optimization 171–172
    I/O locks 171
    last access update 172
distributed databases
    using with DB2 52
    using with Oracle 49
    using with SQL Server 44
documentation
    online help, using 11
downgrading from Feature Release 2 70
Dr. Watson utility 177
driver replication 148
DSN, see Data Source Name

E
encryption for ICA communications 132
error codes 245–251, 253–267
error messages 177, 245–251, 253–267
event log, configuring 178

F
failed installations, troubleshooting 204
failover
    on Oracle 48
    on SQL Server 44
    support in data store 55–57
farm maintenance 151–154
    changing farm membership of servers 152
    cycle booting servers 151
    renaming servers 153
    uninstalling servers in indirect mode 154
    using chfarm command 152
farm management 155–168
    Citrix Installation Manager 157–162
    Citrix Management Console 155
    Citrix Resource Manager 162
    minimum permissions 168
    network management 165–166
    user policies best practices 167
    user-to-user shadowing best practices 167
farm membership of servers, changing 152
fast ether channel, see switch assisted load balancing
file type association 213


H
hardware components, of data store 54
hardware, tested with MetaFrame XP 241

I
I/O locks 171
IBM DB2, see DB2
ICA Client
    proxy configuration 139
ICA keepalives 175
ICA Win32 Client
    NDS support in 120
    proxy INI file parameters 133–137
IMA subsystem tracing 243–244
Installation Manager 89, 157–162
    debug files 211
    group size considerations 157
    network setup considerations 158
    packager 161
    recording applications requiring reboot during installation 161
Internet Information Services
    configuring for smart card support 141

J
Java clients
    enabling connection 144
job scheduling, in server farms 160

K
keepalives 175

L
last access update 172
layout, of server farm 109
level 2 cache, configuring 172
license counts 212
load balancers, configuring with NFuse Classic 231
Load Manager
    using with Citrix Management Console 157
logging print jobs 179

M
maximum buffer size, changing 15
memory 172–173
    optimizing 172
memory, optimizing
    adjusting page table entries 173
    configuring level 2 cache 172
    configuring paging file 172
menu refresh rate, changing 181
MetaFrame XP system requirements 109
metric server 162
Microsoft Access
    authentication 39
    automatic backup 39
    using to host data store 38

multihomed servers, using MetaFrame XP on 27–33

N
NDS (Novell Directory Services) Integration 107–124
    assigning administrator privileges 117
    configuring default contexts for users 121
    configuring printer autocreation 119
    configuring ZENworks for Desktops Container Package 114–115
    creating aliases 123
    enabling in NFuse Classic 120
    enabling in server farm 117
    farm layout 109
    implementing in MetaFrame 107
    logging on to Citrix Management Console with NDS credentials 118
    organizing published applications for NDS users 123
    overview 107
    planning MetaFrame deployment with 108
    support in ICA Win32 Client 120
    system requirements 109
    tips and techniques 123
    troubleshooting 205–208
network cards 173
network fault tolerance 52
network management 165–166
Network Manager SNMP agent, recommendations 166
network optimization 173–175
    network cards 173
    network request buffer 174
    refused connections 174
    TCP/IP and ICA keepalives 175
network printers
    importing from other domains 212
network request buffer, modifying 174
network security 129–133
    Citrix Management Console 130
    Citrix Web console 131
    denial of service (DoS) attacks 129


    NFuse Classic Administration Console security 133
    NFuse Classic communication 132
    secure client communication 132
    SSL encryption 131
    using encryption 132
network security considerations 129
network setup, recommendations 158
NFuse Classic
    Administration Console security 133
    distributing connections between multiple NFuse servers 231
    enabling NDS support in 120
    enabling smart card authentication 143
    enabling SSL 142
    proxy/firewall connections 137
    securing communication 132

NTFS partitions 125

O
ODBC tracing 210
operating system
    configuring 13
    service packs and updates 14
optimizations 169–182
    client 169–171
    disk 171–172
    memory 172–173
    network 173–175
    server 176–180
    users 180–182
Oracle
    authentication and security 48
    client configuration 47
    disabling NTS feature 47
    distributed databases 49
    failover 48
    security considerations 128
    server configuration 46
    using to host data store 45

Oracle Parallel Server 50

P
package group deployment, recommendations 160
package server, recommendations 159
page table entries, adjusting 173
paging file, configuring 172
Pass-Through Authentication
    disabling 145
ports, registered 269–270
print jobs, logging 179
printer autocreation in NDS 119
printer drivers 147–149
    auto replication 149
    driver replication and IMA performance 148
    driver replication and server performance 148
    managing the replication queue 147
    replication 147
    replication and performance issues 148
profiles, roaming 180
Program Neighborhood
    agent and proxy connections 136, 138
Proxy INI file parameters for ICA Win32 Client 133
proxy settings, of client and server 139
published applications
    organizing for NDS users 123
    troubleshooting 213
publishing applications 89
    in domains with thousands of objects 92
    with Installation Manager 89

R
refresh rate of menus, changing 181
refused connections 174
registered Citrix ports 269–270
re-imaging a server 71
renaming servers 153
replicating the data store
    using SQL Server 2000 215
    using SQL Server 7 226
Resource Manager 162
    database 162
    using alerts 163
retransmission 170
roaming profiles 180
RPC services 179

S
SAN tape backup support
    in data store 55
SAN tuning
    in data store 57
secure client communication 132
security
    agent and proxy connections 136
    Citrix Management Console 130
    Citrix Web console 131
    client and server proxy settings 139
    controlling access to servers 125


    controlling connection access 125
    data store considerations 127–129
    denial of service (DoS) attacks 129
    enabling smart card authentication 143
    enabling SSL 142
    encryption 132
    INI file parameters for ICA clients 133–137
    Internet Explorer settings 211
    neighborhood agent and proxy connections 138
    network considerations 129–133
    NFuse Classic 132
    NFuse Classic proxy/firewall connections 137
    Pass-Through Authentication 145
    secure client communication 132
    secure proxy/SOCKS connections 133
    SSL encryption 131
    using smart cards 139–144
security certificate
    installing 142
server access, controlling 125
server cloning 70
    on MetaFrame XPe systems 74
server configuration, recommendations 13
server farms
    changing farm membership of servers 152
    cycle booting servers 151
    deployment scenarios 57
    designing 23–25
    enabling NDS support in 117
    farm layout 109
    function of data store in 19
    group size considerations 157
    job scheduling and staggered install 160
    planning zones in 25–27
    renaming servers 153
    system requirements 109
    uninstalling servers in indirect mode 154
    updating file type associations 213
    using chfarm command 152
server folders 156
server optimization 176–180
    application performance 176
    auto-end tasks 177
    configuring event log 178
    Dr. Watson utility 177
    logging print jobs 179
    RPC services 179
    server services 179
    system error messages 177

server services, configuring 179

setting up a server 72
simultaneous installations 74
smart cards 139–144
    enabling authentication 143
    miscellaneous information 143
    using with MetaFrame XP 139
    using with NFuse Classic 141
smooth scrolling, disabling 181
SNMP service
    configuring 126
SQL Server
    authentication and security 42
    creating data source connection during MetaFrame setup 43
    distributed databases 44
    failover 44
    modifying data source name 43
    security considerations when using for data store 128
    server configuration 40
    troubleshooting 222
    using to host data store 40
SQL Server 2000
    setting up for replication 215
SQL Server 7
    configuring for replication 225
SSL encryption 131
    using with Citrix Web Console 131
storage area network
    implementing data store in 53–57
summary database 163
switch assisted load balancing 53
system error messages 177
system information, obtaining 210
system requirements, for MetaFrame XP 109

T
TCP/IP keepalives 175
TCP/IP packets 170
teaming network interface card configurations 52
    network fault tolerance 52
    switch assisted load balancing 53
    transmit load balancing 52
technical support
    obtaining information 208–211
Terminal Server listeners, controlling access to 125
tested hardware, for MetaFrame XP 241–242
tracing 243–244
transmit load balancing 52
troubleshooting


    failed installations 204
    frequently encountered obstacles 211–213
    IMA service fails to start 201
    IMA service fails to stop 202
    IMA service logging 203
    Novell Directory Services integration 205
    ODBC connection fails 202
    server fails to connect to data store 203
    unresponsive server 204

U
uninstalling servers in indirect mode 154
upgrade considerations 69
USB redirection 213
user optimization 180–182
    Internet Explorer wizard 182
    menu refresh rate 181
    roaming profiles 180
    smooth scrolling 181
    Windows NT policies 180
user policies 167
user-to-user shadowing 167
utilities 183–200
    DRIVEREMAP 184
    DSVIEW 188
    IMAPORT 189
    MSGHOOK 191
    QPRINTER 192
    QUERYDC 194
    QUERYDS 195
    QUERYHR 197
    SCCONFIG 199

V
verifying that a server has been added to a farm 74

W
WANs, recommendations 158
Win32 client
    configuring default contexts for users 121
Windows Directory Mapper Service
    enabling 141
Windows Installer logging, enabling 79
Windows services, configuring 176
wireless LANs
    using Citrix products with 235
wLANs and Citrix 235

Z
ZENworks for Desktops
    configuring 113–115
    configuring Container Package 114
    configuring for MetaFrame support 113
    configuring User Package 115
zones
    configuring data collectors in 18
    overview 17